Patchwork Dark Samurai False Flag Mythic RAT

MITRE Techniques

• [T1566] Phishing – Attackers sent spear-phishing emails with links to download compressed packages containing MSC files disguised as PDFs to obtain initial access. Quote: ‘发送“xxx”为主题的钓鱼邮件，诱使受害者点击钓鱼链接下载压缩包，内含伪装为PDF的msc文件’
• [T1218] Signed Binary Proxy Execution (mshta, regsvr32, rundll32, etc.) – Abuse of mmc.exe and copying/loading Dism.exe to load a malicious DLL in a white-then-black manner. Quote: ‘mmc.exe 触发 ActiveX 对象… 复制 Dism.exe 到本地并加载释放的恶意 DLL，以白加黑方式加载Mythic远控木马’
• [T1059] Command and Scripting Interpreter – Execution of multiple layers of obfuscated JavaScript (JScript) including XSL transformation to run remote JavaScript payloads. Quote: ‘利用 JScript 执行 XSL 转换… 请求嵌入在 StringTable 字段中url远程执行 javaScript代码’
• [T1547] Boot or Logon Autostart Execution – Creation of scheduled tasks and system startup items (MicrosoftEdgeUpdateTaskMachineCoreXUI) for persistence. Quote: ‘设置名为MicrosoftEdgeUpdateTaskMachineCoreXUI的计划任务’
• [T1105] Ingress Tool Transfer – JavaScript downloads and writes additional payloads (lure PDF and DismCore.dll) to disk from remote URLs. Quote: ‘下载诱饵文件到C:UsersPublicDrone_Information.pdf… 写入C:ProgramData… DismCore.dll’
• [T1027] Obfuscated Files or Information – Multi-layer JavaScript obfuscation, custom decoding (character flip, replacements, hex conversion, base64) to hide payloads. Quote: ‘第二层JavaScript混淆代码… 解码过程：翻转字符，替换$为4，替换!为1，转为十六进制，转为字符串，base64解码’
• [T1041] Exfiltration Over C2 Channel – Encrypted communications to C2 using AES/HMAC and POST via WinHTTP, checkin/action fields matching Mythic agent telemetry. Quote: ‘使用到 aes_hmac 加密通信内容… 使用WinHTTP API ，以POST方法发送数据… “action”:”checkin”… 与开源Mythic远控木马一致.’