216.73.217.139

Likely Belarus-Nexus Threat Actor Delivers Downloader to Poland

· Published 14/07/2025 11:55 · Modified 14/07/2025 14:13

Export JSON

Essential information

Published
14/07/2025 11:55
Modified
14/07/2025 14:13
Tags
2025-07-14 downloader scheduled task steganography
Related entities
9 observables, 1 intrusion sets (apt), 8 techniques (mitre), 2 malware, 7 others

Description

A malicious CHM file targeting Poland was discovered, containing an infection chain that drops and executes a C++ . The CHM file displays a decoy image while executing obfuscated JavaScript to extract and run a DLL. The retrieves a payload from a domain associated with previous Belarus-linked threat activities. The payload is encrypted and appended to an image file. The infection process involves multiple stages, including the use of LOLbins and the creation of a for persistence. This campaign shows similarities to activities attributed to threat actors like FrostyNeighbor and UNC1151, known for targeting Eastern European countries.

External references