The post The Self-Parsing Ghost: Inside Deep#Door’s Stealthy Python Backdoor appeared first on Daily CyberSecurity.

Unit 42 uncovers high-risk AI browser extensions. Disguised as productivity tools, they steal data, intercept prompts, and exfiltrate passwords. Protect your browser.

The post That AI Extension Helping You Write Emails? It’s Reading Them First appeared first on Unit 42.

The post Minirat’s Stealth Supply Chain Attack Targets macOS Developers appeared first on Daily CyberSecurity.

The post Attackers Are Weaponizing Foxit PDF Reader’s Reputation appeared first on Daily CyberSecurity.

A newly identified cyber campaign involving JanaWare ransomware is targeting users in Turkey, with researchers linking the activity to a customized version of the Adwind Remote Access Trojan (RAT). The findings come from an analysis by researchers at Acronis’ Threat Research Unit (TRU), who identified the threat cluster during an investigation into suspicious Java-based malware samples. According to the researchers, the JanaWare ransomware operation appears to have been active since at least 2020. Evidence from malware samples and infrastructure indicates that the campaign has continued into late 2025, suggesting sustained activity with limited visibility. The attack relies on a modified Adwind RAT that includes polymorphic capabilities. This allows the malware to change its structure across infections, making detection more difficult. Combined with code obfuscation, these techniques have likely contributed to the campaign remaining relatively unnoticed. Unlike large ransomware groups that focus on high-value enterprise targets, JanaWare ransomware appears to follow a different strategy. Observed ransom demands range between $200 and $400, pointing to a model that prioritizes volume over large individual payouts.

Phishing Identified as Primary Infection Vector

The JanaWare ransomware campaign primarily spreads through phishing emails. Victims are lured into clicking malicious links, which lead to the download of a Java archive file. In many observed cases, the payload is hosted on cloud storage platforms. Telemetry data reviewed by researchers shows a consistent attack chain. A phishing email is opened in Microsoft Outlook, followed by a browser session that downloads the malicious file. The file is then executed using Java, triggering the infection. [caption id="attachment_111347" align="aligncenter" width="761"] Image Source: Acronis’ Threat Research Unit (TRU)[/caption] User reports on public cybersecurity forums also describe similar incidents, supporting the assessment that phishing is the main entry point.

Geofencing Restricts Janaware Ransomware Attacks to Turkey

A key feature of the JanaWare ransomware is its use of geofencing. The malware is designed to execute only on systems that meet specific regional criteria linked to Turkey. It checks system language, locale settings, and external IP geolocation before proceeding. If the system does not match Turkish parameters, the malicious activity is halted. Researchers note that this approach likely serves both operational and defensive purposes. It allows attackers to focus on a specific region while reducing exposure to global security monitoring and automated analysis systems.

Obfuscation and Polymorphism Hinder Detection

The JanaWare ransomware incorporates multiple techniques to evade detection. Researchers identified the use of known obfuscation tools such as Stringer and Allatori, alongside custom methods that complicate analysis. The malware also includes a self-modifying component that alters its file structure during deployment. By adding random data to its Java archive, each instance generates a unique file hash, limiting the effectiveness of signature-based detection. In addition, the malware contains embedded configuration parameters that control its behavior. These include command-and-control server details, communication ports, and authentication values used during initial connections.

Security Controls Disabled Before Encryption Stage

Before encrypting files, the malware attempts to weaken system defenses. It executes commands to disable Microsoft Defender, suppress security alerts, and remove recovery mechanisms such as Volume Shadow Copies. It also interferes with Windows Update and scans for installed antivirus software. These steps reduce the likelihood of detection or recovery once the ransomware payload is activated. The encryption process is carried out by a secondary module delivered after the initial compromise. This module uses AES encryption and communicates with command-and-control infrastructure over the Tor network.

Turkish-Language Ransom Notes Signal Targeted Approach

After encryption, the malware drops ransom notes across affected systems. These notes are written in Turkish and instruct victims to contact the attackers through encrypted communication channels such as qTox or Tor-based websites. Researchers say the consistent use of Turkish-language content, combined with geofencing, indicates a deliberate focus on users in Turkey rather than a broad, global campaign. The JanaWare ransomware campaign highlights how targeted, lower-profile operations can persist over long periods without drawing significant attention. By focusing on home users and small businesses, and keeping ransom demands relatively low, the attackers appear to maintain a steady but less visible operation. Researchers caution that such localized campaigns may continue to operate alongside larger ransomware groups, adding another layer to the evolving threat landscape.

