Security researchers have identified a new malware campaign that uses advanced hiding techniques and multi-stage payloads to avoid detection. Instead of launching a direct attack, the malware spreads in stages, making it harder for traditional security tools to detect and block it. This approach is known as a multi-stage malware attack.
The attack starts with a targeted phishing email sent to specific organizations, particularly government-related entities. The email is designed to look legitimate, pretending to come from an internal consultant and referencing a real-looking project to gain trust.
To make the message more convincing, it is marked as urgent and includes a request for a read receipt. This increases the chances that the recipient will open the attachments without suspicion.
This multi-stage malware attack poses a serious threat to organizations, because its layered structure complicates both detection and remediation.
The email contains two files whose names are slightly misspelled, so that they look like hastily prepared internal documents:
- A Word file pretending to be a report
- A PDF file that looks like an official document
These small tricks are used to make the attack look normal and believable.
How the Multi-Stage Attack Works
The infection process is carefully designed and happens in multiple steps. This layered approach helps the malware stay hidden during each stage.
When the Word file is opened, it asks the user to enable macros. If the user allows it, hidden code runs in the background and downloads a malicious file from an external server. This technique helps bypass basic security checks.
At the same time, the PDF file acts as another attack path. It shows a fake error message asking the user to update their PDF reader. If the user clicks the prompt, it downloads another malicious file disguised as a legitimate application.
Once installed, the malware:
- Connects to remote servers using trusted services
- Uses tools like developer tunnels to maintain access
- Sends stolen data through platforms like Discord
- Executes commands on the infected system
By using legitimate platforms, the malware blends in with normal network traffic, making it difficult to detect.
Evasion Techniques and Why It’s Dangerous
This malware uses several techniques to avoid being detected by security systems. It checks for analysis environments, hides its code, and uses trusted services to carry out its activities.
Some of its key evasion methods include:
- Hiding malicious code inside compiled scripts
- Using trusted cloud services for communication
- Disguising files with familiar names and branding
- Delivering payloads in stages instead of all at once
Because of these methods, the malware can remain active for a long time without being noticed. It can steal data, monitor systems, and give attackers remote access.
This attack shows a growing trend where cybercriminals rely on trusted platforms and multi-step infections to bypass traditional defenses. Organizations should focus on monitoring behavior, restricting macros, and educating users to recognize suspicious emails.
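The behaviours described above (a document reader launching a script host or a freshly dropped executable, and that executable then talking to developer tunnels or Discord) are exactly what the article's closing advice to "monitor behavior" means in practice. The following Python script is an added illustration, not code from the original article or from the campaign's analysis: it runs three behavioural rules over a handful of constructed endpoint events of the kind an EDR or Sysmon pipeline would emit. The process names, path fragments, domain patterns and expected-client allowlists are assumptions that a real deployment would tune to its own telemetry.

```python
"""Behaviour-based triage for the multi-stage infection chain described above.

Added example, not code from the original article.  Every process name,
path fragment, domain pattern and allowlist below is an assumption standing
in for what your own EDR or Sysmon telemetry would show; tune accordingly.
"""
import re

# Document readers that should not normally launch script hosts (assumed list).
DOCUMENT_READERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "acrobat.exe"}

# Script hosts and living-off-the-land binaries commonly started by macro droppers (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Path fragments marking user-writable staging locations where dropped payloads land (simplified).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "\\public\\")

# Trusted services the article says are abused for access and exfiltration, each mapped to the
# processes you would expect to contact them.  Domain patterns and allowlists are assumptions.
TRUSTED_SERVICES = {
    "discord": (re.compile(r"(^|\.)discord(app)?\.com$", re.I),
                {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}),
    "dev_tunnel": (re.compile(r"(^|\.)devtunnels\.ms$", re.I),
                   {"code.exe", "devtunnel.exe"}),
}


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def document_reader_spawn(ev):
    """Rules 1 and 2: a document reader launches a script host (macro or fake-update
    prompt) or an executable sitting in a user-writable directory (dropped payload)."""
    if ev["type"] != "process" or _basename(ev["parent"]) not in DOCUMENT_READERS:
        return None
    image = _basename(ev["image"])
    if image in SCRIPT_HOSTS:
        return "document_reader_spawns_script_host"
    if any(frag in ev["image"].lower() for frag in USER_WRITABLE):
        return "document_reader_spawns_dropped_executable"
    return None


def unexpected_trusted_service(ev):
    """Rule 3: a process that is not a known client of a trusted service contacts it.
    Blocking the domain is rarely an option; pairing it with the process is the signal."""
    if ev["type"] != "network":
        return None
    image = _basename(ev["image"])
    for name, (pattern, expected_clients) in TRUSTED_SERVICES.items():
        if pattern.search(ev["dest"]) and image not in expected_clients:
            return f"unexpected_process_to_{name}"
    return None


RULES = (document_reader_spawn, unexpected_trusted_service)


def triage(events):
    """Run every rule over every event; return the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"rule": hit, "image": _basename(ev["image"]), "event": ev})
    return findings


# Constructed sample telemetry mirroring the chain in the article (not real IoCs).
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
READER = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe"
DROPPED = "C:\\Users\\alice\\AppData\\Local\\Temp\\ReaderUpdate.exe"  # assumed disguised payload name
SAMPLE_EVENTS = [
    {"type": "process", "parent": "C:\\Windows\\explorer.exe", "image": WORD},            # benign
    {"type": "process", "parent": WORD,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},          # macro stage
    {"type": "process", "parent": READER, "image": DROPPED},                              # fake-update stage
    {"type": "network", "image": DROPPED, "dest": "abc123-8080.devtunnels.ms"},           # tunnel for access
    {"type": "network", "image": DROPPED, "dest": "discord.com"},                         # exfiltration channel
    {"type": "network", "image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "dest": "discord.com"},                                                              # expected client
    {"type": "network", "image": DROPPED, "dest": "www.example.com"},                     # unmonitored domain
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['rule']:<45} {f['image']}")
```

Run as a script it prints four findings: the Word-to-PowerShell spawn, the Reader-to-dropped-executable spawn, and the two outbound connections from the dropped executable. The Edge connection to Discord and the connection to an unmonitored domain produce nothing, which is the point of pairing the destination with the originating process: the domains themselves are legitimate and usually cannot be blocked outright.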