DarkGate

Volt Typhoon has obtained the victim's system current location.

TA577, are a Russia-based threat group that have been reported to deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike in ongoing phishing campaigns since 2020. More recently, they have delivered Pikabot and DarkGate malware.

TA571 email lure. In this campaign, emails contained an HTML attachment that displayed a page resembling Microsoft Word.

We’ve been observing an initial access technique that tricks users into copying, pasting, and executing malicious PowerShell code... users are presented with the typical Verify You Are Human prompt... Clicking the button silently copies an obfuscated PowerShell command to the clipboard and presents the user with “Verification Steps” instructing them to: Press Windows Button + R... Press CTRL + V... Press Enter. | One technique we’ve recently seen lead to LummaC2 involves tricking users into copying a PowerShell script from a pop-up message, pasting it into the Windows Run dialogue box, and executing malicious PowerShell code.

the malicious PowerShell/CMD script is copied to the clipboard via browser-side JavaScript

On August 2023, the security researcher 0xToxin documented an infection chain leveraging AutoIT scripts to deliver the DarkGate malware

Bumblebee’s injection module ( dij command for DLL Injection) dynamically resolves NtQueueApcThread at runtime and uses it to inject a payload DLL... While the static import of NtQueueApcThread is flagged by multiple scanners, a runtime GetProcAddress lookup on ntdll.dll is invisible to import-table analysis.

On Tuesday, the agency added CVE-2024-29988 to the list. The vulnerability was unveiled by Microsoft as part of the Patch Tuesday releases in April and affects Microsoft SmartScreen ... He added that the bug is popular among attackers that use a file download as part of their attack techniques for gaining initial access because they “want to find ways to bypass the security features such as SmartScreen.”

DarkHydrus has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded... TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives.

Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. | Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders. | Examples include: 'APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key'; 'APT28 has deployed malware that has copied itself to the startup directory for persistence'; 'FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.'

в архивах находились... а также LNK-файл... Если пользователь решит его открыть, то выполнится прописанная в нем команда

Process injection sits at the top of the MITRE ATT&CK heap for the second year running. Picus Labs’ Red Report 2025 found T1055 in roughly 31% of the million-plus malware samples they examined.

Attackers spawn a process suspended, queue an APC into its main thread before the AV/EDR’s user-mode hooks have loaded, then resume. The payload runs before the security product begins. | Hence APC injection was formed as a technique, they’d find a process with a thread in an alertable wait and get a handle to it, call VirtualAllocEx and WriteProcessMemory to plant shellcode and then call QueueUserAPC pointed at the shellcode, the thread would eventually wake up and execute the shellcode.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. | Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders. | Examples include: 'APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key'; 'APT28 has deployed malware that has copied itself to the startup directory for persistence'; 'FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.'

в архивах находились... а также LNK-файл... Если пользователь решит его открыть, то выполнится прописанная в нем команда

The content contains many examples of base64, XOR, RC4, AES, Rijndael, custom ciphers, rolling XOR, and multi-layer obfuscation used to hide payloads, strings, scripts, and C2 data.

CVE-2024-21412 was used as part of a DarkGate campaign that leveraged fake software installers impersonating Apple’s iTunes, Notion, NVIDIA and more.

Process injection sits at the top of the MITRE ATT&CK heap for the second year running. Picus Labs’ Red Report 2025 found T1055 in roughly 31% of the million-plus malware samples they examined.

Attackers spawn a process suspended, queue an APC into its main thread before the AV/EDR’s user-mode hooks have loaded, then resume. The payload runs before the security product begins. | Hence APC injection was formed as a technique, they’d find a process with a thread in an alertable wait and get a handle to it, call VirtualAllocEx and WriteProcessMemory to plant shellcode and then call QueueUserAPC pointed at the shellcode, the thread would eventually wake up and execute the shellcode.

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

An encoded PowerShell command then leverages Microsoft HTML Application Host (mshta.exe) to download and execute a malicious payload from a remote resource... Detection opportunity: mshta.exe utility making external network connections.

Several entries describe malware examining running processes to determine if a debugger, sandbox, virtual environment, or analysis/security tools are present, such as AsyncRAT checking for a debugger, RogueRobin enumerating Wireshark and Sysinternals processes, and P8RAT checking for processes associated with virtual environments.

Agent Tesla has created hidden folders. AppleJeus has added a leading . to plist filenames, unlisting them from the Finder app and default Terminal directory listings. APT28 has saved files with hidden file attributes. FIN13 has created hidden files and folders within a compromised Linux system /tmp directory and also used attrib.exe to hide gathered local host information.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

DarkGate searches for stored credentials associated with cryptocurrency wallets... StrelaStealer attempts to identify and collect mail login data from Thunderbird and Outlook... Valak can download a module to search for and build a report of harvested credential data.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

Several entries describe malware examining running processes to determine if a debugger, sandbox, virtual environment, or analysis/security tools are present, such as AsyncRAT checking for a debugger, RogueRobin enumerating Wireshark and Sysinternals processes, and P8RAT checking for processes associated with virtual environments.

Agent Tesla can steal data from the victim’s clipboard. APT38 used a Trojan called KEYLIME to collect data from the clipboard. APT39 has used tools capable of stealing contents of the clipboard.

Agrius used a custom tool, sql.net4.exe, to query SQL databases and then identify and extract personally identifiable information... AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration... Ember Bear engages in mass collection from compromised systems during intrusions.

во вредоносном архиве лежал только один исполняемый файл... в архивах находились карточка предприятия... PDF... а также LNK-файл

downloading a remote PowerShell script and execute it in-memory. The second PowerShell script was essentially used to download yet another PowerShell script.

ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.

The content repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.