CHAMELEON_NET Spreads FormBook via DarkTortilla

    Date: 11/10/2025

    Severity: High

    Summary

    CHAMELEON_NET is a targeted malspam campaign that delivers the DarkTortilla .NET loader in order to distribute FormBook. Infection starts with a phishing email carrying a .bz2 archive that drops an obfuscated JavaScript file. The JS launches a VB.NET loader that decrypts an embedded DLL with an index-based XOR and loads it reflectively in memory. FormBook then disables defenses, establishes persistence (registry/startup entries), and gives the attackers full remote access to the host.

    Indicators of Compromise (IOC) List

    URLs/Domains

    duckdns.org

    IP Address

    51.79.62.89

    Hashes (SHA-256; the same set is used in Detection Query 3 below)


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "duckdns.org" or siteurl like "duckdns.org" or url like "duckdns.org"

    Detection Query 2:

    dstipaddress IN ("51.79.62.89") or srcipaddress IN ("51.79.62.89")

    Detection Query 3:

    sha256hash IN ("eba24c92b51d8fb24697952135a7d7bdf4a7511ab94be850fda1fc512675f6ad","8bcfc6dd444f3f577f026d465d826194db45cd205b24f77b9080debba96e3b7b","d4c097412ab05630e6cb97b544dc7c0a0e238a4bdf5c79da679c7545face2dad","56d627adc6e6e8967ade649f707134a501cfea5ec66322514536ee8ace3053fb","4ebef5d23ce0fe6c2940ba7a2f6bfc512b1ec5f01458284d2ce0e71ee8787b81","aab2b9cd5a946739bbb41ae2234adaf34ba9761445315c2b5ba270a7b931a2e2","67c00ede3964cb78c64575b65b301f808958311b99779b71597f6282b1a4e9f2","7c9128d197301fcd89d6fd1b0077d2a35f2a98c6219386900d7e8c89e4799a86","a428d2602ad3bad2d590ed68b17a308cff8ab7ff61da2a51acb83fd202b5358d")
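    The three queries above, as an added Python example (not Gurucul's or Securonix's code) that applies the same matching rules to log records; field names follow the query text, and the sample records are constructed for illustration:

```python
# Added example (not Gurucul's code): the three detection queries above applied
# to log records. Field names follow the query text; sample records are constructed.
from typing import Iterable

IOC_DOMAIN = "duckdns.org"
IOC_IPS = {"51.79.62.89"}
IOC_SHA256 = {
    "eba24c92b51d8fb24697952135a7d7bdf4a7511ab94be850fda1fc512675f6ad",
    "67c00ede3964cb78c64575b65b301f808958311b99779b71597f6282b1a4e9f2",
    "4ebef5d23ce0fe6c2940ba7a2f6bfc512b1ec5f01458284d2ce0e71ee8787b81",
    "d4c097412ab05630e6cb97b544dc7c0a0e238a4bdf5c79da679c7545face2dad",
    "aab2b9cd5a946739bbb41ae2234adaf34ba9761445315c2b5ba270a7b931a2e2",
    "56d627adc6e6e8967ade649f707134a501cfea5ec66322514536ee8ace3053fb",
    "7c9128d197301fcd89d6fd1b0077d2a35f2a98c6219386900d7e8c89e4799a86",
    "a428d2602ad3bad2d590ed68b17a308cff8ab7ff61da2a51acb83fd202b5358d",
    "8bcfc6dd444f3f577f026d465d826194db45cd205b24f77b9080debba96e3b7b",
}

def match_query1(rec: dict) -> bool:
    # 'like "duckdns.org"' is a substring test, so any duckdns.org subdomain hits.
    return any(IOC_DOMAIN in str(rec.get(f, "")).lower()
               for f in ("domainname", "siteurl", "url"))

def match_query2(rec: dict) -> bool:
    # IN (...) is an exact match on either end of the connection.
    return any(rec.get(f) in IOC_IPS for f in ("dstipaddress", "srcipaddress"))

def match_query3(rec: dict) -> bool:
    # Hashes are lower-cased first: EDR and sandbox tools disagree on hex case.
    return str(rec.get("sha256hash", "")).lower() in IOC_SHA256

def scan(records: Iterable[dict]) -> list[tuple[int, int]]:
    """Return (record index, query number) for every record/query pair that hits."""
    checks = ((1, match_query1), (2, match_query2), (3, match_query3))
    return [(i, n) for i, rec in enumerate(records) for n, fn in checks if fn(rec)]

# Constructed sample records, not real telemetry.
SAMPLE_LOGS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "51.79.62.89"},
    {"domainname": "update.duckdns.org", "siteurl": ""},
    {"sha256hash": "EBA24C92B51D8FB24697952135A7D7BDF4A7511AB94BE850FDA1FC512675F6AD"},
    {"domainname": "example.com", "srcipaddress": "10.0.0.7", "dstipaddress": "203.0.113.10"},
]

if __name__ == "__main__":
    for i, n in scan(SAMPLE_LOGS):
        print(f"record {i}: matched Detection Query {n}")
```

    Note that the substring semantics of Query 1 will also flag any legitimate use of duckdns.org subdomains, so hits on that query alone warrant triage rather than automatic blocking.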

    Reference:

    https://www.securonix.com/blog/chameleonnet-a-deep-dive-into-multi-stage-net-malware-leveraging-reflective-loading-and-custom-decryption-for-stealthy-operations/


    Tags

    Malware, CHAMELEON_NET, DarkTortilla, FormBook, Phishing, DLL
