How to Recognize Evolving Malware Techniques

We are observing widespread and sophisticated fileless malware campaigns targeting companies in the African finance and telecommunications sectors. The campaign typically begins with a phishing email sent to departments such as Sales and Procurement, often disguised as a Request for Quotation (RFQ). The email includes an attachment, commonly a PowerShell (.ps1) dropper file crafted to appear legitimate. In one notable case, the dropper, once executed, downloaded what appeared to be a random image file onto the user’s system. At first glance, the image seemed harmless, but its huge file size raised suspicion. Further analysis revealed the file contained a malicious DLL hidden using steganography. The attackers concealed binary malware within the image file. The dropper extracted this hidden payload and executed it in memory. It also created a scheduled task via Windows Task Scheduler, ensuring persistence even after reboot. The DLL was executed using in-memory .NET assemblies and PowerShell one-liners, avoiding detection by traditional antivirus solutions. Once active, the payload could accept commands from a remote C2 server, launch processes, and exfiltrate sensitive system information. The malware was observed collecting public and private IP addresses, geolocation data, a list of scheduled tasks, and basic system metadata (useful for lateral movement or persistence). These behaviours are consistent with advanced fileless malware operations, where attackers minimise their on-disk footprint and rely on living-off-the-land techniques (LOLBins) to evade detection. Indicators of compromise (IoCs) revealed that the email sender, domain, and IPs have previously been reported in malicious activity, including spoofing, credential harvesting, spam, and phishing. This suggests the threat actors are leveraging an established, actively maintained infrastructure. Recommendations for Security Teams - Train employees to recognise phishing tactics such as urgency-driven language, unexpected RFQs, and suspicious attachments. Encourage reporting to IT/security teams. - Configure filtering policies to block or sandbox compressed file types (e.g., .zip, .rar, .tgz) and scripts (.ps1, .js, .vbs) from untrusted senders. - Enable DMARC, SPF, and DKIM enforcement for email to avoid spoofing and spam. - Deploy advanced EDR solutions with behavioural detection to catch in-memory execution, PowerShell abuse, and steganographic payloads. - Monitor for suspicious persistence mechanisms (e.g., unexpected scheduled tasks). - Regularly apply security patches to operating systems, browsers, and office applications. - Restrict execution of unsigned PowerShell scripts via Constrained Language Mode or AppLocker/Defender Application Control. - Monitor outbound connections to detect C2 traffic patterns. - Hunt for anomalous large image files or unusual PowerShell activity in logs. #SOC #ThreatIntelligence #DigitalForensics #Malware #FilelessMalware #Threat

AI is being weaponized — and attackers are proving it. This week, researchers at @SentinelLabs exposed MalTerminal — the first publicly documented malware to autonomously generate ransomware and reverse shell payloads using GPT-4. Unlike traditional malware, MalTerminal doesn’t ship with pre-written payloads. It abuses the GPT-4 API at runtime to build malicious code on demand. No static signatures. No known-bad patterns. That’s the turning point. Why MalTerminal Matters: 1. Dynamic code generation → No malicious code until runtime 2. Autonomous evasion → Signature-based detection rendered obsolete 3. Exposed API keys → Security analysis uncovered large numbers embedded in samples, showing how attackers are experimenting with LLM access at scale 4, Dual use → Offense and defense both automated by LLMs While there’s no evidence MalTerminal has been deployed in the wild, it’s a proof-of-concept that shows how quickly these techniques can spread. Underground forums are already buzzing. And it follows other experiments like PromptLock, confirming that AI-powered tradecraft is diversifying fast. This is what abstract risk looks like in practice: -- Cybercriminals no longer need coding skills -- Every attack can mutate in real time -- Global ransomware losses are estimated in the tens of billions annually (FBI IC3, 2024) — and AI-driven automation could multiply that curve What Leaders Must Do Now: 1. Shift detection → From static signatures to behavioral + memory analysis 2. Monitor LLM activity → Track anomalous API calls, prompts, and tokens 3. Tabletop + AI defense → Simulate AI-powered malware intrusions and use LLMs to respond at machine speed 4. Board-level briefings → Treat AI threats as strategic resilience issues, not just IT problems Closing Thought: AI isn’t inherently the enemy. But if organizations don’t adapt, attackers will make sure it feels that way. At PRIMSEC, we work with boards and executives to understand these new risks and design resilience strategies tailored for the AI era. How is your organization preparing for the era of AI-powered malware?