Ukraine's frontline cyber defense agency became the subject of its own investigation last week after an unknown threat actor built a convincing fake version of its website, sent emails impersonating its staff and instructed recipients across the country to download malware packaged as official security software. The Computer Emergency Response Team of Ukraine, CERT-UA, disclosed on Sunday, that between March 26 and 27, attackers distributed emails falsely attributed to CERT-UA, urging recipients to download a password-protected archive named either "CERT_UA_protection_tool.zip" or "protection_tool.zip". The file was made available for download from Files.fm file-sharing service and installed what the messages described as specialized protective software. The phishing emails were targeted at a broad cross-section of Ukrainian institutions including government organizations, medical centers, security companies, educational institutions, financial institutions and software development firms. Supporting the phishing campaign, attackers had registered and populated a counterfeit website at cert-ua[.]tech — a domain created on March 27, just one day into the distribution window. The look-a-like website had content lifted directly from the official CERT-UA website at cert[.]gov[.]ua, alongside fabricated instructions for downloading the malicious "protection tool." The executable file inside those archives was not protective software. CERT-UA classified it as AGEWHEEZE, a full-featured Remote Access Trojan (RAT) written in the Go programming language. A RAT is malware that gives an attacker complete remote control over an infected machine: not just file access, but live screen viewing, keyboard and mouse emulation, command execution, process and service management, clipboard reading and writing, and the ability to shut down, restart, or lock the device entirely. AGEWHEEZE's command set is exhaustive and purpose-built for persistent, covert control. It supports screen capture and real-time input emulation, full file system operations including read, write, delete, rename, and directory creation, process killing, service control, autorun management, terminal access, and the ability to open arbitrary URLs on the victim machine. AGEWHEEZE establishes persistence through the Windows registry startup key, the Startup directory, or a scheduled task, creating entries named "SvcHelper" or "CoreService" depending on the infection path. All communications to its command-and-control server route over WebSocket connections to a server hosted on infrastructure belonging to French cloud provider OVH. That command-and-control server carried its own revealing details. On port 8443, a web page titled "The Cult" displayed an authentication form. Buried in the HTML source of that page, investigators found Russian-language text reading: "Membership suspended. Your access to the Cult has been blocked. Contact the administrator to restore it." The self-signed SSL certificate on the server was created on March 18, with "TVisor" listed in the Organization field, matching the internal package name found inside the malware itself: "/example.com/tvisor/agent. Attribution arrived quickly and from the attackers themselves. A review of the AI-generated fake website at cert-ua[.]tech uncovered a line embedded in the HTML code reading: "With Love, CYBER SERP — https://t[.]me/CyberSerp_Official." [caption id="attachment_110836" align="aligncenter" width="600"] Fake website and HTML code embedding CyberSerp details. (Source: CERT-UA)[/caption] On March 28, the day after the campaign launched, the Telegram channel referenced in that code published a message claiming responsibility for the attack, eliminating any ambiguity about attribution. CERT-UA created the tracking identifier UAC-0255 for this activity. The agency assessed the cyberattack as "unsuccessful." No more than a few personal devices belonging to employees of educational institutions were identified as infected. CERT-UA said its specialists provided methodological and practical assistance to affected parties, and acknowledged Ukrainian electronic communications providers for their contribution to delivering cyber threat information to subscribers and maintaining national cyber incident response infrastructure. CERT-UA itself has previously documented campaigns by multiple threat groups — including UAC-0002, UAC-0035, and the group tracked here as UAC-0252 — that similarly weaponize government branding. In this case, the attackers targeted the cyber defense agency whose name carries the highest authority in Ukrainian information security communications, turning that trust directly against the institutions that rely on it. CERT-UA noted that the development of artificial intelligence significantly simplifies the execution of cyber threats. The attackers' own use of an AI-generated phishing site is a direct illustration of that warning, the cyber defense agency explained. It recommended that organizations reduce their attack surface by configuring standard operating system protections including Software Restriction Policies and AppLocker, and deploying specialized endpoint protection tools. Full indicators of compromise including file hashes, network indicators, and host-based artifacts are available in the CERT-UA advisory.

Also read: Hackers Exploit RDP Tools to Breach Ukraine’s Notarial Offices, CERT-UA Reports

Iranian threat group Boggy Serpens' cyberespionage evolves with AI-enhanced malware and refined social engineering. Unit 42 details their persistent targeting.

The post Boggy Serpens Threat Assessment appeared first on Unit 42.

Executive Summary

SURXRAT is an actively developed Android Remote Access Trojan (RAT) commercially distributed through a Telegram-based malware-as-a-service (MaaS) ecosystem under the SURXRAT V5 branding.

The malware is marketed using structured reseller and partner licensing tiers, allowing affiliates to generate and distribute customized builds while the operator maintains centralized infrastructure and operational control.

This distribution model reflects the increasing professionalization of the Android threat landscape, where malware developers focus on scalability and monetization through affiliate-driven campaigns.

Technical analysis shows that SURXRAT operates as a full-featured surveillance and device-control platform capable of extensive data exfiltration, real-time remote command execution, and ransomware-style device locking.

The malware abuses accessibility permissions for persistent control and communicates with a Firebase-based command-and-control infrastructure to manage infected devices. Code similarities suggest that it evolved from the ArsinkRAT family.

We have identified the latest samples that conditionally download a large LLM module, indicating experimentation with AI-assisted capabilities, device performance manipulation, and alternative monetization strategies alongside traditional surveillance and extortion activities.

While it may not always be possible to avoid these threats entirely, prompt action can help reduce the impact of compromise. Threat intelligence tools such as Vision provide users with a real-time view of their digital threat landscape, alerting them to any compromise and enabling them to take corrective action.

Key Takeaways

• SURXRAT is sold openly via Telegram, with reseller and partner licensing tiers, enabling scalable distribution through affiliate operators rather than centralized campaigns.
• Source code references and functional overlap indicate SURXRAT likely evolved from ArsinkRAT, highlighting continued reuse and rapid enhancement of Android RAT frameworks.
• The malware collects sensitive data, including SMS messages, contacts, call logs, device information, location data, and browser activity, enabling credential theft and financial fraud operations.
• Use of Firebase Realtime Database infrastructure allows attackers to blend malicious communications with legitimate cloud traffic, improving reliability and complicating detection.
• SURXRAT conditionally downloads a large LLM module from external repositories, suggesting experimentation with AI-driven functionality, device performance manipulation, or evasion techniques.
• The integrated ransomware-style screen locker enables attackers to deny device access and demand payment, allowing flexible monetization through surveillance, fraud, or extortion.

