Social engineering methods are being put to the test to distribute malware.

During the past several months there have been numerous malware campaigns that use a technique something referred to as “ClickFix”. It often consists of a fake CAPTCHA or similar traffic validation page where visitors are instructed to paste and execute code in order to proceed.

We have started to see ClickFix attacks more and more via malicious Google ads as well. This is in contrast to typical phishing pages where victims download a so-called installer that contains malware.

In a recent malvertising campaign targeting the Notion brand, we observed these two techniques used at play. It’s quite possible the threat actors were collecting metrics to determine which one of the two gave them the most conversions via malware installs.

This blog post details this campaign that ultimately delivered the DarkGate malware loader.

**Overview**

**Web traffic view**

**Delivery #1: PowerShell code via “ClickFix”****Malicious ad and social engineering**

Threat actors created a Google ad for the popular utility application Notion. The first time we clicked on the ad, we were redirected to a site showing a “Verify you are human” page, also known as Cloudflare Turnstile. Except this was not the real Cloudflare, and merely a social engineering trick.

The HTML source code was obfuscated to only show gibberish interlaced with Russian comments, which we later determined was Rot13, a letter substitution cipher. This was likely used to hide the offending code from prying eyes and network rules:

After checking the box to verify we are human, we see new instructions, “Verification steps”, that involve pressing a number of key combinations. _Windows + R_ launches the run dialog while _Ctrl + V_ will paste whatever is in the clipboard. Supposedly this code is part of the verification process, but instead when pressing Enter, the victim will run a malicious command:

**PowerShell and payload**

The code copied into the clipboard is actually a command line that runs PowerShell:

The Base64 encoded string retrieves the following code from _hxxps\[:\]//s2notion\[.\]com/in.php?action=1_:

This downloads a binary from _hxxps\[:\]//s2notion\[.\]com/in.php?action=2_. and runs its. That file contains an AutoIt script that launches from:

"c:\\temp\\test\\Autoit3.exe" c:\\temp\\test\\script.a3x

The following DarkGate configuration was extracted from it:

{'DarkGate': {'C2': \[\['155.138.149.77'\]\], 'unknown\_8': \['No'\], 'name': \['DarkGate'\], 'unknown\_12': \['R0ijS0qCVITtS0e6xeZ'\], 'unknown\_13': \['6'\], 'unknown\_14': \['Yes'\], 'port': \['80'\], 'startup\_persistence': \['Yes'\], 'unknown\_32': \['No'\], 'check\_display': \['Yes'\], 'check\_disk': \['No'\], 'min\_disk\_size': \['100'\], 'check\_ram': \['No'\], 'min\_ram\_size': \['4096'\], 'check\_xeon': \['No'\], 'unknown\_21': \['No'\], 'unknown\_23': \['Yes'\], 'unknown\_31': \['No'\], 'unknown\_24': \['N-traff'\], 'campaign\_id': \['user1'\], 'unknown\_26': \['No'\], 'xor\_key': \['sDcGdADE'\], 'unknown\_28': \['No'\], 'unknown\_29': \['2'\], 'unknown\_35': \['No'\], 'tabla': \['a2THNyA\]7u6Kiv$8k.F\*ZrO"do1wL9P0 3}eCGDY{XVzctg,&EhJfsx=n)mpQUqljIW5SRMb4B(\['\]}}

**Delivery #2: signed executable****Malicious ad and decoy site**

We saw this scenario after revisiting the malicious ad for a second time. Notice how the URL path is now including “/download/”.

This is the more traditional approach to malvertising for software downloads that we’ve seen for a while now. Victims download an executable after being tricked with a lookalike site. The file was found hosted on Github under the user profile _herawtisabela1992_:

This fake Notion installer was digitally signed (now revoked) by KDL CENTRAL LIMITED. Similar to the other binary mentioned in the first delivery technique, this one also extracts an AutoIt payload, with the same DarkGate configuration.

It’s interesting to note that the same GitHub user account previously distributed a backdoor called Warmcookie (aka Badspace) from:

raw\[.\]\]githubusercontent\[.\]com/herawtisabela1992/check/refs/heads/main/920836164\_x64.exe

**Conclusion**

We were not surprised to see the ClickFix social engineering attack here, but what made this campaign interesting what that it alternated between ClickFix and the typical file download.

It’s quite likely someone is tracking stats and comparing numbers to see which of the two delivery methods yields the most successful installs. If we had to put our money on it, we would bet that ClickFix is ahead. The file download technique remains effective, especially if the payload is digitally signed, but it could be relegated to second place in the near future.

