A new malware campaign targeting Windows users has emerged, using deceptive LNK shortcut files to distribute MoonPeak, a dangerous remote access trojan.
This malware, which appears to be a variant of XenoRAT, has been linked to threat actors affiliated with North Korea.
The attack primarily targets South Korean investors and cryptocurrency traders through weaponized files disguised as legitimate PDF documents related to trading strategies.
When victims open the malicious LNK file, it triggers a sophisticated infection chain that deploys the malware while displaying a decoy PDF to avoid suspicion.
The campaign was first detected in January 2026, with LNK files carrying Korean filenames suggesting investment-related content.
These files embed an XOR-encoded PDF that opens normally when clicked, making the attack appear harmless to unsuspecting users.
Behind the scenes, however, an obfuscated PowerShell script executes silently in a hidden window.
This script initiates multiple stages of payload delivery, establishing persistence on the infected system and communicating with remote servers controlled by the attackers.
IIJ Security Diary analysts identified this threat through detailed malware analysis, uncovering the complete infection flow that had not been fully documented in earlier reports.
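The article says the shortcut carries an XOR-encoded decoy PDF but gives neither the key nor the encoding scheme. The following triage helper, an added example and not code from IIJ Security Diary, shows how an analyst can recover such a decoy from a suspicious LNK for forensic review: it tries every single-byte XOR key, looks for the position where the bytes decode to a PDF header, and carves the document up to its trailer. The single-byte-key assumption and the sample LNK bytes are constructed for the example; a multi-byte key would need a different search.

```python
"""Carve a single-byte-XOR-encoded decoy PDF out of a shortcut (LNK) file.

Added example, not code from IIJ Security Diary. It assumes the decoy is
XOR-encoded with a one-byte key (the article does not state the key or the
scheme); the sample bytes below are constructed, not a real sample.
"""
from __future__ import annotations

PDF_MAGIC = b"%PDF-"   # every PDF starts with this header
PDF_EOF = b"%%EOF"     # and ends with this trailer marker


def find_xor_pdf(blob: bytes) -> tuple[int, int] | None:
    """Return (key, offset) of the first place where XOR with a one-byte key
    turns the bytes into a PDF header, or None if no key produces one."""
    for key in range(256):
        # Encode the magic with the candidate key so we can search the raw
        # bytes directly instead of decoding the whole blob 256 times.
        needle = bytes(b ^ key for b in PDF_MAGIC)
        offset = blob.find(needle)
        if offset != -1:
            return key, offset
    return None


def carve_pdf(blob: bytes) -> bytes | None:
    """Decode and cut out the embedded PDF; returns None if none is found."""
    hit = find_xor_pdf(blob)
    if hit is None:
        return None
    key, start = hit
    decoded = bytes(b ^ key for b in blob[start:])
    end = decoded.find(PDF_EOF)
    if end == -1:
        # No trailer: hand back everything after the header for manual review.
        return decoded
    return decoded[: end + len(PDF_EOF)]


# Constructed stand-in for a weaponized LNK: a fake shortcut header, 32 bytes of
# padding, the XOR-encoded decoy, then some trailing junk.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n%%EOF\n"
SAMPLE_KEY = 0x5A
SAMPLE_LNK = (
    b"L\x00\x00\x00\x01\x14\x02\x00"
    + b"\x00" * 32
    + bytes(b ^ SAMPLE_KEY for b in SAMPLE_PDF)
    + b"JUNK" * 4
)

if __name__ == "__main__":
    hit = find_xor_pdf(SAMPLE_LNK)
    print("key/offset:", hit)
    pdf = carve_pdf(SAMPLE_LNK)
    print("carved PDF:", pdf)
```

Run the carved bytes through a PDF parser in an isolated environment rather than opening them directly; the decoy is benign by design in this campaign, but the same carving approach applies to any embedded object, and a five-byte magic can produce the occasional false match on large files.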
[Figure: Malicious PowerShell script created in the temporary folder (Source: IIJ Security Diary)]
The researchers traced the attack infrastructure to GitHub repositories used for hosting malicious payloads, demonstrating the threat actors' use of legitimate platforms to evade detection.
[Figure: Malicious VBScript created in the temporary folder (Source: IIJ Security Diary)]
This technique, known as Living Off Trusted Sites (LOTS), allows attackers to bypass security measures that typically block suspicious domains.
Multi-Stage Infection Mechanism and Evasion Tactics
The MoonPeak infection process operates through three distinct stages, each designed to evade security analysis and establish persistent access.
In the first stage, the LNK file checks for security tools and virtual environments by scanning for specific running processes such as IDA Pro, Wireshark, OllyDbg, and various sandbox indicators.
If any analysis tools are detected, the script immediately terminates to prevent researchers from studying its behavior. This anti-analysis technique ensures the malware only executes on genuine victim systems.
Once the environment check passes, the PowerShell script creates randomly named folders and files in the temporary directory, downloading additional scripts from remote servers.
[Figure: The task that will be created for automatic execution (Source: IIJ Security Diary)]
A scheduled task is then created to ensure the malware runs automatically, even after system reboots.
The second stage involves retrieving a GZIP-compressed payload from a GitHub repository, which is decompressed and loaded directly into memory without touching the disk.
[Figure: Malicious GitHub repository created by a threat actor (Source: IIJ Security Diary)]
The final stage deploys MoonPeak itself, obfuscated using ConfuserEx to resist decompilation and analysis. The malware connects to its command-and-control server at 27.102.137[.]88:443, enabling attackers to remotely control infected machines.
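The three stages above each leave telemetry a defender can key on: a hidden-window PowerShell launched by the shell when the shortcut is opened, a scheduled task created from that PowerShell, binaries running out of randomly named folders under the temporary directory, and an outbound connection to the C2 address the report names. The script below, an added example rather than IIJ's or the campaign's code, runs those four checks over a handful of constructed process-creation and network-connection records. The record layout (`type`, `image`, `cmdline`, `parent_image`, `dest_ip`, `dest_port`) loosely mirrors Sysmon event fields but is an assumption of this example, not a real product schema; the C2 tuple is the one published in the report.

```python
"""Flag the MoonPeak-style behaviours described in the report in host telemetry.

Added example, not code from IIJ Security Diary. The event records are
constructed and the field names are assumptions; only the C2 address comes
from the report (defanged there as 27.102.137[.]88:443).
"""
import re

MOONPEAK_C2 = ("27.102.137.88", 443)

# "-WindowStyle Hidden", "-w hidden", "-win hidden"; PowerShell accepts prefixes
HIDDEN_WINDOW = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.IGNORECASE)

# Image paths are lower-cased before this is applied.
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\")


def detect(events):
    """Return a list of (rule_name, event_id) for every record that matches
    one of the behaviours; a single event may trip more than one rule."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        parent = ev.get("parent_image", "").lower()

        if ev["type"] == "process":
            cmd = ev["cmdline"]
            # Stage 1: the shortcut makes explorer.exe spawn a hidden PowerShell.
            if (image.endswith("powershell.exe") and HIDDEN_WINDOW.search(cmd)
                    and parent.endswith("explorer.exe")):
                findings.append(("hidden_powershell_from_explorer", ev["id"]))
            # Persistence: a scheduled task created from that PowerShell.
            if (image.endswith("schtasks.exe") and "/create" in cmd.lower()
                    and parent.endswith("powershell.exe")):
                findings.append(("schtasks_create_from_powershell", ev["id"]))

        elif ev["type"] == "network":
            # Stage 2/3 payloads live in randomly named folders under %TEMP%.
            if TEMP_DIR.search(image):
                findings.append(("temp_dir_binary_network", ev["id"]))
            # Stage 3: beacon to the published C2 address and port.
            if (ev["dest_ip"], ev["dest_port"]) == MOONPEAK_C2:
                findings.append(("moonpeak_c2", ev["id"]))
    return findings


# Constructed records resembling one infection alongside benign activity.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe"},
    {"id": 2, "type": "process", "image": POWERSHELL,
     "cmdline": (r"powershell.exe -WindowStyle Hidden -NoProfile "
                 r"-File C:\Users\victim\AppData\Local\Temp\k3f9\stage1.ps1"),
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": ('schtasks.exe /create /sc minute /mo 5 /tn "Updater" '
                 '/tr "powershell.exe -File stage2.ps1"'),
     "parent_image": POWERSHELL},
    # Download of the next stage; 203.0.113.10 is a documentation address.
    {"id": 4, "type": "network", "image": POWERSHELL,
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"id": 5, "type": "network",
     "image": r"C:\Users\victim\AppData\Local\Temp\k3f9\svc.exe",
     "dest_ip": "27.102.137.88", "dest_port": 443},
    # Benign: an admin script launched from a console, window not hidden.
    {"id": 6, "type": "process", "image": POWERSHELL,
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for rule, event_id in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Event 4 deliberately produces no finding: a PowerShell connection to an arbitrary HTTPS host is too common to alert on by itself, which is exactly why hosting payloads on GitHub helps the actor. The hidden-window and scheduled-task rules are behavioural and survive a change of C2 address; the IP match is the brittle one and should be refreshed from current reporting.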
