<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[(hunt.io) Malware Delivery via Open Directories: AsyncRAT and Cobalt Strike Campaign Analysis]]></title><description><![CDATA[<p>(hunt.io) Malware Delivery via Open Directories: AsyncRAT and Cobalt Strike Campaign Analysis</p><p>New analysis reveals threat actors exploiting open directories to deliver AsyncRAT and Cobalt Strike in multi-stage campaigns.</p><p>In brief - Adversaries are using exposed open directories to host and deliver malware, including AsyncRAT via BITS abuse and Cobalt Strike through Fernet-encrypted Python executables. These campaigns demonstrate how unsecured infrastructure enables sophisticated intrusions.</p><p>Technically - Campaign 1: VBScript (xx.txt) creates temp.xml with PowerShell, abuses BITSAdmin to fetch a disguised ZIP (f.jpg) containing 9 files, then self-deletes. Campaign 2: PyInstaller-compiled 1.exe (~10MB) uses Fernet to decrypt Cobalt Strike shellcode from a.txt, executed in-memory. The binary includes obfuscation (Base64 Chinese strings, QuickSort noise) and links to Supershell C2 (207.32.217[.]21, 121.37.21[.]229). 
Both leverage open directories for payload staging.</p><p>Source: <a href="https://hunt.io/blog/gateway-to-intrusion" rel="nofollow noopener">https://hunt.io/blog/gateway-to-intrusion</a></p><p><a href="https://swecyb.com/tags/Cybersecurity" rel="tag">#Cybersecurity</a> <a href="https://swecyb.com/tags/ThreatIntel" rel="tag">#ThreatIntel</a></p>]]></description><link>https://board.circlewithadot.net/topic/49bf6e4a-f02a-4e9a-b337-0593129d38b4/hunt.io-malware-delivery-via-open-directories-asyncrat-and-cobalt-strike-campaign-analysis</link><generator>RSS for Node</generator><lastBuildDate>Fri, 15 May 2026 08:38:49 GMT</lastBuildDate><atom:link href="https://board.circlewithadot.net/topic/49bf6e4a-f02a-4e9a-b337-0593129d38b4.rss" rel="self" type="application/rss+xml"/><pubDate>Wed, 22 Apr 2026 11:27:31 GMT</pubDate><ttl>60</ttl></channel></rss>