Cybercriminals are leveraging reports of Venezuelan President Nicolás Maduro’s arrest on January 3, 2025, to distribute backdoor malware through a sophisticated social engineering campaign.
Security researchers at Darktrace have uncovered a malicious operation that exploits this high-profile geopolitical event to compromise unsuspecting victims.
Attack Method
The threat actors likely used spear-phishing emails containing a ZIP archive titled “US now deciding what’s next for Venezuela.zip”.
Inside the archive, victims find an executable file named “Maduro to be taken to New York.exe” alongside a malicious dynamic-link library (DLL) called “kugou.dll”.
The executable is actually a legitimate binary from KuGou, a Chinese streaming platform, repurposed to load the malicious DLL via DLL search-order hijacking (DLL sideloading).
Once executed, the malware creates a directory at C:\ProgramData\Technology360NB and copies itself there.

The executable is renamed “DataTechnology.exe” and configured to run automatically at system startup through a registry value at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Lite360.
A deceptive dialog box then prompts users to restart their computer, and if they don’t comply, the malware forces a system restart.

After the restart, the malware establishes encrypted TLS connections to its command-and-control server at 172.81.60[.]97 on port 443, periodically beaconing to receive instructions and configuration updates from the attackers.
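The chain above leaves a handful of host and network artefacts a defender can match on. The following Python script is an added example, not from the article or from Darktrace: it classifies constructed Sysmon-style JSON events against the reported indicators (drop directory, Run value, kugou.dll loaded from a non-install path, the C2 address, and the listed file hashes). The event field names and the "trusted install root" heuristic are assumptions for illustration.

```python
import json

# Indicators as reported in the article; the log lines further down are constructed.
C2_IP, C2_PORT = "172.81.60.97", 443  # written 172.81.60[.]97 (de-fanged) in the IoC list
RUN_VALUE = r"hkcu\software\microsoft\windows\currentversion\run\lite360"
DROP_DIR = r"c:\programdata\technology360nb"
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")  # assumed legitimate install roots
FILE_HASHES = {
    "8f81ce8ca6cdbc7d7eb10f4da5f470c6",  # the ZIP lure
    "722bcd4b14aac3395f8a073050b9a578",  # Maduro to be taken to New York.exe
    "aea6f6edbbbb0ab0f22568dcb503d731",  # kugou.dll
}

def classify(event: dict) -> list[str]:
    """Return the campaign indicators one telemetry event matches (empty if none)."""
    low = lambda key: str(event.get(key, "")).lower()
    kind, hits = event.get("type"), []
    if low("hash") in FILE_HASHES:
        hits.append("known-bad file hash")
    if kind == "file_create" and low("path").startswith(DROP_DIR):
        hits.append("staging directory under ProgramData")
    if kind == "registry_set" and low("target") == RUN_VALUE:
        hits.append("Run-key persistence (Lite360)")
    if (kind == "image_load" and low("image").endswith("\\kugou.dll")
            and not low("image").startswith(TRUSTED_ROOTS)):
        # Heuristic: a real KuGou install loads its DLL from Program Files; the same name from Downloads/ProgramData is the sideload shape.
        hits.append("kugou.dll loaded from non-install path (possible sideload)")
    if kind == "network_connect" and low("dst_ip") == C2_IP and event.get("dst_port") == C2_PORT:
        hits.append("beacon to reported C2 on 443")
    return hits

def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Classify each JSON event line; return (line_no, hits) for matching lines only."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := classify(json.loads(line)))]

# Constructed Sysmon-style events (JSON, one per line); not real telemetry.
SAMPLE_LOG = [
    r'{"type":"file_create","path":"C:\\Users\\a\\Downloads\\Maduro to be taken to New York.exe","hash":"722BCD4B14AAC3395F8A073050B9A578"}',
    r'{"type":"image_load","image":"C:\\Users\\a\\Downloads\\kugou.dll"}',
    r'{"type":"file_create","path":"C:\\ProgramData\\Technology360NB\\DataTechnology.exe"}',
    r'{"type":"registry_set","target":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Lite360"}',
    r'{"type":"network_connect","dst_ip":"172.81.60.97","dst_port":443}',
    r'{"type":"network_connect","dst_ip":"93.184.216.34","dst_port":443}',
    r'{"type":"image_load","image":"C:\\Program Files\\KuGou\\kugou.dll"}',
]

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(hits)}")
```

Lines 6 and 7 of the sample are benign controls: an unrelated HTTPS connection and kugou.dll loaded from its normal install location produce no hits.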
This campaign follows a well-established pattern of exploiting major world events for malicious purposes.
Similar tactics have been observed in campaigns related to the Ukraine war, with threat actors using prisoner-of-war references in phishing emails.
The Chinese threat group Mustang Panda has repeatedly employed comparable techniques, using lures about Ukraine, Tibet conventions, the South China Sea, and Taiwan to deploy backdoors.
While the tactics, techniques, and procedures show similarities to Mustang Panda operations, researchers emphasize there is insufficient evidence to attribute this campaign to a specific threat group definitively.
Organizations and users are strongly advised to exercise caution when opening email attachments, particularly those referencing current events.
Indicators of Compromise (IoCs)
- 172.81.60[.]97
- 8f81ce8ca6cdbc7d7eb10f4da5f470c6 – US now deciding what’s next for Venezuela.zip
- 722bcd4b14aac3395f8a073050b9a578 – Maduro to be taken to New York.exe
- aea6f6edbbbb0ab0f22568dcb503d731 – kugou.dll
