<ciso brief/>
Tag Banner

All news with #obfuscation tag

all tags →

Tue, November 11, 2025

GootLoader Returns Using Custom Font to Conceal Payload

#GootLoader #Backdoor Found #Ransomware #WordPress #Obfuscation

🔍 Huntress observed the return of GootLoader infections beginning October 27, 2025, with two cases leading to hands-on keyboard intrusions and domain controller compromise within 17 hours. The loader now embeds a custom WOFF2 font using Z85 encoding to substitute glyphs and render obfuscated filenames readable only in the victim browser. Actors deliver XOR-encrypted ZIPs via compromised WordPress comment endpoints and SEO-poisoned search results, and the archive is crafted to appear as benign text to many automated analysis tools while extracting a JavaScript payload on Windows.

read more →

Fri, October 3, 2025

Rhadamanthys Stealer Adds Fingerprinting, PNG Steganography

#Steganography #Obfuscation #Information Stealer #Malware-as-a-Service #AI Security

🛡️ Check Point researchers report that the Rhadamanthys information stealer (v0.9.2) has been updated to collect extensive device and browser fingerprints and to deliver payloads via steganography embedded in WAV, JPEG and PNG files. The operator—initially known as kingcrete2022 and now marketing as RHAD security/Mythical Origin Labs—offers the malware as a tiered MaaS product with subscription plans and enterprise options. The sample includes sandbox-evasion checks, an embedded Lua runner for plugins, obfuscated configurations, and a PNG-based payload decryption step that requires a shared secret.

read more →

Thu, August 7, 2025

New DarkCloud Stealer Infection Chain Uses ConfuserEx

#ConfuserEx #Infostealer #Obfuscation #Phishing #PowerShell #VB6

🔒 Unit 42 observed a new DarkCloud Stealer infection chain in early April 2025 that employs ConfuserEx-based obfuscation and a final Visual Basic 6 payload. Phishing TAR/RAR/7Z archives deliver obfuscated JavaScript or WSF downloaders which retrieve a PowerShell stage from open directories and drop a ConfuserEx-protected executable. The loaders are heavily protected with javascript-obfuscator and the variant follows prior AutoIt-based deliveries. Palo Alto Networks notes that Advanced WildFire, Advanced URL Filtering, Advanced DNS Security, Cortex XDR and XSIAM can help detect and mitigate these stages and recommends contacting Unit 42 for incident response.

read more →