mirror of
https://github.com/cert-orangecyberdefense/cti
synced 2026-06-08 14:45:26 +00:00
CERT Orange Cyberdefense
22 lines
2.4 KiB
Markdown
22 lines
2.4 KiB
Markdown
🧵 Since March 2026, Orange Cyberdefense has been tracking a malware delivery cluster linking a fake FileZilla campaign with other software-themed lures, including LibreOffice and Google Drive Setup, as well as a ClickFix-based one.
|
|
Our investigation identified overlaps across these campaigns, and related samples were later publicly identified as STX RAT. #CTI #ThreatIntel #STXRAT
|
|
1/ Our investigation started from the publicly documented FileZilla campaign, which used a fake FileZilla website to distribute trojanized FileZilla 3.69.5 packages.
|
|
The campaign used two delivery variants:
|
|
a portable archive containing the legitimate FileZilla package plus a malicious version.dll
|
|
a single EXE installer dropping the same DLL during installation
|
|
In both cases, filezilla.exe sideloaded the DLL and triggered a staged infection chain that ultimately delivered a RAT.
|
|
2/ We identified overlaps with:
|
|
a malvertising chain using VBS lures impersonating Google Drive or LibreOffice
|
|
a ClickFix lure reported by a private source
|
|
These branches were supported by shared infrastructure and staging patterns.
|
|
3/ Key overlap points included infrastructure involving supp0v3[.]com, cdn0v3[.]com, and 147.45.178[.]61, multiple pages[.]dev staging hosts, and similar callback / tracking logic observed across the linked chains.
|
|
4/ In the FileZilla branch, the sideloaded loader performed anti-analysis and anti-virtualization checks, resolved C2 via DNS-over-HTTPS, and used callback logic with tracking parameters.
|
|
In the overlapping script-based activity we tracked, VBS / PowerShell stages and TAR-delivered components (1.bin and 2.txt) led to in-memory payload execution.
|
|
5/ Separately, eSentire later described a related script-based branch involving VBScript → JScript → TAR (1.bin + 2.txt) → PowerShell, which is consistent with the broader staging logic we observed across the cluster.
|
|
At the malware level, STX RAT is a Windows RAT with infostealer and HVNC capabilities. It uses a custom multi-stage unpacking chain, communicates over a proprietary TCP-based protocol with both clearweb and Tor fallback, and exposes broad post-exploitation functionality.
|
|
Notably, credential theft is only activated after successful C2 interaction.
|
|
6/ Bottom line: different lures, similar staging, same malware outcome.
|
|
7/ We published a full advisory for our customers on the infection chain, overlaps, and malware analysis. Related IoCs are also available in this public GitHub repository.
|
|
|
|
|