All news with #lolbins tag

🛡️ Bitdefender reports that Microsoft’s MSHTA (Microsoft HTML Application Host), a remnant from Internet Explorer, is actively abused as a living-off-the-land binary in ongoing malware campaigns. Attackers use it to execute obfuscated HTA content, launch PowerShell, and fetch loaders and stealers such as CountLoader, LummaStealer, Amatera and PurpleFox. Campaigns rely on fake downloads, cracked apps, SEO-poisoned pages and Discord phishing to trick victims into executing payloads. Because MSHTA is Microsoft-signed and preinstalled, it remains implicitly trusted and attractive to adversaries.

⚠️ Attackers increasingly bypass classic defenses by abusing trusted, built-in tools such as PowerShell, WMIC, and Certutil to move laterally, escalate privileges, and maintain persistence without dropping new malware. These Living Off The Land (LOTL) techniques mimic routine admin tasks and produce minimal alerts, creating stealthy blind spots for detection-focused teams. A data-driven Internal Attack Surface Assessment reveals unnecessary access, maps realistic attack paths, and prioritizes low-impact remediations so organizations can harden systems without disrupting workflows.

📄 Forcepoint X‑Labs researchers have uncovered a Phorpiex‑backed phishing campaign that weaponizes Windows shortcut (.lnk) files to deploy Global Group ransomware. Attackers send messages with the subject "Your Document" and attachments like "Document.doc.lnk", exploiting hidden file extensions and a Word‑style icon to trick recipients. The .lnk uses built‑in utilities (cms.exe and PowerShell) and heavily obfuscated commands to fetch and run a second‑stage payload, leveraging Living‑off‑the‑Land techniques so the ransomware executes locally without external C2 communication.

🔒 CrowdStrike highlights how attackers increasingly weaponize trusted software—RMM tools, built-in Windows utilities, and admin binaries—to evade detection and operate within networks. The Falcon platform layers behavioral IOAs, custom controls, and Exposure Management and now adds APEX, a machine-learning model that analyzes command-line syntax, parameters, process lineage, timing, and context to detect LOLbin abuse. APEX is generally available for Windows and aims to raise detection while reducing false positives.