Investigation of email-based attack delivering MediaFire ZIP file with execution chain analysis

June 16, 2026, 4:48 p.m.

Description

An investigation revealed a malicious email campaign that directed victims to download a ZIP file from MediaFire. The infection chain began with a Python setup executable (Setu.exe) that side-loaded a malicious 400 MB python37.dll, padded to that size with repeated bytes. The DLL injected into dllhost.exe and established communication with a C2 server at 138.124.186.2:7000. The threat actor deployed three persistence mechanisms: a PowerShell-based one, a fake EdgeUpdate Python executable launched by a scheduled task, and NetSupport RMM as a third means of access. The analysis highlights the value of comparing file timestamps during triage to identify malicious artifacts inside compressed archives.

Date

  • Created: June 16, 2026, 5:29 a.m.
  • Published: June 16, 2026, 5:29 a.m.
  • Modified: June 16, 2026, 4:48 p.m.

Indicators

  • 138.124.186.2
  • 185.76.243.85

Additional Information

  • bsc.blockrazor.xyz
  • xn--fiqq24b9hejs1c.clickvector.tech