I hadn’t planned on creating a fashion interface. I just needed a reboot. At the time, I was leading art direction at the studio, juggling multiple projects, and emotionally, I was simply exhausted. I joined an Awwwards Masterclass to rediscover the joy of playing with design. I wanted to learn Webflow. I wanted to explore GSAP. But more than that, I wanted to create something unapologetically weird and beautiful.
That seed grew into DICH™, Design Independent Creative House. What started as a design playground became a statement.
We began with light. Not darkness. No glitch, no noise. Just a breath of fresh air.
Designing the Unfuturistic Future
We made a conscious decision: no dark mode. No glitch filters. Most futuristic UIs feel cold. We wanted warmth, softness, a vision of the future that is poetic, not synthetic.
Each section had its own visual temperature. Soft gradients, air, pastel dust. Typography was crucial. The T-12 font had those strange numeric ligatures that felt alien but elegant. Video, color, typography — all speaking the same language.
Each color palette tells a chapter of DICH — sunlit, strange, alive.
We built moodboards, UX pillars, and rhythm plans. That process, taught in the Masterclass, changed how we approached layout. It wasn’t about grids. It was about flow.
Building the Entry Ritual (Preloader)
The preloader wasn’t just an aesthetic flex. It solved three key problems:
Our media-heavy site needed time to load
Browsers block autoplaying audio without user interaction
We wanted to introduce mood and rhythm before the scroll even began
It was animated in After Effects and exported to Lottie, then embedded into Webflow and animated using GSAP.
The Enter button also triggered sound. It was our “permission point” for browser playback.
Live coordinate HUD under the cursor — perfectly suited to our site’s theme, so we decided to include it.
document.addEventListener('DOMContentLoaded', function () {
if (window.innerWidth <= 768) return;
const xCoord = document.getElementById('x-coordinate');
const yCoord = document.getElementById('y-coordinate');
let mouseX = 0;
let mouseY = 0;
let lastX = -1;
let lastY = -1;
let ticking = false;
function formatNumber(num) {
return num.toString().padStart(4, '0');
}
function updateCoordinates() {
if (mouseX !== lastX || mouseY !== lastY) {
xCoord.textContent = formatNumber(mouseX % 10000);
yCoord.textContent = formatNumber(mouseY % 10000);
lastX = mouseX;
lastY = mouseY;
}
ticking = false;
}
document.addEventListener('mousemove', (event) => {
mouseX = event.clientX;
mouseY = event.clientY;
if (!ticking) {
ticking = true;
requestAnimationFrame(updateCoordinates);
}
});
});
Stones That Scroll
We placed a 3D stone (also from Blender) into Spline, gave it orbital motion, and connected it to scroll using Webflow Interactions.
It felt like motion with gravity — guided, yet organic.
Pixel Tracer
With coordinate tracking already in place, we easily applied it to our section and later enhanced it with a pixel tracer inspired by Jean Mazouni’s displacement effect.
Unicorn Everywhere
The cursor wasn’t just a pointer, it became a vibe.
We used Unicorn Studio to create custom cursor trails and animations that followed the user like echoes of intent. Three variations in total:
One for the landing screen — minimal, hypnotic.
One for the project case study — denser, electric.
One for transitions — barely-there glimmer, like a memory.
Each version added tension and curiosity. It wasn’t flashy for the sake of it — it gave rhythm to hovering, a pulse to the interaction. Suddenly, the cursor wasn’t just a tool. It was part of the interface’s voice.
Footer Letters with Physics
Our footer was a personal moment. We wanted the word “DICH” to be hidden inside animated lines and revealed on hover using canvas and brightness sampling.
This one took the longest. We tried Perlin noise, sine curves, and springs, but none worked as we’d hoped or produced results that were sufficiently readable — until we found an old Domestika course that showed getImageData() logic.
Every visual block was lazy-loaded using IntersectionObserver
Safari compatibility issues — reworked unsupported animations for Safari and added fallbacks for AVIF images (even lighter than WebP) to maximize optimization.
Heavy sections only rendered after the preloader finished
We treated the error page like a runway — not a dead-end, but an invitation. Instead of a sad emoji or a bland “page not found,” you get a full-screen glitch-dream: warped typography, soft scans, and a single message that flickers like a memory.
Technically, it was simple — a standalone Webflow page. But visually, it extended the DICH world: same typographic tension, same surreal softness. We even debated adding background audio, but silence won — it made the page feel like a moment suspended in time.
What We Learned
File formats matter more than you think
Glitches aren’t as magical as thoughtful motion
GSAP is our best friend
Webflow is powerful when paired with code
You don’t need a big plan to make something that matters
Closing
I almost gave up. More than once. But every time the team cracked a bug, designed a transition, or made a visual more strange — it reminded me why we build.
DICH™ was a challenge, a love letter, and a reset. And now it’s yours to explore.
Every six months, Shopify releases a new Edition: a broad showcase of tools, updates, and ideas that reflect both the current state of ecommerce and where the platform is headed. But these Editions aren’t just product announcements. They serve as both roadmap and creative statement.
Back in December, we explored the Winter ’25 Edition, which focused on refining the core. With over 150+ updates and a playfully minimalist interface, it was a celebration of the work that often goes unnoticed—performance, reliability, and seamless workflows. “Boring,” but intentionally so, and surprisingly delightful.
The new Summer ’25 Edition takes a different approach. This time, the spotlight is on design: expressive, visual, and accessible to everyone. At the center of it is Horizon, a brand-new first-party theme that reimagines what it means to build a storefront on Shopify.
Horizon offers merchants total creative control without technical barriers. It combines a modular design system with AI-assisted customization, giving anyone the power to create a polished, high-performing store in just a few clicks.
To understand how this theme came to life—and why Shopify sees it as such a turning point—we had the chance to speak with Vanessa Lee, Shopify’s Vice President of Product. What emerged was a clear picture of where store design is heading: more flexible, more intuitive, and more creatively empowering than ever before.
“Design has never mattered more,” Lee told us. “Great design isn’t just about how things look—it’s how you tell your story and build lasting brand loyalty. Horizon democratizes advanced design capabilities so anyone can build a store.”
A Theme That Feels Like a Design System
Horizon isn’t a single template. It’s a foundation for a family of 10 thoughtfully designed presets, each ready to be tailored to a brand’s unique personality. What makes Horizon stand out is not just the aesthetics but the structure that powers it.
