Sunday, April 20, 2025
HomeExploitHackers Launching Powerful Malware ExileRAT Via Weaponized Microsoft PowerPoint Document

Hackers Launching Powerful Malware ExileRAT Via Weaponized Microsoft PowerPoint Document

Published on

SIEM as a Service

Follow Us on Google News

Researchers observed a new malicious campaign that delivers a powerful ExileRAT malware via Microsoft powerpoint documents using previously used C2 server infrastructure.

Attackers deliver the malware via Email attachment and the Mail address represented the Central Tibetan Administration (CTA), a Tibetan based government organization.

Nature of this malware campaign seems to spy on civilian populations for political reasons and its most likely not distributing for financial gain.

- Advertisement - Google News

PPSX file format document, a non-editable slideshow derived via MS Powerpoint was used for this attack and it attached with a CTA mailing list

Further analysis revealed that the malware campaign shared the payload and infrastructure that is used by previous malware LuckyCat, an Android- and Windows-based trojans.

Apart from that, discovered C2 server hosting used for multiple campaigns using the same payloads and the PPSX file dropper helps an attacker to execute the various payload into victims system.

Mailing list infrastructure used from Indian based company DearMail,  that provides a cloud enabled web-based email campaign manager.

Attackers abusing the Email Header and modified the standard reply that helps to get a direct reply from victims to the attacker’s email address.

ExileRAT Malware Infection Process

Attackers using Microsoft office based remote code execution vulnerability and its exploit hosted on GitHub which is available for public.

The exploit code resides in the “slide1.xml.rels” file and the researchers analyze file by dynamic analysis on Threat Grid and find that the
PPSX also attempts to contact IP location to perform some geo-location lookups.

Later it initiate the HTTP request to C2 server where it retrieves the JavaScript script that’s responsible for downloading the payload “syshost.exe” and infect the system.

ExileRAT is Remote access Trojan based Malware that is capable of getting information on the system (computer name, username, listing drives, network adapter, process name), getting/pushing files and executing or terminating processes.

According to Cisco Talos Research, Apart from this ExileRAT infection, the researcher identified several other open directories that contained other .exe and .dll files, namely “AcroRd32.exe” and “ccL100U.dll.”.

“The hardcoded C2 server IP in Syshost.exe was also recently home to a specific interesting domain: mondaynews[.]tk. This domain is the C2 domain of an Android RAT created on Jan. 3. This is a newer version of the LuckyCat Android RAT used in 2012 against Tibetan activists” Talos researchers said.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep your self-updated.

Also Read:

Hackers Exploiting Adobe Flash Zero-Day that Launching via a Microsoft Office Document

New AZORult Malware Spreading Via Office Documents Steals to Credentials & Launch Ransomware Attack

Hackers Distributing PowerShell-based Backdoor Via MS Office document That Shares Stolen Data Via C&C Server

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

10 Best Patch Management Tools 2025

In today's digital landscape, maintaining secure and efficient IT systems is critical for organizations....

10 Best Cloud Security Solutions 2025

In today’s digital era, businesses are increasingly adopting cloud computing to store data, run...

Chinese Hackers Exploit Ivanti Connect Secure Flaw to Gain Unauthorized Access

In a sophisticated cyber-espionage operation, a group known as UNC5221, suspected to have China-nexus,...

New Android SuperCard X Malware Uses NFC-Relay Technique for POS & ATM Transactions

A new malware strain known as SuperCard X has emerged, utilizing an innovative Near-Field...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

New Android SuperCard X Malware Uses NFC-Relay Technique for POS & ATM Transactions

A new malware strain known as SuperCard X has emerged, utilizing an innovative Near-Field...

How To Hunt Web And Network-Based Threats From Packet Capture To Payload

Modern cyberattacks increasingly exploit network protocols and web applications to bypass traditional security controls....

KeyPlug Malware Server Leak Exposes Fortinet Firewall and VPN Exploitation Tools

Cybersecurity researchers have stumbled upon a treasure trove of operational tools and scripts linked...