{
	"id": "a2778807-eab4-44df-863c-85b41ed47d34",
	"created_at": "2026-04-06T00:12:30.156516Z",
	"updated_at": "2026-04-10T03:21:09.451001Z",
	"deleted_at": null,
	"sha1_hash": "418d0231ec0921ebdb42da5ef54e43895f274de2",
	"title": "Spear Phishing Campaign with New Techniques Aimed at Aviation Companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2044866,
	"plain_text": "Spear Phishing Campaign with New Techniques Aimed at Aviation\r\nCompanies\r\nBy Gayathri Thirugnanasambandam\r\nPublished: 2021-06-27 · Archived: 2026-04-05 17:27:42 UTC\r\nFortiGuard Labs Threat Research Report\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Windows Users\r\nImpact: Obtain sensitive data from the victim's device and deliver additional malware\r\nSeverity level: Critical\r\nIntroduction to the Spear Phishing Campaign\r\nAs we are all aware, spear phishing attacks are far more successful than untargeted ones and are the most difficult to\r\ndetect. The FortiGuard Labs team has identified yet another spear phishing campaign, this one targeting aviation\r\ncompanies. In this campaign, a malicious link that distributes an AsyncRAT payload is sent to aviation companies\r\nwith a well-crafted message. AsyncRAT, an open-source remote administration tool, is used to steal credentials\r\nand other sensitive data. It also includes the capability to upload and download files on the compromised machine.\r\nThis blog highlights the various stages of this spear phishing campaign and its newly adapted techniques.\r\nSpear Phishing Campaign Overview\r\nThe infection cycle begins with phishing emails sent to aviation companies that contain malicious links disguised\r\nas pdf attachments. The link in the email directs the user to VB Script hosting sites, from which the initial payload\r\n(.vbs) is delivered. The .vbs script then drops the second stage payload, an xml file containing inline C# .NET\r\nassembly code that acts as a RAT loader. The loader hollows and injects the final payload, AsyncRAT, into the\r\nvictim process (RegSvcs.exe). AsyncRAT, also known as RevengeRAT, connects to its C2 server, takes control of\r\nthe compromised machine, and introduces additional payloads. I will now dive into each of these steps in a bit\r\nmore detail. 
\r\nhttps://www.fortinet.com/blog/threat-research/spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies\r\nPage 1 of 14\n\nFigure 1: Infection cycle of the spear phishing campaign\r\nSpear Phishing Email\r\nSpear phishing is a highly targeted attack resulting from extensive research on targeted users and their\r\norganizations conducted by threat actors. The phishing emails observed in this campaign were sent to multiple\r\naviation companies. They all appear to be coming from the federal aviation authority using a spoofed sender\r\naddress that matches a “foreign operators affairs” email address for enquiries/approvals. The email goes\r\nthrough the extra step of having a signature and a logo to impersonate a federal authority. Also, the content is\r\ncarefully crafted to create a sense of urgency by making it look like a Reporting of Safety Incident (ROSI) from\r\nAir Traffic Control. In addition, the email contains malicious Google Drive links disguised as a pdf attachment.\r\nMost of the emails in this campaign contain the strings ROSI, AOP, Incident Report, as well as the attachment\r\nname “ROSI-AOP Incident Report Details, \u003cdate\u003e”.pdf.\r\n(See Mitre ATT\u0026CK technique – Spearphishing Link.)\r\nFigure 2: Spear Phishing Email sent to an aviation company\r\nAs of the time of writing this blog, these emails had not been flagged as phishing or suspicious by any of the\r\nVirusTotal engines.\r\nFigure 3: VT detections for the emails\r\nThe IP address “192.145.239.18” is used to send all the emails in this campaign. This IP address is also associated\r\nwith Snip3 Crypter, an aviation-themed campaign seen in April and May of 2021. 
A three-month review of its\r\ntelemetry reveals a spike in the last few weeks, with the majority of visitors coming from the UAE, Canada,\r\nArgentina, Djibouti, and Fiji.\r\nFigure 4: Statistics for IP v4 address 192.145.239.18\r\nVisual Basic Script (VBS) /Wscript\r\nWhen the user clicks on the link (the fake pdf attachment), the user’s default browser is launched and directed to a VB\r\nScript hosting site. This site delivers the initial payload (.vbs), which, once executed, drops subsequent payloads\r\nand establishes persistence.\r\nThe VB script “ROSI-AOP Incident Report Details,May 31st.vbs” contains the next stage payload, “Good.xml”.\r\nThis payload is encoded using Server.URLEncode() and obfuscated to evade detection. Antonin Foller's VBS\r\ndecode function from PSTRUH Software (http://www.motobit.com) is used to decode the payload. After\r\ndecoding, \"Good.xml\" is written to the victim's Temp directory, where it is launched using MSBuild.exe. If\r\nyou’re not aware of this executable, it is present on all Windows machines with the .NET framework installed. It’s\r\na trusted developer utility used to speed up the process of creating .NET applications. Because it is a trusted\r\nutility, adversaries use the tool in an effort to evade detection. 
