Saturday, May 31, 2025
HomeMalwareMalware-as-a-service - Adwind Malware Attack Utilities Industry Via Weaponized PDF File

Malware-as-a-service – Adwind Malware Attack Utilities Industry Via Weaponized PDF File

Published on

SIEM as a Service

Follow Us on Google News

Researchers discovered a new wave of a phishing campaign that bypassing the Microsoft APT protection and delivery the Adwind malware via weaponized PDF file to attack utilities Industry network.

Adwind, a.k.a Unrecom, Sockrat, JSocket, and jRat is a cross-platform RAT that distributed via malware-as-a-service in underground markets where users can purchase and utilize to target victims.

Between 2013 to 2018, Adwind malware roughly affected more than half a million users around the globe, and deployed in various industries such as Manufacturing, Finance, Engineering, Government, Telecom, Software and more.

- Advertisement - Google News

In some of the previous attack, Adwind utilizing the DDE code injection to infection the cross platforms and it was equipped with spyware capabilities to steal data from victims and reporting back to the malware authors via command & control server.

Previous version Adwind Widely spreading via A360 Cloud Drive Platform Abuse for Delivering Remote Access Trojans and used as a Malware Distributing Platform by using a File-sharing site to host Malware.

Another scenario Cross-platform Remote Access Trojan “Adwind” Steal Credentials, Record and Harvest keystrokes the Aerospace Industries Data.

Adwind Malware infection Process

Initial Stage of infection starts by distributing a phishing campaign with an attached malicious PDF file that is capable of bypassing the Microsoft APT protection.

Attackers utilizing the hijacked accounts to delivery the phishing emails and also an attacker abusing the domain to host the malware.

Email body posed as a legal document and asked users to sign and return, is the was attacker trick users to click on the attached PDF file and open it.

Phishing Email (Credit: Cofense)

According to Cofense report, “At the top of the email is an embedded image which is meant to look like a PDF file attachment, however, is in fact a jpg file with an embedded hyperlink. When victims click on the attachment, they are brought to the infection URL hxxps://fletcherspecs[.]co[.]uk/ where the initial payload is downloaded.”

Initial payload named as “Scan050819.pdf_obf.jar.” here, attackers using obfuscation technique to make this file looks like a legitimate PDF and its create a two different .class file.

Malware author utilising the takskill.exe to disable popular analysis tools and antivirus software to evade the detection.

Adwind is developed with so many interesting features including,

  • Takes screenshots
  • Harvests credentials from Chrome, IE and Edge
  • Accesses the webcam, record video and take photos
  • Records audio from the microphone
  • Transfers files
  • Collects general system and user information
  • Steals VPN certificates
  • Serves as a Key Logger

In the end, Adwind store all the harvested data in the specific location of the system “C:\Users\Byte\AppData\Local\Temp\.” and share it to the attacker by establish a connection with Command & control server.

Sponsored:  – Manage all the Endpoint networks from a single Console.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra...

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages...

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated...

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Use AI-Generated Videos on TikTok to Spread Info-Stealing Malware

TrendMicro has uncovered a sophisticated campaign where threat actors are exploiting TikTok to distribute...

Novel Malware Evades Detection by Skipping PE Header in Windows

Researchers have identified a sophisticated new strain of malware that bypasses traditional detection mechanisms...

New Rust-Based InfoStealer Uses Fake CAPTCHA to Deliver EDDIESTEALER

A newly discovered Rust-based infostealer, dubbed EDDIESTEALER, has been uncovered by Elastic Security Labs,...