Operation FlightNight: Indian Government Entities and Energy Sector Targeted by Cyber Espionage Campaign

EclecticIQ uncovered “Operation FlightNight,” an espionage campaign that used ISO attachments and LNK shortcuts to deliver a modified HackBrowserData stealer targeting Indian government agencies and energy companies. The malware harvested browser caches, documents, and credentials and exfiltrated them to attacker-operated Slack workspaces using Slack API calls. #OperationFlightNight #HackBrowserData

Keypoints

  • Operation FlightNight used spearphishing with an ISO attachment containing an LNK shortcut and a decoy PDF (Indian Air Force invitation) to deliver the payload.
  • The payload is a modified version of the open-source HackBrowserData stealer with added Slack-based exfiltration, document theft, and obfuscation features.
  • The malware creates a mutex file (Bkdqqxb.txt) in %TEMP%, decodes strings at runtime, and targets specific file types (Office, PDF, SQL) and browser cache data.
  • Collected data is staged (C:\Users\Public\results.zip) and uploaded to attacker-controlled Slack workspaces via the files.upload API; Slack tokens and workspace URLs were hard-coded in the binary.
  • Analysts recovered multiple SHA-256 hashes and Slack workspace domains used as command-and-control/exfiltration endpoints.
  • Detection and mitigation opportunities include monitoring ISO mount events (Event ID 12), enabling command-line process auditing for LNK execution, disabling browser password caching, and enforcing 2FA.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Delivery via a phishing email with an ISO containing a decoy PDF and malware (“The information stealer was delivered via a phishing email, masquerading as an invitation letter from the Indian Air Force.”)
  • [T1204] User Execution – Victim action required to run a deceptive LNK that activated the malware (“victims inadvertently executed a shortcut link that activated the hidden malware”)
  • [T1059] Command and Scripting Interpreter – Malware automated data collection and exfiltration via scripting/automation (“the malware likely used scripting to automate the stealing and exfiltration of data.”)
  • [T1547] Boot or Logon Autostart Execution – LNK use suggests potential autorun/bootstrap persistence strategies (“The use of an LNK file suggests that the attackers may have intended for the malware to execute upon startup or login.”)
  • [T1027] Obfuscated Files or Information – Binary stores encoded strings and uses obfuscation to evade detection (“malware obfuscation for the evasion”; “The malware obfuscated its code and stored encoded strings to evade detection.”)
  • [T1036] Masquerading – LNK masqueraded as a benign PDF icon to deceive users (“It appeared to be a harmless PDF document due to its misleading PDF icon.”)
  • [T1552.001] Credentials from Web Browsers – Tool stole browser credentials, cookies and histories using a modified open-source stealer (“steal browser login credentials, cookies, and history”)
  • [T1005] Data from Local System – Collected documents and cached browser data from the infected host (“The malware collected documents and cached web browser data from the victim’s device.”)
  • [T1074] Data Staged – Staged stolen browser data and documents into ZIP files prior to exfiltration (“Stolen data was staged in the form of a ZIP file before exfiltration.”)
  • [T1071] Application Layer Protocol – Used Slack API as command-and-control and exfiltration channel (“communicated with attacker-controlled Slack channels using the Slack API for exfiltration.”)
  • [T1048] Exfiltration Over Alternative Protocol – Exfiltrated data over Slack, an uncommon channel for data theft (“Data was exfiltrated over Slack, an alternative protocol not typically monitored for data theft.”)

Indicators of Compromise

  • [SHA-256 Hash] FlightNight payloads – 4455ca4e12b5ff486c466897522536ad753cd459d0eb3bfb1747ffc79a2ce5dd, 69c3a92757f79a0020cf1711cda4a724633d535f75bbef2bd74e07a902831d59, and 1 more hash
  • [SHA-256 Hash] GoStealer-related samples – a811a2dea86dbf6ee9a288624de029be24158fa88f5a6c10acf5bf01ae159e36, 4fa0e396cda9578143ad90ff03702a3b9c796c657f3bdaaf851ea79cb46b86d7, and 2 more hashes
  • [Domain / Slack workspace] Exfiltration/C2 endpoints – solucionesgeofisicas.slack[.]com, swiftrecruiters.slack[.]com, and 2 more domains (telcomprodicci.slack[.]com, alfarabischoolgroup.slack[.]com)
  • [File paths / names] Staging & mutex artifacts – %TEMP%\Bkdqqxb.txt (mutex), C:\Users\Public\results.zip (staged browser/data archive)
  • [Slack workspaces / API tokens] Hard-coded Slack access – attacker-controlled workspace URLs and bot tokens were embedded in the binary (examples: solucionesgeofisicas.slack[.]com, tucker-group.slack[.]com) and additional workspace URLs/tokens were recovered

The technical infection chain began with a spearphishing email containing an ISO attachment. Inside the ISO the actor placed a decoy PDF (an Indian Air Force invitation) alongside an LNK shortcut that used a misleading PDF icon; when a victim mounted the ISO and executed the LNK, the hidden executable launched and presented the decoy PDF to conceal activity while the payload ran covertly.

The payload is a modified HackBrowserData build: it decodes strings at runtime, creates a mutex file (Bkdqqxb.txt) in %TEMP%, and enumerates and extracts browser artifacts (credentials, cookies, history) across many Chromium- and Firefox-based browsers. It also searches for specific file types (Word, PowerPoint, Excel, PDF, SQL), stages results into C:\Users\Public\results.zip (CSV/browser data and document archives), and then uploads files to attacker-controlled Slack workspaces using Slack API methods (auth.test to validate connectivity and files.upload to send staged archives). Slack workspace URLs and API tokens were embedded in the binary, enabling direct exfiltration to channels named “FlightNight.”

Forensic and detection opportunities include hunting for ISO mount events (Microsoft-Windows-VHDMP-Operational Event ID 12 or SIGMA rule file_event_win_iso_file_recent), enabling command-line process auditing to detect LNK-driven child processes, monitoring large or repetitive outbound file uploads to unknown Slack workspaces, and reducing exposure by disabling browser credential caching and enforcing 2FA. The recovered artifacts (listed hashes, Slack domains, file paths) should be used in IR containment and threat hunting.
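The three detection signals above (VHDMP Event ID 12 ISO mounts, LNK-driven process creation, and bulk uploads to slack.com/api/files.upload) can be correlated per host. The example below is added here and is not EclecticIQ's code; the log rows are constructed, and the 1 MB upload threshold is an assumed tuning value the report does not specify.

```python
import re
from collections import defaultdict

# Constructed sample events, not real telemetry: (host, log source, event id, detail).
# VHDMP event 12 = ISO/VHD mount, Security 4688 = process creation with command line
# (requires command-line auditing enabled), Proxy rows carry "<method> <url> <bytes>".
SAMPLE_EVENTS = [
    ("ws-17", "VHDMP", 12, r"C:\Users\alice\Downloads\IAF_Invitation.iso"),
    ("ws-17", "Security", 4688, r"C:\Windows\explorer.exe E:\Invitation.pdf.lnk"),
    ("ws-17", "Proxy", 0, "POST https://slack.com/api/files.upload 2104331"),
    ("ws-22", "VHDMP", 12, r"C:\ISOs\ubuntu-22.04.iso"),
    ("ws-22", "Proxy", 0, "GET https://slack.com/api/auth.test 241"),
]

UPLOAD_BYTES_THRESHOLD = 1_000_000  # assumed tuning value; the report gives no size
PROXY_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$")


def classify(source, event_id, detail):
    """Map one event to a FlightNight signal name, or None if it matches nothing."""
    if source == "VHDMP" and event_id == 12 and detail.lower().endswith(".iso"):
        return "iso_mount"
    if source == "Security" and event_id == 4688 and ".lnk" in detail.lower():
        return "lnk_exec"
    if source == "Proxy":
        m = PROXY_RE.match(detail)
        if (m and m["method"] == "POST"
                and "slack.com/api/files.upload" in m["url"]
                and int(m["bytes"]) >= UPLOAD_BYTES_THRESHOLD):
            return "slack_upload"
    return None


def flightnight_candidates(events, min_signals=2):
    """Return {host: sorted signal names} for hosts showing at least min_signals."""
    seen = defaultdict(set)
    for host, source, event_id, detail in events:
        sig = classify(source, event_id, detail)
        if sig:
            seen[host].add(sig)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_signals}


if __name__ == "__main__":
    for host, sigs in flightnight_candidates(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(sigs)}")
```

A lone ISO mount (ws-22, a Linux installer) is not flagged; only the host showing the mount, the LNK execution and the large Slack upload together is reported.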

Read more: https://blog.eclecticiq.com/operation-flightnight-indian-government-entities-and-energy-sector-targeted-by-cyber-espionage-campaign