Threats Tagged 'in-memory execution'

A sophisticated multi-stage malware campaign targets victims through tax-themed phishing emails impersonating Indian and Japanese government authorities. The operation leverages social engineering, fraudulent tax notifications, and trusted third-party email delivery services to distribute ZIP archives containing three staged payloads. The malware implements advanced evasion techniques including DLL Search Order Hijacking, API hooking, token manipulation, Mersenne Twister-based execution logic, COM callback execution, mutated RC4 encryption, and reflective PE loading. Execution occurs primarily in memory, significantly reducing forensic artifacts. The malware establishes persistent WebSocket-based command-and-control communication through HTTP protocol upgrades, allowing malicious traffic to blend with legitimate activity. Chinese-language artifacts were observed throughout the infrastructure and code, though attribution remains at moderate confidence. The campaign demonstrates characteristics of a mature, ...

MediumCampaignBritish Indian Ocean TerritoryIndiaJapan#websocket c2#dll hijacking#government impersonation

DesckVB RAT emerged in February 2026 through a sophisticated malspam campaign utilizing a dynamic delivery kit that personalizes lures on-the-fly by extracting victim email addresses and pulling company logos in real-time. The attack chain routes through Google's DoubleClick domain to evade email gateways before delivering a five-stage infection: HTML redirect, JScript loader, PowerShell dropper, .NET loader, and finally the RAT itself. The malware employs extensive anti-analysis techniques including sandbox detection, forced reboots upon detection, and in-memory execution via .NET reflection. Once established, it patches AMSI and ETW at the native API level, injects into legitimate Microsoft-signed binaries like InstallUtil.exe and MSBuild.exe, and establishes persistence through registry keys and scheduled tasks. The RAT communicates with DDNS-based C2 infrastructure on non-standard ports, performs system reconnaissance including GPU enumeration possibly for crypto mining, and can deliver additional payl...

Analysts discovered a new Remcos RAT infection chain starting with a batch file executing encoded commands that creates hidden directories and retrieves encrypted payloads. Unlike earlier campaigns relying on PowerShell-hosted .NET loaders, this variant incorporates DonutLoader shellcode and AutoIt-based staging for in-memory payload delivery. The infection begins with a phishing email containing a malicious batch file named Bestellung.CMD. The chain abuses legitimate Windows utilities including cscript.exe and SyncAppvPublishingServer.vbs to execute Base64-encoded payloads. Additional components are downloaded from cloud storage, including 7Zip tools and password-protected archives containing obfuscated JScript. The final payload consists of DonutLoader shellcode that injects Remcos RAT version 7.2.1 Pro into colorcpl.exe, enabling remote control, credential harvesting, keystroke logging, and additional payload deployment.