Cybercriminals are disguising Trojans as tools.

✨ Megiddo

Cybercriminals have begun luring users under the guise of gaming utilities. Instead of "useful" tools, victims receive remote-access malware. It is distributed through browsers and chat platforms, and the ultimate goal is to install a Trojan on the computer.

According to Microsoft Threat Intelligence, the attack chain begins with a malicious downloader.

It deploys a portable Java environment and runs a JAR file named jd-gui.jar. For stealthy execution, the attackers use PowerShell and standard Windows tools (so-called LOLBins, such as cmstp.exe), which lets them disguise their activity as legitimate processes.

The downloader deletes itself to cover its tracks and adds Microsoft Defender exclusions for the malware components. Persistence is achieved via a scheduled task and a Windows startup script named world.vbs.

The final module is a multifunctional tool: it can function as a downloader, a command executor, a module for downloading additional files, and a fully-fledged RAT.

Once launched, the malware establishes a connection to an external server, 79.110.49[.]15, from which it receives commands. This opens the door for attackers to steal data and deliver additional payloads.

Experts recommend that administrators check the exclusion list in Microsoft Defender and the list of scheduled tasks, remove suspicious items, isolate infected hosts, and reset the credentials of users who worked on compromised machines.
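The following PowerShell triage script is an added example, not part of the original post or of Microsoft's published guidance. It walks the checks recommended above and hunts for the artifacts the post names in the attack chain (Defender exclusions, scheduled tasks that launch Java, a JAR, a script host, PowerShell or cmstp.exe, a startup script named world.vbs, and connections to 79.110.49[.]15). It assumes an elevated PowerShell session on the host being examined; the Startup folder paths are the standard per-user and all-users locations, and the on-disk search for jd-gui.jar under the user profile and ProgramData is an assumption about where the downloader would drop it, since the post does not say.

```powershell
# Added triage script (not from the original post). Report-only: it prints
# review lists and changes nothing on the host.
# Assumptions: elevated session; indicator values are taken from the post;
# the JAR search locations are a guess, not a documented drop path.

$Indicators = @{
    JarName     = 'jd-gui.jar'
    StartupFile = 'world.vbs'
    LolBin      = 'cmstp.exe'
    C2Address   = '79.110.49.15'
}

function Get-DefenderExclusionReport {
    # Every Defender exclusion on a suspect host deserves a look; a workstation
    # should normally carry none beyond what is deployed centrally.
    $pref = Get-MpPreference
    [PSCustomObject]@{
        Paths      = @($pref.ExclusionPath)
        Processes  = @($pref.ExclusionProcess)
        Extensions = @($pref.ExclusionExtension)
    }
}

function Get-SuspiciousScheduledTasks {
    # Flags tasks whose action launches a Java runtime, a JAR, a script host,
    # PowerShell, or the LOLBin named in the post. Legitimate tasks can match
    # too, so treat the output as a review list rather than a verdict.
    $pattern = 'java(w)?\.exe|\.jar|wscript|cscript|powershell|' +
               [regex]::Escape($Indicators.LolBin)
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $pattern) {
                [PSCustomObject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    State    = $task.State
                    Command  = $cmd.Trim()
                }
            }
        }
    }
}

function Get-StartupScriptHits {
    # Lists world.vbs and any other script in the two Startup folders.
    $folders = @(
        (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
    )
    foreach ($folder in $folders) {
        if (Test-Path $folder) {
            Get-ChildItem -Path $folder -File |
                Where-Object {
                    $_.Name -ieq $Indicators.StartupFile -or
                    $_.Extension -in @('.vbs', '.js', '.bat', '.cmd', '.ps1')
                }
        }
    }
}

function Find-DroppedJar {
    # Best-effort search for the JAR under the user profile and ProgramData
    # (assumed locations; the post does not state the drop path).
    foreach ($root in @($env:USERPROFILE, $env:ProgramData)) {
        Get-ChildItem -Path $root -Recurse -File -Filter $Indicators.JarName `
            -ErrorAction SilentlyContinue
    }
}

function Get-C2Connections {
    # Any current TCP connection to the address named in the post.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $Indicators.C2Address }
}

Write-Host '== Microsoft Defender exclusions =='
Get-DefenderExclusionReport | Format-List

Write-Host '== Scheduled tasks launching Java / JAR / script host / PowerShell / cmstp.exe =='
Get-SuspiciousScheduledTasks | Format-Table -AutoSize

Write-Host "== Startup folder scripts (looking for $($Indicators.StartupFile)) =="
Get-StartupScriptHits | Select-Object FullName, LastWriteTime

Write-Host "== Files named $($Indicators.JarName) =="
Find-DroppedJar | Select-Object FullName, LastWriteTime

Write-Host "== TCP connections to $($Indicators.C2Address) =="
Get-C2Connections |
    Select-Object LocalAddress, LocalPort, RemotePort, State, OwningProcess
```

Once a finding has been confirmed, the cleanup the post describes maps onto standard cmdlets: Remove-MpPreference with -ExclusionPath, -ExclusionProcess or -ExclusionExtension drops an exclusion, and Unregister-ScheduledTask removes a task. Collect the report first, since the task command line, the startup script and the owning process of any connection are the evidence you will want before isolating the host and resetting credentials.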