Built on Shopify’s new Theme Blocks, Horizon is the first public theme to fully embrace this modular approach. Blocks can be grouped, repositioned, and arranged freely along both vertical and horizontal axes. All of this happens within a visual editor, no code required.
“The biggest frustration was the gap between intention and implementation,” Lee explains. “Merchants had clear visions but often had to compromise due to technical complexity. Horizon changes that by offering true design freedom—no code required.”
AI as a Creative Partner
AI has become a regular presence in creative tools, but Shopify has taken a more collaborative approach. Horizon’s AI features are designed to support creativity, not take it over. They help with layout suggestions, content generation, and even the creation of custom theme blocks based on natural language prompts.
Describe something as simple as “a banner with text and typing animation,” and Horizon can generate a functional block to match your vision. You can also share an inspirational image, and the system will create matching layout elements or content.
What’s important is that merchants retain full editorial control.
“AI should enhance human creativity,” Lee says. “Our tools are collaborative—you stay in control. Whether you’re editing a product description or generating a layout, it’s always your voice guiding the result.”
This mindset is reflected in tools like AI Block Generation and Sidekick, Shopify’s AI assistant that helps merchants shape messaging, refine layout, and bring content ideas to life without friction.
UX Shifts That Change the Game
Alongside its larger innovations, Horizon also delivers a series of small but highly impactful improvements to the store editing experience:
Copy and Paste for Theme Blocks allows merchants to reuse blocks across different sections, saving time and effort.
Block Previews in the Picker let users see what a block will look like before adding it, reducing trial and error.
Drag and Drop Functionality now includes full block groups, nested components, and intuitive repositioning, with settings preserved automatically.
These updates may seem modest, but they target the exact kinds of pain points that slow down design workflows.
“We pay close attention to small moments that add up to big frustrations,” Lee says. “Features like copy/paste or previews seem small—but they transform how merchants work.”
Built with the Community
Horizon is not a top-down product. It was shaped through collaboration with both merchants and developers over the past year. According to Lee, the feedback was clear and consistent. Everyone wanted more flexibility, but not at the cost of simplicity.
“Both merchants and developers want flexibility without complexity,” Lee recalls. “That shaped Theme Blocks—and Horizon wouldn’t exist without that ongoing dialogue.”
The result is a system that feels both sophisticated and intuitive. Developers can work with structure and control, while merchants can express their brand with clarity and ease.
More Than a Theme, a Signal
Each Shopify Edition carries a message. The Winter release was about stability, performance, and quiet confidence. This Summer’s Edition speaks to something more expressive. It’s about unlocking design as a form of commerce strategy.
Horizon sits at the heart of that shift. But it’s just one part of a broader push across Shopify. The Edition also includes updates to Sidekick, the Shop app, POS, payments, and more—each designed to remove barriers and support better brand-building.
“We’re evolving from being a commerce platform to being a creative partner,” Lee says. “With Horizon, we’re helping merchants turn their ideas into reality—without the tech getting in the way.”
Looking ahead, Shopify sees enormous opportunity in using AI not just for store creation, but for proactive optimization, personalization, and guidance that adapts to each merchant’s needs.
“The most exciting breakthroughs happen where AI and human creativity meet,” Lee says. “We’ve only scratched the surface—and that’s incredibly motivating.”
Final Thoughts
Horizon isn’t just a new Shopify theme. It’s a new baseline for what creative freedom should feel like in commerce. It invites anyone—regardless of technical skill—to build a store that feels uniquely theirs.
For those who’ve felt boxed in by rigid templates, or overwhelmed by the need to code, Horizon offers something different. It removes the friction, keeps the power, and brings the joy back into building for the web.
PHP 8.3 introduces several new features and improvements to enhance performance and the developer experience. Dive into the latest PHP 8.3 release and discover the new features set to revolutionize how developers build applications. From read-only properties to disjoint unions, learn how these enhancements can help you write more efficient and maintainable code while boosting overall performance.
Here are some of the most significant updates:
1. Readonly Properties for Classes.
Feature: PHP 8.3 introduces read-only properties that can only be assigned once, typically in the constructor.
Benefit: This enforces immutability for properties, which can help prevent accidental modifications and make the code easier to reason about.
Example
class User {
public readonly string $name;
public function __construct(string $name) {
$this->name = $name;
}
}
$user = new User("Alice");
// $user->name = "Bob"; // This will throw an error
Performance Impact: Immutable objects can lead to performance benefits by reducing the need for defensive copying and allowing for better optimization by the engine.
2. Disjoint Unions
Feature: PHP 8.3 introduces disjoint unions, allowing developers to declare that a property or return type can be of one type or another, but not a common subtype.
Benefit: This adds more precision in type declarations, improving type safety and reducing potential bugs.
Example
function process(mixed $input): int|string {
if (is_int($input)) {
return $input * 2;
}
if (is_string($input)) {
return strtoupper($input);
}
throw new InvalidArgumentException();
}
3. json_validate() Function
Feature: A new json_validate() function is introduced, which allows developers to check if a string contains valid JSON without decoding it.
Benefit: This is useful for validating large JSON strings without the overhead of decoding them.
Feature: PHP 8.3 allows class constants to have types, just like class properties.
Benefit: This feature enforces type safety for constants, reducing bugs caused by incorrect types.
Example
class Config {
public const int MAX_USERS = 100;
}
5. Improved Performance
JIT Improvements: PHP 8.3 includes enhancements to the Just-In-Time (JIT) compiler introduced in PHP 8.0. These improvements lead to faster execution of some workloads, especially those that are CPU-intensive.
Faster Hash Table Operations: Internal improvements have been made to how hash tables (the underlying structure for arrays and many other data structures) are handled, resulting in faster array operations and reduced memory usage.
6. Enhanced Error Reporting
Feature: Error reporting has been improved with more precise messages and additional context, helping developers diagnose issues faster.
Benefit: Better error messages lead to quicker debugging and a smoother development experience.
7. New Random\Engine Class
Feature: PHP 8.3 introduces the Random\Engine class, which provides a standard way to generate random numbers using different engines.
Benefit: This adds more control over random number generation and allows for better customization, especially in cryptographic or statistical applications.
