A sophisticated phishing campaign leveraging the Snake Keylogger malware has emerged, exploiting legitimate Java debugging utilities to bypass security mechanisms and target organizations worldwide. The Russian-originated .NET malware, distributed through a Malware as a Service (MaaS) model, represents a significant evolution in cybercriminal tactics by abusing trusted system components that typically evade detection.

The malware employs a multi-stage infection process beginning with compressed attachments containing the legitimate jsadebugd.exe binary, renamed to appear as a petroleum-related document. These malicious communications impersonate major oil companies, particularly targeting organizations in the energy sector during a period of global concern over potential disruptions to oil logistics through the Strait of Hormuz. CN-SEC analysts identified this campaign as particularly noteworthy due to its unprecedented abuse of jsadebugd.exe, a legitimate Java debugging utility that had not previously been documented for malicious purposes. The attackers demonstrate a sophisticated understanding of system architecture by leveraging this trusted binary to execute their payload while maintaining stealth.

When executed, the malware uses DLL sideloading to load malicious code through the jli.dll library, subsequently injecting the Snake Keylogger payload into the legitimate InstallUtil.exe process. Its most sophisticated evasion technique involves storing the Snake Keylogger binary within concrt141.dll, positioning the malicious code immediately before the standard MZ header.
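The hiding technique described above defeats scanners that parse the PE structure only at offset 0. The following triage helper, an added example and not code from the original article or from CN-SEC, walks every "MZ" stamp in a file, validates the DOS-to-PE link, and reports where real PE headers sit. The sample buffers, the `_fake_pe` builder and the `triage` verdict logic are constructed for the demo and are not Snake Keylogger bytes.

```python
"""Added triage helper: locate PE images that sit somewhere other than offset 0
inside a file (a carrier DLL with code ahead of the MZ header, or a second PE
embedded after the first). All samples here are constructed for the demo."""
import struct

PE_SIG = b"PE\0\0"
IMAGE_FILE_DLL = 0x2000
MACHINES = {0x14C: "i386", 0x8664: "AMD64"}


def find_pe_headers(data: bytes) -> list:
    """Return every offset holding a structurally valid DOS->PE header chain.

    A hit requires an 'MZ' stamp, an e_lfanew (at +0x3C) that stays inside the
    buffer, and the PE signature at the position it points to.
    """
    findings = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # COFF header follows the 4-byte signature: Machine at +4,
            # Characteristics at +22, header ends at +24.
            if e_lfanew >= 0x40 and pe + 24 <= len(data) and data[pe:pe + 4] == PE_SIG:
                machine = struct.unpack_from("<H", data, pe + 4)[0]
                chars = struct.unpack_from("<H", data, pe + 22)[0]
                findings.append({
                    "offset": pos,
                    "machine": MACHINES.get(machine, hex(machine)),
                    "is_dll": bool(chars & IMAGE_FILE_DLL),
                })
        pos = data.find(b"MZ", pos + 1)
    return findings


def triage(data: bytes) -> dict:
    """Summarise: does the first PE start at offset 0, and are there more?"""
    findings = find_pe_headers(data)
    header_at_zero = bool(findings) and findings[0]["offset"] == 0
    extra = [f for f in findings if f["offset"] != 0]
    return {
        "header_at_zero": header_at_zero,
        "findings": findings,
        # Only PE-bearing files are judged; a text file is simply "not a PE".
        "suspicious": bool(findings) and (not header_at_zero or bool(extra)),
    }


def _fake_pe(machine: int, characteristics: int) -> bytes:
    """Constructed minimal DOS header + PE signature + COFF header (88 bytes)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, characteristics)
    return dos + PE_SIG + coff


# Constructed samples: a normal DLL, and a carrier with 96 bytes of filler
# ahead of its MZ header plus a second (EXE-flagged) PE embedded later.
CLEAN_DLL = _fake_pe(0x8664, 0x2022) + b"\0" * 256
CARRIER = (b"\xCC" * 96 + _fake_pe(0x8664, 0x2022)
           + b"\0" * 200 + _fake_pe(0x14C, 0x0022) + b"\0" * 64)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_DLL), ("carrier", CARRIER)):
        print(name, triage(blob))
```

On the constructed carrier the scan reports PE headers at offsets 96 and 384 and no header at offset 0, which is exactly the layout a signature engine anchored to offset 0 would miss; on a real sample the same walk also surfaces a payload appended after the carrier's own image.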
Placing the payload ahead of the MZ header allows it to remain hidden from conventional signature-based detection systems that rely on standard PE file structure analysis. The malware establishes persistence through a registry modification at SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ensuring continued execution across system reboots, and copies its components to %USERPROFILE%SystemRootDoc.
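The chain described in this article (jli.dll sideloading, a thread created in InstallUtil.exe, a Run key pointing into the user profile) is visible in endpoint telemetry even when the file itself evades signatures. The detector below is an added example, not code from the original article: three rules over Sysmon-style events (IDs 7, 8 and 13) plus a per-host correlation step. The event records, host names, file paths, the `UpdateCheck` value name and the "trusted prefix" heuristic are all constructed assumptions for the demo.

```python
"""Added detection example: behavioural rules for the sideload -> injection ->
Run-key chain, evaluated over constructed Sysmon-style events."""
import ntpath
from collections import defaultdict

# Assumption: legitimately installed software lives under these prefixes.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows\\")


def _trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def rule_jli_sideload(ev: dict):
    """Sysmon event 7: jli.dll loaded from outside a trusted install location."""
    if ev.get("EventID") == 7 and ntpath.basename(ev["ImageLoaded"]).lower() == "jli.dll":
        if not _trusted(ev["ImageLoaded"]):
            return "jli_sideload"
    return None


def rule_installutil_injection(ev: dict):
    """Sysmon event 8: a process outside trusted paths creates a thread in InstallUtil.exe."""
    if ev.get("EventID") == 8 and ntpath.basename(ev["TargetImage"]).lower() == "installutil.exe":
        if not _trusted(ev["SourceImage"]):
            return "installutil_injection"
    return None


def rule_run_key_user_profile(ev: dict):
    """Sysmon event 13: Run-key value whose command lives under the user profile."""
    if ev.get("EventID") == 13 and "\\currentversion\\run\\" in ev["TargetObject"].lower():
        if ev["Details"].strip('"').lower().startswith("c:\\users\\"):
            return "run_key_user_profile"
    return None


RULES = (rule_jli_sideload, rule_installutil_injection, rule_run_key_user_profile)


def detect(events):
    """Return (computer, rule_name) for every event that trips a rule."""
    alerts = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append((ev["Computer"], name))
    return alerts


def chain_hosts(events, min_stages: int = 2):
    """Hosts on which at least `min_stages` distinct stages of the chain fired."""
    stages = defaultdict(set)
    for computer, name in detect(events):
        stages[computer].add(name)
    return sorted(c for c, s in stages.items() if len(s) >= min_stages)


# Constructed events: WS01 shows the full chain, WS02 is benign Java/OneDrive activity.
EVENTS = [
    {"EventID": 7, "Computer": "WS01",
     "Image": r"C:\Users\alice\Downloads\Petroleum_Shipment_Invoice.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\jli.dll"},
    {"EventID": 7, "Computer": "WS02",
     "Image": r"C:\Program Files\Java\jdk-17\bin\jsadebugd.exe",
     "ImageLoaded": r"C:\Program Files\Java\jdk-17\bin\jli.dll"},
    {"EventID": 8, "Computer": "WS01",
     "SourceImage": r"C:\Users\alice\Downloads\Petroleum_Shipment_Invoice.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"},
    {"EventID": 13, "Computer": "WS01",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck",
     "Details": r"C:\Users\alice\SystemRootDoc\Petroleum_Shipment_Invoice.exe"},
    {"EventID": 13, "Computer": "WS02",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print("alert:", alert)
    print("hosts with chained stages:", chain_hosts(EVENTS))
```

Each rule alone produces occasional noise (developers do run InstallUtil.exe, and Run keys under the user profile are common), so the correlation step raises severity only where two or more distinct stages land on the same host; tune `TRUSTED_PREFIXES` to the real software inventory before deploying anything like this.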
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 01 Jul 2025 18:35:15 +0000