
Investigation of email-based attack delivering MediaFire ZIP file with execution chain analysis

Medium
Published: Tue Jun 16 2026 (06/16/2026, 05:29:40 UTC)
Source: AlienVault OTX General

Description

This threat is a malicious email campaign that delivers a ZIP archive hosted on MediaFire. The infection chain starts with a Python setup executable (Setu.exe) that side-loads an oversized malicious python37.dll, inflated with repeated byte padding. The DLL injects into dllhost.exe and communicates with a command-and-control server. The attacker establishes persistence in three ways: a PowerShell-based path, a fake EdgeUpdate Python executable launched by a scheduled task, and NetSupport RMM as a remote access tool. The analysis stresses comparing file timestamps during triage to spot a malicious file planted inside an otherwise genuine compressed archive.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/16/2026, 17:00:12 UTC

Technical Analysis

An email-based campaign distributes a ZIP archive via MediaFire containing a Python setup executable (Setu.exe). When run, Setu.exe side-loads a malicious python37.dll of about 400 MB; most of that size is repeated byte padding, a common trick for pushing a file past the size limits of antivirus scanners and sandbox upload forms. The DLL injects code into the legitimate dllhost.exe process, and the injected code connects to a C2 server at 138.124.186.2 on port 7000. The actor lays down three persistence mechanisms: a PowerShell-based path, a scheduled task that runs a fake EdgeUpdate Python executable, and the NetSupport RMM client as a third way back in. The techniques in play are DLL side-loading, process injection, scheduled-task persistence, and abuse of a legitimate remote access tool. The investigation highlights comparing file timestamps during triage: a payload dropped into an otherwise genuine runtime bundle is frequently the one file whose modification time does not match the rest.
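The chain above maps onto a handful of host-telemetry rules: a non-system process creating a remote thread in dllhost.exe, dllhost.exe beaconing to an external address on port 7000 or to a listed IOC, a scheduled task that borrows the EdgeUpdate name but points outside the real EdgeUpdate directory, and the NetSupport client starting where it was never deployed. The following is an added example written for this page, not tooling from the original investigation or from AlienVault. The C2 addresses, port 7000 and the EdgeUpdate and NetSupport names come from the page; the event field layout (modelled on Sysmon event IDs 1, 3 and 8), the sample paths, the genuine EdgeUpdate directory and the NetSupport client binary name client32.exe are assumptions made for the example.

```python
"""Host-telemetry rules for the Setu.exe -> python37.dll -> dllhost.exe chain.

Added example: the records below are constructed to resemble Sysmon
event IDs 1 (ProcessCreate), 3 (NetworkConnect) and 8 (CreateRemoteThread);
they are not captured from the real incident.
"""
import ipaddress
from pathlib import PureWindowsPath

# Indicators from the page; port 7000 is the C2 port named in the analysis.
C2_IPS = {"138.124.186.2", "185.76.243.85"}
C2_PORT = 7000
# Assumptions for this example: where the genuine Edge updater lives, the
# directories a legitimate thread-injecting source would live in, and the
# NetSupport Manager client binary name.
EDGEUPDATE_HOME = r"c:\program files (x86)\microsoft\edgeupdate"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
NETSUPPORT_CLIENT = "client32.exe"


def _name(path):
    return PureWindowsPath(path).name.lower()


def _in_system_dir(path):
    return any(path.lower().startswith(d) for d in SYSTEM_DIRS)


def check_event(e):
    """Apply the chain rules to one event dict; return a finding string or None."""
    eid = e["id"]
    if eid == 8:
        # Injection: a remote thread created in dllhost.exe by something that
        # is not itself a Windows system binary.
        if _name(e["target_image"]) == "dllhost.exe" and not _in_system_dir(e["source_image"]):
            return f"injection into dllhost.exe from {e['source_image']}"
    elif eid == 3:
        # Beaconing: dllhost.exe has no business on the internet; flag a known
        # C2 address, or any non-private destination on the C2 port.
        ip = e["dest_ip"]
        external = not ipaddress.ip_address(ip).is_private
        if _name(e["image"]) == "dllhost.exe" and (ip in C2_IPS or (e["dest_port"] == C2_PORT and external)):
            return f"dllhost.exe -> {ip}:{e['dest_port']}"
    elif eid == 1:
        cmd = e["command_line"].lower()
        image = _name(e["image"])
        # Persistence: a task that borrows the EdgeUpdate name but runs a
        # binary outside the real EdgeUpdate directory.
        if (image == "schtasks.exe" and "/create" in cmd and "edgeupdate" in cmd
                and EDGEUPDATE_HOME not in cmd):
            return f"scheduled task impersonating EdgeUpdate: {e['command_line']}"
        # Persistence: NetSupport client started on a host where it was not deployed.
        if image == NETSUPPORT_CLIENT:
            return f"NetSupport RMM client started: {e['image']}"
    return None


def scan(events):
    """Run every event through check_event and keep the hits."""
    return [f for f in (check_event(e) for e in events) if f]


# Constructed sample events: the malicious chain interleaved with benign lookalikes.
SAMPLE_EVENTS = [
    {"id": 8, "source_image": r"C:\Users\victim\Downloads\Setu\Setu.exe",
     "target_image": r"C:\Windows\System32\dllhost.exe"},
    {"id": 8, "source_image": r"C:\Windows\System32\csrss.exe",  # benign
     "target_image": r"C:\Windows\System32\dllhost.exe"},
    {"id": 3, "image": r"C:\Windows\System32\dllhost.exe", "dest_ip": "138.124.186.2", "dest_port": 7000},
    {"id": 3, "image": r"C:\Windows\System32\dllhost.exe", "dest_ip": "10.0.0.5", "dest_port": 7000},  # benign
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /tn EdgeUpdate /tr "C:\Users\victim\AppData\Roaming\EdgeUpdate\EdgeUpdate.exe" /sc minute /mo 5'},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",  # benign
     "command_line": r'schtasks.exe /create /tn MicrosoftEdgeUpdateTaskMachineUA /tr "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /ua" /sc daily'},
    {"id": 1, "image": r"C:\ProgramData\NetSupport\client32.exe", "command_line": "client32.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed records, the four malicious events are reported and the three benign lookalikes (csrss.exe injecting into dllhost.exe, dllhost.exe talking to an internal address, the genuine Edge update task) are not. On a real estate the schtasks rule should also cover tasks created through the Task Scheduler API rather than schtasks.exe, which Sysmon shows only indirectly.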

Potential Impact

The chain gives the attacker code execution and durable access on compromised hosts through multiple persistence mechanisms and process injection. Hiding the payload in a padded 400 MB DLL and running it inside a trusted Windows process (dllhost.exe) helps it evade file scanning and casual process review. NetSupport RMM gives the attacker full remote management of the host. Because the chain starts with an email and a MediaFire download, compromise depends on a user opening the archive and running Setu.exe. This is an active malware campaign rather than a software vulnerability, so there is no exploit or CVE to track; the outcome is unauthorized remote access to and control of the affected system.

Mitigation Recommendations

There is no patch to apply: this is a malware campaign, not a software vulnerability. Mitigation should combine user awareness (do not open unsolicited archives or follow unexpected MediaFire links) with technical controls. During triage, compare the timestamps of files inside the archive and of files in the dropped install directory; a payload added to a genuine runtime bundle often carries a different modification date, and a runtime DLL of several hundred megabytes made up mostly of repeated bytes is itself a red flag. Block and alert on the listed indicators (138.124.186.2, 185.76.243.85, bsc.blockrazor.xyz and xn--fiqq24b9hejs1c.clickvector.tech) at the network boundary, and alert on dllhost.exe making outbound connections to port 7000 or to any external address. Hunt for the persistence mechanisms: scheduled tasks whose name or action references EdgeUpdate but point outside the genuine Microsoft EdgeUpdate directory, PowerShell-based autostart entries, and NetSupport installations your organization did not deploy (the NetSupport client is legitimate software, so judge it by provenance rather than by its presence alone). Remove all three before considering the host clean, since any one of them is enough to restore the attacker's access.
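The timestamp comparison recommended in the technical analysis and again here is easy to automate at the archive level. The following is an added example written for this page, not a script from the original investigation or from AlienVault. It builds a constructed archive standing in for the MediaFire ZIP (three runtime files sharing a 2019 build date plus a python37.dll whose timestamp is from 2026 and whose body is mostly zero bytes), then flags entries whose timestamp falls outside the archive's dominant date cluster or whose body is dominated by a single byte value, the "repeated byte padding" the analysis describes. The file names and dates are assumptions; the real sample is not reproduced.

```python
"""Archive triage: timestamp outliers and repeated-byte padding in a ZIP.

Added example; the archive built by build_sample_zip() is constructed and
only mimics the layout described in the analysis.
"""
import io
import zipfile
from collections import Counter
from datetime import datetime, timedelta
from itertools import groupby

PAD_RATIO = 0.90                 # flag if one byte value is more than 90% of the file
TIME_WINDOW = timedelta(days=30)  # how far from the dominant date counts as odd


def build_sample_zip():
    """Constructed stand-in for the MediaFire archive (not the real sample)."""
    old = (2019, 3, 25, 20, 14, 0)    # shared build date of the genuine runtime files (assumed)
    fresh = (2026, 6, 10, 9, 31, 0)   # day the attacker packed the payload (assumed)
    stub = b"MZ" + bytes(range(256)) * 8         # small fake PE body, no long byte runs
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("Setu.exe", "python37.zip", "vcruntime140.dll"):
            zf.writestr(zipfile.ZipInfo(name, old), stub)
        # Payload: real-looking header, then a long run of identical padding bytes.
        zf.writestr(zipfile.ZipInfo("python37.dll", fresh), stub + b"\x00" * 200_000)
    return buf.getvalue()


def dominant_byte(blob):
    """Return (byte value, share of the file, longest identical run)."""
    value, count = Counter(blob).most_common(1)[0]
    longest = max(len(list(run)) for _, run in groupby(blob))
    return value, count / len(blob), longest


def triage(zip_bytes):
    """One row per archive entry with timestamp and padding verdicts."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        stamps = {i.filename: datetime(*i.date_time) for i in infos}
        # Files shipped together normally share a build date, so the most
        # common date is the baseline and anything far from it stands out.
        baseline = Counter(dt.date() for dt in stamps.values()).most_common(1)[0][0]
        for info in infos:
            dt = stamps[info.filename]
            value, share, run = dominant_byte(zf.read(info))
            rows.append({
                "name": info.filename,
                "modified": dt.isoformat(sep=" "),
                "size": info.file_size,
                "odd_timestamp": abs(dt.date() - baseline) > TIME_WINDOW,
                "pad_byte": value,
                "pad_share": round(share, 3),
                "longest_run": run,
                "padded": share > PAD_RATIO,
            })
    return rows


def suspicious(rows):
    """Names of entries that fail either check."""
    return [r["name"] for r in rows if r["odd_timestamp"] or r["padded"]]


if __name__ == "__main__":
    results = triage(build_sample_zip())
    for r in results:
        print(r)
    print("suspicious:", suspicious(results))
```

Two caveats when using this on real archives. ZIP entry times are DOS local time with two-second resolution and are trivially set by the packer, so this catches careless packaging rather than a careful adversary; the extended timestamp extra field, when present, is a second source worth comparing. For a 400 MB entry, read and count the bytes in chunks instead of calling zf.read() on the whole file.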


Technical Details

Author
AlienVault
TLP
white
References
https://x.com/Kostastsale/status/2066545189137629302
Adversary
not set
Pulse ID
6a30df4495796498a192312a
Threat Score
not set

Indicators of Compromise

IP
138.124.186.2
185.76.243.85

Domain
bsc.blockrazor.xyz
xn--fiqq24b9hejs1c.clickvector.tech

Threat ID: 6a317d9b0b89be6888e074c6

Added to database: 6/16/2026, 4:45:15 PM

Last enriched: 6/16/2026, 5:00:12 PM

Last updated: 6/17/2026, 4:59:03 AM

