Security researchers have uncovered a sophisticated phishing campaign that's been active since July 2024, targeting Russian enterprises with Batavia, a previously undocumented Windows spyware designed for document theft and internal reconnaissance.

🎣 Infection Begins with Phishing
Fake contract emails arrive from attacker-controlled domains such as oblast-ru[.]com. Victims click a link and download an archive containing a malicious .vbe script disguised as a contract.

🧩 Multi-Stage Malware Chain
1. VBE Downloader
The Visual Basic-encoded script profiles the host, collecting OS and system information, and submits it to the C2 server. It then pulls down WebView.exe, saving it to the %TEMP% folder.
2. Delphi-Based WebView.exe
This executable displays a fake contract to distract users while:
- Collecting documents (*.doc, *.pdf, *.xls), screenshots, system logs, and files from connected devices.
- Exfiltrating data to ru-exchange[.]com and pulling another payload, java...
Security researchers at SentinelOne have uncovered a sophisticated attack campaign involving North Korean threat actors, linked to the BlueNoroff/Lazarus APT group, targeting Web3 and cryptocurrency firms. The attackers are using fake Zoom SDK update scripts to trick macOS users into installing a rare Nim-compiled backdoor dubbed NimDoor.

🧠 The Social Engineering Setup
Victims are contacted on Telegram by someone posing as a trusted peer and invited to schedule a meeting via Calendly. They then receive an email with a "Zoom meeting" link and instructions to run a Zoom SDK update. The script is heavily obfuscated, padded with thousands of blank lines to disguise its true purpose.

🛠 Infection Chain & Techniques
AppleScript Downloader
A malicious AppleScript triggers the download of a second-stage payload from a spoofed Zoom domain.
Dual-Channel Loaders
A C++ loader (InjectWithDyldArm64) uses process injection on macOS to deploy trojan payloads like trojan1_arm64 that...
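The blank-line padding described above is cheap to detect in triage: a legitimate update script does not carry thousands of consecutive empty lines in front of its real content. The Python below is an added example written for this summary, not code from SentinelOne's report or from either campaign. It computes a blank-line ratio and the longest run of empty lines for a script, flags the file when those exceed constructed thresholds, and returns the de-padded content so an analyst sees what the script actually does. The sample scripts and the threshold values are constructed for illustration.

```python
"""Heuristic triage for scripts padded with blank lines to hide their real content.

Added example (not from the original post). Thresholds below are constructed
starting points, not values from any published detection rule.
"""
from dataclasses import dataclass


@dataclass
class PaddingReport:
    total_lines: int
    blank_lines: int
    longest_blank_run: int
    blank_ratio: float
    suspicious: bool


def analyze_padding(
    text: str,
    min_lines: int = 500,          # ignore tiny scripts; padding only matters at scale
    ratio_threshold: float = 0.9,  # >= 90% of lines blank
    run_threshold: int = 200,      # or one unbroken run of >= 200 empty lines
) -> PaddingReport:
    """Measure how much of a script is whitespace-only padding.

    A file is flagged when it is large enough to matter AND either almost all
    of its lines are blank or it contains one very long run of blank lines
    (the pattern of a short header followed by the hidden payload far below).
    """
    lines = text.splitlines()
    total = len(lines)
    blank = 0
    longest_run = 0
    current_run = 0
    for line in lines:
        if line.strip() == "":
            blank += 1
            current_run += 1
            longest_run = max(longest_run, current_run)
        else:
            current_run = 0
    ratio = blank / total if total else 0.0
    suspicious = total >= min_lines and (
        ratio >= ratio_threshold or longest_run >= run_threshold
    )
    return PaddingReport(total, blank, longest_run, round(ratio, 3), suspicious)


def stripped_content(text: str) -> str:
    """Return the script with whitespace-only lines removed, for analyst review."""
    return "\n".join(line for line in text.splitlines() if line.strip())


def scan_file(path: str) -> PaddingReport:
    """Convenience wrapper: read a script from disk (decoding errors replaced)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return analyze_padding(fh.read())


# Constructed sample: an ordinary script with normal spacing.
BENIGN_SCRIPT = "\n".join([
    "#!/bin/bash",
    "# constructed sample: ordinary maintenance script",
    "",
    "set -e",
    "echo 'routine task'",
    "",
    "exit 0",
]) + "\n"

# Constructed sample: a short "updater" header, 3000 empty lines, then the real
# content (a harmless placeholder line standing in for whatever is hidden).
PADDED_SCRIPT = (
    "#!/bin/bash\n"
    "echo 'Updating Zoom SDK...'\n"
    + "\n" * 3000
    + "echo 'hidden-stage-placeholder'\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SCRIPT), ("padded", PADDED_SCRIPT)):
        report = analyze_padding(sample)
        print(f"{name}: {report}")
        if report.suspicious:
            print("de-padded content:")
            print(stripped_content(sample))
```

The ratio and run thresholds are deliberately loose so that ordinary scripts with generous spacing are not flagged; the run-length check is what catches the header-then-payload layout even when the payload itself is long enough to pull the overall ratio down.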