Example:
$engine = new Random\Engine\Mt19937();
$random = new Random\Randomizer($engine);
echo $random->getInt(1, 100); // Random number between 1 and 100
Conclusion
PHP 8.3 brings a mix of new features, performance improvements, and developer experience enhancements. These changes help developers write more robust, efficient, and maintainable code, while also taking advantage of performance optimizations under the hood. The introduction of readonly properties, disjoint unions, and typed class constants, along with improvements in JIT and error reporting, are particularly impactful in making PHP a more powerful and developer-friendly language.
A security researcher from Seqrite Labs has uncovered a malicious campaign targeting U.S. citizens as Tax Day approaches on April 15. Seqrite Labs has identified multiple phishing attacks leveraging tax-related themes as a vector for social engineering, aiming to exfiltrate user credentials and deploy malware. These campaigns predominantly utilize redirection techniques, such as phishing emails, and exploit malicious LNK files to further their objectives.
Each year, cybercriminals exploit the tax season as an opportunity to deploy various social engineering tactics to compromise sensitive personal and financial data. These adversaries craft highly deceptive campaigns designed to trick taxpayers into divulging confidential information, making fraudulent to counterfeit services, or inadvertently installing malicious payloads on their devices, thereby exposing them to identity theft and financial loss.
Infection Chain:
Fig 1: Infection chain
Initial analysis about campaign:
While tax-season phishing, attacks pose a risk to a broad spectrum of individuals, our analysis indicates that certain demographics are disproportionately vulnerable. Specifically, high-risk targets include individuals with limited knowledge of government tax processes, such as green card holders, small business owners, and new taxpayers.
Our findings reveal that threat actors are leveraging a sophisticated phishing technique in which they deliver files via email with deceptive extensions. One such example is a file named “104842599782-4.pdf.lnk,” which utilizes a malicious LNK extension. This tactic exploits user trust by masquerading as a legiti payments mate document, ultimately leading to the execution of malicious payloads upon interaction.
Decoy Document:
Threat actors are disseminating a transcript related to tax sessions, targeting individuals through email by sharing it as a malicious attachment. These cybercriminals are leveraging this document as a vector to deliver harmful payloads, thereby compromising the security of the recipients.
Fig 2: Decoy Document
Technical Analysis:
We have retrieved the LNK file, identified as “04842599782-4.pdf.lnk,” which was utilized in the attack. This LNK file embeds a Base64-encoded payload within its structure.
Fig 3: Inside LNK File
Upon decoding the string, we extracted a PowerShell command line that itself contains another Base64-encoded payload embedded within it.
Fig 4: Encoded PowerShell Command Line
Subsequently, upon decoding the nested Base64 string, we uncovered the final PowerShell command line embedded within the payload.
Fig 5: Decoded Command Line
The extracted PowerShell command line initiated the download of rev_pf2_yas.txt, which itself is a PowerShell script (Payload.ps1) containing yet another Base64-encoded payload embedded within it.
Fig 6: 2nd PowerShell command with Base64 Encoded
We have decoded the above Base64 encoded command line and get below final executable.
Fig 7: Decoded PowerShell Command
According to the PowerShell command line, the script Payload.ps1 (or rev_pf2_yas.txt) initiated the download of an additional file, revolaomt.rar, from the Command and Control (C2) server. This archive contained a malicious executable, named either Setup.exe or revolaomt.exe.
Detail analysis of Setup.exe / revolaomt.exe:
Fig 8: Detect it Easy
Upon detailed examination of the Setup.exe binary, it was identified as a PyInstaller-packaged Python executable. Subsequent extraction and decompilation revealed embedded Python bytecode artifacts, including DCTYKS.pyc and additional Python module components.
Fig 9: PyInstaller-packaged Python executableFig 10: In side DCTYKS.pyc
Upon analysis of the DCTYKS.pyc sample, it was determined that the file contains obfuscated or encrypted payload data, which is programmatically decrypted at runtime and subsequently executed, as illustrated in the figure above.
Fig 11: Encoded DCTYKS.pyc with Base64
Upon successful decryption of the script, it was observed that the sample embeds a Base64-encoded executable payload. The decrypted payload leverages process injection techniques to target mstsc.exe for execution. Further analysis of the second-stage payload revealed it to be a .NET-compiled binary.
Analysis 2nd Payload (Stealerium malware):
Fig 12: .NET Base Malware sample
The second-stage payload is identified as a .NET-based malware sample. Upon inspection of its class structures, methods, and overall functionality, the sample exhibits strong behavioural and structural similarities to the Stealerium malware family, specifically aligning with version 1.0.35.
Stealerium is an open-source information-stealing malware designed to exfiltrate sensitive data from web browsers, cryptocurrency wallets, and popular applications such as Discord, Steam, and Telegram. It performs extensive system reconnaissance by harvesting details including active processes, desktop screenshots, and available Wi-Fi network configurations. Additionally, the malware incorporates sophisticated anti-analysis mechanisms to identify execution within virtualized environments and detect the presence of debugging tools.
This AntiAnalysis class is part of malware designed to detect sandbox, virtual machines, emulators, suspicious processes, services, usernames, and more. It checks system attributes against blacklists fetched from online sources (github). If any suspicious environment is detected, it logs the finding and may trigger self-destruction. This helps the malware avoid analysis in controlled or security research setups.
Mutex Creation
Fig 16: Mutex Creation
This MutexControl class prevents multiple instances of the malware from running at the same time. It tries to create a system-wide mutex using a name from Config.Mutex (QT1bm11ocWPx). If the mutex already exists, it means another instance is running, so it exits the process. If an error occurs during this check, it logs the error and exits too.
Fig 17: Configuration of StringsCrypt.DecryptConfig
It configures necessary values by decrypting them with StringsCrypt.DecryptConfig. It handles the decryption of the server base URL and WebSocket address. If enabled, it also decodes cryptocurrency wallet addresses from Base64 and decrypts them using AES-256 encryption.
“hxxp://91.211.249.142:7816”
Radom Directory Creation
Fig 18: Random Directory Creation
The InitWorkDir() method generates a random subdirectory under %LOCALAPPDATA%, creates it if it doesn’t exist, and hides it for stealth purposes. This is likely used for storing data or maintaining persistence without detection.
\AppData\Local\e9d3e2dd2788c322ffd2c9defddf7728 random directory is created in hidden attribute.
