2025-04-21

Malicious payloads are being distributed in a new, covert multi-stage intrusion campaign, while the Chinese advanced persistent threat group IronHusky has been targeting Russian and Mongolian government entities with an upgraded variant of the MysterySnail RAT, reports The Hacker News.
In the first campaign, attackers delivered a phishing email posing as a successful order payment, with a 7-Zip archive attached that contains an encoded JavaScript file; that file in turn downloads a PowerShell script, according to an analysis from Palo Alto Networks Unit 42. Executing the script leads to a next-stage dropper that is either a .NET or an AutoIt executable. The .NET path injects a suspected Snake Keylogger or XLoader payload into the "RegAsm.exe" process, while the AutoIt path eventually delivers Agent Tesla, said researcher Saqib Khanzada, who noted that the multiple execution paths are intended to make detection and analysis harder.

A separate report from Kaspersky found that IronHusky's attacks on government organizations in Russia and Mongolia used a malicious Microsoft Management Console script that eventually executes the newest version of the MysterySnail RAT, which has been upgraded to support almost 40 commands. After action was taken against the more complex variant, the attackers also deployed a lighter MysteryMonoSnail version of the payload that supports 13 commands.
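As an added illustration (not code from the report or from either vendor), the following Python check walks process-creation events for the delivery chain described above: a script host running the encoded JavaScript attachment and spawning PowerShell, and RegAsm.exe appearing with PowerShell in its process ancestry. The event records, field names and file paths are constructed for the example.

```python
"""Flag the script-host -> PowerShell -> dropper -> RegAsm.exe chain in
process-creation events (constructed sample data, Sysmon-like fields)."""
import os

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".jse", ".js", ".vbs", ".vbe")
# .NET utility binaries commonly abused as hosts for injected payloads.
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe"}

# Constructed events: explorer -> wscript (jse) -> powershell -> dropper -> RegAsm
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\u\\Downloads\\payment_receipt.jse"'},
    {"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c <constructed>"},
    {"pid": 400, "ppid": 300, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\dropper.exe", "cmdline": "dropper.exe"},
    {"pid": 500, "ppid": 400, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
     "cmdline": "RegAsm.exe"},
    {"pid": 600, "ppid": 100, "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"},
]

def _name(event):
    """Lower-cased image file name, tolerant of Windows path separators."""
    return os.path.basename(event["image"].replace("\\", "/")).lower()

def ancestors(pid, by_pid):
    """Yield parent events of pid, nearest first; stops at unknown or cyclic ppids."""
    seen = set()
    ev = by_pid.get(pid)
    while ev is not None and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        yield ev

def find_suspicious_chains(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        name, parent = _name(ev), by_pid.get(ev["ppid"])
        # Rule 1: a script host executing a JS/JSE-style file spawns PowerShell.
        if name == "powershell.exe" and parent and _name(parent) in SCRIPT_HOSTS \
                and any(ext in parent["cmdline"].lower() for ext in SCRIPT_EXTS):
            findings.append({"pid": ev["pid"], "rule": "script-host-to-powershell",
                             "chain": [_name(parent)]})
        # Rule 2: an injection-prone .NET utility with PowerShell somewhere in its ancestry.
        if name in INJECTION_HOSTS:
            chain = [_name(a) for a in ancestors(ev["pid"], by_pid)]
            if "powershell.exe" in chain:
                findings.append({"pid": ev["pid"], "rule": "powershell-ancestry-regasm", "chain": chain})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_chains(EVENTS):
        print(f)
```

On real telemetry, Rule 2 needs an allow-list for legitimate parents such as build tooling, since RegAsm.exe is also run by developers.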
