CISO Brief

All news with #process injection tag

2 articles

Multi-stage VOID#GEIST malware delivers multiple RATs

🔍 Securonix Threat Research has disclosed a multi-stage campaign named VOID#GEIST that uses obfuscated batch scripts to stage a portable Python runtime and deploy encrypted RAT payloads, including XWorm, AsyncRAT, and Xeno RAT. The chain retrieves ZIP archives from a TryCloudflare domain, extracts a Python loader (runn.py) and encrypted shellcode blobs, then decrypts and injects each blob into its own explorer.exe process using Early Bird APC injection (the target is created suspended and the shellcode is queued as an APC on its main thread, so it runs before the process's own entry point and before most user-mode hooks are in place). The initial stage displays a decoy PDF while a hidden PowerShell instance relaunches the batch script, and persistence is established at the user level through an auxiliary script in the Startup folder, which keeps the forensic footprint small.
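Two of the observable artifacts in the chain above are worth turning into detection logic: Early Bird APC injection needs a freshly created (suspended) target, so the injector appears as the parent of explorer.exe in process-creation telemetry, and user-level persistence shows up as a script written into the per-user Startup folder. The following is an added example, not code from Securonix or from the campaign, that runs both checks over constructed Sysmon-style events and correlates them by the acting process. The event field names, the loader path, the script name and the allowlist of expected explorer.exe parents are all assumptions for this example.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Constructed Sysmon-like event; field names are this example's own."""
    event_id: int              # 1 = process creation, 11 = file creation
    image: str                 # process that generated the event
    parent_image: str = ""     # event 1 only
    target_filename: str = ""  # event 11 only


# explorer.exe is normally started by userinit.exe at logon or by an existing
# explorer.exe (separate-process folder windows). Anything else deserves a look.
# Assumed allowlist; tune it to the environment before deploying.
EXPECTED_EXPLORER_PARENTS = {
    r"c:\windows\system32\userinit.exe",
    r"c:\windows\explorer.exe",
}

# Per-user Startup folder: writable without admin rights, hence a common
# choice for user-level persistence.
STARTUP_DIR_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(bat|cmd|vbs|js|ps1)$", re.I)


def unexpected_explorer_spawn(ev):
    """Early Bird APC needs a freshly created, suspended target, so the injector
    itself shows up as explorer.exe's parent in the process-create event."""
    if ev.event_id != 1 or not ev.image.lower().endswith(r"\explorer.exe"):
        return False
    return ev.parent_image.lower() not in EXPECTED_EXPLORER_PARENTS


def startup_script_drop(ev):
    """A script file written into the per-user Startup folder."""
    if ev.event_id != 11:
        return False
    name = ev.target_filename
    return bool(STARTUP_DIR_RE.search(name)) and bool(SCRIPT_EXT_RE.search(name))


def detect(events):
    """Return (rule, actor_image, detail) tuples for every matching event."""
    alerts = []
    for ev in events:
        if unexpected_explorer_spawn(ev):
            alerts.append(("explorer_spawn", ev.parent_image.lower(), ev.image))
        if startup_script_drop(ev):
            alerts.append(("startup_drop", ev.image.lower(), ev.target_filename))
    return alerts


def correlate(events):
    """Actors that both spawned explorer.exe and dropped a Startup script:
    both halves of the chain together, worth escalating over either alone."""
    by_actor = {}
    for rule, actor, _ in detect(events):
        by_actor.setdefault(actor, set()).add(rule)
    return {a for a, rules in by_actor.items()
            if {"explorer_spawn", "startup_drop"} <= rules}


# Constructed sample telemetry, not taken from the Securonix report.
LOADER = r"C:\Users\alice\AppData\Local\Temp\py\python.exe"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    # logon-time explorer.exe, benign
    Event(1, r"C:\Windows\explorer.exe", parent_image=r"C:\Windows\System32\userinit.exe"),
    # first injection target
    Event(1, r"C:\Windows\explorer.exe", parent_image=LOADER),
    # second RAT gets its own explorer.exe
    Event(1, r"C:\Windows\explorer.exe", parent_image=LOADER),
    # user-level persistence
    Event(11, LOADER, target_filename=STARTUP + r"\update.bat"),
    # installer shortcut in Startup, not flagged (.lnk is routine there)
    Event(11, r"C:\Program Files\Vendor\setup.exe",
          target_filename=STARTUP + r"\Vendor Tray.lnk"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print("chained actors:", correlate(SAMPLE_EVENTS))
```

The parent check is deliberately an allowlist rather than a blocklist of interpreters: a loader can run under any name, but explorer.exe has very few legitimate parents. The Startup check ignores .lnk files because installers routinely place shortcuts there; a .bat or .vbs dropped by a process running from a user-writable path is the case the campaign above describes.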

From Infostealer to PureRAT: Dissecting an Escalating Attack

🔍 Huntress Labs analyzed a multi-stage intrusion that began with a phishing ZIP and DLL sideloading and escalated to deployment of the commercial PureRAT backdoor. The operator combined bespoke Python loaders and a Python-based infostealer with compiled .NET loaders, process hollowing, AMSI/ETW tampering, and reflective DLL injection to evade detection. The final-stage configuration revealed a Vietnam-hosted C2 (157.66.26.209) and Telegram infrastructure linked to PXA Stealer, underscoring a shift from custom credential theft to a commercially sold RAT.