The SOC360 team monitors the networks, endpoints and cloud environments of the largest organisations in Poland, using EDR/XDR/NDR technologies from leading vendors (SentinelOne, Palo Alto, CrowdStrike, Microsoft Defender for Endpoint, Fidelis, Cybereason). During its analyses the team regularly encounters software that security products classify ambiguously and that therefore requires detailed verification of the context, so that an appropriate response and recommendations can be made.
Introduction
In June 2025, the SOC360 team observed a large-scale campaign, delivered to many customers, masquerading as requests for quotation. The number of unique files, the file names tailored to the victims' languages, and the structure of the infrastructure indicate a fairly large scale of operations. Retrospective analysis of the code and of the network infrastructure revealed that the malware was distributed from a file server placed on the compromised website of an organisation in Côte d'Ivoire, a convenient and effective method favoured by malicious actors. The analysis allowed the functionality of the delivered software to be identified in detail and supported threat-hunting activities that surfaced the same threat at other customers. The multi-stage construction and the use of compromised infrastructure with a good reputation allowed some security systems to be deceived.
Analysis
Initial reports
The first detection of suspicious activity occurred almost simultaneously through two channels:
- Detection in one of the commercial EDR systems using a behavioural engine analysing software activity
- A report by an alert employee of one of the organisations, who successfully noticed a phishing attempt
Analysis of the first stage
Files named Zapytanie_Ofertowej_
The script contained standard obfuscation techniques intended to confuse both security products and analysts:
- Forcing the UTF-8 code page so that unusual variable names can be used (@chcp 65001 >nul)
- Variable names built from non-ASCII characters drawn from several alphabets, including Armenian (set "ԲՆуԶՓПԼՉԸ=C:\Wi")
- Splitting commands into small fragments stored in variables and reassembled at later stages (set "Զрնթп= | xco", set "ЦըսтՒ=py /d ", set "ԳпԺՌՒՀձ=/q /y ", executed as %ЧՅշՇՇՏնԽդ%%Զрնթп%%ЦըսтՒ%%ԳпԺՌՒՀձ%%ՃժՔԵՅ%%ԲΝуԶՓПԼՉԸ%...)
- Fragmentation of paths and commands
- Use of LOLBins (living-off-the-land binaries), e.g. echo F | xcopy ...
- Dead code and large numbers of meaningless comments (:: Sglpdnzfl Dfnmxwdad Hztijdrufz, :: Fdyaitteak Azemtm Epbtzle)
After the Armenian and Cyrillic (Grazhdanka) variable names are resolved and the fragments joined, it becomes clear that the script copies powershell.exe into its own folder under the .Ntx extension. The copy is then hidden from the user by setting the hidden file attribute on it.
Code fragment:
%ЧՅշՇՇՏնԽդ%%Զрнթп%%ЦըսтՒ%%ԳпԺՌՒՀձ%%ՃժՔԵՅ%%ԲՆуԶՓПԼՉԸ%%РՌԹрն%%ԵՎуԶճՈծ%%ЦԸтՐПрՑՃо%%ԴխԺчՑ%%ИծսԶՔէ%%ЧՆՒզէԷ%%ИԾԹԵըрв%%ПиթԻԵԳп%%ԼհцПвԷ%%ԺՐՌпԸиՌՌՋ%
expands to the command
echo F | xcopy /d /q /y /h /i "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "%~0.Ntx"
Here %~0 is the path of the running script with surrounding quotes removed, so the copy is written next to the script as <script name>.Ntx; the echo F piped into xcopy answers its "file or directory?" prompt so that the command runs without user interaction.
After powershell.exe has been cloned, the full path of the batch script that was run is stored in an environment variable, again assembled from fragments:
set "ПпջՏуջբтհ=SET Pb"
set "ՉՔշծՇԿոդ=lropil"
set "ՂрՀмժрՎՉՁ==%~f0"
%ПпջՏуջբтհ%%ՉՔշծՇԿոդ%%ՂрՀмժрՎՉՁ%
which, after expansion, executes SET Pblropil=<full path of the script> (%~f0 is the fully qualified path of the running batch file).
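To see the fragment reassembly in action, here is an added example (written for this page, not code from the SOC360 report or from the dropper): a small emulator of the cmd.exe parse-time expansion that walks a constructed script modelled on the fragments above, records every set, expands %VAR% and %~0/%~f0 references, and returns the reconstructed commands. The script text, the helper variable name ԱԲԳ and the script path C:\Users\victim\Downloads\Zapytanie_Ofertowe.cmd are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Quote characters accepted around `set "NAME=VALUE"`: cmd.exe itself only uses ",
# but fragments copied from reports often arrive as curly quotes.
QUOTES = '"\u2018\u2019\u201c\u201d'
SET_RE = re.compile(r'^\s*set\s+(.*)$', re.IGNORECASE)
VAR_RE = re.compile(r'%([^%]+)%')

# Assumed location of the dropper on the victim host (constructed).
SCRIPT_PATH = r'C:\Users\victim\Downloads\Zapytanie_Ofertowe.cmd'

# Constructed sample modelled on the fragments above (not the real dropper): the xcopy
# command and the SET Pblropil=<script path> line are split across variables whose
# names mix Armenian and Cyrillic letters. ԱԲԳ is an invented helper variable.
SAMPLE_SCRIPT = r'''@echo off
@chcp 65001 >nul
:: Sglpdnzfl Dfnmxwdad Hztijdrufz
set "ԲՆуԶՓПԼՉԸ=C:\Wi"
set "ԱԲԳ=ndows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
set "ЧՅշՇՇՏնԽդ=echo F"
set "Զрնթп= | xco"
set "ЦըսтՒ=py /d "
set "ԳпԺՌՒՀձ=/q /y "
set "ՃժՔԵՅ=/h /i "
:: Fdyaitteak Azemtm Epbtzle
%ЧՅշՇՇՏնԽդ%%Զрնթп%%ЦըսтՒ%%ԳпԺՌՒՀձ%%ՃժՔԵՅ%"%ԲՆуԶՓПԼՉԸ%%ԱԲԳ%" "%~0.Ntx"
set "ПпջՏуջբтհ=SET Pb"
set "ՉՔշծՇԿոդ=lropil"
set "ՂрՀмժрՎՉՁ==%~f0"
%ПпջՏуջբтհ%%ՉՔշծՇԿոդ%%ՂрՀмժрՎՉՁ%
'''


def parse_set(arg: str) -> Tuple[str, str]:
    """Split the argument of a cmd.exe `set` into (name, value).

    Handles both `set NAME=VALUE` and the quoted form `set "NAME=VALUE"`; only the
    first '=' separates name from value, so a value may itself start with '='.
    """
    arg = arg.strip()
    if arg and arg[0] in QUOTES:
        arg = arg[1:]
        if arg and arg[-1] in QUOTES:
            arg = arg[:-1]
    name, _, value = arg.partition('=')
    return name.strip(), value


def expand(line: str, env: Dict[str, str], script_path: str) -> str:
    """Expand %VAR% references and the %~0 / %~f0 script-path modifiers the way
    cmd.exe does before executing a line. Undefined variables expand to ''."""
    line = line.replace('%~f0', script_path).replace('%~0', script_path)
    return VAR_RE.sub(lambda m: env.get(m.group(1).strip(), ''), line)


def emulate(script: str, script_path: str = SCRIPT_PATH) -> Tuple[List[str], Dict[str, str]]:
    """Walk the script line by line: expand each line; if the result is a `set`,
    update the environment (so a reassembled SET is executed too), otherwise record
    the reconstructed command. Comments are skipped, a leading '@' is dropped."""
    env: Dict[str, str] = {}
    commands: List[str] = []
    for raw in script.splitlines():
        line = raw.strip().lstrip('@')
        if not line or line.startswith('::') or line.lower().startswith('rem '):
            continue
        line = expand(line, env, script_path)
        m = SET_RE.match(line)
        if m:
            name, value = parse_set(m.group(1))
            env[name] = value
        else:
            commands.append(line)
    return commands, env


if __name__ == '__main__':
    cmds, final_env = emulate(SAMPLE_SCRIPT)
    for c in cmds:
        print(c)
    print({k: v for k, v in final_env.items() if k.isascii()})
```

The emulator deliberately executes reassembled SET lines against its own environment rather than only printing them: that is how the Pblropil variable appears, and the same trick (a command that is itself a `set`) is common in batch droppers of this kind.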
Then the hidden PowerShell instance (the cloned .Ntx file) is started and handed a very long Base64 string. What follows is the typical loader chain:
- decoding the content from Base64
- decompressing the result
- wrapping the bytes in a MemoryStream object
The obfuscated fragments decode to the following content:
ՍԹճмՃв=FromBa → FromBa
ԵԼՄՑսԼկм=se64St → se64St
ՐՈԿпрԶ=tream( → tream(
ՔՃԾյԼՋ= [Conv → [Conv
ՓՋМՅПձՏ=t IO.M → t IO.M
ПԿԼէԿ= IO.Me → IO.Me
ИвժՋձуՊըՈ=emoryS → emoryS
ԵрէՔԶу=mpress → mpress
ՈեՂԸՔՒՓէժ=ompres → ompres
ЦՉյпՌՔէр=m.Refl → m.Refl
AppDom + ain]:: + Curren
The resulting byte array is then loaded through [AppDomain]::CurrentDomain (the AppDom + ain]:: + Curren fragments above, alongside the System.Reflection fragment), which lets the .NET payload execute directly from memory. This is the classic pattern of running malicious code inside an existing process without the assembly ever being written to disk.
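As an added example (not code from the page or from the malware), the following Python reproduces the decode chain offline so that an analyst can carve the .NET stage out of such a PowerShell line instead of letting [AppDomain]::CurrentDomain.Load() run it. The PowerShell line, the PE-shaped payload and the choice of GZip versus raw Deflate are constructed assumptions: the page only says the stage is Base64-decoded and decompressed, so both stream formats are accepted.

```python
import base64
import gzip
import re
import struct
import zlib
from typing import List

# Constructed stand-in for the deobfuscated PowerShell stage. The fragments listed on
# the page ([Conv, FromBa, se64St, IO.Me, emoryS, ompres, m.Refl, AppDom, ain]::, Curren)
# reassemble into a chain of this shape; the stream class is an assumption.
PS_TEMPLATE = (
    '$b=[Convert]::FromBase64String("{b64}");'
    '$in=New-Object IO.MemoryStream(,$b);'
    '$z=New-Object IO.Compression.GZipStream($in,[IO.Compression.CompressionMode]::Decompress);'
    '$out=New-Object IO.MemoryStream;$z.CopyTo($out);'
    '[AppDomain]::CurrentDomain.Load($out.ToArray())'
)

# A run of 32+ Base64-alphabet characters with optional padding; short identifiers
# in the surrounding PowerShell never reach that length.
B64_RE = re.compile(r'[A-Za-z0-9+/]{32,}={0,2}')


def extract_base64_literals(text: str) -> List[str]:
    """Pull candidate Base64 blobs out of a (deobfuscated) script line."""
    return B64_RE.findall(text)


def decompress_any(blob: bytes) -> bytes:
    """GZipStream output starts with the 1f 8b magic; DeflateStream writes raw deflate
    (no zlib header), which is what wbits=-15 selects."""
    if blob[:2] == b'\x1f\x8b':
        return gzip.decompress(blob)
    return zlib.decompress(blob, wbits=-15)


def carve_stage(b64_text: str) -> bytes:
    """Base64 -> decompress -> bytes: exactly what the loader hands to
    [AppDomain]::CurrentDomain.Load(), except the bytes are kept, not executed."""
    return decompress_any(base64.b64decode(b64_text, validate=True))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check for a PE image: 'MZ' at offset 0 and 'PE\\0\\0' at the
    offset stored in e_lfanew (DOS header field at 0x3c)."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3c)[0]
    return data[e_lfanew:e_lfanew + 4] == b'PE\x00\x00'


def carve_from_script(ps_line: str) -> bytes:
    """Analyst path: find the literal, decode it, and accept only a PE-shaped result."""
    for literal in extract_base64_literals(ps_line):
        try:
            data = carve_stage(literal)
        except (ValueError, zlib.error, OSError, EOFError):
            continue
        if looks_like_pe(data):
            return data
    raise ValueError('no PE-shaped stage found in the supplied line')


# --- constructed test material (not a real sample) ---------------------------------

def fake_pe() -> bytes:
    """Minimal PE-shaped blob: MZ header, e_lfanew -> 'PE\\0\\0', then filler bytes."""
    hdr = bytearray(0x84)
    hdr[:2] = b'MZ'
    struct.pack_into('<I', hdr, 0x3c, 0x80)
    hdr[0x80:0x84] = b'PE\x00\x00'
    return bytes(hdr) + bytes(range(256)) * 2


def pack_stage(payload: bytes, use_gzip: bool = True) -> str:
    """Build the Base64 text a loader of this shape would carry (GZip or raw Deflate)."""
    if use_gzip:
        blob = gzip.compress(payload)
    else:
        c = zlib.compressobj(wbits=-15)
        blob = c.compress(payload) + c.flush()
    return base64.b64encode(blob).decode('ascii')


if __name__ == '__main__':
    line = PS_TEMPLATE.format(b64=pack_stage(fake_pe()))
    carved = carve_from_script(line)
    print(len(carved), 'bytes carved, PE-shaped:', looks_like_pe(carved))
```

On a real sample the line fed to carve_from_script is the one recovered after the fragment expansion, and the carved bytes go to a .NET decompiler rather than to the AppDomain; the Base64 string the loader carries is far longer than the template above, but the chain is the same.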
Analysis of the .Net file
Compromised file server
Analysis of the .NET assembly showed that one of its first actions is to download and load further content from hxxps://
This is the domain of a palm-oil producer in Côte d'Ivoire whose website has not been updated since 2016. The site was probably compromised by the attackers through a vulnerable PowerShell plugin, which allowed them to host a number of the malicious files used in the attack.
Using compromised infrastructure is very convenient for attackers: it helps bypass security controls and hinders analysis by specialists. Among the reasons:
- reputation engines keep classifying the domain as benign long after it has been compromised
- its history, including registration age and registrant, inspires trust (in people and in automated systems alike)
- a valid TLS certificate from a public CA raises no suspicion
- the network traffic looks like ordinary, expected web traffic
- such domains cannot be blocklisted in advance
In practice this means that, for the first stage, the reliable signal is the endpoint behaviour (a batch file copying powershell.exe under a foreign extension and running it), not the reputation of the download server.
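Because domain reputation gives nothing here, the first-stage endpoint behaviour is what can be detected. The added example below (written for this page, not a rule from SOC360 or from any EDR vendor) runs three checks over constructed Sysmon-style events: a process whose PE OriginalFileName is PowerShell.EXE but whose image is not named powershell.exe, a process started from a file with a non-executable extension, and a file that was created and then executed. The events, paths and command lines are constructed; the field names follow Sysmon's ProcessCreate (Event ID 1) and FileCreate (Event ID 11) schemas.

```python
import ntpath
from typing import Dict, List

Event = Dict[str, str]

# Constructed Sysmon-style events (not real telemetry from the report). OriginalFileName
# comes from the PE version resource, so it survives the xcopy-to-.Ntx rename and is
# what makes a renamed PowerShell visible.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "C:\Users\victim\Downloads\Zapytanie_Ofertowe.cmd"',
     "OriginalFileName": "Cmd.Exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": "11", "Image": r"C:\Windows\System32\xcopy.exe",
     "TargetFilename": r"C:\Users\victim\Downloads\Zapytanie_Ofertowe.cmd.Ntx"},
    {"EventID": "1", "Image": r"C:\Users\victim\Downloads\Zapytanie_Ofertowe.cmd.Ntx",
     "CommandLine": r'"C:\Users\victim\Downloads\Zapytanie_Ofertowe.cmd.Ntx" -w hidden -ep bypass -enc SQBFAFgA',
     "OriginalFileName": "PowerShell.EXE", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\ProgramData\inventory.ps1",
     "OriginalFileName": "PowerShell.EXE", "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr")
POWERSHELL_NAMES = ("powershell.exe", "pwsh.exe")


def basename(path: str) -> str:
    # ntpath handles Windows paths correctly even when the analysis runs on Linux.
    return ntpath.basename(path).lower()


def rule_renamed_powershell(ev: Event) -> bool:
    """ProcessCreate where the PE says it is PowerShell but the file on disk is not
    called powershell.exe/pwsh.exe: the xcopy-to-.Ntx trick from the batch stage."""
    return (ev.get("EventID") == "1"
            and ev.get("OriginalFileName", "").lower() == "powershell.exe"
            and basename(ev.get("Image", "")) not in POWERSHELL_NAMES)


def rule_non_exe_image(ev: Event) -> bool:
    """ProcessCreate from a file whose extension Windows does not normally execute.
    CreateProcess does not care about the extension, so neither do droppers."""
    ext = ntpath.splitext(ev.get("Image", ""))[1].lower()
    return ev.get("EventID") == "1" and ext not in EXECUTABLE_EXTENSIONS


def rule_copied_then_executed(events: List[Event]) -> List[str]:
    """Correlate a FileCreate (Sysmon 11) with a later ProcessCreate of the same path."""
    created = {ev["TargetFilename"].lower()
               for ev in events if ev.get("EventID") == "11" and "TargetFilename" in ev}
    return [ev["Image"] for ev in events
            if ev.get("EventID") == "1" and ev.get("Image", "").lower() in created]


def hunt(events: List[Event]) -> List[Dict[str, str]]:
    """Run the per-event rules and the correlation rule; return one finding per hit."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        for rule in (rule_renamed_powershell, rule_non_exe_image):
            if rule(ev):
                findings.append({"rule": rule.__name__, "image": ev["Image"]})
    for image in rule_copied_then_executed(events):
        findings.append({"rule": "rule_copied_then_executed", "image": image})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["rule"], "->", f["image"])
```

The legitimately launched powershell.exe in the sample passes all three checks, which is the point: the rules key on the mismatch between what the file claims to be and where it runs from, not on PowerShell use as such.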
Further analysis of the infrastructure revealed that the file server on the compromised website holds a large number of unique second-stage files that the loader downloads. The files masquerade as .pdf documents, .mp3, .mp4 and .wav media files, and .vdf files, a format Valve uses to store game-related data.
Although the size and structure of the files indicate that they all serve the same purpose, their unique names and automatically generated, obfuscated content defeat reputation-based detection (unique file checksums). Most of the files on the server are either unknown to commercial reputation engines or classified as safe, and the second-stage (in practice third-stage) files were still unrecognised by CTI sources many weeks after the infrastructure was in active use. The downloaded file is considerably larger and contains the final payload together with the parameters needed to decode it.
Further analysis of code fragments and of infrastructure links in CTI sources allowed the malware to be attributed to the family known as Pure.
Links to other files and analyses
Analysis of the domain links (the server hosting the malicious files) and of the malicious files themselves indicated a campaign targeting at least several European Union countries. The file names referred to requests for quotation, invoices, or lists of products and prices. Examples of files that used the infrastructure of the compromised organisation in Côte d'Ivoire:
- Angebotsanfrage_MBM_Metallbau_04-06-2025.tgz
- SMG_Zapytanie_Oferta_20250605_65000324.cmd
- Poptavka_Produkty_Ceny_EurotechService_202507.tgz
- RFQ_Welding_Equipment_Parts_Metalex_20250527.tgz
The names were often further personalised by adding the name of a specific organisation (probably derived automatically from the recipient's domain) at the beginning or end, to make the file even more likely to be opened. Infrastructure analysis indicates continuous use of at least some of the domains, files and IP addresses from June 2025 to November 2025. In addition, some of the related files connected to addresses in the ASN of AEZA, a well-known bulletproof hosting provider used by Russian cybercriminal groups.
The Pure family
Analysis of the detected software and of the relationships between files whose metadata is known to commercial reputation engines clearly indicates a campaign using the Pure family. This is a range of tools sold on the Darknet as Malware-as-a-Service (MaaS) for distributing and operating malicious software. The family comprises several independent tools, including:
- Crypter – a tool for running malicious code inside an obfuscated wrapper application, designed to bypass security products and significantly hinder analysis. In this case it is a crypter for applications written for .NET.
- RAT – a tool for remote access to and management of an infected host
- Logs – an information stealer; the harvested credentials and session data are traded as "logs"
- Loader – a tool (usually the first stage of an attack) that silently downloads additional files containing the actual malware from the Internet and then decrypts/decodes/unpacks/executes them
- Clipper – a tool that steals cryptocurrency by replacing wallet addresses in the clipboard with the attacker's, so that funds are sent to an account of the attacker's choosing
These tools are neither the newest nor the most sophisticated, but they are advanced and complementary enough in functionality to sustain mass campaigns.
Summary
Analysis of files reported by customers identified a large-scale phishing campaign using the Pure malware family and targeting private organisations within the European Union.
In addition to using various Pure components (Crypter, Loader and Stealer), the attackers employed other mechanisms, such as compromising the websites of real organisations, to maximise the chances of a successful attack. Analysis of the infrastructure revealed the significant scale of the undertaking and its long duration of up to several months. Typical links in the cybercriminal ecosystem were also identified, such as the use of AEZA hosting infrastructure. Although the mechanisms used were not state of the art, they were sufficient to bypass certain security controls and to hinder analysis by cybersecurity specialists. The scale of the campaign is also visible in the number of reports received from SOC360 customers across many countries and sectors. The combination of bulletproof hosting, MaaS tools from the Darknet, compromised infrastructure for distributing malware, and loaders, crypters and stealers is standard among modern cybercriminals, yet with a little customisation it remains an effective way of infiltrating organisations.
