ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits & 20 More Stories
Briefly

"A sophisticated, multi-stage malware campaign directed at customer support staff working for Web3 companies is leveraging suspicious links sent via customer support chat to initiate an attack chain that delivers a malicious executable disguised as a photograph."
"The loader proceeds to retrieve an implant named Farfli (aka Gh0st RAT) that's launched via DLL side-loading to establish persistent communication with threat actor-controlled infrastructure."
"This campaign has been attributed to APT-Q-27 (aka GoldenEyeDog), a financially motivated threat group suspected to be operating out of China since at least 2022."
A multi-stage malware campaign is targeting customer support staff in Web3 companies. It uses suspicious links in customer support chats to deliver a malicious executable disguised as a photograph. This executable retrieves a second-stage loader from an AWS S3 dead drop, which then installs an implant named Farfli (Gh0st RAT) through DLL side-loading. The campaign is attributed to APT-Q-27, a financially motivated group believed to be operating from China since 2022. Similar tactics were noted in a previous campaign involving Zendesk.
Read at The Hacker News