Rundll32.exe – D E C E I V E R . I O

Deceive, Detect, Engage

DONOT Hunt Me

A threat actor is utilizing spearphishing emails with malicious attachments to gain initial access, establish persistence via scheduled tasks, and exfiltrate data over HTTP.

DONOT APT Attack

The attacker sends a spearphishing email containing a malicious Office document that exploits the vulnerability CVE-2017-11882.
Upon opening the document, the exploit triggers, allowing the attacker to execute a command that launches the next stage of the attack.
A scheduled task named “Schedule” is created to execute a malicious DLL file via rundll32.exe every 5 minutes, ensuring persistence.
The scheduled task establishes communication with the attacker’s command-and-control (C2) server using the HTTP protocol.
The attacker sends commands and exfiltrates data over the established C2 channel.

Volt Typhoon against energy etc.

Attackers may be using Mshta.exe or Rundll32.exe to execute malicious code.

Tag: Rundll32.exe

DONOT Hunt Me

DONOT APT Attack

Volt Typhoon against energy etc.

ORION Detlab: Forging Resilient Detections in the HEFAISTOS Ecosystem

The Maieutic Engine: Birth of a New Detection Engineering Paradigm

The Forge, The Guide, and The Hunter: Unifying Detection Engineering with the Mythological Triad of HEFAISTOS, KEDALION, and ORION

Dendrite: Bridging the Synaptic Gap Between External Intelligence and Internal Defense