BoT Registration
Fig 19: BOT Registration
The RegisterBot method initiates an HTTP POST request to register a bot instance, utilizing a unique hash identifier and an authorization token for authentication. It serializes the registration payload, appends the necessary HTTP headers, and logs the server response or any encountered exceptions. The method returns a boolean value—true upon successful execution, and false if an exception is raised during the process.
It extracts browser-related data (passwords, cookies, credit cards, history, bookmarks, autofill) from a given user data profile path.
FileZilla Credentials stealer activity
Fig 21: FileZilla Credential Stealer activity
The above code is part of a password-stealing component targeting FileZilla, an FTP client.
Gaming Platform Data Extraction Modules
Fig 22: Gaming platform data extraction
This component under bt.Stub.Target.Gaming is designed to collect data from the following platforms:
BattleNet
Minecraft
Steam
Uplay
Each class likely implements routines to extract user data, game configurations, or sensitive files for exfiltration.
Fig 23: Checks for a Minecraft installation
It checks for a Minecraft installation and creates a save directory to exfiltrate various data like mods, files, versions, logs, and screenshots. It conditionally captures logs and screenshots based on the Config.GrabberModule setting.
Messenger Data Stealer Modules
Itargets various communication platforms to extract user data or credentials from:
Discord
Element
ICQ
Outlook
Pidgin
Signal
Skype
Telegram
Tox
Below is one example of Outlook Credentials Harvesting
It targets specific registry keys associated with Outlook profiles to extract sensitive information like email addresses, server names, usernames, and passwords. It gathers data for multiple mail clients (SMTP, POP3, IMAP) and writes the collected information to a file (Outlook.txt).
Fig 24: Messenger Data Extraction
Webcam Screenshot Capture
Attempts to take a screenshot using a connected webcam, saving the image as a JPEG file. If only one camera is connected, it triggers a series of messages to capture the webcam image, which is then saved to the specified path (camera.jpg or a timestamped filename). The method is controlled by a configuration setting (Config.WebcamScreenshot).
Fig 25: Webcam Screen shot captures
Wi-Fi Password Retrieval
It retrieves the Wi-Fi password for a given network profile by running the command netsh wlan show profile and extracting the password from the output. The command uses findstr Key to filter the password, which is then split and trimmed to get the value
Fig 26: WI-FI Password Retrieval
VPN Data Extraction
It targets various VPN applications to exfiltrate sensitive information such as login credentials:
NordVpn
OpenVpn
ProtonVpn
For example, it extracts and saves NordVPN credentials from the user.config file found in NordVPN installation directories. It looks for “Username” and “Password” settings, decodes them, and writes them to a file (accounts.txt) in the specified savePath.
Fig 27: VPN Data Extraction
Porn Detection & Screenshot Capture
Fig 28: Porn Detection & Snapshot Captures.
It detects adult content by checking if the active window’s title contains specific keywords related to NSFW content (configured in Config.PornServices). If such content is detected, it triggers a screenshot capture.
Conclusion:
Based on our recent proactive threat analysis, we’ve identified that cybercriminals are actively targeting U.S. citizens around the tax filing period scheduled for April 15. These threat actors are leveraging the occasion to deploy Stealerium malware, using deceptive tactics to trick users.
Stealerium malware is designed to steal Personally Identifiable Information (PII) from infected devices and transmit it to attacker-controlled bots for further exploitation.
To safeguard your data and devices, we strongly recommend using Seqrite Endpoint Security, which provides advanced protection against such evolving threats.
Stay secure. Stay protected with Seqrite.
TTPS
Tactic
Technique ID
Name
Initial Access
T1566.001
Phishing: Spear phishing Attachment
Execution
T1059.001
Command and Scripting Interpreter: PowerShell
Evasion
T1140
Deobfuscate/Decode Files or Information
T1027
Obfuscated Files or Information
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
Credential Access
T1555.003
Credentials from Password Stores: Credentials from Web Browsers
T1539
Steal Web Session Cookie
Discovery
T1217
Browser Information Discovery
T1016
System Network Configuration Discovery: Wi-Fi Discovery
Collection
T1113
Screen Capture
Exfiltration
T1567.004
Exfiltration Over Web Service: Exfiltration Over Webhook
Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024. The group has expanded its scope of targeting beyond Indian government, defence, maritime sectors, and university students to now include entities under railway, oil & gas, and external affairs ministries. One notable shift in recent campaigns is the transition from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as a primary staging mechanism.
Threat actors are continuously evolving their tactics to evade detection, and this shift is driven by their persistent use of DLL side-loading and multi-platform intrusions. This evolution also incorporates techniques such as reflective loading and repurposing open-source tools such as Xeno RAT and Spark RAT, following its trend with Async RAT to extend its capabilities. Additionally, a new payload dubbed CurlBack RAT has been identified that registers the victim with the C2 server.
Key Findings
Usernames associated with attacker email IDs are impersonating a government personnel member with cyber security background, utilizing compromised IDs.
A fake domain mimicking an e-governance service, with an open directory, is used to host payloads and credential phishing login pages.
Thirteen sub-domains and URLs host login pages for various RTS Services for multiple City Municipal Corporations (CMCs), all in the state of Maharashtra.
The official domain of National Hydrology Project (NHP), under the Ministry of Water Resources, has been compromised to deliver malicious payloads.
New tactics such as reflective loading and AES decryption of resource section via PowerShell to deploy a custom version of C#-based open-source tool XenoRAT.
A modified variant of Golang-based open-source tool SparkRAT, is targeting Linux platforms, has been deployed via the same stager previously used for Poseidon and Ares RAT payloads.
A new RAT dubbed CurlBack utilizing DLL side-loading technique is used. It registers the victim with C2 server via UUID and supports file transfer using curl.
Honey-trap themed campaigns were observed in January 2025 and June 2024, coinciding with the arrest of a government employee accused of leaking sensitive data to a Pakistani handler.
A previously compromised education portal seen in Aug 2024, became active again in February 2025 with new URLs targeting university students. These employ three different themes: “Climate Change”, “Research Work”, and “Professional” (Complete analysis can be viewed in the recording here, explaining six different clusters of SideCopy APT).
