
The S2 Group’s intelligence team has uncovered a new and sophisticated phishing campaign deploying Snake Keylogger, a .NET-based stealer of Russian origin. This campaign strategically leverages current geopolitical instability in the Middle East, notably the conflict between Iran and Israel, to manipulate victims in the energy and logistics sectors.
Attackers impersonate Kazakhstan’s prominent energy firm, LLP KSK Petroleum LTD Oil and Gas, to lure victims with emails offering fictitious oil deals. These emails include ZIP attachments containing malicious executables disguised as legitimate software.
“The campaign has been identified as using spearphishing emails offering oil products… intended to impersonate one of Kazakhstan’s main oil companies,” the team explains.

The geopolitical narrative—centered on fears of oil shortages and supply chain disruption due to the potential closure of the Strait of Hormuz—is exploited to boost the believability of these phishing emails.
What sets this campaign apart is its use of a previously undocumented technique involving jsadebugd.exe, a legitimate Java debugger tool, in a DLL sideloading attack. The malware payload (concrt141.dll) is disguised and injected through the InstallUtil.exe process.
“Its malicious use has recently been observed, something that has not been documented before,” the team notes.
The ZIP archive contains:
- 001 PETROLEUMLTD LLP KSK SCO 1 ORIGINAL (1).exe (a renamed version of jsadebugd.exe)
- Malicious DLLs including jli.dll and the stealer embedded in concrt141.dll
Persistence is achieved via the Windows Registry and a hidden directory: %USERPROFILE%\SystemRootDoc.
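The indicators above (a renamed jsadebugd.exe, jli.dll and concrt141.dll loaded from a user directory, and the hidden SystemRootDoc folder) translate directly into hunting logic. The script below is an added illustration, not part of the S2 Group report; the event records are constructed and only mimic Sysmon field names (Image, OriginalFileName, ImageLoaded, TargetFilename), so adapt them to your own telemetry.

```python
import ntpath
import re

# Indicators taken from the report: the lure binary is a renamed jsadebugd.exe,
# it sideloads jli.dll, the stealer lives in concrt141.dll, and persistence uses
# a hidden %USERPROFILE%\SystemRootDoc directory.
SIDELOADED_DLLS = {"jli.dll", "concrt141.dll"}
PERSIST_DIR = re.compile(r"\\SystemRootDoc\\", re.IGNORECASE)
# jli.dll legitimately ships inside a JDK/JRE tree; loads from elsewhere are suspicious.
JAVA_DIRS = re.compile(r"\\(jdk|jre|java)[^\\]*\\", re.IGNORECASE)


def flag_event(ev: dict) -> list[str]:
    """Return the detection names matching one Sysmon-style event ([] = clean)."""
    hits = []
    image = ntpath.basename(ev.get("Image", "")).lower()
    original = ev.get("OriginalFileName", "").lower()
    loaded = ev.get("ImageLoaded", "")
    # 1. Process creation: PE version info says jsadebugd.exe, on-disk name differs.
    if original == "jsadebugd.exe" and image != original:
        hits.append("renamed_jsadebugd")
    # 2. Image load: jli.dll / concrt141.dll pulled from outside a Java install.
    if ntpath.basename(loaded).lower() in SIDELOADED_DLLS and not JAVA_DIRS.search(loaded):
        hits.append("sideload_outside_java_dir")
    # 3. Any path touching the hidden persistence directory.
    if any(PERSIST_DIR.search(ev.get(f, "")) for f in ("Image", "ImageLoaded", "TargetFilename")):
        hits.append("systemrootdoc_path")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> detections, for events that triggered at least one."""
    return {i: h for i, ev in enumerate(events) if (h := flag_event(ev))}


# Constructed sample telemetry (field names mimic Sysmon; not real captures).
LURE = r"C:\Users\u\Downloads\001 PETROLEUMLTD LLP KSK SCO 1 ORIGINAL (1).exe"
SAMPLE_EVENTS = [
    {"Image": LURE, "OriginalFileName": "jsadebugd.exe"},                    # renamed tool
    {"Image": LURE, "ImageLoaded": r"C:\Users\u\Downloads\jli.dll"},          # sideload
    {"Image": r"C:\Program Files\Java\jdk-17\bin\jsadebugd.exe",
     "OriginalFileName": "jsadebugd.exe",
     "ImageLoaded": r"C:\Program Files\Java\jdk-17\bin\jli.dll"},             # benign
    {"Image": LURE, "ImageLoaded": r"C:\Users\u\SystemRootDoc\concrt141.dll"},  # persistence
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(idx, names)
```

The benign third event shows why the Java-directory check matters: the same DLL name loaded by the real debugger from a JDK tree stays silent, so the rule keys on location and renaming rather than on file names alone.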
Once deployed, Snake Keylogger extracts:
- Browser credentials from over 50 different browsers, including Chrome, Edge, Firefox, and lesser-known variants like xVast and 360 Browser
- Email client credentials (Outlook, Thunderbird, Foxmail)
- FTP credentials (FileZilla)
- Windows product keys
- Personal files such as .txt, .pdf, .jpg, and .docx
“Snake Keylogger will also exfiltrate passwords from various applications and browsers… In addition, the malware will collect the Windows product key of the device,” the team warns.
All stolen data is exfiltrated via SMTP, routed through compromised email accounts such as serverhar244@gpsamsterdamqroup[.]com to harrysnakelogger@dklak[.]cam.
Researchers identified at least 29 related samples, all employing the same technique with jsadebugd.exe, pointing to a coordinated and evolving threat actor:
“This behaviour has not been observed previously and seems to be characteristic of this specific campaign.”
Notably, the malware has previously been linked to campaigns conducted by groups like UAC-00411 and TA558, indicating the reuse of Snake Keylogger within the Malware-as-a-Service (MaaS) ecosystem.