It's not magic—it's a structured process of dissection. Malware analysis is a critical skill for understanding the "how" and "why" behind an attack, turning a malicious binary into a blueprint for defense. The journey typically unfolds in tiers: 1. Static Analysis (The "What is it?"): File Fingerprinting: MD5, SHA256, file type. String Analysis: Extracting readable text for clues (IPs, URLs, commands). PE Header Analysis: Understanding the executable's structure and imports. 2. Dynamic Analysis (The "What does it do?"): Sandbox Execution: Running the sample in a isolated VM (e.g., Cuckoo, ANY.RUN). Network Traffic Monitoring: Capturing C2 (Command & Control) server communications. System Behavior: Monitoring file system, registry, and process changes. 3. Advanced Reverse Engineering (The "How does it work?"): Disassembly: Using tools like IDA Pro or Ghidra to translate machine code back to assembly. Debugging: Stepping through the code with x64dbg to understand logic and bypass anti-analysis tricks. Each technique peels back a layer, revealing the attacker's intent and capabilities. #freepalestine #MalwareAnalysis #ReverseEngineering #CyberSecurity #DFIR #ThreatIntelligence #InfoSec

🎯 APT groups don't need 0-days when your browser stores credentials in SQLite... Kaspersky's latest report on HoneyMyte (aka: Mustang Panda, Earth Preta, Bronze President) uncovers a complex toolkit that should concern anyone defending enterprise endpoints. This Chinese origin APT group has been active since at least 2017, and their latest campaigns show continued evolution in credential harvesting techniques. The operation uses a trio of browser stealers targeting Chromium browsers (Chrome, Edge, Brave and Opera). What makes this interesting from a detection standpoint isn't the technique itself as browser credential theft is hardly novel. However, the implementation details that give us solid detection opportunities. The stealers target two critical files: "Login Data" (an SQLite database containing encrypted credentials) and "Local State" (which holds the encryption key). The attack chain creates temporary artifacts like "chromeTmp" and "Local State-journal" during the extraction process. These artifacts are essentially the fingerprints left behind when malware copies and processes browser databases. Here's the detection logic worth noting: legitimate browser processes accessing their own credential stores is normal. Chrome.exe reading Login Data? Expected behavior. Random executable doing the same? That's your signal for detection. The KQL rule published by one of our contributors: Kaung Khant Ko implements this beautifully. It monitors for two conditions: creation of those telltale temp artifacts (very low FP), OR non browser processes accessing sensitive credential files in browser user data directories. The explicit allowlisting of legitimate browser executables reduces false positives while maintaining visibility on anything suspicious touching those paths. Detection rule at detections.ai: https://lnkd.in/gKmD_yvG From a SOC or analyst perspective the process accessing browser processes is going to determine its suspiciousness. A Python script, PowerShell or unknown binary accessing "Login Data" should immediately raise questions. You're not just alerting on file access, you're correlating the accessing process against expected behavior. For us blue-teamers implementing similar logic: consider extending the browser process allowlist based on your environment. Electron apps and browser automation tools might trigger false positives. Also worth monitoring: processes decrypting the DPAPI-protected keys, which is the natural next step after stealing these files. The broader lesson here is that APT groups continue to prioritize credential access for lateral movement. Browser stored credentials remain low hanging fruit in most enterprises. Research by Securelist: https://lnkd.in/gteSaD4n Rules and threat intel details at detections.ai: https://lnkd.in/g_2t9e8S #KQL #APT #Malware #DetectionEngineering

