Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
14 distinct techniques documented for this family, organized by ATT&CK tactic.
The script also builds command names dynamically, including `msiexec.exe`, `powershell.exe`, `certutil.exe`, and `Shell.Application`. This gives it several ways to continue if one download method fails.
Alert on UAC policy changes where `ConsentPromptBehaviorAdmin` is set to `0`. In this chain, the fake PNG/VBS stage changes local UAC behavior before the final agent installation.
MANC service is created for persistence. By creating a Windows service, the payload can start automatically and continue running after reboot.
The VBS chain copies `curl.exe` and `bitsadmin.exe` into DLL-looking filenames such as `winhttp.dll` and `wininet.dll`... The ClientSetup branch runs a fake `svchost.exe` from the `msres` directory.
Stronger behavioral signals include IP-addressed filenames, hidden directories under system folders, svchost.exe running from non-standard paths, and outbound traffic on ports 6671, 6681, and 6683.
The downloader then reaches out to three hard-coded cloud-hosted objects... At this point, the chain has moved from a web-looking `.php` URL to a local staging directory and then into S3-hosted follow-on components.
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.