
“The malware exhibits advanced anti-analysis techniques, including anti-VM, anti-debugging, and process injection detection, alongside extensive credential harvesting, surveillance capabilities, and remote system control,” they said. “Stolen data is exfiltrated as ZIP archives over Discord webhooks and Telegram bots.”
Initial access and memory-resident execution
The infection chain begins with a small batch script that establishes persistence through a per-user Registry Run key. Rather than deploying a full executable, the script launches a PowerShell-based loader, reducing the likelihood of immediate detection by traditional endpoint security tools.
This PowerShell loader decodes and executes shellcode generated using Donut, an open-source framework commonly used to convert .NET assemblies into position-independent shellcode. The shellcode injects the payload directly into memory, avoiding the need to write a portable executable to disk.
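A detection-side illustration of this stage, added here and not part of the article or of the malware: a small triage script that parses a constructed .reg export of a per-user Run key and scores each entry on the traits this chain relies on (a PowerShell launch, an encoded command, a hidden window, an execution-policy bypass, a batch file in a user-writable directory). The registry values, paths and the encoded blob are constructed sample data.

```python
import re

# Constructed .reg-style export of a per-user Run key; the entries are made up for
# this example and are not taken from the article or from any real sample.
SAMPLE_RUN_KEY = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="cmd.exe /c \"C:\\Users\\alice\\AppData\\Roaming\\svc\\upd.bat\""
"SysHelper"="powershell.exe -nop -w hidden -ep bypass -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
'''

# One "Name"="Value" line of a .reg export; both sides may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')

# Heuristics matched against the lower-cased command line of each Run value.
# Each one alone is weak (admins use -ep bypass too); the triage score combines them.
RULES = [
    ("powershell_launch", re.compile(r"\b(powershell|pwsh)(\.exe)?\b")),
    ("encoded_command",   re.compile(r"\s-(e|ec|en|enc|encodedcommand)\s+[a-z0-9+/=]{16,}")),
    ("hidden_window",     re.compile(r"\s-w(indowstyle)?\s+hidden\b")),
    ("bypass_policy",     re.compile(r"\s-(ep|ex|executionpolicy)\s+bypass\b")),
    ("script_launcher",   re.compile(r"\b(cmd(\.exe)?\s+/[ck]|wscript|cscript|mshta)\b|\.(bat|cmd|vbs|js)\b")),
    ("user_writable_dir", re.compile(r"\\appdata\\(roaming|local\\temp)\\|\\users\\public\\|\\programdata\\")),
]

def unescape(text):
    """Undo .reg escaping (backslash-quote and backslash-backslash) in one pass."""
    return re.sub(r"\\(.)", r"\1", text)

def parse_run_values(reg_text):
    """Yield (value_name, command_line) for every value line in the export."""
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            yield unescape(m.group(1)), unescape(m.group(2))

def triage_run_key(reg_text, threshold=2):
    """Map value_name -> matched rule names for entries hitting at least `threshold` rules."""
    findings = {}
    for name, cmd in parse_run_values(reg_text):
        hits = [rule for rule, pat in RULES if pat.search(cmd.lower())]
        if len(hits) >= threshold:
            findings[name] = hits
    return findings

if __name__ == "__main__":
    for name, hits in triage_run_key(SAMPLE_RUN_KEY).items():
        print(f"{name}: {', '.join(hits)}")
```

The same rules apply unchanged to Sysmon Event ID 13 (registry value set) details or to `reg query` output, which is where a SOC would normally run them rather than on an exported file.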
