Malware — CraftedSignal Threat Feed

Malicious mysten-metrics Crate Exfiltrates Build Machine Data

hello@craftedsignal.io — Mon, 04 May 2026 21:43:56 +0000

On April 20, 2026, a malicious crate named mysten-metrics was published to crates.io. This crate contained a build script designed to exfiltrate data from the machine during the build process. The crate was identified and removed from crates.io. At the time of removal, only one version of the crate had been published, and there was no evidence of actual usage. The crate had no dependencies on crates.io, limiting the potential spread. This incident highlights the risks associated with supply chain attacks targeting software build processes and the importance of verifying the integrity of third-party dependencies.

Attack Chain

Attacker publishes the mysten-metrics crate to crates.io.
A developer adds mysten-metrics as a dependency to their project.
The developer builds the project using cargo build.
As part of the build process, the malicious build script within mysten-metrics is executed.
The build script collects sensitive data from the build environment (e.g., environment variables, file contents, system information).
The build script attempts to exfiltrate the collected data to a remote attacker-controlled server. The exact exfiltration method is not specified, but could involve HTTP/S requests or DNS tunneling.
The attacker receives the exfiltrated data from the compromised build machine.

Impact

The successful execution of the malicious build script could lead to the exposure of sensitive information, including API keys, credentials, source code, and other confidential data present on the build machine. This data could be used to compromise the developer’s infrastructure, intellectual property, and customer data. Since there were no known usages, the impact was contained by its early removal.

Recommendation

Implement integrity checks for all third-party dependencies to identify and prevent the use of malicious packages.
Monitor network connections originating from build processes for suspicious outbound traffic, as this could indicate data exfiltration. Create network connection rules.
Implement file integrity monitoring on build machines to detect unauthorized modifications to files during the build process.

Malicious sui-execution-cut Crate Exfiltrates Build Machine Data

hello@craftedsignal.io — Mon, 04 May 2026 21:42:55 +0000

On April 20, 2026, a malicious crate named sui-execution-cut was published to crates.io. This crate included a build script that, when executed, attempted to exfiltrate data from the machine on which the crate was being built. The crate had no dependencies and only one version was ever published. The malicious package was quickly removed from crates.io after discovery. While the crate was available for a short period, there is no evidence of actual usage, however, supply chain compromises can have a wide impact if successful, and even this low-usage crate warrants monitoring.

Attack Chain

A developer adds the malicious sui-execution-cut crate as a dependency to their Rust project.
During the build process, the cargo build system executes the build script embedded within the sui-execution-cut crate.
The build script executes a series of commands designed to gather sensitive information from the build environment.
The script establishes an outbound network connection to a remote server controlled by the attacker.
The gathered data is transmitted to the attacker’s server via HTTP POST or a similar method.
The attacker receives the exfiltrated data, which could include environment variables, file contents, or other sensitive information.
The attacker analyzes the stolen data for valuable secrets, credentials, or intellectual property.

Impact

The sui-execution-cut crate, if used, could have compromised developer machines by exfiltrating sensitive data during the build process. Although the crate was quickly removed and showed no signs of usage, a successful attack of this nature could lead to the exposure of secrets, credentials, and intellectual property. The lack of usage limits the impact, but the nature of supply chain attacks makes even low-usage crates a potential risk.

Recommendation

Monitor for unexpected network connections originating from build processes, especially connections to unknown or suspicious domains. Use the “Detect Suspicious Outbound Connections from Build Processes” Sigma rule.
Implement strict dependency review processes to identify and prevent the introduction of malicious packages into your software supply chain.
Continuously monitor crates.io and other package repositories for reports of malicious packages and promptly remove them from your dependencies if identified.

Suspicious Windows PowerShell Arguments Detected

hello@craftedsignal.io — Mon, 04 May 2026 14:17:05 +0000

This detection rule identifies the execution of PowerShell with suspicious argument values on Windows systems. This behavior is frequently associated with malware installation and other malicious activities. PowerShell is a powerful scripting language, and adversaries often exploit its capabilities to execute malicious scripts, download payloads, and obfuscate commands. The rule focuses on detecting patterns such as encoded commands, suspicious downloads (e.g., using WebClient or Invoke-WebRequest), and various obfuscation techniques used to evade detection. The rule is designed to work with various data sources, including Elastic Defend, Windows Security Event Logs, Sysmon, and third-party EDR solutions like CrowdStrike, Microsoft Defender XDR, and SentinelOne, enhancing its applicability across different environments.

Attack Chain

An attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).
The attacker uses PowerShell to download a malicious payload from a remote server using commands like DownloadFile or DownloadString.
The downloaded payload is often encoded or obfuscated to evade detection. Common techniques include Base64 encoding, character manipulation, and compression.
PowerShell is then used to decode or deobfuscate the payload using methods like [Convert]::FromBase64String or [char[]](...) -join ''.
The deobfuscated payload is executed directly in memory using techniques like iex (Invoke-Expression) or Reflection.Assembly.Load.
The executed payload performs malicious actions, such as installing malware, establishing persistence, or exfiltrating data.
The attacker may use techniques like WebClient to download files from a remote URL.
Commands like nslookup -q=txt are used for command and control.

Impact

Successful exploitation can lead to malware installation, data theft, system compromise, and further propagation of the attack within the network. The detection of suspicious PowerShell arguments helps to identify and prevent these malicious activities before significant damage can occur. Without proper detection, attackers can maintain persistence, escalate privileges, and compromise sensitive data. The rule helps defenders identify and respond to these threats quickly, minimizing the impact of potential attacks.

Recommendation

Deploy the Sigma rules provided in this brief to your SIEM to detect suspicious PowerShell activity.
Enable Sysmon process creation logging with command line arguments to ensure the necessary data is captured for the Sigma rules to function effectively.
Investigate any alerts generated by the Sigma rules to determine the legitimacy of the PowerShell activity and take appropriate remediation steps.
Continuously tune the Sigma rules based on your environment to reduce false positives and improve detection accuracy.

Malware Distribution via Hugging Face and ClawHub

hello@craftedsignal.io — Fri, 01 May 2026 08:41:57 +0000

Threat actors are leveraging AI distribution platforms like Hugging Face and ClawHub to distribute malware. This involves social engineering tactics to deceive users into downloading files that contain malicious code. Instead of directly compromising AI agents, the attackers abuse user trust by injecting indirect prompts into resources that the AI accesses. Acronis reported that on ClawHub, nearly 600 malicious skills across 13 developer accounts were identified distributing trojans, cryptominers, and information stealers targeting both Windows and macOS. On Hugging Face, attackers created repositories hosting malicious files designed to stage multi-step infection chains leading to infostealers, trojans, malware loaders, and other types of malware targeting Windows, Linux, and Android. This tactic allows attackers to bypass traditional security measures and leverage the platforms’ reputation for trusted AI tooling.

Attack Chain

Attacker creates a malicious repository or skill on Hugging Face or ClawHub.
The repository or skill contains files that appear legitimate but include malicious code.
The attacker uses social engineering to entice users to download the files.
Upon execution, the malicious code fetches additional payloads from external sources.
For macOS, the payload can be Atomic macOS Stealer (AMOS) Stealer.
The downloaded payload executes commands to install hidden dependencies.
The malware establishes persistence on the victim’s system.
The malware performs its intended malicious actions, such as stealing information or mining cryptocurrency.

Impact

Successful attacks can lead to the installation of various types of malware, including infostealers, trojans, cryptominers, and malware loaders. The targeted platforms include Windows, macOS, Linux, and Android, potentially impacting a wide range of users and systems. The abuse of trust in AI distribution platforms poses a significant risk, as users may be less likely to scrutinize files from these sources. Acronis identified close to 600 malicious skills on ClawHub alone, indicating the scale of this threat.

Recommendation

Monitor process creation events for execution of downloaded files from Hugging Face or ClawHub with unusual parent processes using the “Detect Suspicious Process Execution from AI Platforms” Sigma rule.
Implement network monitoring to detect connections to known malicious domains or IPs associated with malware distribution campaigns that originate from processes associated with AI platform tooling.
Educate users about the risks of downloading files from untrusted sources, even on trusted platforms like Hugging Face and ClawHub.
Regularly scan systems for known malware signatures and indicators of compromise associated with infostealers and trojans.

Compromised PyTorch Lightning Packages on PyPI Steal Developer Credentials

hello@craftedsignal.io — Fri, 01 May 2026 00:45:31 +0000

On April 30, 2026, two malicious versions (2.6.2 and 2.6.3) of the widely used pytorch-lightning package were published to the PyPI registry after the publisher account was compromised. These versions contain embedded malicious code designed to steal developer credentials and republish infected versions of repositories to which the stolen tokens have access. The attack is triggered upon importing the package, initiating a background process that silently harvests credentials from a wide array of services, including AWS, Azure, Google Cloud, and GitHub, as well as local environment variables and credential files. Version 2.6.3 was published just 13 minutes after 2.6.2, and was intended to evade detection.

Attack Chain

Attacker compromises the publisher account for the pytorch-lightning package on PyPI.
Attacker publishes malicious versions 2.6.2 and 2.6.3 to PyPI.
A modified __init__.py file within the package initiates a background process upon import.
The background process executes silently, without any visible output or indication of compromise to the user.
The malicious package downloads a runtime (Bun) from GitHub.
The package executes a large, obfuscated JavaScript file, targeting AWS, Azure, Google Cloud, GitHub, and local credential stores.
Stolen credentials, including cloud provider keys, API tokens, and secrets, are exfiltrated to attacker-controlled infrastructure.
The malware attempts to download and execute a second-stage payload from attacker-controlled infrastructure, expanding the scope of the attack.

