Threats Tagged 'donut'

A sophisticated multi-stage malware campaign employs living-off-the-land techniques and in-memory payload delivery to evade security controls. The infection chain begins with a hidden batch file that executes an embedded PowerShell loader, which then injects Donut-generated shellcode into legitimate Windows processes. The final payload is a heavily obfuscated .NET framework implementing advanced anti-analysis techniques, credential harvesting, surveillance capabilities, and remote system control. Data exfiltration occurs via Discord webhooks and Telegram bots. The malware, identified as Pulsar RAT, features live chat functionality and background payload deployment, demonstrating a modern, high-evasion Windows malware operation designed for long-term access and large-scale data theft.

MediumMalwareGermanyFranceUnited Kingdom+4#anti-analysis#telegram#in-memory execution

This tutorial provides an in-depth analysis of a malware infection chain using shellcode generated by the Donut tool. It covers various stages of the attack, including initial download, trace concealment, and final payload delivery. The tutorial aims to familiarize readers with common analysis tools like dnSpy, IDA Pro, x64dbg, and ProcessHacker, while demonstrating both static and dynamic analysis techniques. It highlights malware behaviors such as dynamic API resolution, process injection, and AMSI bypassing. The excerpt focuses on analyzing an unknown function in the shellcode, explaining PC-relative addressing and position-independent code techniques used by malware to access resources.

MediumMalwareGermanyFranceUnited Kingdom+5#x64dbg#malware analysis#shellcode