{
	"id": "37efc82d-7561-4f63-bbe2-7d20366e68c5",
	"created_at": "2026-04-06T00:08:25.391323Z",
	"updated_at": "2026-04-10T03:20:39.787405Z",
	"deleted_at": null,
	"sha1_hash": "79c2c96381b1499953125e8e04342c97237c0bd5",
	"title": "Threat Actor Targets Manufacturing Industry With Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2062932,
	"plain_text": "Threat Actor Targets Manufacturing Industry With Malware\r\nPublished: 2024-12-05 · Archived: 2026-04-05 13:13:46 UTC\r\nThreat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot\r\nThreat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot\r\nCyble analyzes a malicious campaign targeting the manufacturing industry, using process injections to deliver Lumma\r\nStealer and Amadey bot.\r\nKey takeaways\r\nCyble Research and Intelligence Labs (CRIL) identified a malicious campaign targeting the manufacturing\r\nindustry, leveraging a deceptive LNK file disguised as a PDF file.\r\nThis campaign leverages multiple Living-off-the-Land Binaries (LOLBins), such as ssh.exe, powershell.exe, and\r\nmshta.exe, to bypass traditional security mechanisms and remotely execute the next-stage payload.\r\nThe Threat Actor (TA) used Google Accelerated Mobile Pages (AMP) URL along with a shortened URL to evade\r\ndetection by traditional URL scanners.\r\nThe attack heavily relies on file injection techniques, where the TAs execute malicious payloads directly in\r\nmemory to bypass conventional security mechanisms.\r\nThe attack chain leverages DLL sideloading and IDATLoader to deploy the Lumma stealer and Amadey bot,\r\nenabling the attacker to gain control and exfiltrate sensitive information from the victim’s machine.\r\nOverview\r\nCRIL recently identified a multi-stage cyberattack campaign originating from an LNK file. The initial infection vector\r\nremains unknown; however, the attack likely begins with a spear-phishing email, prompting the recipient to click on a link\r\nthat leads to an LNK shortcut file disguised as a PDF document. 
The file is hosted on a remote WebDAV share at “hxxp://download-695-18112-001-webdav-logicaldoc[.]cdn-serveri4732-ns.shop/Downloads/18112.2022/Instruction_695-18121-002_Rev.PDF.lnk”.\r\nUpon searching for the file name “695-18121-002_Rev” on Google, we discovered a technical engineering drawing for a component. Additionally, we observed similar samples using the name “Instruction_18112,” which led us to another technical document detailing the installation of a chair. The malicious LNK file hosted on the URL impersonates LogicalDOC, a cloud-based document management system commonly used in manufacturing and engineering firms. Based on the targeting and nature of these attacks, we suspect that the campaign is likely targeting the manufacturing industry.\r\nhttps://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/\r\nPage 1 of 12\r\nOnce executed, the LNK file triggers a command to launch ssh.exe, which subsequently runs a PowerShell command. This PowerShell command fetches and executes an additional malicious payload from a remote server using mshta.exe. The remote server is accessed via a URL that abuses Google’s Accelerated Mobile Pages (AMP) framework, combined with a shortened URL that redirects to a location hosting malicious PowerShell code.\r\nThe PowerShell code then triggers another malicious script hosted on Pastebin, controlled by the TA. This script contains an encoded PowerShell command that downloads a ZIP archive to the Temp directory, extracts its contents, and executes a legitimate executable. The executable, in turn, sideloads a malicious DLL file.\r\nIn this sophisticated campaign, the TA uses multiple stages of code injection to deploy the Lumma stealer, which then downloads the Amadey Bot onto the victim’s system. 
