A Multi-Stage Steganographic Loader Campaign Deploying Diverse Payloads Globally

A sophisticated phishing campaign was identified distributing multiple malware families through a multi-stage loader that relies on steganography and fileless techniques. The infection chain begins with archive attachments containing files disguised as financial documents; the file names reference GST, NEFT, RTGS, and IMPS transactions, and the lures primarily target Indian organizations. The loader runs its stages in memory to avoid disk-based artifacts and conceals payloads inside embedded .NET Bitmap objects. Malware families deployed through it include Remcos RAT, Agent Tesla, MassLogger, Phantom Stealer, DarkCloud, RedLine Stealer, Snake Keylogger, Formbook, and XWorm. The final payloads establish persistence through registry Run keys, perform process hollowing, steal browser credentials, record audio and webcam, and exfiltrate data to command-and-control infrastructure. The range of payloads points to a loader-as-a-service operation serving multiple threat actors globally.
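As an added illustration (not code from the pulse, and not taken from any analysed sample), the Python below shows the simplest form of the bitmap-concealment idea in the description together with the triage check an analyst would run against it: a constructed stand-in payload (a fake MZ/PE stub, not real malware) is written straight into the pixel area of a 24-bit BMP, and a carver parses the BMP, pulls the pixel bytes back out, validates the MZ -> e_lfanew -> PE signature chain, and measures Shannon entropy. The BMP layout, the length-prefixed embedding format, and the payload are all assumptions made for the example; the campaign's actual encoding is not described on this page.

```python
import math
import struct
from collections import Counter


# --- constructed stand-in payload -------------------------------------------
def make_fake_pe(size=512):
    """Build a fake PE image: 'MZ' stub with e_lfanew (0x3C) pointing at 'PE\\0\\0'.

    Constructed placeholder for the example, not real malware. Bytes after the
    PE signature are filled with a full-period byte pattern so the blob looks
    packed (high entropy) the way cryptor output would.
    """
    pe_off = 0x80
    img = bytearray(size)
    img[0:2] = b"MZ"
    img[0x3C:0x40] = struct.pack("<I", pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    for i in range(pe_off + 4, size):
        img[i] = (i * 73 + 41) & 0xFF
    return bytes(img)


# --- hiding side: payload bytes stored raw in the pixel area ----------------
def build_bmp(width, height, rows):
    """Wrap raw pixel rows in BITMAPFILEHEADER + BITMAPINFOHEADER (24 bpp, uncompressed)."""
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(rows), 2835, 2835, 0, 0)
    hdr = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(rows), 0, 0, 54)
    return hdr + dib + rows


def embed_in_bmp(payload, width=64):
    """Assumed embedding format: 4-byte LE length + payload, zero-padded to whole rows."""
    blob = struct.pack("<I", len(payload)) + payload
    row_bytes = width * 3
    height = -(-len(blob) // row_bytes)          # ceiling division
    blob = blob.ljust(height * row_bytes, b"\0")
    stride = (row_bytes + 3) & ~3               # BMP rows are padded to 4 bytes
    rows = b"".join(blob[r * row_bytes:(r + 1) * row_bytes].ljust(stride, b"\0")
                    for r in range(height))
    return build_bmp(width, height, rows)


# --- triage side -------------------------------------------------------------
def pixel_bytes(bmp):
    """Parse the BMP headers and return the pixel area with row padding removed."""
    magic, _, _, _, off = struct.unpack_from("<2sIHHI", bmp, 0)
    if magic != b"BM":
        raise ValueError("not a BMP")
    _, width, height, _, bpp, comp = struct.unpack_from("<IiiHHI", bmp, 14)
    if bpp != 24 or comp != 0:
        raise ValueError("example handles only uncompressed 24-bit BMP")
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3
    return b"".join(bmp[off + r * stride: off + r * stride + row_bytes]
                    for r in range(abs(height)))


def recover_payload(bmp):
    """What a loader would do: read the length prefix and slice the payload out."""
    px = pixel_bytes(bmp)
    n = struct.unpack_from("<I", px, 0)[0]
    return px[4:4 + n]


def carve_pe(data):
    """Offsets of every 'MZ' whose e_lfanew lands on a 'PE\\0\\0' signature."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if sig + 4 <= len(data) and data[sig:sig + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def shannon_entropy(data):
    """Bits per byte: packed or encrypted payloads sit near 8, ordinary images well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_bitmap(bmp):
    """Analyst check: does the pixel area of this image carry an executable?"""
    px = pixel_bytes(bmp)
    return {"pe_offsets": carve_pe(px), "entropy": round(shannon_entropy(px), 2)}


if __name__ == "__main__":
    payload = make_fake_pe()
    carrier = embed_in_bmp(payload)
    assert recover_payload(carrier) == payload
    print(triage_bitmap(carrier))
```

Both sides of the example read the pixel area in file order, so the embedding and the carver agree with each other; a real .NET Bitmap consumer sees rows top-down while the file stores them bottom-up, which is one reason a carver should search the whole pixel buffer rather than assume the payload starts at a fixed offset. The entropy value is a triage signal, not proof: a resource whose pixel data is near 8 bits per byte and also yields a valid MZ/PE chain is the combination worth escalating.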

Pulse ID: 6a3ac3d87dd519f2fec1d2ea
Pulse Link: https://otx.alienvault.com/pulse/6a3ac3d87dd519f2fec1d2ea
Pulse Author: AlienVault
Created: 2026-06-23 17:35:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AgentTesla #Browser #Cloud #CyberSecurity #FormBook #ICS #India #InfoSec #KeyLogger #Malware #NET #OTX #OpenThreatExchange #Phishing #RAT #Remcos #RemcosRAT #SSL #Steganography #Tesla #Worm #XWorm #bot #AlienVault

LevelBlue - Open Threat Exchange


📢 Formbook delivered via obfuscated JavaScript - SOC Prime

🔗 https://news.google.com/rss/articles/CBMiiwFBVV95cUxQNkVuQnBuYW1kX3Z5d0VydzYya3dTRGNQZ0xSSmd6MUIwUDBNV1BtV0k3SjVtb2RDMVFlbjdxdTZ1T21weGlNSUdFeHc0eTBqeTJRR3dnVDRWOEtpMmcxWFZFV3JJa2R5VTZkTjFZUlRnZkFiRm5jWWxsbVBFUkxuclgwNkdkSlk0UEpv?oc=5

#Formbook #Javascript #Prime #GlobalFeed #News #ES

Automatically published by Global Feed Bot


📢 Xloader v8.1+: new obfuscation techniques and C2 protocol detailed
📝 ## 🔍 Context

Published on 31 March 2026 by ThreatLabz (Zscaler), this article is an in-depth technical analysis...
📖 cyberveille: https://cyberveille.ch/posts/2026-04-05-xloader-v8-1-nouvelles-techniques-d-obfuscation-et-protocole-c2-detailles/
🌐 source: https://www.zscaler.com/blogs/security-research/latest-xloader-obfuscation-methods-and-network-protocol
#C2_protocol #FormBook #Cyberveille

In H2 2025, #ESETresearch saw a thirtyfold increase in #CloudEyE detections, amounting to more than 100,000 hits over the course of six months. CloudEyE is a #MaaS downloader and cryptor used to conceal and deploy other malware, such as #Rescoms, #Formbook, and #AgentTesla.
CloudEyE's initial stage is a downloader that spreads via #PowerShell scripts, #JavaScript files, and #NSIS executables. These download the next stage – the cryptor component – with the final payload packed within. All of the CloudEyE stages are heavily obfuscated.
Most of the CloudEyE attack attempts we registered in H2 2025 targeted Poland (32%). These attacks were part of a wave of email campaigns in Central and Eastern Europe ESET observed in September and October 2025.
In order to appear legitimate, the emails deployed in the campaign were often sent from compromised legitimate accounts and localized to the language of the targeted country. They were usually inquiries about invoice payments, package tracking, and purchase orders.
For further information on CloudEyE, cryptors, and more, head on over to the latest #ESETThreatReport: https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22025.pdf
🚨 FormBook malware spreads via fake installers A new FormBook wave uses weaponized PDFs and spoofed software installers to steal passwords, browser data, keystrokes and screenshots while dropping secondary payloads. Targets include small firms and home users. #ransomNews #FormBook #malware
🚨 Intercontinental cyberattack with Formbook: ComicForm and SectorJ149 have been targeting industrial and financial companies since April 2025. Sophisticated phishing, obfuscation, and extraction of sensitive data. Protect yourself with training, EDR, and network segmentation. #Cybersécurité #Formbook #Cyberattaque #LynxIntel https://lynxintel.io/cyberattaque-intercontinentale-avec-formbook-les-groupes-en-pleine-action/
2025-08-11 (Monday): Quick post of an #XLoader ( #Formbook ) infection, with a #pcap, email, and #malware sample available at https://www.malware-traffic-analysis.net/2025/08/11/index.html

🎯 Registry abuse helps #malware maintain persistence on infected endpoints. By detonating files in #ANYRUN Sandbox, analysts gain instant threat visibility to accelerate investigations and response.

👨‍💻 See #FormBook and script-based attacks analysis: https://any.run/cybersecurity-blog/how-to-spot-malware-registry-abuse/?utm_source=mastodon&utm_medium=post&utm_campaign=registry_abuse&utm_term=070825&utm_content=linktoblog

#cybersecurity #infosec

Last week's top 10 threats by uploads 🌐
⬆️ #Lumma 548 (484)
⬇️ #Neconyd 289 (311)
⬇️ #Asyncrat 244 (300)
⬇️ #Snake 237 (262)
⬇️ #Remcos 190 (468)
⬇️ #Xworm 179 (214)
⬇️ #Agenttesla 168 (174)
⬆️ #Lokibot 154 (145)
⬇️ #Amadey 144 (157)
⬇️ #Formbook 128 (139)
Track them all: https://any.run/malware-trends/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_content=tracker&utm_term=300625

🎯 Registry abuse helps #malware maintain persistence and stealth on infected endpoints.
Detonating suspicious files in #ANYRUN Sandbox gives instant visibility into registry activity.

Explore examples, featuring #FormBook and script-based attacks 👇
https://any.run/cybersecurity-blog/how-to-spot-malware-registry-abuse/?utm_source=mastodon&utm_medium=post&utm_campaign=spot_registry_abuse&utm_term=240625&utm_content=linktoblog

#cybersecurity #infosec
