mirror of
https://github.com/cert-orangecyberdefense/cti
synced 2026-06-08 14:45:26 +00:00
Update readme
@@ -1 +1,4 @@
In December 2024, one of our Managed Threat Detection (CyberSOC) client was impacted by a malicious multistage campaign leveraging WsgiDAV servers to distribute XWorm and AsyncRAT, two notorious commodity malware.
We assess this specific campaign is ongoing since at least early November 2024 and targets France and Germany. Nevertheless, it aligns with a larger cluster previously detailed by Proofpoint, Fortinet or Forcepoint researchers which may have surfaced around February 2024 and which we detailed in our initial advisory back in August. We currently track this cluster under the “cheesy” name Blue Stylthon.
The infection chain leveraged a phishing email as initial access vector, likely containing an attachement masquerading as an invoice. We then observed the following execution sequence: LNK > VBS > BAT > Powershell > ZIP > Python > AsyncRAT/XWorm.
In addition to WsgiDAV (generic and extendable WebDAV server written in Python and based on WSGI) servers , the campaign also relied on TryCloudflare tunnels used to retrieve intermediary payloads (notably LNK and BAT files) as well as open-source tools used to obfuscate and load the stages (namely Kramer and Donut).
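Review bot: the added README text carries a few spelling and grammar slips that should be fixed before merge: "one of our Managed Threat Detection (CyberSOC) client was impacted" should read "one of our ... clients was impacted", "attachement" should be "attachment", "is ongoing since at least early November 2024" reads better as "has been ongoing since at least early November 2024", and there is a stray space before the comma in "servers , the campaign". The text also cites prior work (the Proofpoint, Fortinet and Forcepoint research and "our initial advisory back in August") without linking to it; adding those references would let readers verify the cluster attribution and the "Blue Stylthon" naming, and it is worth confirming that spelling of the cluster name is intentional.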