In recent months, cybersecurity researchers have uncovered a sophisticated, Multi‑Stage Malware attack chain that delivers several high‑profile malware families—among them Agent Tesla variants, Remcos RAT, and XLoader. These campaigns demonstrate an evolving adversary playbook: rather than relying on one monolithic payload or a single exploit, attackers are increasingly assembling modular stages that hand off execution from one component to the next.
Saqib Khanzada of Palo Alto Networks’ Unit 42 notes that this layered approach “evades traditional sandboxes, bypasses signature‑based detection, and increases the likelihood of a successful compromise.” Attackers can adapt on the fly and frustrate analysis by stacking relatively simple stagers atop one another. Below, we break down each phase of this delivery chain and examine the technical mechanics and the defensive countermeasures organizations should employ.
Phase 1: Phishing Email and Archive Delivery
Deceptive Order‑Request Lure
The campaign starts with a socially engineered phishing email masquerading as an order confirmation or payment receipt. In December 2024, targets received messages claiming that a vendor had processed a payment, with an “order file” attached as a compressed 7‑zip archive. The email’s tone and subject line gave the illusion of routine business, prompting recipients to open the attachment without a second thought.
Embedded JavaScript Downloader
Inside the 7‑zip archive sits a single file with a double extension (its name begins with “invoice”), built to execute as a Windows Script Encoded (JSE) file. When the user launches it, the file decodes an embedded JavaScript payload whose sole job is to fetch a follow‑on PowerShell script from a remote command‑and‑control (C2) server. Because this initial script runs under the Windows Script Host (wscript.exe or cscript.exe), it seldom triggers alarms in environments tuned only for Office macros or binary exploits.
Phase 2: PowerShell Payload and Base64 Stager
Fetching the Next‑Stage Script
Once the JavaScript downloader retrieves the PowerShell script, the attack pivots into a more powerful runtime environment. PowerShell’s versatile .NET underpinnings make it an ideal conduit for obfuscated, in‑memory payloads. The downloaded script is heavily encoded, and layers of Base64 wrapping make simple signature matches ineffective.
Decoding and Execution in Temp
After decoding its embedded content, the PowerShell script writes a binary payload to the local %TEMP% directory. This file then executes under the context of the current user. By staging in the temporary directory, the attacker avoids dropping artifacts in well‑monitored paths like Program Files, further reducing forensic footprints. At this juncture, victims have unwittingly launched the “dropper” component, which branches into two distinct execution paths.
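An analyst-side helper for the layered Base64 wrapping described in this phase, added here as an example rather than code from the article or from Unit 42: it repeatedly decodes the first Base64 token that yields script text (trying UTF-16LE first, since that is what PowerShell's -EncodedCommand expects) and returns every layer. The nested sample is constructed around a harmless Write-Output command.

```python
import base64
import re

# Runs of 40+ Base64 alphabet characters; shorter runs are usually identifiers, not payloads.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _as_script_text(raw):
    """Accept decoded bytes only if they look like ASCII script text.

    UTF-16LE is tried first because that is what powershell -EncodedCommand
    expects; ASCII bytes misread as UTF-16LE come out non-ASCII and are rejected.
    """
    for encoding in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text.isascii() and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None


def peel_layers(script, max_depth=10):
    """Return [outer, ..., innermost] by decoding the first Base64 token that yields script text, layer by layer."""
    layers = [script]
    for _ in range(max_depth):
        inner = None
        for match in B64_TOKEN.finditer(layers[-1]):
            try:
                inner = _as_script_text(base64.b64decode(match.group(0), validate=True))
            except ValueError:  # bad padding or length: not a real Base64 token
                inner = None
            if inner:
                break
        if inner is None:
            return layers
        layers.append(inner)
    return layers


# Constructed sample: a harmless command wrapped the way the article describes
# (innermost script -> -EncodedCommand form -> outer Base64 decode-and-run wrapper).
INNERMOST = "Write-Output 'final stage'"
STAGE2 = "powershell.exe -NoProfile -EncodedCommand " + base64.b64encode(INNERMOST.encode("utf-16-le")).decode()
STAGE1 = ("IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
          + base64.b64encode(STAGE2.encode()).decode() + "')))")

if __name__ == "__main__":
    for depth, layer in enumerate(peel_layers(STAGE1)):
        print(f"layer {depth}: {layer[:60]}")
```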
Phase 3: Dual‑Path Dropper Design
.NET‑Based Dropper and Process Injection
In one branch, the dropper arrives as a .NET executable. Inside this file is an encrypted blob—often identified as an Agent Tesla variant (potentially Snake Keylogger or XLoader). Upon execution, the dropper decrypts the blob in memory and uses process hollowing or reflective injection to implant the malicious payload into a legitimate Windows process, such as RegAsm.exe. Because RegAsm.exe is a signed, trusted .NET utility, endpoint protections may trust its behavior, allowing the injected malware to bypass heuristic checks.
AutoIt‑Based Dropper for Added Obfuscation
Alternatively, the attacker may choose an AutoIt‑compiled executable as the intermediate dropper. AutoIt scripts are notoriously easy to obfuscate and can incorporate custom encryption routines. Once launched, the AutoIt stub extracts another encrypted payload, decodes it, and again uses process injection—this time targeting RegSvcs.exe. The result is the same: a fully functional Agent Tesla infection, but with an extra layer that complicates static and dynamic analysis.
Why Layered, Simple Stages Work
Rather than crafting one giant, polymorphic binary, the adversaries behind this campaign have shown that chaining together small, well‑understood techniques can be equally powerful. Each stage looks innocuous—or at least familiar—to many security tools:
- Email + Archive: Pedestrian phish tactic
- JavaScript Loader: Lightweight and often allowed
- PowerShell Decoder: Built‑in Windows component
- .NET/AutoIt Dropper: Trusted runtime environments
By stacking these moves, attackers gain resilience: if one stage is detected or blocked, alternative paths can still succeed. Khanzada says, “The attacker focuses on a multi‑layered attack chain rather than sophisticated obfuscation.”
Key Malware Families: Capabilities and Risks
Agent Tesla Variant
Agent Tesla is a .NET‑based info‑stealer that harvests credentials (browsers, mail clients, VPN tools) and logs keystrokes. Advanced variants today also include remote command execution and file exfiltration modules. Once injected into a trusted process, Agent Tesla maintains persistence by creating scheduled tasks or registry run keys.
Remcos RAT
Remcos (Remote Control and Surveillance) RAT grants attackers full remote access. Its feature set includes live remote desktop viewing, system information gathering, audio/video capture, and arbitrary command execution. Remcos is popular on underground markets due to its user‑friendly builder interface.
XLoader
A successor to the infamous FormBook stealer, XLoader focuses on exfiltrating credentials, cookies, cryptocurrency wallets, and form data. It can also download additional modules on demand, making it a modular threat capable of changing its behavior post‑infection.
Case Study: IronHusky’s MysterySnail RAT Campaign
While the above campaign demonstrates one infection path, another high‑profile operation—attributed to the Chinese‑speaking IronHusky—targeted government organizations in Mongolia and Russia with a custom RAT dubbed MysterySnail.
IronHusky Background
Active since at least 2017 and first flagged by Kaspersky in late 2021, IronHusky has a track record of exploiting zero‑day and publicly known vulnerabilities. Their prior use of a Win32k privilege escalation (CVE‑2021‑40449) showcased their willingness to combine bespoke exploits with custom implants.
Malicious MMC Script Lure
In the MysterySnail campaign, attackers distributed a malicious Microsoft Management Console (MMC) script that impersonated a co‑financing letter from Mongolia’s National Land Agency. When opened, this script leveraged MMC’s script engine to download a ZIP archive containing:
- A benign executable: CiscoCollabHost.exe
- A malicious DLL: CiscoSparkLauncher.dll
- A decoy document (to maintain legitimacy)
While the lure document appears innocuous, the real action occurs when the benign executable loads the malicious DLL via DLL sideloading.
DLL Sideloading and Backdoor Deployment
The Piping‑Server Component
CiscoCollabHost.exe is hijacked to load CiscoSparkLauncher.dll, which embeds a lightweight backdoor based on the open‑source piping‑server project. This backdoor establishes a communication channel with the attacker’s C2 infrastructure, enabling:
- Remote shell execution
- File upload/download
- Directory enumeration
- Process creation and termination
Final RAT Stage: MysterySnail
Once the backdoor foothold is established, operators use it to sideload the complete MysterySnail RAT. The latest version of MysterySnail supports nearly 40 commands—ranging from advanced file management and service manipulation to modular network communications via dedicated DLL plugins.
MysteryMonoSnail: A “Lightweight” Revision
After initial detections and containment efforts, IronHusky pivoted to a scaled‑down variant named MysteryMonoSnail. This version pares down functionality to 13 essential commands: listing directories, writing files, launching shells, and spawning processes. By reducing its code footprint, MysteryMonoSnail evaded some heuristic signatures aimed at the more feature‑rich MysterySnail family.
Defending Against Multi‑Stage Attacks
Understanding the anatomy of these campaigns is the first step. Organizations should adopt a defense‑in‑depth strategy that addresses each stage:
Email Security and User Awareness
- Deploy advanced email filtering that scans inside compressed archives for executable scripts.
- Conduct regular phishing simulations and training to help employees spot payment confirmation and order‑request lures.
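An attachment-scanning check for the first bullet above, added as an example and not taken from the article or from any mail-filtering product. It flags archive members with directly executable extensions, the double-extension pattern (invoice.pdf.jse) used in the campaign, and the “#@~^” header that the Windows Script Encoder writes. The campaign used 7‑zip archives; this example assumes ZIP input so it runs with the standard library only, and its sample archive is constructed in memory.

```python
import io
import posixpath
import zipfile

# Extensions that Windows will execute directly, including the encoded JScript (.jse) used in the campaign.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd", ".exe", ".scr"}
# "Document" extensions placed before the real one so that invoice.pdf.jse reads as a PDF.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Files produced by the Windows Script Encoder start with this marker.
SCRIPT_ENCODER_MAGIC = b"#@~^"


def inspect_member(name, head):
    """Return findings for one archive member given its name and its first bytes."""
    parts = posixpath.basename(name).lower().split(".")
    findings = []
    if len(parts) >= 2 and "." + parts[-1] in SCRIPT_EXTENSIONS:
        findings.append("directly executable extension " + parts[-1])
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
            findings.append("double extension posing as " + parts[-2])
    if head.startswith(SCRIPT_ENCODER_MAGIC):
        findings.append("Windows Script Encoder header (encoded JScript/VBScript)")
    return findings


def scan_archive(data):
    """Map member name -> findings for every file in a ZIP held in memory."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            findings = inspect_member(info.filename, head)
            if findings:
                results[info.filename] = findings
    return results


def build_sample():
    """Constructed archive: one encoded-script member with a double extension plus one benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.jse", "#@~^constructed placeholder, not a real encoded script^#~@")
        zf.writestr("readme.txt", "constructed benign text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_archive(build_sample()).items():
        print(member, "->", "; ".join(findings))
```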
Endpoint Protection and Runtime Monitoring
- Enable script‑block policies in PowerShell (e.g., ConstrainedLanguage mode) to restrict unsigned or untrusted code execution.
- Monitor for anomalous parent‑child process relationships—such as wscript.exe spawning PowerShell or signed binaries running from %TEMP%.
Application Control and Process Integrity
- Whitelist approved applications and block uncommon executable paths.
- Use behavior‑based EDR to catch in‑memory code injections (e.g., RegAsm.exe or RegSvcs.exe spawning unknown threads).
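Detection logic for the runtime-monitoring and process-integrity bullets above, added as an example that is not from the article or from any EDR vendor: it evaluates Sysmon-style events (ID 1 process creation with Image/ParentImage, ID 8 CreateRemoteThread with SourceImage/TargetImage) for a script host spawning PowerShell, execution from a temp directory, and RegAsm.exe/RegSvcs.exe being launched from, or receiving a remote thread from, a temp-directory process. The event stream, paths and user name are constructed.

```python
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Signed .NET utilities the article names as injection targets.
TRUSTED_NET_UTILITIES = {"regasm.exe", "regsvcs.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def _name(path):
    return ntpath.basename(path).lower()


def _in_temp(path):
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def evaluate(event):
    """Return detection labels for one Sysmon-style event (ID 1 process create, ID 8 CreateRemoteThread)."""
    hits = []
    if event["EventID"] == 1:
        image, parent = event["Image"], event["ParentImage"]
        if _name(parent) in SCRIPT_HOSTS and _name(image) in SHELLS:
            hits.append("script host spawned PowerShell")
        if _in_temp(image):
            hits.append("process image executed from a temp directory")
        if _name(image) in TRUSTED_NET_UTILITIES and _in_temp(parent):
            hits.append("trusted .NET utility launched by a temp-directory parent")
    elif event["EventID"] == 8:
        if _name(event["TargetImage"]) in TRUSTED_NET_UTILITIES and _name(event["SourceImage"]) not in TRUSTED_NET_UTILITIES:
            hits.append("remote thread created inside trusted .NET utility")
    return hits


def scan(events):
    """Flatten hits over an event stream as (event index, label) pairs."""
    return [(i, label) for i, event in enumerate(events) for label in evaluate(event)]


# Constructed events mirroring the chain described in the article; paths and user name are made up.
TEMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
REGASM = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": "C:\\Windows\\System32\\wscript.exe"},
    {"EventID": 1, "Image": TEMP + "dropper.exe", "ParentImage": PS},
    {"EventID": 1, "Image": REGASM, "ParentImage": TEMP + "dropper.exe"},
    {"EventID": 8, "SourceImage": TEMP + "dropper.exe", "TargetImage": REGASM},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for index, label in scan(SAMPLE_EVENTS):
        print(f"event {index}: {label}")
```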
Network Segmentation and C2 Blocking
- Segment critical systems to limit lateral movement once an initial foothold occurs.
- Maintain up‑to‑date indicators of compromise (IoCs) and rigorously block known C2 domains and IPs at the firewall.
Conclusion: Multi‑Stage Malware
The campaigns outlined here—whether leveraging layered JavaScript/PowerShell stagers to deliver Agent Tesla, XLoader, and Remcos or deploying MysterySnail via malicious MMC scripts—highlight a clear trend: adversaries prefer agility and modularity over monolithic exploits. Defenders’ detection and response capabilities must be equally adaptable.
Organizations can interdict each stage of these attack chains by combining robust email hygiene, endpoint hardening, application allow‑listing, and vigilant network monitoring. Ultimately, the most vigorous defense is proactive: anticipate how attackers assemble and adapt their toolkits and build layered controls that leave them no easy path forward.
Sources: The Hacker News