Malwarebytes detects both payloads as Trojan.Dropper and Backdoor.DarkGate.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Malvertising infrastructure

notionbox\[.\]org  
s2notion\[.\]com

Payloads

6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea  
4fe8bbc88d7a8cc0eec24bd74951f1f00b5127e3899ae53de8dabd6ff417e6db

 ClickFix vs. traditional download in new DarkGate campaign 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued alerts about the presence of hidden functionality in Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors.
The vulnerability, tracked as CVE-2025-0626, carries a CVSS v4 score of 7.7 on a scale of 10.0. The flaw, alongside two other issues, was reported to CISA

CISA and FDA Warn of Critical Backdoor in Contec CMS8000 Patient Monitors

UAC-0063: A Russian-linked threat actor targeting Central Asia and Europe with sophisticated cyberespionage campaigns, including weaponized documents, data…

UAC-0063: A Russian-linked threat actor targeting Central Asia and Europe with sophisticated cyberespionage campaigns, including weaponized documents, data exfiltration, and advanced malware.

Bitdefender has shared its latest research with Hackread.com ahead of its release, revealing an active espionage campaign by Russia APT28-linked threat actor UAC-0063. According to Bitdefender’s investigation, the actor is specifically targeting high-value entities in Central Asia and European countries like Germany, the UK, Romania, and the Netherlands in a multi-stage attack process involving various malware components and techniques.

UAC-0063 has been active since at least 2021 and has targeted a variety of organizations, including government entities, diplomatic missions, and private companies. In this campaign, the actor employs malicious Microsoft Word documents, a HATVIBE malware loader, and custom-built malware to infiltrate networks. Their operations are characterized by persistence, focusing on maintaining long-term access to compromised systems.

The attack starts with compromised Microsoft Word documents containing malicious macros that, when enabled by the user, deliver the initial malware payload (HATVIBE loader). HATVIBE is an HTA (HTML Application) script that downloads and executes further malicious code from the attacker’s command-and-control (C2) server.

A blurred malicious MS Word document used in the attack prompts users to enable macros to reveal its contents. However, once enabled, it also allows attackers to deploy a malicious payload. (Via Bitdefender)

DownExPyer is used extensively throughout the UAC-0063 attack chain. It is deployed after the initial infection stage, likely by the HATVIBE loader or other malware components. This Python-based malware establishes persistent communication with the C2 server, receives commands, and executes malicious actions on the infected system. 

PyPlunderPlug is a separate script designed to collect files from removable drives connected to the infected system. It focuses on specific file types and copies them to a staging location for potential exfiltration.

The attackers also deploy keyloggers to capture keystrokes entered by the victim, potentially revealing sensitive information like passwords and login credentials. The stolen data is then compressed into smaller archives to facilitate exfiltration and evade detection.

Researchers noted that the actor leverages previously compromised victims to spread the infection. This means the weaponised documents exfiltrated from one victim are used to attack other targets. Moreover, they create scheduled tasks to ensure the persistence of their malware on the compromised system. These tasks automatically execute the malicious code at regular intervals.

Researchers hinted at the involvement of the Russian government in this campaign.

UAC-0063’s arsenal “featuring sophisticated implants like DownExPyer and PyPlunderPlug, combined with well-crafted TTPs, demonstrates a clear focus on espionage and intelligence gathering. The targeting of government entities within specific regions aligns with _potential Russian strategic interests_,” Bitdefender researchers wrote in the blog post.

To mitigate the risks posed by UAC-0063, organizations should enhance their threat intelligence by continuously monitoring feeds from reputable sources, tracking C2 domains and implementing DNS-based blocking mechanisms to prevent network traffic from reaching these malicious domains. Implementing application whitelisting policies and deploying Intrusion Detection and Prevention Systems (IDPS) are crucial for strengthening endpoint and network security. 

1.  **Ukrainian Hackers Breach Email of APT28 Leader**
2.  **Russian Hackers Exploit Firefox 0-Days to Deploy Backdoor**
3.  **Russian Hackers Hit Mail Servers in Europe for Military Intel**
4.  **Russian APT28 Exploiting Windows Flaw with GooseEgg Tool**
5.  **Russian Hackers Shift Tactics, Target Victims with Paid Malware**

Russian UAC-0063 Targets Europe and Central Asia with Advanced Malware

The threat actor is using a sophisticated network of VPNs and proxies to centrally manage command-and-control servers from Pyongyang.

Source: DC Studio via Shutterstock

An ongoing investigation into recent attacks by North Korea's Lazarus group on cryptocurrency entities and software developers worldwide has uncovered a hidden administrative layer that the threat actor has been using to centrally manage the campaign's command-and-control (C2) infrastructure.

The investigation by researchers at SecurityScorecard showed Lazarus using the newly discovered infrastructure to maintain direct oversight over compromised systems, control payload delivery on them, and efficiently manage exfiltrated data. Significantly, the threat actor is using the same Web-based admin platform in other campaigns, including one involving the impersonation of IT workers, the security vendor found.

**Elaborate Operational Security**

Though the threat actor has implemented elaborate operational security measures to try and evade attribution, SecurityScorecard said it was able to tie the campaign and infrastructure to North Korea with a high degree of confidence.

