A sophisticated malware campaign has emerged that exploits the trusted GitHub platform to distribute malicious software disguised as legitimate tools. When unsuspecting users download what they believe to be free software from the GitHub repository hosted by user SAMAIOEC, they inadvertently execute a multi-stage malware deployment system. The research revealed that the malware employs advanced evasion techniques, including process injection, DLL side-loading, and complex obfuscation methods, to avoid detection by traditional security solutions.

The malware operation centers around a dropper named Launch.exe, which serves as the initial payload delivery mechanism. Upon execution, the malware performs several deceptive operations, beginning with the creation of fake assembly metadata designed to confuse automated analysis tools. The assembly information includes nonsensical entries such as “CompanyName” listed as “run he think” and “FileDescription” as “collaborate black system,” indicating the use of automated malware builders to generate random metadata.

The malware’s infection mechanism demonstrates advanced technical sophistication through its multi-stage payload delivery system. The technical analysis reveals that Launch.exe functions as a dropper containing Base64-encoded malicious payloads: the embedded DLL undergoes complex decoding and de-obfuscation before execution. Once decoded, the malware drops a file named msvcp110.dll into the user’s AppData\Roaming directory and immediately applies hidden file attributes to conceal its presence. The dropper then uses dynamic loading through the Windows API calls LoadLibrary and GetProcAddress to execute the malicious DLL’s GetGameData export function.

The malware employs a custom function called SinCosMath() that performs bitwise operations on the encoded payload, applying bitwise NOT operations followed by arithmetic subtractions to decrypt the hidden malicious code. This approach enables the malware to inject its payload into legitimate Windows processes such as MSBuild.exe and aspnet_regiis.exe, effectively hiding its malicious activities within trusted system processes while establishing persistence and evading detection mechanisms.
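The decode stage as the write-up describes it, reversed for analysis. This is an added example, not the article's code or the malware's own routine: the per-byte subtraction constant, the function names, and the sample bytes are assumptions or constructed values, since the article gives only the order of operations (Base64 decode, bitwise NOT, then subtraction).

```python
import base64

# Assumption: the article does not state the subtraction constant used by
# SinCosMath(); 0x2A is a placeholder an analyst would replace with the value
# recovered from the sample.
DEFAULT_KEY = 0x2A


def sincos_decode(encoded: bytes, key: int = DEFAULT_KEY) -> bytes:
    """Reverse the SinCosMath()-style transform described in the write-up:
    bitwise NOT each byte, then subtract a constant (mod 256)."""
    return bytes(((~b) & 0xFF) - key & 0xFF for b in encoded)


def sincos_encode(plain: bytes, key: int = DEFAULT_KEY) -> bytes:
    """Inverse of sincos_decode, used here only to build the constructed sample:
    add the constant, then bitwise NOT (mod 256)."""
    return bytes((~((b + key) & 0xFF)) & 0xFF for b in plain)


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check for a recovered DLL: 'MZ' magic at offset 0 and a
    'PE\\0\\0' signature at the offset stored in the DOS header at 0x3C."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[pe_off:pe_off + 4] == b"PE\0\0"


def recover_dll(b64_payload: str, key: int = DEFAULT_KEY) -> bytes:
    """Dropper stage as described: Base64 decode, then the NOT-and-subtract
    pass. Raises if the result does not look like a PE image (wrong key)."""
    decoded = sincos_decode(base64.b64decode(b64_payload), key)
    if not looks_like_pe(decoded):
        raise ValueError("decoded payload is not a PE image; wrong key or transform")
    return decoded


# Constructed sample: a minimal fake DOS header whose e_lfanew points at a PE
# signature at 0x40. These are not bytes from the real msvcp110.dll.
FAKE_DLL = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 8
SAMPLE_B64 = base64.b64encode(sincos_encode(FAKE_DLL)).decode()

if __name__ == "__main__":
    out = recover_dll(SAMPLE_B64)
    print(f"recovered {len(out)} bytes, PE header valid: {looks_like_pe(out)}")
```

The PE check is what tells an analyst whether the guessed constant is right: with the wrong key the first two bytes will not decode to "MZ" and recover_dll raises.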
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 10 Jul 2025 15:25:09 +0000