New PEAKLIGHT Dropper Deployed in Attacks Targeting Windows with Malicious Movie Downloads
Briefly

"This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT," Google-owned Mandiant stated, highlighting the sophistication of the attack.
"PEAKLIGHT is an obfuscated PowerShell-based downloader that is part of a multi-stage execution chain that checks for the presence of ZIP archives in hard-coded file paths," emphasized Mandiant researchers.
"The starting point of the attack chain is a Windows shortcut (LNK) file that's downloaded via drive-by download techniques... disguised as pirated movies," Mandiant added, offering insight into the deceptive tactics used.
"Some of the malware strains distributed using this technique are Lumma Stealer, Hijack Loader, and CryptBot, all of which are advertised under the malware-as-a-service (SaaS) model," the researchers noted, detailing the specific threats involved.
Read at The Hacker News