Overview

Cyble Research and Intelligence Labs (CRIL) identified a new variant of SURXRAT, an actively developed Android Remote Access Trojan (RAT) being openly commercialized through a dedicated Telegram-based distribution ecosystem. Unlike opportunistic commodity malware, SURXRAT is positioned as a subscription-style cybercrime product, indicating an increasing level of professionalization in the Android malware-as-a-service (MaaS) landscape.

The Indonesian threat actor (TA) operates a Telegram channel through which the malware is marketed, regularly updated, and distributed to resellers and partners. The channel was created in late 2024, suggesting that active malware development likely began in early 2025. At the time of analysis, we identified more than 180 related samples, indicating continuous development activity and demonstrating that the threat actor is actively maintaining and evolving the malware.

The structured pricing tiers, operational announcements, and feature updates demonstrate a mature commercialization model similar to underground SaaS platforms, suggesting the operator is targeting aspiring cybercriminals rather than conducting attacks directly.

SURXRAT is marketed under a structured licensing scheme branded as SURXRAT V5, indicating active development and ongoing version iteration by the operator. The threat actor offers two primary purchase tiers within a “Ready Plan” model designed to attract both individual operators and larger resellers.

The Reseller Plan, advertised at a one-time payment of 200k, provides permanent access, allows buyers to generate up to three malware builds per day, includes free server upgrades, and permits users to create and sell SURXRAT builds while adhering to the operator’s predefined market pricing.

The Partner Plan, priced at 500k as a permanent license, expands these capabilities by increasing the daily build limit to ten accounts, maintaining free server upgrades, and granting buyers the ability to establish their own reseller networks, effectively enabling further distribution.

Both tiers emphasize a one-time payment structure (“anti pt pt”), suggesting no recurring subscription fees. This tiered commercialization approach demonstrates the operator's deliberate attempt to scale malware adoption through affiliate-style distribution, decentralizing infection operations while retaining centralized control over infrastructure and ecosystem governance.

The threat actor periodically posts operational statistics to reinforce legitimacy and attract buyers. One such announcement revealed:

• Bot Status: Active
• Total Users: 1,318 registered accounts within the system
• Operational confirmation timestamp: January 2026

While these figures cannot be independently verified, public disclosure of user metrics is a common underground marketing tactic intended to establish credibility and demonstrate adoption among cybercriminal customers. If accurate, the numbers suggest a growing ecosystem of operators leveraging SURXRAT for Android surveillance and financial fraud operations.

SURXRAT V5 provides a comprehensive surveillance and remote-control feature set consistent with modern Android RATs. The functionality indicates a strong emphasis on data harvesting, device monitoring, and full remote manipulation.

Data Collection and Surveillance Features

The malware enables extensive extraction of sensitive user information, including:

• SMS monitoring
• Contact list and call logs
• System information and installed applications
• Gmail account data
• Device location tracking
• Network and connectivity information
• Notification interception
• Clipboard monitoring
• Web browsing history
• Cellular tower intelligence
• WiFi scanning and connection history
• Full file manager access

This level of visibility allows attackers to perform credential harvesting, OTP interception, profiling, and reconnaissance for secondary fraud operations.

Remote Device Control Capabilities

SURXRAT extends beyond passive surveillance by enabling attackers to manipulate compromised devices actively:

• Remote device unlocking
• Triggering phone calls
• Wallpaper modification via remote URL
• Remote audio playback
• Network lag manipulation
• Push notification delivery
• Forced website opening
• Flashlight activation
• Device vibration control
• On-screen text overlays
• Device locking using attacker-defined PIN
• Complete storage wipe functionality

During analysis of the SURXRAT sample, references to ArsinkRAT were found in the source code, suggesting a developmental relationship between the two malware families. In January 2026, Zimperium reported an increase in activity associated with ArsinkRAT campaigns targeting Android devices.

A comparative analysis indicates notable functional and structural similarities between SURXRAT and ArsinkRAT, suggesting that the threat actor likely leveraged the ArsinkRAT source code. Using this foundation, an enhanced variant incorporating additional capabilities and updated features was subsequently developed.

This evolution highlights how existing Android RAT frameworks continue to be repurposed and expanded by threat actors, accelerating malware development cycles and enabling rapid introduction of new surveillance and control functionalities.

During our analysis of the latest SURXRAT variant, we identified a deliberate mechanism to manipulate network lag. The malware initiates the download of a large LLM module (>23GB) hosted on Hugging Face. This approach is highly atypical for a mobile-based device.

Notably, this download is conditionally triggered when specific gaming applications are active on the victim’s device, namely Free Fire MAX x JUJUTSU KAISEN (com.dts.freefiremax) and Free Fire x JUJUTSU KAISEN (com.dts.freefireth), or when the malware receives alternative target package names dynamically from the threat actor–controlled server.

This indicates that the download behavior is remotely configurable, allowing operators to initiate the module retrieval based on applications specified through backend commands.

