FortiGuard Labs found a phishing campaign that tricks users into downloading a malicious Java downloader to spread new VCURMS and STRRAT remote access trojans.
The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub to avoid detection. They used email as its command and control throughout the attack campaign. The receiving endpoint uses Proton Mail for privacy protection. Figure 1 shows the attack chain.
On February 13, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued 20 advisories about serious vulnerabilities in Industrial Control...
Palo Alto Networks has issued advisories for two critical vulnerabilities in its PAN-OS. The vulnerabilities, CVE-2025-0108 and CVE-2025-0110, may enable...
The email shown in Figure 2 is part of an attack campaign. It tricks staff members by pretending that a payment is being made and prompts them to click a button to confirm payment details. When the button is clicked, a harmful JAR file hosted on AWS is downloaded to the victim’s computer.
Figure 2: The phishing e-mail
Payment-Advice.jar:
The downloaded files look like typical phishing attachments with fake names meant to trick people into opening them. When checking the file with a JAR decompiler, many strings are hidden, and one of the class names, “DownloadAndExecuteJarFiles.class,” clearly shows the program’s intention. The program is designed to download two JAR files to a path provided by the attacker and run them.
Figure 3: Code to download and execute Jar Files
The obfuscator uses a class called “sense loader”, as seen in Figure 4. This class selects the appropriate native loader module from the resources based on the current operating system during execution.
Figure 4: A class employed by the obfuscator
The obfuscator‘s code is very similar to the code generated by a legitimate obfuscation tool called “Sense Shield Virbox Protector” shown in Figure 6.