Threats Tagged 'multi-stage payload'
Operation TaxShadow: Multi-Region Tax Phishing & In-Memory Malware Campaign

A sophisticated multi-stage malware campaign targets victims through tax-themed phishing emails impersonating Indian and Japanese government authorities. The operation leverages social engineering, fraudulent tax notifications, and trusted third-party email delivery services to distribute ZIP archives containing three staged payloads. The malware implements advanced evasion techniques including DLL Search Order Hijacking, API hooking, token manipulation, Mersenne Twister-based execution logic, COM callback execution, mutated RC4 encryption, and reflective PE loading. Execution occurs primarily in memory, significantly reducing forensic artifacts. The malware establishes persistent WebSocket-based command-and-control communication through HTTP protocol upgrades, allowing malicious traffic to blend with legitimate activity. Chinese-language artifacts were observed throughout the infrastructure and code, though attribution remains at moderate confidence. The campaign demonstrates characteristics of a mature, ...

Medium | Campaign | AlienVault OTX General | 06/04/2026, 22:52:20 UTC | Added: 06/05/2026, 06:33:37 UTC

Operation Silent Rotor: Rust-Based Malware Targets Eurasian Unmanned Aviation Sector Ahead of Moscow Summit

A sophisticated spear phishing campaign targets professionals in the Eurasian unmanned aviation sector, timed to coincide with the XIII Eurasian International Forum 'Unmanned Aviation 2026' in Moscow. The attack delivers malicious archives containing Rust-based executables disguised as legitimate documents from the Russian Aeronautical Information Center. The malware displays aviation-themed decoy documents in Russian while collecting system information including hostnames, volume serial numbers, network adapter details, and environment variables. Collected data is encrypted via XOR and exfiltrated to a C2 server over HTTPS. The malware subsequently downloads and executes a second-stage payload using AES-256 decryption. The campaign demonstrates targeted social engineering with realistic aviation order documents, translation certificates, and product summaries to compromise victims in Russia, Tajikistan, Central Asia, the Middle East and Europe.

AlienVault OTX General | 05/06/2026, 15:01:58 UTC | Added: 05/07/2026, 08:51:22 UTC

Rebex-based Telegram RAT Targeting Vietnam

A sophisticated CHM-based malware campaign has been identified targeting Vietnamese victims through a trojanized CV document. The infection chain utilizes a compiled HTML file that deploys a multi-stage payload delivery mechanism involving Python interpreters, C++ DLLs, and layered XOR encryption. The malware establishes persistence through Shell hijacking and scheduled tasks, ultimately delivering a weaponized version of Rebex.Common.dll functioning as a Telegram-based remote access trojan. The RAT communicates via Telegram bot API, supporting commands for file download, token swapping, and arbitrary command execution. The infection demonstrates characteristics typical of targeted state-sponsored activity rather than opportunistic cybercrime, employing techniques historically associated with advanced threat actors operating in the Southeast Asian region.

AlienVault OTX General | 04/29/2026, 09:42:07 UTC | Added: 04/29/2026, 10:22:37 UTC