THREAT CAMPAIGN: GODRAT, NEW RAT TARGETING FINANCIAL INSTITUTIONS IN ASIA AND THE MIDDLE EAST ℹ️ In September 2024, researchers detected a new remote access trojan they named GodRAT, targeting financial institutions, particularly trading and brokerage firms, via malicious .scr (screensaver) files masquerading as financial documents delivered through Skype. Attack campaigns have also employed .pif files with similar camouflages. As of the most recent public report, the malware remained active, with the latest detection on August 12, 2025. 📍 TECHNICAL EVOLUTION AND METHODOLOGY ■ GodRAT is rooted in the legacy Gh0st RAT codebase, showing strong ties to the previously identified AwesomePuppet backdoor from 2023, suggesting that GodRAT is likely an evolved successor, and possibly connected to the Winnti (APT41) group. ■ Attackers hide shellcode via steganography, embedding it into image files, to download GodRAT from a C2 server. 📍INFECTION MECHANICS AND EXECUTION FLOW ■ A multi-stage chain initiates with a shellcode injector: it XOR‑decodes embedded shellcode, maps it into memory, and searches for configuration data marked by “godinfo,” which reveals details like the C2 address and command. ■ The first stage fetches and launches a second-stage payload that includes a UPX‑packed GodRAT DLL (internally named ONLINE.dll). ■ This DLL either injects itself into curl.exe or cmd.exe using a -Puppet flag or proceeds directly based on provided command-line arguments. 📍 RAT CAPABILITIES AND PLUGIN SYSTEM ■ Once active, GodRAT connects to its C2 server, harvesting system information, including OS details, host and user info, antivirus presence, and malware process metadata, compressing the data, XOR‑encoding it, and transmitting it upstream. It processes incoming commands, which allow it to: ◽ Inject plugin DLLs into memory (e.g., a FileManager plugin); ◽ Terminate itself; ◽ Download and launch new files; ◽ Open specified URLs (via Internet Explorer); and ◽ Write data to configuration files (like updating config.ini). 📍 THE FILEMANAGER PLUGIN & ASYNCRAT DEPLOYMENT ■ The FileManager plugin (named FILE.dll) collects local drive information and desktop paths, and can reflectively inject shellcode into processes. ■ This in turn initiates AsyncRAT, which patches Windows defenses like AMSI and ETW to disable detection and allow execution of its components. ■ AsyncRAT’s builder permits attackers to masquerade executables (e.g., svchost.exe, cmd.exe, curl.exe) and choose among output formats like .exe, .scr, or .pif, a further evolution rooted in Gh0st RAT code. Reference: 🔗 https://lnkd.in/dwdkFfH5 #threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection #cyberdefense

Back in 2010, I wrote down these notes during UITM i-Hack talk session on botnet Command and Control (C2) strategies. It’s fascinating and alarming how far we have come. Back then, C2 evolution moved from IRC and HTTP to HTTPS, P2P, and even DNS-based custom protocols. Conficker C was a major case study. It generated 50,000 pseudo-random domains daily, choosing 500 to resolve which is a clever evasion trick for takedown resistance. Mariposa botnet, powered by 3 Spanish-built variants, infected over 13 million machines. Its operators leased botnet access for DDoS, spreading via fake software. They used custom UDP protocols to communicate which makes the detection difficult. Fast forward to today, C2 channels are now encrypted, decentralized, and stealthier. Threat actors commonly leverage CDNs, social media, blockchain, and serverless infrastructure (e.g., AWS Lambda or Google Cloud Functions) to mask activities. AI-generated domain fluxing and steganography are making traditional DNS sinkholes less effective. Malware-as-a-Service (MaaS) and C2-as-a-Service platforms have commodified these techniques, giving even low-skilled actors dangerous capabilities. Custom protocols now use covert channels, blending traffic with normal user behavior which make it harder to detect, harder to block. C2 strategies have matured in sophistication, and defenders must evolve too. Behavioral analytics, ML-driven anomaly detection, and zero trust segmentation are no longer optional—they’re essential. I am curious to hear anyone from the cyber defense field how are you tackling the latest wave of evasive C2 infrastructure. Care to share your thoughts? #cyberdefense #syberseeker

𝐍𝐞𝐰 𝐓𝐡𝐫𝐞𝐚𝐭 𝐀𝐥𝐞𝐫𝐭 - 𝐒𝐎𝐂 𝐀𝐍𝐀𝐋𝐘𝐒𝐓𝐒/𝐓𝐇𝐑𝐄𝐀𝐓 𝐇𝐔𝐍𝐓𝐄𝐑𝐒 There has been a recent surge in threat actor campaigns leveraging fake CAPTCHA pages, phishing emails, and malvertising to deceive users reported by many security product lines. Here's a quick breakdown of the attack flow: Initial Access Vectors: * Malvertising * SEO Poisoning * Phishing Emails These techniques lead users to fake CAPTCHA pages, which are crafted to lower suspicion and increase trust. Execution Phase: Victims are tricked into: * Copying and running malicious commands from their clipboard, or * Executing them via `mshta.exe` or `powershell.exe`. These commands fetch remote scripts (hosted on public services like mediafire.com), which then lead to malware payloads. Payloads Delivered: * Obfuscated JavaScript * HTA/MP3 file loaders (Emmental) * Malware such as:  * Lumma Stealer  * Rhadamanthys  * AsyncRAT  * XWorm Endgame: The attacker establishes remote access and exfiltrates stolen credentials/data, while continuously updating infrastructure to avoid blacklisting. --- Use EDR's to Hunt/Monitor 1. Suspicious Use of mshta.exe or powershell.exe launching remote content 2. Clipboard Injection (if clipboard access monitoring is enabled) 3. Suspicious Script Downloads (especially from file-sharing sites) 4. Execution of Obfuscated JavaScript 5. Potential RAT/Stealer Behavior (AsyncRAT, Lumma, etc.) 6. Suspicious Use of Run Dialog (Search/Run box executions) Stay sharp and keep hunting. #SOC #ThreatHunting #CyberSecurity #InfoSec #MalwareDetection #AsyncRAT #LummaStealer #DetectionEngineering 

