Key points
- Threat actors distributed malicious ISO disk images via search-engine advertisements that impersonated the download pages of widely used business applications (AnyDesk, WinSCP, Cisco AnyConnect, Slack, TreeSize).
- Each ISO contained a ZIP archive holding a Python interpreter (python.exe) together with its dependency files; one of the DLLs that python.exe loads from that bundle carried malicious code that ran a Meterpreter stager (DLL side-loading by a legitimate, signed host process).
- The Meterpreter stager provided remote access, enabling credential harvesting, persistence, and data exfiltration, with extortion as an end goal.
- Researchers traced the campaign back to at least May 2023 and observed a focus on targets in North America (six U.S. organizations and one in Canada identified so far).
- There were observed attempts to deploy BlackCat ransomware during follow-on stages of the intrusion.
MITRE Techniques
- [T1189] Drive-by Compromise – Malicious ads and fake download pages delivered the initial payload (‘…set up fake websites for high-interest software and promote them on top of the results page through advertisements.’). Note that no browser exploitation is described: the victim still has to download and run the file, so the ad purchase itself is better described by T1583.008 (Acquire Infrastructure: Malvertising) and the execution by T1204.002 below.
- [T1204.002] User Execution: Malicious File – Victims needed to download and run the delivered ISO/contained executable (‘the malicious ISO file contained a ZIP archive holding a Python executable and its dependencies.’)
- [T1105] Ingress Tool Transfer – The ISO/ZIP carries python.exe, its DLLs and the stager to the victim (‘the malicious ISO file contained a ZIP archive holding a Python executable and its dependencies.’); a Meterpreter stager is, by design, only the small first stage, so the full Meterpreter payload and any later tooling are pulled down over the C2 connection it opens.
- [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking / DLL Side-Loading – A DLL loaded by the legitimate python.exe process was used to run the malicious code (Meterpreter stager) (‘One DLL loaded by the python.exe process was set to execute malicious code in the form of a Meterpreter stager…’). Older ATT&CK versions tracked side-loading separately as T1574.002; the observed behaviour is the same either way: a trusted signed binary loads an attacker-supplied DLL that sits next to it.
- Credential Access (TA0006) followed by [T1078] Valid Accounts – Credential harvesting is named as the attackers’ main objective (‘the attackers’ primary goal is to obtain credentials…’); the page does not name the specific dumping technique used, but the harvested credentials are what enable lateral movement and persistence under legitimate accounts (T1078).
- [T1547] Boot or Logon Autostart Execution (Persistence) – Actors attempted to establish persistence on important systems (‘set up persistence on important systems’); the page does not state which autostart mechanism was used.
- [T1041] Exfiltration Over C2 Channel – Data exfiltration was a goal during the intrusion dwell time (‘…exfiltrate data, with extortion as the end goal.’)
- [T1486] Data Encrypted for Impact (Ransomware) – Attempts were observed to deploy BlackCat ransomware after initial access (‘We also noticed attempts to deploy BlackCat ransomware.’)
Indicators of Compromise
The page gives no hashes, domains or IP addresses; the entries below are the behavioural artifacts it describes, which is what a hunt has to key on until the vendor IOC list is obtained.
- [File type] Malicious container artifacts – a downloaded ISO disk image that contains a ZIP archive; the ZIP holds python.exe, its dependency files and the malicious DLL
- [Executable] Payloads and loaders – python.exe (a Python interpreter used as the trusted host process) and the DLL it loads that runs the Meterpreter stager
- [Payload] Remote access stager – Meterpreter stager (run via the side-loaded DLL), with later attempts to deploy BlackCat ransomware
- [Targeted software] Impersonated download pages – AnyDesk, WinSCP (also Cisco AnyConnect, Slack, TreeSize)
- [Targets] Victim geography/context – six organizations in the U.S. and one in Canada identified
- [Source reference] Research/IOCs published by vendor – Bitdefender whitepaper and blog post (full IOCs available to Bitdefender Advanced Threat Intelligence users)
The attack chain begins with malvertising: the actors buy search ads that mimic legitimate download pages for widely used business applications (AnyDesk, WinSCP, Cisco AnyConnect, Slack, TreeSize). A user who clicks the ad and downloads the offered file receives a malicious ISO disk image rather than the expected installer. That ISO contains a ZIP which unpacks a Python runtime (python.exe) alongside its dependencies and a specifically crafted DLL. ISO images are a popular lure container because Windows mounts them as a new drive letter, and on older or unpatched builds files inside a mounted image did not inherit the Mark-of-the-Web, so SmartScreen warnings were suppressed; the page does not state whether that was the motivation here.
When the user runs python.exe, the interpreter loads the attacker-supplied DLL from its own directory (DLL side-loading), and that DLL launches a Meterpreter stager, which connects out to the attackers’ infrastructure and retrieves the full Meterpreter payload. From that foothold the adversaries focus on harvesting credentials, establishing persistence on important systems, and moving laterally to locate valuable data. The ISO delivers the initial toolset, while the command-and-control channel is used for further tool transfer, exfiltration and control.
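The loader pattern above (a legitimate python.exe run from a mounted image or a Downloads folder, loading an unsigned DLL that sits beside it) is a good hunting target in image-load telemetry. The following is an added example, not code from the Bitdefender report: a small hunt over Sysmon-style Event ID 7 (Image loaded) records. The record format is a constructed key: value layout, the "trusted install directory" and "staging path" patterns are assumptions to adjust to your estate, and the sample events are constructed to show one benign and two suspicious loads.

```python
# Added example, not from the original page: hunt for the python.exe DLL
# side-loading pattern in Sysmon-style Event ID 7 (Image loaded) records.
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: where a legitimately installed python.exe is expected to live.
TRUSTED_INSTALL_RE = re.compile(
    r"^C:\\(Program Files( \(x86\))?\\Python3\d+|Python3\d+)\\python\.exe$", re.I
)
# Assumption: user staging paths plus any non-system drive letter, which is where
# a mounted ISO (D:, E:, ...) or an extracted ZIP would put the bundle.
STAGING_RE = re.compile(
    r"^(C:\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\|C:\\Windows\\Temp\\|[D-Z]:\\)",
    re.I,
)


@dataclass
class ImageLoad:
    image: str              # Sysmon "Image": the process doing the loading
    image_loaded: str       # Sysmon "ImageLoaded": the DLL that was mapped
    signed: bool            # Sysmon "Signed" for the loaded DLL
    signature_status: str   # Sysmon "SignatureStatus", e.g. "Valid"


def parse_event(line: str) -> ImageLoad:
    """Parse one constructed 'Key: value; Key: value' record into an ImageLoad."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.partition(":")   # split on the first colon only
        fields[key.strip()] = value.strip()
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature_status=fields.get("SignatureStatus", "Unavailable"),
    )


def sideload_indicators(ev: ImageLoad) -> list[str]:
    """Return the reasons an image-load event looks like python.exe side-loading."""
    proc = PureWindowsPath(ev.image)
    dll = PureWindowsPath(ev.image_loaded)
    reasons: list[str] = []
    if proc.name.lower() != "python.exe":
        return reasons                       # only python.exe is in scope here
    trusted = bool(TRUSTED_INSTALL_RE.match(ev.image))
    if not trusted:
        reasons.append("python.exe outside a known install directory")
    if STAGING_RE.match(ev.image):
        reasons.append("python.exe on a staging path or non-system volume")
    if not trusted and dll.parent == proc.parent:
        reasons.append("DLL loaded from the same untrusted directory as python.exe")
    if not ev.signed or ev.signature_status.lower() != "valid":
        reasons.append("loaded DLL is unsigned or its signature is not valid")
    return reasons


def hunt(lines) -> list[tuple[ImageLoad, list[str]]]:
    """Run the indicators over raw records and keep only the flagged events."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = sideload_indicators(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry (not real events from the campaign).
SAMPLE_EVENTS = [
    # benign: installed interpreter loading its own signed runtime DLL
    r"Image: C:\Program Files\Python311\python.exe; ImageLoaded: C:\Program Files\Python311\python311.dll; Signed: true; SignatureStatus: Valid",
    # benign: same interpreter loading a signed OS DLL
    r"Image: C:\Program Files\Python311\python.exe; ImageLoaded: C:\Windows\System32\kernel32.dll; Signed: true; SignatureStatus: Valid",
    # suspicious: python.exe run from a mounted image (D:) loading an unsigned sibling DLL
    r"Image: D:\Slack\python.exe; ImageLoaded: D:\Slack\python311.dll; Signed: false; SignatureStatus: Unavailable",
    # suspicious: python.exe extracted under Downloads loading an unsigned DLL beside it
    r"Image: C:\Users\alice\Downloads\AnyDesk\python.exe; ImageLoaded: C:\Users\alice\Downloads\AnyDesk\python311.dll; Signed: false; SignatureStatus: Unavailable",
    # out of scope: a different host process
    r"Image: C:\Windows\explorer.exe; ImageLoaded: C:\Windows\System32\shell32.dll; Signed: true; SignatureStatus: Valid",
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(ev.image, "->", ev.image_loaded)
        for r in reasons:
            print("   ", r)
```

The signature check is the load-bearing one: a real Python runtime ships signed DLLs, so python.exe mapping an unsigned python3xx.dll from its own directory is the side-loading signature regardless of where the bundle was unpacked. The path rules only raise the score; an attacker can always drop the bundle somewhere that looks ordinary.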
During post-compromise activity the actors attempted to deploy BlackCat ransomware in some intrusions. The campaign, tracked back to at least May 2023, has primarily targeted organizations in North America (six in the U.S. and one in Canada identified so far). Full, up-to-date indicators of compromise and technical artifacts are documented in the vendor whitepaper referenced by the researchers.