A series of targeted phishing campaigns delivered financial-themed emails (invoices, payment advice, POs, quotes) with compressed or executable attachments that dropped loaders and keyloggers. Multiple malware families and C2 artifacts were observed, including widespread use of xLoader and various keyloggers. #xloader #snakekeylogger

Keypoints

  • Phishing emails impersonated business transactions (payment advice, invoices, SOAs, purchase orders, quotations).
  • Attachments were often compressed (rar, zip, lzh, 7z) or packaged as executables/ISOs and mapped to malware like xLoader, snakekeylogger, vipkeylogger, warmcookie, guloader, remcos, venomrat.
  • Some campaigns had large targeting sets — the largest recorded batch targeted 46 users; others ranged from 2 to 22 recipients.
  • Observed C2 and distribution infrastructure includes numerous domains and URLs (qidr.shop, f6b-crxy.top, many api.telegram.org bot endpoints) and FTP hosts.
  • Multiple file hashes and IP addresses are listed as indicators tied to different malware families and campaigns.
  • Email addresses from compromised or spoofed domains (e.g., starmech.net, fosna.net, azmaplast.com) were used in the messages.

MITRE Techniques

  • [T1566] Phishing – Deceptive emails used to deliver malicious attachments and trick recipients into opening them [‘Uses deceptive emails to trick users into opening malicious attachments.’]
  • [T1003] Credential Dumping – Malicious payloads aimed to harvest credentials from infected systems [‘Attempts to gather user credentials through malicious payloads.’]
  • [T1071] Command and Control – Compromised hosts communicated with attacker-controlled domains and APIs (including Telegram bot endpoints) [‘Utilizes various domains to maintain communication with compromised systems.’]
  • [T1210] Exploitation of Remote Services – Campaigns targeted remote services to escalate access or maintain persistence [‘Targets remote services to gain unauthorized access.’]
  • [T1486] Data Encrypted for Impact – Some activity included data-encryption capabilities to extort victims [‘Encrypts data to extort victims for ransom.’]

Indicators of Compromise

  • [File hashes] Malware samples – 00140ab45e4fcbba5f1b52f3058a8ac015771eb60348617843ac7ca841b8bae9 (xloader), 279fc80979106bdd10ca9992a9c242904a52185924705bcf90dd7cf0b4956732 (remcos), and many other hashes.
  • [Domains/URLs] C2 and distribution – qidr.shop/cu29, f6b-crxy.top/cu29, and numerous other short-lived hosting URLs and landing pages.
  • [API endpoints] Telegram bot C2 – https://api.telegram.org/bot7844099330, https://api.telegram.org/bot7725731697 used by keylogger families to exfiltrate data.
  • [IP addresses] Command servers – 103.124.107.115 (associated with remcos), 185.106.92.86:4040 (venomrat), and 154.216.18.238:1194 (xworm instances).
  • [Email addresses] Sender/recipient artifacts – mailboxes at the compromised or spoofed domains named above (starmech.net, fosna.net, azmaplast.com); the individual addresses are obfuscated in this extraction and are listed in the linked gist.
  • [Attachment/file names & types] Malicious delivery vectors – rar/zip/lzh/iso/exe attachments (e.g., “best price pdf.zip”, PO and invoice-themed attachments) mapping to xloader, snakekeylogger, vipkeylogger, warmcookie, guloader.

Security teams observed a recurring pattern of business-themed phishing lures over October 2024: invoices, payment advices, statements of account, purchase orders, and quotation requests. Attackers consistently used compressed archives and occasionally executable or ISO files to deliver payloads. The most frequently observed payload was xLoader, but campaigns also deployed multiple keyloggers (snakekeylogger, vipkeylogger), remote access tools (remcos, venomrat), and other loaders like warmcookie and guloader.

Targets varied from small recipient groups to bulk mailings — one batch reached 46 users while others hit between 2 and 22 recipients. Analysis of the artifacts revealed a wide set of indicators: numerous file hashes tied to different malware families, short-lived domains and URLs used for hosting or C2, Telegram bot endpoints leveraged by keyloggers for exfiltration, and several IP addresses/FTP hosts acting as command or file servers. Email addresses from legitimate-looking domains were used as senders or contacts to increase credibility.

Given the volume and diversity of tooling, defenders should prioritize blocking known C2 domains and Telegram bot endpoints, adding the listed file hashes to detections, and training finance and procurement teams to treat unsolicited invoice-related attachments with suspicion. Network and endpoint monitoring for connections to the cited IPs, unusual process execution from compressed attachments, and credential theft indicators will help detect and contain these campaigns early.
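As an added example that is not part of the original report or the linked gist, the following Python script sweeps a handful of constructed proxy, firewall, EDR and mail-gateway records against the indicators quoted above: the two file hashes, the two distribution domains, the Telegram bot endpoints, the three C2 addresses (honouring the ports the report gives) and the archive-attachment lure pattern. The `key=value` log format, the sample lines and the tag names are assumptions made for this example; only the indicator values come from the report.

```python
"""IoC sweep over constructed log lines (added example, not the report's own tooling).

Indicator values are the ones quoted in the report above. The key=value log
format and every sample line below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# SHA-256 hashes the report maps to a malware family.
HASH_IOCS = {
    "00140ab45e4fcbba5f1b52f3058a8ac015771eb60348617843ac7ca841b8bae9": "xloader",
    "279fc80979106bdd10ca9992a9c242904a52185924705bcf90dd7cf0b4956732": "remcos",
}
# Distribution hosts (the report lists the /cu29 landing path on both).
DOMAIN_IOCS = {"qidr.shop": "xloader-distribution", "f6b-crxy.top": "xloader-distribution"}
# The report quotes only the numeric bot-id portion of each Telegram token,
# so the check matches on that prefix rather than on a full token.
TELEGRAM_BOT_IOCS = {"7844099330": "keylogger-exfil", "7725731697": "keylogger-exfil"}
# C2 addresses; a port of None means the report gave no port, so any port matches.
IP_IOCS = {
    ("103.124.107.115", None): "remcos",
    ("185.106.92.86", 4040): "venomrat",
    ("154.216.18.238", 1194): "xworm",
}
# Container formats the report names as delivery vectors.
ARCHIVE_EXTS = (".rar", ".zip", ".lzh", ".7z", ".iso")
# Finance-themed lure words drawn from the report's subject list.
FINANCE_RE = re.compile(
    r"\b(invoice|payment|purchase order|po|quot(e|ation)|soa|statement|price)\b", re.I
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a key=value record into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def check_url(url):
    """Tag URLs that hit a listed distribution host or a listed Telegram bot endpoint."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in DOMAIN_IOCS:
        return DOMAIN_IOCS[host]
    if host == "api.telegram.org":
        m = re.match(r"/bot(\d+)", parsed.path)
        if m and m.group(1) in TELEGRAM_BOT_IOCS:
            return TELEGRAM_BOT_IOCS[m.group(1)]
    return None


def check_ip(ip, port):
    """Tag connections to a listed C2 address; port-less indicators match any port."""
    return IP_IOCS.get((ip, port)) or IP_IOCS.get((ip, None))


def check_hash(sha256):
    """Tag a file whose SHA-256 is one of the listed samples (case-insensitive)."""
    return HASH_IOCS.get(sha256.lower())


def check_attachment(name):
    """Tag archive/ISO attachments whose name follows the finance-themed lure pattern."""
    lowered = name.lower()
    if lowered.endswith(ARCHIVE_EXTS) and FINANCE_RE.search(lowered):
        return "suspicious-finance-archive"
    return None


def sweep(lines):
    """Return (line_no, tag, evidence) for every record that matches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = parse_line(line)
        tag, evidence = None, None
        if "url" in f:
            tag, evidence = check_url(f["url"]), f["url"]
        elif "dst" in f:
            port = int(f["dport"]) if "dport" in f else None
            tag, evidence = check_ip(f["dst"], port), f["dst"]
        elif "sha256" in f:
            tag, evidence = check_hash(f["sha256"]), f["sha256"][:12] + "..."
        elif "attachment" in f:
            tag, evidence = check_attachment(f["attachment"]), f["attachment"]
        if tag:
            hits.append((n, tag, evidence))
    return hits


# Constructed sample records; lines 3, 5 and 9 are deliberate non-matching controls
# (an unlisted bot id, a listed IP on an unlisted port, a plain PDF attachment).
SAMPLE_LOGS = [
    "src=10.0.0.5 url=http://qidr.shop/cu29 action=allow",
    "src=10.0.0.5 url=https://api.telegram.org/bot7844099330/sendDocument action=allow",
    "src=10.0.0.9 url=https://api.telegram.org/bot1111111111/getMe action=allow",
    "src=10.0.0.7 dst=185.106.92.86 dport=4040 proto=tcp",
    "src=10.0.0.7 dst=185.106.92.86 dport=443 proto=tcp",
    "src=10.0.0.7 dst=103.124.107.115 dport=8080 proto=tcp",
    "host=WS-12 sha256=00140AB45E4FCBBA5F1B52F3058A8AC015771EB60348617843AC7CA841B8BAE9 proc=outlook.exe",
    'sender="accounts@example.net" attachment="best price pdf.zip" rcpt=finance@example.com',
    'sender="hr@example.com" attachment="handbook.pdf" rcpt=staff@example.com',
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print(hit)
```

The attachment check is intentionally a weak signal on its own (plenty of legitimate archives mention invoices); it is there to be combined with the source of the mail or with the execution-from-archive telemetry the report recommends watching, not to block on by itself.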

Read more: https://gist.github.com/silence-is-best/2688f9486b0447bc128949289d27bfae