While downloading a model of this size on a mobile device may initially appear impractical, the observed behavior indicates intentional implementation rather than a misconfiguration. The LLM module appears to be under active development and may be leveraged to:

• Deliberately introduce device or network latency during gameplay, potentially supporting paid cheating or disruption services
  mask malicious background activity by degrading overall device performance, leading users to attribute abnormal behavior to system issues rather than malware
  enable future AI-driven capabilities, such as automated interactions or adaptive social engineering techniques

The selective and conditional deployment of this module suggests that the threat actor is actively experimenting with AI-based components to enhance monetization strategies, improve evasion techniques, and expand operational capabilities.

Technical Analysis

Upon execution, the malware prompts the victim to grant multiple high-risk permissions, including access to location services, contacts, SMS messages, and device storage.

Following initial permission approval, the malware displays additional prompts guiding the user to enable Accessibility Services. This commonly abused Android feature allows applications to monitor screen content and perform automated actions. The abuse of accessibility permissions significantly increases attacker control, enabling surveillance and facilitating further malicious operations without continuous user interaction.

After acquiring the required permissions, SURXRAT establishes communication with a backend infrastructure hosted on a Firebase Realtime Database:

hxxps://xrat-sisuriya-default-rtdb.firebaseio[.]com

The malware connects using a database reference labeled “arsinkRAT,” further reinforcing the developmental linkage between SURXRAT and the previously observed ArsinkRAT malware family.

Once connectivity is established, the malware performs device registration by generating a random UUID, which serves as a unique identifier for tracking infected devices. Following registration, SURXRAT immediately begins exfiltrating sensitive information to the Firebase backend.

The malware collects and transmits a wide range of victim data, enabling comprehensive device profiling. Exfiltrated information includes:

• Contact lists
• SMS messages
• Call logs
• Device brand and model
• Android OS version
• Battery level and status
• SIM card details
• Network information
• Public IP address

This dataset allows attackers to uniquely identify victims, monitor communications, and prepare follow-on fraud or surveillance activities such as OTP interception and account takeover.

After successful device registration, SURXRAT launches a persistent background service that maintains continuous communication with the Firebase command-and-control (C&C) infrastructure and receives commands. The malware initializes multiple internal manager classes that handle surveillance, device control, and data collection.

The infected device periodically sends status updates to the backend while simultaneously polling for incoming commands issued by the operator. This near real-time synchronization enables attackers to execute actions on compromised devices remotely with minimal delay.

Analysis of command handlers revealed several instructions received from the Firebase backend that allow attackers to perform surveillance and active device manipulation:

Spy Commands	Description
accounts	Collects Google account information associated with the device
apps_list	Retrieves the list of installed applications
device_info	Collects detailed device metadata
audio_record	Records audio
file_list	Enumerates files and extracts metadata
flashlight	Remotely controls the device flashlight
camera_photo	Captures images using the device camera
contacts	Collects contacts
call_log	Collects call log
sms_read	Collects SMSs
Sms_send	Sends SMSs from the infected device
tts	Execute text to speech
call	Makes a call from the infected device
toast	Display a toast message
vibrate	Remotely vibrates the device
file_delete	Deletes file
location	Collects the victim’s location
file_upload	Sends file to the server
RAT Commands	Description
access	Collects clipboard data
unlock	Remove locks
app	Sync app list
Cal	Dail calls
fla	Handles flashlight
for	Wipe data
Mus	Play music
Not	Send System update notification
url	Opens URL
vib	Vibrates device
voi	Executes text-to-speech
wal	Changes wallpapers
Brow	Collects browser history
Cell	Collects the device’s cell info
Lock	Execute the Screen Locker feature
wifih	Collect Wi-Fi history
wifis	Execute text-to-speech

The figure below shows the admin panel image shared on the threat actor’s Telegram account, highlighting the various actions and controls available through SURXRAT.

Screen Locker Activity

The SURXRAT sample also contains a ransomware-style screen locker module that allows a remote attacker to seize control of the victim’s device and temporarily deny access to it. When activated, the malware forces the device to display a persistent full-screen lock message that the user cannot easily dismiss. The attacker can remotely customize both the displayed message and the unlock PIN, enabling them to demand a ransom payment directly from the victim.

The malware continuously reports user interactions back to the attacker’s server. Each incorrect PIN entry is transmitted to the backend, allowing the operator to monitor victim behavior and response attempts in real time. The lock screen can also be remotely removed by the attacker, giving them complete control over when the device becomes usable again. Overall, this functionality appears intended to coerce victims through disruption and intimidation, ultimately facilitating ransom-based monetization.

The integration of ransomware-style locking into a surveillance RAT indicates hybrid monetization, allowing operators to switch between espionage, fraud, and direct extortion based on the value of the victim.

Conclusion

SURXRAT represents a notable evolution in Android malware, combining MaaS-style commercialization, cloud-based command infrastructure, and modular capabilities into a single adaptable threat platform. The malware’s extensive surveillance features, real-time remote control functions, and ransomware-style device locking demonstrate a shift toward multi-functional mobile threats designed for flexible monetization.

The observed experimentation with large AI model integration further indicates that threat actors are actively exploring emerging technologies to enhance operational effectiveness and evade detection. As Android malware ecosystems continue to mature, threats like SURXRAT highlight the increasing accessibility of advanced mobile attack capabilities to a broader cybercriminal audience, reinforcing the need for improved mobile threat visibility, behavioral detection, and user awareness.

