Snake Keyloggers Leverage Java Utilities to Bypass Security Detection

A new spear-phishing campaign orchestrated by actors behind the Snake Keylogger stealer has come to light, marking a notable evolution in the threat landscape.

Uncovered by the S2 Group Intelligence team, the operation leverages sophisticated techniques and takes advantage of ongoing global geopolitical tensions.

The campaign, attributed to a Russian-origin malware-as-a-service (MaaS) operation, specifically targets companies, government entities, and individuals under the guise of oil product offers, an approach designed to prey on anxieties surrounding Middle Eastern conflicts and the volatility of global energy markets.

Novel Abuse of Legitimate Java Tools

What sets this campaign apart is the exploitation of jsadebugd.exe, a legitimate Java debugging utility, to sideload a malicious DLL.

Normally, jsadebugd enables developers to debug Java applications, but this campaign marks its first documented use as a vector for DLL sideloading, demonstrating the attackers’ ingenuity in subverting trusted binaries.

Victims receive spear-phishing emails, crafted to mimic communications from a prominent Kazakh oil company, “LLP KSK PETROLEUM LTD OIL AND GAS.”

These emails include a compressed attachment containing several files, including the renamed jsadebugd.exe, together with a malicious DLL (jli.dll) and a concealed Snake Keylogger payload stored inside a doctored “concrt141.dll.”


Once executed, the renamed executable triggers the DLL sideloading technique, causing jli.dll to load and, in turn, invoke the malware.

Notably, the actual Snake Keylogger binary is embedded at the start of the DLL file, ahead of the MZ header, which allows it to evade many traditional security scanners.

The malware is then injected into the legitimate InstallUtil.exe process, another trusted Windows utility, enabling it to operate undetected.

The campaign is engineered for persistence and stealth. Upon execution, it copies its malicious files to a disguised system folder located at “%USERPROFILE%\SystemRootDoc” and establishes persistence by creating a registry key under the common “Run” path, ensuring that the malware executes upon system startup.

The attackers have automated exfiltration routines that use legitimate web services like reallyfreegeoip.org and checkip.dyndns.org to determine the infected host’s public IP address and country, transmitting this data along with harvested credentials.
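As an added illustration of the defender's side (not code from the report or from S2 Group), the following Python hunting checks flag the chain described above: a jli.dll image load from outside a Java install directory, a Run-key value pointing into the SystemRootDoc folder, InstallUtil.exe contacting the named public-IP lookup services, and a DLL whose MZ header is not at byte 0. The event field names, the sample events and the list of legitimate Java directories are assumptions.

```python
"""Hunting checks for the chain described above, run over constructed Sysmon-style
events (field names are an assumption, not the report's schema)."""

# Directories where jli.dll legitimately lives (assumed; extend for your own Java installs).
JAVA_DIRS = ("\\program files\\java\\", "\\program files (x86)\\java\\", "\\program files\\eclipse adoptium\\")
# Public-IP lookup services the report says the stealer contacts before exfiltration.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "reallyfreegeoip.org"}
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
STAGING_DIR = "\\systemrootdoc\\"  # %USERPROFILE%\SystemRootDoc folder from the report

def sideloaded_jli(ev):
    """jli.dll loaded from a directory that is not a Java installation."""
    img = ev.get("image", "").lower()
    return img.endswith("\\jli.dll") and not any(d in img for d in JAVA_DIRS)

def run_key_into_staging(ev):
    """Run-key value pointing into the SystemRootDoc staging folder."""
    return RUN_KEY in ev.get("key", "").lower() and STAGING_DIR in ev.get("value", "").lower()

def installutil_ip_lookup(ev):
    """InstallUtil.exe (the injection host) contacting a public-IP lookup service."""
    proc = ev.get("process", "").lower()
    return proc.endswith("\\installutil.exe") and ev.get("dest_host", "").lower() in IP_LOOKUP_HOSTS

RULES = {"image_load": ("jli_sideload", sideloaded_jli),
         "registry_set": ("run_key_systemrootdoc", run_key_into_staging),
         "network": ("installutil_ip_lookup", installutil_ip_lookup)}

def hunt(events):
    """Return (rule_name, event) for every event that matches the rule for its type."""
    hits = []
    for ev in events:
        name, check = RULES.get(ev.get("type"), (None, None))
        if check and check(ev):
            hits.append((name, ev))
    return hits

def hidden_pe_offset(data: bytes) -> int:
    """Offset of an 'MZ' header that is not at byte 0 (the report notes the payload sits ahead
    of the MZ header); -1 when the file starts with MZ or holds no MZ at all."""
    return -1 if data[:2] == b"MZ" else data.find(b"MZ")

# Constructed sample events: one legitimate jli.dll load and three that match the chain.
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Users\u\AppData\Local\Temp\offer\jli.dll"},
    {"type": "image_load", "image": r"C:\Program Files\Java\jdk-17\bin\jli.dll"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\u\SystemRootDoc\Oil_Offer.exe"},
    {"type": "network", "process": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "dest_host": "checkip.dyndns.org"},
]
```

The three rules are deliberately independent so that any single hit is worth triage; correlating all three on one host is the strong signal.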

Snake Keylogger is notorious for its breadth of data theft. The malware targets a comprehensive list of over 30 web browsers, including Chrome, Firefox, Edge, Opera, Vivaldi, Brave, and many others, as well as applications like Microsoft Outlook, Mozilla Thunderbird, Foxmail, and FileZilla.

It extracts stored credentials, application data, and even the Windows product key, then leverages the SMTP protocol to exfiltrate this sensitive information.

Stolen data is funneled from compromised systems to attacker-controlled email accounts, utilizing mailboxes such as serverhar244@gpsamsterdamqroup[.]com and harrysnakelogger@dklak[.]cam.

Geopolitical Tensions as a Catalyst

The operation’s social engineering lures are timely and highly tailored. By exploiting the specter of rising oil prices and logistical disruption fueled by the Iran-Israel conflict, and fears over the closure of the Strait of Hormuz, the attackers increase their credibility and the likelihood of user interaction with their malicious attachments.

The impersonation of a Kazakh oil giant is particularly calculated, as Kazakhstan’s prominence in the regional energy sector adds legitimacy to the phishing ploy.

Forensic analysis links at least 29 further samples to this campaign, all deploying variants of the Snake Keylogger family using the same jsadebugd.exe sideloading technique.

Such reuse and consistency support the hypothesis of a coordinated and ongoing operation by a well-resourced threat actor.

According to the report, this campaign exemplifies the adaptive nature of cybercrime, where threat actors rapidly evolve their methods to evade detection and exploit current events.

By abusing legitimate Java executables that had not previously been seen in sideloading attacks, the operators behind Snake Keylogger have demonstrated an enhanced capability to bypass traditional security mechanisms and gain persistence on victim systems.

As geopolitical instability continues to ripple through the energy sector, organizations, especially those in oil and gas, must remain vigilant against such increasingly sophisticated cyber threats.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