Random notes 0x1337 | 100 In offensive security, understanding the boundaries between user mode and kernel mode unlocks a new class of stealth.Modern EDRs aren’t fooled by basic techniques. If you’re still relying on VirtualAllocEx + CreateRemoteThread, you’re already on borrowed time. What defenders really watch is not what API is called—but how it’s called.That’s why a deep understanding of Windows syscall internals is essential for red teamers and malware developers. Take NtCreateFile, for example. When it’s called from user mode, the execution doesn’t jump straight to the kernel. Instead, it first lands in ntdll.dll, a user-mode DLL that sets up the syscall number in the EAX register, configures arguments (via RCX, RDX, R8, etc.), and then invokes the syscall instruction.Here’s the full flow: Malware calls NtCreateFile (user mode) ntdll.dll sets up the syscall -> syscall Execution transitions to kernel mode and lands at ZwCreateFile inside ntoskrnl.exe This process is predictable—and anything predictable can be monitored. That’s exactly what EDRs do: they hook APIs in kernel32.dll, advapi32.dll, and even ntdll.dll. So even if you’re using native APIs, you’re still on the grid. Direct syscalls skip these layers.Instead of importing NtOpenProcess or NtCreateFile, the malware: Locates ntdll.dll in memory Parses the .text section to find syscall stubs (e.g., mov r10, rcx; mov eax, <syscall_id>; syscall) Extracts the correct syscall number dynamically Builds a function stub in memory and executes it directly No API imports. No symbol resolution. No user-mode telemetry.This technique doesn’t just offer stealth—it offers adaptive evasion, since syscall numbers vary across Windows builds. Hardcoding them is fragile. Dynamic resolution at runtime solves this. Toolkits like SysWhispers2 make this easy. They generate customized syscall wrappers in C or Assembly, letting you make direct kernel calls without ever referencing suspicious APIs. Combined with: String and shellcode encryption, Runtime API resolution, Memory unhooking or patching Key takeaway: Most blue team detection logic relies on spotting common patterns such as standard API calls, DLL imports, and execution chains. However, these patterns often trigger false positives due to legitimate processes exhibiting similar behavior.That’s why process chain analysis becomes critical for defenders—it helps determine whether an action is truly malicious or just part of normal system activity. By using direct syscalls, you’re stepping outside the pattern.You’re not evading detection—you’re bypassing the entire monitoring surface.For red teamers and malware developers working in mature environments, this isn’t just a trick. It’s becoming standard tradecraft.

Botnet Controller Hunter Recently, we identified interesting data captured by our logs hunting platform. In the past, we frequently discovered stealer malware embedded in software shared on the dark web and malware downloaders hidden within logs (credentials stolen by malware stealer) shared in Telegram groups and dark web forums. However, a new tactic has emerged. We observed an actor deploying malware disguised as captured data, which is then sent back to the Command and Control (C2) server. As shown in the first picture, the malware is uploaded to the C2 server under a name mimicking a typical log file (e.g., "Joris-ASUS1337-2024-08-20 11-46-24.html.exe"), which would usually be associated with AgentTesla stealer logs. When the botnet controller opens the file, they unknowingly infect themselves with a custom stealer malware. The actor targeting these botnet controllers has developed a specialized stealer designed to exploit infected machines. Notably, this malware is crafted to appear as a legitimate log file embedded within the executable, minimizing suspicion from the botnet controllers. This clever technique ensures the malware remains stealthy while compromising the controllers' systems. The malware itself is a simple .NET stealer equipped with encryption and custom obfuscation techniques to conceal its intent. We also identified instances of the same malware being embedded into log files shared in underground forums. This discovery highlights the evolving tactics used by threat actors to exploit vulnerabilities in malicious infrastructure. It serves as a reminder to continuously enhance our defenses and adopt proactive threat-hunting strategies to mitigate emerging risks. MD5: 31b3aa4498c158daa623776dc48b4d36 https://lnkd.in/eHzmXwfN C2: http:// 128.199.113[.]162 /XtfcshEgt/upwawsfrg.php