Impact

Organizations that downloaded and used versions 2.6.2 or 2.6.3 of the pytorch-lightning package are at high risk of compromise. The malicious package is designed to steal a wide range of credentials, including cloud provider keys, API tokens, and secrets stored in environment variables. This can lead to unauthorized access to sensitive data and systems, potentially resulting in data breaches, financial losses, and reputational damage. The malware’s ability to download and execute secondary payloads further increases the potential impact.

Recommendation

Immediately remove versions 2.6.2 and 2.6.3 of the lightning package from all systems where they are installed (see overview).
Audit systems for unauthorized processes and review outbound network connections to detect potential compromises (see overview).
Rotate all cloud provider keys (AWS, Azure, GCP), API tokens (GitHub, CI/CD systems), and secrets stored in environment variables to prevent further unauthorized access (see Attack Chain).
Implement the Detect Suspicious PyPI Package Installation Sigma rule to identify potential malicious packages being installed in the future (see rules).
Implement the Detect Credential Harvesting via Bun Sigma rule to catch execution of the malicious JavaScript payload (see rules).
Pin dependencies to known-good versions and verify package integrity before use to prevent future supply chain attacks (see references).

ClickFix 'BackgroundFix' Campaign Delivers CastleLoader, NetSupport RAT, and CastleStealer

hello@craftedsignal.io — Thu, 30 Apr 2026 13:00:00 +0000

The BackgroundFix campaign is a social engineering scheme using fake “remove your photo background” services to deliver malware. Victims are lured to malicious sites mimicking legitimate image editing tools. The sites feature fake upload interfaces, progress bars, and download buttons to appear authentic. This campaign delivers a multi-stage payload, starting with CastleLoader. CastleLoader then drops NetSupport RAT, enabling remote access for the attackers, and CastleStealer, a custom .NET stealer designed to exfiltrate browser credentials, wallet extension data, and Telegram session files. This campaign appears to be active, with multiple domains sharing the same template.

Attack Chain

Victim searches for an online background removal tool and lands on a malicious BackgroundFix site.
The victim uploads an image to the fake website.
After clicking a checkbox, the site instructs the victim to copy a command to their clipboard.
The copied command executes finger.exe to query cheeshomireciple[.]com
finger.exe retrieves a batch script from the C2 server.
The batch script executes commands to download and execute further payloads.
CastleLoader is deployed, subsequently dropping NetSupport RAT and CastleStealer.
NetSupport RAT grants the attacker remote access, while CastleStealer exfiltrates sensitive data.

Impact

Successful attacks result in the installation of NetSupport RAT, granting attackers remote control over the compromised system. Additionally, CastleStealer exfiltrates sensitive information such as browser credentials, wallet extension data, and Telegram session files. This stolen data can be used for further malicious activities, including financial fraud, identity theft, and unauthorized access to sensitive accounts. The active nature of the campaign and the use of multiple domains suggest a broad targeting scope.

Recommendation

Monitor process creation events for the execution of finger.exe with command-line arguments pointing to external domains (IOC: cheeshomireciple[.]com).
Deploy the Sigma rule to detect the execution of finger.exe to identify potential initial access attempts.
Block the C2 domain cheeshomireciple[.]com at the DNS resolver to prevent initial payload delivery.
Monitor network connections for NetSupport RAT C2 communications on port 688 to detect compromised systems (IOCs: poronto[.]com:688, giovettiadv[.]com:688).

UNC6692 Combines Social Engineering, Malware, and Cloud Abuse

hello@craftedsignal.io — Tue, 28 Apr 2026 14:00:00 +0000

UNC6692 is a newly tracked, financially motivated threat group that employs a multi-stage intrusion campaign combining persistent social engineering and custom modular malware. The actor begins by flooding a target’s email inbox before contacting them via Microsoft Teams, posing as help desk personnel to resolve the issue. This leads to a phishing attack where victims are tricked into downloading and executing malicious payloads. UNC6692 abuses legitimate cloud infrastructure, specifically AWS S3 buckets, for payload delivery, command and control (C2), and data exfiltration, allowing them to bypass traditional network reputation filters. The group’s operations are focused on gaining access and stealing credentials for further actions, ultimately aiming to exfiltrate data of interest from compromised systems. The initial campaign was observed in late December.

Attack Chain

The attacker floods a target’s email inbox to create a sense of urgency.
The attacker contacts the target via Microsoft Teams, impersonating help desk personnel.
The attacker sends a phishing link via Teams, promising a local patch to fix the email spamming issue.
The target clicks the link, which downloads a renamed AutoHotKey binary and an AutoHotkey script from a threat actor-controlled AWS S3 bucket.
Execution of the AutoHotKey binary automatically runs the script, initiating reconnaissance commands and installing the SNOWBELT malicious Chromium browser extension.
SNOWBELT facilitates the download of additional tools, including the Snowglaze Python tunneler, the Snowbasin Python bindshell (used as a persistent backdoor), additional AutoHotkey scripts, and a portable Python executable with required libraries.
The attacker uses a Python script to scan the local network for ports 135, 445, and 3389 and enumerate local administrator accounts.
The attacker uses a local administrator account to initiate an RDP session via Snowglaze from the compromised system to a backup server, then dumps LSASS process memory and uses pass-the-hash to move laterally to the domain controller.

Impact

The UNC6692 attack leads to the compromise of targeted systems, credential theft, and potential data exfiltration. If successful, the attacker gains control over the domain controller, allowing them to access sensitive information and potentially cause significant damage to the organization. The abuse of AWS S3 buckets allows the threat actor to blend in with legitimate cloud traffic, making detection more difficult. The financial motivation suggests that stolen credentials and data could be used for further malicious activities, such as ransomware attacks or sale on the dark web.

Recommendation

Monitor for AutoHotKey execution, especially when associated with downloads from unusual locations like AWS S3 buckets, to detect initial payload execution (see Sigma rule below).
Implement network monitoring to detect unusual RDP connections initiated from compromised systems to internal servers, as this is a key lateral movement technique used by UNC6692 (see Sigma rule below).
Monitor for the installation of new Chromium extensions, especially those not distributed through the Chrome Web Store, as this is how the SNOWBELT malware is deployed.
Monitor for the use of Python scripts to scan the local network for open ports (135, 445, 3389) and enumerate local administrator accounts.
Investigate any Microsoft Teams messages delivering links that promise to fix technical problems, as this is the initial social engineering tactic used by UNC6692.

CanisterSprawl: Self-Propagating npm Malware Campaign

hello@craftedsignal.io — Thu, 23 Apr 2026 16:18:33 +0000

The CanisterSprawl campaign, first disclosed in April 2026, is a self-propagating malware targeting npm packages. This campaign focuses on stealing sensitive information, such as API keys, authentication tokens, and crypto wallet data from developer environments. The malware attempts to automate the process of publishing malicious packages to the npm registry using compromised developer accounts. By hijacking trusted credentials, CanisterSprawl seeks to extend its reach within the open-source ecosystem, turning a single compromised machine into a potential source of widespread supply chain attacks. This campaign highlights the need for robust security measures to prevent the installation of malicious packages and detect unauthorized activity within developer environments.

Attack Chain

A developer installs a malicious npm package from the npm registry.
During installation, the package executes embedded code automatically.
The malware scans environment variables on the local system, looking for credentials and developer tokens.
The malware harvests browser credentials, crypto wallet data, and configuration files containing credentials.
The collected data is exfiltrated to an external server controlled by the attacker.
The malware attempts to locate an npm automation token on the infected machine.
If a token is found, the malware lists all packages to which the token grants “write” access.
The malware downloads the packages, injects the malicious script into them, and republishes them to the npm registry, spreading the infection to other projects.

Impact

Successful CanisterSprawl infections can lead to the exfiltration of sensitive data, including API keys, authentication tokens, and credentials, which can be used to gain unauthorized access to internal systems and services. The malware’s self-propagating nature allows it to spread through the npm ecosystem, potentially compromising numerous projects and developer accounts. If successful, attackers can inject malicious code into trusted packages, leading to supply chain attacks that affect a large number of downstream consumers. This can damage the reputation of affected developers and organizations, and result in significant financial losses.

Recommendation

Remove any identified malicious packages immediately to prevent further data theft and propagation.
Rotate potentially compromised credentials, tokens, and API keys that may have been exposed from affected hosts.
Review environment variables and local credentials on developer machines for potential compromise.
Audit account activity for unauthorized publishing or access to the npm registry, as highlighted in the Overview section.
Deploy the Sigma rule to detect suspicious processes attempting to access sensitive files related to credentials.
Enable file integrity monitoring for common credential storage locations and configuration files to detect unauthorized access and modifications.

Suspicious Processes Connecting to Large Language Model Endpoints

hello@craftedsignal.io — Wed, 22 Apr 2026 16:34:10 +0000

This detection identifies instances where suspicious processes are communicating with known Large Language Model (LLM) endpoints. The activity suggests potential command and control behavior, where malware or unauthorized scripts leverage LLMs to dynamically execute actions on compromised systems. This behavior emerged in late 2025 and continues to evolve. The rule focuses on detecting DNS queries originating from unsigned binaries or common scripting utilities like PowerShell, mshta.exe, and wscript.exe. The targeting scope includes both Windows and macOS systems. Defenders should be aware of this technique as attackers increasingly integrate LLMs to enhance malware capabilities and evade traditional detection methods.

