In recent weeks, security teams worldwide have observed a surge in covert operations orchestrated by a clandestine group known colloquially as the “Chinese Nexus” APT.

This actor has been tailoring highly targeted campaigns against organizations in the finance, telecommunication, and manufacturing sectors, exploiting spear-phishing emails and compromised VPN credentials to gain initial footholds.

Victims report receiving seemingly innocuous industry whitepapers with weaponized macros that, once enabled, unleash a payload designed to deliver the NET-STAR malware suite.

Early telemetry indicates that these lures have achieved a success rate of approximately 30 percent against high-value targets.

Following intrusion, the attackers employ living-off-the-land techniques, invoking Windows PowerShell to execute obfuscated scripts directly in memory.

Palo Alto Networks researchers identified that the initial PowerShell stager decodes a Base64 string, reconstructs a .NET binary, and then dynamically injects it into a legitimate process such as explorer.exe or svchost.exe to evade detection.

This process unfolds within seconds of macro activation, leaving scant forensic artifacts on disk. The stealthy nature of the loader has complicated triage efforts, allowing the adversary to proceed to reconnaissance and lateral movement undetected.

Once deployed, NET-STAR exhibits a modular design composed of three primary components: the loader, the backdoor, and the command-and-control (C2) communication module.

The loader’s primary responsibility is to decrypt and load the backdoor payload into memory. The backdoor itself provides a robust set of remote administration capabilities, including file transfer, process manipulation, and registry modification.

Finally, the C2 module establishes an encrypted HTTPS tunnel to a rotating list of compromised web servers.

Analysts observed that each communication session employs a custom framing protocol with 256-bit AES encryption, thwarting standard network-based intrusion detection systems.

In its initial wave of infections, NET-STAR has been linked to exfiltration of proprietary data, ranging from financial records to intellectual property.

Impact assessments indicate that the adversary’s goal extends beyond espionage, aiming to position implants for future sabotage or secondary payload deployment.

Incident responders have noted indicators of credential harvesting via in-memory Mimikatz execution, followed by lateral movement through SMB and RDP channels.

Affected organizations have reported operational disruption and data loss, underscoring the criticality of rapid detection and containment measures.

Infection Mechanism

A deep dive into NET-STAR’s infection mechanism reveals a sophisticated multi-stage process that begins with a malicious Word document. The embedded VBA macro (see Figure 1: “macro_decoder.png”) contains the following snippet:

$enc = "U3lzdGVtLkNvbnZlcnQuQ29tcHJlc3Npb24="  
$bytes = [Convert]::FromBase64String($enc)  
$asm = [Reflection.Assembly]::Load($bytes)  
$method = $asm.GetType("Loader.Main").GetMethod("Execute")  
$method.Invoke($null,$null)

This code decodes a Base64-encoded .NET assembly and invokes its entry point entirely in memory, leaving no executable on disk.

Palo Alto Networks analysts noted that the loader further employs Control Flow Flattening, obfuscating the assembly’s intermediate language to resist decompilation and prevent signature-based detection mechanisms.

Once loaded into a trusted process, the backdoor receives a second stage payload via HTTPS from the C2, completing the infection and solidifying persistence.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Chinese Nexus APT Hackers Attacking Organizations to Deliver NET-STAR Malware Suite appeared first on Cyber Security News.

A sophisticated phishing campaign has emerged targeting job seekers through fake Google career recruitment opportunities, leveraging social engineering tactics to harvest Gmail credentials and personal information.

The malicious operation exploits the trust associated with Google’s brand reputation, crafting convincing recruitment emails that direct victims to fraudulent login portals designed to capture authentication details.

The attack vector primarily relies on email-based social engineering, where cybercriminals impersonate Google HR representatives offering lucrative career opportunities.

These deceptive messages contain carefully crafted job descriptions and application processes that appear legitimate, complete with official-looking branding and professional communication styles that mirror genuine Google recruitment correspondence.

Cyber researcher g0njxa identified this campaign while investigating broader patterns of credential theft operations targeting major technology companies.

The researcher’s analysis revealed that the threat actors employ multiple attack variations, adapting their techniques to evade detection while maintaining high success rates against unsuspecting victims.

Certificate Abuse and Evasion Techniques

The malware campaign demonstrates sophisticated evasion capabilities through the abuse of Extended Validation certificates across multiple platforms.

Threat actors have obtained legitimate Apple Developer ID certificates under names such as “THOMAS BOULAY DUVAL” and “Alina Balaban,” enabling their malicious applications to bypass initial security screening mechanisms.

The signed DMG files appear completely undetected on VirusTotal, achieving full undetected status across security vendors.

Analysis of the malicious launchers reveals deliberate attempts to legitimize applications by incorporating signer names into identifier strings, following patterns like “thomas.parfums” corresponding to “Thomas Boulay Duval.”

The Mach-O binaries contain embedded references that connect to remote AppleScript payloads, utilizing the Odyssey Stealer framework for credential harvesting operations.

The campaign’s infrastructure includes compromised domains such as franceparfumes[.]org hosting malicious scripts, with command and control servers operating from IP address 185.93.89.62.

These certificates represent significant financial investments for cybercriminals, as Apple’s developer certification process involves substantial time and monetary costs, making their eventual revocation impactful to ongoing malware operations.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Posing as Google Careers Recruiter to Steal Gmail Login Details appeared first on Cyber Security News.