Prevention is ideal, but it isn’t always an option. Threat Intelligence platforms such as Cyble Vision provide users with insight into their digital risk profile and can notify them of any breaches or unauthorized access, enabling them to take immediate corrective action.

Our Recommendations

We have listed some essential cybersecurity best practices that serve as the first line of defense against attackers. We recommend that our readers follow the best practices given below:

• Install Apps Only from Trusted Sources:
  Download apps exclusively from official platforms, such as the Google Play Store. Avoid third-party app stores or links received via SMS, social media, or email.
• Be Cautious with Permissions and Installs:
  Never grant permissions and install an application unless you're certain of an app's legitimacy.
• Watch for Phishing Pages:
  Always verify the URL and avoid suspicious links and websites that ask for sensitive information.
• Enable Multi-Factor Authentication (MFA):
  Use MFA for banking and financial apps to add an extra layer of protection, even if credentials are compromised.
• Report Suspicious Activity:
  If you suspect you've been targeted or infected, report the incident to your bank and local authorities immediately. If necessary, reset your credentials and perform a factory reset.
• Use Mobile Security Solutions:
  Install a mobile security application that includes real-time scanning.
• Keep Your Device Updated:
   Ensure your Android OS and apps are updated regularly. Security patches often address vulnerabilities exploited by malware.

MITRE ATT&CK® Techniques

Tactic	Technique ID	Procedure
Persistence (TA0028)	Event Triggered Execution: Broadcast Receivers(T1624.001)	SURXRAT registered the BOOT_COMPLETED broadcast receiver to activate the screen locker activity
Persistence (TA0028)	Foreground Persistence (T1541)	SURXRAT uses foreground services by showing a notification
Defense Evasion (TA0030)	Impair Defenses: Prevent Application Removal (T1629.001)	Prevent uninstallation
Defense Evasion (TA0030)	Obfuscated Files or Information (T1406)	SURXRAT uses a Base64 encoding to encode the stolen files and send them to the Telegram Bot
Credential Access (TA0031)	Access Notifications (T1517)	SURXRAT collects device notifications
Discovery (TA0032)	Software Discovery (T1418)	SURXRAT collects the installed application list
Discovery (TA0032)	System Information Discovery (T1426)	SURXRAT collects the device information
Discovery (TA0032)	System Network Connections Discovery (T1421)	SURXRAT collects cell and wifi information
Discovery (TA0032)	File and Directory Discovery (T1420)	SURXRAT Enumerates external storage
Credential Access (TA0031)	Clipboard Data (T1414)	SURXRAT collects Clipboard Data
Collection (TA0035)	Audio Capture (T1429)	SURXRAT can capture audio
Collection (TA0035)	Data from Local System (T1533)	SUXRAT collects files from external storage
Collection (TA0035)	Location Tracking (T1430)	SURXRAT Can collect location
Collection (TA0035)	Protected User Data: Call Log (T1636.002)	SURXRAT Collects call log
Collection (TA0035)	Protected User Data: Contact List (T1636.003)	Collects contact data
Collection (TA0035)	Protected User Data: SMS Messages (T1636.004)	Collects SMS data
Collection (TA0035)	Protected User Data: Accounts (T1636.005)	SUXRAT collects Gmail account data
Collection (TA0035)	Video Capture (T1512)	SURXRAT Captures photos using the device camera
Command and Control (TA0037)	Application Layer Protocol: Web Protocols (T1437.001)	Malware uses HTTPs protocol
Exfiltration (TA0036)	Exfiltration Over C2 Channel (T1646)	SURXRAT sends collected data to the C&C server
Impact (TA0034)	SMS Control (T1582)	SURXRAT can send SMSs from the infected device
Impact (TA0034)	Call Control (T1616)	SURXRAT can make calls
Impact (TA0034)	Data Destruction (T1662)	Wipe external storage

Indicators of Compromise (IOCs)

The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.

The post SURXRAT: From ArsinkRAT roots to LLM Module Downloads Signaling Capability Expansion appeared first on Cyble.

CVE-2026-1731 is an RCE vulnerability in identity platform BeyondTrust. This flaw allows attackers control of systems without login credentials.

The post VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731) appeared first on Unit 42.

Attackers exploited Hugging Face’s trusted infrastructure to spread an Android RAT, using fake security apps and thousands of malware variants.

The post Hugging Face Repositories Abused in New Android Malware Campaign appeared first on TechRepublic.

Executive Summary

CRIL (Cyble Research and Intelligence Labs) has been tracking a sophisticated commodity loader utilized by multiple high-capability threat actors. The campaign demonstrates a high degree of regional and sectoral specificity, primarily targeting Manufacturing and Government organizations across Italy, Finland, and Saudi Arabia.

This campaign utilizes advanced tradecraft, employing a diverse array of infection vectors including weaponized Office documents (exploiting CVE-2017-11882), malicious SVG files, and ZIP archives containing LNK shortcuts. Despite the variety of delivery methods, all vectors leverage a unified commodity loader.

The operation's sophistication is further evidenced by the use of steganography and the trojanization of open-source libraries. Adding their stealth is a custom-engineered, four-stage evasion pipeline designed to minimize their forensic footprint.

By masquerading as legitimate Purchase Order communications, these phishing attacks ultimately deliver Remote Access Trojans (RATs) and Infostealers.

Our research confirms that identical loader artifacts and execution patterns link this campaign to a broader infrastructure shared across multiple threat actors.

