A newly uncovered malware campaign targeting both Windows and Linux systems has revealed advanced evasion and credential theft techniques, according to the Sysdig Threat Research Team (TRT).
The operation began with a malicious Python script uploaded via a misconfigured system, enabling the download of crypto-miners and the deployment of stealthy tools for evasion and data exfiltration.
This multi-platform attack employed distinct paths for Linux and Windows, adapting its strategy based on the target operating system.
On Windows, attackers used a Python function to install the Java Development Kit (JDK), which facilitated the execution of a Java Archive (JAR) file retrieved from a previously active command-and-control (C2) server. The JAR file application-ref.jar functioned as a loader, initiating a chain of malicious components.
Two files from the JAR’s resources, renamed INT_D.DAT and INT_J.DAT, were deployed to the victim’s machine. The malware then used a ProcessBuilder command with suspicious flags such as -noverify and -XX:+DisableAttachMechanism, commonly seen in malicious Java processes to avoid detection and disable debugging.
Read more on malware evasion techniques: CoffeeLoader Malware Loader Linked to SmokeLoader Operations
Among the most concerning payloads were multiple infostealers embedded within the final JAR.
These components performed:
-
Credential theft from Chrome extensions
-
Token harvesting from Discord via HTTP header inspection
-
Hardware and system reconnaissance using PowerShell and WebSockets
The attack also delivered a native DLL file, app_bound_decryptor.dll, which performed XOR encoding/decoding, manipulated Windows named pipes and included sandbox evasion checks like IsDebuggerPresent() and IsProcessorFeaturePresent.
Detection Challenges and Misconfiguration Risks
This campaign highlights two key issues: the ongoing risk posed by misconfigured systems, and the need for effective detection strategies.
In this case, an exposed web interface allowed remote attackers to upload and execute malicious scripts, opening the door to a broader compromise. Such oversights remain a common and preventable vector in many intrusions.
To detect threats of this nature, organizations should rely on a combination of behavior-based monitoring, anomaly detection and layered runtime security controls.
Techniques such as YARA scanning, process behavior analysis and DNS monitoring can help flag suspicious activity early.