"\[The\] analysis makes it evident that Lazarus was orchestrating a global operation targeting the cryptocurrency industry and developers worldwide," SecurityScorecard said in a report this week. "The campaigns resulted in hundreds of victims downloading and executing the payloads, while, in the background, the exfiltrated data was being siphoned back to Pyongyang."

SecurityScorecard discovered "Phantom Circuit," the name by which it is tracking Lazarus group's newly discovered admin layer, while conducting followup investigations involving "Operation 99," a malicious campaign that it recently uncovered targeting the cryptocurrency industry and developers globally. In the campaign, members of the threat group have been posing as recruiters on LinkedIn and other online job forums to get software developers to engage in spurious project tests and code reviews.

Victims who fall for the scam are directed to clone a seemingly benign but harmful open source GitHub repository. The cloned repository connects to Lazarus group's C2 infrastructure, which the threat actor has then been using to sneak data-stealing malware into the victim's environment. As part of the campaign, Lazarus group actors have been inserting obfuscated backdoors into legitimate software products — including authentication apps and cryptocurrency software — and trying to trick developers into running them in their environments. SecurityScorecard estimates that more than 230 victims have downloaded the malicious payloads in the North Korean threat actor's latest campaign.

**Dual Motivations**

"The motivation is twofold: cryptocurrency theft and infiltration of corporate networks," Ryan Sherstobitoff, senior vice president of threat intelligence at SecurityScorecard says. More often than not, developers who fall victim to Lazarus group lures end up executing the cloned code on their corporate devices and in their work environments. "The payloads are designed to exfiltrate development secrets," he says.

SecurityScorecard uncovered the Phantom Circuit admin layer when trying to understand how Lazarus actors were managing the information they stole via Operation 99. What the company discovered was Lazarus members using what it described as a sophisticated network of Astrill VPNs and proxies to access Operation 99's C2 infrastructure in a highly concealed manner. Astrill, which has VPN servers in 142 cities and 56 countries, has a reputation for allowing users to browse the Web anonymously and bypass Internet restrictions in countries with heavy censorship.

SecurityScorecard researchers found Lazarus members using Astrill VPNs to connect to an intermediate proxy network registered with a freight company in Hasan, Russia. They then used the proxy network to connect to Operation 99's C2 infrastructure in an elaborate attempt to try and hide their tracks. The C2 servers themselves were hosted on infrastructure registered with a most likely fictional "Stark Industries, LLC."

"\[SecurityScorecard\] assesses with high confidence that the IPs used to connect to the C2s were merely a relay/proxy and used to obfuscate the true origin," the company wrote in its report this week. "The adversary was establishing a secondary session after connecting to the VPN with the proxy, thus obscuring the true origin of where they actually connected from." SecureScorecard said it was able to identify a total of six distinct IP addresses in Pyongyang that the threat actor used to initiate the Astrill VPN connections to Operation 99's C2 network.

"Phantom Circuit \[is the\] operational network behind the scenes that leads directly back to Pyongyang," Sherstobitoff says. It is also the same proxy network, he adds, that Lazarus used in another campaign where members used stolen identities to impersonate IT workers to try and secure jobs at organizations they wanted to infiltrate.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Researchers Uncover Lazarus Group Admin Layer for C2 Servers

China-based DeepSeek has exploded in popularity, drawing greater scrutiny. Case in point: Security researchers found more than 1 million records, including user data and API keys, in an open database.

The Chinese generative artificial intelligence platform DeepSeek has had a meteoric rise this week, stoking rivalries and generating market pressure for United States–based AI companies, which in turn has invited scrutiny of the service. Amid the hype, researchers from the cloud security firm Wiz published findings on Wednesday that show that DeepSeek left one of its critical databases exposed on the internet, leaking system logs, user prompt submissions, and even users’ API authentication tokens—totaling more than 1 million records—to anyone who came across the database.

DeepSeek is a relatively new company and has been virtually unreachable to press and other organizations this week. In turn, the company did not immediately respond to WIRED’s request for comment about the exposure. The Wiz researchers say that they themselves were unsure about how to disclose their findings to the company and simply sent information about the discovery on Wednesday to every DeepSeek email address and LinkedIn profile they could find or guess. The researchers have yet to receive a reply, but within a half hour of their mass contact attempt, the database they found was locked down and became inaccessible to unauthorized users. It is unclear whether any malicious actors or authorized parties accessed or downloaded any of the data.

“The fact that mistakes happen is correct, but this is a dramatic mistake, because the effort level is very low and the access level that we got is very high,” Ami Luttwak, the CTO of Wiz tells WIRED. “I would say that it means that the service is not mature to be used with any sensitive data at all.”

Exposed databases that are accessible to anyone on the open internet are a long-standing problem that institutions and cloud providers have slowly worked to address. But the Wiz researchers note that the DeepSeek database they found was visible almost immediately with minimal scanning or probing.

