T1059.007 – D E C E I V E R . I O

Deceive, Detect, Engage

Unveiling RevC2 and Venom Loader

Initial Access: The attack likely begins with a phishing email containing a malicious LNK file (VenomLNK).
Execution: The LNK file executes an obfuscated batch script, which downloads and executes various payloads, including RevC2 and Venom Loader. Venom Loader utilizes DLL side-loading and JavaScript for execution.
Persistence: Venom Loader establishes persistence by adding a PowerShell script to the autorun registry key.
Command and Control: RevC2 uses WebSockets (ws://208.85.17[.]52:8082) for C2 communication, while More_eggs lite uses HTTP POST requests (/api/infos).
Defense Evasion: Both RevC2 and Venom Loader employ obfuscation to hinder analysis. Venom Loader also uses DLL side-loading.
Collection: RevC2 steals cookies, passwords, and takes screenshots.
Exfiltration: Stolen data is exfiltrated over the C2 channel.

Lazarus Lure in Yacht club

The Lazarus group is conducting a spearphishing campaign targeting individuals involved in the maritime industry, particularly yacht and luxury vessel sales, using malicious attachments to deliver malware.

Tag: T1059.007

Unveiling RevC2 and Venom Loader

Lazarus Lure in Yacht club

ORION Detlab: Forging Resilient Detections in the HEFAISTOS Ecosystem

The Maieutic Engine: Birth of a New Detection Engineering Paradigm

The Forge, The Guide, and The Hunter: Unifying Detection Engineering with the Mythological Triad of HEFAISTOS, KEDALION, and ORION

Dendrite: Bridging the Synaptic Gap Between External Intelligence and Internal Defense