Weekly Summary: Cyberattacks, September 11-17
Inside Maranhão Stealer: Node.js-Powered InfoStealer Using Reflective DLL Injection
Cybersecurity researchers have identified an active campaign involving Maranhão Stealer, a Node.js-powered credential-stealing malware. The campaign is spreading through social engineering websites hosted on cloud platforms that distribute pirated software, cracked game launchers, and cheats aimed at the gaming community. Victims are tricked into downloading trojanized installers such as DerelictSetup.zip or Fnafdoomlauncher.exe, which contain an Inno Setup installer that silently drops a Node.js-compiled binary named updater.exe inside a disguised "Microsoft Updater" folder. The malware establishes persistence through Run registry keys and scheduled tasks, conceals its components by marking them as hidden system files, and then proceeds with detailed host reconnaissance, geolocation lookups, and screen capturing. Stolen artifacts include system data, screenshots, credentials, cookies, browsing history, and cryptocurrency wallet information.
A New Generation of Threat: HybridPetya Discovered, Heir to the Infamous Ransomware, With a UEFI Secure Boot Bypass
A new ransomware family, named HybridPetya, has been identified. It mimics Petya/NotPetya but with enhanced technical capabilities, notably a UEFI Secure Boot bypass via CVE-2024-7344. Like its namesakes, it targets NTFS partitions and encrypts the Master File Table (MFT), the central metadata structure for all files on those partitions. Unlike NotPetya, HybridPetya retains the possibility of decryption: the decryption key can be reconstructed from the victim's "personal installation key," making it more like Petya in that respect rather than purely destructive. Technically, HybridPetya supports both legacy BIOS-based and modern UEFI-based systems.
AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks
Cybersecurity researchers from Unit 42 have reported that AdaptixC2, a relatively new open-source post-exploitation and adversarial emulation framework, is increasingly being leveraged in real-world cyberattacks. Originally intended for penetration testers, AdaptixC2 has gained traction among threat actors due to its flexibility, modular design, and ability to evade detection. Unlike more established C2 frameworks, AdaptixC2 remained largely unnoticed until recently; however, its documented use in multiple incidents indicates a rising adoption trend. AdaptixC2 allows attackers to execute commands, manipulate the file system, create or delete files, enumerate processes, terminate applications, and launch new programs on compromised systems. It also supports tunneling mechanisms such as SOCKS4/5 proxying and port forwarding, enabling covert communication even in tightly controlled environments.
Frankenstein Variant of the ToneShell Backdoor Targeting Myanmar
Researchers have identified a new hybrid variant of the ToneShell backdoor, a malware family associated with the China-linked threat group Mustang Panda, targeting entities in Myanmar. This variant, dubbed a "Frankenstein" build due to its combination of features from earlier iterations, does not introduce groundbreaking capabilities but incorporates extensive anti-analysis measures and new indicators of compromise that defenders can use for detection. ToneShell is typically delivered via DLL sideloading, often embedded in archives containing legitimate signed executables. In this campaign, one malicious ZIP file was distributed under the name "TNLA and other revolutionary forces" (in Burmese), reflecting attempts to lure victims through politically charged themes.
RevengeHotels: A New Wave of Attacks Leveraging LLMs and VenomRAT
The cybercriminal group known as RevengeHotels (also tracked as TA558) has launched a new wave of cyberattacks targeting the hospitality and tourism sector, with a particular focus on Brazilian hotels and an expansion into Spanish-speaking markets. Active since 2015, RevengeHotels is known for stealing credit card data from hotel guests through phishing campaigns. In this latest activity, the group has significantly evolved its operations by leveraging large language model (LLM) agents to generate portions of its malicious code and phishing lures, indicating a growing trend of cybercriminals exploiting AI to enhance their attack capabilities. The new campaigns rely on phishing emails with invoice or fake job application themes, crafted in Portuguese and Spanish and sent to hotel reservation and administrative e-mail accounts. Victims who click the malicious links are redirected to fraudulent document storage websites, which download JavaScript loaders. These files, often identifiable as LLM-generated by their clean code, placeholders, and extensive comments, initiate the infection chain by deploying PowerShell downloaders and subsequent payloads.