The cybersecurity article details a wave of attacks by the **APT-C-06 (DarkHotel)** group observed in the latter half of 2025. This campaign is a continuation of earlier attacks by the same group, but with variations in the malware deployed and the infection vectors used.
**What Happened:**
The attackers are distributing malicious payloads disguised as legitimate software installers. These installers are delivered via USB drives. When executed, they release a loader script (`drivermon.ps1`) that, in turn, loads a shellcode. This shellcode then deploys a PE (Portable Executable) payload that is consistent with malware used in earlier 2025 attacks by the group. A key observation is that the `drivermon.ps1` script's subsequent stages were not observed in this particular campaign, unlike previous attacks.
**Who is Affected:**
The affected users are those who insert infected USB drives into their computers. The attackers appear to avoid deploying their payloads on systems that are either connected to remote desktop services or registered with Azure AD, suggesting a potential targeting of less "professional" or more general-use machines. The malicious installers observed include common software like TrueCrypt, SanDisk, WinRAR, Adobe Reader, and FlashFXP.
**Security Implications:**
The primary security implication is the **compromise of user systems through seemingly innocuous software installers**. The use of USB drives as an infection vector highlights the continued risk posed by removable media. The attackers' ability to evade detection by checking for antivirus software and their use of PowerShell for persistence mechanisms indicate a sophisticated approach to maintaining access and executing their malicious activities.
**Technical Details:**
- **Malicious Installers:** These are disguised as legitimate software. Their resource sections contain two types of data: `BIN_00`, which is the original installer, and `BIN_06` (or `BIN_03`), which decrypts into a shellcode payload. The malware's core function is to execute the legitimate installer while also loading the shellcode.
- **Execution Flow:** The malware releases the original installer with a leading underscore in its filename and sets it as hidden. The shellcode is not loaded if a `Global\TermSvrReadyMutex` lock (potentially indicating remote desktop services) or the `C:/ProgramData/Windows/IdentityCRL/Cert` path (potentially indicating Azure AD registration) is present.
- **Shellcode and PE Payload:** The shellcode loader is similar to DarkSeal components and is used for reflective loading of the PE payload. The PE payload checks for installed antivirus software, influencing subsequent actions.
- **Command and Control (C2):** A URL is constructed using system version and antivirus detection information, which is then used to populate a PowerShell script. This script's location and form vary depending on the presence of specific antivirus software (e.g., 360, Avast).
- **Persistence:** Scheduled tasks are created using PowerShell. The method of creation differs based on the presence of antivirus software, with COM interfaces or privilege escalation techniques being employed.
**What Defenders Should Know:**
- **USB Drive Security:** Implement strict policies and technical controls regarding the use of USB drives, including scanning for malware and potentially disabling their use on sensitive systems.
- **Phishing and Social Engineering Awareness:** Educate users about the risks of executing software from untrusted sources, especially those delivered via removable media or email attachments.
- **Endpoint Detection and Response (EDR):** Deploy and maintain robust EDR solutions capable of detecting suspicious PowerShell activity, shellcode execution, and unusual process behaviors.
- **Antivirus and Threat Intelligence:** Keep antivirus definitions up-to-date and leverage threat intelligence feeds to identify and block known indicators of compromise associated with APT-C-06 (DarkHotel).
- **Monitoring for Persistence Mechanisms:** Actively monitor for the creation of scheduled tasks and other persistence techniques, particularly those involving PowerShell.
- **Understanding Evasion Tactics:** Be aware that attackers may check for specific security software or system configurations to alter their behavior or avoid detection.
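The two host-side artefacts described in the execution-flow and persistence notes above (a hidden `_<installer>` copy written next to the running installer, and a scheduled task registered from PowerShell) can be turned into detection logic. The following is an added example, not code from the report or from the group's tooling; the event fields, sample paths and task names are constructed assumptions modelled loosely on Sysmon-style telemetry.

```python
import ntpath
import re
from dataclasses import dataclass

@dataclass
class Event:
    kind: str             # "file_create" or "process_create"
    image: str            # image path of the acting process
    target: str           # created file path, or command line for process_create
    hidden: bool = False  # hidden attribute set on the created file

def is_decoy_drop(ev: Event) -> bool:
    """Hidden copy '_<installer>' written by '<installer>' into the same directory."""
    if ev.kind != "file_create" or not ev.hidden:
        return False
    src_dir, src_name = ntpath.split(ev.image)
    dst_dir, dst_name = ntpath.split(ev.target)
    return (dst_name.startswith("_") and dst_name[1:].lower() == src_name.lower()
            and src_dir.lower() == dst_dir.lower())

# Cmdlet, schtasks.exe, or the Task Scheduler COM ProgID used via New-Object -ComObject.
TASK_RE = re.compile(r"Register-ScheduledTask|schtasks(\.exe)?\s+/create|Schedule\.Service", re.I)

def is_powershell_task(ev: Event) -> bool:
    """Scheduled task registered from a PowerShell process (cmdlet, schtasks or COM)."""
    if ev.kind != "process_create":
        return False
    exe = ntpath.basename(ev.image).lower()
    return exe in ("powershell.exe", "pwsh.exe") and bool(TASK_RE.search(ev.target))

def triage(events):
    """Return (rule, image, target) tuples for every event matching either rule."""
    alerts = []
    for ev in events:
        if is_decoy_drop(ev):
            alerts.append(("decoy_installer_drop", ev.image, ev.target))
        if is_powershell_task(ev):
            alerts.append(("powershell_scheduled_task", ev.image, ev.target))
    return alerts

# Constructed sample telemetry (assumed paths and names) for a stand-alone run.
SAMPLE = [
    Event("file_create", r"E:\WinRAR-setup.exe", r"E:\_WinRAR-setup.exe", hidden=True),
    Event("process_create", r"E:\WinRAR-setup.exe", r"E:\_WinRAR-setup.exe /S"),
    Event("process_create", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          'powershell -w hidden -c "Register-ScheduledTask -TaskName Upd -Action $a"'),
    Event("file_create", r"C:\Windows\explorer.exe", r"C:\Users\u\_draft.txt", hidden=True),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(*alert)
```

The fourth sample event shows why the decoy rule keys on the parent's own filename rather than on any hidden underscore-prefixed file: an ordinary hidden file dropped by explorer.exe does not fire.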