A sophisticated new phishing campaign has emerged, leveraging obsolete Windows file formats and advanced evasion techniques to distribute the notorious Remcos Remote Access Trojan. The campaign begins with carefully crafted phishing emails containing malicious archives that house an executable named “FAKTURA,” designed to deploy DBatLoader onto target systems.

This multi-stage attack represents a concerning evolution in malware distribution techniques, as threat actors increasingly exploit legitimate Windows functionality and outdated file formats to evade modern security solutions. The attack chain uses DBatLoader as its primary delivery mechanism, combining User Account Control (UAC) bypass methods, obfuscated scripts, and abuse of Living Off the Land Binaries (LOLBins) to establish persistent access to compromised systems.

Any.Run analysts identified this campaign through comprehensive sandbox analysis, revealing the intricate methods the malware employs to maintain stealth and persistence. The researchers noted that the attack leverages Program Information Files (.pif), originally designed for configuring DOS-based programs in early Windows versions, as a disguise for malicious executables.

The core innovation of this campaign lies in its exploitation of .pif files and of vulnerabilities in how Windows handles folder names. The malicious alpha.pif file, which is actually a Portable Executable, circumvents User Account Control by creating deceptive directories such as “C:\Windows ” with a trailing space.

The attack also employs time-based evasion by abusing PING.EXE, executing a command that pings the local loopback address (127.0.0.1) ten times. While legitimate applications use this for network connectivity testing, DBatLoader repurposes it to introduce an artificial delay, helping evade time-sensitive detection systems. The campaign further employs BatCloak obfuscation for .cmd files and uses extrac32.exe to manipulate Windows Defender exclusion lists.

This combination of UAC bypass, process injection, and scheduled task abuse creates a robust infection framework that challenges traditional detection methodologies and requires behavioral analysis to identify.
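As an added example (not from the article, Any.Run or the campaign itself), the following Python triage routine applies the behavioral indicators described above (.pif executables, a “C:\Windows ” trailing-space directory, loopback ping delays and extrac32.exe use) to constructed process-creation records. The field names, sample paths and the loopback ping threshold are assumptions.

```python
import re

# Threshold for the loopback-ping delay heuristic (assumption: ping's default is
# 4 echo requests, so a larger count against 127.0.0.1 is worth a closer look).
LOOPBACK_PING_MIN_COUNT = 5

# Constructed process-creation records in a Sysmon/EDR-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\victim\AppData\Local\Temp\alpha.pif", "cmdline": "alpha.pif"},
    {"image": r"C:\Windows\System32\PING.EXE", "cmdline": "PING.EXE 127.0.0.1 -n 10"},
    {"image": r"C:\Windows \System32\placeholder.exe", "cmdline": "placeholder.exe"},
    {"image": r"C:\Windows\System32\extrac32.exe",
     "cmdline": r"extrac32.exe /Y /C C:\Users\victim\AppData\Local\Temp\in.cab C:\ProgramData\out.cmd"},
    {"image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping 8.8.8.8 -n 1"},    # benign
    {"image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping 127.0.0.1 -n 1"},  # benign
]

TRAILING_SPACE_DIR = re.compile(r"\\windows\s+\\", re.I)  # "C:\Windows \..." lookalike path
PING_BINARY = re.compile(r"\bping(?:\.exe)?\b", re.I)
LOOPBACK = re.compile(r"\b(?:127\.0\.0\.1|localhost)\b", re.I)
PING_COUNT = re.compile(r"-n\s+(\d+)", re.I)


def classify(event):
    """Return the list of indicator names that match one process-creation event."""
    image, cmd = event["image"], event["cmdline"]
    findings = []
    # Legacy .pif format used as a disguise for a PE executable.
    if image.lower().endswith(".pif"):
        findings.append("pif_executable")
    # Directory name that mimics C:\Windows with a trailing space.
    if TRAILING_SPACE_DIR.search(image) or TRAILING_SPACE_DIR.search(cmd):
        findings.append("trailing_space_windows_dir")
    # PING.EXE against loopback with a high repeat count: a delay, not a connectivity test.
    if PING_BINARY.search(cmd) and LOOPBACK.search(cmd):
        m = PING_COUNT.search(cmd)
        count = int(m.group(1)) if m else 4  # ping's default when -n is absent
        if count >= LOOPBACK_PING_MIN_COUNT:
            findings.append("loopback_ping_delay")
    # extrac32.exe is a LOLBin; flag it for review rather than trusting it by name.
    if image.lower().endswith("\\extrac32.exe"):
        findings.append("extrac32_lolbin")
    return findings


def triage(events):
    """Return (image, findings) pairs for events that matched at least one indicator."""
    return [(e["image"], f) for e in events if (f := classify(e))]


if __name__ == "__main__":
    for image, findings in triage(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(findings)}")
```

The four flagged records are the campaign behaviors; the two benign ping records show the count threshold keeping ordinary connectivity checks out of the alert stream.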
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 30 Jun 2025 15:00:17 +0000