Attack Chain

A user inadvertently executes a malicious script or binary, potentially delivered through social engineering or drive-by download.
The malicious script, such as a PowerShell script or JavaScript within mshta.exe, is launched.
The script executes code to perform reconnaissance, gathering system information or user credentials.
The script constructs a query for a Large Language Model (LLM) endpoint, such as api.openai.com, using a common scripting utility.
The DNS query is resolved, and a network connection is established to the LLM API endpoint, bypassing standard network security controls.
The malicious script sends data to the LLM API, requesting instructions or performing tasks such as code generation or data exfiltration.
The LLM responds with instructions or processed data, which the script then executes on the compromised system.
The attacker gains control over the compromised system by leveraging the LLM to perform various malicious activities, like lateral movement or data theft.

Impact

Compromised systems could be remotely controlled via LLM APIs, allowing attackers to perform data exfiltration, lateral movement, or deploy ransomware. Successful exploitation can lead to significant data breaches, financial loss, and reputational damage. The number of victims is currently unknown, but the attack vector affects organizations across all sectors.

Recommendation

Deploy the Sigma rules in this brief to your SIEM to identify suspicious processes querying LLM endpoints.
Enable DNS query logging on both Windows and macOS endpoints to provide the necessary data source for the detections.
Investigate any alerts generated by the Sigma rules, focusing on identifying the parent process and associated network activity.
Implement application control policies to restrict the execution of unsigned binaries and common scripting utilities from untrusted locations.
Review and update network firewall rules to restrict outbound connections to known malicious or suspicious domains.
Monitor process creation events for command-line arguments that indicate the use of scripting engines to perform DNS queries to LLM domains.

Notepad++ Updater (gup.exe) Creates Uncommon Files

hello@craftedsignal.io — Tue, 21 Apr 2026 10:34:51 +0000

The Notepad++ updater, gup.exe, is a component designed to automatically update the Notepad++ application. However, attackers can potentially exploit this updater to deliver malware or place unwarranted files on a system. This activity often begins with a compromised update server or a man-in-the-middle attack. Successful exploitation can lead to the installation of backdoors, credential access, and collection of sensitive information. The references provided highlight historical incidents involving the Notepad++ updater being abused in supply chain attacks. Defenders should monitor file creation events by gup.exe outside of expected program directories and temporary update locations.

Attack Chain

The user installs Notepad++ on their Windows system.
The gup.exe updater component, located within the Notepad++ installation directory, is executed to check for updates.
The updater connects to the Notepad++ update server to retrieve update information.
An attacker compromises the update server or performs a man-in-the-middle attack.
The compromised update server provides malicious instructions to gup.exe.
gup.exe creates a malicious executable or script in an unexpected location, such as the user’s temporary directory outside of normal update procedures.
The malicious file is executed, leading to further compromise such as installing a backdoor or stealing credentials.
The attacker gains initial access to the system and can perform collection and credential access.

Impact

A successful attack exploiting the Notepad++ updater can lead to the installation of malware, such as backdoors, allowing attackers to gain persistent access to the compromised system. This can lead to data theft, credential compromise, and further lateral movement within the network. The number of potential victims depends on the scope of the compromised update server or the success of the man-in-the-middle attack. Historically, supply chain attacks targeting widely used software have impacted thousands of users.

Recommendation

Deploy the Sigma rule “Notepad++ Updater (gup.exe) Creates Uncommon Files” to your SIEM and tune for your environment. This rule detects file creation events by gup.exe in suspicious locations (see rule configuration).
Monitor file_event logs for unusual file creation events initiated by gup.exe using the specified logsource.
Implement network monitoring to detect and prevent man-in-the-middle attacks against the Notepad++ update server.

Dragon Boss Solutions Adware Disabling Antivirus Protections

hello@craftedsignal.io — Thu, 16 Apr 2026 12:00:00 +0000

A digitally signed adware tool distributed by Dragon Boss Solutions LLC has been observed deploying payloads designed to disable antivirus protections. The campaign, discovered by Huntress on March 22, 2026, leverages signed executables initially classified as potentially unwanted programs (PUPs) to gain a foothold on victim machines. These PUPs, often disguised as browser tools like Chromstera Browser, Chromnius, WorldWideWeb, Web Genius, and Artificius Browser, use an advanced update mechanism to deliver malicious payloads. This update mechanism, powered by the commercial Advanced Installer, silently deploys MSI and PowerShell scripts with elevated SYSTEM privileges. This allows the threat actors to disable or remove antivirus software without user interaction. The campaign has impacted over 23,500 hosts across 124 countries, including high-value networks in the educational, utilities, government, and healthcare sectors.

Attack Chain

Initial infection occurs via the installation of signed adware tools (PUPs) from Dragon Boss Solutions LLC, such as Chromnius or WorldWideWeb.
The adware uses the Advanced Installer update mechanism to silently download and execute an MSI payload (Setup.msi) disguised as a GIF image.
The MSI payload is executed with SYSTEM privileges, allowing it to bypass user account control (UAC) restrictions.
The MSI installer performs reconnaissance, checking admin status, detecting virtual machines, verifying internet connectivity, and identifying installed antivirus products from Malwarebytes, Kaspersky, McAfee, and ESET.
A PowerShell script (ClockRemoval.ps1) is deployed to disable the detected security products by stopping services, killing processes, deleting installation directories and registry entries, silently running vendors’ uninstallers, and forcefully deleting files.
The ClockRemoval.ps1 script is scheduled to run at system boot, logon, and every 30 minutes to ensure persistent removal of antivirus products.
The hosts file is modified to block access to antivirus vendor domains, preventing reinstallation or updates of the security software.
With antivirus protections disabled, the compromised system becomes vulnerable to further exploitation and malware deployment.

Impact

This campaign has impacted over 23,500 hosts across 124 countries. Identified infected hosts include 221 academic institutions, 41 operational technology networks, 35 municipal governments and public utilities, 24 primary and secondary educational institutions, and 3 healthcare organizations. The disabling of antivirus software leaves systems vulnerable to further malware infections, data breaches, and other malicious activities. The potential exists for threat actors to leverage this established infrastructure to deploy far more dangerous payloads.

Recommendation

Deploy the Sigma rule detecting the ClockRemoval.ps1 script execution to your SIEM to identify affected systems.
Monitor for WMI event subscriptions containing “MbRemoval” or “MbSetup,” scheduled tasks referencing “WMILoad” or “ClockRemoval,” and processes signed by Dragon Boss Solutions LLC, as recommended by Huntress.
Review the hosts file for entries blocking AV vendor domains and check Microsoft Defender exclusions for suspicious paths such as “DGoogle,” “EMicrosoft,” or “DDapps.”
Block the C2 domains chromsterabrowser[.]com and worldwidewebframework3[.]com at the DNS resolver.
Investigate systems that have downloaded the Setup.msi payload, identified by its hash.

n8n AI Workflow Automation Platform Abused for Malware Delivery and Device Fingerprinting

hello@craftedsignal.io — Wed, 15 Apr 2026 10:03:05 +0000

Cisco Talos has observed a surge in the abuse of agentic AI workflow automation platforms, specifically n8n, in phishing campaigns between October 2025 and March 2026. Attackers are leveraging the trusted infrastructure of n8n to bypass traditional security filters and deliver malware or fingerprint devices. This involves embedding n8n webhook URLs in phishing emails, which redirect victims to malicious content served through the n8n platform. This technique effectively turns a productivity tool into a delivery mechanism for persistent remote access, highlighting the evolving tactics of threat actors exploiting legitimate services. Talos observed a 686% increase in emails containing n8n webhook URLs between January 2025 and March 2026, indicating the growing prevalence of this attack vector.

Attack Chain

The attacker crafts a phishing email containing a malicious link.
The link is an n8n webhook URL pointing to a workflow controlled by the attacker on a subdomain of tti.app.n8n[.]cloud.
The victim receives the email and clicks the embedded n8n webhook URL, believing it to be a legitimate service.
Clicking the link redirects the victim’s browser to the n8n platform, which triggers the pre-configured workflow.
The n8n workflow serves an HTML page containing a CAPTCHA to the victim’s browser.
After the victim completes the CAPTCHA, the webpage presents a download button, concealing the true source of the payload.
Clicking the download button initiates the download of a malicious executable (e.g., “DownloadedOneDriveDocument.exe”) from an external host.
The executable installs a modified version of Datto RMM, establishes a connection to a relay on centrastage[.]net, granting the attacker remote access and control over the compromised system.

Impact

The abuse of n8n for malware delivery and device fingerprinting can lead to significant compromise of targeted systems. Successful exploitation allows attackers to gain remote access via tools like the modified Datto RMM, enabling them to steal sensitive data, deploy ransomware, or conduct further malicious activities within the compromised network. The rise in n8n webhook URL usage in phishing emails, with a 686% increase in volume from January 2025 to March 2026, indicates a potentially widespread impact across various sectors.

Recommendation

Monitor email traffic for URLs containing tti.app.n8n[.]cloud and flag them as suspicious (IOC table).
Implement a detection rule to identify network connections to centrastage[.]net initiated by unusual processes (Sigma rule below).
Inspect process creation events for the execution of “DownloadedOneDriveDocument.exe” or similar filenames downloaded from n8n domains (Sigma rule below).
Block the domains tti.app.n8n[.]cloud and centrastage[.]net at the DNS resolver (IOC table).

