“The PowerShell executes the binary VBoxSVC.exe that will side load from the current directory the malicious DLL libcurl.dll,” Desimone said. “By minimizing the on-disk footprint of encrypted malicious code, the threat actor is able to evade file-based AV and ML scanning.”

The tampered DLL then parses handoff.wav, which carries an encrypted payload. That payload is decoded and executed via mshtml.dll, a method known as module stomping, to ultimately load GHOSTPULSE.

GHOSTPULSE acts as a loader, employing another technique known as process doppelgänging to kick-start the execution of the final malware, which includes SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.
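For defenders, the side-loading step Desimone describes (VBoxSVC.exe loading libcurl.dll from its own directory) is visible in image-load telemetry. The following is an added example, not code from Elastic or the original article: it filters Sysmon Event ID 7 records already parsed into dicts, and the expected install directory, the function names and the sample events are assumptions constructed for illustration. It does not cover the module stomping or process doppelgänging stages.

```python
import ntpath

# Assumption: directory where a legitimately installed VBoxSVC.exe lives.
EXPECTED_DIRS = {r"c:\program files\oracle\virtualbox"}
# Host binary -> DLL names of interest (the pair named in the article).
WATCHED = {"vboxsvc.exe": {"libcurl.dll"}}

def is_sideload(event):
    """True if a Sysmon image-load (Event ID 7) record fits the side-loading pattern."""
    if event.get("EventID") != 7:
        return False
    proc_dir, proc_name = ntpath.split(event["Image"].lower())
    dll_dir, dll_name = ntpath.split(event["ImageLoaded"].lower())
    if dll_name not in WATCHED.get(proc_name, set()):
        return False
    # The DLL was resolved from the directory the host binary runs in.
    same_dir = proc_dir == dll_dir
    # The host binary was copied somewhere it is not normally installed.
    unexpected_location = proc_dir not in EXPECTED_DIRS
    # The loaded DLL does not carry a valid signature.
    untrusted = (event.get("Signed", "false").lower() != "true"
                 or event.get("SignatureStatus") != "Valid")
    return same_dir and (unexpected_location or untrusted)

def find_sideloads(events):
    """Return the events that should be escalated for review."""
    return [e for e in events if is_sideload(e)]

# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"EventID": 7,
     "Image": r"C:\Users\alice\AppData\Local\Temp\pkg\VBoxSVC.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\pkg\libcurl.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7,
     "Image": r"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe",
     "ImageLoaded": r"C:\Program Files\Oracle\VirtualBox\libcurl.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("possible side-load:", hit["Image"], "->", hit["ImageLoaded"])
```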