Operation FrostBeacon: Multi-Cluster Cobalt Strike Campaign Targets Russia

Operation FrostBeacon is a targeted malware campaign delivering Cobalt Strike beacons to companies in Russia. It uses two infection clusters: one leveraging malicious archive files with LNK shortcuts, and another exploiting CVE-2017-0199 and CVE-2017-11882 vulnerabilities. Both clusters lead to remote HTA execution and deployment of an obfuscated PowerShell loader that decrypts and runs Cobalt Strike shellcode in memory. The campaign targets finance and legal departments of B2B enterprises in logistics, industrial production, construction, and technical supply. It employs phishing emails with Russian-language lures related to contracts, payments, and legal matters. The infrastructure uses multiple Russian-controlled domains as command-and-control servers.

Pulse ID: 693709f10b18abd6b3644445
Pulse Link: https://otx.alienvault.com/pulse/693709f10b18abd6b3644445
Pulse Author: AlienVault
Created: 2025-12-08 17:25:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CobaltStrike #CyberSecurity #Email #ICS #InfoSec #LNK #Malware #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #Russia #ShellCode #Troll #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Operation DupeHike: Targeting Russian employees with DUPERUNNER and AdaptixC2

A campaign targeting Russian corporate entities, particularly HR, payroll, and administrative departments, has been uncovered. The attack uses realistic decoy documents themed around employee bonuses and financial policies. The malware ecosystem involves a malicious LNK file leading to an implant dubbed DUPERUNNER, which then loads the AdaptixC2 Beacon to connect to the threat actor's infrastructure. The infection chain begins with a spear-phishing ZIP archive containing PDF-themed LNK files. The DUPERUNNER implant, programmed in C++, performs various functions including downloading and opening decoy PDFs, process enumeration, and shellcode injection. The final stage involves the AdaptixC2 Beacon, which communicates with the command-and-control server. The campaign, tracked as UNG0902, uses multiple malicious infrastructures and is believed to be targeting employees of various organizations.

Pulse ID: 69304959476d2ade5f1c7ff2
Pulse Link: https://otx.alienvault.com/pulse/69304959476d2ade5f1c7ff2
Pulse Author: AlienVault
Created: 2025-12-03 14:29:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CodeInjection #CyberSecurity #InfoSec #LNK #Malware #OTX #OpenThreatExchange #PDF #Phishing #RAT #Russia #ShellCode #SpearPhishing #ZIP #bot #AlienVault

ClickFix Gets Creative: Malware Buried in Images

A multi-stage malware execution chain originating from a ClickFix lure has been discovered, leading to the delivery of infostealing malware like LummaC2 and Rhadamanthys. The campaign utilizes steganography to hide malicious code within PNG images. Two distinct ClickFix lures were observed: a standard 'Human Verification' and a convincing fake Windows Update screen. The execution chain involves mshta.exe, PowerShell, and .NET assemblies, ultimately extracting and injecting shellcode into target processes. The steganographic technique encodes malicious data directly into image pixel data, using specific color channels for payload reconstruction and decryption in memory. This sophisticated approach helps evade signature-based detection and complicates analysis.

Pulse ID: 6924c9a94b1c7374cf444b82
Pulse Link: https://otx.alienvault.com/pulse/6924c9a94b1c7374cf444b82
Pulse Author: AlienVault
Created: 2025-11-24 21:10:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #LummaC2 #Mac #Malware #NET #OTX #OpenThreatExchange #PowerShell #Rhadamanthys #ShellCode #Steganography #Windows #bot #AlienVault

How would you prefer to name macros that generate syscalls in assembly?

#namingthings #syscalls #assembly #asm #shellcode

fork() 25%
fork_syscall() 50%
fork_macro() 0%
fork_syscall_macro() 25%

Hiding shellcode in applications

In this article we look at one of the most effective techniques for bypassing traditional protection systems: hiding shellcode. Software vulnerabilities can be an excellent opportunity for attackers, and shellcode, thanks to its compactness and stealth, becomes the ideal tool for exploiting such vulnerabilities. We will not only explain how malicious code is hidden, but also examine in detail the methods for converting standard executable files into shellcode, and show how this process can be used to bypass modern protection tools.

https://habr.com/ru/companies/otus/articles/910474/

#reverseengineering #exploit #shellcode #payload #windows_internals #reverse #reverse_engineering

Hiding shellcode in applications

Detecting shellcode is one of the main tasks of modern protection tools. When executing traditional PE files, such as EXE or DLL, the operating system relies...

Habr

#Speedrunners are #vulnerability researchers, they just don't know it yet
https://zetier.com/speedrunners-are-vulnerability-researchers/

“Super Mario World runners will place items in extremely precise locations so that the X,Y coordinates form #shellcode they can jump to with a dangling reference. Legend of #Zelda: Ocarina of Time players will do heap grooming and write a #function pointer […] so the game “wrong warps” directly to the #end #credit sequence… with nothing more than a #game #controller and a steady #hand”

#Mario

Speedrunners = vulnerability researchers

Video game enthusiasts are developing experience in the cybersecurity industry by accident. Discover how gaming skills can translate into intriguing careers.

Zetier

Decai decompiling malicious shellcode.
The instructions are not so readable if you're not used to int 0x80 syscalls. AI does it for you.

https://asciinema.org/a/4PY8wn2TPg2oBdDQ0Q5bgMYjk

#r2ai #decai #r2 #malware #shellcode #syscall #linux

Nice decompilation of Linux shellcode

sha256: fd8441f8716ef517fd4c3fd552ebcd2ffe2fc458bb867ed51e5aaee034792bde

Uses Mistral AI. From the assembly instructions it spots calls to syscall and sees that they are socket calls, sleep, etc.

asciinema.org

What are people using as a syscall database?

#reverseengineering #assembly #asm #shellcode

The ninth article (38 pages) of the Malware Analysis Series (MAS) is available on:

https://exploitreversing.com/2025/01/08/malware-analysis-series-mas-article-09/

I would like to thank Ilfak Guilfanov @ilfak and @HexRaysSA (on X) for their constant and uninterrupted support, which has helped me write these articles.

Even though I haven't been on this subject for years, I promised I would write a series of ten articles, and the last one will be released next week (JAN/15).

Have a great day.

#shellcode #malware #reverseengineering

Malware Analysis Series (MAS): article 09 | Shellcode

The ninth article (38 pages) of the Malware Analysis Series (MAS), a step-by-step malware analysis and reverse engineering series, is available for reading on: (PDF): I hope this article helps pro…

Exploit Reversing