OpenClaw Agent Suspicious Child Process Execution

hello@craftedsignal.io — Wed, 08 Apr 2026 12:07:54 +0000

OpenClaw (formerly Clawdbot, rebranded to Moltbot) is an AI coding assistant that can execute shell commands and scripts. Threat actors are exploiting the skill ecosystem (ClawHub) to distribute malicious skills, observed as early as January 2026, that execute download-and-execute commands, targeting cryptocurrency wallets and credentials. These skills are often obfuscated and distributed through public registries like ClawHub. The attacks leverage the AI agents’ ability to execute commands through skills or prompt injection. Defenders should monitor for suspicious child processes spawned by Node.js processes running OpenClaw/Moltbot, as these may indicate malicious activity originating from compromised or malicious skills. This activity has been observed across Linux, macOS, and Windows environments.

Attack Chain

A user installs the OpenClaw agent, potentially from a legitimate or typosquatted domain.
The user installs a malicious skill from ClawHub or is subject to a prompt injection attack.
The OpenClaw agent, running under Node.js, receives a command to execute a shell command.
The Node.js process spawns a shell process (e.g., bash, sh, cmd.exe, powershell.exe).
The shell process executes a command to download a payload from a remote server using tools like curl or certutil.
The downloaded payload is saved to disk, often with an obfuscated name.
The shell process executes the downloaded payload using chmod +x and ./, rundll32.exe, or powershell.exe.
The payload performs malicious actions such as credential theft or cryptocurrency wallet compromise.

Impact

Compromised OpenClaw agents can lead to cryptocurrency wallet theft, credential compromise, and potential data exfiltration. A successful attack allows threat actors to gain access to sensitive data and potentially pivot to other systems on the network. The number of victims is currently unknown, but the targeting of cryptocurrency wallets suggests financially motivated actors. The observed typosquatting activity indicates a campaign to impersonate the legitimate software and trick users into installing malicious versions.

Recommendation

Monitor process creation events for suspicious child processes of Node.js processes running OpenClaw/Moltbot, specifically shells and scripting interpreters, using the provided Sigma rule (Execution via OpenClaw Agent - Linux/macOS/Windows).
Block known typosquat domains (moltbot.you, clawbot.ai, clawdbot.you) at the DNS resolver based on the IOCs provided.
Implement application control policies to restrict the execution of unsigned or untrusted executables, mitigating the impact of downloaded payloads.
Review OpenClaw skill installation logs and user AI conversation history for signs of malicious activity or prompt injection attempts.
Enable process command-line auditing to capture the full command line of spawned processes, aiding in the identification of malicious commands.
Deploy the Sigma rule to detect execution of curl/certutil downloads (OpenClaw Download Activity).

Malicious NPM Packages Target Strapi Users

hello@craftedsignal.io — Tue, 07 Apr 2026 10:00:00 +0000

A threat actor has compromised the Strapi ecosystem by publishing 36 malicious NPM packages posing as legitimate Strapi plugins. This supply chain attack, discovered by SafeDep, targets users of the open-source headless CMS, Strapi, which is built on Node.js. The malicious packages contain a variety of payloads designed to compromise Strapi installations. These payloads include capabilities for Redis code execution, Docker container escape, credential harvesting, reverse shell deployment, and establishing persistent implants. The attackers specifically targeted the cryptocurrency payment gateway Guardarian, indicating a focus on financial gain and data exfiltration from this specific organization. The malicious activity was observed starting around April 6, 2026.

Attack Chain

The attacker publishes 36 malicious NPM packages to the NPM registry, using names that mimic legitimate Strapi plugins to entice Strapi developers to install them.
A Strapi developer installs one or more of the malicious NPM packages into their Strapi project using the npm install command.
Upon installation, the malicious package executes its payload, which may include Redis code execution by injecting crontab entries and deploying PHP/Node.js reverse shells.
The payload attempts to escape Docker containers via overlay filesystem discovery, writing shells to host directories and launching a reverse shell.
The malicious code harvests credentials from the compromised system, including database passwords, API keys, JWT secrets, Elasticsearch credentials, and wallet/key files.
The attacker gains a reverse shell on the compromised system, allowing them to execute arbitrary commands and further explore the network.
The malware exfiltrates Strapi configurations and Guardarian API module data to an external attacker-controlled server.
The attacker establishes persistent implants on the compromised system to maintain long-term access and control.

Impact

This supply chain attack can lead to severe consequences for Strapi users, particularly those in the cryptocurrency sector. If successful, the attack allows for unauthorized access to sensitive data, including API keys, database credentials, and customer information. The direct targeting of Guardarian suggests a high-value target with potential for significant financial loss. A successful attack could result in data breaches, financial theft, and reputational damage for affected organizations. The ability to escape Docker containers further broadens the attack surface, potentially compromising the host system and other containers running on the same infrastructure.

Recommendation

Deploy the “Detect Suspicious NPM Package Installation” Sigma rule to identify potentially malicious package installations (see rule below).
Enable process creation logging with command-line arguments to facilitate detection and investigation of suspicious activity.
Rotate all credentials, including database passwords, API keys, JWT secrets, and other secrets stored on systems where the malicious packages may have been installed, as recommended in the overview.
Monitor network connections for reverse shell activity originating from Strapi servers, as described in the Attack Chain (reference network_connection log source in Sigma rules).
Implement file integrity monitoring to detect unauthorized modifications to Strapi configuration files and other sensitive files (reference file_event log source in Sigma rules).

Malicious LiteLLM Versions Harvest Credentials

hello@craftedsignal.io — Thu, 26 Mar 2026 12:00:00 +0000

On March 25, 2026, two malicious versions of the litellm package (versions 1.82.7 and 1.82.8) were discovered on the PyPI repository. These versions were found to contain automatically activated malware. The malicious code was designed to harvest sensitive credentials and files from systems where the compromised packages were installed. This supply chain attack follows a previous API token exposure stemming from a compromised trivy dependency, indicating a potential escalation in targeting the litellm project. The compromised packages exfiltrate stolen data to a remote API controlled by the attacker.

Attack Chain

An attacker compromises the litellm PyPI package repository, likely leveraging exposed credentials.
The attacker injects malicious code into versions 1.82.7 and 1.82.8 of the litellm package. The malicious code is automatically activated upon installation.
A user installs either litellm version 1.82.7 or 1.82.8 via pip.
Upon execution, the malicious code begins harvesting credentials and files accessible to the litellm environment. This may include API keys, tokens, and other sensitive information.
The malware establishes a network connection to a remote API server controlled by the attacker.
The harvested credentials and files are exfiltrated to the attacker’s remote API server.
The attacker gains unauthorized access to services and data protected by the stolen credentials.

Impact

This supply chain attack directly impacts any user who installed the malicious litellm packages (versions 1.82.7 and 1.82.8). Successful credential harvesting allows attackers to pivot and compromise other systems and services accessible with the stolen credentials, potentially leading to data breaches, unauthorized access, and further lateral movement within victim environments. The number of affected users is currently unknown, but the popularity of litellm suggests a potentially wide impact.

Recommendation

Immediately revoke and rotate any credentials accessible to environments where litellm versions 1.82.7 or 1.82.8 were installed (description).
Deploy the following Sigma rule to detect installations of the affected litellm versions (Sigma rule).
Monitor network traffic for connections originating from litellm processes to external, untrusted APIs (network_connection).
Implement strong dependency management practices, including the use of software composition analysis tools, to identify and prevent the installation of malicious packages (overview).

TeamPCP Deploys CanisterWorm on NPM After Trivy Compromise

hello@craftedsignal.io — Sun, 22 Mar 2026 10:00:00 +0000

On March 21, 2026, it was reported that threat actor TeamPCP successfully deployed CanisterWorm, a malicious worm, onto the NPM package registry. This followed a compromise of Trivy, a widely-used open-source vulnerability scanner. The specifics of the Trivy compromise are not detailed in this brief, but it likely involved exploiting vulnerabilities within Trivy or its infrastructure to gain unauthorized access and the ability to publish malicious packages. The scope of this incident affects developers and organizations that rely on NPM packages and utilize Trivy in their software development lifecycle. Defenders should prioritize detecting and mitigating the spread of CanisterWorm within their environments, focusing on identifying compromised Trivy instances and monitoring for suspicious activity related to NPM package installations.

Attack Chain

Initial Compromise: TeamPCP gains unauthorized access to Trivy infrastructure, potentially exploiting a vulnerability or using stolen credentials.
Malware Injection: The attackers inject malicious code into a legitimate Trivy package or create a new package containing the CanisterWorm payload.
NPM Deployment: TeamPCP publishes the compromised or new package to the NPM registry, making it available for download by unsuspecting users.
Package Installation: Developers unknowingly download and install the malicious package through NPM, integrating CanisterWorm into their projects.
Worm Propagation: CanisterWorm begins to propagate itself by infecting other NPM packages and dependencies within the compromised project.
Lateral Movement: The worm replicates and spreads to other systems and projects that depend on the infected packages.
Persistence: The malware establishes persistence within infected systems to maintain its presence and continue spreading.
Payload Delivery: CanisterWorm executes its malicious payload, which could include data theft, code injection, or other harmful activities.

Impact

The deployment of CanisterWorm on NPM poses a significant threat to the software supply chain. Successful infection can lead to widespread compromise of applications and systems that rely on NPM packages. The specific number of victims and the full extent of damage is currently unknown, but the incident has the potential to affect numerous organizations across various sectors that utilize NPM and Trivy in their development processes. Successful exploitation could result in data breaches, service disruptions, and reputational damage.

Recommendation

Monitor NPM package installations for suspicious activity and unexpected dependencies to identify potential CanisterWorm infections.
Implement integrity checks for NPM packages to verify their authenticity and prevent the installation of tampered packages.
Analyze process creation events for suspicious processes originating from NPM-related processes using the provided Sigma rules.
Regularly scan systems for known malware signatures to detect CanisterWorm and other potential threats.
Review and strengthen the security of your software supply chain to mitigate the risk of future attacks.

