Ali Chisom
Lagos
This campaign highlights the sophistication of modern phishing threats and underscores the importance of layered defense—user awareness, IOC detection, and behavioral analytics.

In June 2025, I investigated a deceptive phishing campaign that leveraged multi-layered evasion techniques to deliver a stealthy malware payload disguised as a financial invoice. This campaign demonstrates how a seemingly innocent attachment—invoice_10988.img—led to a .NET-based dropper (KTMBE25040170.exe) that deployed a secondary payload (Count.exe) with persistence via a startup VBS script.
• Initial Vector: Malicious email with .xz archive and mounted .img file
• Payload Behavior:
  • Drops Count.exe in %TEMP%
  • Establishes persistence via Count.vbs in the Startup folder
  • Initiates encrypted outbound C2 traffic to mxcnss.dns04.com:7702
• Obfuscation: .NET Reactor packing, control flow obfuscation
• Persistence: Hidden VBS launcher, mimicking benign startup behavior
• IOC Summary: SHA256, IP, Domain, File Paths provided
• Mitigations:
  • Block .xz and .img attachments via email filtering
  • Prevent .vbs execution from startup folders
  • Monitor .NET executables for suspicious behavior
  • Block traffic to known C2 IPs and ports
  • Train users to recognize invoice-themed phishing attacks
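The mitigation list above maps onto a handful of detections. The following Python script is an added example, not part of the original report, that runs those detections over a few constructed telemetry events: a mail-gateway attachment record, a file write into the per-user Startup folder, a process launch out of %TEMP% by a script host, and an outbound connection to the C2 endpoint. The event schema, host names, user name and paths are assumptions made up for this example; the indicators (the .xz/.img attachment types, Count.vbs in Startup, Count.exe in %TEMP%, and the C2 host read from the bullet list as mxcnss.dns04.com on port 7702) come from the write-up. It also correlates the hits per host, so a machine showing persistence plus Temp execution plus C2 is surfaced as the complete chain rather than three unrelated alerts.

```python
"""Added example: rule-based triage of constructed endpoint and mail-gateway
telemetry for the invoice phishing chain described in the post. The event
schema, host names and sample events are constructed for this example; the
indicators (attachment types, Count.vbs in the Startup folder, Count.exe in
%TEMP%, the C2 host and port) come from the write-up above."""
import re
from collections import defaultdict
from typing import Callable, Dict, List, Optional

# Indicators from the write-up
C2_HOST = "mxcnss.dns04.com"
C2_PORT = 7702
RISKY_ATTACH_EXT = {"xz", "img"}          # archive + mountable disk image
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Per-user Startup folder (...\Start Menu\Programs\Startup\<name>.vbs)
# and %TEMP% (...\AppData\Local\Temp\<name>.exe)
STARTUP_VBS_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.vbs$", re.IGNORECASE)
TEMP_EXE_RE = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.exe$", re.IGNORECASE)

Event = Dict[str, object]


def attachment_is_risky(filename: str) -> bool:
    """Mail filter: .xz or .img anywhere in the extension chain, so invoice.img.xz is caught too."""
    parts = filename.lower().split(".")
    return any(p in RISKY_ATTACH_EXT for p in parts[1:])


def rule_attachment(ev: Event) -> Optional[str]:
    if ev["type"] == "email_attachment" and attachment_is_risky(str(ev["name"])):
        return f"blocked attachment type: {ev['name']}"
    return None


def rule_startup_vbs(ev: Event) -> Optional[str]:
    """Persistence: a .vbs written into a Startup folder (Count.vbs in the campaign)."""
    if ev["type"] == "file_write" and STARTUP_VBS_RE.search(str(ev["path"])):
        return f"VBS written to Startup folder by {ev['process']}: {ev['path']}"
    return None


def rule_temp_exec_from_script(ev: Event) -> Optional[str]:
    """Execution: a script host launching an .exe out of %TEMP% (the Count.vbs -> Count.exe hop)."""
    if (ev["type"] == "process_create"
            and TEMP_EXE_RE.search(str(ev["image"]))
            and str(ev["parent"]).lower() in SCRIPT_HOSTS):
        return f"{ev['parent']} launched {ev['image']}"
    return None


def rule_c2(ev: Event) -> Optional[str]:
    """C2: a connection to the known host, or to its non-standard port on any host."""
    if ev["type"] != "network_connect":
        return None
    if str(ev["dest_host"]).lower() == C2_HOST:
        return f"{ev['process']} -> known C2 host {ev['dest_host']}:{ev['dest_port']}"
    if ev["dest_port"] == C2_PORT:
        return f"{ev['process']} -> C2 port {C2_PORT} on {ev['dest_host']} (port-only match)"
    return None


RULES: List[Callable[[Event], Optional[str]]] = [
    rule_attachment, rule_startup_vbs, rule_temp_exec_from_script, rule_c2]

# The three host-side stages that together make up the chain from the report
CHAIN_RULES = {"rule_startup_vbs", "rule_temp_exec_from_script", "rule_c2"}


def evaluate(events: List[Event]) -> List[Dict[str, str]]:
    """Run every rule over every event; each hit becomes an alert tagged with rule name and host."""
    alerts = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append({"rule": rule.__name__, "host": str(ev["host"]), "detail": detail})
    return alerts


def hosts_with_full_chain(alerts: List[Dict[str, str]]) -> List[str]:
    """Hosts on which persistence, %TEMP% execution and C2 all fired: the complete chain."""
    rules_by_host = defaultdict(set)
    for a in alerts:
        rules_by_host[a["host"]].add(a["rule"])
    return sorted(h for h, r in rules_by_host.items() if CHAIN_RULES <= r)


# Constructed sample telemetry (host names, user and paths are made up for this example)
SAMPLE_EVENTS: List[Event] = [
    {"host": "MAILGW", "type": "email_attachment", "name": "invoice_10988.img.xz"},
    {"host": "WS-01", "type": "file_write", "process": "KTMBE25040170.exe",
     "path": r"C:\Users\a.user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs"},
    {"host": "WS-01", "type": "process_create", "parent": "wscript.exe",
     "image": r"C:\Users\a.user\AppData\Local\Temp\Count.exe"},
    {"host": "WS-01", "type": "network_connect", "process": "Count.exe",
     "dest_host": "mxcnss.dns04.com", "dest_port": 7702},
    # benign activity that must stay quiet
    {"host": "WS-02", "type": "process_create", "parent": "explorer.exe",
     "image": r"C:\Program Files\SomeApp\app.exe"},
    {"host": "WS-02", "type": "network_connect", "process": "app.exe",
     "dest_host": "update.example.com", "dest_port": 443},
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['rule']}] {a['host']}: {a['detail']}")
    print("full chain on:", hosts_with_full_chain(found))
```

The port-only branch of `rule_c2` is deliberately weaker than the host match: port 7702 alone will eventually collide with legitimate traffic, so in production it belongs at a lower severity or feeds only the per-host correlation rather than paging on its own. Once the campaign rotates its domain, the Startup-folder VBS and the script-host-to-Temp launch are the two detections that keep working, which is why the correlation requires them and not just the network indicator.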
Drop your comment; let's discuss in the comment section 👇
📎 Full report includes screenshots, technical artifacts, and a custom YARA rule for detection.
Let’s stay sharp, share knowledge, and raise the bar in proactive cybersecurity defense.