The figure below shows the infection chain.\r\nFigure 1 – Infection chain\r\nTechnical Analysis\r\nThreat Actors are increasingly exploiting LNK files as their initial vector for malware distribution due to their flexibility in executing various commands. In this campaign, they specifically leveraged the Windows SSH client (C:\\Windows\\System32\\OpenSSH\\ssh.exe) as an alternative target in the LNK file’s “Target” field. This approach reduces the likelihood of detection compared to using cmd.exe or powershell.exe as the target. The image below shows the LNK command.\r\nFigure 2 – LNK using SSH as a target\r\nWhen a user opens the disguised LNK file, it triggers “ssh.exe” to run a PowerShell command through the ProxyCommand option of ssh.exe. The embedded PowerShell command contains obfuscated content, as shown in the image above. The de-obfuscated code attempts to execute PowerShell content hosted at the AMP URL “hxxps://www.google[.]ca/amp/s/goo.su/IwPQJP” using mshta.exe. 
In this case, the hosted content contains AES-encrypted data, as shown in the image below.\r\nFigure 3 – AES-encrypted content hosted in AMP URL\r\nUpon decryption, the data reveals Base64-encoded content, which is displayed in the image below.\r\nFigure 4 – Base64-encoded content\r\nThe decoded Base64 content reveals an obfuscated PowerShell command, as shown in the image below.\r\nFigure 5 – Obfuscated PowerShell command\r\nThis PowerShell command manipulates security protocols and performs the following actions:\r\nFirst, it configures various security protocols, including TLS 1.0, TLS 1.1, TLS 1.2, and SSL 3.0, using the .NET ServicePointManager class.\r\nThen, it initiates a web request using Invoke-WebRequest (iwr) to fetch a payload from the URL hxxps://Pastebin[.]com/raw/0v6Vhvpb, which is then immediately executed using Invoke-Expression (iex).\r\nThe image below shows the retrieved payload from the Pastebin URL.\r\nFigure 6 – Partial PowerShell script fetched from the Pastebin URL\r\nThe retrieved content from the Pastebin link consists of a PowerShell script that performs several actions:\r\n1. The script begins by sanitizing the content fetched from Pastebin, removing newline characters (“\\n”) and commas (,).\r\n2. The cleaned string is then decoded from Base64 into binary data.\r\n3. Using a hardcoded decryption key, the script decrypts the binary data.\r\n4. Once decrypted, the script extracts a portion of the data starting from the 64th byte to the end, which is the actual code to execute. This code is then converted into a readable PowerShell command using UTF-8 encoding.\r\n5. Before executing the decoded command, a 2-second delay is introduced with Start-Sleep. 
Finally, the decoded PowerShell command is executed in memory using Invoke-Expression.\r\nThe image below shows the decrypted PowerShell code extracted using the above steps.\r\nFigure 7 – Decrypted PowerShell code\r\nThe newly introduced script represents the final stage in delivering malicious files to the system. The script operates as follows:\r\n1. The script first verifies the system’s internet connectivity by sending HTTP requests to two distinct domains: 360.net and baidu.com. These requests ensure the system is online before proceeding with further actions.\r\n2. Once the victim’s system is connected to the internet, the script downloads a malicious CPL file named naailq0.cpl from the remote URL hxxps://berb.fitnessclub-filmfanatics[.]com/naailq0.cpl.\r\n3. The downloaded CPL file is saved as a ZIP file within the Temp directory. This ZIP file is then copied to a newly created folder under the LocalAppData folder. The folder name is dynamically generated using a GUID (Globally Unique Identifier).\r\n4. After extraction, the script scans the folder for any executable files (EXEs). Any EXE files found within the extracted contents are then executed.\r\n5. The script includes a commented-out line that, if activated, would delete the extracted files and folder after execution, potentially covering its tracks.\r\nThe image below shows the contents of the downloaded ZIP file. The ZIP file also contains encrypted files, which will be decrypted and loaded in the subsequent stages of infection.\r\nFigure 8 – Extracted files in the archive\r\nIn this case, the script executes “syncagentsrv.exe”, which performs DLL sideloading by loading the malicious “Qt5Network.dll” upon execution. 
