Blackmoon (KRBanker) malware variant deployed via DLL sideloading and staged payloads
Malware Activity
Summary
A Blackmoon (KRBanker) malware variant is being deployed through DLL sideloading and staged payload delivery, giving operators persistent control over compromised hosts and helping them evade detection. The chain adds administrative privileges, checks for Avast Free Antivirus, and uses a repurposed SyncFuture TSM payload to support monitoring and data theft. The activity matters because it combines anti-analysis, security-software evasion, and remote control capabilities in a single infection flow.
Related Happenings
EtherRAT malicious MSI loader with Ethereum-based C2
Malware Activity
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
STX RAT attempted deployment in financial services environment
Malware Activity
First: 09.04.2026 18:00
Last: 09.04.2026 18:00
Sources 1
About this happening:
A previously undocumented **STX RAT** attempted deployment in a **financial services environment** exposed a stealthy RAT with **credential theft** and **remote-control** capabili...
Reynolds ransomware BYOVD defense-evasion activity
Malware Activity
First: 10.02.2026 16:36
Last: 10.02.2026 16:36
Sources 1
About this happening:
The **Reynolds** ransomware family now matters because it bundles a **vulnerable NsecSoft NSecKrnl driver** inside the payload to disable **EDR** and terminate security processes...
Tax-themed phishing campaign targeting Indian users with persistent access payloads
Campaign
First: 26.01.2026 19:01
Last: 26.01.2026 19:01
Sources 1
How related:
The activity, per the eSentire Threat Response Unit (TRU), involves using phishing emails impersonating the Income Tax Department of India to trick victims into downloading a malicious archive, ultimately granting the threat actors persistent access to their machines for continuous monitoring and data exfiltration.
About this happening:
An ongoing **tax-themed phishing campaign** is targeting **Indian users** with a **multi-stage backdoor**, creating persistent access for **continuous monitoring** and **data exfi...
Amnesia RAT retrieved from Dropbox for data theft and remote control
Malware Activity
First: 24.01.2026 13:09
Last: 24.01.2026 13:09
Sources 1
About this happening:
The **Amnesia RAT** payload is being staged from **Dropbox**, giving the operators a **remote-access trojan** that can steal data and control infected endpoints. It is the final s...
Timeline
26.01.2026 19:01 · 2 articles
Tax-phishing campaign delivers Blackmoon and SyncFuture TSM
Initial Disclosure: Researchers describe a phishing campaign targeting Indian users with fake Income Tax Department of India notices that entice victims to open a malicious ZIP, sideload a DLL through "Inspection Document Review.exe", bypass User Account Control with COM-based techniques, masquerade as explorer.exe, and fetch a next-stage payload from "eaxwwyr[.]cn". The chain is assessed to deploy Blackmoon (aka KRBanker) and SyncFuture TSM, and it can tamper with Avast Free Antivirus exclusions when "AvastUI.exe" is present to preserve persistence, monitoring, and data exfiltration.
Sources:
- Indian Users Targeted in Tax Phishing Campaign Delivering Blackmoon Malware — thehackernews.com — 26.01.2026 19:01