Chinese APT Group Deploys EggStreme Fileless Malware Against Philippine Military

A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future.

A new ransomware variant, HybridPetya, has been discovered. It resembles the Petya/NotPetya malware but includes the ability to bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability. HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions and can compromise modern UEFI-based systems. The ransomware operates through a bootkit and an installer, with the bootkit managing encryption and decryption processes. The ransomware has been observed in samples uploaded to VirusTotal in February 2025, with no evidence of active use in the wild. The vulnerability exploited by HybridPetya was patched in January 2025. The ransomware encrypts the MFT and displays a fake CHKDSK message to deceive victims. It demands a $1,000 ransom in Bitcoin, with a total of $183.32 received between February and May 2025. The ransom note provides an option for victims to enter a decryption key after payment, which triggers the decryption process. The bootkit also recovers legitimate bootloaders from backups created during installation. The ransomware triggers a system crash during bootloader changes, ensuring the bootkit binary is executed upon reboot. HybridPetya may be a research project, proof-of-concept, or early version of a cybercrime tool under limited testing. HybridPetya combines the destructive capabilities of NotPetya, the recoverable encryption functionality of Petya ransomware, and the ability to bypass Secure Boot protections. It can deploy malicious UEFI payloads directly to the EFI System Partition and encrypt the Master File Table (MFT). HybridPetya's ability to install harmful code directly into a computer's UEFI firmware makes it hard for security teams to detect. The emergence of HybridPetya highlights the growing threat from UEFI bootkits that reside at a computer's startup sequence level.

A flaw in the Visual Studio Code Marketplace allows threat actors, notably WhiteCobra, to republish deleted extensions under the same names. This vulnerability was discovered after identifying a malicious extension named "ahbanC.shiba" that mimicked previously flagged extensions. The flaw enables attackers to reuse names of removed extensions, posing a risk to software supply chain security. The malicious extensions act as downloaders, retrieving a PowerShell payload that encrypts files and demands Shiba Inu tokens. This issue highlights the need for secure development practices and proactive monitoring of software repositories. WhiteCobra has targeted VSCode, Cursor, and Windsurf users by planting 24 malicious extensions in the Visual Studio marketplace and the Open VSX registry. The campaign is ongoing as the threat actor continuously uploads new malicious code to replace the extensions that are removed. The group is responsible for the $500,000 crypto-theft in July, through a fake extension for the Cursor editor.

A new remote access trojan, GodRAT, is targeting trading and brokerage firms through a campaign that uses steganography and Gh0st RAT code. The malware is distributed via Skype messenger, disguised as financial documents, and has been active since at least September 2024. GodRAT employs a plugin-based approach to harvest sensitive information and deliver secondary payloads, including AsyncRAT. The campaign has targeted financial institutions in several countries, including Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan. The malware uses steganography to conceal shellcode within image files, which is then used to download the malware from a command-and-control (C2) server. GodRAT is an evolution of another Gh0st RAT-based backdoor known as AwesomePuppet, which was first documented in 2023. The malware is believed to be the work of the Chinese threat actor, Winnti (aka APT41). The attackers have also been found to leverage ConnectWise ScreenConnect to deliver AsyncRAT, using a layered VBScript and PowerShell loader to execute obfuscated components from external URLs. The malware maintains persistence via a fake 'Skype Updater' scheduled task and can log keystrokes, steal browser credentials, fingerprint the system, and scan for installed cryptocurrency wallet desktop apps and browser extensions.