Likely Belarus-Nexus Threat Actor Delivers Downloader to Poland

July 14, 2025, 2:13 p.m.

Description

A malicious CHM file targeting Poland was discovered, containing an infection chain that drops and executes a C++ downloader. The CHM file displays a decoy image while executing obfuscated JavaScript to extract and run a DLL. The downloader retrieves a payload from a domain associated with previous Belarus-linked threat activities. The payload is encrypted and appended to an image file. The infection process involves multiple stages, including the use of LOLbins and the creation of a scheduled task for persistence. This campaign shows similarities to activities attributed to threat actors like FrostyNeighbor and UNC1151, known for targeting Eastern European countries.

External References

https://dmpdump.github.io/posts/Belarus-nexus_Threat_Actor_Target_Poland
https://otx.alienvault.com/pulse/6874f04a68b34778c485cb14
Tags
steganography
downloader
2025-07-14
scheduled-task

Date

  • Created: July 14, 2025, 11:55 a.m.
  • Published: July 14, 2025, 11:55 a.m.
  • Modified: July 14, 2025, 2:13 p.m.

Indicators

  • f55e06a87e2a20989ddb76d9f2e3ebb303659ad306ba54e3ed7f8dcc4456d71b
  • d3f0f747e56431c6d7c0259bc2afa2769898810140e8382af55d8297142a8529
  • be5a40b5622d21b46cbc87fd6c3f8ebcb536ec8480491a651c1625ee03ae2c6f
  • 4d09fad2630ec33ab6bb45b85455c6a6ac7b52f8dae9b90736db4a5f00f72ea9
  • 156ad4975e834355b2140d3c8fe62798fe6883364b8af1a1713f8b76c7b33947
  • 1286aa5c73cf2c8058c52271869a5727d71ca5bd4dd0854be970d2a25cb52bf8
  • 0d3dbaa764acb2b87ae075aa2f5f924378991b39587b0c5e67a93b10db39ddd9
  • 0631696f484633f4aeb8f817af2a668806ab4dca70f006dc56fc9cd9dcda4dbe
  • https://rustyquill.top/shw/the-magnus-protoco1.jpg
Download all indicators here!

Attack Patterns

  • net32.dll
  • uNT32.dll
  • FrostyNeighbor

Additional Informations

  • Finance
  • Government
  • Latvia
  • Lithuania
  • Poland
  • Germany
  • Ukraine