A new wave of phishing campaigns has been detected, revealing a significant shift in threat actor tactics designed to evade email security measures and compromise targeted organizations.
Attackers are now leveraging masquerading methods, including the use of polyglot files (files structured so that they parse as more than one format at once), to bypass spam filters and deliver advanced malware.
The classic delivery of malicious macros in Office documents has largely been replaced by alternative vehicles such as LNK shortcuts, with the malicious payloads concealed within ZIP-compressed polyglot files.
Phishing Tactics
The latest campaigns stand out for exploiting legitimate email addresses from previously compromised entities to send phishing emails.

These messages sport plausible subject lines, written in Russian, like “Транспортная накладная ТТН № 391-44 от 26.06.2025” (Waybill WB No. 391-44 dated June 26, 2025) and “Договор РН83-371” (Contract PH83-371), designed to create a sense of urgency and authenticity.
Each email carries a ZIP attachment meticulously engineered as a polyglot file; within lies a PE32+ dynamic link library (DLL) that not only acts as the primary infection vector but also contains a legitimate-looking decoy document and a further embedded ZIP archive with a malicious LNK file.
Upon an unsuspecting user’s execution of the LNK shortcut, an intricate infection sequence commences.
The LNK script systematically searches for its associated ZIP polyglot either in the current directory, recursively in %USERPROFILE%, or within the TEMP folder.
Upon locating the payload, rundll32.exe is used to execute the DLL, specifically invoking the exported EntryPoint function.
The LNK then proceeds to carve out the decoy content from the polyglot’s byte stream using predefined offsets and lengths, deploying the document into %TEMP% and launching it with a standard command-line execution to minimize suspicion.
Embedded PowerShell scripts dictate this process, further masking the malicious operations from real-time monitoring solutions.
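The infection chain above hinges on a single attachment that is simultaneously a valid ZIP archive and a PE32+ DLL. The detector below, added here as an example and not code from the article or the report, flags such PE/ZIP polyglots by checking for an MZ header at offset 0 and a ZIP End of Central Directory record whose offsets imply a non-zero prefix; the sample polyglot is constructed in memory and contains no real payload.

```python
"""Flag files that parse both as a PE image and as a ZIP archive.
Added example; the STUB below is a constructed, non-functional MZ header."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
STUB = b"MZ" + b"\x00" * 62 + b"<constructed PE stub, not a real image>" + b"\x00" * 100

def zip_prefix_length(data: bytes):
    """Bytes preceding the ZIP structure, or None if the blob is not a ZIP.
    A standalone archive has prefix 0; a polyglot carries the PE image in front."""
    tail = data[-(22 + 65535):]            # EOCD is 22 bytes plus an optional comment
    idx = tail.rfind(EOCD_SIG)
    if idx == -1:
        return None
    eocd_pos = len(data) - len(tail) + idx
    if eocd_pos + 22 > len(data):          # truncated EOCD record
        return None
    # EOCD: sig(4) disk(2) cd_disk(2) n(2) n_total(2) cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd_pos + 12)
    actual_cd_start = eocd_pos - cd_size   # where the central directory really sits
    prefix = actual_cd_start - cd_offset   # minus where the record claims it sits
    return prefix if prefix >= 0 else None

def classify(data: bytes) -> dict:
    is_pe = data[:2] == b"MZ"
    prefix = zip_prefix_length(data)
    is_zip = prefix is not None and zipfile.is_zipfile(io.BytesIO(data))
    return {
        "pe_header": is_pe,
        "zip_structure": is_zip,
        "zip_prefix_bytes": prefix if is_zip else None,
        "polyglot": is_pe and is_zip,      # both parsers accept the same bytes
    }

def build_plain_zip() -> bytes:
    """Constructed ordinary archive with one placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("decoy.pdf.lnk", "constructed placeholder content")
    return buf.getvalue()

def build_sample_polyglot() -> bytes:
    """Constructed polyglot: fake MZ stub followed by a real ZIP archive."""
    return STUB + build_plain_zip()
```

Python's own zipfile module tolerates the prefix silently, which is exactly why a filter that only asks "is this a ZIP?" accepts the file; the prefix length is the signal worth alerting on.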
The PhantomRemote Backdoor
The core objective of these campaigns appears to be data collection and sustained remote access. At the heart of the operation lies PhantomRemote, a backdoor PE32+ DLL written in C++.
Immediately after execution, PhantomRemote engages in system reconnaissance by collecting the host’s GUID, computer and domain names, and establishing a dedicated working environment in directories such as %PROGRAMDATA%\YandexCloud or %PROGRAMDATA%\MicrosoftAppStore.
The malware then connects to various command-and-control (C2) endpoints over HTTP, embedding system information into GET requests while masquerading as legitimate software through User-Agent strings like YandexUpdate/1.0 and MicrosoftAppStore/2001.0.
According to the report, PhantomRemote is capable of executing a range of commands issued from its C2 infrastructure.
Notably, it can run arbitrary shell commands, download additional binaries via specified URLs, and maintain ongoing communication by sending the results of its operations back to the control server using POST requests.
Its design ensures persistence through directory creation and flexible payload management. The backdoor minimizes security alerts by incorporating timed sleep loops between command executions and error states, thus blending in with background processes.
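The behaviours described above (rundll32.exe invoking EntryPoint in a .zip path, the working directories under %PROGRAMDATA%, and the two spoofed User-Agent strings) translate directly into detection logic. The rules below are an added example, not from the article or the report, run over constructed telemetry; the event schema (dicts with type, cmdline, path and user_agent keys) is an assumption standing in for whatever EDR or proxy export a team actually has, and the 203.0.113.10 address is a documentation-range placeholder, not a real C2.

```python
"""Behavioural detections for the PhantomRemote chain over constructed events.
Added example; event layout and sample values are assumptions."""
import re

# rundll32 loading a DLL whose path ends in .zip and calling the EntryPoint export
RUNDLL32_ZIP = re.compile(r'rundll32(\.exe)?\s+"?[^"]*?\.zip"?\s*,\s*EntryPoint', re.IGNORECASE)
# working directories the backdoor creates under %PROGRAMDATA%
PHANTOM_DIRS = re.compile(r"\\ProgramData\\(YandexCloud|MicrosoftAppStore)(\\|$)", re.IGNORECASE)
# User-Agent strings the backdoor masquerades with
PHANTOM_UAS = {"YandexUpdate/1.0", "MicrosoftAppStore/2001.0"}

def match_event(ev: dict) -> list:
    """Return the names of every rule this single event satisfies."""
    hits = []
    if ev.get("type") == "process" and RUNDLL32_ZIP.search(ev.get("cmdline", "")):
        hits.append("rundll32_zip_polyglot_entrypoint")
    if ev.get("type") in ("file", "process") and PHANTOM_DIRS.search(ev.get("path", "")):
        hits.append("phantomremote_workdir")
    if ev.get("type") == "http" and ev.get("user_agent") in PHANTOM_UAS:
        hits.append("phantomremote_user_agent")
    return hits

def detect(events: list) -> dict:
    """Map rule name -> indexes of matching events, so a triage view can
    correlate the rundll32 launch, the directory creation and the beacon."""
    out = {}
    for i, ev in enumerate(events):
        for rule in match_event(ev):
            out.setdefault(rule, []).append(i)
    return out

# constructed sample telemetry: one benign rundll32 use and one benign HTTP request mixed in
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\alice\Downloads\Договор_РН83_изменения.zip",EntryPoint'},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "file", "path": r"C:\ProgramData\YandexCloud"},
    {"type": "http", "host": "203.0.113.10", "method": "GET", "user_agent": "YandexUpdate/1.0"},
    {"type": "http", "host": "example.com", "method": "GET", "user_agent": "Mozilla/5.0"},
]
```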
Interestingly, this technical evolution in phishing methodology is paralleled by a broader trend among hacktivist groups.
Once motivated mainly by ideological concerns, these actors are increasingly engaging in traditional cybercrime, embracing espionage and financial theft while adopting commercially available attack toolkits and infrastructure.
The persistent success and sophistication of these operations underscore the importance of updated defensive strategies across enterprise environments.
Security teams are urged to monitor not only for known malicious hashes and IP addresses but also for behavioral patterns indicative of polyglot abuse and LNK-based infection vectors.
Indicators of Compromise (IOCs)
| Type | Filename/Indicator | MD5 | SHA1 | SHA256 |
|---|---|---|---|---|
| ZIP | Договор_РН83_37_изменения.zip | 75a26a138783032ee18dcfc713b1b34c | 04d364d7cc98379352e89757d62521271cb410cb | ed9b24a77a74cd34c96b30f8de794fe85eb1d9f188f516bd7d6020cc81a86728 |
| ZIP | Договор_РН83_изменения.zip | 7e52be17fd33a281c70fec14805113a8 | 6942e07e7d08781cba571211a08e779838e72e9a | 204544fc8a8cac64bb07825a7bd58c54cb3e605707e2d72206ac23a1657bfe1e |
| ZIP | Транспортная_накладная_ТТН_№391-44_от_26.06.2025.zip | be990a49fa1e3789ebc5c55961038029 | 851157c01da6e85ffa94ded7f42cab19aa8528d6 | 01f12bb3f4359fae1138a194237914f4fcdbf9e472804e428a765ad820f399be |
| LNK | Договор_РН83_37_изменения.pdf.lnk | 698337a1be374f3ebb9556ccdc794389 | dc149c042747ddf4f58c7ac6bf23e6a02ce1fc77 | e3e3f7d9abb9696904684d8e32f36818e1939c8122dcc73299a1b7f6b6b700b2 |
| LNK | Транспортная_накладная_ТТН_№391-44_от_26.06.2025.xls.lnk | 88453eb954669b5c7ac712ecf1e0179c | 2a14a9dd1032479ab5bf8ed945ef9a22ebd4999d | 4d4304d7ad1a8d0dacb300739d4dcaade299b28f8be3f171628a7358720ca6c5 |
| Decoy | %TEMP%\Договор_РН83_37_изменения.pdf | 1dff0bcf719f3509c597a8955e49af38 | 4ce5e6e0b21323409db8cd8ed2a7ed251656d18a | 47262571a87e70238bd6afd376560e9cfdc94bfacae72f36b6aa9fb6e769eb9c |
| Decoy | %TEMP%\Транспортная_накладная_ТТН_№391-44_от_26.06.2025.xls | 9f8e2e09e37142a21c16b37ba310e009 | efe10ad0b49e6889597b5c3254139b92ed72064c | da53c49641b05e00cde09d47260da927ec403f01ac388605b785eac98306f9c2 |