{
	"id": "efff3e1d-8957-493f-9f4c-62027a641103",
	"created_at": "2026-04-06T00:15:29.429474Z",
	"updated_at": "2026-04-10T03:37:00.396781Z",
	"deleted_at": null,
	"sha1_hash": "45d7e67d878f70102facb193e55352c0155d86a2",
	"title": "Steal-It Campaign | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 654206,
	"plain_text": "Steal-It Campaign | ThreatLabz\r\nBy Niraj Shivtarkar, Avinash Kumar\r\nPublished: 2023-09-06 · Archived: 2026-04-05 18:31:09 UTC\r\nWindows Update Exfil Infection Chain\r\nHow it works\r\nFigure 12: Windows update exfil infection chain flow\r\nOverview\r\nIn our analysis of this infection chain, we observed a ZIP archive bundled with a LNK file that uses geofencing techniques to target users in Belgium, who unknowingly download multiple stages of a PowerShell script that executes system commands to collect basic information for nefarious purposes. Interestingly, we saw a similar infection reported by CERT-UA which was attributed to APT28.\r\nTechnical Analysis\r\nFor this infection chain, the initial vector is a malicious LNK file bundled inside a ZIP archive (e.g. command_powershell.zip). The malicious LNK file opens the run[.]mocky[.]io URL using Microsoft Edge. This downloads a c1 file into the Downloads folder, which is then moved into the Startup folder as c1.bat, maintaining persistence on the machine. Whenever the system is restarted, c1.bat is executed.\r\nhttps://www.zscaler.com/blogs/security-research/steal-it-campaign\r\nPage 1 of 4\r\nFigure 13: Initial LNK file\r\nOnce opened, the run[.]mocky[.]io URL executes JavaScript code which downloads a batch script from a base64-encoded blob. The batch script is downloaded to the Downloads folder, where it is then renamed to c1.bat and moved into the Startup folder.\r\nc1.bat includes the “Window Update” title (identical to the phishing email subject) and is primed to download another script from run[.]mocky[.]io into the ProgramData directory using CertUtil.\r\nTo conceal the malicious activity, the batch script shows a seemingly innocuous message on the console with a progress bar. The message reads:\r\n“Dynamic Update for Windows Systems (KB5021043)”\r\nThis is depicted in the image below.\r\nFigure 14: Fake Windows update BAT script execution to download the additional stages\r\nThe LNK file opens a run[.]mocky[.]io URL using Microsoft Edge, which then performs the following actions:\r\nVerifies that the userAgent header includes the keyword \"edg\" to determine whether the browser used is “Microsoft Edge”\r\nUses the IPAPI Geolocation API to check whether the country code is \"BE\" (Belgium)\r\nSpecifically looking for the “BE” country code indicates that the infection chain is geofenced and targets users from Belgium.\r\nFigure 15: Geofenced HTML that targets users from Belgium\r\nIf both of the conditions above are satisfied, a b4.css script is downloaded into the Downloads folder by decoding a base64 blob. The script is then moved into the Startup folder and renamed to b4.cmd. This helps the threat actors maintain persistence, as in the other infection chains.\r\nUpon execution, b4.cmd opens another run[.]mocky[.]io URL using Microsoft Edge, which is similar to the JavaScript code seen in Figure 15.\r\nThe JavaScript code executes the batch script with the title “Window Update” and displays an innocent message on the console with a progress bar stating:\r\n“Dynamic Update for Windows Systems (KB5021043)”\r\nFrom here, another script is downloaded from run[.]mocky[.]io into the ProgramData directory using CertUtil and then executed.\r\nDuring the analysis, the Mocky URL was inaccessible; therefore, while searching for similar scripts with the “Window Update” messages shown in Figure 14, we discovered a PowerShell script which executes a final set of PowerShell commands downloaded from run[.]mocky[.]io. This script also sets the window title to “Updating Windows” and shows the message “Dynamic Cumulative Update for Windows (KB5023696)” to conceal its malicious intentions, as depicted in the screenshot below, and was also reported previously.\r\nFigure 16: Fake Windows update PowerShell script executes system commands and exfiltrates output\r\nThe final set of PowerShell commands in this script is designed to execute the commands tasklist and systeminfo on the system, and then use WebClient.UploadString() to exfiltrate the command output to the mockbin[.]org URL using a POST request, as shown below.\r\nIn addition to system information, we also observed cases where full file paths were exfiltrated to mockbin[.]org by executing the “Get-ChildItem -Path -Recurse -File | select FullName” command and then exfiltrating the command output using WebClient.UploadString().\r\nSource: https://www.zscaler.com/blogs/security-research/steal-it-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/steal-it-campaign"
	],
	"report_names": [
		"steal-it-campaign"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434529,
	"ts_updated_at": 1775792220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45d7e67d878f70102facb193e55352c0155d86a2.pdf",
		"text": "https://archive.orkl.eu/45d7e67d878f70102facb193e55352c0155d86a2.txt",
		"img": "https://archive.orkl.eu/45d7e67d878f70102facb193e55352c0155d86a2.jpg"
	}
}