In recent weeks, security teams worldwide have observed a surge in covert operations orchestrated by a clandestine group known colloquially as the “Chinese Nexus” APT.
This actor has been tailoring highly targeted campaigns against organizations in the finance, telecommunication, and manufacturing sectors, exploiting spear-phishing emails and compromised VPN credentials to gain initial footholds.
Victims report receiving seemingly innocuous industry whitepapers with weaponized macros that, once enabled, unleash a payload designed to deliver the NET-STAR malware suite.
Early telemetry indicates that these lures have achieved a success rate of approximately 30 percent against high-value targets.
Following intrusion, the attackers employ living-off-the-land techniques, invoking Windows PowerShell to execute obfuscated scripts directly in memory.
Palo Alto Networks researchers identified that the initial PowerShell stager decodes a Base64 string, reconstructs a .NET binary, and then dynamically injects it into a legitimate process such as explorer.exe or svchost.exe to evade detection.
This process unfolds within seconds of macro activation, leaving scant forensic artifacts on disk. The stealthy nature of the loader has complicated triage efforts, allowing the adversary to proceed to reconnaissance and lateral movement undetected.
Once deployed, NET-STAR exhibits a modular design composed of three primary components: the loader, the backdoor, and the command-and-control (C2) communication module.
The loader’s primary responsibility is to decrypt and load the backdoor payload into memory. The backdoor itself provides a robust set of remote administration capabilities, including file transfer, process manipulation, and registry modification.
Finally, the C2 module establishes an encrypted HTTPS tunnel to a rotating list of compromised web servers.
Analysts observed that each communication session employs a custom framing protocol with 256-bit AES encryption, thwarting standard network-based intrusion detection systems.
In its initial wave of infections, NET-STAR has been linked to exfiltration of proprietary data, ranging from financial records to intellectual property.
Impact assessments indicate that the adversary’s goal extends beyond espionage, aiming to position implants for future sabotage or secondary payload deployment.
Incident responders have noted indicators of credential harvesting via in-memory Mimikatz execution, followed by lateral movement through SMB and RDP channels.
Affected organizations have reported operational disruption and data loss, underscoring the criticality of rapid detection and containment measures.
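The credential-harvesting and SMB/RDP lateral-movement pattern described above leaves a recognisable trace in Windows Security logging: one source address beginning to authenticate to many hosts in a short burst, often under an account that did not log on from that machine before. The script below is an added illustration for defenders, not code from the article or from Palo Alto Networks. It runs a simple fan-out heuristic over constructed 4624 (successful logon) records reduced to the fields the heuristic needs; the logon-type meanings (3 = network, the type SMB share access produces; 10 = RemoteInteractive, i.e. RDP) are standard Windows values, while the hostnames, addresses, accounts, timestamps and the ten-minute / three-host thresholds are assumptions chosen for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NETWORK_LOGON = 3        # type 3: network logon, e.g. SMB share or named-pipe access
REMOTE_INTERACTIVE = 10  # type 10: RemoteInteractive, i.e. an RDP session

# Constructed sample 4624 records: (time, account, source_ip, target_host, logon_type).
# The 13:02-13:04 burst from 10.20.1.15 under a second account mimics the post-Mimikatz
# SMB/RDP movement the article describes; the other rows are ordinary activity.
SAMPLE_LOGONS = [
    ("2024-05-14T08:55:00", "j.doe",      "10.20.1.15", "WS-0015", 2),   # console logon, ignored
    ("2024-05-14T09:00:05", "j.doe",      "10.20.1.15", "FS01",    3),   # routine file-share use
    ("2024-05-14T09:41:00", "j.doe",      "10.20.1.15", "FS01",    3),
    ("2024-05-14T13:02:11", "svc_backup", "10.20.1.15", "WS-0142", 3),   # burst begins
    ("2024-05-14T13:02:40", "svc_backup", "10.20.1.15", "WS-0143", 3),
    ("2024-05-14T13:03:05", "svc_backup", "10.20.1.15", "WS-0150", 3),
    ("2024-05-14T13:04:30", "svc_backup", "10.20.1.15", "DC01",    10),  # RDP to a domain controller
    ("2024-05-14T15:30:00", "a.smith",    "10.20.1.40", "FS01",    3),
]


def parse_logons(rows):
    """Turn the constructed tuples into dicts with real datetimes, sorted by time."""
    parsed = [
        {"time": datetime.fromisoformat(t), "account": a, "source_ip": s,
         "target_host": h, "logon_type": lt}
        for (t, a, s, h, lt) in rows
    ]
    return sorted(parsed, key=lambda r: r["time"])


def detect_fan_out(rows, window=timedelta(minutes=10), min_targets=3):
    """Flag any source address that reaches >= min_targets distinct hosts over SMB/RDP within `window`."""
    by_source = defaultdict(list)
    for rec in parse_logons(rows):
        if rec["logon_type"] in (NETWORK_LOGON, REMOTE_INTERACTIVE):
            by_source[rec["source_ip"]].append(rec)

    alerts = []
    for source_ip, recs in by_source.items():
        i = 0
        while i < len(recs):
            # Extend j to cover every logon within `window` of the one at i.
            j = i
            while j < len(recs) and recs[j]["time"] - recs[i]["time"] <= window:
                j += 1
            span = recs[i:j]
            targets = {r["target_host"] for r in span}
            if len(targets) >= min_targets:
                alerts.append({
                    "source_ip": source_ip,
                    "accounts": sorted({r["account"] for r in span}),
                    "distinct_targets": len(targets),
                    "targets": sorted(targets),
                    "rdp_seen": any(r["logon_type"] == REMOTE_INTERACTIVE for r in span),
                    "first": span[0]["time"].isoformat(),
                    "last": span[-1]["time"].isoformat(),
                })
                i = j  # the burst has been reported; do not re-report it from later start points
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(SAMPLE_LOGONS):
        print(alert)
```

Keying on the source address rather than the account is deliberate: once credentials have been dumped from memory the attacker can switch accounts freely, but the burst still originates from the host they already control. In production the thresholds need tuning against known jump hosts and backup servers, which legitimately fan out.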
Infection Mechanism
A deep dive into NET-STAR’s infection mechanism reveals a sophisticated multi-stage process that begins with a malicious Word document. The embedded VBA macro (see Figure 1: “macro_decoder.png”) hands off to the following PowerShell stager:
$enc = "U3lzdGVtLkNvbnZlcnQuQ29tcHJlc3Npb24="                # Base64-encoded .NET assembly
$bytes = [Convert]::FromBase64String($enc)                   # decode it to a byte array in memory
$asm = [Reflection.Assembly]::Load($bytes)                   # load the assembly from bytes, never from disk
$method = $asm.GetType("Loader.Main").GetMethod("Execute")   # look up the entry point by reflection
$method.Invoke($null,$null)                                  # run it
This code decodes a Base64-encoded .NET assembly and invokes its entry point entirely in memory, leaving no executable on disk.
Palo Alto Networks analysts noted that the loader further employs control-flow flattening, obfuscating the assembly’s intermediate language to resist decompilation and defeat signature-based detection.
Once loaded into a trusted process, the backdoor receives a second stage payload via HTTPS from the C2, completing the infection and solidifying persistence.
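Because the stager decodes, loads and invokes the assembly without ever writing it to disk, file-based antivirus sees nothing; the place it does leave a record is PowerShell script block logging (event 4104), which captures the script text regardless of how it was encoded. The detector below is an added example written for this article, not code from the article or from Palo Alto Networks. It scores constructed 4104 script-block payloads on the three operations the snippet above combines (FromBase64String, Reflection.Assembly::Load, and GetMethod/Invoke) and additionally decodes any quoted Base64 literal to check for an embedded PE header. The sample records, the fake assembly bytes and the two-indicator threshold are assumptions made for the example.

```python
import base64
import re

# Signals that, taken together, characterise the in-memory .NET stager described above:
# a Base64 literal is decoded, handed to Reflection.Assembly::Load and then invoked via reflection.
INDICATORS = {
    "base64_decode": re.compile(r"FromBase64String\s*\(", re.IGNORECASE),
    "reflective_load": re.compile(
        r"\[\s*(?:System\.)?Reflection\.Assembly\s*\]\s*::\s*Load\s*\(", re.IGNORECASE),
    "reflective_invoke": re.compile(r"\.GetMethod\s*\(|\.Invoke\s*\(", re.IGNORECASE),
}
# A quoted Base64 literal long enough to be worth decoding.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


def embedded_pe_literals(text):
    """Return the decoded bytes of every quoted Base64 literal that starts with the 'MZ' PE header."""
    hits = []
    for literal in B64_LITERAL.findall(text):
        try:
            decoded = base64.b64decode(literal, validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad length or padding
            continue
        if decoded[:2] == b"MZ":
            hits.append(decoded)
    return hits


def analyse_script_block(record_id, text):
    """Score one 4104 script-block payload; the combination of indicators is the signal."""
    indicators = sorted(name for name, pat in INDICATORS.items() if pat.search(text))
    pe = embedded_pe_literals(text)
    return {
        "record_id": record_id,
        "indicators": indicators,
        "embedded_pe": bool(pe),
        # A lone FromBase64String is common in benign scripts, so require two signals or a PE.
        "suspicious": bool(pe) or len(indicators) >= 2,
    }


def scan(records):
    """records: iterable of (record_id, script_text); returns only the suspicious results."""
    return [r for r in (analyse_script_block(i, t) for i, t in records) if r["suspicious"]]


# --- constructed sample script-block payloads, standing in for logged 4104 events ---
# Stand-in for a real assembly: a PE 'MZ' header followed by zero padding (constructed, not malware).
FAKE_PE_B64 = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()

BENIGN = (
    '$cfg = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($env:APP_CONFIG_B64))\n'
    'Write-Host "Loaded configuration with $($cfg.Length) characters"\n'
)
STAGER_WITH_PE = (
    f'$enc = "{FAKE_PE_B64}"\n'
    '$bytes = [Convert]::FromBase64String($enc)\n'
    '$asm = [System.Reflection.Assembly]::Load($bytes)\n'
    '$asm.GetType("Loader.Main").GetMethod("Execute").Invoke($null, $null)\n'
)
# The snippet quoted in the article; its literal decodes to text rather than a PE image.
ARTICLE_STAGER = (
    '$enc = "U3lzdGVtLkNvbnZlcnQuQ29tcHJlc3Npb24="\n'
    '$bytes = [Convert]::FromBase64String($enc)\n'
    '$asm = [Reflection.Assembly]::Load($bytes)\n'
    '$method = $asm.GetType("Loader.Main").GetMethod("Execute")\n'
    '$method.Invoke($null,$null)\n'
)
SAMPLE_RECORDS = [(1, BENIGN), (2, STAGER_WITH_PE), (3, ARTICLE_STAGER)]

if __name__ == "__main__":
    for result in scan(SAMPLE_RECORDS):
        print(result)
```

The benign record is not flagged even though it calls FromBase64String, while both stager variants are: the article's own snippet on the strength of all three indicators, and the PE-carrying variant additionally because the literal decodes to an MZ header. Script block logging has to be enabled for any of this to exist, which is the first control to verify in an environment facing this loader.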