Threat Intelligence, Critical Infrastructure Security, Government security

Sophisticated multi-stage attack targets manufacturing, governments

Plain code with the word "cyberattack" in red.

Cyble Research and Intelligence Labs has uncovered a highly sophisticated and multi-stage cyberattack campaign targeting manufacturing and government entities in Italy, Finland, and Saudi Arabia, characterized by a shared, modular commodity loader used across different threat actor groups, GBHackers News reports.

The attack begins with weaponized documents masquerading as purchase orders, which funnel victims through a meticulously designed four-stage evasion pipeline to bypass traditional security. This pipeline employs advanced obfuscation, steganography to hide payloads in images on legitimate sites, a novel "hybrid assembly" technique that trojanizes open-source GitHub code, and a final process injection into a legitimate Windows utility. The ultimate payloads include powerful information-stealing malware like PureLog Stealer, which harvests browser credentials, cryptocurrency data, and 2FA secrets.

CRIL's analysis indicates a shared infrastructure and tradecraft among diverse actors, evidenced by identical loader artifacts and evolving techniques like a novel UAC bypass. This represents a significant, continuously evolving threat ecosystem targeting critical sectors with precision and advanced operational security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds