In the final week of June 2025, security teams across Russia’s healthcare and technology sectors began receiving an unusual flood of “routine” logistics and contract e-mails. Hidden behind familiar subject lines and legitimate sender addresses, the messages contained archives that looked like ordinary ZIP files yet behaved like executable libraries. Bi.Zone analysts quickly linked the wave to the Rainbow Hyena threat cluster and discovered that each archive was simultaneously a PE32+ DLL and a ZIP container. This hybrid format—known as a polyglot—slipped past most secure mail gateways, allowing attackers to plant malware directly onto employee workstations. Compromised corporate mailboxes, rather than spoofed domains, provided additional legitimacy, giving the attackers a near-perfect delivery mechanism that required no macro-enabled documents or overt executable attachments.

When rundll32 triggers PhantomRemote’s exported EntryPoint, the malware collects the computer and domain names, generates a GUID, and creates %PROGRAMDATA%\YandexCloud as its workspace. PhantomRemote—the custom payload embedded inside the DLL—provides command execution, file download and system inventory over plain HTTP, adopting User-Agent strings such as “YandexCloud/1.0” or “MicrosoftAppStore/2001.0” to blend into outbound traffic. Even after perimeter detection, analysts report that workstation-level persistence allowed the threat actor to maintain footholds until manual remediation.
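As an added defensive example (not code from the article or from Bi.Zone's report), the scanner below flags a file that satisfies both the PE loader and a ZIP reader at once, which is the polyglot trick described above; the fixture bytes are constructed for the test and are neither a loadable DLL nor a real archive, only the signatures each parser looks for.

```python
import struct

def build_fixture(with_zip_tail: bool = True) -> bytes:
    """Constructed test bytes: an MZ/PE32+ header skeleton, optionally followed
    by a stub ZIP central directory and end-of-central-directory (EOCD) record.
    Not a loadable DLL and not a real archive; it only carries the signatures."""
    blob = bytearray(b"MZ" + b"\x00" * 58)
    blob += struct.pack("<I", 0x80)                   # e_lfanew: PE header lives at 0x80
    blob += b"\x00" * (0x80 - len(blob))
    blob += b"PE\x00\x00" + struct.pack("<H", 0x8664) + b"\x00" * 18  # COFF header (AMD64)
    blob += struct.pack("<H", 0x20B) + b"\x00" * 110  # optional header magic 0x20B = PE32+
    if with_zip_tail:
        cd_off = len(blob)
        blob += b"PK\x01\x02" + b"\x00" * 42           # one stub central directory entry
        blob += b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1, 46, cd_off, 0)
    return bytes(blob)

def scan_polyglot(data: bytes) -> dict:
    """Return which container formats the blob satisfies. A file that is both a
    valid PE image and a valid ZIP archive is what a mail gateway or EDR should
    treat as a polyglot, whatever its extension or declared MIME type."""
    result = {"pe": False, "pe32plus": False, "zip": False, "polyglot": False}
    # PE side: 'MZ' at offset 0, e_lfanew at 0x3C pointing to 'PE\0\0'; the optional
    # header magic sits 24 bytes past the PE signature (4 bytes sig + 20-byte COFF header).
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 26 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            result["pe"] = True
            magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
            result["pe32plus"] = magic == 0x20B
    # ZIP side: readers locate the archive from the EOCD record at the END of the file,
    # which is why a PE loader and a ZIP parser can both be satisfied by one blob.
    tail = data[-(22 + 0xFFFF):]                      # EOCD is 22 bytes plus an optional comment
    pos = tail.rfind(b"PK\x05\x06")
    if pos != -1 and pos + 22 <= len(tail):
        cd_size, cd_off = struct.unpack_from("<II", tail, pos + 12)
        # The EOCD's central-directory offset must point at a real CD entry header.
        result["zip"] = cd_size >= 46 and data[cd_off:cd_off + 4] == b"PK\x01\x02"
    result["polyglot"] = result["pe"] and result["zip"]
    return result

if __name__ == "__main__":
    for name, sample in (("polyglot", build_fixture()), ("plain-dll", build_fixture(False))):
        print(name, scan_polyglot(sample))
```

Checking only the leading bytes (as many content-type sniffers do) sees a DLL and never the archive, so the EOCD search at the tail is the part that catches this format.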
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 16 Jul 2025 10:35:10 +0000