Information-stealing malware disguised as a tax notice
2025-05-27 • Hauri • (Document No: DT-20250527-001)
https://download.hauri.net/DownSource/down/dwn_detail_down.html?uid=76
Hauri analyzed a tax-notice-themed LNK attack that launches mshta.exe to retrieve txjyh.hta from cdn.glitch.global and execute an information-stealing chain. The HTA displays a tax.pdf decoy and branches on Windows Defender status: on hosts where Defender is enabled it decodes zip.log into pipe.zip and runs obfuscated script malware, while on hosts where Defender is disabled it executes v3.hta and loads sys.dll through rundll32. The script branch registers C:\%localappdata%\pipe\1.vbs as WindowsSecurityCheck under HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence. The malware collects execution time, privileges, OS, CPU, disk, volume, network adapter and process data, recent files, browser cookies, credentials, bookmarks, documents, archives, images, email files, logs, and cryptocurrency wallet-related artifacts. Stolen data is compressed into init.zip or related log archives and sent to lntzz.hopto.org/service3 or qokfqb.freedynamicdns.org/service2; the malware also supports keylogging and executing additional payloads.
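As an added defender-side example (not part of the Hauri report), the following Python checks process-creation, registry and network log lines for the indicators described above and reports whether the chain was seen end to end. The `type|field|field` log format, the `<path>` placeholders and the sample lines are assumptions constructed for this example.

```python
import re

# Indicator patterns taken from the report summary; the 'type|field|field' log
# format and the sample lines below are constructed for this example only.
REMOTE_HTA_RE = re.compile(r"\bmshta(?:\.exe)?\b.*https?://\S+\.hta\b", re.I)
RUNDLL_SYSDLL_RE = re.compile(r"\brundll32(?:\.exe)?\b.*\bsys\.dll\b", re.I)
RUN_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsSecurityCheck"
C2_HOSTS = {"lntzz.hopto.org", "qokfqb.freedynamicdns.org"}

def classify(line):
    """Return the set of rule names that match one log line."""
    kind, *fields = line.strip().split("|")
    hits = set()
    if kind == "ProcessCreate" and len(fields) >= 2:
        cmd = fields[1]  # full command line of the new process
        if REMOTE_HTA_RE.search(cmd):
            hits.add("mshta_remote_hta")    # initial stage: mshta pulls a remote .hta
        if RUNDLL_SYSDLL_RE.search(cmd):
            hits.add("rundll32_sys_dll")    # Defender-disabled branch: sys.dll via rundll32
    elif kind == "RegistrySet" and len(fields) >= 2:
        key, data = fields[0], fields[1]
        if key.lower() == RUN_VALUE.lower() or data.lower().endswith(r"\pipe\1.vbs"):
            hits.add("run_key_persistence")  # script branch: 1.vbs registered as a Run value
    elif kind == "NetworkConnect" and len(fields) >= 2:
        if fields[1].lower() in C2_HOSTS:
            hits.add("known_c2_host")       # exfiltration host named in the report
    return hits

def scan(lines):
    """Map each matched rule to the 1-based line numbers that triggered it."""
    findings = {}
    for n, line in enumerate(lines, 1):
        for rule in classify(line):
            findings.setdefault(rule, []).append(n)
    return findings

def chain_observed(findings):
    """True when initial stage, persistence and C2 contact were all seen."""
    return {"mshta_remote_hta", "run_key_persistence", "known_c2_host"} <= set(findings)

# Constructed sample log; <path> stands in for values the report does not give.
SAMPLE_LOG = [
    r"ProcessCreate|C:\Windows\System32\mshta.exe|mshta https://cdn.glitch.global/<path>/txjyh.hta",
    r"ProcessCreate|C:\Windows\System32\notepad.exe|notepad C:\Users\user\notes.txt",
    r"RegistrySet|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsSecurityCheck|C:\%localappdata%\pipe\1.vbs",
    r"ProcessCreate|C:\Windows\System32\rundll32.exe|rundll32 C:\<path>\sys.dll",
    r"NetworkConnect|rundll32.exe|lntzz.hopto.org",
    r"NetworkConnect|chrome.exe|example.com",
]
```

Running `scan(SAMPLE_LOG)` flags lines 1, 3, 4 and 5 and `chain_observed` returns True; the benign notepad and chrome lines produce no hits.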