GhostLoader Malware Targeting macOS via GitHub and AI Workflows

hello@craftedsignal.io — Sat, 21 Mar 2026 13:03:03 +0000

GhostLoader is a malware campaign observed using GitHub repositories and AI-assisted development workflows to deliver malicious payloads specifically designed to steal credentials from macOS systems. The threat leverages the trust associated with software repositories and the increasing adoption of AI tools in development to potentially bypass security measures. While the exact start date of the campaign is not specified, the report from Jamf highlights its recent emergence as a notable threat. Defenders should prioritize monitoring for suspicious activity related to GitHub repositories and unusual AI-driven development processes. The targeted scope appears to be macOS users who engage with software development resources and AI-related tools.

Attack Chain

The attacker creates a seemingly legitimate software repository on GitHub.
The repository contains a project with files that may appear benign or related to AI workflows.
A malicious script or binary, named GhostLoader, is included within the repository or downloaded as a dependency.
A user downloads or clones the repository, potentially enticed by AI-assisted development features or other seemingly useful functionality.
The user executes the GhostLoader script or binary on their macOS system.
GhostLoader executes, initiating the credential-stealing process.
Stolen credentials are collected and potentially exfiltrated to a remote server controlled by the attacker.
The attacker uses the stolen credentials to gain unauthorized access to user accounts or sensitive systems.

Impact

The GhostLoader malware directly targets macOS systems and focuses on credential theft. Successful attacks can lead to unauthorized access to sensitive user accounts, intellectual property, and confidential data. The number of victims and specific sectors targeted remain unclear, but the use of GitHub and AI workflows suggests a focus on developers or users involved in AI-related activities. The compromise of credentials can have severe consequences, including financial loss, data breaches, and reputational damage.

Recommendation

Monitor process creation events on macOS for execution of unusual or unsigned binaries in user directories, potentially indicative of GhostLoader execution (see process creation rule).
Implement network monitoring to detect connections to known malicious infrastructure or unusual data exfiltration patterns after the execution of scripts from cloned GitHub repositories.
Educate developers and users about the risks of downloading and executing code from untrusted sources, particularly those related to AI-assisted workflows.
Enable and review macOS system logs for suspicious activity related to credential access and keychain modifications.

Speagle Malware Hijacks Cobra DocGuard for Data Exfiltration

hello@craftedsignal.io — Sat, 21 Mar 2026 00:38:59 +0000

A new malware strain dubbed “Speagle” has been discovered leveraging the legitimate Cobra DocGuard software to exfiltrate sensitive data. This malware infects systems and then uses compromised Cobra DocGuard servers as a C2 to receive stolen data. By masquerading as legitimate DocGuard client-server communication, Speagle seeks to evade detection. First reported in March 2026, the malware represents a sophisticated approach to data theft. The threat actors are exploiting trust in a legitimate software product to conceal their activities, making detection more challenging for defenders. The targeting scope is currently unknown, but any organization utilizing Cobra DocGuard should be considered potentially at risk.

Attack Chain

Speagle infects a target machine through an unknown initial access vector.
The malware identifies and hooks into the Cobra DocGuard application.
Speagle harvests sensitive information from the compromised system, focusing on documents and other valuable data.
The gathered data is prepared for exfiltration, likely compressed and encrypted.
Speagle establishes a connection to a compromised Cobra DocGuard server.
The stolen data is transmitted to the compromised server, disguised as legitimate DocGuard client-server traffic.
The attackers retrieve the exfiltrated data from the compromised Cobra DocGuard server.

Impact

Successful Speagle infections can lead to significant data breaches, resulting in the loss of sensitive documents, intellectual property, and confidential information. The number of affected organizations is currently unknown, but any company using Cobra DocGuard is potentially at risk. The impact of a successful attack can range from financial losses and reputational damage to legal and regulatory penalties, depending on the type of data compromised.

Recommendation

Monitor network traffic for unusual communication patterns associated with Cobra DocGuard, even if it appears legitimate (see rules below).
Implement strict access controls and monitoring on Cobra DocGuard servers to detect unauthorized access or data manipulation.
Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
Investigate any Cobra DocGuard client machines exhibiting suspicious behavior, such as unusual file access or network activity.

SnappyClient Malware Delivered via HijackLoader

hello@craftedsignal.io — Fri, 20 Mar 2026 05:19:06 +0000

SnappyClient is a sophisticated malware delivered via HijackLoader, a known malware distribution platform. The malware exhibits a wide array of capabilities, indicative of its intent to compromise systems and exfiltrate sensitive data. These capabilities include screenshot capture, keylogging, establishing a remote terminal for interactive command execution, and targeted data theft from web browsers, browser extensions, and other applications. The combination of these functions points towards a threat actor focused on credential harvesting, data collection, and maintaining persistent access through remote command and control. Defenders should prioritize detection and prevention measures to mitigate the risk of SnappyClient infections. The initial report of this activity was published in March 2026.

Attack Chain

Initial Access: HijackLoader infects the system (delivery mechanism unspecified).
Persistence: HijackLoader establishes persistence to ensure SnappyClient is executed upon system reboot.
Malware Deployment: HijackLoader deploys and executes the SnappyClient malware.
Screenshot Capture: SnappyClient begins capturing screenshots of the user’s desktop activity using built-in OS functions.
Keylogging: SnappyClient logs keystrokes to capture sensitive information such as usernames, passwords, and financial details.
Browser Data Theft: SnappyClient targets web browsers and their extensions to steal cookies, saved credentials, and browsing history.
Remote Terminal: SnappyClient establishes a remote terminal, granting the attacker interactive command execution capabilities.
Data Exfiltration: Stolen data is exfiltrated to a command and control server controlled by the attacker.

Impact

Successful SnappyClient infections can result in significant data breaches, including the compromise of sensitive credentials, financial information, and personal data. The remote terminal functionality allows attackers to perform arbitrary actions on compromised systems, potentially leading to further damage or lateral movement within the network. While the number of victims and specific sectors targeted are unknown, the malware’s capabilities make it a high-risk threat to organizations of all sizes.

Recommendation

Enable Sysmon process-creation logging to enhance visibility into HijackLoader and SnappyClient execution (logsource: process_creation).
Implement network monitoring to detect and block connections to known HijackLoader command and control infrastructure.
Deploy the Sigma rules in this brief to your SIEM to detect SnappyClient activity and tune for your environment.
Monitor registry modifications for persistence mechanisms used by HijackLoader to launch SnappyClient (logsource: registry_set).

StoatWaffle Malware Used by WaterPlum Actor

hello@craftedsignal.io — Thu, 19 Mar 2026 05:35:27 +0000

The threat brief addresses the StoatWaffle malware associated with the threat actor WaterPlum. Specific details regarding the malware’s capabilities, deployment methods, and targeted sectors are currently limited based on the available source material. Further analysis is required to determine the exact scope and impact of StoatWaffle and WaterPlum’s operations. Defenders should prioritize gathering additional intelligence on this threat to implement appropriate detection and mitigation strategies. Understanding the malware’s functionality is crucial for effective defense.

Attack Chain

Initial Access: The initial access vector is currently unknown. Further investigation is needed to determine how WaterPlum deploys StoatWaffle.
Execution: StoatWaffle executes on the compromised system, but the specific method is unknown.
Persistence: The method StoatWaffle uses to maintain persistence is not described in the available information.
Privilege Escalation: Any privilege escalation techniques are presently unknown.
Defense Evasion: Any defense evasion techniques are unknown.
Credential Access: Credential access methods used by StoatWaffle are unknown.
Discovery: The information gathering activities of StoatWaffle post-compromise are unknown.
Command and Control: Command and control channels used by StoatWaffle are unknown.

Impact

The precise impact of StoatWaffle malware is currently undetermined. Without more information, it is difficult to determine the number of potential victims, sectors targeted, or potential damage resulting from successful exploitation. The consequences of a successful attack remain unclear, pending further analysis of the malware and the threat actor’s objectives.

Recommendation

Conduct further research on StoatWaffle malware and the WaterPlum threat actor to gather more specific intelligence about their tactics, techniques, and procedures.
Monitor threat intelligence feeds for updated information on StoatWaffle IOCs or detection signatures.
Implement generic malware detection rules that identify suspicious process behavior, network traffic, or file modifications.

GlassWorm Campaign Deploying Wave 3 Windows Payload

hello@craftedsignal.io — Mon, 16 Mar 2026 15:00:22 +0000

The GlassWorm campaign has been identified deploying a Wave 3 Windows payload. This indicates a continuation of the threat actor’s operations, with an updated payload targeting Windows systems. The specifics of the delivery mechanism and the exact functionality of the Wave 3 payload are currently unknown. Defenders should be aware of the ongoing GlassWorm activity and implement detections for suspicious Windows executables. Further analysis is required to fully understand the capabilities of the Wave 3 payload and the scope of the campaign.

Attack Chain

Initial Access: The initial access vector is unknown.
Payload Delivery: A Wave 3 Windows payload is delivered to the system.
Execution: The Windows payload is executed.
Persistence: The payload establishes persistence on the system.
Command and Control: The payload connects to a command and control server for instructions.
Data Collection: The payload gathers sensitive data from the system.
Exfiltration: The collected data is exfiltrated to the attacker.

Impact

The successful deployment of the GlassWorm Wave 3 payload could lead to data theft, system compromise, and potential financial loss. The impact depends on the specific objectives of the threat actor and the sensitivity of the data compromised. The lack of specific information about victimology makes determining the overall scope impossible.

