A sophisticated vishing campaign has emerged that combines social engineering with legitimate Microsoft tools to establish command execution chains leading to multi-stage .NET malware deployment.
Security researchers have identified an attack flow that begins with impersonated IT personnel contacting victims via Microsoft Teams and culminates in fileless malware execution through memory-based reflection techniques.
The infection sequence begins via a social engineering vector in which threat actors impersonate Senior IT Staff by spoofing display names in Microsoft Teams call notifications.
Victims receive unexpected calls from what appears to be legitimate internal IT support personnel.
The attacker leverages a carefully crafted social engineering narrative to convince the victim to launch Windows Quick Assist a legitimate remote assistance tool built into Windows operating systems.
Once the victim launches Quick Assist, the attacker gains remote access under the guise of providing technical support.
Within approximately 10 minutes of establishing this foothold, the user is redirected to a malicious webpage hosted at ciscocyber[.]com/verify.php.
This stage represents a critical pivot point where the attacker transitions from social engineering to technical exploitation.
Malware Deployment and Execution
The redirection leads to the deployment of “updater.exe,” a trojanized executable disguised as a legitimate Windows systems updater.
This is where the attack becomes particularly insidious the executable is constructed as a .NET Core 8.0 wrapper containing an embedded loader component designed to execute without traditional disk-based persistence.
The loader.dll component orchestrates the multi-stage payload delivery mechanism. Upon execution, it establishes communication with the command-and-control infrastructure hosted at jysync[.]info to retrieve encryption keys.
This separated key management approach complicates detection and analysis efforts.
The loader then retrieves an encrypted payload from the same infrastructure and decrypts it using AES-CBC encryption combined with XOR obfuscation a dual-layering technique that provides an additional barrier against static analysis.
The final stage of the attack chain exploits .NET reflection capabilities to load the decrypted assembly directly into the running process memory without writing to disk.
This fileless execution methodology represents a significant evasion technique, as traditional endpoint detection systems that rely on file monitoring and disk-based indicators of compromise will not capture this activity.
The malware operates entirely within memory, executing arbitrary code with the privileges of the user who launched the initial Quick Assist session.
Security Implications
This campaign demonstrates a convergence of multiple attack vectors social engineering, abuse of legitimate administration tools, and advanced fileless execution techniques.
The use of commonly trusted applications like Microsoft Teams and Quick Assist significantly lowers user suspicion and bypasses many network-level security controls.
The .NET Core wrapper approach indicates the attackers possess development sophistication and understanding of modern application delivery mechanisms.
Organizations should implement email and communication monitoring systems to detect impersonation attempts, enforce strict remote assistance policies, and educate users on verifying the identity of IT support personnel before granting system access.
Endpoint detection and response solutions capable of monitoring .NET runtime activity and process memory injection patterns are essential for detecting this type of fileless malware execution in network environments.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.