“Usually when we find this kind of exposure, it’s in some neglected service that takes us hours to find—hours of scanning,” says Nir Ohfeld, the head of vulnerability research at Wiz. But this time, “here it was at the front door.” Ohfeld adds that the “technical difficulty of this vulnerability is the bare minimum.”

The researchers say that the trove they found appears to have been a type of open source database typically used for server analytics called a ClickHouse database. And the exposed information supported this, given that there were log files that contained the routes or paths users had taken through DeepSeek’s systems, the users’ prompts and other interactions with the service, and the API keys they had used to authenticate. The prompts the researchers saw were all in Chinese, but they note that it is possible the database also contained prompts in other languages. The researchers say they did the absolute minimum assessment needed to confirm their findings without unnecessarily compromising user privacy, but they speculate that it may even have been possible for a malicious actor to use such deep access to the database to move laterally into other DeepSeek systems and execute code in other parts of the company’s infrastructure.

“It's pretty shocking to build an AI model and leave the backdoor wide open from a security perspective,” says independent security researcher Jeremiah Fowler, who was not involved in the Wiz research but specializes in discovering exposed databases. “This type of operational data and the ability for anyone with an internet connection to access it and then manipulate it is a major risk to the organization and users.”

DeepSeek’s systems are seemingly designed to be very similar to OpenAI’s, the researchers told WIRED on Wednesday, perhaps to make it easier for new customers to transition to using DeepSeek without difficulty. The entire DeepSeek infrastructure appears to mimic OpenAI’s, they say, down to details like the format of the API keys.

The Wiz researchers say they don’t know if anyone else found the exposed database before they did, but it wouldn’t be surprising, given how simple it was to discover. Fowler, the independent researcher, also notes that the vulnerable database would have “definitely” been found quickly—if it wasn’t already—whether by other researchers or bad actors.

“I think this is a wake-up call for the wave of AI products and services we will see in the near future and how seriously they take cybersecurity,” he says.

DeepSeek has made a global impact over the past week, with millions of people flocking to the service and pushing it to the top of Apple’s and Google’s app stores. The resulting shock waves have wiped billions from the stock prices of US-based AI companies and spooked executives at firms across the country. On Wednesday, sources at OpenAI told the Financial Times that it was looking into DeepSeek’s alleged use of ChatGPT outputs to train its models.

At the same time, DeepSeek has increasingly drawn the attention of lawmakers and regulators around the world, who have started to ask questions about the company’s privacy policies, the impact of its censorship, and whether its Chinese ownership provides national security concerns.

Italy’s data protection regulator sent DeepSeek a series of questions asking about where it obtained its training data, if people’s personal information was included in this, and the firm’s legal grounding for using this information. As WIRED Italy reported, the DeepSeek app appeared to be unavailable to download within the country following the questions being sent.

DeepSeek’s Chinese connections also appear to be raising security concerns. At the end of last week, according to CNBC reporting, the US Navy issued an alert to its personnel warning them not to use DeepSeek’s services “in any capacity.” The email said Navy members of staff should not download, install, or use the model, and raised concerns of “potential security and ethical” issues.

However, despite the hype, the exposed data shows that almost all technologies relying on cloud-hosted databases can be vulnerable through simple security lapses. “AI is the new frontier in everything related to technology and cybersecurity,” Wiz’s Ohfeld says, “and still we see the same old vulnerabilities like databases left open on the internet.”

Exposed DeepSeek Database Revealed Chat Prompts and Internal Data

Advanced phishing campaign targets Poland and Germany, delivering Agent Tesla, Snake Keylogger and newly identified TorNet backdoor via…

Advanced phishing campaign targets Poland and Germany, delivering Agent Tesla, Snake Keylogger and newly identified TorNet backdoor via .tgz attachments. All by leveraging PureCrypter and TOR network for stealthy C2.

A malicious campaign, discovered by Cisco Talos in July 2024, targeted users primarily in Poland and Germany through phishing emails containing malicious attachments disguised as.tgz files. These emails impersonate financial institutions and businesses, often with themes like money transfer confirmations or order receipts. They are primarily written in Polish and German and contain compressed.tgz files.

According to Cisco Talos’ research, shared with Hackread.com ahead of its publishing on Tuesday 28, the actor has deployed other payloads as well, including “Agent Tesla, Snake Keylogger and a new undocumented backdoor, which researchers dubbed TorNet. 

Phishing email in Polish and German language (Via: Cisco Talos)

When a user extracts an attachment from a file, a.NET executable file appears, which downloads the next stage of the attack, the PureCrypter malware, from a remote server or within the loader itself (decrypted using the AES algorithm and loaded into the targeted device’s memory). 

The PureCrypter malware is a Windows dynamic-link library obfuscated with Eziriz’s.NET Reactor obfuscator. It contains encrypted binaries of legitimate DLLs, including Protobuf-net and Microsoft task scheduler DLL, and the TorNet backdoor.