The malicious DLL then reads an encrypted file named “shp” from the same directory, decrypts its contents, and reveals strings such as LoadLibraryA, VirtualProtect, and dbghelp.dll, as shown in the figure below.\r\nFigure 9 – Decrypted content\r\nAfter decryption, the malicious DLL extracts the string “dbghelp.dll” from the decrypted content and utilizes it to load the DLL via the LoadLibraryA API. The “dbghelp.dll” is a Microsoft Windows library designed for debugging and managing symbol information. After loading the DLL, the malicious code employs the VirtualProtect API to modify the memory region permissions of “dbghelp.dll” to PAGE_EXECUTE_READWRITE, as illustrated below.\r\nFigure 10 – Modifying permission of dbghelp.dll\r\nIt then overwrites the contents of “dbghelp.dll” with the decrypted data and subsequently modifies the memory protection of the overwritten region to PAGE_EXECUTE_READ, as depicted below.\r\nFigure 11 – Modifying the permissions of dbghelp.dll\r\nAfter modifying the memory protection, the malicious code begins executing the injected content within “dbghelp.dll”. The injected code then proceeds to read another file named “bwvrwtn”, located in the same directory. The file “bwvrwtn” is an encrypted IDAT file containing multiple encrypted chunks, each prefixed with the string “IDAT,” as illustrated below.\r\nFigure 12 – IDAT marker\r\nThe DLL now searches for the string IDAT, takes the four bytes following it, and compares them with C6 A5 79 EA. If the comparison is successful, the DLL proceeds to copy all the data following IDAT into memory, decrypts it using the XOR key, and then decompresses the decrypted content using the RtlDecompressBuffer API, as shown below.\r\nFigure 13 – Decompressed data\r\nIt then loads a legitimate “pla.dll” from the %syswow64% directory using the LoadLibraryW API. 
After loading, it changes the memory permissions of “pla.dll” to PAGE_EXECUTE_READWRITE, copies the decrypted content into its memory, changes the permissions to PAGE_EXECUTE_READ, and finally executes the injected code in “pla.dll”, as shown below.\r\nFigure 14 – Executing the injected code\r\nThe code within “pla.dll” proceeds to inject malicious code into “more.com” and then executes it. The malicious code in “more.com” is responsible for deploying the final payload by injecting it into a newly created process, “msiexec.exe”. The injected payload is Lumma Stealer, which is capable of stealing sensitive information from the victim’s machine. The figure below shows the memory strings of “msiexec.exe” containing Lumma Stealer’s C2 details.\r\nFigure 15 – Msiexec process memory strings\r\nAmadey Bot\r\nThe TA behind this campaign also deploys the Amadey bot in the “%temp%” directory, employing the same technique of injecting code into “more.com”. This injected code further injects the final Amadey bot payload into “explorer.exe”. To achieve persistence, the malware creates a Task Scheduler entry named “NodeJS Web Framework”. This task is configured to execute a copy of the Amadey bot stored in the %Appdata% directory, as illustrated below.\r\nFigure 16 – Task Scheduler for Persistence\r\nThe figure below shows the execution flow of Lumma Stealer and Amadey bot.\r\nFigure 17 – Execution Flow\r\nConclusion\r\nThis multi-stage cyberattack campaign demonstrates the increasing sophistication and adaptability of threat actors. 