Key Takeaways

• Precision Targeting & Geographic Scope: The campaign specifically targets the Manufacturing and Industrial sectors across Europe and the Middle East. The primary objective is the exfiltration of sensitive industrial data and the compromise of high-value administrative credentials.
• Versatile Malware Distribution: The loaders serve as a multi-functional distribution platform. They have been observed delivering a variety of RATs (and information stealers, such as PureLog Stealer, Katz Stealer, DC Rat, Async Rat, and Remcos). This indicates the loader is likely shared or sold across different threat actor groups.
• Steganography & Infrastructure Abuse: To bypass traditional network security, the threat actors hosted image files on legitimate delivery platforms. These images contain steganographically embedded payloads, allowing the malicious code to slip past file-based detection systems by masquerading as benign traffic
• Trojanization of Open-Source Libraries: The actors utilize a sophisticated "hybrid assembly" technique. By appending malicious functions to trusted open-source libraries and recompiling them, the resulting files retain their authentic appearance and functionality, making signature-based detection extremely difficult.
• Four-Stage Evasion Pipeline: The infection chain is engineered to minimize forensic footprint. It employs a high-velocity, four-stage process:
  • Script Obfuscation: To hide initial intent.
• • Steganographic Extraction: To pull the payload from images.
• • Reflective Loading: To run code directly in memory without touching the disk.
• • Process Injection: To hide malicious activity within legitimate system processes.
• Novel UAC Bypass Discovery: A unique User Account Control (UAC) bypass was identified in a recent sample. The malware monitored system process creation events and opportunistically triggered UAC prompts during legitimate launches, tricking the system or user into granting elevated privileges under the guise of a routine operation.

Technical Analysis

To demonstrate the execution flow of this campaign, we analyzed the sample with the following SHA256 hash: c1322b21eb3f300a7ab0f435d6bcf6941fd0fbd58b02f7af797af464c920040a.

Initial Infection vector

The campaign begins with targeted phishing emails sent to manufacturing organizations, masquerading as legitimate Purchase Order communications from business partners (see Figure 2).

Extraction of the RAR archive reveals a first-stage malicious JavaScript payload, PO No 602450.js, masquerading as a legitimate purchase order document.

Stage 1: JavaScript and PowerShell execution

The JavaScript file contains heavily obfuscated code with special characters that are stripped at runtime. The primary obfuscation techniques involve split and join operations used to dynamically reconstruct malicious strings (see Figure 3).

The de-obfuscated JavaScript creates a hidden PowerShell process using WMI objects (winmgmts:root\cimv2). It employs multiple obfuscation layers, including base64 encoding and string manipulation, to evade detection, with a 5-second sleep delay (see Figure 4).

Stage 2: Steganographic payload retrieval

The decoded PowerShell script functions as a second-stage loader, retrieving a malicious PNG file from Archive.org. This image file contains a steganographically embedded base64-encoded .NET assembly hidden at the end of the file (see Figure 5).

Upon retrieval, the PowerShell script employs regular expression (regex) pattern matching to extract the malicious payload using specific delimiters ("BaseStart-'+'-BaseEnd"). The extracted assembly is then reflected in memory via Reflection.Assembly::Load, invoking the "classlibrary1" namespace with the class name "class1" method “VAI”

This fileless execution technique ensures the final payload executes without writing to disk, significantly reducing detection probability and complicating forensic analysis (see Figure 6).

Stage 3: Weaponized TaskScheduler loader

The reflectively loaded .NET assembly serves as the third-stage loader, weaponizing the legitimate open-source TaskScheduler library from GitHub. The threat actors appended malicious functions to the original library source code and recompiled it, creating a trojanized assembly that retains all legitimate functionality while embedding malicious capabilities (see Figure 7).

Upon execution, the malicious method receives the payload URL in reverse and base64-encoded format, along with DLL path, DLL name, and CLR path parameters (see Figure 8).

Stage 4: Process injection and payload execution

The weaponized loader creates a new suspended RegAsm.exe process and injects the decoded payload into its memory space before executing it (see Figure 9). This process hollowing technique allows the malware to masquerade as a legitimate Windows utility while executing malicious code.

The loader downloads additional content that is similarly reversed and base64-encoded. After downloading, the loader reverses the content, performs base64 decoding, and runs the resulting binary using either RegAsm or AddInProcess32, injecting it into the target process.

Final payload: PureLog Stealer

The injected payload is an executable file containing PureLog Stealer embedded within its resource section. The stealer is extracted using Triple DES decryption in CBC mode with PKCS7 padding, utilizing the provided key and IV parameters. Following decryption, the data undergoes GZip decompression before the resulting payload, PureLog Stealer, is invoked (see Figure 10).

PureLog Stealer is an information-stealing malware designed to exfiltrate sensitive data from compromised hosts, including browser credentials, cryptocurrency wallet information, and comprehensive system details. The threat actor's command and control infrastructure operates at IP address 38.49.210[.]241.

