Threats Tagged 'shellcode injection'

APT37 conducted a sophisticated social engineering campaign utilizing Facebook accounts claiming locations in Pyongyang and Pyongsong, North Korea, to conduct reconnaissance and build trust with targets. After establishing relationships through Facebook Messenger, the threat actor migrated conversations to Telegram and employed pretexting tactics, claiming to share encrypted PDF documents containing military weapons information. Victims were persuaded to install a tampered Wondershare PDFelement installer that executed embedded shellcode for initial compromise. The attack chain delivered follow-on commands through a JPG-disguised payload hosted on a compromised Japanese real estate website. The malware abused Zoho WorkDrive OAuth2 APIs as C2 channels, exfiltrating screenshots, documents, system information, and audio files. The campaign employed multiple evasion techniques including code cave injection, process hollowing into legitimate dism.exe, XOR encryption layers, and fileless in-memory execution.

A sophisticated multi-stage malware campaign employs living-off-the-land techniques and in-memory payload delivery to evade security controls. The infection chain begins with a hidden batch file that executes an embedded PowerShell loader, which then injects Donut-generated shellcode into legitimate Windows processes. The final payload is a heavily obfuscated .NET framework implementing advanced anti-analysis techniques, credential harvesting, surveillance capabilities, and remote system control. Data exfiltration occurs via Discord webhooks and Telegram bots. The malware, identified as Pulsar RAT, features live chat functionality and background payload deployment, demonstrating a modern, high-evasion Windows malware operation designed for long-term access and large-scale data theft.

MediumMalwareGermanyFranceUnited Kingdom+4#anti-analysis#telegram#in-memory execution

Attackers are leveraging TikTok videos to distribute malware by masquerading as free software activations. The campaign uses social engineering to convince users to run malicious PowerShell scripts that download additional payloads, including the AuroStealer information stealer. Persistence is established via scheduled tasks, and one payload uses a self-compiling technique to inject shellcode directly into memory, evading detection. Multiple TikTok videos target various software products, employing the ClickFix technique to increase user trust. This threat exploits user interaction and social engineering on a popular platform, posing a medium risk due to its potential to compromise confidentiality and integrity. European organizations with users active on TikTok and those using targeted software products are at risk. Mitigations include user education, PowerShell execution restrictions, monitoring scheduled tasks, and blocking malicious domains. Countries with high TikTok usage and significant software user bases, such as Germany, France, and the UK, are more likely to be affected.

MediumMalwareGermanyFranceItaly+5#scheduled tasks#self-compiling#tiktok