(See Mitre ATT\u0026CK technique – Trusted Developer\r\nUtilities Proxy Execution: MSBuild.)\r\nIn the script below, the payload bytes are first substituted for de-obfuscation, then decoded before being written to\r\nthe Temp directory.\r\nFigure 5: Initial Payload VB script with encoded payload bytes\r\nXML\r\nOnce the VB script executes successfully, the Good.xml file, which contains inline C# assembly code, a loader dll,\r\nand the RAT payload, is dropped into the victim's Temp directory. All the files are saved as an ASCII byte array,\r\nand the RAT payload is also reversed to avoid signature-based detection. In this case, the adversary employs\r\nthe method discovered by Casey Smith to compile and execute the inline C# code using the native Windows\r\nbinary (MSBuild.exe).\r\nFigure 6: Good.xml with inline C# code\r\nWhen Good.xml is executed, it first creates a file named \"Startups32.vbs\" in the system startup folder. The .vbs\r\nscript contains code to run the Good.xml file after each system startup to maintain persistence. (See Mitre ATT\u0026CK\r\ntechnique – Persistence.)\r\nFigure 7: Startups32.vbs\r\n.NET RAT Loader\r\nAfter achieving persistence, Good.xml retrieves the .NET RAT loader from the byte array and loads it into the\r\ncurrent application. The .NET RAT loader is contained in the byte array sBytes in the XML, which is loaded using\r\nthe method Thread.GetDomain.Load(sBytes). The method Thread.GetDomain() returns the domain of the current\r\nrunning thread, while Load() dynamically loads the byte array assembly into the current application domain\r\nduring runtime.\r\nThe projFUD.dll, available in VirusTotal, is the RAT loader DLL in use. 
We observed that a few bytes of the file\r\nhave been tweaked to avoid hash-based detection. The description and copyright mention “VLC MEDIA\r\nPLAYER”. However, the file is not signed.\r\nFigure 8: Loader dll tweaked to evade detection\r\nAlthough the namespace and class name “ProjFUD.PA” in the loader is the same as the one reported in the snip3\r\ncampaign, the PDB string retrieved from the loader DLL is different. It is likely to have come from a different\r\nauthor.\r\nFigure 9: PDB string retrieved from snip3 loader dll\r\nFigure 10: PDB string retrieved from this campaign’s loader dll\r\nAfter loading the .NET loader assembly, the function Execute() of the class ProjFUD.PA is called with the\r\narguments payloadBytes (RAT payload) and RegSvcs.exe (the path of the victim process).\r\nThe .NET assembly ProjFUD.dll acts as a RunPE loader as it hollows and injects the final payload, AsyncRAT,\r\ninto the victim process. RegSvcs, a Windows command line utility for registering .NET Component Object Model\r\n(COM) assemblies, is used by the adversary to hide the malicious payload. RegSvcs.exe is digitally signed by\r\nMicrosoft and can be used to help bypass a process-based whitelist. (See Mitre ATT\u0026CK technique – Process\r\nInjection: Process Hollowing.)\r\nCreateProcessA is first called to create the victim process RegSvcs.exe in a suspended state, with flags set to\r\n134217732U (0x08000004) (i.e., CREATE_SUSPENDED and CREATE_NO_WINDOW are set to True.) This\r\nprocess does not run until the thread is resumed. While the process is suspended, ZwUnmapViewOfSection is\r\ncalled to unmap (hollow) the code from the process memory. 
This routine unmaps the entire view of the section\r\ncontaining buffer1 from the virtual address space, and on successful return, the virtual-address region occupied by\r\nthe view is no longer reserved and is available to map other views.\r\nNext, it allocates space for the payload using VirtualAllocEx, with size set to the payload length and page\r\nprotection to PAGE_EXECUTE_READWRITE (0x40). It then injects the payload into the allocated space using\r\nWriteProcessMemory. The thread context is changed to point to the payload by calling SetThreadContext and the\r\nthread is finally resumed via ResumeThread to execute the payload AsyncRAT.\r\nFigure 11: Malware using RegSvcs\r\nAfter successfully injecting and executing the AsyncRAT payload, the loader exits.\r\nAsyncRAT\r\nAsyncRAT then takes command and control of the infected machine via a C2 server. As mentioned in the\r\nintroduction, AsyncRAT is an open-source Remote Access Tool (RAT) designed to remotely monitor and\r\ncontrol other computers through a secure encrypted connection. It performs a variety of malicious tasks, and if\r\nyou want to learn more about it, the GitHub AsyncRAT-C-Sharp link can help.\r\nAsyncRAT uses the following anti-analysis techniques to protect itself from being analyzed. Because Virtual\r\nMachines (VM) and sandboxes are used for the majority of dynamic analysis within the security community,\r\nmany payloads, including this one, will try to evade dynamic analysis. In this case, the RAT retrieves the\r\nmanufacturer via the WMI query “Select * from Win32_ComputerSystem” and looks for the strings \"VMware\"\r\nand \"VirtualBox\". It also checks for disk space because sandboxes and virtual machines typically have limited\r\ndisk space. 