PureCrypter employs various evasion techniques, including disconnecting the victim’s machine from the network before dropping payloads, checking for a virtual machine, sandbox environment, or debugger status, and modifying Windows Defender settings. It ensures persistence by creating a scheduled task that runs every few minutes, even on low battery, and adding entries to the Windows registry to ensure the loader runs on startup. 

Moreover, it drops the TorNet backdoor, which is a relatively new .NET backdoor used in this attack to connect to a C2 server over the TOR network for stealthy communication. It anonymizes the communication with the C2 server, making detection harder. After establishing a connection, it sends identifying information and allows attackers to carry out remote code execution by sending arbitrary.NET assemblies to the C2 server, hence, expanding the attack surface substantially.

Attack flow (Via Cisco Talos)

The campaign uses advanced techniques like network disconnections, Tor network exploitation, and multi-stage payloads. The use of the Tor network further hinders tracking/disruption. This campaign highlights the need for continuous caution and network monitoring to address attackers’ growing threat tactics.

1.  **New WarmCookie Malware in Espionage Campaign**
2.  **23% of Tor browser relays found to be stealing Bitcoin**
3.  **Kronos Variant banking trojan spotted using Tor network**
4.  **Fake Tor Browser Installer Spreading Malware Via YouTube**
5.  **BlackByte Ransomware Exploits VMware Flaw in VPN Attacks**

New TorNet Backdoor Exploits TOR Network in Advanced Phishing Attack

A financially motivated threat actor has been linked to an ongoing phishing email campaign that has been ongoing since at least July 2024 specifically targeting users in Poland and Germany.
The attacks have led to the deployment of various payloads, such as Agent Tesla, Snake Keylogger, and a previously undocumented backdoor dubbed TorNet that's delivered by means of PureCrypter. TorNet is so

PureCrypter Deploys Agent Tesla and New TorNet Backdoor in Ongoing Cyberattacks

Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor targeting users, predominantly in Poland and Germany.

Tuesday, January 28, 2025 06:00

*   Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor since as early as July 2024 targeting users, predominantly in Poland and Germany, based on the phishing email language. 
*   The actor has delivered different payloads, including Agent Tesla, Snake Keylogger, and a new undocumented backdoor we are calling TorNet, dropped by PureCrypter malware.  
*   The actor is running a Windows scheduled task on victim machines—including on endpoints with a low battery—to achieve persistence.  
*   The actor also disconnects the victim machine from the network before dropping the payload and then connects it back to the network, allowing them to evade detection by cloud antimalware solutions.  
*   We also found that the actor connects the victim’s machine to the TOR network using the TorNet backdoor for stealthy command and control (C2) communications and detection evasion. 

**The campaign **

The intrusions start with a phishing email as the initial infection vector. The actor is impersonating financial institutions and manufacturing and logistics companies by sending fake money transfer confirmations and fake order receipts, respectively. The phishing emails are predominantly written in Polish and German, indicating actor’s intent to primarily target users in those countries. We also found some phishing email samples from the same campaign written in English. We assess with medium confidence that the actor is financially motivated, based on the phishing email themes and the filenames of the email attachments.  

The phishing email has attachments with the file extension “.tgz”, indicating that the actor has used GZIP to compress the TAR archive of the malicious attachment file to disguise the actual malicious content of the attachment and evade email detections. 

Sample phishing email in Polish. 

Sample phishing email in German. 

When a user opens the compressed email attachment and manually unzips it and runs a .NET loader executable, it eventually downloads encrypted PureCrypter malware from a compromised staging server. The Loader decrypts the PureCrypter malware and runs it in the system memory.  

In a few intrusions in this campaign, we found that the PureCrypter malware drops and runs the TorNet backdoor. The TorNet backdoor establishes connection to the C2 server and also connects the victim machine to the TOR network. It has the capabilities to receive and run arbitrary .NET assemblies in the victim machine’s memory, downloaded from the C2 server, increasing the attack surface for further intrusions. 

**.NET loader implants PureCrypter **

Talos found that the compressed attachment files contain a large .NET executable file. The actor has instrumented the .NET executable to either download the next-stage malicious executables from a remote staging server or to reflectively load an embedded malicious binary.  

Some of the loader samples we analyzed in this campaign download the AES-encrypted binary of the PureCrypter malware hosted on compromised websites in paths “/filescontentgalleries/pictorialcoversoffiles/” and “/post-postlogin/” using a hardcoded URL. The encrypted PureCrypter binaries were stored with the arbitrary filenames using different file extensions, including .pdf, .dat, .wav, .vdf, .mp3 and .mp4. The loader decrypts the PureCrypter binary and loads reflectively. 

Snippet of the loader program that downloads the encrypted PureCrypter malware.

Network traffic showing the encrypted PureCrypter malware downloaded from the hosting site. 

