Likely Belarus-Nexus Threat Actor Delivers Downloader to Poland
Essential information
- Published
- 14/07/2025 11:55
- Modified
- 14/07/2025 14:13
- Tags
- 2025-07-14 downloader scheduled task steganography
- Related entities
- 9 observables, 1 intrusion sets (apt), 8 techniques (mitre), 2 malware, 7 others
Description
A malicious CHM file targeting Poland was discovered, containing an infection chain that drops and executes a C++ downloader. The CHM file displays a decoy image while executing obfuscated JavaScript to extract and run a DLL. The downloader retrieves a payload from a domain associated with previous Belarus-linked threat activities. The payload is encrypted and appended to an image file. The infection process involves multiple stages, including the use of LOLbins and the creation of a scheduled task for persistence. This campaign shows similarities to activities attributed to threat actors like FrostyNeighbor and UNC1151, known for targeting Eastern European countries.