A sophisticated phishing campaign targeting Turkish defense and aerospace enterprises has emerged, delivering a highly evasive variant of the Snake Keylogger malware through fraudulent emails impersonating TUSAŞ (Turkish Aerospace Industries). The campaign distributes files disguised as contractual documents, specifically using the filename “TEKLİF İSTEĞİ – TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe” to deceive recipients into executing the payload.

Malwation researchers identified this particular strain during their analysis of recent phishing campaigns, noting the malware’s use of legitimate Windows utilities to maintain persistence and evade security controls. The Snake Keylogger variant demonstrates advanced persistence capabilities and evasion techniques that allow it to operate undetected within compromised systems.

The sample, with SHA256 hash 0cb819d32cb3a2f218c5a17c02bb8c06935e926ebacf1e40a746b01e960c68e4, presents as a PE32 executable written in .NET, utilizing multiple unpacking layers to conceal its true functionality. The keylogger’s primary targets include credentials, cookies, and financial information extracted from over 30 different browsers and email clients, including Chrome, Firefox, Outlook, and Thunderbird. Additionally, the malware harvests autofill data, credit card information, download histories, and top sites from compromised systems before exfiltrating the stolen data via SMTP to mail.htcp.homes servers.

Once executed, the malware immediately establishes multiple layers of persistence while simultaneously implementing anti-detection mechanisms to ensure long-term access to victim systems. It employs a dual-pronged approach to establish persistence while evading detection systems. Upon execution, it immediately invokes PowerShell to add itself to Windows Defender’s exclusion list using the command Add-MpPreference -Excl, effectively neutralizing the built-in antimalware protection. This operation is executed through the NtCreateUserProcess system call, launching powershell.exe with elevated privileges to modify security configurations.

Simultaneously, the malware creates a scheduled task named “Updates\oNqxPR” using schtasks.exe to ensure automatic execution at system startup. The scheduled task creation process involves generating an XML configuration file that defines the execution parameters, allowing the malware to persist across system reboots without user interaction. This technique leverages legitimate Windows task scheduling functionality, making detection significantly more challenging for traditional security solutions.
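To make the two persistence behaviours concrete from the detection side, here is an added Python example (not code from the report or from Malwation) that runs simple rules over constructed process-creation records: PowerShell invoking Add-MpPreference with an exclusion parameter, and schtasks.exe registering a task from an XML file under the reported Updates\ task path. The file paths, the parent-process heuristic and the event layout are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record (e.g. Sysmon Event ID 1 / Security 4688)."""
    image: str         # path of the created process
    parent_image: str  # process that spawned it
    cmdline: str       # full command line

# PowerShell adding a Defender exclusion. "-Excl" is the prefix shared by the
# real -ExclusionPath / -ExclusionProcess / -ExclusionExtension parameters.
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-Excl", re.IGNORECASE)
# schtasks.exe registering a task from an XML definition file.
SCHTASKS_XML = re.compile(r"/create\b.*/xml\b", re.IGNORECASE)
# Task path prefix reported for this campaign ("Updates\oNqxPR").
SNAKE_TASK_NAME = re.compile(r'/tn\s+"?Updates\\', re.IGNORECASE)

def classify(ev: ProcEvent) -> list[str]:
    """Return the detection labels that apply to a single process-creation event."""
    hits = []
    image = ev.image.lower()
    parent = ev.parent_image.lower()
    if image.endswith("powershell.exe") and DEFENDER_EXCLUSION.search(ev.cmdline):
        hits.append("defender-exclusion-added")
        # An interactive admin session is explorer/cmd-spawned; a dropped .exe is not.
        if not parent.endswith(("explorer.exe", "cmd.exe")):
            hits.append("exclusion-from-unusual-parent")
    if image.endswith("schtasks.exe") and SCHTASKS_XML.search(ev.cmdline):
        hits.append("schtasks-xml-task-created")
        if SNAKE_TASK_NAME.search(ev.cmdline):
            hits.append("task-name-matches-snake-keylogger")
    return hits

def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> labels for every event that triggered at least one rule."""
    return {i: labels for i, ev in enumerate(events) if (labels := classify(ev))}

# Constructed sample telemetry; paths and the -ExclusionPath parameter are assumptions.
DROPPER = r"C:\Users\victim\Downloads\TEKLİF İSTEĞİ – TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", DROPPER,
              'powershell.exe Add-MpPreference -ExclusionPath "C:\\Users\\victim\\Downloads"'),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", DROPPER,
              r'schtasks.exe /Create /TN "Updates\oNqxPR" /XML "C:\Users\victim\AppData\Local\Temp\tmp1A2B.tmp"'),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", r"C:\Windows\explorer.exe",
              r'schtasks.exe /Create /TN "Backup\Nightly" /TR "C:\Tools\backup.exe" /SC DAILY'),  # benign
]
```

`scan(SAMPLE_EVENTS)` flags the first two constructed events and leaves the explorer-spawned, non-XML task creation alone.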
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 19 Jul 2025 12:20:10 +0000