Cascading Shadows: An Attack Chain Approach to Avoid Detection and Complicate Analysis


In December 2024, Palo Alto Unit 42 researchers uncovered an attack chain that employs distinct, multi-layered stages to deliver malware like Agent Tesla variants, Remcos RAT or XLoader.

Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution. The phishing campaign we analyzed used deceptive emails posing as an order release request to deliver a malicious attachment. This multi-layered attack chain leverages multiple execution paths to evade detection and complicate analysis.

Read more…
Source: Palo Alto Unit 42


Sign up for our Newsletter
The latest news and insights delivered right to your inbox.


Related:

  • Lazarus pivots to Linux attacks through Dacls Trojan

    December 17, 2019

    Lazarus, an advanced persistent threat (APT) group, has expanded its reach with the development and use of a Trojan designed to attack Linux systems. The APT, suspected to hail from North Korea, has previously been connected to global cyberattacks and malware outbreaks including the infamous WannaCry rampage, the $80 million Bangladeshi bank heist, and a new campaign impacting financial institutions worldwide. Recent reports ...

  • DDoS Attacks and IoT Exploits: New Activity from Momentum Botnet

    December 16, 2019

    Trend Micro recently found notable malware activity affecting devices running Linux, a platform that has battled numerous issues just this year. Further analysis of retrieved malware samples revealed that these actions were connected to a botnet called Momentum (named for the image found in its communication channel). We found new details on the tools and techniques ...

  • Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities

    December 13, 2019

    Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution. Unlike other Mirai variants, this particular variant stands out for the sheer ...

  • Multi-stage downloader Trojan sLoad abuses BITS almost exclusively for malicious activities

    December 12, 2019

    Many of today’s threats evolve to incorporate as many living-off-the-land techniques as possible into the attack chain. The PowerShell-based downloader Trojan known as sLoad, however, puts all its bets on BITS. Background Intelligent Transfer Service (BITS) is a component of the Windows operating system that provides an ability to transfer files in an asynchronous and throttled fashion using ...

  • More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting

    December 12, 2019

    The threat group regularly referred to as APT33 is known to target the oil and aviation industries aggressively. This threat group has been reported on consistently for years, but our recent findings show that the group has been using about a dozen live Command and Control (C&C) servers for extremely narrow targeting. The group puts up multiple layers of obfuscation to ...

  • DeCypherIT – All eggs in one basket

    December 12, 2019

    These days, attackers use cheap and publicly accessible services to help them bypass Anti-Virus protections and gain a foothold in their victims’ systems. We give a behind the scenes look at a service called CypherIt, which is sold publicly as a legitimate service but is used to wrap malwares and hide their malicious content. This evasion technique ...