Tag: process-hollowing

22 Attack Reports | 0 Vulnerabilities

Attack reports

Malicious VSCode Extension Launches Multi-Stage Attack Chain with Anivia Loader and OctoRAT

A malicious Visual Studio Code extension named 'prettier-vscode-plus' was discovered on the official VSCode Marketplace, impersonating the legitimate Prettier formatter. This extension served as the entry point for a multi-stage malware chain, starting with the Anivia loader, which decrypted and ex…
supply-chain
developers
process-hollowing
extension
multi-stage
vscode
uac-bypass
2025-12-04
remote-access-toolkit
anivia
octorat
Published: December 4, 2025
Downloadable IOCs: 8

Analysis of the Lumma infostealer

The Lumma infostealer is a sophisticated malware distributed as Malware-as-a-Service, targeting Windows systems. It primarily steals sensitive data such as browser credentials, cryptocurrency wallets, and VPN/RDP accounts. Lumma is often used in the initial stages of multi-vector attacks, including…
phishing
windows
infostealer
credential theft
autoit
nsis
lumma
maas
process hollowing
2025-11-27
Published: November 27, 2025
Downloadable IOCs: 7

Suspected APT-C-00 Delivers Havoc Trojan

A recent analysis of a suspicious trojan loader reveals similarities to the APT-C-00 (Ocean Lotus) group, a government-backed hacker organization targeting East Asian companies and government agencies. The sample, a DLL file with excellent evasion capabilities, uses hash algorithms to dynamically o…
apt
persistence
trojan
dll sideloading
process hollowing
east asia
2025-09-22
havoc rat
Published: September 22, 2025
Downloadable IOCs: 0

Unveiling a New Variant of the DarkCloud Campaign

A new DarkCloud campaign was observed in July 2025, targeting Windows users with a sophisticated infection chain. The attack begins with a phishing email containing a RAR archive, which leads to the execution of obfuscated JavaScript and PowerShell code. This code downloads and deploys a fileless .…
powershell
credential-theft
anti-analysis
process-hollowing
fileless
information-stealer
2025-08-08
darkcloud
Published: August 8, 2025
Downloadable IOCs: 2

New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer

Unit 42 researchers have observed changes in the distribution and obfuscation techniques of DarkCloud Stealer. The new infection chain, first seen in April 2025, involves ConfuserEx obfuscation and a final payload written in Visual Basic 6. The attack begins with a phishing email containing an arch…
obfuscation
infostealer
anti-analysis
infection chain
process hollowing
confuserex
darkcloud stealer
2025-08-07
visual basic 6
runpe
2025-08-08
Published: August 8, 2025
Downloadable IOCs: 10

Spear Phishing Campaign Delivers VIP Keylogger via Email Attachment

A sophisticated spear phishing campaign has been identified, distributing the VIP keylogger through email attachments. The malware is delivered via a ZIP file containing a malicious executable disguised as a PDF. Once executed, an AutoIt script drops two encrypted files, which are then decrypted an…
obfuscation
data theft
exfiltration
persistence
autoit
process hollowing
spear phishing
2025-07-30
vip keylogger
Published: July 30, 2025
Downloadable IOCs: 1

Masslogger Fileless Variant – Spreads via .VBE, Hides in Registry

A sophisticated variant of the Masslogger credential stealer malware has been identified spreading through .VBE files. This multi-stage fileless malware heavily relies on Windows Registry to store and execute its malicious payload. The infection begins with a .VBE file, likely distributed via spam …
obfuscation
persistence
windows registry
vbscript
data exfiltration
process hollowing
credential stealer
fileless malware
2025-06-18
masslogger
Published: June 18, 2025
Downloadable IOCs: 1

Threat Analysis: DCRat presence growing in Latin America

Hive0131 is conducting email campaigns targeting users in Colombia with fake electronic notifications of criminal proceedings, purportedly from The Judiciary of Colombia. The campaigns deliver DCRat, a banking trojan operated as Malware-as-a-Service, through embedded links or PDF lures. DCRat's pre…
phishing
dcrat
banking trojan
maas
process hollowing
colombia
2025-06-06
vmdetectloader
Published: June 6, 2025
Downloadable IOCs: 3

Katz Stealer Threat Analysis

Katz Stealer is a sophisticated credential-stealing malware-as-a-service that targets multiple browsers, cryptocurrency wallets, and communication platforms. It employs advanced evasion techniques like geofencing, VM detection, and process hollowing. The infection chain involves obfuscated JavaScri…
cryptocurrency
process-hollowing
credential-stealer
2025-05-26
katz stealer
uac-bypass
browser-targeting
discord-hijacking
evasion-techniques
Published: May 26, 2025
Downloadable IOCs: 34

Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT

A new PowerShell-based shellcode loader has been discovered, designed to execute a variant of Remcos RAT. The attack chain begins with malicious LNK files in ZIP archives, using mshta.exe for initial execution. The loader employs fileless techniques, executing code directly in memory to evade tradi…
powershell
keylogger
process hollowing
remcos rat
evasion techniques
uac bypass
shellcode loader
2025-05-15
tls communication
fileless execution
Published: May 15, 2025
Downloadable IOCs: 5

SnakeKeylogger – A Multistage Info Stealer Malware Campaign

This analysis explores a sophisticated malware campaign utilizing SnakeKeylogger, a credential-stealing threat. The attack begins with malicious spam emails containing disguised attachments. The infection chain involves multiple stages, including encrypted payload delivery, process hollowing, and s…
obfuscation
process-hollowing
snakekeylogger
info-stealer
2025-04-24
Published: April 24, 2025
Downloadable IOCs: 5