The parent group of SideCopy, APT36, has targeted Afghanistan after a long with a theme related to Office of the Prisoners Administration (OPA) under Islamic Emirate of Afghanistan. A recent campaign targeting Linux systems with the theme “Developing Leadership for Future Wars” involves AES/RC4 encrypted stagers to drop MeshAgent RMM tool.
Targeted sectors under the Indian Ministry
Railways
Oil & Gas
External Affairs
Defence
Phishing Emails
The campaign targeting the Defence sector beings with a phishing email dated 13 January 2025, with the subject “Update schedule for NDC 65 as discussed”. The email contains a link to download a file named “NDC65-Updated-Schedule.pdf” to lure the target.
Fig. 1 – NDC Phishing Email (1)
A second phishing email sent on 15 January 2025 with the subject “Policy update for this course.txt”, also contains a phishing link. This email originates from an official-looking email ID which is likely compromised. National Defence College (NDC) is a defence service training institute for strategic and practice of National Security located in Delhi, operates under the Ministry of Defence, India.
Fig. 2 – NDC Phishing Email (2)
The attacker’s email address “gsosystems-ndc@outlook[.]com”, was created on 10 January 2025 in UAE and was last seen active on 28 February 2025. OSINT reveals similar looking email ID “gsosystems.ndc-mod@nic[.]in” belonging to National Informatics Centre (NIC), a department under the Ministry of Electronics and Information Technology (MeitY), India. The username linked to the attacker’s email impersonates a government personnel member with cyber security background.
Fig. 3 – Attacker Email
Decoy Documents
The decoy is related to the National Defence College (NDC) in India and contains the Annual Training Calendar (Study & Activities) for the year 2025 for the 65th Course (NDC-65). Located in New Delhi, it is the defence service training institute and highest seat of strategic learning for officers of the Defence Service (Indian Armed Forces) and the Civil Services, all operating under the Ministry of Defence, India.
Fig. 4 – NDC Calendar Decoy [Defence]
Another phishing archive file observed with name “2024-National-Holidays-RH-PER_N-1.zip”, comes in two different variants targeting either Windows or Linux systems. Once the payload is triggered, it leads to a decoy document that contains a list of holidays for the Open Line staff for the year 2024 as the name suggests. This is an official notice from Southern Railway dated 19 December 2023, specifically for the Chennai Division. Southern Railway (SR) is one of the eighteen zones of Indian Railways, a state-owned undertaking of the Ministry of Railways, India.
Fig. 5 – Holiday List Decoy [Railways]
The third infection chain includes a document titled “Cybersecurity Guidelines” for the year 2024, which appears to be issued by Hindustan Petroleum Corporation Limited (HPCL). Headquarted in Mumbai, HPCL is a public sector undertaking in petroleum and natural gas industry and is a subsidiary of the Oil and Natural Gas Corporation (ONGC), a state-owned undertaking of the Ministry of Petroleum and Natural Gas, India.
Another document linked to the same infection is the “Pharmaceutical Product Catalogue” for 2025, issued by MAPRA. It is specifically intended for employees of the Ministry of External Affairs (MEA), in India. Mapra Laboratories Pvt. Ltd. is a pharmaceutical company with headquarters in Mumbai.
Fig. 7 – Catalogue Decoy [External Affairs]
OpenDir and CredPhish
A fake domain impersonating the e-Governance portal services has been utilized to carry out the campaign targeting railway entities. This domain was created on 16 June 2023 and features an open directory hosting multiple files, identified during the investigation.
Fig. 8 – Open directory
A total of 13 sub-domains have been identified, which function as login portals for various systems such as:
Webmail
Safety Tank Management System
Payroll System
Set Authority
These are likely used for credential phishing, actively impersonating multiple legitimate government portals since last year. These login pages are typically associated with RTS Services (Right to Public Services Act) and cater to various City Municipal Corporations (CMC). All these fake portals belong to cities located within the state of Maharashtra:
Chandrapur
Gadchiroli
Akola
Satara
Vasai Virar
Ballarpur
Mira Bhaindar
Fig. 9 – Login portals hosted on fake domain
The following table lists the identified sub-domains and the dates they were first observed:
Sub-domains
First Seen
gadchiroli.egovservice[.]in
2024-12-16
pen.egovservice[.]in
2024-11-27
cpcontacts.egovservice[.]in
cpanel.egovservice[.]in
webdisk.egovservice[.]in
cpcalendars.egovservice[.]in
webmail.egovservice[.]in
2024-01-03
dss.egovservice[.]in
cmc.egovservice[.]in
2023-11-03
mail.egovservice[.]in
2023-10-13
pakola.egovservice[.]in
pakora.egovservice[.]in
2023-07-23
egovservice[.]in
2023-06-16
All these domains have the following DNS history primarily registered under AS 140641 (YOTTA NETWORK SERVICES PRIVATE LIMITED). This indicates a possible coordinated infrastructure set up to impersonate legitimate services and collect credentials from unsuspecting users.
Fig. 10 – DNS history
Further investigation into the open directory revealed additional URLs associated with the fake domain. These URLs likely serve similar phishing purposes and host further decoy content.
hxxps://egovservice.in/vvcmcrts/
hxxps://egovservice.in/vvcmc_safety_tank/
hxxps://egovservice.in/testformonline/test_form
hxxps://egovservice.in/payroll_vvcmc/
hxxps://egovservice.in/pakora/egovservice.in/
hxxps://egovservice.in/dssrts/
hxxps://egovservice.in/cmc/
hxxps://egovservice.in/vvcmcrtsballarpur72/
hxxps://egovservice.in/dss/
hxxps://egovservice.in/130521/set_authority/
hxxps://egovservice.in/130521/13/
Cluster-A
The first cluster of SideCopy’s operations shows a sophisticated approach by simultaneously targeting both Windows and Linux environments. New remote access trojans (RATs) have been added to their arsenal, enhancing their capability to compromise diverse systems effectively.
Fig. 11 – Cluster A
Windows
A spear-phishing email link downloads an archive file, that contains double extension (.pdf.lnk) shortcut. They are hosted on domains that look to be legitimate:
The shortcut triggers cmd.exe with arguments that utilize escape characters (^) to evade detection and reduce readability. A new machine ID “dv-kevin” is seen with these files as we see “desktop-” prefix in its place usually.
