Stealth in Layers: Unmasking the Loader used in Targeted Email Campaigns

    Date: 12/25/2025

    Severity: Medium

    Summary

    Our labs are tracking a sophisticated commodity loader used by multiple advanced threat actors. The campaign shows strong regional and sector focus, targeting Manufacturing and Government entities. Affected regions include Italy, Finland, and Saudi Arabia. Attackers use multiple infection vectors, such as weaponized Office files, malicious SVGs, and ZIPs with LNK shortcuts. All delivery methods converge on a single, unified loader enhanced with steganography and trojanized open-source libraries. Disguised as Purchase Order emails, the campaign deploys RATs and infostealers through a four-stage evasion framework.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    http://192.3.101.161/zeus/ConvertedFile.txt

    https://pixeldrain.com/api/file/7B3Gowyz

    http://dn710107.ca.archive.org/0/items/msi-pro-with-b-64_20251208_1511/MSI_PRO_with_b64.png

    https://ia801706.us.archive.org/25/items/msi-pro-with-b-64_20251208/MSI_PRO_with_b64.png

    IP Address:

    38.49.210.241

    Hash (SHA-256):

    5c0e3209559f83788275b73ac3bcc61867ece6922afabe3ac672240c1c46b1d3

    c1322b21eb3f300a7ab0f435d6bcf6941fd0fbd58b02f7af797af464c920040a

    3dfa22389fe1a2e4628c2951f1756005a0b9effdab8de3b0f6bb36b764e2b84a

    bb05f1ef4c86620c6b7e8b3596398b3b2789d8e3b48138e12a59b362549b799d

    0f1fdbc5adb37f1de0a586e9672a28a5d77f3ca4eff8e3dcf6392c5e4611f914

    917e5c0a8c95685dc88148d2e3262af6c00b96260e5d43fe158319de5f7c313e

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "http://192.3.101.161/zeus/ConvertedFile.txt" or url like "http://192.3.101.161/zeus/ConvertedFile.txt" or siteurl like "http://192.3.101.161/zeus/ConvertedFile.txt" or domainname like "https://pixeldrain.com/api/file/7B3Gowyz" or url like "https://pixeldrain.com/api/file/7B3Gowyz" or siteurl like "https://pixeldrain.com/api/file/7B3Gowyz" or domainname like "http://dn710107.ca.archive.org/0/items/msi-pro-with-b-64_20251208_1511/MSI_PRO_with_b64.png" or url like "http://dn710107.ca.archive.org/0/items/msi-pro-with-b-64_20251208_1511/MSI_PRO_with_b64.png" or siteurl like "http://dn710107.ca.archive.org/0/items/msi-pro-with-b-64_20251208_1511/MSI_PRO_with_b64.png" or domainname like "https://ia801706.us.archive.org/25/items/msi-pro-with-b-64_20251208/MSI_PRO_with_b64.png" or url like "https://ia801706.us.archive.org/25/items/msi-pro-with-b-64_20251208/MSI_PRO_with_b64.png" or siteurl like "https://ia801706.us.archive.org/25/items/msi-pro-with-b-64_20251208/MSI_PRO_with_b64.png"

    Detection Query 2:

    dstipaddress IN ("38.49.210.241") or srcipaddress IN ("38.49.210.241") or ipaddress IN ("38.49.210.241")

    Detection Query 3:

    sha256hash IN ("5c0e3209559f83788275b73ac3bcc61867ece6922afabe3ac672240c1c46b1d3","c1322b21eb3f300a7ab0f435d6bcf6941fd0fbd58b02f7af797af464c920040a","3dfa22389fe1a2e4628c2951f1756005a0b9effdab8de3b0f6bb36b764e2b84a","bb05f1ef4c86620c6b7e8b3596398b3b2789d8e3b48138e12a59b362549b799d","0f1fdbc5adb37f1de0a586e9672a28a5d77f3ca4eff8e3dcf6392c5e4611f914","917e5c0a8c95685dc88148d2e3262af6c00b96260e5d43fe158319de5f7c313e")
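    The three detection queries above each match one family of IOC fields (URL fields, IP-address fields, SHA-256 fields). The script below is an added example, not Cyble's or Gurucul's code, that applies the same three checks to log events outside the TDIR platform; it uses only the IOC values and field names listed in this advisory, normalises case and surrounding whitespace before comparing (so a hash logged in upper case or a URL with a trailing space still matches), and reports every rule an event hits. The log events are constructed for the example.

```python
"""Match log events against the IOCs listed in this advisory.

Added example (not Cyble's or Gurucul's code). The three matcher
functions mirror Detection Queries 1-3. The events in SAMPLE_EVENTS
are constructed for this example.
"""
from typing import Dict, Iterable, List

# IOC values copied from the advisory.
IOC_URLS = {
    "http://192.3.101.161/zeus/ConvertedFile.txt",
    "https://pixeldrain.com/api/file/7B3Gowyz",
    "http://dn710107.ca.archive.org/0/items/msi-pro-with-b-64_20251208_1511/MSI_PRO_with_b64.png",
    "https://ia801706.us.archive.org/25/items/msi-pro-with-b-64_20251208/MSI_PRO_with_b64.png",
}
IOC_IPS = {"38.49.210.241"}
IOC_SHA256 = {
    "5c0e3209559f83788275b73ac3bcc61867ece6922afabe3ac672240c1c46b1d3",
    "c1322b21eb3f300a7ab0f435d6bcf6941fd0fbd58b02f7af797af464c920040a",
    "3dfa22389fe1a2e4628c2951f1756005a0b9effdab8de3b0f6bb36b764e2b84a",
    "bb05f1ef4c86620c6b7e8b3596398b3b2789d8e3b48138e12a59b362549b799d",
    "0f1fdbc5adb37f1de0a586e9672a28a5d77f3ca4eff8e3dcf6392c5e4611f914",
    "917e5c0a8c95685dc88148d2e3262af6c00b96260e5d43fe158319de5f7c313e",
}

# Field names taken from the three detection queries.
URL_FIELDS = ("domainname", "url", "siteurl")
IP_FIELDS = ("dstipaddress", "srcipaddress", "ipaddress")
HASH_FIELDS = ("sha256hash",)


def _norm(value: str) -> str:
    """Lower-case and strip whitespace so logging differences don't hide a hit."""
    return value.strip().lower()


# Pre-normalised IOC sets so each event comparison is a set lookup.
_URLS = {_norm(u) for u in IOC_URLS}
_IPS = {_norm(i) for i in IOC_IPS}
_HASHES = {_norm(h) for h in IOC_SHA256}


def _any_field_in(event: Dict[str, str], fields: Iterable[str], iocs: set) -> bool:
    """True if any of the named fields, after normalisation, is in the IOC set."""
    return any(
        isinstance(event.get(f), str) and _norm(event[f]) in iocs for f in fields
    )


def match_url(event: Dict[str, str]) -> bool:
    """Detection Query 1: domainname / url / siteurl equals a listed URL."""
    return _any_field_in(event, URL_FIELDS, _URLS)


def match_ip(event: Dict[str, str]) -> bool:
    """Detection Query 2: any IP field equals the listed address."""
    return _any_field_in(event, IP_FIELDS, _IPS)


def match_hash(event: Dict[str, str]) -> bool:
    """Detection Query 3: sha256hash equals a listed file hash."""
    return _any_field_in(event, HASH_FIELDS, _HASHES)


RULES = (("ioc_url", match_url), ("ioc_ip", match_ip), ("ioc_sha256", match_hash))


def scan_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one hit record per event that matches at least one rule."""
    hits = []
    for event in events:
        matched = sorted(name for name, fn in RULES if fn(event))
        if matched:
            hits.append({"id": event["id"], "matched": matched})
    return hits


# Constructed sample events; field names follow the TDIR queries.
SAMPLE_EVENTS = [
    {"id": 1, "url": "https://pixeldrain.com/api/file/7B3Gowyz", "dstipaddress": "10.0.0.5"},
    {"id": 2, "srcipaddress": "38.49.210.241"},
    # Hash logged in upper case; must still match.
    {"id": 3, "sha256hash": "5C0E3209559F83788275B73AC3BCC61867ECE6922AFABE3AC672240C1C46B1D3"},
    {"id": 4, "url": "https://example.com/", "sha256hash": "0" * 64},
    # Trailing space on the URL plus the C2 address in the same record.
    {"id": 5, "siteurl": "http://192.3.101.161/zeus/ConvertedFile.txt ", "dstipaddress": "38.49.210.241"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

    Because the TDIR queries use `like` against full URLs with no wildcard, they behave as exact matches; the example keeps that semantics and only adds case and whitespace normalisation, so it will not flag a URL that merely shares a host with an IOC.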

    Reference: 

    https://cyble.com/blog/stealth-in-layers-unmasking-loader-in-targeted-email-campaigns/


    Tags

    Malware, Finland, Italy, Saudi Arabia, Government Services and Facilities, Critical Manufacturing, Trojan, Infostealers, RAT

