SoullessRAT

The attack chain begins with a malicious MSI installer, disguised as a legitimate software application, delivered to targeted users through deceptive websites mimicking real developer tools.

A separate espionage campaign linked to the Eagle Werewolf cluster used Iraqi hosting on Regxa infrastructure to deploy multiple remote access tools via phishing lures based on Starlink registration and drone training themes.

used Iraqi hosting on Regxa infrastructure to deploy multiple remote access tools via phishing lures based on Starlink registration and drone training themes.

The loader then fetches the Node.js interpreter (if it is not present in the system) and the next stage obfuscated JS script. Upon downloading all the components, the Node.js interpreter executes the JS script.

run-script.ps1, a PowerShell script to load and execute code via PowerShell. The file contains: powershell -w hidden -ep bypass -c "I''E''X...DOWNLOADDaTa(...)"

helper.vbs, a VBS file ... that executes run-script.ps1.

Alongside the Fondue.exe-based attack path, the same threat cluster also deployed a separate JavaScript-based remote access trojan named SoullessRAT against other targets.

Upon execution, StarDebug_1.0.1.msi creates the directory %LOCALAPPDATA%\Star and extracts the following three files to it...

The URL hxxps://battleflight[.]org/download/installer hosted the executable BattleFlight-Install-v11.0.3.exe, a C# dropper disguised as an installer for a drone pilot training simulator.

The appwiz.cpl applet is packed with UPX and obfuscated with Oreans Code Virtualizer.

The dropper contains the EchoGather payload, which is Base64-encoded and XOR-encrypted.

The attack chain begins with a malicious MSI installer, disguised as a legitimate software application, delivered to targeted users through deceptive websites mimicking real developer tools.

the C# dropper contains the EchoGather payload, which is Base64-encoded and XOR-encrypted.

SoullessRAT was reportedly written using generative AI, and it supports a broad range of espionage capabilities including remote command execution, file uploads to the attacker’s server, screenshot capture, and harvesting of system information.

ScanFiles ... The following fields are sent to the endpoint /clients/files: fileName relativePath fullPath fileSize createdDate modifiedDate

Files, uploads a directory/file from the host to the C2 server.

SoullessRAT was reportedly written using generative AI, and it supports a broad range of espionage capabilities including remote command execution, file uploads to the attacker’s server, screenshot capture, and harvesting of system information.

Key capabilities of SoullessRAT ... downloads and runs modules for self-destruction, SSH, and data harvesting from the Outlook mail client

more than 1,350 active command-and-control (C2) servers were identified across 98 infrastructure providers in the region within just three months.

The C2 server is queried every 15 seconds.

The initial MSI installer drops a PowerShell script, a VBS helper file, and a .NET loader, which work together to download and execute the next-stage payload without triggering obvious alerts.

Once loaded into the memory space of Fondue.exe, the rogue control panel file deploys a Sliver post-exploitation framework implant. Sliver is an open-source adversary simulation tool that gives attackers a powerful foothold on the infected machine, allowing them to issue remote commands and move through compromised networks with ease.

SoullessRAT was reportedly written using generative AI, and it supports a broad range of espionage capabilities including remote command execution, file uploads to the attacker’s server, screenshot capture, and harvesting of system information.