Threat Research

CHAMELEON_NET is a targeted malspam campaign delivering the DarkTortilla .NET loader to distribute FormBook. Infection starts with a phishing email and a .bz2 archive that drops an obfuscated JavaScript file. The JS launches a VB.NET loader that decrypts an embedded DLL via an index-based XOR and reflectively loads it in memory....

PhantomVAI Loader is a stealthy, multi-stage loader propagated via phishing that uses obfuscated scripts and steganography to hide payloads. Originally called Katz Stealer Loader for delivering Katz Stealer, it has evolved to deliver multiple infostealers (including Katz, AsyncRAT, XWorm, FormBook and DCRat) and is offered as malware-as-a-service....

QuirkyLoader is a newly observed malware loader, active since November 2024, used to deliver various infostealers and remote access trojans (RATs) such as Agent Tesla, AsyncRAT, FormBook, Remcos, and others. The infection begins with phishing emails containing malicious archives. These archives include a legitimate executable, an encrypted payload, and a malicious DLL....

Our team recently identified a high-severity phishing campaign targeting users of outdated Microsoft Office applications through malicious email attachments. The emails contain an Excel file that exploits the CVE-2017-0199 vulnerability in the OLE (Object Linking and Embedding) feature of older Office versions....

We detailed the campaign's launch through a phishing email that exploited the CVE-2017-11882 vulnerability to run a 64-bit DLL. This DLL then downloaded and decrypted a FormBook variant concealed in a fake PNG file. Finally, we explained how the DLL used process hollowing to inject the FormBook payload into ImagingDevices.exe and execute it....

We observed a phishing campaign in the wild distributing a malicious Word document attachment crafted to exploit the CVE-2017-11882 vulnerability. Upon deeper analysis, we identified that the campaign was delivering a new variant of FormBook malware....

This article explores obfuscation techniques in popular malware families and highlights opportunities for automating the unpacking process. We analyze observed samples, demonstrating how to extract configuration parameters by unpacking each stage. Automating this process would enable sandboxes performing static analysis to retrieve critical malware configuration data....