EvilAI is back at it again! Nothing significant has hanged with the payload or the Node abuse, but the campaign has developed a new Advanced Installer MSI lure that unpacks and executes a WebView2 .Net application loader. This loader creates a temporary directory and downloads the Inno Installer that contains the Node payload and configuration files. Like previous campaigns, the Node payload is executed via Scheduled Task.
Read more...Huorong is a Beijing based security company that offers an Endpoint Security Management Systems suite for enterprise and government customers. In newly observed ClickFix attacks, the Huorong EDR product is abused as an entry point into compromised systems. The Huorong Configuration Manager is bundled into an Advanced Installer MSI and installed on victim devices, giving malicious actors complete control over the device. The installer is deployed through compromised domains serving ClickFix (FakeCAPTCHA) lures.
Read more...KongTuke is a threat actor that has recently increased their usage of ClickFix and ClickFix-styled attacks. They’ve begun to utilize a branching infection path based on the domain status of an infected device. If the device is domain joined, it will receive a different payload from non-domain joined devices. As Huntress notes, this is likely to identify and target Active Directory environments (also go read that write up, it’s way better than this!).
Read more...In another episode of ChatGPT-ass malware, we have this beautiful sample from a Social Security Administration phishing page taken from an incident on January 8th, 2026. If this is your phishing page, you should probably feel bad.
The phishing page itself is hosted on a XAMPP (Apache + MariaDB + PHP + Perl) stack on a Windows server using a free Cloudflare tunnel. Of course, they didn’t put any effort into configuring their server, so the default pages are easily accesible.
Read more...Slides from the Introduction to Malware Analysis workshop held on January 3rd, 2026. Samples are linked in the slides, but can also be acquired at Introduction to Malware Analysis Workshop Samples.
AceLauncher is a Potentially Unwanted Program (PUP) similar to Wave Browser, OneStart, and OneLaunch. It’s a Chromium based browser that creates several tasks, AppData directories, and registry keys to maintain persistence on a device. While not overtly malicious, users will likely want to remove the browser as it does redirect and serve potentially malicious content. This includes functions that link to ManualsLib domains and references to Wave Browser and Recipe Lister. The browser also uses Yahoo’s Hosted Search platform to serve sponsored content driving revenue to the AceLauncher organization.
Read more...I recently analyzed the following phishing email. It contains a Microsoft account harvester and has some interesting anti-analysis functions. I didn’t do a full dive on it, but there’s some interesting stuff here.
Examining the email in a text editor revealed that the headers had been manipulated.
The QR code image was extracted from the email via the Base64 encoded string object. This was put into CyberChef for rasterization and analysis.
Read more...A user received a phishing email that redirected the to hxxps[://]popthecard[.]pages[.]dev. This page claimed that a friend had sent an invitation, and that the user must download and open it on a windows laptop or desktop to view it. The page automatically downloaded the file VelvetPaperCo.exe (in similar incidents, invitation.exe).
The page itself is rather basic, with the following JavaScript code handling the download function. It simply sets a timeout and executes a function that reaches out to a public CloudFlare R2 bucket that hosts the malicious RMM installer.
Read more...With the rise of AI, Vibe-Coded malware is now an existing threat. Sort of? In the way that a wet noodle could potentially kill you in the right circumstances, Vibe-Coded malware could also pose a threat. It’s just very unlikely. At least, with the current iterations out there.
Enter what I’m calling “Baby’s first malware” AKA “Fisher-Price Malware”. A Vibe-Coded sample found on a users’ device. It’s an “obfuscated” PowerShell loader that pulls a payload that… takes screenshots and uploads them? Kind of? Technically, it works. Sometimes. In perfect conditions.
Read more...Slides from BSides TC 2025 talk.