Monday, May 5, 2025
HomeCyber AttackHackers Weaponizing MSC Files In Targeted Attack Campaign

Hackers Weaponizing MSC Files In Targeted Attack Campaign

Published on

SIEM as a Service

Follow Us on Google News

Hackers utilize MSC or Microsoft Management Console files in themed attack campaigns as these files contain commands and scripts that enable them to perform different administrative tasks on the target system. 

By mimicking legitimate files, MSC files can evade various security properties and access overview and control of the vulnerable system with privileges, consequently resulting in unauthorized access to its data and other malicious deeds.

Cybersecurity researchers at NTT recently identified that hackers are weaponizing the MSC files in targeted attack campaigns.

- Advertisement - Google News

Hackers Weaponizing MSC Files

In late May 2024, DarkPeony took over the MSC file exploitation already reported on by Kimsuky through Operation Control Plug.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

These attacks could have been against military and government organizations in Myanmar, the Philippines, Mongolia as well as Serbia.

By taking advantage of the fact that MSC file abuse is not easily detected and is obscurely carried out, the attackers devised several stages for infection, in which deserves to be looked at

Attack flow (Source – NTT)

Operation Control Plug initiates its attack chain through malicious MSC files that, when opened, display a screen prompting users to click a link executing a PowerShell script. 

This script fetches and runs an MSI package containing a legitimate executable capable of DLL side-loading.

The side-loaded DLL decodes and loads a malicious DAT payload, ultimately deploying the PlugX malware. 

Threat actors abuse the innocuous-looking MSC (Microsoft Common Console Document) format by leveraging its “Console Taskpad” feature to camouflage malicious PowerShell commands as seemingly harmless links, tricking users into enabling the infection sequence.

Websites distributing MSI files with Operation Control Plug may use Cloudflare to control access, presumably to block researchers and analysis engines from accessing the MSI files while distributing them to targeted organizations. 

This article introduced DarkPeony’s Operation Control Plug, which uses MSC files as the starting point of attacks and infects computers with PlugX to carry out intrusions. 

Although there are few attacks using MSC files, they are used by multiple targeted attack groups and may become more active in the future.

Researchers recommend that you verify whether your organization can detect attacks.

IoCs

MSC File

  • 1cbf860e99dcd2594a9de3c616ee86c894d85145bc42e55f4fed3a31ef7c2292
  • 54549745868b27f5e533a99b3c10f29bc5504d01bd0792568f2ad1569625b1fd
  • f0aa5a27ea01362dce9ced3685961d599e1c9203eef171b76c855a3db41f1ec6
  • 8c9e1f17e82369d857e5bf3c41f0609b1e75fd5a4080634bc8ae7291ebe2186c
  • e81982e40ee5aaed85817343464d621179a311855ca7bcc514d70f47ed5a2c67

MSI File Download Site

  • versaillesinfo[.]com
  • lifeyomi[.]com
  • profilepimpz[.]com
  • lebohdc[.]com

PlugX C2 Server

  • shreyaninfotech[.]com
  • buyinginfo[.]org
  • gulfesolutions[.]com

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems...

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21...

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its...

RomCom RAT Targets UK Organizations Through Compromised Customer Feedback Portals

The Russian-based threat group RomCom, also known as Storm-0978, Tropical Scorpius, and Void Rabisu,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems...

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21...

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its...