
Threats Tagged 't1055'

View all threats tagged with 't1055'. Filter and sort to focus on specific types of threats.

PHISH ALERT: From a Simple Phishing Email to a Full Attack Arsenal: The Evolution of "ClickFix"

This sophisticated phishing campaign, described as the evolution of "ClickFix", uses social engineering and victim-assisted execution to bypass endpoint security. Attackers send emails with urgent OneDrive document lures containing malicious ZIP attachments. The attack employs LNK shortcuts that redirect victims to landing pages which silently inject PowerShell commands into the clipboard. Victims are tricked into manually executing these commands via Win+R, circumventing traditional security filters. The campaign uses DNS TXT records for payload staging to avoid HTTP detection and includes multiple malicious components such as obfuscated scripts, fake MSI installers masquerading as legitimate software, and spyware-laden ISO images for persistent access. This campaign represents a shift toward long-term post-compromise control of the environment.

Artifact scanner detects npm package 'node-fetch-utils' using external dependency resolution with remote tarball dependency from GitHub

A malicious npm package named 'node-fetch-utils' was identified masquerading as a legitimate utility. It uses a remote tarball dependency from GitHub that executes during installation on Windows systems. The package runs an obfuscated postinstall script that downloads a bundled Python runtime, placing it as Microsoft\EdgeBroker\pythonw.exe for persistence. This runtime is then used to execute a fileless Python implant decrypted in memory and launched stealthily via wscript. The dropper scripts self-delete while the disguised runtime remains active, establishing command and control communications.

3CXDesktopApp Intrusion Campaign Prevention

A sophisticated supply chain attack compromised the legitimate 3CXDesktopApp softphone application across Windows, macOS, and Linux platforms. The malicious activity involved trojanized signed installers that deployed a compromised ffmpeg.dll binary, establishing HTTPS beacons to attacker-controlled infrastructure and enabling second-stage payload deployment. Analysis revealed the attack utilized specific beacon structures and encryption keys matching infrastructure patterns, with hands-on-keyboard activity observed in targeted cases. The operation affected multiple platforms through signed MSI installers containing malicious components. The attack demonstrated advanced tradecraft through abuse of trusted software distribution channels, requiring immediate removal of affected versions and deployment of behavioral detection capabilities to identify malicious beaconing activity.

Operation Poisson – Analyzing a Cybercriminal’s Entire Operation

A comprehensive analysis of 339 commands issued by a French-speaking threat actor nicknamed 'Poisson' over 33 days, targeting a French automotive small business and four French individuals. The attacker utilized a multi-stage fileless attack deploying a 70-line Python keylogger to harvest banking and email credentials. The operation leveraged free-tier infrastructure including Havoc C2 framework, Backblaze B2 storage, and DuckDNS. Most significantly, the attacker installed OpenSSH and Tailscale VPN on victim machines, creating persistent access that survived C2 server takedown. When the C2 went offline for 18 days, the attacker's access remained intact through the VPN mesh, demonstrating that VPN-mesh-based persistence is actively used in real-world intrusions and that traditional C2 takedown is insufficient for remediation.

ClickFix Campaign Generated Via AI Delivers SmartRAT

In March 2026, threat actors leveraged AI-powered website builders to create typosquatting domains impersonating a Brazilian bank. The campaign employed ClickFix techniques, presenting victims with fake CAPTCHA and BSOD screens to trick them into executing malicious PowerShell commands. This delivered SmartRAT, a PowerShell-based banking trojan with capabilities including encrypted C2 communications, remote control of screen/keyboard/mouse, credential theft through keylogging and banking overlays, and QR code interception for transaction fraud. The malware establishes persistence via scheduled tasks and Windows services, and targets Brazilian financial institutions, payment platforms, and cryptocurrency exchanges. The threat actors' C2 panel contained critical authentication flaws allowing client-side bypass, suggesting deployment without adequate security review.

