Metamorfo

Clicking through loads a spoofed website with the Microsoft logo designed to persuade the victim into opening it on a Windows device. It triggers a download of the Casbaneiro (aka Metamorfo) banking trojan.

At their simplest, job termination scams are a type of phishing attack designed to trick you into handing over your personal and financial information, or on clicking on a malicious link which could trigger a malware download.

The content repeatedly describes threat actors and malware being delivered through phishing or spearphishing emails containing malicious attachments such as Microsoft Office documents, PDFs, RAR/ZIP archives, CHM, ISO, IMG, HTA, LNK, and executable files disguised as documents.

The end goal is to persuade you to click on a malicious link or open an attachment, perhaps by claiming that it includes details of severance payments and termination dates.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

AppleSeed has the ability to use JavaScript to execute PowerShell. APT32 has used JavaScript for drive-by downloads and C2 communications. Astaroth uses JavaScript to perform its core functionalities.

DarkHydrus has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded... TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives.

Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder. | Multiple entries describe creating .lnk shortcuts in Startup folders, such as BACKSPACE creating a shortcut to itself in the CSIDL_STARTUP directory and DarkGate creating an LNK object in the victim startup folder.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder. | Multiple entries describe creating .lnk shortcuts in Startup folders, such as BACKSPACE creating a shortcut to itself in the CSIDL_STARTUP directory and DarkGate creating an LNK object in the victim startup folder.

The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.

Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'

An email impersonating the UK’s Courts & Tribunals Service... Clicking through loads a spoofed website with the Microsoft logo designed to persuade the victim into opening it on a Windows device.

Bad Rabbit has masqueraded as a Flash Player installer through the executable file install_flash_player.exe.

APT5 has used the THINBLOOD utility to clear SSL VPN log files located at /home/runtime/logs.

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

CSPY Downloader has the ability to remove values it writes to the Registry.

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks. Bisonal can check to determine if the compromised system is running on VMware. Bumblebee has the ability to perform anti-virtualization checks. CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution. RTM can detect if it is running within a sandbox or other virtualized analysis environment. Saint Bear contains several anti-analysis and anti-virtualization checks.

Agent Tesla has used ProcessWindowStyle.Hidden to hide windows. APT19 used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. APT28 has used the WindowStyle parameter to conceal PowerShell windows.

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks. Bisonal can check to determine if the compromised system is running on VMware. Bumblebee has the ability to perform anti-virtualization checks. CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution. RTM can detect if it is running within a sandbox or other virtualized analysis environment. Saint Bear contains several anti-analysis and anti-virtualization checks.

AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration... Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine... RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.

Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing.

Agrius used a custom tool, sql.net4.exe, to query SQL databases and then identify and extract personally identifiable information... AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration... Ember Bear engages in mass collection from compromised systems during intrusions.

A significant amount of observed campaigns focus on stealing credentials for banking or other financial accounts, including use of banking trojans such as METAMORFO aka "Horabot," BBtok, and JanelaRAT.

The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."

The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.

ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.

The content repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.