Cyber attackers never stop inventing new ways to compromise their targets. That’s why organizations need to be aware of the latest threats.
Here’s a quick overview of the current malware and phishing attacks you need to be aware of to protect your infrastructure before they get to you.
Zero-day attack: Corrupted malicious files are not detected by most security systems
The ANY.RUN team of analysts recently shared their analysis of the current zero-day attack. It has been active since at least August, and to this day remains undetected by most detection programs.
The attack involves the use of deliberately corrupted Word documents and ZIP archives with malicious files inside.
VirusTotal shows 0 detections for one of the corrupted files
Due to the corruption, security systems cannot properly identify the type of these files and analyze them, resulting in zero threat detection.
Word will ask the user if they want to repair the damaged file
Once these files are delivered to the system and opened with their native programs (Word for docx and WinRAR for zip), the programs repair them, presenting the victim with the malicious content.
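As an added illustration (not part of the original post or of ANY.RUN's tooling), the following Python script shows the defensive side of this evasion: a file that a strict ZIP parser rejects can still be recognised as a damaged Office document by walking its local file headers directly. The sample docx-like archive and the damage applied to it are constructed here, not taken from the campaign.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
# Entry names that identify an Office Open XML container (docx/xlsx/pptx are ZIP archives).
OOXML_MARKERS = (b"[Content_Types].xml", b"word/document.xml",
                 b"xl/workbook.xml", b"ppt/presentation.xml")


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal docx-like ZIP built in memory (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def corrupt(data: bytes) -> bytes:
    """Constructed damage: drop the end-of-central-directory record (last 40 bytes).
    Strict parsers now refuse the file, but every local entry is still intact."""
    return data[:-40]


def parses_as_zip(data: bytes) -> bool:
    """True only if the standard library accepts the archive and all CRCs check out."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def carve_entry_names(data: bytes) -> list:
    """Walk local file headers directly, ignoring the (possibly missing) central directory."""
    names = []
    pos = data.find(ZIP_LOCAL_HEADER)
    while pos != -1 and pos + 30 <= len(data):
        # Offsets 26 and 28 of a local header hold the name and extra-field lengths.
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        names.append(data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace"))
        pos = data.find(ZIP_LOCAL_HEADER, pos + 30 + name_len + extra_len)
    return names


def classify(data: bytes) -> str:
    """Triage verdict: a damaged archive that still carries Office parts deserves a closer look."""
    if parses_as_zip(data):
        return "valid-zip"
    if ZIP_LOCAL_HEADER not in data:
        return "not-zip"
    if any(marker in data for marker in OOXML_MARKERS):
        return "corrupted-ooxml"
    return "corrupted-zip"
```

A scanner that stops at "not a ZIP file" never reaches the carving step; a triage pipeline that treats "corrupted-ooxml" as suspicious rather than as unknown closes that gap.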
ANY.RUN Sandbox is one of the few tools that detect this threat. It allows users to manually open and restore corrupted malicious files in a fully interactive cloud-based virtual machine with the appropriate applications. This allows you to see what payload the file contains.
Recovered document with phishing QR code analyzed in ANY.RUN sandbox
Take this sandbox session with a corrupted Word document. Once the document is repaired, we see that it contains a QR code with an embedded phishing link.
ANY.RUN interactive sandbox marks the document and its contents as malicious
The sandbox automatically detects the malicious activity and notifies you about it.
Try the ANY.RUN interactive sandbox to see how it can speed up and improve your malware analysis.
Fileless Malware Attack via PowerShell Script Distributes Quasar RAT
Another notable recent attack involves a fileless loader called PSLoramyra that loads the Quasar RAT onto infected devices.
ANY.RUN identifies PSLoramyra and its malicious activities
This sandbox session shows how the PSLoramyra loader uses the LOLBAS (Living Off the Land Binaries and Scripts) technique to run a PowerShell script once it has gained an initial foothold on the system.
The process tree in ANY.RUN shows the entire chain of execution
The script dynamically loads the malicious payload into memory, identifies and uses the Execute method from the loaded .NET assembly, and finally injects Quasar into a legitimate process such as RegSvcs.exe.
The ANY.RUN sandbox logs all network activity and detects the Quasar C2 connection
The malware functions entirely in system memory, ensuring that it leaves no traces on the physical drive. To maintain its presence, it creates a scheduled task that runs every two minutes.
Abuse of Azure Blob Storage in Phishing Attacks
Cybercriminals now host phishing pages on Azure cloud storage using the *.blob(.)core(.)windows(.)net subdomain.
Attackers use a script to collect information about the victim's software, such as the OS and browser, and display it on the page to make it look more trustworthy. See an example:
A fake login form that asks the user to enter their information
The goal of the attack is to trick the victim into entering their login credentials into a fake form, which are then collected and stolen.
Emmenhtal Loader uses scripts to deliver Lumma, Amadey and other malware
Emmenhtal is a new threat that has been involved in several campaigns over the past year. In one of the latest attacks, criminals use scripts to facilitate an execution chain that includes the following steps:
- The LNK file initiates Forfiles
- Forfiles finds the HelpPane
- PowerShell runs Mshta with an AES-encrypted first-stage payload
- Mshta decrypts and executes the downloaded payload
- PowerShell runs the AES-encrypted command to decrypt Emmenhtal
The entire execution chain is demonstrated by the ANY.RUN interactive sandbox
The Emmenhtal loader, which is the final PowerShell script, executes a payload (often Updater.exe) using a binary file with a generated name as an argument.
This leads to infection by malware families such as Lumma, Amadey, HijackLoader or ArechClient2.
Analyze the latest cyber attacks with ANY.RUN
Equip yourself with ANY.RUN’s interactive sandbox for advanced malware and phishing analysis. The cloud service provides you with a secure and full-featured virtual machine environment, allowing you to freely interact with the malicious files and URLs you submit.
It also automatically detects malicious network and system activity in real time.
- Identify threats in less than 40 seconds
- Save resources on setup and maintenance
- Log and audit all malicious activity
- Work with your team in private mode
Get a 14-day free trial of ANY.RUN to check out all the features it has to offer.