Recommendation

Monitor process creation events for unknown or unsigned executables, especially those with network connections (reference: process_creation and network_connection log sources).
Investigate any alerts related to the execution of potentially malicious Windows executables.
Deploy the Sigma rules in this brief to your SIEM and tune for your environment.

Malware Spreading Through Fake 'Claude Code' Google Ads

hello@craftedsignal.io — Sun, 15 Mar 2026 15:31:12 +0000

A malware campaign is underway, leveraging deceptive advertisements on Google that masquerade as legitimate ‘Claude Code’ software. The attackers are using these ads to direct unsuspecting users to malicious websites hosting malware payloads for both Windows and macOS systems. While specific details on the malware are limited, the campaign’s reliance on search engine advertisement poisoning indicates a broad targeting strategy aimed at users actively seeking ‘Claude Code’ related software or tools. This campaign highlights the increasing sophistication of threat actors in using search engine optimization (SEO) poisoning techniques to distribute malware. Defenders should be aware of the potential for users to be directed to malicious sites through search results.

Attack Chain

The attacker creates malicious advertisements on Google that mimic legitimate ‘Claude Code’ software or related tools.
Users searching for ‘Claude Code’ or related terms encounter the malicious advertisements in their search results.
Unsuspecting users click on the malicious advertisement, believing it to be a legitimate source for ‘Claude Code’.
The advertisement redirects the user to a malicious website controlled by the attacker.
The malicious website hosts malware payloads tailored for both Windows and macOS operating systems.
Upon visiting the site, the user is tricked into downloading and executing the malware, potentially through social engineering or drive-by download techniques.
The malware executes on the victim’s system, establishing persistence and potentially disabling security controls.
The malware performs its intended malicious activities, such as data theft, credential harvesting, or further malware deployment.

Impact

The impact of this campaign could be widespread, affecting both individual users and organizations who rely on ‘Claude Code’. Successful infection can lead to data theft, financial loss, and reputational damage. Given the use of Google Ads, the number of potential victims is substantial. The cross-platform nature of the attack further amplifies the risk, as it targets a broader range of users regardless of their operating system.

Recommendation

Implement browser security extensions and ad blockers to reduce the likelihood of users clicking on malicious advertisements.
Educate users about the risks of clicking on advertisements in search results and encourage them to verify the legitimacy of websites before downloading software.
Monitor network traffic for connections to newly registered domains or known malicious IP addresses associated with malware distribution.
Deploy endpoint detection and response (EDR) solutions to detect and prevent malware execution on both Windows and macOS systems.
Enable and review web proxy logs for user visits to suspicious domains.
Configure intrusion detection systems (IDS) to identify and block malicious traffic originating from advertisement networks.

Glassworm Malware Hidden in Unicode Characters Affecting GitHub Repositories

hello@craftedsignal.io — Sun, 15 Mar 2026 15:30:24 +0000

The Glassworm malware is a newly discovered threat that leverages the presence of invisible Unicode characters within source code to inject malicious payloads into software projects. Discovered in early 2026, this malware has already compromised over 150 repositories on GitHub. The attack focuses on injecting these invisible characters into popular repositories, particularly those related to JavaScript and Node.js development, potentially impacting a wide range of applications and services. The delivery mechanism involves contributors with malicious intent adding these characters or compromised accounts injecting them. This sophisticated approach allows the malware to remain undetected during code reviews and traditional security scans, making it a significant threat to the software supply chain.

Attack Chain

A malicious actor gains commit access to a target GitHub repository through either direct contribution or compromised credentials.
The actor injects invisible Unicode characters into source code files, such as JavaScript or package.json files.
These Unicode characters are strategically placed within the code to be innocuous visually but alter the program’s execution when interpreted.
The altered code, containing the Unicode characters, is committed to the repository, potentially passing initial code review checks due to the characters’ invisibility.
When a developer clones or downloads the compromised repository, the Unicode characters are included in their local copy of the code.
During the build process (e.g., npm install), the malicious code embedded within the Unicode characters is executed.
This execution leads to the download and execution of a secondary payload from a remote server, potentially installing malware, backdoors, or exfiltrating sensitive data.
The final objective is to compromise the developer’s system or to inject malicious code into applications built using the compromised repository, thus propagating the malware further.

Impact

The successful deployment of Glassworm can lead to widespread supply chain compromise, potentially affecting thousands of developers and end-users. Over 150 GitHub repositories have already been identified as infected, and the actual number could be much higher. Successful exploitation leads to arbitrary code execution on developer machines and within deployed applications. The compromised code can steal credentials, inject backdoors, and exfiltrate sensitive data, leading to significant financial and reputational damage. The lack of visibility makes remediation challenging.

Recommendation

Implement static analysis tools capable of detecting invisible Unicode characters in source code repositories (reference: Overview).
Deploy the Sigma rules provided below to identify suspicious process executions originating from build processes that may indicate Glassworm activity.
Educate developers about the risks associated with invisible Unicode characters and the importance of careful code review (reference: Attack Chain).
Implement multi-factor authentication on all developer accounts to prevent account compromise (reference: Attack Chain).
Monitor network traffic for connections to suspicious or unknown domains originating from build processes (reference: Attack Chain).
Utilize file integrity monitoring (FIM) to track changes to critical files within repositories and development environments (reference: Attack Chain).

GlassWorm V2 Infrastructure Rotation and GitHub Injection Analysis

hello@craftedsignal.io — Sun, 15 Mar 2026 13:51:21 +0000

This threat brief summarizes an analysis of GlassWorm V2, focusing on its infrastructure rotation and GitHub injection techniques. While specific details regarding the threat actor and initial attack vectors are not provided in this analysis, the report highlights the malware’s ability to dynamically change its command and control (C2) infrastructure and potentially leverage GitHub for code injection or storage. Understanding these techniques is crucial for defenders to develop robust detection and mitigation strategies against this evolving threat. The full analysis is available on Codeberg.

Attack Chain

Initial Access: Specific initial access vector is unknown.
GitHub Injection: The malware leverages GitHub to host malicious code or configurations, potentially obfuscating its activities within legitimate traffic.
Infrastructure Rotation: GlassWorm V2 employs techniques to rotate its C2 infrastructure, making it more difficult to track and block.
Communication: The malware establishes communication with its C2 server using the dynamically updated infrastructure.
Command Execution: The C2 server issues commands to the infected host.
Persistence: Unknown persistence mechanism is used.
Data Exfiltration/Lateral Movement/Impact: The ultimate goal is currently unknown.

Impact

The impact of a successful GlassWorm V2 infection could range from data theft and system compromise to disruption of services, depending on the specific objectives of the attacker. The use of infrastructure rotation makes it harder to block attacker infrastructure. The GitHub injection may also lead to supply chain concerns.

Recommendation

Monitor network traffic for connections to unusual or newly registered domains, even if they initially appear benign.
Implement file integrity monitoring on systems to detect unauthorized modifications to critical system files.
Consider using tools that specifically analyze and detect malicious use of GitHub repositories.

Maltrail IOCs Report: Tracking Multiple Threat Actors

hello@craftedsignal.io — Fri, 27 Feb 2026 23:00:14 +0000

This threat brief is based on an IOC feed from Maltrail, dated February 27, 2026, which aggregates indicators related to various threat actors and malware campaigns. The tracked actors include APT_UNC2465, Lazarus Group, Gorat, APT_Bitter, Android_Joker, PowerShell Injector, SmokeLoader, and FakeApp. The IOCs primarily consist of domains and IP addresses associated with these groups’ network infrastructure and malware distribution. These campaigns are likely targeting a wide range of victims across multiple sectors, employing diverse techniques to achieve their objectives, including initial access, command and control, and potentially data exfiltration or deployment of malicious payloads. The data suggests ongoing malicious activity necessitating proactive monitoring and detection efforts.

Attack Chain

Initial Compromise: An unsuspecting user visits a compromised website or interacts with a malicious advertisement, potentially leading to the download of a malware loader such as those associated with SmokeLoader or FakeApp.
Malware Installation: The initial loader executes on the victim’s system, establishing persistence and preparing the environment for further malicious activities. This may involve creating scheduled tasks or modifying registry keys for auto-start.
Command and Control (C2) Communication: The malware establishes communication with a command-and-control server, using domains such as dax.estate (SmokeLoader) or resistantmusic.shop (PowerShell Injector) to receive instructions and transmit data.
PowerShell Injection: The PowerShell Injector, utilizes multiple techniques to inject malicious code into running processes, allowing it to evade detection and maintain persistence within the system. Domains such as apostile.zapto.org and googletranslate.zapto.org may resolve to infrastructure involved in command and control of compromised hosts.
Lateral Movement: The attackers leverage compromised systems to move laterally within the network, potentially using stolen credentials or exploiting vulnerabilities to gain access to additional systems.
Data Exfiltration: Sensitive data is collected from compromised systems and exfiltrated to attacker-controlled servers, potentially using domains such as ashersoftlib.com (APT_Bitter) for staging or exfiltration.
Android Exploitation: In the case of Android_Joker, malicious applications distributed through unofficial channels or app stores communicate with petitle.cloud for command and control, potentially leading to data theft or installation of further malware.
Final Objective: The final objective of the attack may vary depending on the actor and the target, ranging from data theft and espionage (APT_UNC2465, Lazarus Group, APT_Bitter) to financial gain (Android_Joker) or widespread malware distribution (SmokeLoader, FakeApp, PowerShell Injector).

