From ba48cb8a6d30afae95111ee2f3ccfc489dade76c Mon Sep 17 00:00:00 2001 From: Mar-Pic Date: Tue, 25 Feb 2025 15:56:07 +0100 Subject: [PATCH] Update readme --- blue_stylthon/readme | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/blue_stylthon/readme b/blue_stylthon/readme index a8dbc09..c5c8b05 100644 --- a/blue_stylthon/readme +++ b/blue_stylthon/readme @@ -1,4 +1,4 @@ In December 2024, one of our Managed Threat Detection (CyberSOC) client was impacted by a malicious multistage campaign leveraging WsgiDAV servers to distribute XWorm and AsyncRAT, two notorious commodity malware. -We assess this specific campaign is ongoing since at least early November 2024 and targets France and Germany. Nevertheless, it aligns with a larger cluster previously detailed by Proofpoint, Fortinet or Forcepoint researchers which may have surfaced around February 2024 and which we detailed in our initial advisory back in August. We currently track this cluster under the “cheesy” name Blue Stylthon. +We assess this specific campaign is ongoing since at least early November 2024 and targets France and Germany. Nevertheless, it aligns with a larger cluster previously detailed by Proofpoint, Fortinet or Forcepoint researchers which may have surfaced around February 2024. We currently track this cluster under the “cheesy” name Blue Stylthon. The infection chain leveraged a phishing email as initial access vector, likely containing an attachement masquerading as an invoice. We then observed the following execution sequence: LNK > VBS > BAT > Powershell > ZIP > Python > AsyncRAT/XWorm. In addition to WsgiDAV (generic and extendable WebDAV server written in Python and based on WSGI) servers , the campaign also relied on TryCloudflare tunnels used to retrieve intermediary payloads (notably LNK and BAT files) as well as open-source tools used to obfuscate and load the stages (namely Kramer and Donut).
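Review bot: the one change in this hunk drops the clause "and which we detailed in our initial advisory back in August" from the second paragraph, so the readme no longer tells readers where the earlier analysis of the Blue Stylthon cluster can be found; if that advisory is still published, keep a reference to it (ideally as a link), and if it was withdrawn, say so in the commit message instead of the bare "Update readme", which gives no reason for removing the cross-reference. Since this paragraph is already being edited, the unchanged context lines carry typos worth fixing in the same pass: "attachement" should be "attachment", "servers ," has a stray space before the comma, and "Powershell" is conventionally written "PowerShell".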