Cyble Research and Intelligence Labs (CRIL) has identified a sophisticated malware loader attack targeting manufacturing and government organizations in Italy, Finland, and Saudi Arabia. The operation uses a commodity loader shared across multiple threat actors to exfiltrate sensitive industrial data and high-value credentials.
Advanced Delivery Methods
In this attack, adversaries distribute malware through phishing emails disguised as legitimate Purchase Order communications. Attached RAR or ZIP archives contain malicious JavaScript files, LNK shortcuts, or Office documents that exploit a known Microsoft Equation Editor vulnerability, CVE-2017-11882. Once opened, these files initiate a multi-stage infection process designed to evade traditional security tools.
The attack begins with an obfuscated JavaScript payload that launches a hidden PowerShell process through Windows Management Instrumentation. This script downloads an image file from Archive.org in which a malicious .NET assembly is concealed in the pixel data through steganography. The payload is extracted directly in memory, so no executable file is written to disk for conventional scanners to inspect.
In the next stage, a trojanized build of the open-source TaskScheduler library is loaded reflectively. This module retrieves encoded payloads, decodes them, and injects them into legitimate Windows processes such as RegAsm.exe through process hollowing. Because the malicious code then runs under a trusted system binary, it bypasses standard security protections that key on the executing image.
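The execution chain in the two paragraphs above (a script host launched from a downloaded attachment, a hidden PowerShell spawned through WMI, then a payload hollowed into RegAsm.exe) leaves a recognisable trail in process-creation telemetry. The following is an added example, not CRIL's tooling or anything from the report: it runs a few defender-side rules over constructed Sysmon Event ID 1-style records. The sample events, paths and the rule thresholds are assumptions made for the demo.

```python
"""Triage of process-creation telemetry for the execution chain described
above: a script host launched from a download, a hidden PowerShell started
via WMI, then a payload injected into RegAsm.exe. Added example, not CRIL's
tooling. Field names follow Sysmon Event ID 1; the events are constructed."""
import ntpath

POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = POWERSHELL | {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\")
HIDDEN_OR_ENCODED = ("-windowstyle hidden", "-w hidden", "-encodedcommand", "-enc ")

# Constructed sample events (not real telemetry). Events 1-3 model the
# infection chain; 4 and 5 are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\PO-4471.js"'},
    {"id": 2, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                    "-EncodedCommand SQBFAFgAIAAuAC4ALgA="},   # placeholder payload
    {"id": 3, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": "RegAsm.exe"},
    {"id": 4, "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"RegAsm.exe /codebase C:\build\MyComponent.dll"},
    {"id": 5, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
]


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def script_host_from_user_dir(ev: dict) -> bool:
    """wscript/cscript running a .js from a user-writable folder: the phishing attachment stage."""
    cl = ev["CommandLine"].lower()
    return (_name(ev["Image"]) in {"wscript.exe", "cscript.exe"}
            and ".js" in cl and any(d in cl for d in USER_WRITABLE_DIRS))


def powershell_from_wmi(ev: dict) -> bool:
    """PowerShell whose parent is the WMI provider host: Win32_Process.Create style launch."""
    return _name(ev["Image"]) in POWERSHELL and _name(ev["ParentImage"]) == "wmiprvse.exe"


def hidden_or_encoded_powershell(ev: dict) -> bool:
    """PowerShell asked to hide its window or run an encoded command."""
    cl = ev["CommandLine"].lower()
    return _name(ev["Image"]) in POWERSHELL and any(f in cl for f in HIDDEN_OR_ENCODED)


def regasm_injection_candidate(ev: dict) -> bool:
    """RegAsm.exe started by a script host, or with no assembly to register.

    Legitimate RegAsm invocations carry an assembly path; a bare RegAsm.exe
    spawned by PowerShell is the process-hollowing pattern described above."""
    if _name(ev["Image"]) != "regasm.exe":
        return False
    from_script_host = _name(ev["ParentImage"]) in SCRIPT_HOSTS
    no_assembly_argument = len(ev["CommandLine"].split()) <= 1
    return from_script_host or no_assembly_argument


RULES = [
    ("script_host_from_user_dir", script_host_from_user_dir),
    ("powershell_from_wmi", powershell_from_wmi),
    ("hidden_or_encoded_powershell", hidden_or_encoded_powershell),
    ("regasm_injection_candidate", regasm_injection_candidate),
]


def triage(events: list) -> dict:
    """Map event id -> list of rule names that fired (events with no hits are omitted)."""
    findings = {}
    for ev in events:
        hits = [name for name, rule in RULES if rule(ev)]
        if hits:
            findings[ev["id"]] = hits
    return findings


if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
```

The three chain events each trigger a rule while the developer's RegAsm call and the browser launch stay silent; in production the same rules are better expressed in the EDR's own query language, with the parent/child relation of events 2 and 3 correlated by process GUID rather than matched one event at a time.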
Stealthy Execution and Credential Theft
The final payload analyzed by CRIL includes the PureLog Stealer, a tool designed to harvest browser credentials, cryptocurrency wallet data, VPN configuration files, and email client information. Stolen data is transmitted to the attackers’ command-and-control server.
Researchers also discovered a novel User Account Control bypass technique. The malware monitors system processes and triggers a UAC prompt during legitimate application launches, tricking users into granting elevated privileges. This highlights the threat’s advanced evasion capabilities.
CRIL noted that identical loader artifacts appear across multiple campaigns, suggesting the use of shared infrastructure or a malware-as-a-service model. Similar loader characteristics have been observed by other security firms, including Seqrite, Nextron Systems, and Zscaler, across RATs and information stealers such as PureLog, Katz Stealer, DC Rat, Async Rat, and Remcos.
Recommendations for Organizations
CRIL urges organizations, particularly in the manufacturing and industrial sectors, to strengthen email security and implement controls to limit script execution. Endpoint detection and response solutions capable of identifying memory-based threats are recommended.
Organizations are also advised to examine image files from untrusted sources for hidden data, as attackers increasingly use steganography to conceal malicious payloads. Awareness training for employees on phishing tactics and unusual system prompts can further reduce the risk of compromise.
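The recommendation to inspect images from untrusted sources follows directly from the steganographic stage described earlier, where a .NET assembly was hidden in an image's pixel data. Below is an added example (not CRIL's code and not derived from the report) of what such an inspection can look like: it reads the pixel buffer of an uncompressed BMP, validates any DOS header whose e_lfanew field points at a real "PE\0\0" signature, looks for strings every .NET assembly carries, and measures byte entropy. The BMP reader/writer, the 7.5 bits-per-byte threshold and the embedded stub (header markers only, not an executable) are assumptions constructed for the demo; real samples in PNG or JPEG would need a decoder such as Pillow in place of the BMP helper.

```python
"""Scan an image's pixel data for an embedded Windows executable (.NET
assembly), the concealment technique described above. Added example, not
CRIL's tooling. Uses a minimal 24-bit BMP reader/writer so it runs offline."""
import math
import struct

# Strings present in practically every .NET assembly (CLR entry points and metadata stream).
DOTNET_MARKERS = (b"mscoree.dll", b"_CorExeMain", b"_CorDllMain", b"#Strings")
ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed cut-off, natural images rarely reach it


def bmp_pixels(data: bytes) -> bytes:
    """Raw pixel bytes of a BMP: everything from the pixel-array offset in the file header."""
    if data[:2] != b"BM":
        raise ValueError("not a BMP file")
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    return data[pixel_offset:]


def find_pe_headers(buf: bytes) -> list:
    """Offsets of 'MZ' whose e_lfanew (DOS header +0x3C) points at a 'PE\\0\\0' signature.

    Checking the pointer rather than the bare two bytes keeps random 'MZ'
    pairs in ordinary pixel data from counting as hits."""
    found, start = [], 0
    while True:
        off = buf.find(b"MZ", start)
        if off == -1 or off + 0x40 > len(buf):
            break
        e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
        sig = off + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and buf[sig:sig + 4] == b"PE\x00\x00":
            found.append(off)
        start = off + 1
    return found


def find_dotnet_markers(buf: bytes) -> list:
    return [(m.decode("ascii"), buf.find(m)) for m in DOTNET_MARKERS if m in buf]


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_image(data: bytes) -> dict:
    """Verdict for one BMP: PE headers, .NET strings and entropy of the pixel buffer."""
    pixels = bmp_pixels(data)
    pe_headers = find_pe_headers(pixels)
    dotnet = find_dotnet_markers(pixels)
    entropy = round(shannon_entropy(pixels), 2)
    return {"pe_headers": pe_headers, "dotnet_markers": dotnet, "entropy": entropy,
            "suspicious": bool(pe_headers or dotnet) or entropy > ENTROPY_THRESHOLD}


def make_bmp(pixels: bytes, width: int, height: int) -> bytes:
    """Minimal 24-bit BMP writer (row length must already be a multiple of 4)."""
    file_header = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             len(pixels), 2835, 2835, 0, 0)
    return file_header + dib_header + pixels


def constructed_pe_stub() -> bytes:
    """Constructed header markers only (MZ, e_lfanew, DOS message, PE signature,
    one CLR string). This is not an executable and cannot run."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> "PE\0\0" right after the header
    msg = b"This program cannot be run in DOS mode"
    dos[0x40:0x40 + len(msg)] = msg
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20 + b"mscoree.dll\x00"


# Constructed samples: a 4x100 low-entropy "image" and the same image with the stub written into its pixels.
_BENIGN_PIXELS = bytes((i % 12) * 20 for i in range(4 * 3 * 100))
_TAINTED_PIXELS = bytearray(_BENIGN_PIXELS)
_TAINTED_PIXELS[300:300 + len(constructed_pe_stub())] = constructed_pe_stub()
SAMPLE_BENIGN_BMP = make_bmp(_BENIGN_PIXELS, 4, 100)
SAMPLE_TAINTED_BMP = make_bmp(bytes(_TAINTED_PIXELS), 4, 100)

if __name__ == "__main__":
    print("benign :", scan_image(SAMPLE_BENIGN_BMP))
    print("tainted:", scan_image(SAMPLE_TAINTED_BMP))
```

The benign sample passes on all three checks; the tainted one is caught by the validated PE header at pixel offset 300 and by the CLR string, even though its entropy stays low because the stub is tiny. An adversary who encrypts or compresses the embedded assembly defeats the string checks, which is why the entropy measure is kept alongside them rather than replaced by them.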
The campaign underscores the growing sophistication of cyber threats targeting industrial environments. Companies must adopt multi-layered cybersecurity measures and remain vigilant to prevent credential theft, unauthorized access, and operational disruptions.
With threat actors leveraging shared tools and advanced evasion methods, proactive security measures and rapid threat detection are critical to protecting sensitive data and maintaining operational continuity in vulnerable sectors, especially against loader campaigns like the one CRIL describes.