Phishing (2025-03-20)

VenomRAT covertly distributed via VHD files


Virtual hard disk image files have been leveraged by threat actors to conceal the VenomRAT remote access trojan in a new malware campaign, Hackread reports.

Attackers deliver phishing emails purporting to be purchase orders that carry .vhd file attachments; when opened, the attachment triggers a batch script that deploys PowerShell, establishes persistence, and alters Windows registry settings before launching VenomRAT, according to Forcepoint X-Labs researchers. Aside from exfiltrating data, keystrokes, and other sensitive details, VenomRAT also enables further executable downloads while using the Hidden Virtual Network Computing (hVNC) service to bypass security systems. Such a threat should prompt users not only to verify unexpected purchase orders or invoices but also to strengthen their security defenses and bolster phishing awareness. "This is a unique approach. Attackers are constantly looking for ways to evade detection, and hiding malware within a virtual hard disk image is a good example of that," said Forcepoint X-Labs security researcher Prashant Kumar.
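The delivery vector above is an e-mail attachment that is a disk image rather than a document, so one practical defensive control is to flag such attachments at the mail gateway by content, not just by extension. The following is an added example (not code from the Hackread article or from Forcepoint X-Labs) that parses a message with Python's standard `email` library and reports any attachment carrying a VHD or VHDX container signature: a VHD file ends with a 512-byte footer whose first eight bytes are `conectix` (dynamic VHDs also hold a copy of that footer at offset 0), and a VHDX file begins with the identifier `vhdxfile`. The sample message, the sender/recipient addresses, the lure keyword list and the stand-in VHD bytes are all constructed for the demo.

```python
"""
Added example, not code from the Hackread article or Forcepoint X-Labs:
a mail-gateway style check that flags messages carrying a virtual hard
disk attachment, as in the VenomRAT campaign described above.

It inspects both the attachment's file name and its content, because the
VHD/VHDX container formats carry fixed signatures:
  - VHD  : a 512-byte footer whose first 8 bytes are b"conectix"; dynamic
           VHDs also keep a copy of that footer at offset 0.
  - VHDX : the file starts with the 8-byte identifier b"vhdxfile".
The sample message below is constructed for the demo; the 'purchase order'
lure wording follows the article.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

DISK_IMAGE_EXTENSIONS = (".vhd", ".vhdx")
LURE_KEYWORDS = ("purchase order", "invoice", "po#")  # assumed lure phrasing

VHD_COOKIE = b"conectix"
VHDX_SIGNATURE = b"vhdxfile"


def looks_like_vhd(data: bytes) -> bool:
    """Return True if the bytes carry a VHD or VHDX container signature."""
    if data[:8] == VHDX_SIGNATURE:
        return True
    if data[:8] == VHD_COOKIE:  # dynamic/differencing VHD: header copy of footer
        return True
    if len(data) >= 512 and data[-512:-504] == VHD_COOKIE:  # fixed VHD footer
        return True
    return False


def scan_message(raw: bytes) -> list[str]:
    """Parse a raw RFC 822 message and return human-readable findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    subject = (msg["subject"] or "").lower()
    lure = any(k in subject for k in LURE_KEYWORDS)

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        by_name = name.endswith(DISK_IMAGE_EXTENSIONS)
        by_content = looks_like_vhd(payload)
        if by_name or by_content:
            # Content match without the extension suggests a renamed image
            reason = "extension" if by_name else "content signature (renamed?)"
            findings.append(f"disk-image attachment '{name}' detected by {reason}")
    if findings and lure:
        findings.append("subject uses an order/invoice lure with a disk-image attachment")
    return findings


def build_sample_message(attachment_name: str, attachment_bytes: bytes) -> bytes:
    """Construct a demo e-mail (not a real sample) with one attachment."""
    msg = EmailMessage()
    msg["From"] = "orders@example.invalid"      # constructed
    msg["To"] = "ap@example.invalid"            # constructed
    msg["Subject"] = "Purchase Order 4471"      # constructed lure subject
    msg.set_content("Please find the attached purchase order.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Stand-in "fixed VHD": arbitrary body followed by a 512-byte footer that
# begins with the conectix cookie. Only the cookie matters for this check.
FAKE_VHD = b"\x00" * 1024 + VHD_COOKIE + b"\x00" * 504


if __name__ == "__main__":
    for name in ("PO_4471.vhd", "PO_4471.pdf"):
        for line in scan_message(build_sample_message(name, FAKE_VHD)):
            print(f"{name}: {line}")
```

Checking the container signature catches an image that has been renamed to a benign-looking extension, which a name-only rule misses; a production gateway would also block or sandbox the attachment rather than only report it.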

