Sophisticated Malware Campaign Targets Windows and Linux Systems

A newly uncovered malware campaign targeting both Windows and Linux systems has revealed advanced evasion and credential theft techniques, according to the Sysdig Threat Research Team (TRT).
The operation began with a malicious Python script uploaded via a misconfigured system, enabling the download of crypto-miners and the deployment of stealthy tools for evasion and data exfiltration.
This multi-platform attack employed distinct paths for Linux and Windows, adapting its strategy based on the target operating system.
On Windows, attackers used a Python function to install the Java Development Kit (JDK), which facilitated the execution of a Java Archive (JAR) file retrieved from a previously active command-and-control (C2) server. The JAR file application-ref.jar functioned as a loader, initiating a chain of malicious components.
Two files from the JAR’s resources, renamed INT_D.DAT and INT_J.DAT, were deployed to the victim’s machine. The malware then used a ProcessBuilder command with suspicious flags such as -noverify and -XX:+DisableAttachMechanism, commonly seen in malicious Java processes to avoid detection and disable debugging.
Among the most concerning payloads were multiple infostealers embedded within the final JAR.
These components performed:
- Credential theft from Chrome extensions
- Token harvesting from Discord via HTTP header inspection
- Hardware and system reconnaissance using PowerShell and WebSockets
The attack also delivered a native DLL file, app_bound_decryptor.dll, which performed XOR encoding/decoding, manipulated Windows named pipes and included sandbox evasion checks such as IsDebuggerPresent() and IsProcessorFeaturePresent().
Detection Challenges and Misconfiguration Risks
This campaign highlights two key issues: the ongoing risk posed by misconfigured systems, and the need for effective detection strategies.
In this case, an exposed web interface allowed remote attackers to upload and execute malicious scripts, opening the door to a broader compromise. Such oversights remain a common and preventable vector in many intrusions.
To detect threats of this nature, organizations should rely on a combination of behavior-based monitoring, anomaly detection and layered runtime security controls.
Techniques such as YARA scanning, process behavior analysis and DNS monitoring can help flag suspicious activity early.
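As an added illustration of the process behavior analysis mentioned above (example code, not Sysdig's detection logic), the script below flags process launches that match the loader chain described in this article: a JVM started with -noverify or -XX:+DisableAttachMechanism, the application-ref.jar loader, or PowerShell spawned directly by a Java process. The process event format and sample events are constructed for this example.

```python
"""Flag process launches matching the Java loader chain described in the article.
Added example; the (pid, parent comm, command line) event shape is an assumption."""
from dataclasses import dataclass, field

# JVM flags the article associates with the loader: disabling bytecode
# verification and the attach mechanism hinders inspection of the JVM.
SUSPICIOUS_JVM_FLAGS = {"-noverify", "-XX:+DisableAttachMechanism"}
KNOWN_LOADER_JARS = {"application-ref.jar"}
JAVA_BINARIES = {"java", "java.exe", "javaw.exe"}
# Child processes a JVM has little legitimate reason to spawn on most hosts.
RECON_CHILDREN = {"powershell", "powershell.exe", "pwsh.exe"}


@dataclass
class Finding:
    pid: int
    reasons: list = field(default_factory=list)


def basename(path):
    """Strip Windows or POSIX directory components and lowercase the result."""
    return path.lower().rsplit("\\", 1)[-1].rsplit("/", 1)[-1]


def analyze_process(pid, parent_comm, cmdline):
    """Return a Finding if the launch matches the loader chain, else None."""
    argv = cmdline.split()
    if not argv:
        return None
    comm = basename(argv[0])
    reasons = []
    if comm in JAVA_BINARIES:
        flags = SUSPICIOUS_JVM_FLAGS.intersection(argv)
        if flags:
            reasons.append("jvm flags: " + ", ".join(sorted(flags)))
        if {basename(a) for a in argv} & KNOWN_LOADER_JARS:
            reasons.append("known loader jar")
    if comm in RECON_CHILDREN and basename(parent_comm) in JAVA_BINARIES:
        reasons.append("powershell spawned by JVM")
    return Finding(pid, reasons) if reasons else None


def scan(events):
    """Run analyze_process over (pid, parent_comm, cmdline) tuples; keep hits."""
    return [f for f in (analyze_process(*e) for e in events) if f]


# Constructed sample events: one benign Java launch, one loader launch, one recon child.
SAMPLE_EVENTS = [
    (4120, "explorer.exe", "java.exe -jar C:\\Users\\victim\\app.jar"),
    (4188, "python.exe", "java.exe -noverify -XX:+DisableAttachMechanism -jar C:\\Temp\\application-ref.jar"),
    (4201, "java.exe", "powershell.exe -NoProfile -Command Get-ComputerInfo"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.pid, finding.reasons)
```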