< ciso
brief />
Tag Banner

All news with #process injection tag

4 articles

Dual‑RAT phishing targets India tax filers this season

🛡️ Researchers at Cyderes uncovered a phishing campaign impersonating the Indian Tax Department that delivers two remote access trojans via a multi-stage infection chain. Victims receive fake tax assessment emails that prompt them to download a seemingly legitimate ITR utility, which abuses signed Windows binaries to sideload malicious DLLs and perform in-memory execution and process injection. The campaign deploys a Gh0st RAT derivative and a .NET implant related to the QuasarRAT/AsyncRAT family, each communicating with separate C2 servers, providing redundant access even if one implant is blocked.
read more →

Fortinet Achieves AV-Comparatives Process Injection Win

🛡️ Fortinet announces that FortiEDR achieved AV-Comparatives 2026 Shellcode Execution/Process Injection certification by successfully preventing or detecting all 15 tested in-memory attack techniques. The evaluation focused on evasive shellcode execution and process injection methods mapped to MITRE ATT&CK T1055. Fortinet also confirmed these EDR capabilities are delivered through FortiEndpoint, and passed false-positive validation to avoid disrupting legitimate applications.
read more →

Multi-stage VOID#GEIST malware delivers multiple RATs

🔍 Securonix Threat Research has disclosed a multi-stage campaign named VOID#GEIST that leverages obfuscated batch scripts to stage a portable Python runtime and deploy encrypted RAT payloads including XWorm, AsyncRAT, and Xeno RAT. The chain retrieves ZIP archives from a TryCloudflare domain, extracts a Python loader (runn.py) and encrypted shellcode blobs, then decrypts and injects them directly into separate explorer.exe processes using Early Bird APC injection. The initial stage displays a decoy PDF while a hidden PowerShell relaunches the batch, and persistence is established at the user level via an auxiliary script placed in the Startup folder to minimize forensic artifacts.
read more →

From Infostealer to PureRAT: Dissecting an Escalating Attack

🔍 Huntress Labs analyzed a multi-stage intrusion that began with a phishing ZIP and DLL sideloading and escalated to deployment of the commercial PureRAT backdoor. The operator combined bespoke Python loaders and a Python-based infostealer with compiled .NET loaders, process hollowing, AMSI/ETW tampering, and reflective DLL injection to evade detection. Final-stage configuration revealed a Vietnam-hosted C2 (157.66.26.209) and Telegram infrastructure linked to PXA Stealer, underscoring a shift from custom theft to a professional RAT.
read more →