From Malspam to Fileless .NET Loader

Pulse ID: 6a2a3bbe5f5726b9133b6c76
Pulse Link: https://otx.alienvault.com/pulse/6a2a3bbe5f5726b9133b6c76
Pulse Author: Tr1sa111
Created: 2026-06-11 04:38:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #MalSpam #NET #OTX #OpenThreatExchange #Spam #bot #Tr1sa111

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

From Malspam to Fileless .NET Loader

A sophisticated malspam campaign delivers a multi-stage .NET loader through an elaborate chain that begins with HTML email attachments. The attack routes through legitimate Google DoubleClick infrastructure to evade detection, then deploys a dynamically personalized phishing kit that pulls the victim company's branding in real time. The infection chain progresses through JavaScript, PowerShell, and multiple .NET components, executing primarily in memory while patching AMSI and ETW to blind Windows telemetry. The loader performs extensive anti-analysis checks, terminates or reboots the host when it detects sandboxes or debugging tools, and establishes persistence through registry keys and scheduled tasks disguised as NVIDIA components. It targets Microsoft-signed binaries such as InstallUtil.exe and MSBuild.exe for process injection, maintains C2 communications over non-standard ports using AES-encrypted protobuf messages, and profiles victim systems, including specific GPU enumeration, potentially for cryptocurrency min...

Pulse ID: 6a2836368857c87f205e9605
Pulse Link: https://otx.alienvault.com/pulse/6a2836368857c87f205e9605
Pulse Author: AlienVault
Created: 2026-06-09 15:50:14

#CyberSecurity #DoubleClick #Email #Google #HTML #InfoSec #Java #JavaScript #MSBuild #MalSpam #Microsoft #NET #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #Spam #Windows #bot #cryptocurrency #AlienVault

Inside .NET Loader Analysis: From Malspam to In-Memory Loader | Huntress

Pulse ID: 6a28288c9bf1a394af67afcb
Pulse Link: https://otx.alienvault.com/pulse/6a28288c9bf1a394af67afcb
Pulse Author: CyberHunter_NL
Created: 2026-06-09 14:51:56

#CyberSecurity #InfoSec #MalSpam #NET #OTX #OpenThreatExchange #Spam #bot #CyberHunter_NL

Inside DesckVB Rat Analysis: From Malspam to In-Memory RAT

Pulse ID: 6a279c81ab7effd97ab43b55
Pulse Link: https://otx.alienvault.com/pulse/6a279c81ab7effd97ab43b55
Pulse Author: Tr1sa111
Created: 2026-06-09 04:54:25

#CyberSecurity #InfoSec #MalSpam #OTX #OpenThreatExchange #RAT #Spam #bot #Tr1sa111

Inside DesckVB Rat Analysis: From Malspam to In-Memory RAT

Pulse ID: 6a279c719787cb9bcc007981
Pulse Link: https://otx.alienvault.com/pulse/6a279c719787cb9bcc007981
Pulse Author: Tr1sa111
Created: 2026-06-09 04:54:09

#CyberSecurity #InfoSec #MalSpam #OTX #OpenThreatExchange #RAT #Spam #bot #Tr1sa111

Inside DesckVB Rat Analysis: From Malspam to In-Memory RAT

Pulse ID: 6a279c7468895e344bf1ffef
Pulse Link: https://otx.alienvault.com/pulse/6a279c7468895e344bf1ffef
Pulse Author: Tr1sa111
Created: 2026-06-09 04:54:12

#CyberSecurity #InfoSec #MalSpam #OTX #OpenThreatExchange #RAT #Spam #bot #Tr1sa111

Inside DesckVB Rat Analysis: From Malspam to In-Memory RAT

DesckVB RAT emerged in February 2026 through a sophisticated malspam campaign that uses a dynamic delivery kit to personalize lures on the fly, extracting victim email addresses and pulling company logos in real time. The attack chain routes through Google's DoubleClick domain to evade email gateways before delivering a five-stage infection: HTML redirect, JScript loader, PowerShell dropper, .NET loader, and finally the RAT itself. The malware employs extensive anti-analysis techniques, including sandbox detection, forced reboots upon detection, and in-memory execution via .NET reflection. Once established, it patches AMSI and ETW at the native API level, injects into legitimate Microsoft-signed binaries such as InstallUtil.exe and MSBuild.exe, and establishes persistence through registry keys and scheduled tasks. The RAT communicates with DDNS-based C2 infrastructure on non-standard ports, performs system reconnaissance including GPU enumeration, possibly for crypto mining, and can deliver additional payl...

Pulse ID: 6a20299eb75a686b68713273
Pulse Link: https://otx.alienvault.com/pulse/6a20299eb75a686b68713273
Pulse Author: AlienVault
Created: 2026-06-03 13:18:22

#CryptoMining #CyberSecurity #DNS #DoubleClick #ELF #Email #Google #HTML #InfoSec #MSBuild #MalSpam #Malware #Microsoft #NET #OTX #OpenThreatExchange #PowerShell #RAT #RCE #Spam #bot #AlienVault

A CSV-formatted list of #malspam campaigns that crossed my path in May, including #malware, subjects, hashes, C2s, and email exfil addresses:

https://gist.github.com/silence-is-best/9b7365532f5ceb3b963bbc2dc3d8e876

#retrohunt

An on-time (yay) CSV-formatted list of #malspam campaigns that crossed my path in April, including #malware type, C2, hash, subject, and email exfil addresses:

https://gist.github.com/silence-is-best/bc95a949f272f8c5487d057bbd74d14f

#retrohunt

When your #malspam threat actor forgets to properly configure their #remcos ....ya "Juniorer" indeed 🀣

https://app.any.run/tasks/1ff77354-94ca-4d30-b6f7-a86aff32e1af