{
  "name": "From Malspam to Fileless .NET Loader",
  "slug": "from-malspam-to-fileless-net-loader",
  "description": "A sophisticated malspam campaign delivers a multi-stage .NET loader through an elaborate chain beginning with HTML email attachments. The attack routes through legitimate Google DoubleClick infrastructure to evade detection, then deploys a dynamically personalized phishing kit that pulls victim company branding in real time. The infection chain progresses through JavaScript, PowerShell, and multiple .NET components, executing primarily in-memory while actively patching AMSI and ETW to blind Windows telemetry. The loader performs extensive anti-analysis checks, terminates or reboots upon detecting sandboxes or debugging tools, and establishes persistence through registry keys and scheduled tasks disguised as NVIDIA components. It targets Microsoft-signed binaries like InstallUtil.exe and MSBuild.exe for process injection, maintains C2 communications over non-standard ports using AES-encrypted protobuf messages, and profiles victim systems including specific GPU enumeration potentially for cryptocurrency min...",
  "published": "2026-06-09T13:50:14+00:00",
  "created_at": "2026-06-09T13:50:14+00:00",
  "modified_at": "2026-06-10T06:30:03+00:00",
  "created_at_opencti": "2026-06-09T13:50:14+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-06-09",
    "amsi patching",
    "ddns c2",
    "fileless",
    "malspam",
    "sandbox-detection"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "http://catalogo.castrouria.com/c84da/bl.txt"
      },
      {
        "id": "",
        "name": "https://andrefelipedonascime1778799406970.2241107.meusitehostgator.com.br/GpazlLUWIJ_14_05_Meus_ArquivosDeTexto/02.txt"
      },
      {
        "id": "",
        "name": "https://pengajian.muliastudy.com/images/edu/u.php"
      },
      {
        "id": "",
        "name": "http://pengajian.muliastudy.com/images/edu/u.php"
      },
      {
        "id": "",
        "name": "c356aff1a01c2b0da472e584c8e3c8f875b9a24280435d42836a77b19f5a8c18"
      },
      {
        "id": "",
        "name": "d5b7247c497788cf0031ceb06e3df77a45fef59f1e49633dc7159816d64759b5"
      },
      {
        "id": "",
        "name": "e91fb249aa97be5c7931e430781167edfe7ba804720b5f643e6ab70b7e6e74dd"
      },
      {
        "id": "",
        "name": "f1c3ebe78bd8c38559bf3cfcc9a9fa37d221e31780774a3787e26160a61f5348"
      },
      {
        "id": "",
        "name": "c61b1941cf756eb7551f7c661743802362728b785adc22e860d269713dfb01a6"
      }
    ],
    "attack_patterns": [
      {
        "id": "a706defa-5a99-4a26-b1be-ac6c1fc20b92",
        "name": "T1562.006"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "7dc1bc79-ccad-419e-b7c0-0f7fa8522270",
        "name": "T1055.012"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "f552f67b-e22a-4c57-8989-7ff3b5e995b1",
        "name": "T1218.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "c998d878-b668-40dd-a84c-9ca7f73caaa4",
        "name": "T1497.003"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      },
      {
        "id": "1e573653-8e3c-42df-abd2-df73bd3e1266",
        "name": "T1218.004"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2023-46604"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "bth.startthewave.org"
      },
      {
        "id": "",
        "name": "xtadts.ddns.net"
      },
      {
        "id": "",
        "name": "catalogo.castrouria.com"
      },
      {
        "id": "",
        "name": "andrefelipedonascime1778799406970.2241107.meusitehostgator.com.br"
      },
      {
        "id": "",
        "name": "pengajian.muliastudy.com"
      },
      {
        "id": "",
        "name": "afxwd.ddns.net"
      },
      {
        "id": "",
        "name": "fostercareintheus.optimizationprime.com"
      }
    ]
  },
  "external_refs": [
    "https://www.huntress.com/blog/malspam-to-loader-delivery-chain-analysis",
    "https://otx.alienvault.com/pulse/6a2836368857c87f205e9605"
  ]
}