Fig. 12 – Shortcuts with double extension
Utility msiexec.exe is used for installing the MSI packages that are hosted remotely. It uses quiet mode flag with the installation switch.
The first domain mimics a fake e-governance site seen with the open directory, while the second one is a compromised domain that belongs to the official National Hydrology Project, an entity under the Ministry of Water Resources. The MSI contains a .NET executable ConsoleApp1.exe which drops multiple PE files that are base64 encoded. Firstly, the decoy document is dropped in Public directory and opened, whereas remaining PE files are dropped in ‘C:\ProgramData\LavaSoft\’. Among them are two DLLs:
Legitimate DLL: Sampeose.dll
Malicious DLL: DUI70.dll, identified as CurlBack RAT.
Fig. 13 – Dropper within MSI package
CurlBack RAT
A signed Windows binary girbesre.exe with original name CameraSettingsUIHost.exe is dropped beside the DLLs. Upon execution, the EXE side-loads the malicious DLL. Persistence is achieved by dropping a HTA script (svnides.hta) that creates a Run registry key for the EXE. Two different malicious DLL samples were found, which have the compilation timestamps as 2024-12-24 and 2024-12-30.
Fig. 14 – Checking response ‘/antivmcommand’
CurlBack RAT initially checks the response of a specific URL with the command ‘/antivmcommand’. If the response is “on”, it proceeds, otherwise it terminates itself thereby maintaining a check. It gathers system information, and any connected USB devices using the registry key:
“SYSTEM\\ControlSet001\\Enum\\USBSTOR”
Fig. 15 – Retrieving system info and USB devices
Displays connected and running processes are enumerated to check for explorer, msedge, chrome, notepad, taskmgr, services, defender, and settings.
Fig. 16 – Enumerate displays and processes
Next, it generates a UUID for client registration with the C2 server. The ID generated is dumped at “C:\Users\<username>\.client_id.txt” along with the username.
Fig. 17 – Client ID generated for C2 registration
Before registering with the ID, persistence is set up via scheduled task with the name “OneDrive” for the legitimate binary, which can be observed at the location: “C:\Windows\System32\Tasks\OneDrive”.
Fig. 18 – Scheduled Task
Reversed strings appended to the C2 domain and their purpose:
String
Functionality
/retsiger/
Register client with the C2
/sdnammoc/
Fetch commands from C2
/taebtraeh/
Check connection with C2 regularly
/stluser/
Upload results to the C2
Once registered, the connection is kept alive to retrieve any commands that are returned in the response.
Fig. 19 – Commands response after registration
If the response contains any value, it retrieves the current timestamp and executes one of the following C2 commands:
Command
Functionality
info
Gather system information
download
Download files from the host
persistence
Modify persistence settings
run
Execute arbitrary commands
extract
Extract data from the system
permission
Check and elevate privileges
users
Enumerate user accounts
cmd
Execute command-line operations
Fig. 20 – Checking process privilege with ‘permission’ command
Other basic functions include fetching user and host details, extracting archive files, and creating tasks. Strings and code show that CURL within the malicious DLL is present to enumerate and transfer various file formats:
Image files: GIF, JPEG, JPG, SVG
Text files: TXT, HTML, PDF, XML
Fig. 21 – CURL protocols supported
Linux
In addition to its Windows-focused attacks, the first cluster of SideCopy also targets Linux environments. The malicious archive file shares the same name as its Windows counterpart, but with a modification date of 2024-12-20. This archive contains a Go-based ELF binary, reflecting a consistent cross-platform strategy. Upon analysis, the function flow of the stager has code similarity to the stagers associated with Poseidon and Ares RAT. These are linked to Transparent Tribe and SideCopy APTs respectively.
Fig. 22 – Golang Stager for Linux
Stager functionality:
Uses wget command to download a decoy from egovservice domain into the target directory /.local/share and open it (National-Holidays-RH-PER_N-1.pdf).
Download the final payload elf as /.local/share/xdg-open and execute.
Create a crontab ‘/dev/shm/mycron’ to maintain persistence through system reboot for the payload, under the current username.
The final payload delivered by the stager is Spark RAT, an open-source remote access trojan with cross-platform support for Windows, macOS, and Linux systems. Written in Golang and released on GitHub in 2022, the RAT is very popular with over 500 forks. Spark RAT uses WebSocket protocol and HTTP requests to communicate with the C2 server.
Fig. 23 – Custom Spark RAT ‘thunder’ connecting to C2
Features of Spark RAT include process management and termination, network traffic monitoring, file exploration and transfer, file editing and deletion, code highlighting, desktop monitoring, screenshot capture, OS information retrieval, and remote terminal access. Additionally, it supports power management functions like shutdown, reboot, log-off, sleep, hibernate and lock screen functions.
Cluster-B
The second cluster of SideCopy’s activities targets Windows systems, although we suspect that it is targeting Linux systems based on their infrastructure observed since 2023.
Fig. 24 – Cluster B
The infection starts with a spear-phishing email link, that downloads an archive file named ‘NDC65-Updated-Schedule.zip’. This contains a shortcut file in double extension format which triggers a remote HTA file hosted on another compromised domain:
The machine ID associated with the LNK “desktop-ey8nc5b” has been observed in previous campaigns of SideCopy, although the modification date ‘2023:05:26’ suggests it may be an older one being reused. In parallel to the MSI stagers, the group continues to utilize HTA-based stagers which remain almost fully undetected (FUD).
Fig. 26 – Almost FUD stager of HTA
The HTA file contains a Base64 encoded .NET payload BroaderAspect.dll, which is decoded and loaded directly into the memory of MSHTA. This binary opens the dropped NDC decoy document in ProgramData directory and an addtional .NET stager as a PDF in the Public directory. Persistence is set via Run registry key with the name “Edgre” and executes as:
The dropped .NET binary named ‘Myapp.pdb’ has two resource files:
“Myapp.Resources.Document.pdf”
“Myapp.Properties.Resources.resources”
The first one is decoded using Caesar cipher with shift of 9 characters in backward direction. It is dropped as ‘Public\Downloads\Document.pdf’ (122.98 KB), which is a 2004 GIAC Paper on “Advanced communication techniques of remote access trojan horses on windows operating systems”.
Fig. 27– Document with appended payload
Though it is not a decoy, an encrypted payload is appended at the end. The malware searches for the “%%EOF” marker to separate PDF data from EXE data. The PDF data is extracted from the start to the marker, while the EXE Data is extracted after skipping 6 bytes beyond the marker.