In addition, it loads the module SbieDll to detect “sandboxie”, an open-source sandboxing program for\r\nWindows. Lastly, it checks if the process is being debugged by calling IsDebuggerPresent(). (See Mitre ATT\u0026CK\r\ntechnique – Virtualization/Sandbox Evasion.)\r\nThe payload also includes a security software discovery technique. This technique is used to determine which\r\nsecurity products are present on the compromised machine to shape the follow-on behaviors. Below is the\r\ncommand-line query used to enumerate the installed antivirus products. (See Mitre ATT\u0026CK technique – Defense\r\nEvasion.)\r\nwmic.exe /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName\r\nOnce the information is gathered, it then sends the following information about the infected machine to the C2\r\nRAT server. (See Mitre ATT\u0026CK technique – Exfiltration Over C2 Channel.)\r\nThis RAT hosts resources and additional payloads on Pastebin, an online content hosting service. In the below\r\ncode snippet, the RAT client grabs an IP address from the pastebin website using WebClient.DownloadString()\r\nand connects to it. (See Mitre ATT\u0026CK technique – Acquire Infrastructure: Web Services.)\r\nThe AsyncRAT client requests that the RAT server send additional plugins and payloads, which are then executed\r\nin memory, as shown below. It employs a fileless technique to execute payloads in memory, reducing its footprint\r\nand avoiding traditional defenses that scan the disk for malicious files.\r\nTo maintain its foothold, it installs a scheduled task if the payload is running as an administrator. 
The reason it\r\nchecks for admin rights is that a task created with elevated privileges does not prompt the user to allow execution.\r\nIf the payload isn’t running as an administrator, it will add an entry to the Registry Run keys, causing the program\r\nto run every time the user logs in. (See Mitre ATT\u0026CK technique – Persistence.)\r\nKeylogging is the most prevalent type of input capture, and it’s used to steal credentials. This is done by\r\nintercepting the user’s keystrokes using Hooking API callbacks. This technique works by hooking into the\r\nWindows native API functions intended for processing keystroke data, and the callback function is invoked every\r\ntime the user types something. (See Mitre ATT\u0026CK technique – Input Capture: Keylogging.)\r\nC2 Server\r\nAfter successfully compromising the victim’s machine, the AsyncRAT payload connects to the RAT C2 server\r\nlocated at “franco.ddns.net” on port 2455 (79.134.225.18:2455). Since 2019, IP 79.134.225.18 has been linked to\r\nAsyncRAT / RevengeRAT, NanoCore, and BotNet attacks. It is associated with the ISP provider “The\r\nPRIVACYFIRST Project”, which runs multiple VPN services and supports the TOR project.\r\nThe C2 domain “franco.ddns.net” used in this campaign is just a few weeks old, hence the associated spike.\r\nFigure 12: Statistics for C2 domain franco.ddns.net\r\nConclusion\r\nThe campaign analyzed in this blog is likely part of Snip3 Crypter-as-a-service, as some of the artifacts (i.e.,\r\nSender IP, C2 IP address, and the final payload) are the same. But this one doesn’t use a PowerShell script. Instead,\r\nit employs a new technique to compile and execute inline C# code contained in an XML. This is yet another\r\nexample of threat actors quickly adopting and evolving techniques to create more sophisticated and difficult-to-detect attacks. 
In addition to the Fortinet protections below, I would encourage you to review the Mitre attack\r\ntechniques and measure how effective your current security controls are. Learn more about Mitre Att\u0026CK and\r\nhow to test your defenses.\r\nFortinet Protections\r\nFortinet customers are already protected from this RAT variant with FortiGuard’s Web Filtering and AntiVirus\r\nservices, as follows:\r\nThe C2 IP address is rated as \"Malicious\" by the FortiGuard Web Filtering service.\r\nThe VB script is detected as “VBS/Agent.OQP!tr” and the xml file is detected as “VBS/Agent.AK!tr”. The RAT\r\nloader and the final payload AsyncRAT are detected as “W32/PossibleThreat”.\r\nThe FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. The\r\nFortinet AntiVirus engine is a part of each of those solutions as well. As a result, customers who have these\r\nproducts with up-to-date protections are protected.\r\nFortiEDR’s real time protection detects process hollowing during execution and blocks the RAT from connecting\r\nto the C2 server. 
