Keypoints
- Lure document created two days before Taiwan’s national elections and delivered via an archive containing an LNK file and a __MACOS folder with the payload.
- Infection chain is multi-stage and ends with a Cobalt Strike beacon; beacon configurations and malleable C2 profiles vary between samples, but every beacon carries the same watermark value (100000000).
- C2 configuration observed: C2Server set to www.cybereason[.]xyz with /mobile-android as the GET (check-in) path and HttpPostUri set to /RELEASE_NOTES; a second configuration used updateservice[.]store, with upserver.updateservice[.]store as the beacon's subdomain.
- Attack infrastructure (updateservice[.]store registered Dec 12, 2023; cybereason[.]xyz registered Oct 27, 2023) was anonymously registered, and both servers were unreachable at the time of reporting.
- Artifacts indicate DLL hijacking: a legitimate executable from a known vendor was used to load a malicious DLL placed alongside it (the side-loading pattern). Tools and malware observed include ShadowPad, Winnti, and Cobalt Strike.
- Overlap with the I-Soon data leak: shared victims, shared malware and tooling, and source IPs traced to Chengdu (where I-Soon's penetration teams are based), suggesting a possible link.
MITRE Techniques
- [T1566] Phishing – Social engineering via email was a primary infection vector (‘using email, resorting to social engineering as one of its main avenues of infection’)
- [T1566.001] Spearphishing Attachment – Malicious archive contained an LNK file used in the lure (‘The folder also contained an LNK file and a __MACOS folder with payload’)
- [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – A legitimate vendor executable was abused to load a malicious DLL placed beside it (‘an executable file abused for DLL hijacking.’)
- [T1071.001] Application Layer Protocol: Web Protocols – C2 used HTTP GET for check-in and HTTP POST for output (‘C2Server – www.cybereason.xyz,/mobile-android HttpPostUri – /RELEASE_NOTES’)
Indicators of Compromise
- [Domain] C2 infrastructure – updateservice[.]store (subdomain upserver.updateservice[.]store), cybereason[.]xyz (www.cybereason[.]xyz; a look-alike of the security vendor's name, not to be confused with the legitimate cybereason.com)
- [File artifact] Lure and payload files – LNK file in the delivery archive; a __MACOS folder containing the payload timestamped Dec. 22, 2023
- [Malware/tool] Observed implants and frameworks – Cobalt Strike, ShadowPad, Winnti
- [Registration metadata] Domain registration dates – updateservice[.]store (registered Dec 12, 2023), cybereason[.]xyz (registered Oct 27, 2023)
The technical chain begins with a tailored archive delivered through email-based social engineering; the archive contains an LNK shortcut and an accompanying __MACOS directory that holds the staged payload. Executing the LNK starts a multi-stage loader sequence that relies on DLL search-order hijacking (a legitimate vendor executable loads a malicious DLL placed next to it) and further staging to deploy a Cobalt Strike beacon. The beacons share the Cobalt Strike watermark 100000000 while their malleable C2 profiles, configurations and URLs vary across archives. That watermark is widely seen in cracked Cobalt Strike builds, so on its own it is a weak pivot for attribution and should be treated as corroborating rather than identifying evidence.
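The DLL-hijacking step above can be surfaced from image-load telemetry. The Python below is an added example, not code from the report: it takes Sysmon-style Event ID 7 records (Image, ImageLoaded, Signed) and flags a process that loads a DLL from its own user-writable directory when that DLL is either unsigned or carries the name of a library that normally lives in System32. The records, the paths, the vendor name "vendortool.exe" and the list of commonly hijacked DLL names are all constructed for illustration.

```python
import ntpath

# Roots where a DLL sitting next to its executable is the normal layout.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Illustrative subset of System32 library names that are commonly planted beside a
# legitimate executable so the loader's search order finds the planted copy first.
COMMON_HIJACK_NAMES = {"version.dll", "dbghelp.dll", "userenv.dll", "wtsapi32.dll",
                       "cryptsp.dll", "profapi.dll", "winmm.dll", "msimg32.dll"}


def _norm_dir(path):
    """Lower-cased directory of a Windows path with a trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def classify(event):
    """Return a reason string if an ImageLoad event looks like DLL hijacking, else None.

    event carries Sysmon Event ID 7 fields: Image (the process executable),
    ImageLoaded (the DLL) and Signed (signature status of the loaded DLL)."""
    exe_dir = _norm_dir(event["Image"])
    dll_dir = _norm_dir(event["ImageLoaded"])
    dll_name = ntpath.basename(event["ImageLoaded"]).lower()
    if dll_dir != exe_dir:
        return None  # loaded from System32 or elsewhere; not the side-by-side pattern
    if dll_dir.startswith(TRUSTED_ROOTS):
        return None  # vendor install tree; its own DLLs belong here
    if dll_name in COMMON_HIJACK_NAMES:
        return "system DLL name %s loaded from executable directory" % dll_name
    if str(event.get("Signed", "false")).lower() != "true":
        return "unsigned DLL %s loaded from executable directory" % dll_name
    return None


def scan(events):
    """Run classify over a batch and return (Image, ImageLoaded, reason) for each hit."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev["Image"], ev["ImageLoaded"], reason))
    return hits


# Constructed events. The extraction directory mirrors the report's __MACOS folder;
# "vendortool.exe" stands in for the unnamed vendor executable.
STAGING = r"C:\Users\alice\AppData\Local\Temp\invite\__MACOS"
EVENTS = [
    {"Image": STAGING + r"\vendortool.exe", "ImageLoaded": STAGING + r"\version.dll", "Signed": "false"},
    {"Image": STAGING + r"\vendortool.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Example Vendor\vendortool.exe",
     "ImageLoaded": r"C:\Program Files\Example Vendor\vendorlog.dll", "Signed": "true"},
    {"Image": STAGING + r"\vendortool.exe", "ImageLoaded": STAGING + r"\plugin.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for image, dll, reason in scan(EVENTS):
        print(reason, "|", image, "->", dll)
```

Only the two loads from the temp directory are reported; the System32 load and the DLL under the vendor's Program Files tree are not. In production, also compare Sysmon's Signature field against the signer of the process executable itself, since a vendor executable loading a DLL signed by someone else from a temp path is the strongest form of this signal.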
Command-and-control ran over HTTP. In the observed beacon configuration the C2Server field is www.cybereason[.]xyz with /mobile-android as the GET (check-in) URI, and HttpPostUri is /RELEASE_NOTES, the path to which task output is POSTed; a second configuration used upserver.updateservice[.]store under the updateservice[.]store domain. Both domains were anonymously registered in late 2023 and were offline when the report was written. The campaign also deployed ShadowPad and Winnti, so the Cobalt Strike stage is one of several implant families the operators had available for persistence, lateral movement, and data collection.
Investigators noted overlaps with the I-Soon data leak: shared victim identifiers, a common malware and tool set, and source IPs traced to Chengdu (the same region tied to I-Soon's penetration teams). For detection and response: alert on LNK files launched from archive-extraction or temp directories; on image-load events where a signed vendor executable loads a DLL from its own user-writable directory, especially a DLL whose name normally lives in System32; on any HTTP traffic to the listed domains and on POSTs to /RELEASE_NOTES from hosts that have no business reason for them; and on existing signatures and behavioral detections for ShadowPad, Winnti, and Cobalt Strike beacon traffic.
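As an added example that is not part of the original report, the following Python derives the beacon's GET and POST paths from the C2Server and HttpPostUri fields quoted above, refangs the published domains, and applies both to proxy log lines. The log format, the timestamps and every host other than the published IOCs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Published, defanged IOCs from the report. Everything else in this block is constructed.
DEFANGED_DOMAINS = ["updateservice[.]store", "upserver.updateservice[.]store", "cybereason[.]xyz"]
# Cobalt Strike beacon config fields as reported: C2Server is "host,/get-uri" and
# HttpPostUri is the path the beacon POSTs task output to.
C2SERVER = "www.cybereason[.]xyz,/mobile-android"
HTTP_POST_URI = "/RELEASE_NOTES"


def refang(ioc):
    """Turn the defanged form used in reports back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def parse_c2server(value):
    """Split a Cobalt Strike C2Server value into (host, get_uri)."""
    host, _, uri = refang(value).partition(",")
    return host.strip().lower(), (uri.strip() or "/")


def build_iocs():
    """Refanged, lower-cased domain list, including the host taken from C2Server."""
    domains = {refang(d).lower() for d in DEFANGED_DOMAINS}
    domains.add(parse_c2server(C2SERVER)[0])
    return sorted(domains)


def host_matches(host, domains):
    """Exact or subdomain match: upserver.updateservice.store hits updateservice.store,
    while the vendor's real cybereason.com does not hit cybereason.xyz."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


LINE_RE = re.compile(r"^(\S+) (GET|POST|PUT|HEAD) (\S+) (\d{3})$")


def scan_log(text, domains, get_uri, post_uri):
    """Return (timestamp, url, severity, reason) for each suspicious proxy log line."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, method, url, _status = m.groups()
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host_matches(host, domains):
            alerts.append((ts, url, "high", "host matches published C2 domain"))
        elif method == "POST" and parts.path == post_uri:
            alerts.append((ts, url, "medium", "POST to beacon HttpPostUri on unlisted host"))
        elif method == "GET" and parts.path == get_uri:
            alerts.append((ts, url, "low", "GET to beacon C2Server URI on unlisted host"))
    return alerts


# Constructed proxy log lines (timestamp, method, URL, status); not from the report.
SAMPLE_LOG = """\
2024-01-11T08:02:13Z GET http://www.cybereason.xyz/mobile-android 200
2024-01-11T08:02:14Z POST http://www.cybereason.xyz/RELEASE_NOTES 200
2024-01-11T08:03:01Z GET https://www.cybereason.com/blog 200
2024-01-11T08:05:44Z POST https://upserver.updateservice.store/RELEASE_NOTES 200
2024-01-11T08:06:00Z POST https://example.org/RELEASE_NOTES 404
2024-01-11T08:06:30Z GET https://cdn.example.net/updateservice.store 200
"""


def run_sample():
    """Scan the constructed log with the report's domains and beacon URIs."""
    _host, get_uri = parse_c2server(C2SERVER)
    return scan_log(SAMPLE_LOG, build_iocs(), get_uri, HTTP_POST_URI)


if __name__ == "__main__":
    for ts, url, sev, why in run_sample():
        print(ts, sev.upper(), url, "-", why)
```

The three requests to the published domains are rated high, the POST to /RELEASE_NOTES on an unlisted host is rated medium because the path is distinctive but not unique, and the requests to cybereason.com and to a URL that merely contains the string "updateservice.store" in its path produce nothing. Severity on the path-only matches should be tuned to the environment; the domain matches are safe to block outright.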