In a few other loader samples, we found that the encrypted PureCrypter sample was embedded in the loader, which is decrypted using the AES algorithm and reflectively loaded into the victim machine’s memory.  

Snippet of the loader with embedded PureCrypter binary. 

**PureCrypter drops the TorNet backdoor **

The PureCrypter malware found in this intrusion is a Windows dynamic-link library obfuscated with Eziriz’s .NET Reactor obfuscator. It has resources of encrypted binaries of legitimate DLLs, including Protobuf-net and Microsoft task scheduler DLL along with the TorNet backdoor.  

PureCrypter initially creates a mutex on the victim machine and executes the command to release the currently assigned DHCP IP address of the victim machine, establishes persistence, performs various anti-analysis and detections tasks, drops and runs the payload, and finally executes a command to renew the IP address of the victim machine.  

Cmd /c ipconfig /release 
Cmd /c ipconfig /renew 

The threat actor is likely using this technique to evade detections from the cloud-based anti-malware programs by disconnecting the victim machine from the network and connects back to the network after dropping and running the backdoor.  

The PureCrypter malware performs various anti-debugger, anti-analysis, anti-VM, and anti-malware checks on the victim machine as described below: 

*   It checks if the process is debugged using the function “CheckRemoteDebuggerPresent”. 
*   It checks for the Sandboxie and Cuckoo sandbox environments by enumerating processes to look for “sbieDLL.dll” and “cuckoomon.dll”. 
*   It checks if the DLL is running in the virtual environment by executing the WMI queries and searches for the strings “VMware”, “VIRTUAL”, “AMI”, and “Xen”.  

Select \* from Win32\_BIOS 
Select \* from Win32\_ComputerSystem 

*   It also checks if the process running is associated with “vmGuestLib.dll” to detect the VMWare environment. 
*   It checks if the victim machine username is “john” or “anna” or “xxxxxxxx”.  
*   It checks for the strings “amsi.dll” and “amsiscanbuffer” in the running processes modules of the victim machine.  
*   It checks if the Event Tracing for Windows (ETW) is configured for the victim machine by attempting to check if any processes point to the function “EtwEventWrite” of “ntdll.dll”.  
*   It modifies the Windows Defender settings by executing the PowerShell commands to add its process and the path of the dropped backdoor to the exclusion lists.

Add-MpPreference –ExclusionPath 
Add-MpPreference –ExclusionProcess 

After the evasion checks, PureCrypter decrypts the encrypted backdoor from its resource and drops it to the user profile application temporary folder with a random file name. It also decrypts another file resource using a custom string decryption algorithm, generating the arbitrary filename strings and the task name strings for the Windows Task scheduler.  

PureCrypter establishes the persistence in the Run registry key by adding the path of the loader. It also creates a Windows task using a task name gained by decrypting the strings from the resource file and executes the loader every two to four minutes with no execution time limit. The task can run if the machine switches to battery power and will not stop if it runs on a low battery power. The threat actor has instrumented this technique to possibly ensure an uninterrupted infection avoiding the victim machine operating system to deprioritize the process when a victim machine is running on low battery power mode.  

Code snippet of creating the Windows schedule task. 

PureCrypter drops a Visual Basic script in the Windows startup folder with the instructions to load and execute the dropped backdoor. 

Code Snippet showing the command to drop and execute a VB Script.

After establishing persistence, PureCrypter loads the dropped backdoor by accessing it through a URL scheme “file\[://\]<Path of the dropped backdoor>” and injects the backdoor into the .NET runtime executable process in the victim machine. The threat actor is using this technique to possibly masquerade the file access activity as a web request in the victim machine logs and to bypass detections for loading a file from suspicious file paths on the victim machine.  

Code snippet showing the process injection.

**Payload TorNet creates a backdoor on the victim machine **

Talos discovered a new .NET backdoor as the payload in the recent intrusions of this campaign, which we call TorNet. TorNet backdoor is also obfuscated with Eziriz’s .NET Reactor obfuscator and has hash values for the compilation time. This could be the artifact that was created when the samples were compiled in Visual Studio with the “/deterministic” parameter. When Visual Studio is configured to generate deterministic binaries, the compiled date/time field of the binaries will be replaced by a hash of the compilation options. Talos had previously seen, and reported this technique used by other threat actors to disguise the actual compilation time of the malware binaries.    

TorNet initially decodes a base64-encoded string to obtain the C2 domain, port number, and an alphanumeric string of 16 characters (5e7a81857a353068). It then performs the anti-debugging, anti-malware, anti-VM, and sandbox evasion checks similar to PureCrypter we discussed in the previous section.  

Code snippet showing the base64 string decoding to obtain the string, C2 domain, and port number. 

After the evasion checks, TorNet establishes a TCP socket connection to the C2 server by resolving the IP address of the C2 domain decoded from the base64-encoded string. The connection uses one of the port numbers 8194, 7890, or 8410. We observed that the C2 domains used by the backdoor were resolving to the IP address 104\[.\]168\[.\]7\[.\]37 during the period of our research. 