\r\nFortinet’s Phishing Simulation Service, FortiPhish, can also be used to proactively test the susceptibility of your\r\norganization to these kinds of phishing attacks.\r\nMITRE ATT\u0026CK\r\nT1566.002: Phishing: Spearphishing Link\r\nT1059.005: Command and Scripting Interpreter: Visual Basic\r\nT1027: Obfuscated Files\r\nT1127.001: Trusted Developer Utilities Proxy Execution: MSBuild\r\nT1218.009: Signed Binary Proxy Execution: Regsvcs\r\nT1055.012: Process Injection: Process Hollowing\r\nT1547.001: Registry Run Keys / Startup Folder\r\nT1056.001: Input Capture: Keylogging\r\nT1053.002: Scheduled Task\r\nT1041: Exfiltration Over C2 Channel\r\nT1518.001: Security Software Discovery\r\nT1497: Virtualization/Sandbox Evasion\r\nIOCs\r\nEmail\r\n34646a93538a34c871e04a368c97637d1b7d1d4507bf210afd9349a61b25b35e\r\nef4b52c8f2c844b76534f583171d03a87cc195b0c3ae32754df0c01177792432\r\n04e93767d16a3e6ca68e45fea23434a9c9ed363c3f0d28b9653f74bbf405ef65\r\nVBS\r\nadf94da54bc49abc6fdb2a36523eb726f26dacd5598a0fdc64e61b8d500edad8\r\n34914c4af84888552bd7ef74d9a691918013766719881a042723001ef96f554c\r\nc16e5de09a78886dc972d26aeb0e9fe760b855eb157c7df308fad2116b860ef7\r\n65d3ff89602db4294fa2f585c472e566a3d72d2065e6bc4f493b02a3b08393ba\r\n4c6f832a85fbcf17308ab923b066577de859571a2743e99bf249398e19a00fb8\r\n0b56c16a28482cc0af81b93aff36d02610e30a8d65d7ea1ccd73f8242effbada\r\n9dd8a6725b9c881311501b79770e4f1c9aee2c3b42f59f7694d48b67939eede5\r\n59aafb3dd9c6cdb95ff662299e1faf3efb01d5ef8479dbbb8032b4b9cb3c3d91\r\na54f4ee320b21c1cfde3358a25131476127b9fb1fd5cad9fd03fa2be1f4fd0e2\r\n9297b0db717beea397aacf15e7ef081faf3b9e430002a1c1b4e150e56fb940f9\r\nGood.xml\r\nE7D60A25BF1D80C144919F5F112594793A12A8176F2000BD890E331234A26814\r\n8938838db8d16708692e80d170e0d8dc1522531e5a5ab5ae878a27a147780f44\r\nb45470aa79cc7acab448a65252c3c7ee840ce6d0e78c40ad2c6bc261a912d393\r\nf9bc8699f18b93cdb4b076dbf6f4baf2befd8c72eb26cefc28086f02a607f2f6\r\n.NET Loader\r\nB0DC46B5FC849DA9CC7A3FC4D8AA5EA8745D7E50869AC689BB956AAB3079EEB9\r\n814f21f8c2befba504e592e3396be7454f93013939325cc7fbad5c38f022b395\r\nAsyncRAT\r\n5344E8B1EF4939A3C9F84921B284DD6E0B98B2CF524D678116BEF6E58DC4A6C3\r\nPDB\r\nE:\\Hard Drives\\Local Disk (C)\\WIN 10 [ October Update ] FILES\\Sparta Project\r\n#Hope\\projFUD\\projFUD\\obj\\Debug\\projFUD.pdb\r\nMalicious IPs\r\n79.134.225.18 (C2)\r\n192.145.239.18\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nSecurity Subscriptions and Services portfolio.\r\nLearn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda\r\n(TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans\r\nprogram. Learn more about FortiGuard Labs global threat intelligence and research and the FortiGuard Security\r\nSubscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies"
	],
	"report_names": [
		"spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies"
	],
	"threat_actors": [],
	"ts_created_at": 1775434350,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/418d0231ec0921ebdb42da5ef54e43895f274de2.pdf",
		"text": "https://archive.orkl.eu/418d0231ec0921ebdb42da5ef54e43895f274de2.txt",
		"img": "https://archive.orkl.eu/418d0231ec0921ebdb42da5ef54e43895f274de2.jpg"
	}
}