Email Filters Defeated by Polyglot File Trick Used in Malware Campaigns


Attackers are increasingly using advanced disguising techniques, such as polyglot files, to get around email filters and successfully deliver phishing payloads in the constantly changing landscape of cyber threats.

These polyglot files, which can be interpreted as multiple file formats simultaneously, allow malicious content to evade detection by appearing benign to security scanners.

This shift marks a departure from traditional malicious document distribution, with adversaries favoring alternative formats like Windows shortcut (LNK) files for their stealth and execution efficiency.

Concurrently, hacktivist groups are pivoting from ideological campaigns toward more conventional illicit pursuits, including espionage and financial exploitation, while integrating advanced tools and methodologies to enhance their operational sophistication.

Evolving Tactics in Phishing

A recent campaign exemplifies these tactics, where adversaries leveraged compromised organizational email addresses to disseminate phishing messages.

Phishing email

These emails featured subject lines mimicking legitimate business documents, such as “Транспортная накладная ТТН № 391-44 от 26.06.2025” (Waybill WB No. 391-44 dated June 26, 2025) and “Договор РН83-371” (Contract RN83-371).

Attached were .zip polyglot files, which doubled as PE32+ dynamic link libraries (DLLs).

These polyglots concealed a decoy document and an embedded ZIP archive containing an LNK file.

Upon execution, the LNK file initiates a sequence to locate the polyglot file first in the current directory, then recursively in the %USERPROFILE% and %TEMP% directories.

It then invokes the polyglot via rundll32.exe, targeting the exported EntryPoint function.

Subsequently, it extracts a decoy file by reading specific byte offsets (e.g., skipping 1,107,968 bytes and taking the next 3,280,549 bytes) and saves it to %TEMP%, before opening it using cmd /c start to maintain the illusion of legitimacy.

An example command from a sample LNK file, such as “Договор_РН83_37_изменения.pdf.lnk,” employs PowerShell to handle path resolution, execution, and decoy extraction, ensuring hidden operation with parameters like -WindowStyle hidden.
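The ZIP/DLL polyglot described above works because a PE loader reads the file from its MZ header at offset 0 while a ZIP parser locates the archive from the end-of-central-directory record at the tail, so one file satisfies both. The following scanner is an added example for email-gateway or sandbox triage, not code from the report; it builds a constructed sample (a minimal fake PE stub with a ZIP appended, not real malware) and flags any file that parses as both formats, listing any .lnk members inside.

```python
import io
import struct
import zipfile

def build_sample_polyglot() -> bytes:
    """Constructed sample (not a real malware file): a minimal MZ/PE header
    followed by a ZIP archive holding a decoy and an .lnk member."""
    stub = bytearray(b"MZ" + b"\x00" * 62)        # 64-byte DOS header
    struct.pack_into("<I", stub, 0x3C, 0x40)       # e_lfanew -> PE header at 0x40
    stub += b"PE\x00\x00" + b"\x64\x86"            # PE signature, Machine = AMD64
    stub += b"\x00" * 58                            # rest of a (fake) COFF header area
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("decoy.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Contract.pdf.lnk", b"L\x00\x00\x00")  # LNK HeaderSize magic
    return bytes(stub) + buf.getvalue()

def looks_like_pe(data: bytes) -> bool:
    """True if the file starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def zip_members(data: bytes):
    """ZIP parsers locate the archive from its trailing end-of-central-directory
    record, so a ZIP appended after a PE image still opens; returns member names
    or None when no valid archive is found."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None

def scan(data: bytes) -> dict:
    """Flag a file that parses as both PE and ZIP, and note any LNK members inside."""
    pe = looks_like_pe(data)
    members = zip_members(data)
    return {
        "pe": pe,
        "zip": members is not None,
        "polyglot": pe and members is not None,
        "lnk_members": [m for m in (members or []) if m.lower().endswith(".lnk")],
    }

if __name__ == "__main__":
    print(scan(build_sample_polyglot()))
```

A gateway rule can treat `polyglot` being true on an attachment named .zip as a block or quarantine condition regardless of the archive's contents.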

PhantomRemote Backdoor

At the core of this malware delivery is the PhantomRemote backdoor, a PE32+ DLL developed in C++ that embeds its malicious logic within the DllMain function.

The EntryPoint export includes a check on a global variable; if set to 1, it enters an infinite loop with 5-second Sleep() calls to potentially evade analysis.

PhantomRemote begins by gathering system intelligence: it generates a GUID via CoCreateGuid() (defaulting to “UNKNOWN” on failure), retrieves the computer name using GetComputerNameW(), and obtains the domain via GetComputerNameExW(ComputerNameDnsDomain).

It establishes a working directory in %PROGRAMDATA%, named either “YandexCloud” or “MicrosoftAppStore” across samples, for storing downloaded files.

Communication with the command-and-control (C2) server occurs over HTTP, initiating with a GET request to URLs like “91.239.148[.]21/poll?id=&hostname=&domain=”, transmitting collected data under User-Agent headers such as “YandexCloud/1.0” or “MicrosoftAppStore/2001.0.”

The backdoor processes commands in formats like “cmd:|” for executing shell commands via cmd.exe (with output piped from stdout and stderr, sometimes using Unicode encoding via /u and chcp 65001), or “download:|” to fetch files using WinHTTP.dll functions, saving them to the working directory.

Post-execution, responses are sent via POST to “/result” endpoints, detailing success or failure (e.g., “Download successful: %PROGRAMDATA%\YandexCloud” or “Download failed”).

Between cycles, the malware sleeps for 10 seconds on success or 1 second on failure, maintaining persistence and low visibility.

According to the report, this backdoor’s modular design enables loading additional executables from C2, amplifying threats like data exfiltration or lateral movement.

These campaigns underscore the need for enhanced email gateway protections against polyglot anomalies and behavioral analysis for LNK-induced executions.

Security teams should monitor for anomalous DLL loads via rundll32 and HTTP traffic with specific User-Agents.
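Turning the monitoring advice above and the C2 protocol details (the GET poll beacon with id/hostname/domain parameters, the POST to /result, the two User-Agents, and rundll32 invoking an EntryPoint export from a .zip) into detection logic, as an added example that is not code from the report. The JSON event lines are constructed sample telemetry in an assumed format (process-creation and web-proxy events), not real logs.

```python
import json
import re

SUSPECT_UAS = {"YandexCloud/1.0", "MicrosoftAppStore/2001.0"}  # UAs named above
POLL_RE = re.compile(r"^/poll\?id=[^&]*&hostname=[^&]*&domain=", re.I)
# rundll32 <module>,<export>: capture the module path and the export name
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\",]+?)\"?\s*,\s*(\w+)", re.I)

def check_process(ev: dict) -> list:
    """Flag rundll32 loading a non-.dll module and/or calling an EntryPoint export."""
    hits = []
    m = RUNDLL_RE.search(ev.get("cmdline", ""))
    if not m:
        return hits
    module, export = m.group(1), m.group(2)
    if not module.lower().endswith(".dll"):
        hits.append(f"rundll32 loading non-DLL module: {module}")
    if export == "EntryPoint":
        hits.append("rundll32 invoking EntryPoint export")
    return hits

def check_http(ev: dict) -> list:
    """Flag the backdoor's User-Agents, its GET poll beacon and its POST /result upload."""
    hits, ua, path = [], ev.get("ua", ""), ev.get("path", "")
    if ua in SUSPECT_UAS:
        hits.append(f"PhantomRemote User-Agent: {ua}")
    if ev.get("method") == "GET" and POLL_RE.match(path):
        hits.append("PhantomRemote poll beacon (id/hostname/domain)")
    if ev.get("method") == "POST" and path == "/result" and ua in SUSPECT_UAS:
        hits.append("PhantomRemote result upload")
    return hits

def scan_events(lines) -> list:
    """Return (line_no, finding) pairs for a sequence of JSON event lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = json.loads(line)
        hits = check_process(ev) if ev.get("type") == "process" else check_http(ev)
        findings.extend((n, h) for h in hits)
    return findings

# Constructed sample telemetry (process-creation and web-proxy events), not real logs.
SAMPLE_EVENTS = [
    r'{"type":"process","cmdline":"rundll32.exe C:\\Users\\u\\Downloads\\Договор_РН83_37_изменения.zip,EntryPoint"}',
    r'{"type":"http","method":"GET","host":"91.239.148.21","path":"/poll?id=3f2a&hostname=WS01&domain=corp.local","ua":"YandexCloud/1.0"}',
    r'{"type":"http","method":"POST","host":"91.239.148.21","path":"/result","ua":"MicrosoftAppStore/2001.0"}',
    r'{"type":"http","method":"GET","host":"updates.example.com","path":"/poll?id=1","ua":"Mozilla/5.0"}',
    r'{"type":"process","cmdline":"rundll32.exe shell32.dll,Control_RunDLL"}',
]
```

Running `scan_events(SAMPLE_EVENTS)` yields six findings on the first three events and none on the benign poll request or the legitimate shell32.dll rundll32 call.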

Indicators of Compromise (IOCs)

