All news with #fileless malware tag

Mon, September 29, 2025

XWorm Campaign Signals Rise in Fileless In-Memory Attacks

🔒 Forcepoint Labs describes a multi-stage phishing campaign that delivers the XWorm remote-access trojan via an Office .xlam attachment embedding an OLE native stream. Encrypted shellcode launches a .NET dropper that uses steganography and reflective DLL loading to unpack successive in-memory stages, minimizing on-disk artifacts. The attackers use API hashing, unhooked calls and layered encryption to evade sandboxes and traditional scanners; Forcepoint provides IoCs and detection recommendations.

Fri, September 26, 2025

SVG Phishing Targets Ukraine with Amatera Stealer, PureMiner

⚠️ FortiGuard Labs observed a targeted phishing campaign impersonating Ukrainian authorities that used malicious SVG attachments to initiate a fileless infection chain. The SVG redirected victims to a password-protected archive containing a CHM that executed a hidden HTA loader (CountLoader). The loader retrieved and ran in-memory payloads, deploying Amatera Stealer for data theft and PureMiner for cryptomining.

Thu, September 11, 2025

Fileless Malware Uses Legitimate Tools to Deploy AsyncRAT

🔍 Researchers uncovered a sophisticated fileless campaign that executes malicious code entirely in memory to deliver AsyncRAT. The attack began with a compromised ScreenConnect client and a VBScript that used WScript and PowerShell to download two payload blobs saved to C:\Users\Public\; these were never written to disk as executables but were loaded into memory via reflection. A .NET launcher (Obfuscator.dll) orchestrated persistence, disabled security logging and loaded the RAT, which exfiltrates credentials, browser artifacts and keystrokes.

Thu, September 11, 2025

Chinese APT Uses Fileless 'EggStreme' Against Military Firm

🔒 Bitdefender tracked a Chinese APT intrusion that used a novel, fileless framework dubbed EggStreme to compromise a Philippines-based military contractor. The multi-stage toolkit injects code directly into memory, leverages DLL sideloading and abuses legitimate Windows services for persistence, and delivers a gRPC-enabled backdoor, EggStremeAgent, with extensive reconnaissance and exfiltration capabilities. Bitdefender advises limiting use of high-risk binaries and deploying advanced detection and response to detect living-off-the-land operations and anomalous behavior.

Wed, September 10, 2025

Chinese APT Uses EggStreme Fileless Framework in Espionage

🛡️ Bitdefender attributed a campaign against a Philippines-based military contractor to a China-linked APT that deployed a previously undocumented fileless framework named EggStreme. The multi-stage operation begins with EggStremeFuel (mscorsvc.dll), which profiles systems, opens a C2 channel, stages loaders, and triggers in-memory execution of the core backdoor via DLL sideloading. EggStremeAgent functions as a central backdoor, injecting a session-specific keylogger (EggStremeKeylogger), communicating over gRPC, and exposing a 58-command toolkit for discovery, lateral movement, privilege escalation and data theft. An auxiliary implant, EggStremeWizard (xwizards.dll), provides reverse-shell access and resilient C2 options; Bitdefender warned that fileless execution and heavy DLL sideloading make detection and forensics difficult.