Author: post Bina

  • Motion Highlights #4 | Codrops



    The New Collective

    🎨✨💻 Stay ahead of the curve with handpicked, high-quality frontend development and design news, picked freshly every single day. No fluff, no filler—just the most relevant insights, inspiring reads, and updates to keep you in the know.

    Prefer a weekly digest in your inbox? No problem, we got you covered. Just subscribe here.




  • 6.32 Million Google Clicks! 🤩



    Yesterday Online PNG Tools smashed through 6.31M Google clicks and today it’s smashed through 6.32M Google clicks! That’s 10,000 new clicks in a single day – the smash train keeps on rollin’!

    What Are Online PNG Tools?

    Online PNG Tools offers a collection of easy-to-use web apps that help you work with PNG images right in your browser. It’s like a Swiss Army Knife for anything PNG-related. On this site, you can create transparent PNGs, edit icons, clean up logos, crop stamps, change colors of signatures, and customize stickers – there’s a tool for it all. The best part is that you don’t need to install anything or be a graphic designer. All tools are made for regular people who just want to get stuff done with their images. No sign-ups, no downloads – just quick and easy PNG editing tools.

    Who Created Online PNG Tools?

    Online PNG Tools were created by me and my team at Browserling. We’ve built simple, browser-based tools that anyone can use without needing to download or install anything. Along with PNG tools, we also work on cross-browser testing to help developers make sure their websites work great on all web browsers. Our mission is to make online tools that are fast, easy to use, and that are helpful for everyday tasks like editing icons, logos, and signatures.

    Who Uses Online PNG Tools?

    Online PNG Tools and Browserling are used by everyone – from casual users to professionals and even Fortune 100 companies. Casual users often use them to make memes, edit profile pictures, or remove backgrounds. Professionals use them to clean up logos, design icons, or prepare images for websites and apps.

    Smash too and see you tomorrow at 6.33M clicks! 📈

    PS. Use coupon code SMASHLING for a 30% discount on these tools at onlinePNGtools.com/pricing. 💸




  • Russian R&D Networks Targeted via Decoy PDFs



    Contents

    • Introduction
    • Key Targets
      • Industries Affected
      • Geographical Focus
    • Infection Chain
    • Initial Findings
      • Looking into the decoy-document
    • Technical Analysis
      • Stage 1 – Malicious RAR File
      • Stage 2 – Malicious .NET malware-dropper
      • Stage 3 – Malicious Golang Shellcode loader
      • Stage 4 – Shellcode Overview
    • Hunting and Infrastructure
    • Conclusion
    • Seqrite Protection
    • IOCs
    • MITRE ATT&CK
    • Authors

    Introduction

    SEQRITE Labs APT-Team has been tracking and has uncovered a campaign targeting the Baltic State Technical University, a well-known institution for various defense, aerospace, and advanced engineering programs that contribute to Russia’s military-industrial complex. Tracked as Operation HollowQuill, the campaign leverages weaponized decoy documents masquerading as official research invitations to infiltrate academic, governmental, and defense-related networks. The threat entity delivers a malicious RAR file which contains a .NET malware dropper, which further drops other Golang based shellcode loader along with legitimate OneDrive application and a decoy-based PDF with a final Cobalt Strike payload.

    Key Targets

    Industries Affected

    • Academic & Research Institutions
    • Military & Defense Industry
    • Aerospace & Missile Technology
    • Government-oriented research entities

    Geographical Focus

    Infection Chain

    Initial Findings

    In the early months of 2025, our team found a malicious RAR archive named Исх 3548 о формировании государственных заданий на проведение фундаментальных и поисковых исследований БГТУ «ВОЕНМЕХ» им. Д.Ф. Устинова.rar, which translates to “Outgoing 3548 on the formation of state assignments for conducting fundamental and exploratory research at BSTU ‘VOENMEKH’ named after D.F. Ustinov.rar”, surfacing on VirusTotal. Upon investigation, we determined that this RAR is the initial source of infection: it contains a malicious .NET dropper, which in turn carries multiple other payloads along with a PDF-based decoy.

    The RAR archive contains a malicious .NET executable functioning as a dropper, named “Исх 3548 о формировании государственных заданий на проведение фундаментальных и поисковых исследований БГТУ «ВОЕНМЕХ» им. Д.Ф. Устинова”, which likewise translates to Outgoing No. 3548 regarding the formation of state assignments for conducting fundamental and exploratory research at BSTU ‘VOENMEKH’ named after D.F. Ustinov. This dropper is responsible for deploying a legitimate OneDrive executable alongside a malicious shellcode loader written in Golang. Upon execution, the .NET executable performs several operations: it deploys the Golang loader containing the shellcode, injects the shellcode into the legitimate OneDrive process, and spawns a decoy document. Before delving into the technical details, let’s first examine the decoy document.

    Looking into the decoy document

    Upon looking into the decoy document, it turns out that this lure is a document related to the Ministry of Science and Higher Education of Russia, specifically concerning Baltic State Technical University “VOENMEKH” named after D.F. Ustinov. The document appears to be an official communication addressed to multiple organizations, potentially discussing state-assigned research projects or defense-related academic collaborations.

    The above is a translated version of the initial sections of the decoy.

    The contents and the entire decoy confirm that this PDF serves as a comprehensive guideline for the allocation of state-assigned research tasks, outlining the process for organizations to submit proposals for fundamental and applied research projects under the 2026-2028 budget cycle. It provides instructions for institutions, particularly those engaged in advanced scientific and technological research, on how to register their technological requests within the Unified State Information System for Scientific Research and Technological Projects (ЕГИСУ НИОКТР) before the specified deadline.

    Now, looking into the later part of the decoy it can be seen that the decoy document provides additional information on the submission process for state-assigned research tasks, emphasizing that financial support for these projects will come from budgetary allocations through the Ministry of Science and Higher Education of Russia. Also, the document mentions contact details for inquiries of Bogdan Evgenyevich Melnikov, a senior researcher in the Department of Fundamental and Exploratory Research, with an email address for communication.

    Well, at the end of this decoy, it can be seen that it has been signed by A.E. Shashurin, who is identified as a Doctor of Technical Sciences (д.т.н.), professor, and acting rector (и.о. ректора) of the institution. Overall, this lure document serves as an official communication from the Ministry of Science and Higher Education of Russia, providing guidelines for organizations regarding state-funded research initiatives.

    Technical Analysis

    We will divide our analysis into four main sections. First, we will examine the malicious RAR archive. Second, we will delve into the malicious .NET dropper. Third, we will focus on analyzing the working of the malicious Golang based shellcode injector and at the end, we will look into the malicious Cobalt Strike payload. This detailed exploration will shed light on the methodologies employed and provide insights into the threat actor’s tactics within this particular campaign.

    Stage 1 – Malicious RAR File

    Upon examining the malicious RAR file, we found that it contains another malicious executable named Исх 3548 о формировании государственных заданий на проведение фундаментальных и поисковых исследований БГТУ «ВОЕНМЕХ» им. Д.Ф. Устинова. Initial analysis of the file’s artefacts revealed it to be a 32-bit .NET-based executable. In the next section, we explore the functionality of this .NET executable.

    Stage 2 – Malicious .NET malware-dropper

    Now, let us look into the workings of the .NET file compressed inside the RAR archive. As found in the previous section, the binary is a 32-bit .NET executable; we renamed it SystemUpdaters.exe when loading it into our analysis tools.

    Upon looking inside the sample, we found three interesting methods. Let us dive into them.

    Looking at the first method, the Main function, we can see that it calls another method, MyCustomApplicationContext. Let us analyze that method.

    Next, looking into the method, we found that the code initially checks whether the decoy PDF is present in C:\Users\Appdata\Roaming\Documents; if the PDF is not present, it copies the decoy, which is stored in the resources section, and writes it to that location.

    Looking further into the code, we found that it checks whether OneDrive.exe, the legitimate OneDrive application, exists at the desired location; if it does not find it there, it copies the legitimate application stored in the resources section and writes it to that location.

    In the later part of the code, we found that it checks for a file named OneDrives_v2_1.exe under C:\Users\Appdata\Roaming\Driver; if the file is absent, it copies the executable from the resources section and writes it to that location, just as with the other files.

    One of the most intriguing aspects of this dropper is its use of a shortcut (.lnk) file named X2yL.lnk as a persistence mechanism: the shortcut is placed in the Windows Startup folder to ensure execution on system boot. Upon analyzing the H3kT7fXw method, we observed that it is responsible for creating this shortcut file. The method uses WshShell to generate the .lnk file and assigns it a Microsoft Office-based icon, making it less suspicious. Additionally, the target path of the shortcut is set to the location where the malicious payload, i.e., OneDrives_v2_1.exe, is stored, ensuring its execution whenever the shortcut is triggered at boot.

    Finally, it spawns the decoy PDF on screen. This concludes the analysis of the malicious .NET dropper; in the next sections, we analyze the malicious executable dropped by it.

    Stage 3 – Malicious Golang Shellcode loader

    Upon loading the sample into analysis tools, we can confirm that this executable is programmed in Golang. Next, we look into the working of the shellcode loader and its injection mechanism.

    In the very first part of this shellcode loader, we found that the binary calls time_now to capture the current system time, then calls time_sleep (also a Go runtime function) with a hardcoded value, and then calls time_now again to capture the timestamp after the sleep. It then calls time_Time_Sub to compute the difference between the two captured timestamps and checks whether the total sleep time is less than 6 seconds; if the sleep duration is shorter, the program exits. This acts as a simple anti-analysis technique.

    Moving ahead in the code, we found that the legitimate OneDrive executable dropped by the .NET dropper is launched as a new process using the CreateProcess API from Go, with the process created in a suspended state.

    Then the shellcode, which is embedded in this loader binary, is read using the Go function embed_FS_ReadFile, which returns it.

    The shellcode returned by the previous function is base64-encoded; it is decoded using the Go standard library function base64.StdEncoding.DecodeString and returned.

    The code then uses a hardcoded 13-byte key to decode the entire shellcode.

    Finally, the code performs the APC injection technique to place the shellcode in memory: it starts the process in a suspended state, decodes and decrypts the shellcode, allocates memory in the suspended OneDrive.exe process, writes the shellcode into that memory using WriteProcessMemory, and then uses the QueueUserAPC API to queue a function call on the main thread of the suspended OneDrive.exe process. Calling ResumeThread then causes the queued APC function (containing the shellcode) to execute, effectively running the injected malicious code within the context of OneDrive.exe. Now, let us analyze some key artifacts of the shellcode.
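The dropper and loader stages above leave two host artefacts a defender can key on: a Startup-folder .lnk whose target lives under AppData\Roaming (the X2yL.lnk persistence from Stage 2) and a OneDrive.exe that is started from a user-writable folder by a parent that also lives there (the suspended-process launch from Stage 3). The following is an added example, not Seqrite's code, that runs three such rules over constructed, Sysmon-style events; the event schema, the user name and the exact OneDrive.exe drop path are assumptions, while X2yL.lnk, OneDrives_v2_1.exe and the Roaming\Driver folder come from the write-up.

```python
"""Flag the HollowQuill dropper's persistence and masquerading on a host.

Added example (not Seqrite's code): simple rules over constructed,
Sysmon-style process and file events rather than real telemetry. The
event schema and all paths are assumptions; the file names X2yL.lnk,
OneDrives_v2_1.exe and the Roaming\\Driver folder come from the write-up.
"""
import ntpath
from typing import Dict, List

# Folders a legitimate OneDrive.exe is expected to run from (assumption).
TRUSTED_ONEDRIVE_DIRS = (
    r"c:\program files\microsoft onedrive",
    r"c:\program files (x86)\microsoft onedrive",
    r"\appdata\local\microsoft\onedrive",
)
STARTUP_MARKER = r"\microsoft\windows\start menu\programs\startup"
ROAMING_MARKER = r"\appdata\roaming"


def _norm(path: str) -> str:
    """Lower-case and normalise separators so substring checks are stable."""
    return path.lower().replace("/", "\\")


def startup_lnk_into_roaming(ev: Dict) -> bool:
    """Rule 1: a .lnk written to a Startup folder whose target is under AppData\\Roaming."""
    if ev.get("type") != "lnk_create":
        return False
    path, target = _norm(ev["path"]), _norm(ev.get("target", ""))
    return path.endswith(".lnk") and STARTUP_MARKER in path and ROAMING_MARKER in target


def onedrive_outside_trusted_dirs(ev: Dict) -> bool:
    """Rule 2: OneDrive.exe launched from somewhere other than its install folders."""
    if ev.get("type") != "process_create":
        return False
    image = _norm(ev["image"])
    if ntpath.basename(image) != "onedrive.exe":
        return False
    return not any(d in image for d in TRUSTED_ONEDRIVE_DIRS)


def roaming_parent_spawns_onedrive(ev: Dict) -> bool:
    """Rule 3: OneDrive.exe whose parent binary itself lives under AppData\\Roaming."""
    if ev.get("type") != "process_create":
        return False
    image, parent = _norm(ev["image"]), _norm(ev.get("parent_image", ""))
    return ntpath.basename(image) == "onedrive.exe" and ROAMING_MARKER in parent


RULES = {
    "startup_lnk_into_roaming": startup_lnk_into_roaming,
    "onedrive_outside_trusted_dirs": onedrive_outside_trusted_dirs,
    "roaming_parent_spawns_onedrive": roaming_parent_spawns_onedrive,
}


def evaluate(events: List[Dict]) -> List[Dict]:
    """Return one finding per (event, rule) pair that fires, in event order."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                findings.append({"rule": name, "event": ev})
    return findings


# Constructed telemetry: two events modelled on the chain described in the
# write-up plus a benign OneDrive start (from its real install folder) that
# must not fire any rule.
SAMPLE_EVENTS = [
    {"type": "lnk_create",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X2yL.lnk",
     "target": r"C:\Users\victim\AppData\Roaming\Driver\OneDrives_v2_1.exe"},
    {"type": "process_create",
     "image": r"C:\Users\victim\AppData\Roaming\Driver\OneDrive.exe",   # assumed drop path
     "parent_image": r"C:\Users\victim\AppData\Roaming\Driver\OneDrives_v2_1.exe"},
    {"type": "process_create",
     "image": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f["rule"], "->", f["event"].get("path") or f["event"]["image"])
```

Rules 2 and 3 deliberately overlap: a legitimate OneDrive.exe copied out of its install folder trips rule 2 on its own, while rule 3 only fires when the launching parent is also in a user-writable folder, which is the combination seen in this chain.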

    Stage 4 – Shellcode Overview

    Upon analyzing the malicious shellcode, we found that it is actually a loader, which works by initially loading the Windows library wwanmm.dll.

    Once the DLL is loaded, it zeroes out the DLL’s .text section. It uses the Windows API DllCanUnloadNow, which helps to prepare the beacon in memory, thus facilitating the working of the shellcode, which is a Cobalt Strike beacon.


    On further analysis, it becomes quite evident that the beacon connects to the attacker-hosted C2 server using a specific user-agent. As this tool is quite commonly used, we will not delve in depth into the workings of the malicious beacon. The configuration of the beacon can be extracted as follows.

    Extracted Configuration:

    Method: GET
    Host [Command & Control]: phpsympfony.com
    User-Agent: “Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko”

    Hunting and Infrastructure

    Upon analysis of the shellcode injector programmed in Golang, we found small OPSEC mistakes by the threat actor, such as leaving the Go build ID in the injector, which helped us hunt for similar payloads used by the same threat actor. The Go build ID is as follows:

    -_APqjT14Rci2qCv58VO/QN6emhFauHgKzaZvDVYE/3lVOVKh9ePO_EDoV_lSN/NL58izAdTGRId20sd3CJ
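The Go linker embeds the build ID as an ASCII marker of the form `\xff Go build ID: "<id>"\n \xff` near the start of the binary's text, which is what makes this artefact so convenient to pivot on. The scanner below is an added example, not Seqrite's hunting tooling: it pulls that marker out of raw file bytes (PE, ELF or Mach-O alike), validates its four-component shape, and compares it against the build ID quoted above. The sample file bytes are constructed, and the directory-walk helper is an assumption about how one would apply it to a sample store.

```python
"""Hunt Go-compiled binaries by the build ID the linker embeds.

Added example (not Seqrite's tooling). Go binaries carry their build ID as
the marker  \xff Go build ID: "<id>"\n \xff ; this scanner finds that marker
anywhere in the file bytes, so it works for PE, ELF and Mach-O alike.
"""
import re
import sys
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Marker layout written by the Go linker (cmd/internal/buildid).
_PREFIX = b'\xff Go build ID: "'
_SUFFIX = b'"\n \xff'

# The build ID reported in the HollowQuill write-up, used here as a hunting key.
HOLLOWQUILL_BUILD_ID = (
    "-_APqjT14Rci2qCv58VO/QN6emhFauHgKzaZvDVYE/3lVOVKh9ePO_EDoV_lSN/NL58izAdTGRId20sd3CJ"
)

# A real build ID is four '/'-separated components of base64url-style characters.
_BUILD_ID_SHAPE = re.compile(rb"[A-Za-z0-9_\-]+(/[A-Za-z0-9_\-]+){3}")


def extract_go_build_id(data: bytes) -> Optional[str]:
    """Return the Go build ID embedded in `data`, or None if there is none."""
    start = data.find(_PREFIX)
    if start == -1:
        return None
    start += len(_PREFIX)
    end = data.find(_SUFFIX, start)
    if end == -1:
        return None
    build_id = data[start:end]
    # Reject anything that does not look like a linker-produced ID; this
    # filters false positives from unrelated data that happens to contain the prefix.
    if not _BUILD_ID_SHAPE.fullmatch(build_id):
        return None
    return build_id.decode("ascii")


def matches_known_id(data: bytes, known_ids: Iterable[str] = (HOLLOWQUILL_BUILD_ID,)) -> bool:
    """True if the file's build ID equals one of the IDs being hunted for."""
    found = extract_go_build_id(data)
    return found is not None and found in set(known_ids)


def scan_directory(root: str, known_ids: Iterable[str] = (HOLLOWQUILL_BUILD_ID,)) -> List[Tuple[str, str]]:
    """Walk `root` (assumed to be a sample store) and return (path, build_id) for every match."""
    wanted = set(known_ids)
    hits: List[Tuple[str, str]] = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue
        bid = extract_go_build_id(data)
        if bid is not None and bid in wanted:
            hits.append((str(path), bid))
    return hits


# Constructed sample: a fake PE header and padding around the marker, standing
# in for a real binary so the scanner can be exercised offline.
SAMPLE_FILE = (
    b"MZ\x90\x00" + b"\x00" * 64
    + _PREFIX + HOLLOWQUILL_BUILD_ID.encode("ascii") + _SUFFIX
    + b"\x00" * 32
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, bid in scan_directory(sys.argv[1]):
            print(f"{path}: {bid}")
    else:
        print(extract_go_build_id(SAMPLE_FILE))
```

Because the build ID changes whenever the source, toolchain or build flags change, a hit means "same build", not just "same author"; a broader hunt would match only the first component, which identifies the action being built, but that widens the net and this example keeps to exact matching.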

    Now, looking into the infrastructure artefacts, the malicious command-and-control server hosted at the domain phpsymfony[.]com has been rotated across multiple ASNs. There has also been a unique HTTP title that has been rotated multiple times across the C2 server.

    Looking at the response history, we can see that the title Coming Soon – pariaturzzphy.makebelievercorp[.]com has been set multiple times.

    Upon further searching for the same HTTP title, we found many hosts serving it, some of which are serving malicious binaries such as AsyncRAT and more.

    Looking at the ASNs, the C2 server has been rotating among them since its activation. The list is as follows.

    ASN Geolocation Owner
    AS13335 United States Cloudflare Net
    AS35916 United States MULTA-ASN1
    AS135377 Hong Kong UCLOUD-HK-AS-AP UCLOUD INFORMATION TECHNOLOGY HK LIMITED
    AS174 United States COGENT-174
    AS47846 Germany SEDO-AS
    AS8560 🌍 Unknown IONOS-AS

    Conclusion

    We have found that a threat actor is targeting the Baltic State Technical University using a research-themed lure, chaining a .NET dropper to a shellcode loader that finally delivers a Cobalt Strike in-memory implant. Analyzing the overall campaign and the TTPs employed by the threat actor, we conclude that the actor began this targeting a few months ago, in December 2024.

    SEQRITE Protection

    • Trojan.Ghanarava.1738100518c73fdb
    • Trojan.Ghanarava.1735165667615275

    IOCs

    MD5 Filename
    ab310ddf9267ed5d613bcc0e52c71a08 Исх 3548 о формировании государственных заданий на проведение фундаментальных и поисковых исследований БГТУ «ВОЕНМЕХ» им. Д.Ф. Устинова.rar
    fad1ddfb40a8786c1dd2b50dc9615275 SystemsUpdaters.exe
    cac4db5c6ecfffe984d5d1df1bc73fdb OneDrives_v2_1.exe

    C2

    phpsymfony[.]com
    hxxps://phpsymfony[.]com/css3/index2.shtml

    MITRE ATT&CK

    Tactic Technique ID Name
    Initial Access T1566.001 Phishing: Spearphishing Attachment
    Execution T1204.002 User Execution: Malicious File
    Execution T1053.005 Scheduled Task
    Persistence T1547.001 Registry Run Keys / Startup Folder
    Defense Evasion T1036 Masquerading
    Defense Evasion T1027.009 Embedded Payloads
    Defense Evasion T1055.004 Asynchronous Procedure Call
    Defense Evasion T1497.003 Time Based Evasion
    Command and Control T1132.001 Data Encoding: Standard Encoding

    Authors

    • Subhajeet Singha
    • Sathwik Ram Prakki




  • HTML Editor Online with Instant Preview and Zero Setup


  • Developer Spotlight: Max Barvian | Codrops



    In past Developer Spotlights, we’ve featured devs who’ve pushed the craft of building award-winning websites. But web development is more than just translating great design—Max Barvian is one of those pioneering devs who have a deep understanding of the core mechanics of frontend development. In 2024, he shared one of the coolest CSS-powered, scroll-driven animations with us here on Codrops. We can’t shine the light enough on Max, as his work represents the next frontier in web development—one that merges deep technical knowledge with creative experimentation.

    Hi! My name is Max Barvian. I’m a UI engineer currently working at Clerk.

    Projects I’m proud of

    NumberFlow

    NumberFlow is an animated number component for React, Vue, Svelte, and vanilla TS/JS. It was heavily inspired by the number animations in the wonderful Family app:

    I built NumberFlow as a custom element with wrapper components for each framework. All the animations are powered by the Web Animations API (WAAPI). It uses the FLIP technique, registered custom CSS properties, spring-based linear() timings, new CSS math functions, and composited KeyframeEffects for better interruption handling.

    The response to NumberFlow has been surreal. 𝕏 is currently using it for their analytics dashboard, and Elon Musk even retweeted this screenshot of it:

    barvian.me

    When it came time to rebuild my portfolio last year, my goal was to make some combination of Godly and the Apple TV home screen. I’d really wanted a site like that for years, with a grid of project videos that smoothly transitioned into detail pages, but never felt confident about pulling it off. Then I found the View Transitions API. Despite its shortcomings (i.e. no interruption handling), it felt like the perfect tool for the job. View Transitions using snapshots of “old” views seemed perfect for the video grid, and meant I wouldn’t have to worry about animating a bunch of <video> elements at the same time. Ultimately, I had to use a few more tricks to get decent performance during the transitions, but I still can’t imagine having built the site with anything else. I was honored when Googlers Addy Osmani and Una Kravets shared my little site as a demo for View Transitions.

    Musée

    I stumbled upon this incredible design by Kevin Pham on Dribbble a couple years ago and immediately fell in love with it. I had wanted to experiment with CSS Scroll Snapping and 3D scenes for a while, and this seemed like the perfect candidate. I ended up using React Three Fiber, Motion for React, and Tailwind to implement it. It’s not perfect (there’s a pesky bug with mobile Safari on the last slide that I haven’t been able to fix), but I’m pretty happy with how it turned out. I was honored when Guillermo Rauch, Paul Henschel, Matt Perry, and Three.js all reposted it.

    Fluid type projects

    This work is probably the most boring on the list but I’m still happy with it. I was working on a Tailwind plugin for CSS clamp() when I encountered some longstanding accessibility issues with fluid type. I didn’t want to bring those issues into my plugin, so I spent a whole Sunday watching math videos on YouTube and talking to my physicist brother to figure out how to work around them. I eventually published the results in Smashing Magazine with some help from their great editors there, and was honored to see Adrian Roselli reference the work in his original article. Utopia, a popular fluid clamp generator, also integrated the findings into their tool.

    About me

    I got into creative development in a 7th grade journalism class, when my teacher made me the webmaster for our school newspaper. I asked my parents for Dreamweaver that year for Christmas and got my first freelance client a year after that. I’ve since moved on from Dreamweaver 🙂, but I’ve never wanted to do anything else professionally. I feel lucky that I’ve been able to make a career out of my passion.

    Current challenges

    At Clerk I’m working on building the component library we use for our dashboard. It’s been a fun challenge to try to build something that equally emphasizes UX and DX! I hope to share more on 𝕏 as it progresses. React Aria Components has been a huge inspiration here.

    Tools

    I basically live in VS Code writing React, Tailwind, and Motion code all day.

    Philosophy

    Someone I follow on 𝕏 thought NumberFlow was a good example of a quote by Charlie Munger:

    “Take a simple idea and take it seriously.”
    —Charlie Munger

    That’s stuck with me over the last few months, and I think it’s increased my enjoyment of projects I previously would’ve dismissed as too routine or boring.

    It’s an honor to be featured on a site I’ve been reading my whole career. Thanks a lot, Manoela and the Codrops team!




  • Write and Test Code Instantly With an Online Python Editor


  • 6.33 Million Google Clicks! 🤑



    Yesterday Online PNG Tools smashed through 6.32M Google clicks and today it’s smashed through 6.33M Google clicks! That’s 10,000 new clicks in a single day – the smash train keeps on rollin’!

    What Are Online PNG Tools?

    Online PNG Tools offers a collection of easy-to-use web apps that help you work with PNG images right in your browser. It’s like a Swiss Army Knife for anything PNG-related. On this site, you can create transparent PNGs, edit icons, clean up logos, crop stamps, change colors of signatures, and customize stickers – there’s a tool for it all. The best part is that you don’t need to install anything or be a graphic designer. All tools are made for regular people who just want to get stuff done with their images. No sign-ups, no downloads – just quick and easy PNG editing tools.

    Who Created Online PNG Tools?

    Online PNG Tools were created by me and my team at Browserling. We’ve built simple, browser-based tools that anyone can use without needing to download or install anything. Along with PNG tools, we also work on cross-browser testing to help developers make sure their websites work great on all web browsers. Our mission is to make online tools that are fast, easy to use, and that are helpful for everyday tasks like editing icons, logos, and signatures.

    Who Uses Online PNG Tools?

    Online PNG Tools and Browserling are used by everyone – from casual users to professionals and even Fortune 100 companies. Casual users often use them to make memes, edit profile pictures, or remove backgrounds. Professionals use them to clean up logos, design icons, or prepare images for websites and apps.

    Smash too and see you tomorrow at 6.34M clicks! 📈

    PS. Use coupon code SMASHLING for a 30% discount on these tools at onlinePNGtools.com/pricing. 💸




  • Importance of Digital Personal Data Protection for Retail Sector



    India’s retail sector is undergoing a significant digital transformation, with e-commerce, loyalty programs, and personalized marketing becoming the norm. This evolution means retailers are collecting and processing vast amounts of customer data, making compliance with the Digital Personal Data Protection (DPDP) Act 2023 a business necessity.

    This blog explores why the DPDP Act is critical for the Indian retail ecosystem, highlighting its role in strengthening customer trust, enhancing data security, and ensuring responsible data management. By aligning with this legislation, retailers can meet regulatory requirements and differentiate themselves through stronger data governance and transparency.

    • Building Stronger Customer Relationships Through Trust

    Customer trust is a critical business asset in today’s competitive retail landscape. The DPDP Act grants consumers (Data Principals) key rights over their data, including access, correction, and erasure under specific conditions. By aligning with the DPDP Act’s compliance framework, retailers can reinforce their commitment to data privacy and transparency, strengthening customer relationships.

    These principles enhance brand credibility and foster long-term customer loyalty, positioning retailers as responsible data stewards in an evolving digital marketplace.

    • Ensuring Data Security in a Digital Marketplace

    The retail sector faces growing cybersecurity risks, with data breaches potentially exposing sensitive customer information such as payment details and contact data. Under the DPDP Act, as Data Fiduciaries, retailers must implement robust security measures to prevent breaches and promptly notify the Data Protection Board of India and affected customers in case of an incident.

    By prioritizing compliance-driven data security, retailers can mitigate cyber risks, protect customer information, and safeguard brand reputation, ensuring long-term business resilience in an increasingly digital landscape.

    • Promoting Fair and Transparent Data Practices

    The DPDP Act enforces key principles like purpose limitation and data minimization. It requires retailers to collect only necessary data for defined purposes—such as processing transactions or personalizing offers—and retain it only as long as needed.

    By adopting transparent data practices, retailers can ensure ethical data usage, reduce compliance risks, and enhance customer confidence. The Act also mandates clear customer notifications on data collection and usage, reinforcing trust and regulatory accountability in an increasingly data-driven retail landscape.

    • Ensuring Regulatory Compliance in a Growing Sector

    The DPDP Act establishes a comprehensive legal framework for data protection, which is crucial for India’s rapidly expanding retail industry. Compliance ensures that retailers meet regulatory standards for processing digital personal data, mitigating risks of penalties and legal liabilities.

    By aligning with the Act’s requirements, retailers can reinforce their commitment to ethical data practices, enhance customer trust, and operate with greater transparency and accountability in the evolving digital marketplace.

    • Empowering Consumers with Control Over their Data

    The DPDP Act grants consumers the right to access, correct, and request the erasure of their digital personal data held by retailers. To ensure compliance, businesses must implement efficient mechanisms for handling these requests within the legal framework.

    By prioritizing consumer data rights, retailers can enhance transparency, strengthen accountability, and foster trust, allowing customers to make informed decisions about the data they share—ultimately improving brand credibility and customer engagement.

    • Key Compliance Obligations for Retailers under the DPDP Act

    Retailers must align with several critical obligations under the DPDP Act 2023 to ensure compliance and data protection:

    • Obtaining Informed Consent: Customer consent is required to process personal data, including marketing and loyalty programs.
    • Implementing Security Measures: Strong technical and organizational controls must safeguard customer data, such as secure access to corporate resources and endpoint protection.
    • Data Breach Notification: Any data breaches must be promptly reported to the Data Protection Board and affected customers.
    • Data Retention Policies: Clear policies must ensure customer data is retained only as long as necessary for its intended purpose.
    • Handling Data Principal Rights Requests: Efficient processes should be in place to manage customer requests for data access, correction, and erasure.
    • Potential Appointment of a Data Protection Officer (DPO): Large retailers classified as Significant Data Fiduciaries may be required to appoint a DPO for compliance oversight.


    • Navigating the Path to DPDP Compliance in Retail

    Retailers must take a proactive approach to ensure compliance with the DPDP Act. This includes conducting a comprehensive assessment of current data processing practices and updating privacy policies to align with regulatory requirements.

    Staff training on data privacy protocols and investing in data privacy management systems are essential. Additionally, retailers must establish clear procedures for obtaining and managing customer consent, ensuring compliance, transparency, and enhanced customer trust in the digital marketplace.

    Building a Privacy-First Retail Ecosystem

    The Digital Personal Data Protection Act 2023 is pivotal in strengthening data security and trust in India’s retail sector. The Act enhances customer relationships and industry integrity by enforcing responsible data handling, empowering consumers, and prioritizing privacy compliance.

    Retailers who proactively adopt DPDP Act compliance fulfill legal requirements and gain a competitive edge by showcasing their commitment to customer data protection. Seqrite offers comprehensive data protection solutions to help retailers navigate compliance complexities and implement robust security frameworks. Contact us or visit our website for information.


  • Kimsuky APT Targets South Korea with Deceptive PDF Lures



    Kimsuky: A Continuous Threat to South Korea with Deceptive Tactics

    Contents

    • Introduction
    • Infection Chain
    • Initial Findings
    • Campaign 1
      • Looking into PDF document.
    • Campaign 2
      • Looking into PDF document.
    • Technical Analysis
    • Conclusion
    • Seqrite Protection
    • MITRE ATT&CK
    • IOCs

    Introduction:

    Security researchers at Seqrite Labs have recently uncovered two distinct campaigns carried out by the APT group “Kimsuky,” also known as “Black Banshee.” This group has been actively targeting South Korea using evolving tactics. In these campaigns, the threat actors delivered two South Korean government-themed documents as lures, specifically targeting government entities within South Korea.

    In this blog, we will delve into the technical details of the campaigns uncovered during our analysis. We will examine the various stages of infection, starting with a phishing email containing an LNK (shortcut) file attachment. The LNK file was designed to drop an obfuscated VBA (Visual Basic for Applications) script. After de-obfuscating the script, we found that it was responsible for dropping two additional files: one PDF file and one ZIP file. The ZIP file contained four malicious files: two log files (1.log and 2.log), one VBA script (1.vba), and one PowerShell script (1.ps1). Both campaigns involved the same set of malicious files.

    Infection Chain:

    Fig. 1 Infection chain

    Initial Findings:

    Campaign-1:

    In the first campaign, we identified a lure document about tax reduction and revenue-related tax payments, which carried the same malicious LNK attachment. This attachment subsequently deployed a malicious VBScript, facilitating further compromise.

     

    Fig. 2 Revanue.pdf file

    Our initial findings also showed that the adversary used a different lure document carrying the same LNK file content.

    Campaign-2:

    For campaign-2, we note that South Korea has enacted a new policy aimed at preventing recidivism among sex offenders. The initiative involves circulating a detailed document outlining the regulations to households, daycare centers, kindergartens, and various local administrative offices, including township and village authorities as well as neighbourhood community centres. Threat actors are exploiting this dissemination process by sending deceptive emails containing harmful attachments to residential recipients and key personnel at local offices.

     

    Fig. 3 Sex Offender Personal Information Notification.pdf

    The adversaries exploited the distribution of this document by circulating it via email under the filename 성범죄자 신상정보 고지.pdf.lnk (Sex Offender Personal Information Notification.pdf.lnk). The attachment is a malicious LNK file, which poses a cybersecurity threat to the recipients.

     

    Technical Analysis and Methodology:

    Campaign 1 & 2:

    We analysed the LNK file named 28f2fcece68822c38e72310c911ef007f8bd8fd711f2080844f666b7f371e9e1.lnk from campaign-1 and “성범죄자 신상정보 고지.pdf.lnk” (Sex Offender Personal Information Notification.pdf.lnk) from campaign-2, both shared via email. During analysis, the LNK file fetches additional files from an external C2 server, as shown in the snapshots below.

    Fig. 4 Downloading VBScript from C2 (Campaign-1)

    Fig. 5 Downloading VBScript from C2 (Campaign-2)

    The file is downloaded from the URL shown above and saved into the Temp folder, as indicated below.

    Fig. 6 Downloaded into Temp folder (Campaign-1)

    Fig. 7 Downloaded into Temp folder (Campaign-2)

    The file downloaded from the C2 server is an obfuscated VBScript. Upon de-obfuscating the script, we discovered two additional embedded files: one PDF and one ZIP file.

    Fig. 8 Obfuscated VBScript

    The first section of the file is a Base64-encoded string.

    Fig. 9 Base64-encoded PDF

    After decoding it, we found one PDF file.

     

    Fig. 10 PDF after decoding

    The second part of the VBScript is also encoded in Base64. After decoding it, we discovered a ZIP file.

    Fig. 11 ZIP file

    Fig. 12 Detect It Easy

    The ZIP archive contains the files listed below.

    Fig. 13 Inside the ZIP file

    Within the ZIP archive, four files were identified: a VBScript, a PowerShell script, and two Base64-encoded text files. These encoded text files hold obfuscated data which, once decoded, reveals the malware’s functionality and objectives. The following figures show the encoded content of the two text files; they are decoded and analysed below to trace the next phase of the attack chain.

    Fig. 14 1.log file with Base64 encoding

    Fig. 15 2.log file with Base64 encoding
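    The two-layer drop described above (a Base64 decoy PDF followed by a Base64 ZIP holding the scripts) can be pulled apart statically. The Python below is an added example, not Seqrite’s tooling or code from the sample: it scans a dropper script for Base64 runs, labels each decoded blob by its magic bytes and lists ZIP members. The embedded script and its file names are constructed stand-ins, not the real dropper.

```python
import base64
import io
import re
import zipfile

def _build_sample_script():
    # Constructed stand-in for the decoded dropper: a decoy PDF and a ZIP with
    # the four file names from the analysis, each embedded as Base64. Only the
    # layout is mimicked; the real script is obfuscated and not reproduced.
    pdf = b"%PDF-1.4\n%constructed decoy document\n%%EOF\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("1.log", "2.log", "1.vbs", "1.ps1"):
            zf.writestr(name, "constructed placeholder\n")
    return (
        "Dim p, z\n"
        'p = "' + base64.b64encode(pdf).decode() + '"\n'
        'z = "' + base64.b64encode(buf.getvalue()).decode() + '"\n'
        "' ... decode-and-drop logic omitted ...\n"
    )

SAMPLE_SCRIPT = _build_sample_script()

# File types the chain drops, keyed by their magic bytes.
MAGICS = {b"%PDF": "pdf", b"PK\x03\x04": "zip"}
# A Base64 run long enough to be a payload rather than a short token.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def extract_payloads(script_text):
    """Return (kind, data, members) for each Base64 run that decodes to a
    known type; members lists ZIP entries and is None for other types."""
    found = []
    for m in B64_RUN.finditer(script_text):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        kind = next((k for sig, k in MAGICS.items() if data.startswith(sig)), None)
        if kind is None:
            continue
        members = None
        if kind == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        found.append((kind, data, members))
    return found

if __name__ == "__main__":
    for kind, data, members in extract_payloads(SAMPLE_SCRIPT):
        print(kind, len(data), "bytes", members or "")
```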

    The 1.vbs file employs obfuscation that uses the Chr() and CLng() functions to build characters dynamically and invoke commands at runtime. Because the command string never appears in the file as plain text, this approach circumvents signature-based detection during execution.

    When the script finishes, the concatenated characters form a complete command, which is then executed. This command is likely designed to invoke the 1.ps1 PowerShell script, passing 1.log as an argument for further processing.

    Fig. 16 1.vbs

    After de-obfuscating the VBScript, we uncovered the following command line, which in turn triggers the PowerShell script for further processing.

    Fig. 17 De-obfuscated VBScript

    Executing the 1.vbs file invokes the 1.ps1 file, as illustrated in the snapshot below.

    Fig. 18 Executing 1.vbs
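    The command that 1.vbs assembles from Chr(CLng(...)) calls can be recovered statically, without executing the script. The Python below is an added example, not code from the post or from the sample; it assumes the CLng() arguments are decimal or &H hex literals joined by + or -, and the obfuscated line it parses is constructed for illustration.

```python
import re

# Constructed stand-in for one obfuscated line of 1.vbs. The real script is not
# reproduced; only the Chr()/CLng() character-building pattern is mimicked.
SAMPLE_VBS = (
    'cmd = Chr(CLng("&H70")) & Chr(CLng(111)) & Chr(CLng(119 + 0)) & '
    'Chr(CLng(100 + 1)) & Chr(CLng("&H72")) & Chr(CLng(115)) & '
    'Chr(CLng(104)) & Chr(CLng(101)) & Chr(CLng(108)) & Chr(CLng(108))\n'
    'CreateObject("WScript.Shell").Run cmd, 0\n'
)

# Chr(CLng( <expr> )) with any spacing; <expr> is captured for evaluation.
CHR_CALL = re.compile(r"Chr\s*\(\s*CLng\s*\(\s*([^()]+?)\s*\)\s*\)", re.IGNORECASE)
# Tokens of the argument grammar this deobfuscator assumes (an assumption, not
# the sample's full grammar): &H hex literals (quotes optional), decimals, + / -.
TOKEN = re.compile(r'"?&[Hh]([0-9A-Fa-f]+)"?|(\d+)|([+-])')

def eval_clng_arg(expr):
    """Evaluate a CLng() argument without running VBScript. Anything outside
    the assumed grammar raises ValueError so it is never silently mis-decoded."""
    total, sign, consumed = 0, 1, ""
    for m in TOKEN.finditer(expr):
        consumed += m.group(0)
        hexval, decval, op = m.groups()
        if op:
            sign = -1 if op == "-" else 1
        else:
            total += sign * (int(hexval, 16) if hexval else int(decval))
            sign = 1
    if consumed != re.sub(r"\s+", "", expr):
        raise ValueError("unsupported CLng() argument: " + expr)
    return total

def deobfuscate(vbs_text):
    """Replace each Chr(CLng(...)) call with a string literal of the character
    it builds, then fold the VBScript '&' joins between adjacent literals."""
    def literal(m):
        return '"' + chr(eval_clng_arg(m.group(1))) + '"'
    return re.sub(r'"\s*&\s*"', "", CHR_CALL.sub(literal, vbs_text))

def recovered_strings(vbs_text):
    """String literals left after deobfuscation: the values the script would
    otherwise only assemble in memory at runtime."""
    return re.findall(r'"([^"]*)"', deobfuscate(vbs_text))

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_VBS))
```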

    The 1.ps1 script includes a function designed to decode Base64-encoded data from the 1.log file and execute the resulting script.

    Fig. 19 1.ps1 file

    Fig. 20 1.log after decoding

    The 1.ps1 script retrieves the BIOS serial number, a unique system identifier, from the compromised host. This serial number is then used to create a dedicated directory within the system’s temporary folder, so that attack-related files are stored in a location specific to the compromised machine, as shown in the above snapshot.

    As a VM-aware sample, the script checks whether it is executing within a virtual machine. If it detects one, it deletes all four files associated with the attack (1.vbs, 1.ps1, 1.log, and any payload files stored in the directory named after the serial number), effectively halting its execution, as illustrated.

    The script encompasses 11 functions that define the subsequent phases of the malware’s operation, which include data exfiltration, cryptocurrency wallet information theft, and the establishment of Command-and-Control (C2) communications. These functions are integral to the attack’s execution, facilitating the malware’s objectives and ensuring persistent communication with the threat actor.

    List of malicious functions retrieved from the 1.log file:

    1. UploadFile():

    The upload function exfiltrates data by transmitting it to the server in 1 MB chunks, which lets it handle large files. Each chunk is sent via an HTTP POST request; the script waits for the server’s response and continues only if it receives HTTP status code 200. If the response differs, the script terminates. The function verifies the success of each upload iteration before continuing.

    Fig. 21 UploadFile()

    2. GetExWFile():

    The GetExWFile function iterates through a set of predefined hash tables of cryptocurrency wallet extensions. When a match is found, it identifies the associated “.ldb” and “.log” files linked to those extensions for exfiltration. These files are then transferred to the destination folder specified by the $Storepath variable.

    Fig. 22 GetExWFile()

    3. GetBrowserData():

    The script checks whether any of the following browsers—Edge, Firefox, Chrome, or Naver Whale—are running, in order to extract user profile data, including cookies, login credentials, bookmarks, and web data. Before collecting this information, the script terminates the browser processes to ensure uninterrupted access to their files. It then retrieves data on installed extensions and cache files, such as webcacheV01.dat, for each identified browser. For certain browsers, it also decrypts the encrypted keys, allowing it to extract sensitive information, which is then stored alongside the decrypted master encryption key.

    Fig. 23 BrowserData()

    4. Download file():

    The download file function downloads any file specified by a C2 command.

    Fig. 24 Download File()

    5. RegisterTask():

    It establishes persistence for the files “1.log” and “1.vbs”.

    Fig. 25 RegisterTask()

    6. Send():

    The Send() function compresses all collected information into a ZIP file named “init.zip” and uploads it to the server. It then renames the ZIP file to “init.dat” and, once the upload is complete, deletes all backup files from the system.

    Fig. 26 Send()
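    The 1 MB chunking and the HTTP 200 check in UploadFile() leave a recognisable pattern in proxy logs: repeated POSTs of exactly 1,048,576 bytes to one URL, usually ending with a smaller final chunk. The Python below is an added detection example, not Seqrite’s detection logic; the log format and the lines it parses are constructed, and example.invalid is a placeholder host.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CHUNK = 1024 * 1024  # the 1 MB chunk size UploadFile() transmits

# Constructed proxy log, not real telemetry. Columns:
# timestamp source method url status request_body_bytes
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 POST http://example.invalid/upload 200 1048576
2024-01-01T10:00:03 10.0.0.5 POST http://example.invalid/upload 200 1048576
2024-01-01T10:00:06 10.0.0.5 POST http://example.invalid/upload 200 1048576
2024-01-01T10:00:09 10.0.0.5 POST http://example.invalid/upload 200 1048576
2024-01-01T10:00:12 10.0.0.5 POST http://example.invalid/upload 200 524288
2024-01-01T10:00:20 10.0.0.7 POST http://example.invalid/api/login 200 312
2024-01-01T10:01:00 10.0.0.9 GET http://example.invalid/ 200 0
2024-01-01T11:30:00 10.0.0.9 POST http://example.invalid/upload 200 1048576
"""

def parse_line(line):
    ts, src, method, url, status, size = line.split()
    return datetime.fromisoformat(ts), src, method, url, int(status), int(size)

def find_chunked_uploads(log_text, min_chunks=3, window=timedelta(minutes=10)):
    """Flag (source, url) pairs that sent at least min_chunks POSTs of exactly
    one chunk, each answered with HTTP 200, inside `window`. The last POST of a
    real transfer is usually smaller (the final partial chunk), so it is counted
    in the totals but not required to be full size."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, status, size = parse_line(line)
        if method == "POST" and status == 200:
            posts[(src, url)].append((ts, size))
    hits = []
    for (src, url), events in posts.items():
        events.sort()
        full = [ts for ts, size in events if size == CHUNK]
        for i in range(len(full) - min_chunks + 1):
            if full[i + min_chunks - 1] - full[i] <= window:
                tail = [(ts, size) for ts, size in events if ts >= full[i]]
                hits.append({"src": src, "url": url, "posts": len(tail),
                             "bytes": sum(size for _, size in tail)})
                break
    return hits

if __name__ == "__main__":
    for hit in find_chunked_uploads(SAMPLE_LOG):
        print(hit)
```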

    The execution flow of the functions follows a sequence where several actions are carried out within the attack. Among these functions, one triggers another PowerShell command that calls the 2.log file, which is responsible for performing keylogging activities.

     

    Fig. 27 Flow of execution of functions and command to execute 2.log

    Fig. 28 Executing 2.log file

    Fig. 29 Inside 2.log file

     

    The decoded content of the 2.log file is shown above. It contains a script that imports essential Windows API functions for detecting key presses, retrieving window titles, and managing keyboard states. The script executes actions such as clipboard monitoring, keystroke logging, and recording window titles.

    Fig. 30.2 Code for clipboard monitoring

    Conclusion

    As observed, threat actors are using time-consuming, interlinked, multi-component techniques to improve their evasiveness. Unlike other stealers, this one primarily focuses on network-related information, which could be leveraged for active reconnaissance. Given that the stealer targets sensitive user data, it is crucial to protect yourself with a reputable security solution such as Seqrite Antivirus. At Seqrite Labs, we provide detection for such stealers at various stages of infection, along with protection against the latest threats.

    Seqrite Protection:

    • Trojan.49424.SL
    • Trojan.49422.C

     

    MITRE ATT&CK:

    Tactic               Technique   Name
    Initial Access       T1566.001   Phishing: Spearphishing Attachment
    Execution            T1059.001   Command and Scripting Interpreter: PowerShell
    Execution            T1059.005   Command and Scripting Interpreter: Visual Basic
    Persistence          T1547.001   Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    Defense Evasion      T1140       Deobfuscate/Decode Files or Information
    Credential Access    T1555.003   Credentials from Password Stores: Credentials from Web Browsers
    Discovery            T1082       System Information Discovery
    Collection           T1056.001   Input Capture: Keylogging
    Command and Control  T1071.001   Application Layer Protocol: Web Protocols
    Exfiltration         T1041       Exfiltration Over C2 Channel

    IoCs:

    MD5                               File Name
    1119A977A925CA17B554DCED2CBABD8   *.lnk
    64677CAE14A2EC4D393A81548417B61B  1.log
    F0F63808E17994E91FD397E3A54A80CB  2.log
    A3353EA094F45915408065D03AE157C4  prevenue.hta
    CE4549607E46E656D8E019624D5036C1  1.vbs
    1B90EFF0B4F54DA72B19195489C3AF6C  *.lnk
    1D64508B384E928046887DD9CB32C2AC  성범죄자 신상정보 고지.pdf.lnk

    C2

    • hxxps[:]//cdn[.]glitch[.]global/
    • hxxp[:]//srvdown[.]ddns.net

     

    Authors

    Dixit Panchal

    Kartik Jivani

    Soumen Burma

     

     




  • Designer Spotlight: Stephanie Bruce | Codrops



    Meet Stephanie Bruce, an Independent Designer and Webflow Developer based in London, UK. She has been designing for over 2 years, previously working in Finance. 

    She loves editorial layouts, photography and visually creative web designs. She works closely with agencies and clients worldwide.

    In this spotlight, Stephanie shares a selection of her favorite projects — a window into her creative process, inspirations, and evolution as a designer.

    Featured work

    Valentine

    This is my latest project where I did the art direction, photography direction, web design and development for Freewrite Valentine. The main purpose of the website is to promote their latest Freewrite Valentine, paying tribute to the original Olivetti Valentine typewriter.

    I used retro ads and posters as the main inspiration for the web design and photography direction. We decided to go with a bold red colour throughout the website to emphasise the retro red vibes. I had a two-week deadline to design and build, as well as photography direction.

    MOD Agency Collab

    A web design project I did at MOD agency, with creative director Matt Jumper. My role was to design the website and create data visuals. It was my first time designing data visuals and I was pretty happy with how fun they turned out. Huge thanks to Mod agency for bringing me along for this project.

    SP28K

    SP28K was an exploration website I did on the Flow Party On Demand course. For this design I decided to explore brutalist design with a touch of editorial layout. This project challenged me to go for a bold approach using expressive typography and high-contrast fonts. Photoshoot of the speaker was done in Spline.

    Concepts and explorations

    Outside of client work, I love spending time creating my own concepts and web design explorations. By creating concept work, I learnt how much I love editorial, photography based websites and how I hope to attract similar work in the near future.

    Especially being a relatively new designer, these concepts have helped me get noticed on social media and led to many opportunities.

    Brief biography and career highlights

    I switched careers from Finance to Design over two years ago. I wanted to find a job that I loved, and once I discovered the world of Digital Design, I became pretty obsessed. I feel like I found my calling.

    When I worked in Finance, I spent a lot of my spare time immersed in the creative world. I would go to exhibitions, galleries, theatre plays, etc. I also studied Photography, which helped me develop an eye for detail and composition. I feel that the combination of my exposure to the arts and my photography skills has played a big role in developing a strong visual eye for design.

    Since changing careers, I’ve had some amazing opportunities to work with leading designers and agencies — from a six-month internship with Fons Mans to collaborations with designers like Dann Petty and Benten Woodring.

    I’ve been freelancing since the beginning of my design career and am very grateful that my work and network have led to multiple collaborations with international clients and agencies.

    Inspiration

    I find that most of my inspiration comes from looking at design outside of web design. I often look at magazine layouts, prints/posters, and branding assets. Exploring these areas challenges me to create things you don’t typically see on websites.

    I also draw a lot of inspiration from visiting art galleries and exhibitions around London, as well as from films and video games like Firewatch and Before Your Eyes.

    Future Goals

    Currently, I’m focused on working with agencies, as I enjoy collaborating and learning as much as possible from them.

    In the near future, I’d love to work with lifestyle and e-commerce clients, and maybe team up with someone to create a purposely small, boutique agency.

    Message to Readers

    Put in the time to practice design, and get comfortable with sharing your work online and networking — it can lead to so many opportunities and collaborations.

    I’d also say it’s totally fine to explore different skills at the beginning, but I recommend committing to mastering one or two that truly excite you. Stay open to learning and keep pushing yourself to improve, no matter how many years of experience you have.

    Feel free to reach out to me on Twitter or Instagram — whether you have a project in mind or just want to grab a coffee, in person or online!