Impact

Compromised systems can be used for a variety of malicious purposes, including data theft, financial fraud, and further propagation of malware. Victims may experience data breaches, financial losses, and reputational damage. The wide range of threat actors involved suggests that various sectors and organizations are at risk. If successful, these attacks can lead to significant financial losses and disruption of business operations.

Recommendation

Block the identified malicious domains and IP addresses at the network perimeter to prevent communication with command-and-control servers (IOC table).
Implement a web proxy filter to block access to URLs associated with malware downloads and phishing campaigns (IOC table).
Monitor network traffic for connections to known malicious domains and IP addresses associated with APT_Bitter, PowerShell Injector, SmokeLoader, and FakeApp (IOC table).
Deploy the Sigma rule to detect network connections to domains associated with PowerShell Injector infrastructure. Tune the rule for your environment (Sigma Rule).
Deploy the Sigma rule to detect network connections to infrastructure associated with FakeApp campaigns, adjusting the rule as needed for your environment (Sigma Rule).
Investigate and remediate any systems that exhibit suspicious network activity or have been identified as compromised based on the IOCs provided (IOC table).

Suspicious PowerShell Script Using Cryptography Namespace

hello@craftedsignal.io — Wed, 03 Jan 2024 18:00:00 +0000

This threat brief focuses on detecting suspicious PowerShell activity involving the System.Security.Cryptography namespace, excluding common hashing algorithms like SHA and MD5. The detection leverages Windows PowerShell Script Block Logging (EventCode 4104) to identify scripts using cryptographic functions. This is significant because malware often uses cryptography to decrypt or decode additional malicious payloads, which can lead to further code execution, privilege escalation, or persistence within the compromised environment. The technique is commonly used by malware families like AsyncRAT, XWorm, and VIP Keylogger. Defenders should investigate the parent process of such scripts, the decrypted data, network connections established by the script, and the user context in which the script is executed.

Attack Chain

An attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.
The attacker executes a PowerShell script on the compromised system.
The PowerShell script utilizes the System.Security.Cryptography namespace to perform cryptographic operations.
The script decrypts or decodes a malicious payload (e.g., a second-stage executable or configuration file).
The decrypted payload is written to disk or loaded directly into memory.
The attacker executes the decrypted payload, potentially establishing persistence via registry keys or scheduled tasks.
The malware leverages the established persistence mechanism for long-term access.
The attacker performs malicious actions such as data exfiltration, lateral movement, or remote command execution.

Impact

Successful exploitation allows attackers to bypass security measures by hiding malicious code within encrypted payloads. This can lead to data theft, system compromise, and further propagation within the network. Malware families like AsyncRAT, XWorm, and VIP Keylogger use this technique to maintain persistence and perform malicious activities undetected. The impact can range from individual workstation compromise to large-scale data breaches depending on the attacker’s objectives and the compromised system’s role within the organization.

Recommendation

Enable PowerShell Script Block Logging on all endpoints to generate the necessary logs (EventCode 4104) for detection.
Deploy the Sigma rule Detect Suspicious PowerShell Cryptography Namespace Usage to your SIEM to detect the described activity.
Investigate any alerts generated by the Sigma rule by examining the parent process, decrypted data, network connections, and the user executing the script.
Review and tune the Sigma rule Detect Suspicious PowerShell Cryptography Namespace Usage based on your environment’s specific needs and known-good PowerShell usage to reduce false positives.
Implement application control policies to restrict the execution of unsigned or untrusted PowerShell scripts.

Non-Firefox Process Accessing Firefox Profile Directory

hello@craftedsignal.io — Wed, 03 Jan 2024 15:22:32 +0000

This detection focuses on identifying unauthorized access to Firefox profile directories. The Firefox profile directory stores sensitive user data, including login credentials, browsing history, and cookies. When a non-Firefox process accesses this directory, it could be an indicator of malicious activity, such as a Remote Access Trojan (RAT) or other malware attempting to steal user information. The analytic leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This is relevant because successful credential theft can lead to account compromise, data breaches, and further propagation of malware within the network. The threat encompasses a broad range of malware families, including stealers (Azorult, RedLine Stealer, 0bj3ctivity Stealer), RATs (Remcos, Quasar RAT, Warzone RAT), keyloggers (Snake Keylogger, VIP Keylogger), and other malware like DarkGate, NjRAT, AgentTesla, and Lokibot. The activity has been observed in campaigns such as CISA AA23-347A and the 3CX Supply Chain Attack.

Attack Chain

The user executes a malicious file, potentially delivered via phishing or drive-by download (not covered in source).
The malicious file executes and establishes persistence on the system.
The malware attempts to access the Firefox profile directory, located at *\AppData\Roaming\Mozilla\Firefox\Profiles*.
Windows Security Event 4663 is generated, logging the access attempt to the Firefox profile directory.
The malware reads sensitive data, such as login credentials, cookies, and browsing history, from the profile directory.
The stolen data is exfiltrated to a command-and-control (C2) server.
The attacker uses the stolen credentials to gain unauthorized access to user accounts and sensitive systems.

Impact

Successful exploitation and credential theft can lead to a wide range of negative outcomes, including unauthorized access to sensitive data, financial fraud, and further compromise of systems within the organization. The impact can range from individual user account compromise to large-scale data breaches affecting thousands of users. Industries heavily reliant on web-based applications and sensitive user data, such as finance, healthcare, and e-commerce, are particularly vulnerable. The consequences include financial losses, reputational damage, and legal liabilities.

Recommendation

Enable “Audit Object Access” in Group Policy and configure it to log both success and failure events for object access to activate the underlying log source required for this detection.
Deploy the provided Sigma rule to your SIEM to detect non-Firefox processes accessing Firefox profile directories.
Investigate any alerts generated by the Sigma rule, paying close attention to the ProcessName and ObjectName to identify potentially malicious processes and the specific profile data being accessed.
Review and update your organization’s security policies to restrict unauthorized access to sensitive user data.

Windows Time-Based Evasion via Choice Exec

hello@craftedsignal.io — Wed, 03 Jan 2024 15:00:00 +0000

This brief focuses on the detection of choice.exe being used within batch files as a time-delay tactic, a technique notably employed by the SnakeKeylogger malware. The analysis leverages data from Endpoint Detection and Response (EDR) agents, scrutinizing process names and command-line executions. This behavior is significant because it suggests the implementation of time-based evasion techniques designed to circumvent detection mechanisms. Successful evasion could enable attackers to execute malicious code covertly, remove incriminating files, and establish persistent access on compromised systems. The use of choice.exe for such purposes warrants immediate investigation by security operations center (SOC) analysts due to the potential for significant system compromise and data exfiltration.

Attack Chain

The attacker gains initial access via an unknown vector.
A batch script is executed on the target system.
The batch script uses choice.exe with the /T and /N parameters to introduce a time delay. The /T parameter specifies a timeout period, and the /N parameter suppresses the display of choices.
This delay allows the malware to evade time-sensitive detection mechanisms.
After the delay, the script executes further commands, potentially downloading and executing a payload.
The payload executes, installing a keylogger such as SnakeKeylogger or 0bj3ctivity Stealer.
The keylogger captures sensitive information such as keystrokes and clipboard data.
The stolen data is exfiltrated to a remote server.

Impact

Compromised systems can lead to data theft, intellectual property loss, and financial fraud. SnakeKeylogger and similar malware have been used to steal credentials and sensitive information from various targets. Successful exploitation could result in significant financial losses, reputational damage, and legal liabilities. The number of victims and the extent of the damage depend on the attacker’s objectives and the compromised systems’ value.

Recommendation

Deploy the Sigma rule Detect Choice.exe Time Delay to your SIEM to detect the use of choice.exe with time-delay parameters (log source: process_creation).
Enable Sysmon process creation logging (Event ID 1) to capture the necessary process execution data for the Sigma rule.
Investigate any instances of choice.exe being used with the /T and /N parameters to determine if it is part of a malicious script.
Block the execution of unsigned or untrusted batch scripts to prevent the initial execution of the malicious code.
Monitor endpoint activity for suspicious processes and network connections originating from systems where choice.exe has been detected.

Suspicious Child Processes Spawned by WScript or CScript

hello@craftedsignal.io — Wed, 03 Jan 2024 15:00:00 +0000

This detection identifies suspicious child processes spawned by Windows Script Host (WScript) or CScript. Adversaries commonly leverage WScript and CScript to execute malicious scripts, LOLBINs (Living Off The Land Binaries), and PowerShell, or inject code into suspended processes as a form of defense evasion. While some legitimate scripts may utilize tools detected by this analytic, it serves as a valuable indicator that a script may be executing suspicious code. Notably, the WhisperGate malware and campaigns by FIN7 have employed similar techniques. This activity has been observed since at least 2022, and continues to be relevant for defenders.

Attack Chain

A user (unknowingly or through social engineering) executes a malicious script.
The malicious script is interpreted by either wscript.exe or cscript.exe.
The script executes a LOLBIN such as regsvr32.exe, rundll32.exe, winhlp32.exe, certutil.exe, msbuild.exe, cmd.exe, powershell.exe, pwsh.exe, wmic.exe, or mshta.exe.
The LOLBIN executes further commands or downloads additional payloads. Certutil.exe may be used to decode and install malicious binaries.
The attacker gains control over the compromised system.
The attacker uses the compromised system as a pivot for lateral movement.
The attacker attempts to escalate privileges and establish persistence.
The attacker may exfiltrate data or deploy ransomware.

Impact

Successful exploitation can lead to complete system compromise, data theft, and potential ransomware deployment. Organizations across various sectors are vulnerable, as this technique is commonly used by both commodity malware and advanced persistent threat (APT) groups. The WhisperGate malware targeting Ukrainian organizations in 2022 demonstrated the destructive potential of this technique.

