A new campaign has been observed impersonating Ukrainian government agencies in phishing attacks to deliver CountLoader, which is then used to drop Amatera Stealer and PureMiner.
"The phishing emails contain malicious Scalable Vector Graphics (SVG) files designed to trick recipients into opening harmful attachments," Fortinet FortiGuard Labs researcher Yurren Wan said in a report shared with The Hacker News.
In the attack chains documented by the cybersecurity company, the SVG files are used to initiate the download of a password-protected ZIP archive, which contains a Compiled HTML Help (CHM) file. The CHM file, when launched, activates a chain of events that culminate in the deployment of CountLoader. The email messages claim to be a notice from the National Police of Ukraine.
CountLoader, which was the subject of a recent analysis by Silent Push, has been found to drop various payloads like Cobalt Strike, AdaptixC2, and PureHVNC RAT. In this attack chain, however, it serves as a distribution vector for Amatera Stealer, a variant of ACRStealer, and PureMiner, a stealthy .NET cryptocurrency miner.
It's worth pointing out that both PureHVNC RAT and PureMiner are part of a broader malware suite developed by a threat actor known as PureCoder. Some of the other products from the same author include -
- PureCrypter, a crypter for Native and .NET
- PureRAT (aka ResolverRAT), a successor to PureHVNC RAT
- PureLogs, an information stealer and logger
- BlueLoader, a malware that can act as a botnet by downloading and executing payloads remotely
- PureClipper, a clipper malware that substitutes cryptocurrency addresses copied into the clipboard with attacker-controlled wallet addresses to redirect transactions and steal funds
According to Fortinet, Amatera Stealer and PureMiner are both deployed as fileless threats, with the malware "executed via .NET Ahead-of-Time (AOT) compilation with process hollowing or loaded directly into memory using PythonMemoryModule."
Amatera Stealer, once launched, gathers system information, collects files matching a predefined list of extensions, and harvests data from Chromium- and Gecko-based browsers, as well as applications like Steam, Telegram, FileZilla, and various cryptocurrency wallets.
"This phishing campaign demonstrates how a malicious SVG file can act as an HTML substitute to initiate an infection chain," Fortinet said. In this case, attackers targeted Ukrainian government entities with emails containing SVG attachments. The SVG-embedded HTML code redirected victims to a download site."
The development comes as Huntress uncovered a likely Vietnamese-speaking threat group using phishing emails bearing copyright infringement notice themes to trick recipients into launching ZIP archives that lead to the deployment of PXA Stealer, which then evolves into a multi-layered infection sequence dropping PureRAT.
"This campaign demonstrates a clear and deliberate progression, starting with a simple phishing lure and escalating through layers of in-memory loaders, defense evasion, and credential theft," security researcher James Northey said. "The final payload, PureRAT, represents the culmination of this effort: a modular, professionally developed backdoor that gives the attacker complete control over a compromised host."
"Their progression from amateurish obfuscation of their Python payloads to abusing commodity malware like PureRAT shows not just persistence, but also hallmarks of a serious and maturing operator."