Potemkin Loader & RMMProject: The Anatomy of a ClickFix Attack

A ClickFix social engineering attack on an unmonitored endpoint led to a multi-stage intrusion affecting over 11 hosts. The infection chain began with a malicious HTA payload that silently installed an MSI package containing Potemkin, a custom loader with a deterministic DGA. Potemkin delivered RMMProject, a 4.4 MB Lua-scriptable RAT featuring browser credential theft with Chrome App-Bound Encryption bypass, hidden-desktop remote control, and 15 distinct task types. The attacker also deployed EtherRAT, a Node.js backdoor that resolves C2 addresses from the Ethereum blockchain, and established a Cloudflare tunnel for persistent access. Hands-on-keyboard activity included battling Windows Defender through AMSI patches, registry modifications, and service termination, followed by lateral movement via WMIExec and SMBExec to deploy malware across the network and reach the domain controller.

Investigation of email-based attack delivering MediaFire ZIP file with execution chain analysis

An investigation revealed a malicious email campaign directing victims to download a ZIP file from MediaFire. The infection chain began with a Python setup executable (Setu.exe) that side-loaded a malicious 400 MB python37.dll containing repeated byte padding. The DLL performed process injection into dllhost.exe, establishing communication with a C2 server at 138.124.186.2:7000. The threat actor deployed three persistence mechanisms: a PowerShell-based path, a fake EdgeUpdate Python executable with scheduled task, and NetSupport RMM as a third access method. The analysis highlights the importance of comparing file timestamps during triage to identify malicious artifacts within compressed archives.

Gamers beware: malicious wallpapers on Steam found stealing accounts

Since late 2025, cybercriminals have been exploiting Wallpaper Engine, a popular live wallpaper application on Steam, to distribute malware through Steam Workshop. Attackers target primarily Chinese and Russian gamers by embedding malicious code within application wallpapers shared on the platform. These compromised wallpapers deliver various malware types including infostealers, backdoors, crypto miners, and ransomware. One analyzed sample dropped DarkKomet backdoor while hijacking Steam sessions to steal account credentials. The malware modifies system libraries to locate Steam installations and exfiltrate data to attacker-controlled servers. Compromised accounts are then used to upload additional malicious wallpapers. The diverse malware families suggest multiple independent hacking groups are exploiting this distribution method. Infected wallpapers received thousands of downloads before removal, with 89% of infections occurring in China.

Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2

NarwhalRAT is a sophisticated Python-based RAT targeting Korean users through spear phishing emails disguised as Microsoft security alerts. The attack chain employs LNK files embedded in ZIP archives, BAT-based obfuscation, and multi-stage loaders culminating in NarwhalRAT deployment. The malware features keylogging, screen capture, microphone recording, and USB data collection capabilities. It uses a dual C2 infrastructure combining Korean relay servers (daehoat.com, novel21.co.kr) with the pCloud API as a dead-drop resolver. The malware creates encrypted configuration files, implements anti-VM techniques, and establishes persistence through scheduled tasks. It operates as a manually controlled RAT with selective function activation via C2 commands, employing in-memory execution to evade file-based detection.

Targeted espionage against Cambodian government entities

Acronis Threat Research Unit identified two espionage campaigns targeting Cambodian government entities in defense and public works sectors, attributed to a cluster tracked as Khmer Shadow. Both campaigns delivered a custom C++ loader named NIGHTFORGE through government-themed lures in self-extracting archives. NIGHTFORGE employs sophisticated evasion techniques including NTDLL unhooking and Hell's Gate syscall resolution to decrypt and execute a Havoc Demon payload in memory. The loader utilizes DLL sideloading through a legitimate VMware-signed binary (VMwareNamespaceCmd.exe) and establishes persistence via COM-based scheduled tasks. Despite advanced technical capabilities, the actor demonstrated poor operational security by reusing identical payloads and infrastructure across targets. The campaigns targeted Cambodia's Information Collection Bureau and Ministry of Public Works and Transport using meeting-themed social engineering lures.

Showing 1 to 10 of 25 results

Page 1 of 3