Recommendation

Enable Sysmon process creation logging (Event ID 1) and Windows Event Log Security Auditing (4688) to capture process execution events necessary for the provided rules.
Deploy the Sigma rule Suspicious Child Processes Spawned by WScript or CScript to your SIEM to detect suspicious child processes. Tune the rule based on your environment’s baseline activity, filtering out any legitimate use cases.
Investigate any alerts generated by this rule, focusing on the parent and child processes involved and the commands executed.
Monitor endpoint logs for unusual or unexpected process executions originating from WScript or CScript.
Block execution of the LOLBINs (regsvr32.exe, rundll32.exe, winhlp32.exe, certutil.exe, msbuild.exe, cmd.exe, powershell.exe, pwsh.exe, wmic.exe, or mshta.exe) if they are not required in your environment.

Suspicious Script Interpreter Execution from Environment Variable Folders

hello@craftedsignal.io — Wed, 03 Jan 2024 14:30:00 +0000

Attackers may attempt to execute malicious scripts from suspicious directories or folders accessible by environment variables. This technique leverages script interpreters such as cscript.exe, wscript.exe, mshta.exe, and powershell.exe to run scripts from locations like the Temp directory, the Public user folder, or other user profile directories. The use of these locations can help attackers evade detection, as security tools may not thoroughly inspect files executed from these typically benign locations. This activity has been associated with threat actors such as Shuckworm, known to target Ukraine military.

Attack Chain

The attacker gains initial access, potentially through phishing or exploiting a software vulnerability.
A malicious script is dropped into a suspicious folder such as C:\Users\Public\, %TEMP%, or C:\Users\\AppData\Local\Temp.
The attacker uses cscript.exe, wscript.exe, or mshta.exe to execute the dropped script. The command line may contain flags to bypass execution policies (e.g., -ExecutionPolicy bypass) or hide the window (e.g., -w hidden).
Alternatively, PowerShell may be invoked with the -ep bypass or -ExecutionPolicy Bypass flags, along with a command to execute the script located in the temporary folder.
The script executes, performing malicious actions such as downloading additional payloads, establishing persistence, or exfiltrating data.
The script may leverage built-in Windows utilities for further malicious activities.
The attacker achieves their objective, such as data theft or system compromise.

Impact

Successful exploitation can lead to a range of damaging outcomes, including system compromise, data theft, and further propagation of malware within the network. Organizations may experience data breaches, financial losses, and reputational damage. The compromise of systems can also disrupt business operations and require extensive recovery efforts.

Recommendation

Deploy the Sigma rule Script Interpreter Execution From Suspicious Folder to your SIEM to detect suspicious script executions.
Monitor process creation events with a focus on script interpreters (cscript.exe, wscript.exe, mshta.exe, powershell.exe) executing from suspicious directories, using the logsource and detection sections of the Sigma rule as a guide.
Tune the filters in the Sigma rule based on your environment to reduce false positives, as described in the falsepositives section.
Review and block any observed malicious command lines containing flags like -ep bypass, -ExecutionPolicy bypass, or -w hidden, as detailed in the selection_proc_flags section of the Sigma rule.

Braodo Stealer Screen Capture in TEMP Directory

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

The Braodo stealer malware is known for capturing screenshots of a victim’s desktop as part of its data theft activities. This malware, often distributed through malicious campaigns, targets sensitive information by creating image files of the user’s active screen. These screenshots are typically saved in directories that are easily accessible and commonly used by malware, such as temporary folders. This technique allows attackers to gather credentials, financial information, or other confidential data displayed on the screen. The stealer has been observed in campaigns originating from Vietnam, targeting users in the United States with malware, fraud, and dropshipping schemes. Detecting and responding to these types of screen capture attempts is crucial for preventing sensitive data from being compromised and exfiltrated.

Attack Chain

The user unknowingly downloads and executes a malicious file, potentially delivered through a phishing email or drive-by download.
The Braodo stealer malware is executed on the victim’s system.
The malware begins capturing screenshots of the victim’s desktop using Windows APIs.
The screenshots are saved as .png, .jpg, or .bmp files.
The files are saved in the user’s TEMP directory (e.g., C:\Users\\AppData\Local\Temp\).
The malware may compress or encrypt the captured screenshots.
The malware exfiltrates the captured data to a command-and-control server.
The attacker gains access to sensitive information displayed on the victim’s screen, such as credentials or financial data, and uses it for malicious purposes.

Impact

Successful exploitation can lead to the theft of sensitive information, including credentials, financial data, and personally identifiable information (PII). This can result in financial loss, identity theft, and reputational damage for the victim. The Braodo stealer has been observed targeting users in the United States, indicating a broad scope of potential victims. The malware’s ability to capture screenshots allows attackers to bypass multi-factor authentication and other security measures that rely on information displayed on the screen.

Recommendation

Enable Sysmon Event ID 11 (FileCreate) logging to monitor file creation events on endpoints (required for the Sigma rules below).
Deploy the provided Sigma rule Detect Screen Capture Files Created in TEMP Directory to identify potential screen capture activity in temporary directories.
Investigate any alerts generated by the Sigma rule, focusing on processes creating image files in the TEMP directory.
Review and update endpoint security policies to prevent the execution of malware from temporary directories.
Monitor network traffic for suspicious outbound connections from processes creating screen capture files (T1071).

Masquerading Business Application Installers

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

Attackers often attempt to trick users into downloading and executing malicious executables by disguising them as legitimate business applications. This tactic is used to bypass security measures and gain initial access to a system. These malicious executables, often distributed via malicious ads, forum posts, and tutorials, mimic the names of commonly used applications such as Slack, WebEx, Teams, Discord, and Zoom. The executables are typically unsigned or signed with invalid certificates to further evade detection. This allows the attacker to execute arbitrary code on the victim’s machine, potentially leading to further compromise. This campaign aims to target end-users who are less security-aware, and this makes social engineering attacks like this very effective.

Attack Chain

The user visits a compromised website or clicks on a malicious advertisement.
The user is prompted to download an installer file masquerading as a legitimate business application (e.g., Slack, Zoom, Teams) from a download directory.
The downloaded executable is placed in the user’s Downloads folder (e.g., C:\Users*\Downloads*).
The user executes the downloaded file.
The executable, lacking a valid code signature, begins execution.
The malicious installer may drop and execute additional malware components.
The malware establishes persistence, potentially using techniques such as registry key modification.
The malware performs malicious activities, such as data exfiltration or lateral movement.

Impact

Successful execution of a masqueraded business application installer can lead to a complete system compromise. The attacker gains initial access and can deploy various malware payloads, including ransomware, keyloggers, and data stealers. This can result in data breaches, financial loss, and reputational damage. Although the specific number of victims and sectors targeted are not detailed, the widespread use of the applications being spoofed (Slack, Zoom, etc.) suggests a broad potential impact.

Recommendation

Implement the Sigma rule Potential Masquerading as Business App Installer to detect unsigned executables resembling legitimate business applications in download directories.
Enable process creation logging to capture the execution of unsigned executables.
Educate users on the risks of downloading and executing files from untrusted sources.
Implement application whitelisting to restrict the execution of unauthorized applications.
Regularly update endpoint detection and response (EDR) tools to detect and prevent the execution of known malware.
Monitor process execution events for processes originating from the Downloads folder that lack valid code signatures.

Suspicious MS Outlook Child Process

hello@craftedsignal.io — Tue, 02 Jan 2024 10:00:00 +0000

This detection identifies suspicious child processes of Microsoft Outlook, often associated with spear phishing activity and the execution of malicious attachments. Attackers may leverage malicious documents delivered via email to execute arbitrary code on a victim’s machine. The rule focuses on identifying processes such as cmd.exe, powershell.exe, and other system binaries being spawned by Outlook, suggesting the potential execution of malicious attachments or exploitation for initial access. This activity is designed to bypass traditional security measures and gain an initial foothold within the targeted environment. The rule is designed for data generated by Elastic Defend, but also supports third-party data sources like CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs.

Attack Chain

A user receives a spear phishing email with a malicious attachment (e.g., a Microsoft Office document or PDF).
The user opens the attachment, unknowingly triggering embedded malicious code (e.g., macros or exploits).
The malicious code executes within the context of Microsoft Outlook (outlook.exe).
The malicious code spawns a suspicious child process, such as cmd.exe, powershell.exe, mshta.exe, or wscript.exe.
The spawned process executes commands to download and execute further malicious payloads from external sources.
The downloaded payload establishes persistence on the compromised system.
The attacker gains initial access and begins reconnaissance activities.
The attacker moves laterally within the network, escalating privileges and compromising additional systems.

Impact

A successful attack can lead to initial access, allowing attackers to gain a foothold within the network, escalate privileges, and potentially exfiltrate sensitive data, deploy ransomware, or conduct other malicious activities. While specific victim counts and sectors are unavailable, similar attacks have targeted a wide range of industries.

Recommendation

Deploy the Sigma rule “Suspicious MS Outlook Child Process Spawning Command Interpreter” to your SIEM to detect potential initial access attempts (see rule below).
Enable Sysmon process creation logging (Event ID 1) to provide the necessary data for the Sigma rules.
Block the execution of commonly abused system binaries (e.g., cmd.exe, powershell.exe, wscript.exe) as child processes of Outlook using application control policies where possible.
Implement and enforce strict macro policies in Microsoft Office applications to prevent the execution of malicious code within documents.
Regularly review and update email security policies to prevent spear phishing emails from reaching users.