mshta
-
APT36 uses weaponized LNK files to target Indian government entities
A multi-stage fileless campaign attributed to APT36 used oversized .lnk shortcuts embedding PDFs to deliver HTA loaders and in-memory .NET DLLs targeting Indian government systems. The malware adapts persistence to installed antivirus and uses encrypted C2.
-
GitHub repositories used to deliver new PyStoreRAT JavaScript RAT
Researchers say GitHub-hosted Python repositories have been used to deliver a JavaScript-based RAT called PyStoreRAT that executes remote HTA payloads, deploys a Rhadamanthys stealer and includes persistence and evasion measures; Chinese vendor QiAnXin also reported a separate SetcodeRat campaign.
-
Researchers: ClickFix variants use fake Windows Update page and steganography to deliver infostealers
Researchers warn that ClickFix attack variants are using a full‑screen fake Windows Update page and steganography in PNG images to hide and deliver infostealer malware, with campaigns employing mshta, PowerShell, a .NET Stego Loader and in‑memory execution techniques.