Infostealer Malware FormBook Spread via Phishing Campaign – Part I

A phishing campaign delivering a malicious Word document exploiting CVE-2017-11882 was observed spreading a new FormBook variant. The campaign tricks recipients into opening an attached document, which extracts a 64-bit DLL file and exploits the vulnerability to execute it. The DLL acts as a downlo…
phishing
infostealer
formbook
CVE-2017-11882
process hollowing
2025-04-22
fileless malware
microsoft equation editor
Published: April 22, 2025
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 7

New Evasive Campaign Delivers LegionLoader via Fake CAPTCHA & CloudFlare Turnstile

A new malicious campaign has been discovered targeting users searching for PDF documents online. The attack uses fake CAPTCHAs and CloudFlare Turnstile to deliver LegionLoader malware, which then installs a malicious browser extension. The infection chain involves a drive-by download, execution of …
phishing
drive-by download
captcha
process hollowing
legionloader
2025-04-05
browser extension
cloudflare turnstile
Published: April 5, 2025
Downloadable IOCs: 5

SnakeKeylogger: Multistage Info Stealer Malware Analysis & Prevention

SnakeKeylogger is a highly active credential-stealing malware targeting individuals and businesses. It employs a multi-stage infection chain, starting with malicious spam emails containing .img files. The malware uses sophisticated techniques like process hollowing and obfuscation to evade detectio…
obfuscation
credential-theft
process-hollowing
multi-stage
snakekeylogger
info-stealer
2025-03-25
spam-email
apache-server
Published: March 25, 2025
Downloadable IOCs: 2

New Steganographic Campaign Distributing Multiple Malware Variants

A sophisticated steganographic campaign has been observed distributing multiple stealer malware variants, including Remcos, DcRAT, AgentTesla, and VIPKeyLogger. The infection chain begins with a phishing email containing an Excel file that exploits CVE-2017-0199. This leads to the download of an HT…
obfuscation
phishing
remcos
steganography
asyncrat
dcrat
CVE-2017-0199
process hollowing
remote access trojan
agenttesla
vipkeylogger
2025-03-17
Published: March 17, 2025
Linked vulnerabilities : CVE-2017-0199
Downloadable IOCs: 13

Evolving Snake Keylogger Variant

A new variant of Snake Keylogger, identified as AutoIt/Injector.GTY!tr, has been detected by FortiSandbox v5.0. This malware has attempted over 280 million infections, primarily targeting China, Turkey, Indonesia, Taiwan, and Spain. Snake Keylogger steals sensitive information from popular web brow…
credential theft
autoit
keylogging
snake keylogger
process hollowing
2025-02-20
fortisandbox
ai detection
404 keylogger
paix
Published: February 20, 2025
Downloadable IOCs: 3

Formbook Phishing Campaign with old Payloads

A recent phishing campaign has been observed delivering Formbook stealers through email attachments. The malware uses multiple stages and steganography to hide malicious files inside images. The infection chain involves three stages before the final payload: Purchase Order.exe, Arthur.dll, and Mont…
phishing
steganography
process-hollowing
2025-01-07
xml
formbook stealer
Published: January 7, 2025
Downloadable IOCs: 1

Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation

This analysis examines HeartCrypt, a new packer-as-a-service (PaaS) used to protect malware. Developed since July 2023 and launched in February 2024, HeartCrypt charges $20 per file to pack Windows x86 and .NET payloads. It is primarily used by malware operators of families like LummaStealer, Remco…
xworm
rhadamanthys
remcos
quasar rat
vidar stealer
redline stealer
process hollowing
anti-sandbox
lummastealer
2024-12-14
heartcrypt
packer-as-a-service
Published: December 14, 2024
Downloadable IOCs: 0

New Campaign Uses Remcos RAT to Exploit Victims

A phishing campaign utilizing Remcos RAT has been detected. The attack begins with an email containing a malicious Excel document that exploits CVE-2017-0199. When opened, it downloads and executes an HTA file, which in turn downloads and runs a malicious EXE. This EXE uses PowerShell to load and e…
rat
phishing
powershell
remcos
CVE-2017-0199
process hollowing
2024-11-08
Published: November 8, 2024
Downloadable IOCs: 2

Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA

Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
powershell
cryptocurrency
lumma stealer
information-stealing
data exfiltration
fileless
maas
process hollowing
fake captcha
2024-10-21
Published: October 21, 2024
Downloadable IOCs: 23

Exploring AsyncRAT and Infostealer Plugin Delivery Through…

This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
phishing
powershell
infostealer
asyncrat
vbscript
2024-09-02
process hollowing
cryptocurrency wallets
browser data theft
Published: September 2, 2024
Linked vulnerabilities : CVE-2024-7593 (CVSS 9.8), CVE-2024-28986
Downloadable IOCs: 8

RemcosRAT Distributed Using Steganography

Security researchers have discovered a campaign distributing RemcosRAT through a sophisticated infection chain involving steganography techniques. The attack starts with a malicious Word document exploiting template injection, leading to the download of an RTF file that leverages an equation editor…
obfuscation
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
steganography
remcosrat
process-hollowing
malicious-documents
Published: May 8, 2024
Downloadable IOCs: 4
Click here to see more Attack Reports