PureLog Stealer steals the following from the victim's machines:

Category	Targeted Data	Detail
Web Browsers	Chromium-based browsers	Data harvested from a wide range of Chromium-based browsers, including stable, beta, developer, portable, and privacy-focused variants.
	Firefox-based browsers	Data extracted from Firefox and Firefox-derived browsers
	Browser credentials	Saved usernames and passwords associated with websites and web applications
	Browser cookies	Session cookies, authentication tokens, and persistent cookies
	Browser autofill data	Autofill profiles, saved payment information, and form data.
	Browser history	Browsing history, visited URLs, download records, and visit metadata.
	Search queries	Stored browser search terms and normalized keyword data
	Browser tokens	Authentication tokens and associated email identifiers
Cryptocurrency Wallets	Desktop wallets	Wallet data from locally installed cryptocurrency wallet applications
	Browser extension wallets	Wallet data from browser-based cryptocurrency extensions
	Wallet configuration	Encrypted seed phrases, private keys, and wallet configuration files
Password Managers	Browser-based managers	Credentials stored in browser-integrated password management extensions
	Standalone managers	Credentials and vault data from desktop password manager applications
Two-Factor Authentication	2FA applications	One-time password (OTP) secrets and configuration data from authenticator applications
VPN Clients	VPN credentials	VPN configuration files, authentication tokens, and user credentials
Messaging Applications	Instant messaging apps	Account tokens, user identifiers, messages, and configuration files
	Gaming platforms	Authentication and account metadata related to gaming services
FTP Clients	FTP credentials	Stored FTP server credentials and connection configurations
Email Clients	Desktop email clients	Email account credentials, server configurations, and authentication tokens
System Information	Hardware details	CPU, GPU, memory, motherboard identifiers, and system serials
	Operating system	OS version, architecture, and product identifiers
	Network information	Public IP address and network-related metadata
	Security software	Installed security and antivirus product details

Tracing the Footprints: Shared Ecosystem

CRIL’s cross-campaign analysis reveals a striking uniformity of tradecraft, uncovering a persistent architectural blueprint that serves as a common thread. Despite the deployment of diverse malware payloads, the delivery mechanism remains constant.

This standardized methodology includes the use of steganography to conceal payloads within benign image files, the application of string reversal combined with Base64 encoding for deep obfuscation, and the delivery of encoded payload URLs directly to the loader. Furthermore, the actors consistently abuse legitimate .NET framework executables to facilitate advanced process hollowing techniques.

This observation is also reinforced by research from Seqrite, Nextron Systems, and Zscaler, which documented identical class naming conventions and execution patterns across a variety of malware families and operations.

The following code snippet illustrates the shared loader architecture observed across these campaigns (see Figure 11).

This consistency suggests that the loader might be part of a shared delivery framework used by multiple threat actors.

UAC Bypass

Notably, a recent sample revealed an LNK file employing similar obfuscation techniques, utilizing PowerShell to download a VBS loader, along with an uncommon UAC bypass method. (see Figure 12)

An uncommon UAC bypass technique is employed in later stages of the attack, where the malware monitors process creation events and triggers a UAC prompt when a new process is launched, thereby enabling the execution of a PowerShell process with elevated privileges after user approval (see Figure 13).

Conclusion

Our research has uncovered a hybrid threat with striking uniformity of tradecraft, uncovering a persistent architectural blueprint. This standardized methodology includes the use of steganography to conceal payloads within benign image files, the application of string reversal combined with Base64 encoding for deep obfuscation, and the delivery of encoded payload URLs directly to the loader. Furthermore, the actors consistently abuse legitimate .NET framework executables to facilitate advanced process hollowing techniques.

The fact that multiple malware families leverage these class naming conventions as well as execution patterns across is further testament to how potent this threat is to the target nations and sectors.

The discovery of a novel UAC bypass confirms that this is not a static threat, but an evolving operation with a dedicated development cycle. Organizations, especially in the targeted regions, should treat "benign" image files and email attachments with heightened scrutiny.

Recommendations

Deploy Advanced Email Security with Behavioral Analysis

Implement email security solutions with attachment sandboxing and behavioral analysis capabilities that can detect obfuscated JavaScript, VBScript files, and malicious macros. Enable strict filtering for RAR/ZIP attachments and block execution of scripts from email sources to prevent initial infection vectors targeting business workflows.

Implement Application Whitelisting and Script Execution Controls

Deploy application whitelisting policies to prevent unauthorized JavaScript and VBScript execution from user-accessible directories. Enable PowerShell Constrained Language Mode and comprehensive logging to detect suspicious script activity, particularly commands attempting to download remote content or perform reflective assembly loading. Restrict the execution of legitimate system binaries from non-standard locations to prevent their abuse in living-off-the-land (LotL) attacks.

Deploy EDR Solutions with Advanced Process Monitoring

Implement Endpoint Detection and Response (EDR) solutions that can detect sophisticated evasion techniques and runtime anomalies, enabling effective protection against advanced threats. Configure EDR platforms to monitor for process hollowing activities where legitimate signed Windows binaries are exploited to execute malicious payloads in memory. Establish behavioral detection rules for fileless malware techniques, including reflective assembly loading and suspicious parent-child process relationships that deviate from normal system behavior.

Monitor for Memory-Based Threats and Process Anomalies

Establish behavioral detection rules for fileless malware techniques, including reflective assembly loading, process hollowing, and suspicious parent-child process relationships. Deploy memory analysis tools to identify code injection into legitimate Windows processes, such as MSBuild.exe, RegAsm.exe, and AddInProcess32.exe, which are commonly abused for malicious payload execution.

Strengthen Credential and Cryptocurrency Wallet Protection

Enforce multi-factor authentication across all critical systems and encourage users to store cryptocurrency assets in hardware wallets rather than browser-based solutions. Implement monitoring for unauthorized access to browser credential stores, password managers, and cryptocurrency wallet directories to detect potential data exfiltration attempts.

