Minerva Labs

Taurus Loader: User-Guided Infection

In recent months Minerva Labs researchers have seen a spike in events associated with Taurus loader. Its spreading method allows it to generate new samples and infect new devices continuously.

Sload Targeting Europe Again

Sload (aka Starslord loader) is one of the most dangerous types of malware in recent years. It usually functions as a downloader with an aim to assess the target and drop a more significant payload.

SystemBC Malware Hides Behind Socks5 Proxy

The injector used by the malware is also obfuscated with a compiler-based technique named control flow flattening, which modifies the normal flow of the program and makes static analysis impossible.

RedLine Stealer Masquerades as Telegram Installer

The .Net-based malware has recently been disguised as an installer of the popular secure messaging app, Telegram. Like most .Net malware, the fake setup file is packed and highly obfuscated.

Updated Hancitor Malware Slings Cobalt Strike

TA511 achieves initial access through a malicious Word document that drops a Hancitor sample as a DLL file and executes it using rundll32, a common Living Off the Land technique.

IcedID - A New Threat In Office Attachments

The specific Excel document used in the recent wave of attacks is using XLM macros to download and execute its payload. The latest update also saw a major change in its first stage loading mechanism.

Taurus Stealer's Evolution

The individuals developing this threat have been actively improving the evasiveness of their loader since February 2021, which in turn made their payloads fully undetectable for almost a month.

Defend Against Threats with Cyber Fusion

Cyware is the leading provider of cyber fusion solutions that power threat intelligence sharing, end-to-end automation and 360-degree threat response.