Fig. 28 – Extracting EXE after EOF marker
After some delay, the EXE data is dropped as “Public\Downloads\suport.exe” (49.53 KB) which is sent as an argument along with a key to trigger a PowerShell command.
Fig. 29 – Extracting resource and triggering PowerShell
PowerShell Stage
The execution of PowerShell command with basic arguments “-NoProfile -ExecutionPolicy Bypass -Command” to ignore policies and profile is seen. Two parameters are sent:
After some delay, the encryption key is decoded from Base64, and the first 16 bytes are treated as the IV for AES encryption (CBC mode with PKCS7 padding). This is done to load the decrypted binary as a .NET assembly directly into memory, invoking its entry point.
Fig. 30 – PowerShell decryption
Custom Xeno RAT
Dumping the final .NET payload named ‘DevApp.exe’ leads us to familiar functions seen in Xeno RAT. It is an open source remote access trojan that was first seen at the end of 2023. Key features include HVNC, live microphone access, socks5 reverse proxy, UAC bypass, keylogger, and more. The custom variant used by SideCopy has added basic string manipulation methods with C2 and port as 79.141.161[.]58:1256.
Fig. 31 – Custom Xeno RAT
Last year, a custom Xeno RAT variant named MoonPeak was used by a North Korean-linked APT tracked as UAT-5394. Similarly, custom Spark RAT variants have been adopted by Chinese-speaking actors such as DragonSpark and TAG-100.
Infrastructure and Attribution
Domains used for malware staging by the threat group. Most of them have registrar as GoDaddy.com, LLC.
Staging Domain
First Seen
Created
ASN
modspaceinterior[.]com
Jan 2025
Sept 2024
AS 46606 – GoDaddy
drjagrutichavan[.]com
Jan 2025
Oct 2021
AS 394695 – GoDaddy
nhp.mowr[.]gov[.]in
Dec 2024
Feb 2005
AS 4758 – National Informatics Centre
egovservice[.]in
Dec 2024
June 2023
AS 140641 – GoDaddy
pmshriggssssiwan[.]in
Nov 2024
Mar 2024
AS 47583 – Hostinger
educationportals[.]in
Aug 2024
Aug 2024
AS 22612 – NameCheap
C2 domains have been created just before the campaign in the last week of December 2024. With Canadian registrar “Internet Domain Service BS Corp.”, they resolve to IPs with Cloudflare ASN 13335 located in California.
C2 Domain
Created
IP
ASN
updates.widgetservicecenter[.]com
2024-Dec-25
104.21.15[.]163
172.67.163[.]31
ASN 13335 – Clouflare
updates.biossysinternal[.]com
2024-Dec-23
172.67.167[.]230
104.21.13[.]17
ASN 202015 – HZ Hosting Ltd.
The C2 for Xeno RAT 79.141.161[.]58 has a unique common name (CN=PACKERP-63KUN8U) with HZ Hosting Limited of ASN 202015. The port used for communication is 1256 but an open RDP port 56777 is also observed.
Fig. 32 – Diamond Model
Both C2 domains are associated with Cloudflare ASN 13335, resolved to IP range 172.67.xx.xx. Similar C2 domains on this ASN have previously been leveraged by SideCopy in attacks targeting the maritime sector. Considering the past infection clusters, observed TTPs and hosted open directories, these campaigns with new TTPs are attributed to SideCopy with high confidence.
Conclusion
Pakistan-linked SideCopy APT group has significantly evolved its tactics since late December 2024, expanding its targets to include critical sectors such as railways, oil & gas, and external affairs ministries. The group has shifted from using HTA files to MSI packages as a primary staging mechanism and continues to employ advanced techniques like DLL side-loading, reflective loading, and AES decryption via PowerShell. Additionally, they are leveraging customized open-source tools like Xeno RAT and Spark RAT, along with deploying the newly identified CurlBack RAT. Compromised domains and fake sites are being utilized for credential phishing and payload hosting, highlighting the group’s ongoing efforts to enhance persistence and evade detection.
A robust social media presence is instrumental for any business, including holistic healthcare clinics, to thrive. Effective use of social media can significantly enhance a clinic’s visibility and build a respected reputation. By tapping into the vast online audience, clinics can connect with potential clients, offering educational content and showcasing their unique services in holistic healthcare.
How to Develop an Engaging Content Strategy
An engaging content strategy is vital in capturing the audience’s attention and establishing a meaningful connection. With over 60 to 70 million Americans suffering from gastrointestinal diseases, there is a substantial audience seeking alternative health solutions. By tailoring content to address these concerns, clinics can position themselves as valuable resources, providing knowledge and insights into holistic approaches.
In developing content, quality should always take precedence over quantity. Educating the audience about how holistic methods can aid in alleviating symptoms related to GI disorders can be highly effective. Sharing success stories, informative articles, and expert opinions not only engages but also builds trust, positioning the clinic as an authority in the holistic healthcare space.
By consistently providing useful, relatable content, clinics can cultivate a loyal following who value their expertise. Utilizing stories of triumph and improvement can humanize the clinic’s brand and foster a community of healing. A well-thought-out content strategy is essential in creating a strong, engaging online presence.
What Platforms Are Most Effective for Healthcare Promotion?
The choice of social media platforms can significantly influence the reach and impact of healthcare promotion. Each platform serves different demographics and types of content, making it crucial for clinics to select the most appropriate channels. Facebook, Instagram, and LinkedIn are among the top platforms where healthcare content is highly effective due to their vast and varied audiences.
Facebook allows clinics to connect with their audience through educational posts, live Q&A sessions, and community-building groups. For example, your practice could use Facebook to promote a free flu vaccine clinic, as it is among the top three most common routine vaccines. Additionally, Instagram is perfect for visual storytelling, showcasing the clinic’s environment, patient testimonials, and holistic lifestyle tips. Meanwhile, LinkedIn can be used to network with other healthcare professionals and share research and professional insights.
Selecting the right platform enables clinics to engage effectively with their target audience, increasing visibility and interaction. A strategic, multi-platform approach can maximize reach, as different segments of the audience can be engaged through their preferred social media channels. Ultimately, the goal is to build an interconnected online presence that enhances the clinic’s reputation and accessibility.