Implement Steganography Detection and Image Analysis Capabilities

Deploy specialized steganography detection tools that analyze image files for hidden malicious payloads embedded within pixel data or metadata. Implement statistical analysis techniques to identify anomalies in image file entropy and bit patterns that may indicate the presence of concealed executable code. Configure security solutions to perform deep inspection of image formats, particularly PNG files, which are frequently exploited for embedding command-and-control infrastructure or malicious scripts in covert communication channels.

MITRE Tactics, Techniques & Procedures

Tactic	Technique	Procedure
Initial Access (TA0001)	Phishing: Spearphishing Attachment (T1566.001)	Phishing emails with malicious attachments masquerading as Purchase Orders
Initial Access (TA0001)	Exploit Public-Facing Application (T1190)	Exploitation of CVE-2017-11882 in Microsoft Equation Editor
Execution (TA0002)	User Execution: Malicious File (T1204.002)	User opens JavaScript, VBScript, or LNK files from archive attachments
Execution (TA0002)	Command and Scripting Interpreter: JavaScript (T1059.007)	Obfuscated JavaScript executes to download second-stage payloads
Execution (TA0002)	Command and Scripting Interpreter: PowerShell (T1059.001)	A hidden PowerShell instance was spawned to retrieve steganographic payloads
Execution (TA0002)	Windows Management Instrumentation (T1047)	WMI used to spawn hidden PowerShell processes
Defense Evasion (TA0005)	Obfuscated Files or Information (T1027)	Multi-layer obfuscation using base64 encoding and string manipulation
Defense Evasion (TA0005)	Steganography (T1027.003)	Malicious payload hidden within PNG image files
Defense Evasion (TA0005)	Reflective Code Loading (T1620)	The .NET assembly is reflectively loaded into memory without disk writes
Defense Evasion (TA0005)	Process Injection: Process Hollowing (T1055.012)	Payload injected into legitimate Windows system processes
Defense Evasion (TA0005)	Masquerading: Match Legitimate Name or Location (T1036.005)	Execution through legitimate Windows utilities for evasion
Defense Evasion (TA0005)	Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)	UAC bypass using process monitoring and a user approval prompt
Defense Evasion (TA0005)	Virtualization/Sandbox Evasion: Time-Based Evasion (T1497.003)	5-second sleep delay to evade automated sandbox analysis
Credential Access (TA0006)	Unsecured Credentials: Credentials In Files (T1552.001)	Extraction of credentials from browser databases and configuration files
Credential Access (TA0006)	Credentials from Password Stores: Credentials from Web Browsers (T1555.003)	Harvesting saved passwords and cookies from web browsers
Credential Access (TA0006)	Credentials from Password Stores (T1555)	Extraction of credentials from password manager applications
Discovery (TA0007)	System Information Discovery (T1082)	Collection of hardware, OS, and network information
Discovery (TA0007)	Security Software Discovery (T1518.001)	Enumeration of installed antivirus products
Collection (TA0009)	Data from Local System (T1005)	Collection of cryptocurrency wallets, VPN configs, and email data
Collection (TA0009)	Email Collection (T1114)	Harvesting email credentials and configurations from email clients
Command and Control (TA0011)	Web Service (T1102)	Abuse of Archive.org for payload hosting
Exfiltration (TA0010)	Exfiltration Over C2 Channel (T1041)	Data exfiltration to C2 server at 38.49.210.241

Indicators of Compromise (IOCs)

Indicator	Type	Comments
5c0e3209559f83788275b73ac3bcc61867ece6922afabe3ac672240c1c46b1d3	SHA-256	Email
c1322b21eb3f300a7ab0f435d6bcf6941fd0fbd58b02f7af797af464c920040a	SHA-256	PO No 602450.rar
3dfa22389fe1a2e4628c2951f1756005a0b9effdab8de3b0f6bb36b764e2b84a	SHA-256	Microsoft.Win32.TaskScheduler.dll
bb05f1ef4c86620c6b7e8b3596398b3b2789d8e3b48138e12a59b362549b799d	SHA-256	PureLog Stealer
0f1fdbc5adb37f1de0a586e9672a28a5d77f3ca4eff8e3dcf6392c5e4611f914	SHA-256	Zip file contains LNK
917e5c0a8c95685dc88148d2e3262af6c00b96260e5d43fe158319de5f7c313e	SHA-256	LNK File
hxxp://192[.]3.101[.]161/zeus/ConvertedFile[.]txt	URL	Base64 encoded payload
hxxps://pixeldrain[.]com/api/file/7B3Gowyz	URL	Base64 encoded payload
hxxp://dn710107.ca.archive[.]org/0/items/msi-pro-with-b-64_20251208_1511/MSI_PRO_with_b64[.]png	URL	PNG file
hxxps://ia801706.us.archive[.]org/25/items/msi-pro-with-b-64_20251208/MSI_PRO_with_b64[.]png	URL	PNG file
38.49.210[.]241	IP	Purelog Stealer C&C

References:

https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-government-agency-caminho-and-dcrat

https://www.seqrite.com/blog/steganographic-campaign-distributing-malware

https://www.nextron-systems.com/2025/05/23/katz-stealer-threat-analysis/

The post Stealth in Layers: Unmasking the Loader used in Targeted Email Campaigns appeared first on Cyble.