Keypoints
- Targets were delivered a weaponized .chm Microsoft Help file (Ukrainian-language drone/manual lure) that runs hh.exe to open and execute embedded HTML/JavaScript.
- Embedded obfuscated JavaScript launches a heavily obfuscated PowerShell one-liner that runs inside a hidden window to evade detection.
- The PowerShell script downloads an encoded binary (e.g., hxxps://files.catbox[.]moe/g1h7zr.bin), decodes/decompresses it, applies an XOR mask derived from a hashed key, and writes the resulting executable to %APPDATA%.
- The downloaded 64-bit executable is a MerlinAgent beacon (ctlhost.exe / minecraft.exe variants) which immediately attempts C2 communication (e.g., listen.servemp3[.]com / listen.serveminecraft[.]net) over TLS/443.
- Persistence is achieved by creating a Registry Run key (ctlhost) that launches the binary via powershell/cmd at user logon.
- Attackers used multiple obfuscation layers (Base64, GZIP, character substitutions, XOR masking) and legitimate services (catbox[.]moe, shorturl[.]at) to host stagers and evade AV (0/59 on VT for the .chm sample).
- Securonix provided detection suggestions including monitoring hh.exe -> cmd/powershell child processes, PowerShell logging, Sysmon, and specific hunting queries for -bxor and IO.StreamReader + Decompress patterns.
MITRE Techniques
- [T1204.002] User Execution: Malicious File – Lure delivered as a Microsoft Help (.chm) file that requires user opening to trigger execution (‘the lure file presents itself as a Microsoft Help file … Інфо про навчання по БПЛА для військових.v2.2.chm’).
- [T1059.007] Command and Scripting Interpreter: JavaScript – Large obfuscated JavaScript one-liner embedded in the CHM invokes further payload execution (‘huge JavaScript one liner embedded into the HTML within <script></script> tags’).
- [T1059.001] Command and Scripting Interpreter: PowerShell – Obfuscated PowerShell is executed via cmd.exe/start to download and decode the payload (‘the .chm file executes cmd.exe along with the “/c start /min” commands to call the PowerShell process’).
- [T1027.010] Obfuscated Files or Information: Command Obfuscation – Multiple layers of obfuscation (Base64, GZIP, char substitution) hide the download and decoding logic (‘heavily obfuscated … Base64 encoding, GZIP compression, and char value substitutions’).
- [T1218.001] System Binary Proxy Execution: Compiled HTML File – Abuse of the Windows help viewer hh.exe to run HTML/JS that spawns child processes (‘Help files … executed using the Windows binary hh.exe which is launched automatically’).
- [T1105] Ingress Tool Transfer – Staged binary downloaded from public file-sharing services (catbox[.]moe via shorturl) to the victim for later execution (‘downloads a payload from hxxps://files.catbox[.]moe/g1h7zr.bin’).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via a registry Run key named “ctlhost” pointing to the deployed binary (‘creating a new key called “ctlhost” located in HKEY_USERS…CurrentVersion\Run’).
- [T1573.001] Encrypted Channel: Symmetric Cryptography – MerlinAgent uses encrypted C2 channels (TLS over port 443) for beaconing and commands (‘Command and control … used an encrypted channel over port 443’).
- [T1112] Modify Registry – The installer modifies the registry to establish autostart persistence (‘establishes persistence in the registry by creating a new key called “ctlhost”’).
- [T1219] Remote Access Software – Deployment of MerlinAgent framework which provides remote command shell and module support once connected to C2 (‘MerlinAgent framework … Remote command shell; Module support’).
Indicators of Compromise
- [File Hashes] analyzed malicious binaries – 68A224AD49F2BD3D82EF6FCF5B16472DD06FECFF816263925DFB9BAC91951B21 (.chm), 46FA63AF33FB7A42D3F79ED81D38E5CADDA7D311B07B2306E917179948189C7A (g1h7zr.bin), 4659D371C9B6DB1687D6DD027E95563DA88A29378DE4F87DB19B267859D04D03 (ctlhost.exe)
- [File Names] staged and lure files – Інфо про навчання по БПЛА для військових.v2.2.chm (Ukrainian drone manual), Confidential Offers.chm (updated lure).
- [Domains/URLs] staging and C2 infrastructure – files.catbox[.]moe/g1h7zr.bin (stager), shorturl[.]at/abPU5 -> catbox[.]moe/sbjchf.mod (redirected stager), listen.servemp3[.]com / listen.serveminecraft[.]net (MerlinAgent C2).
- [IP Addresses] C2 host – 168.100.8[.]245 (observed server_conn and beaconing address).
- [Paths/Registry] persistence and install paths – %APPDATA%\sysctlHost\ctlhost.exe or %appdata%/local/games/minecraft.exe and Registry Run key HKEY_USERS\...\Software\Microsoft\Windows\CurrentVersion\Run -> ctlhost (auto-start command).
Securonix observed a compact, multi-stage loader: when a user opens the malicious .chm file, hh.exe renders the embedded HTML, which contains a heavily obfuscated JavaScript blob that invokes a hidden PowerShell process. That PowerShell one-liner is layered with Base64, GZIP and character-substitution obfuscation and, once deobfuscated, downloads an encoded binary stager from public file hosting (example: files.catbox[.]moe/g1h7zr.bin or shorturl[.]at redirects), decodes/decompresses it, and writes the resulting payload to the user profile AppData path.
The decoded binary is a MerlinAgent 64-bit executable which immediately begins beaconing to attacker-controlled C2 domains over TLS (examples: listen.servemp3[.]com, listen.serveminecraft[.]net, IP 168.100.8[.]245). Before execution the script computes a SHA-256-derived XOR mask, transforms the downloaded file in buffered chunks (XOR each byte, write to a .tmp file, then replace the original), and supports multiple execution options; the deployed agent also creates a Registry Run entry named “ctlhost” to achieve persistence and is launched using a hidden PowerShell/cmd start sequence.
Detection evasions include use of .chm containers (AV-evading packaging, 0/59 VT detections for the sample), multi-layered obfuscation in both JavaScript and PowerShell, hosting stagers on legitimate file-sharing services, and flexible MerlinAgent command flags for proxying, JA3/UA spoofing, and encryption. Recommended telemetry to monitor: hh.exe process trees spawning cmd/powershell, PowerShell commands containing ‘-bxor’ or IO.StreamReader + Decompress patterns, unexpected downloads from catbox/shorturl, and creation of Run registry values pointing to AppData executables.
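The following script is an added example (not Securonix's code or part of the original report) that turns the detection suggestions above into three hunting checks run over constructed sample telemetry: process creation events where hh.exe is the parent of cmd.exe or powershell.exe, PowerShell script block events containing `-bxor` or the IO.StreamReader + Decompress combination, and registry value writes under a Run key that point at an executable in AppData. The event shape is a simplified, hand-built approximation of Sysmon event IDs 1 and 13 and PowerShell event ID 4104; the SID, file paths and command lines in the sample are constructed for illustration.

```python
import re

# Constructed sample telemetry in a simplified Sysmon/PowerShell-log shape.
# id 1 = process creation, id 13 = registry value set, id 4104 = script block log.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\hh.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c start /min powershell -w hidden -enc AAAA"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"id": 4104, "script": "$r=[IO.StreamReader]::new((New-Object IO.Compression.GzipStream("
                           "$ms,[IO.Compression.CompressionMode]::Decompress)))"},
    {"id": 4104, "script": "$b[$i] = $b[$i] -bxor $mask[$i % $mask.Length]"},
    {"id": 4104, "script": "Get-ChildItem C:\\ | Sort-Object Length"},
    {"id": 13, "key": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\ctlhost",
     "value": r'powershell -w hidden -c "%APPDATA%\sysctlHost\ctlhost.exe"'},
    {"id": 13, "key": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

# Interpreters that hh.exe has no legitimate reason to spawn during normal help viewing.
SCRIPT_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

XOR_PATTERN = re.compile(r"-bxor\b", re.IGNORECASE)
STREAMREADER_PATTERN = re.compile(r"IO\.StreamReader", re.IGNORECASE)
DECOMPRESS_PATTERN = re.compile(r"\bDecompress\b", re.IGNORECASE)
RUN_KEY_PATTERN = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# An .exe under %APPDATA% or a literal \AppData\ directory, in either slash style.
APPDATA_EXE_PATTERN = re.compile(r"(%APPDATA%|\\AppData\\)[^\s\"']*\.exe", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or forward-slash path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: dict):
    """Flag hh.exe spawning a command or script interpreter."""
    if ev.get("id") != 1:
        return None
    child = basename(ev["image"])
    if basename(ev["parent"]) == "hh.exe" and child in SCRIPT_INTERPRETERS:
        return f"hh.exe spawned {child}: {ev['cmdline']}"
    return None


def check_scriptblock(ev: dict):
    """Flag script blocks that XOR-unmask bytes or inline a GZIP decompression stage."""
    if ev.get("id") != 4104:
        return None
    script = ev["script"]
    if XOR_PATTERN.search(script):
        return "PowerShell script block uses -bxor (XOR unmasking of a payload)"
    if STREAMREADER_PATTERN.search(script) and DECOMPRESS_PATTERN.search(script):
        return "PowerShell script block combines IO.StreamReader with Decompress (inline GZIP stage)"
    return None


def check_registry(ev: dict):
    """Flag Run-key values whose command references an executable in AppData."""
    if ev.get("id") != 13:
        return None
    if RUN_KEY_PATTERN.search(ev["key"]) and APPDATA_EXE_PATTERN.search(ev["value"]):
        value_name = ev["key"].rsplit("\\", 1)[-1]
        return f"Run key value '{value_name}' launches an AppData executable: {ev['value']}"
    return None


def hunt(events):
    """Run every check over every event; return (event id, finding) pairs in input order."""
    findings = []
    for ev in events:
        for check in (check_process, check_scriptblock, check_registry):
            hit = check(ev)
            if hit:
                findings.append((ev["id"], hit))
    return findings


if __name__ == "__main__":
    for event_id, finding in hunt(SAMPLE_EVENTS):
        print(f"[{event_id}] {finding}")
```

On the sample above the script raises four findings (the hh.exe child process, both suspicious script blocks, and the ctlhost Run value) and stays silent on the benign notepad, directory-listing and OneDrive events. In a real pipeline the same checks would be fed from Sysmon and PowerShell script block logging rather than the embedded list; the Run-key check deliberately matches on the AppData location rather than the name "ctlhost", since the report notes the same agent was also dropped as minecraft.exe under a different path.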