In this sample, the ISO contains four innocuous-looking files. A security analyst might be instantly suspicious of a 3KB PDF file and the presence of a PowerShell script, but HR might simply not notice.

The PDF is a link file that launches cmd.com. “It executes an obfuscated command that dynamically constructs and launches powershell.exe with hidden window settings and execution policy bypass enabled,” notes the report. It ultimately runs script.ps1 from within the mounted ISO.

The script copies the PNG file to a separate location, loads it, and extracts hidden data from the image using least significant bit (LSB) steganography. The extracted bytes are decoded into a UTF-8 string containing a second PowerShell script, which is executed in memory using Invoke-Expression, so the second stage never touches disk as a script file.

The new script downloads SumatraPDF.zip from an external domain and extracts it into a temporary folder. The ZIP contains two files: SumatraPDF.exe and DWrite.dll. The script runs the EXE, a legitimate, signed PDF reader, which loads the DLL from its own directory; the DLL is a tampered version of the legitimate DWrite.dll and is accepted as genuine (classic DLL side-loading).

Once side-loaded, the tampered DLL collects basic system information plus user and host context by reading the USERNAME and COMPUTERNAME environment variables. Together, these give the attacker a single fingerprint string identifying the system and user.

Further payloads are delivered by the C2. The next stage prepares the environment: it exits if it recognizes a Russian or CIS locale or language, exits if it finds a debugger, introduces noise and delays if it finds a sandbox, and modifies the registry keys for Windows Defender.

It then injects BlackSanta (a name found in its code), which Aryaka describes as a dedicated BYOVD-based component. “BlackSanta enumerates running processes, comparing each name against a hardcoded list of antivirus and EDR executables. When a match is found, it retrieves the process ID and uses its loaded drivers to unlock and terminate the targeted process at the kernel level, bypassing standard protections,” reports Aryaka.

Sood describes BlackSanta as the campaign’s most alarming feature. “It disables antivirus and EDR protections at the kernel level, clearing the path for credential harvesting, system reconnaissance, and eventual data exfiltration with minimal resistance,” he says.

Aryaka has found evidence that the campaign has been operational for a year, largely unnoticed, harvesting data and cryptocurrency artifacts. “It is not opportunistic malware,” says Sood. “It is operationally disciplined intrusion engineering. This operation reflects a mature adversary capable of blending social engineering, living-off-the-land techniques, steganography, and kernel-level abuse to achieve stealthy persistence and credential theft.”
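The LSB step is the part of this chain an analyst most often has to reproduce by hand: the PNG from the ISO looks clean to every scanner, and the second stage exists only as the low bits of its pixels. The following is an added example written for this page, not the loader's own code. It assumes a constructed framing (a 4-byte marker followed by a big-endian length), one payload bit per 8-bit RGB sample in raster order, and an unfiltered 8-bit RGB PNG; the real loader's marker, channel order, bit offset and length encoding are not given on this page and must be recovered from script.ps1 before the extractor can be pointed at a real sample.

```python
"""LSB steganography round-trip on a real PNG file (stdlib only).

Constructed example: framing (MARKER + length), bit order and cover image
are all assumptions for illustration, not the campaign's real format.
"""
import os
import random
import struct
import tempfile
import zlib

MARKER = b"PSST"  # constructed 4-byte framing marker (assumption)


def write_png(path, width, height, rgb):
    """Write an 8-bit RGB PNG using filter type 0 on every row."""
    if len(rgb) != width * height * 3:
        raise ValueError("rgb buffer does not match dimensions")

    def chunk(tag, data):
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

    raw = b"".join(b"\x00" + bytes(rgb[y * width * 3:(y + 1) * width * 3]) for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    with open(path, "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
                + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def read_png(path):
    """Return (width, height, RGB samples). Handles only 8-bit RGB, filter 0."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("only 8-bit RGB supported")
        elif tag == b"IDAT":
            idat += body
        elif tag == b"IEND":
            break
        pos += 12 + length  # length + tag + data + crc
    raw = zlib.decompress(idat)
    stride = width * 3
    samples = bytearray()
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("only filter type 0 supported")
        samples += row[1:]
    return width, height, samples


def lsb_embed(samples, payload):
    """Overwrite the LSB of each sample with one bit of MARKER+len+payload."""
    frame = MARKER + struct.pack(">I", len(payload)) + payload
    bits = [(b >> (7 - i)) & 1 for b in frame for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("cover image too small for payload")
    out = bytearray(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out


def lsb_extract(samples):
    """Recover the UTF-8 payload, or None if the marker is absent."""
    def read_bytes(start_bit, count):
        if start_bit + count * 8 > len(samples):
            raise ValueError("declared length exceeds image")
        out = bytearray()
        for k in range(count):
            val = 0
            for i in range(8):
                val = (val << 1) | (samples[start_bit + k * 8 + i] & 1)
            out.append(val)
        return bytes(out)

    if read_bytes(0, 4) != MARKER:
        return None
    length = struct.unpack(">I", read_bytes(32, 4))[0]
    return read_bytes(64, length).decode("utf-8")


def roundtrip(payload_text, width=32, height=32, seed=1):
    """Embed text in a constructed noise cover, write/read a PNG, extract it."""
    rng = random.Random(seed)
    cover = bytearray(rng.randrange(256) for _ in range(width * height * 3))
    stego = lsb_embed(cover, payload_text.encode("utf-8"))
    fd, path = tempfile.mkstemp(suffix=".png")
    os.close(fd)
    try:
        write_png(path, width, height, stego)
        _, _, samples = read_png(path)
    finally:
        os.remove(path)
    return lsb_extract(samples)


if __name__ == "__main__":
    print(roundtrip("Write-Output (Get-Date)"))
```

The point for triage is that the cover PNG is byte-for-byte a valid image and the hidden stage only becomes visible after the loader's exact extraction order is replayed; hashing or scanning the PNG will not find it, so hunt for the loader (script.ps1 and the Invoke-Expression call) rather than the picture.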
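Several steps in this chain leave telemetry that is cheap to alert on before BlackSanta is ever loaded: powershell.exe spawned with a hidden window and execution-policy bypass, a script path on a drive letter other than the system drive (the mounted ISO), an OS DLL such as DWrite.dll loading from a temp directory beside the EXE that loads it, and writes to Windows Defender registry keys. The following is an added example for this page, not a detection shipped by Aryaka or any vendor. It assumes Sysmon-style event fields (Image, ParentImage, CommandLine, ImageLoaded, TargetObject), that the system drive is C:, that the parent is the standard cmd.exe binary, and uses constructed sample events.

```python
"""Heuristic triage of process / image-load / registry events for the
ISO -> cmd -> hidden PowerShell -> DLL side-load chain described above.

Constructed example for this page; field names follow Sysmon conventions
and the sample events below are invented, not real telemetry.
"""
import re

# PowerShell accepts abbreviated switches (-w, -win, -WindowStyle; -ep, -exec,
# -ExecutionPolicy), so match the prefix rather than the full parameter name.
HIDDEN_WINDOW = re.compile(r"(?:^|\s)[-/]w\w*\s+hidden\b", re.I)
EXEC_BYPASS = re.compile(r"(?:^|\s)[-/]e\w*\s+bypass\b", re.I)
SCRIPT_PATH = re.compile(r"([a-z]):\\\S*\.ps1", re.I)
USER_WRITABLE = re.compile(r"\\(?:Temp|Downloads|AppData)\\", re.I)

SIDELOAD_DLLS = {"dwrite.dll"}      # the DLL named on this page; extend locally
WINDOWS_DIR = "c:\\windows\\"        # assumption: default install location
SYSTEM_DRIVE = "c"                   # assumption: system drive letter


def score_event(ev):
    """Return a list of reason tags; empty means nothing suspicious."""
    reasons = []
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")

    # 1. Hidden-window PowerShell with execution policy bypassed.
    if image.endswith("\\powershell.exe") and HIDDEN_WINDOW.search(cmd) and EXEC_BYPASS.search(cmd):
        reasons.append("powershell_hidden_bypass")
        if parent.endswith("\\cmd.exe"):
            reasons.append("spawned_by_cmd")
        m = SCRIPT_PATH.search(cmd)
        if m and m.group(1).lower() != SYSTEM_DRIVE:
            reasons.append("script_on_non_system_drive")  # e.g. a mounted ISO

    # 2. An OS DLL loaded from outside the Windows directory (side-loading).
    loaded = ev.get("ImageLoaded", "")
    if loaded:
        low = loaded.lower()
        if low.rsplit("\\", 1)[-1] in SIDELOAD_DLLS and not low.startswith(WINDOWS_DIR):
            reasons.append("os_dll_loaded_outside_windows_dir")
            if USER_WRITABLE.search(loaded):
                reasons.append("dll_in_user_writable_path")
            if low.rsplit("\\", 1)[0] == image.rsplit("\\", 1)[0]:
                reasons.append("dll_beside_loading_exe")

    # 3. Tampering with Windows Defender policy keys.
    if "\\windows defender\\" in ev.get("TargetObject", "").lower():
        reasons.append("defender_registry_modified")

    return reasons


def triage(events):
    """Return (index, reasons) for every event that scored at least one reason."""
    return [(i, score_event(ev)) for i, ev in enumerate(events) if score_event(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -f D:\\script.ps1"},
    {"Image": "C:\\Users\\hr\\AppData\\Local\\Temp\\sumatra\\SumatraPDF.exe",
     "ImageLoaded": "C:\\Users\\hr\\AppData\\Local\\Temp\\sumatra\\DWrite.dll"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"Image": "C:\\Program Files\\Foo\\foo.exe",
     "ImageLoaded": "C:\\Windows\\System32\\DWrite.dll"},
    {"Image": "C:\\Users\\hr\\AppData\\Local\\Temp\\sumatra\\SumatraPDF.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware"},
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS):
        print(idx, why)
```

The admin-run backup script (event 2) and the normal System32 load of DWrite.dll (event 3) score nothing, which is the property to preserve when tuning: each rule alone is noisy, but the combination of hidden window plus bypass plus a non-system drive, or an OS DLL loading from a temp directory next to its EXE, is rare enough on a workstation fleet to page on.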
Source: SecurityWeek