How to Measure the Success of Social Media Campaigns
Measuring the success of social media campaigns requires a strategic approach. Key performance indicators (KPIs) such as engagement rates, reach, and conversion metrics provide insights into the effectiveness of content. Regularly monitoring these metrics helps refine strategies and ensures the clinic remains aligned with its business goals.
Analytical tools, native to platforms like Facebook and Instagram, offer valuable data on audience interactions and content performance. This data-driven approach enables holistic healthcare clinics to understand what resonates with their audience and adjust their strategies accordingly. A successful campaign enhances audience engagement, boosts brand awareness, and ultimately drives patient appointments.
Beyond quantitative metrics, social media success is also reflected in qualitative aspects such as brand perception and audience loyalty. Building an online community centered around support and education leads to stronger patient relationships. In essence, the success of social media campaigns is multifaceted, encompassing both measurable outcomes and more intangible benefits such as increased trust and brand credibility.
How Can Partnerships Amplify Your Reach?
Forming strategic partnerships is a powerful way to extend a clinic’s reach and impact. Collaborations with wellness influencers, other healthcare providers, or businesses in related fields can amplify messages and broaden audiences. Early on, nearly one million people live with significant mental health disorders, presenting an opportunity for partnerships linking mental health with holistic care.
By partnering with influencers in the health and wellness space, clinics can tap into established communities that align with their values. These collaborations bring authenticity and credibility, as trusted voices within the community vouch for the clinic’s services. Simultaneously, partnerships with companies offering complementary services facilitate a seamless integration of holistic solutions for clients.
Successful partnerships are built on shared goals and a mutual understanding of audience needs. They can result in joint content creation, shared events, and cross-promotional strategies that greatly increase the clinic’s business visibility. These partnerships not only expand reach but also enhance the clinic’s reputation as a collaborative and holistic health provider.
What Role Does Authenticity Play in Creating Trust?
Authenticity is a cornerstone of building trust with an online audience. Patients are more likely to engage with clinics that present themselves transparently and genuinely. Sharing real stories, challenges, and successes in holistic care creates a relatable narrative that resonates with the audience.
Authentic content, such as patient testimonials and behind-the-scenes looks at clinic operations, helps potential clients understand and trust the clinic’s mission and values. An honest portrayal of how holistic methods improve patient well-being strengthens the bond between the clinic and its community. This connection fosters a sense of belonging, encouraging patients to choose holistic healthcare for their needs.
A clinic that consistently demonstrates authenticity is likely to cultivate a loyal following. This leads to positive word-of-mouth recommendations, further solidifying the clinic’s standing in the holistic healthcare business. Ultimately, by prioritizing authenticity, clinics can build lasting relationships with patients and sustain a thriving online presence.
Crafting an effective social media strategy is essential for holistic healthcare clinics aiming to foster community engagement and elevate their visibility. These insights provide a roadmap for clinics to enhance their online presence, building a trusted and esteemed reputation that resonates with their audience’s needs and values.
New York City, often referred to as the business capital of the world, offers unique opportunities for family businesses. While the allure of this vibrant metropolis goes beyond sparkling skyscrapers and bustling streets, it plays host to a web of advantages that can serve as the perfect backdrop for your business. From the accessibility of diverse resources to a regulatory environment that promotes growth and innovation, New York is undoubtedly a compelling choice for relocating your family business. Here’s a deeper dive into why moving your unique family business to the Big Apple could be one of the best decisions you make.
You Can Make Connections With the Big Dogs
New York City is truly a networking powerhouse, with ample opportunities to rub shoulders with industry leaders and influencers. While vibrant networking events and conferences are regular affairs, they are just the beginning. The city’s reputation as a hub for top-tier professionals creates a unique atmosphere where collaborations are not only possible but often encouraged.
With 38% of moves undertaken by corporations, New York’s strategic importance cannot be overstated. The business landscape here is uniquely competitive yet collaborative, fostering an environment where innovation thrives. Family businesses in particular can find themselves in the advantageous position of being able to learn from and partner with some of the best in their industry.
The chance to form partnerships with high-level businesses is one of New York’s undeniable benefits. Whether it’s through formal business councils or casual networking gatherings, access to these connections is amplified exponentially. The shared experiences and insights gained can fuel growth and transformation for your family business, taking it to new heights.
You’re Near an Endless Supply of Materials
Being in New York means having access to a consistent and diverse supply chain, essential for any thriving business. The logistics network in this city is unparalleled, ensuring that businesses are never far from the vital resources they need. This logistical advantage gives family businesses easy access to both local and global markets.
With 20 million shipping containers crossing our oceans every year, the availability of materials is almost guaranteed. The city’s numerous ports and proximity to major trade routes simplify the importing and exporting processes. For businesses relying on unique materials or varying supplies, this constant flow is invaluable.
Additionally, being close to such a vast network of suppliers means having the flexibility to pivot as market demands change. Family businesses often benefit from this agility, allowing them to adapt and grow efficiently. The ease of sourcing helps in maintaining consistent production rates and meeting customer expectations, further cementing New York’s position as an ideal business locale.
You’re Protected Under Many Laws and Regulations
New York is known for its robust legal framework that supports and protects businesses, making it a safe haven for entrepreneurial ventures. With an array of state and federal laws in place, businesses can flourish in a well-regulated environment. This comprehensive legal protection fosters trust and security for both business owners and consumers.
There are about 1,050 federal laws involving benefits or status for married couples, underscoring the city’s commitment to inclusivity and diversity. For family-run businesses, such a legal ecosystem can be especially beneficial, providing the peace of mind needed to focus on growth and innovation. These laws also ensure fair practices, which can be vital in maintaining a business’s reputation.
The city’s legal environment is further supported by institutions dedicated to assisting businesses navigate regulations efficiently. This guidance is crucial for family businesses seeking to expand or enhance their operations. As New York continues to evolve, it remains a favorable place to operate a business with its commitment to equitable and sustainable business practices.
Relocating your family business to New York is an investment in its future. The city offers unparalleled networking opportunities, an endless logistical supply, and protective regulations that work together to create an environment conducive to success. Family businesses have much to gain by embracing the dynamic and resource-rich environment that New York provides, reinforcing the city’s reputation as a hub of opportunity and innovation.