By leveraging various evasion techniques such as URL shortening and AMP URLs, the attackers successfully bypass traditional security mechanisms.\r\nThe use of legitimate system tools like ssh.exe and mshta.exe to execute malicious PowerShell commands further illustrates the complexity of the attack. The final payload, which involves the deployment of both Lumma stealer and Amadey bot, highlights the TA’s intent to steal sensitive information and maintain persistent control over compromised systems.\r\nYara and Sigma rules to detect this campaign are available for download from the linked GitHub repository.\r\nRecommendations\r\nThe initial breach may occur via spam emails. Therefore, it’s advisable to deploy strong email filtering systems to identify and prevent the dissemination of harmful attachments.\r\nExercise caution when handling email attachments or links, particularly those from unknown senders. Verify the sender’s identity, particularly if an email seems suspicious.\r\nDisable WebDAV if it is not required for business operations to minimize potential attack vectors.\r\nConsider disabling the execution of shortcut files (.lnk) originating from remote locations, such as WebDAV links, or implementing policies that require explicit user consent before executing such files.\r\nThe campaign abused the legitimate ssh utility; hence, it is advised to monitor the activities conducted by the ssh utility and restrict access to limited users.\r\nConsider limiting the execution of script interpreters, such as PowerShell and mshta.exe, on user workstations and servers if they are not essential.\r\nImplement application whitelisting to ensure only approved and trusted applications and DLLs can be executed on the systems.\r\nMonitor AMP links using advanced URL filtering and threat intelligence feeds to detect suspicious 
activity.\r\nSet up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique | Procedure\r\nInitial Access (TA0001) | Phishing (T1566) | The LNK file may be delivered through phishing or spam emails.\r\nExecution (TA0002) | User Execution: Malicious Link (T1204.001); Command and Scripting Interpreter: PowerShell (T1059.001) | Execution begins when a user executes the LNK file. The LNK file executes PowerShell commands.\r\nDefense Evasion (TA0005) | Masquerading: Masquerade File Type (T1036.008) | Uses LNK files with altered icons to disguise them as legitimate files.\r\nDefense Evasion (TA0005) | System Binary Proxy Execution: Mshta (T1218.005) | Abuses mshta.exe to proxy execution of malicious files.\r\nDefense Evasion (TA0005) | Obfuscated Files or Information (T1027) | Scripts include packed or encrypted data.\r\nDefense Evasion (TA0005) | System Binary Proxy Execution: Msiexec (T1218.007) | msiexec.exe is used for proxy execution of malicious payloads.\r\nPrivilege Escalation (TA0004) | DLL Side-Loading (T1574.002) | Malicious DLL is side-loaded.\r\nPrivilege Escalation (TA0004) | Process Injection (T1055) | Injects malicious content into explorer.exe and other processes.\r\nPersistence (TA0002) | Scheduled Task/Job (T1053.005) | Adds a Task Scheduler entry for persistence.\r\nC\u0026C (TA0011) | Application Layer Protocol (T1071) | Malware communicates with the C\u0026C server.
\r\nExfiltration (TA0010) | Automated Exfiltration (T1020) | Data is exfiltrated after collection.\r\nIndicators of Compromise\r\nIndicator | Indicator Type | Description\r\n5b6dc2ecb0f7f2e1ed759199822cb56f5b7bd993f3ef3dab0744c6746c952e36 | SHA-256 | Instruction_695-18121-002_Rev.PDF.lnk\r\n8ed1af83cf70b363658165a339f45ae22d92c51841b06c568049d3636a04a2a8 | SHA-256 | Malicious PowerShell script downloaded from Pastebin (0v6Vhvpb)\r\n7b8958ed2fc491b8e43ffb239cdd757ec3d0db038a6d6291c0fd6eb2d977adc4 | SHA-256 | Zip file disguised as .cpl\r\ndc36a3d95d9a476d773b961b15b188aa3aae0e0a875bca8857fca18c691ec250 | SHA-256 | Malicious DLL (sideloaded)\r\nhxxps://www.google[.]ca/amp/s/goo.su/IwPQJP | URL | Remote server\r\nhxxps://pastebin[.]com/raw/0v6Vhvpb | URL | Remote server\r\nhxxps://berb.fitnessclub-filmfanatics[.]com/naailq0.cpl | URL | Remote server\r\nhxxp://download-695-18112-001-webdav-logicaldoc[.]cdn-serveri4732-ns.shop/Downloads/18112.2022/ | URL | WebDAV server link hosting malicious LNK file\r\nSource: https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/"
	],
	"report_names": [
		"threat-actor-targets-manufacturing-industry-with-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434105,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/79c2c96381b1499953125e8e04342c97237c0bd5.pdf",
		"text": "https://archive.orkl.eu/79c2c96381b1499953125e8e04342c97237c0bd5.txt",
		"img": "https://archive.orkl.eu/79c2c96381b1499953125e8e04342c97237c0bd5.jpg"
	}
}