Sep 26, 2025Ravie LakshmananMalware / Cryptocurrency
A brand new marketing campaign has been noticed impersonating Ukrainian authorities businesses in phishing assaults to ship CountLoader, which is then used to drop Amatera Stealer and PureMiner.
“The phishing emails include malicious Scalable Vector Graphics (SVG) information designed to trick recipients into opening dangerous attachments,” Fortinet FortiGuard Labs researcher Yurren Wan mentioned in a report shared with The Hacker Information.
Within the assault chains documented by the cybersecurity firm, the SVG information are used to provoke the obtain of a password-protected ZIP archive, which accommodates a Compiled HTML Assist (CHM) file. The CHM file, when launched, prompts a sequence of occasions that culminate within the deployment of CountLoader. The e-mail messages declare to be a discover from the Nationwide Police of Ukraine.
CountLoader, which was the topic of a latest evaluation by Silent Push, has been discovered to drop numerous payloads like Cobalt Strike, AdaptixC2, and PureHVNC RAT. On this assault chain, nonetheless, it serves as a distribution vector for Amatera Stealer, a variant of ACRStealer, and PureMiner, a stealthy .NET cryptocurrency miner.
It is value stating that each PureHVNC RAT and PureMiner are a part of a broader malware suite developed by a menace actor referred to as PureCoder. A number of the different merchandise from the identical creator embody –
PureCrypter, a crypter for Native and .NET
PureRAT (aka ResolverRAT), a successor to PureHVNC RAT
PureLogs, an info stealer and logger
BlueLoader, a malware that may act as a botnet by downloading and executing payloads remotely
PureClipper, a clipper malware that substitutes cryptocurrency addresses copied into the clipboard with attacker-controlled pockets addresses to redirect transactions and steal funds
In keeping with Fortinet, Amatera Stealer and PureMiner are each deployed as fileless threats, with the malware “executed by way of .NET Forward-of-Time (AOT) compilation with course of hollowing or loaded straight into reminiscence utilizing PythonMemoryModule.”
Amatera Stealer, as soon as launched, gathers system info, collects information matching a predefined checklist of extensions, and harvests knowledge from Chromium- and Gecko-based browsers, in addition to functions like Steam, Telegram, FileZilla, and numerous cryptocurrency wallets.
“This phishing marketing campaign demonstrates how a malicious SVG file can act as an HTML substitute to provoke an an infection chain,” Fortinet mentioned. On this case, attackers focused Ukrainian authorities entities with emails containing SVG attachments. The SVG-embedded HTML code redirected victims to a obtain web site.”
The event comes as Huntress uncovered a probable Vietnamese-speaking menace group utilizing phishing emails bearing copyright infringement discover themes to trick recipients into launching ZIP archives that result in the deployment of PXA Stealer, which then evolves right into a multi-layered an infection sequence dropping PureRAT.
“This marketing campaign demonstrates a transparent and deliberate development, beginning with a easy phishing lure and escalating by means of layers of in-memory loaders, protection evasion, and credential theft,” safety researcher James Northey mentioned. “The ultimate payload, PureRAT, represents the end result of this effort: a modular, professionally developed backdoor that offers the attacker full management over a compromised host.”
“Their development from amateurish obfuscation of their Python payloads to abusing commodity malware like PureRAT exhibits not simply persistence, but additionally hallmarks of a severe and maturing operator.”
