APT37 may have leveraged malicious spear-phishing emails to distribute a ZIP archive containing an LNK file which, when executed, launches PowerShell code that carries a DLL file used to retrieve VeilShell.
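The ZIP-to-LNK-to-PowerShell chain summarised above is a common lure pattern, and the practical question for a defender is how to spot such a shortcut before a user double-clicks it. The following is an added example, not code from the original article or from the research it summarises: a minimal parser for the StringData section of the Windows Shell Link (.lnk) format, as documented in the public MS-SHLLINK specification, driven over every `.lnk` entry in a ZIP archive and flagging those whose target path or arguments invoke PowerShell. The indicator regex, the helper names and the sample archive are assumptions constructed for this demonstration; the flag bit positions and record layout follow MS-SHLLINK.

```python
"""Scan a ZIP archive for .lnk entries that hand off to PowerShell.

Added example (not from the original article).  Parses the fixed
ShellLinkHeader and the optional StringData items of a Windows Shell Link
file per MS-SHLLINK, skipping the LinkTargetIDList and LinkInfo blocks.
The sample ZIP below is constructed for the demo and is not a real sample.
"""
import io
import re
import struct
import zipfile

HEADER_SIZE = 0x4C  # fixed ShellLinkHeader size (MS-SHLLINK 2.1)
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# Assumed indicator set for this example: PowerShell binaries and the
# switches typically used by LNK stagers (encoded commands, hidden window).
SUSPICIOUS = re.compile(
    r"powershell|pwsh|-enc\b|-e\b|-w(indowstyle)?\s+hidden|-nop\b|\biex\b|downloadstring",
    re.I,
)


def _read_string(data, off, unicode):
    """Read one StringData item: 2-byte CountCharacters, then the characters (no terminator)."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        text = data[off:off + 2 * count].decode("utf-16-le", errors="replace")
        off += 2 * count
    else:
        text = data[off:off + count].decode("cp1252", errors="replace")
        off += count
    return text, off


def parse_lnk(data):
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)  # LinkFlags sits after HeaderSize + LinkCLSID
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) + item list
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:             # LinkInfoSize (4 bytes) counts itself
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if flags & bit:
            fields[name], off = _read_string(data, off, unicode)
    return fields


def build_lnk(relative_path, arguments):
    """Construct a minimal Unicode .lnk carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS.

    Test fixture for this example; the CLSID is the standard ShellLink CLSID
    00021401-0000-0000-C000-000000000046 in its on-disk byte order.
    """
    header = struct.pack("<I", HEADER_SIZE)
    header += bytes.fromhex("0114020000000000c000000000000046")
    header += struct.pack("<I", HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (HEADER_SIZE - len(header))  # remaining header fields zeroed
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


def scan_zip(zip_bytes):
    """Return one finding per .lnk entry whose StringData matches SUSPICIOUS."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            try:
                fields = parse_lnk(zf.read(info.filename))
            except (ValueError, struct.error):
                continue  # truncated or non-LNK content; a real scanner would flag this too
            hits = {k: v for k, v in fields.items() if SUSPICIOUS.search(v)}
            if hits:
                findings.append({"entry": info.filename, "hits": hits})
    return findings


def build_sample_zip():
    """Constructed sample archive: one PowerShell-launching decoy, one benign shortcut, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf.lnk", build_lnk(
            r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "-nop -w hidden -enc AAAA"))  # dummy base64 placeholder, not a real payload
        zf.writestr("Shortcut to docs.lnk", build_lnk(r".\docs\manual.pdf", ""))
        zf.writestr("readme.txt", "plain text, not a shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding["entry"], finding["hits"])
```

Real droppers frequently pad the LNK with megabytes of junk or hide the payload in the shortcut itself, so a production check should also alert on unusually large shortcut files and on the double-extension naming (`.pdf.lnk`) used in the sample.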
The attacks begin with perfctl targeting vulnerable Apache RocketMQ servers; it then downloads the primary payload, httpd, which establishes persistence and concealment before executing to carry out cryptocurrency mining and proxyjacking.
The websites, which operate under the "AI Nude" banner and are promoted through black hat SEO techniques, promise to convert uploaded photos into deepfake nudes but instead display a link that, when clicked, redirects to another site providing the password and the link for a password-protected, Dropbox-hosted archive containing the infostealer malware.
The packages used in the attacks were given an appearance of legitimacy through fraudulent statistics and carried malicious code spread across several dependencies to better evade detection.
Aside from execution stability enhancements from overhauled client- and server-side frameworks and improved text extraction, Rhadamanthys version 0.7.0 has also gained the ability to execute and install Microsoft Software Installer files, a capability aimed at better concealing malicious activity.
Check Point Research discovered that installing the fake WalletConnect app triggers a wallet connection request and stealthily activates the MS Drainer toolkit, which then scans for and exfiltrates tokens and NFTs without the targets noticing.