TorNet backdoor sample connecting to the C2 using the domain and port number.

After establishing the connection to the C2 server, TorNet sends the gained string “5e7a81857a353068” by decoding the base64-encoded strings to the C2 server, creating a hexadecimal byte stream of length 20 and writes it to a memory stream by compressing it using the GzipStream function.  

HEX stream: “3A 12 12 10 35 65 37 61 38 31 38 35 37 61 33 35 33 30 36 38” 

ASCII equivalent: “:<2-byte place holder>\\n5e7a81857a353068” 

TorNet then generates an MD5 hash value of the string “5e7a81857a353068” and uses it as a key to encrypt the compressed 20-byte hexadecimal data stream using the triple DES algorithm. Using the Bitconverter function, TorNet splits the encrypted byte stream and sends it to the C2 server by writing it to the TCP stream through the socket.  

Code snippet of TorNet showing the data exfiltration to the C2 server through sockets. 

The C2 server may send an arbitrary encrypted .NET assembly as a response to a TorNet’s request. TorNet will decrypt the arbitrary binary and reflectively run it. During our research, we were unable to receive a response from the C2, still analyzing the TorNet binary allowed us to assess that the received response will be an arbitrary .NET assembly code, enabling the attack surface for further attack.  

Code snippet for running the received arbitrary .NET assembly. 

TorNet also connects the victim machine to the TOR network. It downloads the TOR expert bundle from the TOR Project archive site, unpacks it and runs the “tor\[.\]exe” as a background process to connect to TOR.  

Code snippet shows the download and execution of tor\[.\]exe. 

Once TOR is running, TorNet connects to the TOR network using the TOR SocksPort (127\[.\]0\[.\]0\[.\]1:9050), and with the “socket.Poll” function, it routes all traffic from the backdoor process on the victim machine through the TOR network. The threat actor is leveraging the TOR network to anonymize the C2 communication and evade detection.  

Connections from TorNet on analysis machine to the TOR nodes.

****Coverage** **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64440, 64439, 64437, 64438 and 301115. 

ClamAV detections are also available for this threat: 

Win.Backdoor.TorNet-10041435-0    
Win.Downloader.TorNet-10041463-0    
Win.Malware.TorNet-10041565-0    
Win.Malware.TorNet-10041601-0    
Win.Trojan.TorNet-10041734-0 

**Indicators of Compromise  **

IOCs for this threat can be found in our GitHub repository here.

New TorNet backdoor seen in widespread campaign

Plus: A hacker finds an issue with Cloudflare’s systems that could reveal app users’ rough locations, and the Trump administration puts a wrench in a key cybersecurity investigation.

This week started off with a bang and just kept going. In the wee hours of Saturday night, TikTok cut off access to users in the United States ahead of Sunday’s deadline that forced Apple and Google to remove the video-sharing app from their app stores. While TikTok was dark, US users raced to get around the TikTok ban while several other unexpected apps saw their access to Americans severed as well. By midday on Sunday, however, TikTok access was already coming back in the US. By Monday night, newly inaugurated US president Donald Trump had signed an executive order delaying the TikTok ban by 75 days.

On Tuesday, Trump made good on his promise to free Ross Ulbricht, the imprisoned creator of the Silk Road dark-web market, where users sold drugs, guns, and worse. Ulbricht had spent more than 11 years behind bars after he was arrested by the FBI in 2013 and later sentenced to life in prison. Trump’s decision to pardon Ulbricht is largely seen as linked to the support he’s received from the libertarian cryptocurrency community, which has long considered the Silk Road creator a martyr.

As the world enters the second Trump era, WIRED sat down with Jen Easterly, who recently left her top spot as director of the Cybersecurity and Infrastructure Security Agency to discuss the cyber threats facing the US and CISA’s uncertain future as the frontline watchdog against nation-state hackers and other digital security threats facing the US.

Lastly, we detailed new research that revealed how trivial bugs had exposed Subaru’s system for tracking the locations of its customers’ vehicles. The researchers found they could access a web portal for Subaru employees that allowed them to pinpoint up to a years’ worth of a car’s location—down to the parking spots they use. The flaws are now patched, but Subaru employees still have access to sensitive driver location data.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Judge Says Controversial FBI Searches Require a Warrant**

A US judge in New York this week found that the FBI’s practice of searching data on US persons under Section 702 of the Foreign Intelligence Surveillance Act without obtaining a warrant is unconstitutional. FISA gives the US government the authority to collect the communications of foreign entities through internet providers and companies like Apple and Google. Once this data was collected, the FBI could perform “backdoor searches” for information on US citizens or residents who communicated with foreigners, and it did so without first obtaining a warrant. Judge DeArcy Hall found that these searches do require a warrant. “To hold otherwise would effectively allow law enforcement to amass a repository of communications under Section 702—including those of US persons—that can later be searched on demand without limitation,” the judge wrote.

