Actor
TinyCC Masquerading as Svchost for Shellcode Execution
2 rules 2 TTPsAttackers rename TinyCC (tcc.exe) to svchost.exe and use it to compile and execute C source files containing shellcode, using the `-nostdlib` and `-run` flags, as observed in the Lotus Blossom Chrysalis backdoor campaign, indicating potential evasion and malicious code execution.
Suspicious Bluetooth Service Installation from Uncommon Location
2 rules 2 TTPsThe creation of a Windows service named 'BluetoothService' with a binary path in user-writable directories, such as %AppData%, indicates potential malware persistence, as seen in the Lotus Blossom Chrysalis backdoor campaign.
Rundll32 Execution with Log.DLL
2 rules 1 TTPDetects the execution of rundll32 with 'log.dll' as a command-line argument, indicative of Lotus Blossom Chrysalis backdoor activity and DLL sideloading attempts.
Bitdefender Submission Wizard DLL Sideloading
2 rules 2 TTPsDetection of potential DLL side-loading of Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe) via loading a malicious log.dll from a non-standard path.