🚨 Update Your Detection Rules: New In-Memory Loader

We caught a highly evasive #HanGhost loader, designed to bypass traditional detection through layered obfuscation and in-memory execution. This activity targets corporate users handling payments, logistics, and contract workflows, expanding exposure across critical operations.

⚠️ The delivery chain combines obfuscated JavaScript, hidden PowerShell execution, and environment-variable staging.

In the second stage, the loader retrieves an image file and extracts an encrypted payload embedded at the end of the file, combining steganography with in-memory loading and making detection significantly harder ❗️

👾 The loader is used to deliver multiple malware families: #PureHVNC, #XWorm, #Meduza, #AgentTesla, and #Phantom, with some chains also deploying #UltraVNC, extending the impact from initial access to persistent remote control.

⚡️#ANYRUN Sandbox allows analysts to reconstruct the full execution chain, helping confirm complex multi-stage activity earlier and reduce MTTR.

🔗 JavaScript-to-Payload execution chain:

JS ➡️ PowerShell ➡️ in-memory .NET assembly ➡️ PNG payload ➡️ Malware

📈 The campaign shows wave-based activity, indicating ongoing development and scaling:

March 26 — early cluster

April 1–2 — first large multi-family wave

April 3 — focused wave (PureHVNC / AgentTesla / Phantom)

April 6 — PureHVNC-heavy activity

April 7 — new peak with split between PureHVNC and XWorm/Meduza clusters

April 8 — multi-family wave (PureHVNC / Phantom / AgentTesla)

April 9–13 — more focused wave dominated by PureHVNC, with Phantom, DarkCloud, Formbook, and Meduza also present

👨‍💻 See the analysis session and collect #IOCs to speed up detection and response: https://app.any.run/tasks/cc26155e-e8e9-442b-b000-8d1a1435e7db?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktoservice&utm_term=130426

🔍 Use this TI Lookup query to pivot from IOCs, review related activity, and validate your detection coverage: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktotilookup&utm_term=130426#%7B%2522query%2522:%2522commandLine:%255C%2522bYPaSS%2520-Command%2520*iex%2520$env:%255C%2522%2522,%2522dateRange%2522:180%7D%20
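Added example, not ANY.RUN's code or output: two defender-side checks for the chain described above. The first flags command lines matching the bypass / -Command / iex / $env: pattern that the TI Lookup query pivots on; the second reports how many bytes trail a PNG's IEND chunk, the position where the second stage hides its encrypted payload. The sample command lines, the PNG bytes and the environment-variable names are constructed for illustration.

```python
import re
import struct
import zlib

# Constructed sample command lines (not from the sandbox task). Variable
# names such as STAGE and PAYLOAD are hypothetical.
SAMPLE_CMDLINES = [
    'powershell.exe -ep bYPaSS -Command "iex $env:STAGE"',
    'powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1',
    'powershell.exe -nop -w hidden -ExecutionPolicy Bypass -Command iex $env:PAYLOAD',
]

# Mirrors the TI Lookup query bYPaSS -Command *iex $env: with case folding;
# mixed-case "bYPaSS" is exactly why the match must be case-insensitive.
ENV_STAGING_RE = re.compile(r"bypass.*-command.*\biex\b.*\$env:", re.IGNORECASE)


def flag_env_staging(cmdline: str) -> bool:
    """True when a PowerShell command line shows environment-variable staging."""
    return bool(ENV_STAGING_RE.search(cmdline))


def png_trailing_bytes(data: bytes) -> int:
    """Number of bytes after the IEND chunk (0 for a clean PNG).

    Walks the chunk list instead of searching for the IEND marker, so a
    payload that happens to contain the bytes 'IEND' is not misread."""
    sig = b"\x89PNG\r\n\x1a\n"
    if not data.startswith(sig):
        raise ValueError("not a PNG")
    pos = len(sig)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("no IEND chunk")


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed minimal 1x1 grayscale PNG, then the same file with data appended.
CLEAN_PNG = (b"\x89PNG\r\n\x1a\n"
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _chunk(b"IEND", b""))
STEGO_PNG = CLEAN_PNG + b"ENCRYPTED_PAYLOAD_PLACEHOLDER"  # constructed filler, not malware

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(flag_env_staging(c), c)
    print(png_trailing_bytes(CLEAN_PNG), png_trailing_bytes(STEGO_PNG))
```

Trailing bytes after IEND are legitimate in some toolchains, so treat the count as a triage signal to pair with the process ancestry (JS spawning PowerShell) rather than a verdict on its own.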

👨‍💻 Equip your SOC with faster decisions and lower workload. See how #ANYRUN fits your workflows: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktoenterprise&utm_term=130426

#cybersecurity #infosec

Top 10 last week's threats by uploads 🌐
⬆️ #Asyncrat 695 (490)
⬆️ #Xworm 640 (460)
⬇️ #Stealc 409 (581)
⬆️ #Gh0st 396 (274)
⬇️ #Vidar 343 (371)
⬆️ #Salatstealer 320 (243)
⬇️ #Remcos 297 (385)
⬆️ #Quasar 283 (221)
⬆️ #Dcrat 239 (100)
⬆️ #Agenttesla 196 (196)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=060426&utm_content=linktoregister#register

#cybersecurity #infosec

Top 10 last week's threats by uploads 🌐
⬇️ #Stealc 581 (600)
⬇️ #Asyncrat 493 (541)
⬇️ #Xworm 460 (509)
⬆️ #Remcos 389 (272)
⬆️ #Vidar 371 (368)
⬇️ #Gh0st 274 (298)
⬆️ #Salatstealer 243 (195)
⬆️ #Quasar 221 (185)
⬆️ #Lokibot 217 (119)
⬇️ #Agenttesla 196 (216)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=300326&utm_content=linktoregister#register

#cybersecurity #infosec

Top 10 last week's threats by uploads 🌐
⬆️ #Stealc 600 (403)
⬇️ #Asyncrat 541 (782)
⬆️ #Xworm 510 (431)
⬆️ #Vidar 368 (351)
⬆️ #Gh0st 298 (281)
⬆️ #Remcos 272 (267)
⬇️ #Agenttesla 216 (307)
⬇️ #Dcrat 201 (427)
⬆️ #Salatstealer 195 (181)
⬇️ #Quasar 185 (187)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=230326&utm_content=linktoregister#register

Top 10 last week's threats by uploads 🌐
⬆️ #Asyncrat 782 (533)
⬆️ #Xworm 431 (350)
⬆️ #Dcrat 427 (268)
⬆️ #Stealc 403 (215)
⬆️ #Vidar 351 (249)
⬆️ #Agenttesla 309 (241)
⬆️ #Gh0st 281 (143)
⬆️ #Remcos 270 (193)
⬆️ #Quasar 187 (158)
⬇️ #Salatstealer 181 (189)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=160326&utm_content=linktoregister#register

#cybersecurity #infosec

Top 10 last week's threats by uploads 🌐
⬆️ #Asyncrat 533 (472)
⬇️ #Xworm 350 (476)
⬇️ #Dcrat 268 (452)
⬆️ #Vidar 249 (227)
⬆️ #Agenttesla 243 (157)
⬆️ #Stealc 215 (212)
⬇️ #Remcos 196 (207)
⬆️ #Salatstealer 189 (183)
⬆️ #Lumma 183 (137)
⬆️ #Quasar 158 (156)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=090326&utm_content=linktoregister#register

Top 10 last week's threats by uploads 🌐
⬆️ #Xworm 476 (303)
⬆️ #Asyncrat 472 (363)
⬇️ #Dcrat 452 (527)
⬆️ #Vidar 227 (174)
⬆️ #Stealc 212 (176)
⬇️ #Remcos 208 (262)
⬇️ #Salatstealer 183 (219)
⬇️ #Agenttesla 157 (247)
⬇️ #Quasar 156 (192)
⬇️ #Gh0st 155 (161)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=020326&utm_content=linktoregister#register

#cybersecurity #infosec

Top 10 last week's threats by uploads 🌐
⬆️ #Dcrat 527 (429)
⬇️ #Asyncrat 364 (432)
⬇️ #Xworm 303 (370)
⬆️ #Remcos 268 (250)
⬇️ #Agenttesla 247 (523)
⬆️ #Salatstealer 219 (215)
⬇️ #Quasar 192 (212)
⬇️ #Stealc 176 (258)
⬇️ #Vidar 174 (256)
⬆️ #Lumma 172 (154)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=230226&utm_content=linktoregister#register

#cybersecurity #infosec

Top 10 last week's threats by uploads 🌐
⬇️ #Agenttesla 523 (548)
⬇️ #Asyncrat 432 (435)
⬆️ #Dcrat 429 (379)
⬆️ #Xworm 370 (366)
⬇️ #Stealc 258 (360)
⬇️ #Vidar 256 (345)
⬆️ #Remcos 254 (232)
⬆️ #Worm 250 (121)
⬆️ #Reverseloader 224 (167)
⬆️ #Quasar 212 (200)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=160226&utm_content=linktoregister#register

#cybersecurity #infosec

Top 10 last week's threats by uploads 🌐
⬆️ #Agenttesla 549 (306)
⬇️ #Asyncrat 435 (443)
⬆️ #Dcrat 379 (225)
⬇️ #Xworm 366 (435)
⬇️ #Stealc 360 (475)
⬇️ #Vidar 345 (455)
⬆️ #Salatstealer 235 (206)
⬇️ #Remcos 234 (307)
⬆️ #Gh0st 225 (166)
⬇️ #Quasar 200 (207)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=090226&utm_content=linktoregister#register

#cybersecurity #infosec