Infection chain | Image: CRIL
A highly sophisticated cyber-espionage campaign is indiscriminately targeting the manufacturing and government sectors across Europe and the Middle East, using a “Swiss Army Knife” style loader to deploy a variety of remote access trojans (RATs). A new report by Cyble Research and Intelligence Labs (CRIL) details how threat actors are weaponizing legitimate open-source libraries and using clever steganography to slip past defenses.
The campaign, which exhibits a “high degree of regional and sectoral specificity,” has focused its crosshairs primarily on organizations in Italy, Finland, and Saudi Arabia.
While the attacks use various entry points—ranging from weaponized Office documents to malicious SVG files—they all funnel into a single, dangerous choke point: a “unified commodity loader”.
This loader acts as a universal adapter for cybercriminals, capable of delivering a buffet of malware including PureLog Stealer, Katz Stealer, DC Rat, Async Rat, and Remcos.
“Our research confirms that identical loader artifacts and execution patterns link this campaign to a broader infrastructure shared across multiple threat actors,” the report states. This suggests the loader is likely being sold or shared as a service in the cybercriminal underground.
The attackers have gone to great lengths to minimize their forensic footprint, employing a “four-stage evasion pipeline” designed to baffle security tools. Central to this strategy is the use of steganography—the art of hiding malicious code inside seemingly harmless image files hosted on legitimate platforms like Archive.org.
“These images contain steganographically embedded payloads, allowing the malicious code to slip past file-based detection systems by masquerading as benign traffic,” the researchers explained.
Once downloaded, a script extracts the hidden code from the image pixels and executes it directly in the system’s memory, never touching the hard drive.
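Because the carrier is a valid image, file-based scanners have nothing to match on; what survives is the statistical trace that overwriting pixel least-significant bits leaves behind. The Python below is an added example written for this article, not code from CRIL or from the campaign, and the report does not state which embedding scheme the actors use. It builds a constructed grayscale cover image, embeds a random-looking payload (as an encrypted or compressed blob would appear) into its LSB plane, and scores both versions with the pair-of-values chi-square test; the image, the payload and the 2.0 cutoff are all assumptions for the demonstration.

```python
import random

# --- Constructed sample data (not from the CRIL report) -----------------------

def make_clean_image(n_pixels: int, seed: int = 1234) -> list:
    """Build a constructed 8-bit grayscale cover image as a flat pixel list.

    Cover images rarely have equal counts for the values 2k and 2k+1, which is
    the premise of the pair-of-values test below. We reproduce that imbalance
    deliberately by biasing the least significant bit toward 0.
    """
    rng = random.Random(seed)
    pixels = []
    for _ in range(n_pixels):
        value = min(255, max(0, round(rng.gauss(128, 40))))
        if rng.random() < 0.65:
            value &= ~1  # clear the LSB most of the time -> pair imbalance
        pixels.append(value)
    return pixels


def make_payload(n_bytes: int, seed: int = 7) -> bytes:
    """Constructed stand-in for a hidden payload; encrypted or compressed blobs
    look like random bytes, which is exactly what the detector picks up on."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_bytes))


def embed_lsb(pixels: list, payload: bytes) -> list:
    """Sequential LSB embedding (MSB of each byte first), used here only to
    produce the stego sample the detector is exercised against."""
    bits = [(byte >> shift) & 1 for byte in payload for shift in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in the image")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & ~1) | bit
    return stego


# --- Detector ------------------------------------------------------------------

def lsb_pair_chi_ratio(pixels: list) -> float:
    """Pair-of-values chi-square statistic divided by its degrees of freedom.

    Under the hypothesis 'LSBs are random', the expected count of 2k and of
    2k+1 is the pair's mean. A cover image deviates strongly (ratio >> 1);
    an image whose LSB plane was overwritten with random-looking data sits
    near 1. Pairs that never occur are skipped and do not count toward dof.
    """
    hist = [0] * 256
    for value in pixels:
        hist[value] += 1
    chi, dof = 0.0, -1
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected == 0:
            continue
        chi += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        dof += 1
    return chi / dof if dof > 0 else float("inf")


def verdict(pixels: list, threshold: float = 2.0) -> str:
    """The 2.0 cutoff is an assumption chosen for this example, not a published
    value; calibrate it on a corpus of known-clean images before relying on it."""
    return "suspicious" if lsb_pair_chi_ratio(pixels) < threshold else "clean"


def run_demo(n_pixels: int = 40000) -> dict:
    """Score a constructed cover image and the same image carrying a payload."""
    clean = make_clean_image(n_pixels)
    stego = embed_lsb(clean, make_payload(n_pixels // 8))
    return {
        "clean_ratio": lsb_pair_chi_ratio(clean),
        "stego_ratio": lsb_pair_chi_ratio(stego),
        "clean_verdict": verdict(clean),
        "stego_verdict": verdict(stego),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The test only exposes embedding that overwrites LSBs in order; real payloads usually occupy a prefix of the pixel stream, so production tooling scores sliding windows rather than the whole image, and schemes that spread or adapt the embedding need different statistics. The ratio on the constructed cover lands well above 100, while the same pixels with a payload score close to 1.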
In a move that highlights the group’s technical competence, the campaign employs a “hybrid assembly” technique. The attackers took the legitimate, open-source TaskScheduler library, appended their malicious functions to it, and recompiled it.
By trojanizing a trusted tool, the malware retains its “authentic appearance and functionality,” making it extremely difficult for antivirus signatures to detect the anomaly.
Perhaps the most novel discovery in the report is a unique method for bypassing User Account Control (UAC)—the security prompt that asks users for permission to run administrative tasks.
Instead of trying to force a bypass, the malware waits. It monitors the system for legitimate process creation events. When the user launches a trusted application, the malware opportunistically triggers its own UAC prompt at the same moment.
“The malware monitored system process creation events and opportunistically triggered UAC prompts during legitimate launches, tricking the system or user into granting elevated privileges under the guise of a routine operation,” the report notes.
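Riding a legitimate launch leaves a timing artefact in process telemetry: a high-integrity start of a binary from a user-writable location lands a second or two after the user opened an unrelated trusted program. The Python below is an added example for this article, not tooling from CRIL. It runs that correlation over a handful of constructed process-creation records whose fields are loosely modelled on Sysmon Event ID 1; the event data, the five-second window and the list of user-writable path markers are assumptions for the demonstration.

```python
from datetime import datetime

# Constructed process-creation events, fields loosely modelled on Sysmon Event
# ID 1 (UtcTime, Image, ParentImage, IntegrityLevel). Not real telemetry.
SAMPLE_EVENTS = [
    # user opens Word from the shell ...
    {"UtcTime": "2024-01-15 09:00:01.000",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    # ... and 1.5 s later an AppData binary comes up elevated via the service
    # host: the piggy-backed prompt pattern the article describes.
    {"UtcTime": "2024-01-15 09:00:02.500",
     "Image": r"C:\Users\alice\AppData\Roaming\Sync\updater.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "IntegrityLevel": "High"},
    # benign: user launches Notepad, nothing elevates afterwards
    {"UtcTime": "2024-01-15 10:12:00.000",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    # benign: an admin deliberately runs an elevated console from the shell
    {"UtcTime": "2024-01-15 10:30:00.000",
     "Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "High"},
    # user-writable binary elevating with no user launch in the window: left
    # to a separate "elevated from user-writable path" rule, not this one
    {"UtcTime": "2024-01-15 11:45:00.000",
     "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "IntegrityLevel": "High"},
]

# Assumed markers for locations an unprivileged user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                         "\\downloads\\", "\\programdata\\")


def is_user_writable(path: str) -> bool:
    """Coarse path check; a real deployment would consult ACLs instead."""
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")


def find_opportunistic_elevations(events, window_seconds: float = 5.0) -> list:
    """Flag High-integrity starts of user-writable binaries that occur within
    `window_seconds` after an interactive (explorer-spawned) launch of another
    program. The 5 s window is an assumption for this example."""
    ordered = sorted(events, key=lambda e: parse_time(e["UtcTime"]))
    user_launches = []  # (time, image) of interactive Medium-integrity launches
    alerts = []
    for event in ordered:
        when = parse_time(event["UtcTime"])
        parent = event["ParentImage"].lower()
        if parent.endswith("\\explorer.exe") and event["IntegrityLevel"] == "Medium":
            user_launches.append((when, event["Image"]))
            continue
        if event["IntegrityLevel"] != "High" or not is_user_writable(event["Image"]):
            continue
        # Walk back from the most recent interactive launch; stop once we are
        # outside the window, since earlier launches are further away still.
        for launch_time, launch_image in reversed(user_launches):
            delta = (when - launch_time).total_seconds()
            if delta > window_seconds:
                break
            alerts.append({
                "time": event["UtcTime"],
                "elevated_image": event["Image"],
                "piggybacked_on": launch_image,
                "delta_seconds": delta,
            })
            break  # one alert per elevation, matched to the nearest launch
    return alerts


if __name__ == "__main__":
    for alert in find_opportunistic_elevations(SAMPLE_EVENTS):
        print(alert)
```

The path filter keeps the rule quiet for legitimate elevations of installed software; pairing it with the timing window is what singles out the behaviour described in the report. On the constructed events only the updater.exe start is flagged, 1.5 seconds after the Word launch.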
This campaign represents a significant escalation in commodity malware tradecraft. By combining the stealth of steganography with the reliability of legitimate open-source tools, these actors have created a persistent threat to industrial sectors.
“Our research has uncovered a hybrid threat with striking uniformity of tradecraft, uncovering a persistent architectural blueprint,” CRIL concluded. Organizations in the targeted regions are advised to treat “benign” image files and email attachments with heightened scrutiny.