Technology News from Around the World, Instantly on Oracnoos!

AsyncRAT Campaign Uses Python Payloads and TryCloudflare Tunnels for Stealth Attacks

A malware campaign has been observed delivering a remote access trojan (RAT) named AsyncRAT by making use of Python payloads and TryCloudflare tunnels.

"AsyncRAT is a remote access trojan (RAT) that exploits the async/await pattern for efficient, asynchronous communication," Forcepoint X-Labs researcher Jyotika Singh said in an analysis.

"It allows attackers to control infected systems stealthily, exfiltrate data and execute commands while remaining hidden – making it a significant cyberthreat."

Present within the file is an internet shortcut (URL) file, which serves as a conduit for a Windows shortcut (LNK) file responsible for taking the infection further, while a seemingly benign decoy PDF document is displayed to the message recipient.

Specifically, the LNK file is retrieved by means of a TryCloudflare URL embedded within the URL file. TryCloudflare is a legitimate service offered by Cloudflare for exposing web servers to the internet without opening any ports by creating a dedicated channel ([website], a subdomain on trycloudflare[.]com) that proxies traffic to the server.

The LNK file, for its part, triggers PowerShell to execute JavaScript code hosted at the same location; that code, in turn, leads to a batch script (BAT) capable of downloading another ZIP archive. The newly downloaded ZIP file contains a Python payload designed to launch and execute several malware families, such as AsyncRAT, Venom RAT, and XWorm.
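As an added defender-side check that is not part of the original article: a small Python triage script that parses a Windows Internet Shortcut (.url) file, the INI-style format this chain uses as its first hop, and flags a URL= target that points at a trycloudflare.com subdomain or at one of the next-stage file types named above. The sample .url body, its hostname and path are constructed for illustration, not indicators taken from the campaign.

```python
from urllib.parse import urlsplit

# Constructed sample of a Windows Internet Shortcut (.url) file. The hostname
# and path are made up for this example; they are not campaign indicators.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=https://example-words-here.trycloudflare.com/stage/payload.lnk
IconIndex=0
IDList=
"""

# Tunnel service the article describes being abused for the first hop.
SUSPECT_SUFFIXES = ("trycloudflare.com",)
# Next-stage file types named in the article's infection chain.
SUSPECT_EXTENSIONS = (".lnk", ".js", ".bat", ".zip")


def parse_internet_shortcut(text):
    """Return the key/value pairs of the [InternetShortcut] section (keys lowercased)."""
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def host_matches(host, suffixes):
    """True if host is one of the suffix domains or a subdomain of one (no substring matches)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def assess_shortcut(text):
    """Return (verdict, reasons) for one .url file body; verdict is suspicious, benign or no-url."""
    fields = parse_internet_shortcut(text)
    url = fields.get("url")
    reasons = []
    if not url:
        return ("no-url", reasons)
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host_matches(host, SUSPECT_SUFFIXES):
        reasons.append(f"tunnel host: {host}")
    if parts.path.lower().endswith(SUSPECT_EXTENSIONS):
        reasons.append(f"executable next stage: {parts.path.rsplit('/', 1)[-1]}")
    verdict = "suspicious" if reasons else "benign"
    return (verdict, reasons)


if __name__ == "__main__":
    verdict, reasons = assess_shortcut(SAMPLE_URL_FILE)
    print(verdict, *reasons, sep="\n  ")
```

Run it over every .url attachment extracted from a mail gateway quarantine; a hit on both reasons at once mirrors the first hop described above.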

It's worth noting that a slight variation of the same infection sequence was discovered last year propagating AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm. A similar attack leveraging CVE-2024-38213, a now-patched Windows Mark-of-the-Web (MotW) bypass vulnerability, was also documented by Canadian cybersecurity firm Field Effect in November 2024.

"This AsyncRAT campaign has again shown how hackers can use legitimate infrastructures like Dropbox URLs and TryCloudflare to their advantage," Singh noted. "Payloads are downloaded through Dropbox URLs and temporary TryCloudflare tunnel infrastructure, thereby tricking recipients into believing their legitimacy."

The development comes amid a surge in phishing campaigns using phishing-as-a-service (PhaaS) toolkits to conduct account takeover attacks by directing users to bogus landing pages mimicking the login pages of trusted platforms like Microsoft, Google, Apple, and GitHub.

Social engineering attacks conducted via emails have also been observed leveraging compromised vendor accounts to harvest customers' Microsoft 365 login credentials, an indication that threat actors are taking advantage of the interconnected supply chain and the inherent trust to bypass email authentication mechanisms.

Some of the other phishing campaigns documented in recent weeks are listed below:

Recent research by CloudSEK has also demonstrated that it's possible to exploit Zendesk's infrastructure to facilitate phishing attacks and investment scams.

Fake Google Chrome Sites Distribute ValleyRAT Malware via DLL Hijacking

Bogus websites advertising Google Chrome have been used to distribute malicious installers for a remote access trojan called ValleyRAT.

The malware, first detected in 2023, is attributed to a threat actor tracked as Silver Fox, with prior attack campaigns primarily targeting Chinese-speaking regions like Hong Kong, Taiwan, and Mainland China.

"This actor has increasingly targeted key roles within organizations—particularly in finance, accounting, and sales departments—highlighting a strategic focus on high-value positions with access to sensitive data and systems," Morphisec researcher Shmuel Uzan said in an analysis.

Early attack chains have been observed delivering ValleyRAT alongside other malware families such as Purple Fox and Gh0st RAT, the latter of which has been extensively used by various Chinese hacking groups.

As recently as last month, counterfeit installers for legitimate software have served as a distribution mechanism for the trojan by means of a DLL loader named PNGPlug.

It's worth noting that a drive-by download scheme targeting Chinese-speaking Windows users was previously used to deploy Gh0st RAT using malicious installer packages for the Chrome web browser.

In a similar fashion, the latest attack sequence associated with ValleyRAT entails the use of a fake Google Chrome website to trick targets into downloading a ZIP archive containing an executable ("[website]").

The binary, upon execution, checks if it has administrator privileges and then proceeds to download four additional payloads, including a legitimate executable associated with Douyin ("[website]"), the Chinese version of TikTok, that's used to sideload a rogue DLL ("[website]"), which then launches the ValleyRAT malware.

Also retrieved is another DLL file ("[website]"), which is responsible for terminating any running process present in an exclusion list.

Compiled in Chinese and written in C++, ValleyRAT is a trojan that's designed to monitor screen content, log keystrokes, and establish persistence on the host. It's also capable of initiating communications with a remote server to await further instructions that allow it to enumerate processes, as well as download and execute arbitrary DLLs and binaries, among others.

"For payload injection, the attacker abused legitimate signed executables that were vulnerable to DLL search order hijacking," Uzan said.

The development comes as Sophos shared details of phishing attacks that employ Scalable Vector Graphics (SVG) attachments to evade detection and deliver an AutoIt-based keystroke logger malware like Nymeria, or direct users to credential harvesting pages.

Cross-Platform JavaScript Stealer Targets Crypto Wallets in New Lazarus Group Campaign

The North Korea-linked Lazarus Group has been linked to an active campaign that leverages fake LinkedIn job offers in the cryptocurrency and travel sectors to deliver malware capable of infecting Windows, macOS, and Linux operating systems.

According to Bitdefender, the scam begins with a message sent on a professional social media network, enticing targets with the promise of remote work, part-time flexibility, and good pay.

"Once the target expresses interest, the 'hiring process' unfolds, with the scammer requesting a CV or even a personal GitHub repository link," the Romanian firm noted in a study shared with The Hacker News.

"Although seemingly innocent, these requests can serve nefarious purposes, such as harvesting personal data or lending a veneer of legitimacy to the interaction."

Once the requested details are obtained, the attack moves to the next stage where the threat actor, under the guise of a recruiter, shares a link to a GitHub or Bitbucket repository containing a minimum viable product (MVP) version of a supposed decentralized exchange (DEX) project and instructs the victim to check it out and provide their feedback.

Present within the code is an obfuscated script that's configured to retrieve a next-stage payload from [website][.]io, a cross-platform JavaScript information stealer that's capable of harvesting data from various cryptocurrency wallet extensions that may be installed on the victim's browser.

The stealer also doubles up as a loader to retrieve a Python-based backdoor responsible for monitoring clipboard content changes, maintaining persistent remote access, and dropping additional malware.

At this stage, it's worth noting that the tactics documented by Bitdefender exhibit overlaps with a known attack activity cluster dubbed Contagious Interview (aka DeceptiveDevelopment and DEV#POPPER), which is designed to drop a JavaScript stealer called BeaverTail and a Python implant referred to as InvisibleFerret.

"The analyzed malware seems to fall within the Contagious Interview cluster," Bitdefender Labs told The Hacker News. "However, the infected JavaScript sample is different from other BeaverTail samples that were seen in the past. We have also observed other details in the infection chain that lead us to believe that the threat actors are continuously adapting and improving their tactics."

The additional malware dropped by the Python backdoor is a .NET binary that can download and start a TOR proxy server to communicate with a command-and-control (C2) server, exfiltrate basic system information, and deliver another payload that, in turn, can siphon sensitive data, log keystrokes, and launch a cryptocurrency miner.

"The threat actors' infection chain is complex, containing malicious software written in multiple programming languages and using a variety of technologies, such as multi-layered Python scripts that recursively decode and execute themselves, a JavaScript stealer that first harvests browser data before pivoting to further payloads, and .NET-based stagers capable of disabling security tools, configuring a Tor proxy, and launching crypto miners," Bitdefender noted.

There is evidence to suggest these efforts are quite widespread, going by reports shared on LinkedIn and Reddit, with minor tweaks to the overall attack chain. In some cases, the candidates are asked to clone a Web3 repository and run it locally as part of an interview process, while in others they are instructed to fix intentionally introduced bugs in the code.

One of the Bitbucket repositories in question refers to a project named "miketoken_v2." It is no longer accessible on the code hosting platform. Bitdefender said the activity is part of the same campaign, with the repository names and recruiter profiles shuffled.

The disclosure comes a day after SentinelOne revealed that the Contagious Interview campaign is being used to deliver another malware codenamed FlexibleFerret.

Market Impact Analysis

Market Growth Trend

Year:         2018   2019   2020   2021   2022   2023   2024
Growth rate:  8.7%   10.5%  11.0%  12.2%  12.9%  13.3%  13.4%

Quarterly Growth Rate

Quarter:      Q1 2024  Q2 2024  Q3 2024  Q4 2024
Growth rate:  12.5%    12.9%    13.2%    13.4%

Market Segments and Growth Drivers

Segment                    Market Share   Growth Rate
Network Security           26%            10.8%
Cloud Security             23%            17.6%
Identity Management        19%            15.3%
Endpoint Security          17%            13.9%
Other Security Solutions   15%            12.4%

Technology Maturity Curve

Different technologies within the ecosystem are at varying stages of maturity:

(Hype-cycle chart: stages Innovation Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity; technologies plotted: AI/ML, Blockchain, VR/AR, Cloud, Mobile.)

Competitive Landscape Analysis

Company              Market Share
Palo Alto Networks   14.2%
Cisco Security       12.8%
CrowdStrike          9.3%
Fortinet             7.6%
Microsoft Security   7.1%

Future Outlook and Predictions

The cyber security landscape is evolving rapidly, driven by technological advancements, changing threat vectors, and shifting business requirements. Based on current trends and expert analyses, we can anticipate several significant developments across different time horizons:

Year-by-Year Technology Evolution

Based on current trajectory and expert analyses, we can project the following development timeline:

2024: Early adopters begin implementing specialized solutions with measurable results
2025: Industry standards emerging to facilitate broader adoption and integration
2026: Mainstream adoption begins as technical barriers are addressed
2027: Integration with adjacent technologies creates new capabilities
2028: Business models transform as capabilities mature
2029: Technology becomes embedded in core infrastructure and processes
2030: New paradigms emerge as the technology reaches full maturity

Technology Maturity Curve

Different technologies within the ecosystem are at varying stages of maturity, influencing adoption timelines and investment priorities:

(Technology maturity diagram: axes Time / Development Stage vs. Adoption / Maturity; stages Innovation, Early Adoption, Growth, Maturity, Decline/Legacy; categories Emerging Tech, Current Focus, Established Tech, Mature Solutions. Interactive diagram available in full report.)

Innovation Trigger

  • Generative AI for specialized domains
  • Blockchain for supply chain verification

Peak of Inflated Expectations

  • Digital twins for business processes
  • Quantum-resistant cryptography

Trough of Disillusionment

  • Consumer AR/VR applications
  • General-purpose blockchain

Slope of Enlightenment

  • AI-driven analytics
  • Edge computing

Plateau of Productivity

  • Cloud infrastructure
  • Mobile applications

Technology Evolution Timeline

1-2 Years
  • Technology adoption accelerating across industries
  • Digital transformation initiatives becoming mainstream
3-5 Years
  • Significant transformation of business processes through advanced technologies
  • New digital business models emerging
5+ Years
  • Fundamental shifts in how technology integrates with business and society
  • Emergence of new technology paradigms

Expert Perspectives

Leading experts in the cyber security sector provide diverse perspectives on how the landscape will evolve over the coming years:

"Technology transformation will continue to accelerate, creating both challenges and opportunities."

— Industry Expert

"Organizations must balance innovation with practical implementation to achieve meaningful results."

— Technology Analyst

"The most successful adopters will focus on business outcomes rather than technology for its own sake."

— Research Director

Areas of Expert Consensus

  • Acceleration of Innovation: The pace of technological evolution will continue to increase
  • Practical Integration: Focus will shift from proof-of-concept to operational deployment
  • Human-Technology Partnership: Most effective implementations will optimize human-machine collaboration
  • Regulatory Influence: Regulatory frameworks will increasingly shape technology development

Short-Term Outlook (1-2 Years)

In the immediate future, organizations will focus on implementing and optimizing currently available technologies to address pressing cyber security challenges:

  • Technology adoption accelerating across industries
  • Digital transformation initiatives becoming mainstream

These developments will be characterized by incremental improvements to existing frameworks rather than revolutionary changes, with emphasis on practical deployment and measurable outcomes.

Mid-Term Outlook (3-5 Years)

As technologies mature and organizations adapt, more substantial transformations will emerge in how security is approached and implemented:

  • Significant transformation of business processes through advanced technologies
  • New digital business models emerging

This period will see significant changes in security architecture and operational models, with increasing automation and integration between previously siloed security functions. Organizations will shift from reactive to proactive security postures.

Long-Term Outlook (5+ Years)

Looking further ahead, more fundamental shifts will reshape how cybersecurity is conceptualized and implemented across digital ecosystems:

  • Fundamental shifts in how technology integrates with business and society
  • Emergence of new technology paradigms

These long-term developments will likely require significant technical breakthroughs, new regulatory frameworks, and evolution in how organizations approach security as a fundamental business function rather than a technical discipline.

Key Risk Factors and Uncertainties

Several critical factors could significantly impact the trajectory of cyber security evolution:

  • Evolving threat landscape
  • Skills shortage
  • Regulatory compliance complexity

Organizations should monitor these factors closely and develop contingency strategies to mitigate potential negative impacts on technology implementation timelines.

Alternative Future Scenarios

The evolution of technology can follow different paths depending on various factors including regulatory developments, investment trends, technological breakthroughs, and market adoption. We analyze three potential scenarios:

Optimistic Scenario

Rapid adoption of advanced technologies with significant business impact

Key Drivers: Supportive regulatory environment, significant research breakthroughs, strong market incentives, and rapid user adoption.

Probability: 25-30%

Base Case Scenario

Measured implementation with incremental improvements

Key Drivers: Balanced regulatory approach, steady technological progress, and selective implementation based on clear ROI.

Probability: 50-60%

Conservative Scenario

Technical and organizational barriers limiting effective adoption

Key Drivers: Restrictive regulations, technical limitations, implementation challenges, and risk-averse organizational cultures.

Probability: 15-20%

Scenario Comparison Matrix

Factor                    Optimistic       Base Case     Conservative
Implementation Timeline   Accelerated      Steady        Delayed
Market Adoption           Widespread       Selective     Limited
Technology Evolution      Rapid            Progressive   Incremental
Regulatory Environment    Supportive       Balanced      Restrictive
Business Impact           Transformative   Significant   Modest

Transformational Impact

Technology is becoming increasingly embedded in all aspects of business operations. This evolution will necessitate significant changes in organizational structures, talent development, and strategic planning processes.

The convergence of multiple technological trends—including artificial intelligence, quantum computing, and ubiquitous connectivity—will create both unprecedented security challenges and innovative defensive capabilities.

Implementation Challenges

Technical complexity and organizational readiness remain key challenges. Organizations will need to develop comprehensive change management strategies to successfully navigate these transitions.

Regulatory uncertainty, particularly around emerging technologies like AI in security applications, will require flexible security architectures that can adapt to evolving compliance requirements.

Key Innovations to Watch

Artificial intelligence, distributed systems, and automation technologies are leading innovation. Organizations should monitor these developments closely to maintain competitive advantages and effective security postures.

Strategic investments in research partnerships, technology pilots, and talent development will position forward-thinking organizations to leverage these innovations early in their development cycle.

Technical Glossary

Key technical terms and definitions to help understand the technologies discussed in this article.

Understanding the following technical concepts is essential for grasping the full implications of the security threats and defensive measures discussed in this article. These definitions provide context for both technical and non-technical readers.

ransomware (beginner)

Ransomware typically encrypts victim data using strong cryptographic algorithms, making recovery impossible without the decryption key. Advanced variants now also exfiltrate data before encryption, enabling double-extortion tactics.
Example: The REvil ransomware group leveraged a supply chain attack against Kaseya VSA to deploy ransomware to thousands of organizations simultaneously, demanding a $70 million ransom payment.

SOC (intermediate)

API (beginner)

APIs serve as the connective tissue in modern software architectures, enabling different applications and services to communicate and share data according to defined protocols and data formats.
(Figure: API concept visualization. How APIs enable communication between different software systems.)
Example: Cloud service providers like AWS, Google Cloud, and Azure offer extensive APIs that allow organizations to programmatically provision and manage infrastructure and services.

malware (beginner)

Malware can take many forms including viruses, worms, trojans, ransomware, spyware, adware, and rootkits. Modern malware often employs sophisticated evasion techniques to avoid detection by security solutions.
(Figure: Types of malware. Common malware types and their characteristics.)
Example: The Emotet trojan began as banking malware but evolved into a delivery mechanism for other malware types, demonstrating how sophisticated malware can adapt and change functionality over time.

platform (intermediate)

Platforms provide standardized environments that reduce development complexity and enable ecosystem growth through shared functionality and integration capabilities.

phishing (beginner)

Modern phishing attacks are increasingly sophisticated, often leveraging AI to create convincing spear-phishing campaigns that target specific individuals with personalized content that appears legitimate.
(Figure: Phishing attack flow. Anatomy of a typical phishing attack.)
Example: Business Email Compromise (BEC) attacks are sophisticated phishing campaigns where attackers impersonate executives to trick employees into transferring funds or sensitive information.