
"The VBScript drops three files in the startup folder, including NOVUpdate.exe, a signed G DATA antivirus updater abused for DLL sideloading to execute a PlugX malware variant."
"Within seconds after being dropped, NOVUpdate.exe creates a TCP connection to its command-and-control (C&C) infrastructure on Alibaba Cloud."
"The script also wraps the entire malicious payload section in an On Error Resume Next statement, silently swallowing any errors so that failures in the deployment do not produce visible error dialogs that might alert the victim."
A fraudulent website imitating Anthropic Claude was found distributing a remote access trojan. The site offered a ZIP file claiming to be a pro version of the LLM; it contained an MSI installer that mimicked the legitimate installation process. Upon launching the app, a VBScript executed, running the real application while simultaneously installing malware. The malware included a signed G DATA updater used for DLL sideloading to deploy PlugX, a known RAT. The infection chain was linked to phishing campaigns using fake meeting invitations.
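The two observable traits in this chain are a VBScript that wraps its payload in On Error Resume Next and then launches a process, and an executable dropped into a Startup folder next to a DLL (the sideloading layout). The following is an added defensive example, not code from SecurityWeek or from the report it summarizes: a small Python triage script that scans a folder for both patterns. File names (launch.vbs, updater.exe, helper.dll) and the sample contents are constructed for the demo, not indicators from the campaign; the Windows Startup paths are the standard per-user and all-users locations.

```python
import os
import re
import tempfile
from pathlib import Path

# Heuristic 1: a script that disables error reporting globally AND launches a process.
SUPPRESS_RE = re.compile(r"^\s*On\s+Error\s+Resume\s+Next\b", re.IGNORECASE | re.MULTILINE)
LAUNCH_RE = re.compile(
    r'CreateObject\s*\(\s*"(?:WScript\.Shell|Shell\.Application)"\s*\)|\.Run\b|ShellExecute',
    re.IGNORECASE,
)
SCRIPT_EXTS = {".vbs", ".vbe", ".wsf", ".js", ".jse"}


def startup_dirs():
    """Per-user and all-users Startup folders on Windows (empty list elsewhere)."""
    dirs = []
    for var, tail in (("APPDATA", "Microsoft/Windows/Start Menu/Programs/Startup"),
                      ("PROGRAMDATA", "Microsoft/Windows/Start Menu/Programs/StartUp")):
        base = os.environ.get(var)
        if base:
            dirs.append(Path(base) / tail)
    return dirs


def scan_startup_dir(path):
    """Return a list of (filename, reason) findings for one folder."""
    folder = Path(path)
    files = [f for f in folder.iterdir() if f.is_file()]
    dll_names = sorted(f.name for f in files if f.suffix.lower() == ".dll")
    findings = []
    for f in files:
        ext = f.suffix.lower()
        if ext in SCRIPT_EXTS:
            text = f.read_text(encoding="utf-8", errors="ignore")
            if SUPPRESS_RE.search(text) and LAUNCH_RE.search(text):
                findings.append((f.name, "script suppresses all errors and launches a process"))
        elif ext == ".exe" and dll_names:
            # Heuristic 2: an executable in Startup beside a DLL is the classic sideloading layout.
            findings.append((f.name, "executable in Startup with sibling DLL(s): " + ", ".join(dll_names)))
    return findings


def build_demo_dir():
    """Populate a temporary folder with CONSTRUCTED sample files (placeholders, not real artifacts)."""
    d = Path(tempfile.mkdtemp(prefix="startup_demo_"))
    (d / "launch.vbs").write_text(
        'On Error Resume Next\n'
        'Set sh = CreateObject("WScript.Shell")\n'
        'sh.Run "updater.exe", 0, False\n'
    )
    (d / "updater.exe").write_bytes(b"MZ")              # placeholder bytes, not a real PE
    (d / "helper.dll").write_bytes(b"MZ")               # placeholder sibling DLL
    (d / "benign.vbs").write_text('MsgBox "hello"\n')   # no error suppression, no launch
    (d / "readme.txt").write_text("nothing to see\n")
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    for name, reason in scan_startup_dir(demo):
        print(f"{name}: {reason}")
    # On a Windows host, also look at the real Startup folders.
    for real in startup_dirs():
        if real.is_dir():
            for name, reason in scan_startup_dir(real):
                print(f"{real / name}: {reason}")
```

Both heuristics are triage signals rather than verdicts: legitimate installers also place executables with helper DLLs, and some benign scripts use On Error Resume Next, so a hit should be followed by checking the executable's signature, whether the sibling DLL is signed by the same publisher, and any outbound connection the process makes shortly after launch.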
Read at SecurityWeek