**Cloudflare Function Could Expose App Users’ Rough Location**

An “issue” with the basic functionality of internet infrastructure company Cloudflare’s content delivery network, or CDN, can reveal the coarse location of people using apps, including those meant for protecting privacy, according to findings from an independent security researcher. Cloudflare has servers in hundreds of cities and more than 100 countries around the world. Its CDN works by caching peoples’ internet traffic across its servers then delivering that data from the server closest to a person’s location. The security researcher, who goes by Daniel, found a way to send an image to a target, collect the URL, then use a custom-built tool to query Cloudflare to find out which data center delivered the image—and thus the state or possibly the city the target is in. Fortunately, Cloudflare tells 404 Media that it fixed the issue after Daniel reported it.

**Trump Administration Disbands Review Board Investigating China’s Salt Typhoon Attacks**

In one of its first moves after Trump took office on Monday, the Department of Homeland Security let go everyone on the agency’s advisory committees. This includes the Cyber Safety Review Board, which was investigating widespread attacks on the US telecommunications system by the China-backed hacker group Salt Typhoon. US authorities revealed in mid-November that Salt Typhoon had embedded itself in at least nine US telecoms for espionage purposes, potentially exposing anyone using unencrypted calls and text message to surveillance by Beijing. While the future of the CSRB remains uncertain, sources tell reporter Eric Geller that their investigation into Salt Typhoon’s attacks is effectively “dead.”

US Privacy Snags a Win as Judge Limits Warrantless FBI Searches

US prosecutors charged five, including North Koreans, for tricking firms into hiring fake IT workers, sending $866K+ to…

US prosecutors charged five, including North Koreans, for tricking firms into hiring fake IT workers, sending $866K+ to fund weapons programs. Stay alert, and report fraud.

Federal prosecutors in the United States have charged five individuals, including two North Korean nationals, for their roles in a scheme that tricked U.S. companies into **hiring North Korean IT workers**.

According to the Department of Justice (DOJ), the operation funneled hundreds of thousands of dollars to the North Korean government, which, other than **using hackers to steal cryptocurrency**, has been using such tactics to evade sanctions and fund its weapons programs.

The indicted individuals include North Korean nationals Jin Sung-Il and Pak Jin-Song, Mexican national Pedro Ernesto Alonso De Los Reyes, and U.S. citizens Erick Ntekereze Prince and Emanuel Ashtor. They are accused of using stolen identities and fraudulent documents to **pose as legitimate US-based IT professionals**, securing remote jobs with at least 64 American companies.

In a **detailed indictment** (PDF), the DOJ outlined that the group operated from April 2018 to August 2024, using fake identities and falsified documents to bypass hiring checks. Once employed, they allegedly transferred payments amounting to at least $866,255 from ten companies through a Chinese bank account to cover the money trail.

Fake documents used in the scam (Via US DoJ)

A key element of the operation, according to the DOJ’s **press release**, involved “laptop farms,” where company-issued computers were received at U.S. locations and set up with remote access software. This allowed North Korean operatives to control the devices from abroad, creating the impression that the workers were based in the United States.

The scheme came to light following an FBI investigation that led to the recent arrests of Prince and Ashtor in the U.S., while Alonso was apprehended in the Netherlands earlier this month.

All five defendants face charges that include conspiracy to commit wire fraud, identity theft, and money laundering. If convicted, they could face up to 20 years in prison.

****Repeated Pattern****

North Korea has long relied on cyber operations to generate revenue for its government. Thousands of IT workers, primarily based in China and Russia, have been deployed to secure freelance work under false identities. According to U.S. officials, these workers can earn up to $300,000 per year, collectively bringing in millions to support the country’s military ambitions.

To achieve this, they take advantage of online job platforms, social media, and payment services, often using unsuspecting individuals in the U.S. to help move money and avoid detection. In July 2024, cybersecurity firm **KnowBe4 was tricked** by a North Korean hacker posing as an IT worker whose next step was to load malware on a company-issued Macbook.

In response, the U.S. government has issued several warnings to businesses about the risks associated with hiring remote IT workers. The FBI and other agencies have **published guidelines** to help companies spot red flags and protect themselves from falling victim to similar scams.

Authorities are also urging businesses to stay alert when hiring remote workers and to report any unusual activity to the FBI. They emphasize the importance of protecting company data and following international sanctions to help stop this type of fraud.

1.  **Feds Bust N. Korean Identity Theft Ring Targeting US Firms**
2.  **Russian hacker tried hiring Tesla worker for malware attack**
3.  **Hackers used fake job website to scam jobless US veterans**
4.  **Fake LinkedIn job offers scam spreading More\_eggs backdoor**
5.  **Employee Duped by AI-Generated CFO in $25.6M Deepfake Scam**

Tag

#backdoor