
Hackers are weaponizing stealthy malware known as MostereRAT in a phishing campaign targeting Japanese users, researchers at Fortinet FortiGuard Labs disclosed.
The operation uses business-themed lures to trick victims into downloading a malicious Word file. Hidden within is an executable that installs MostereRAT, which then deploys tools such as AnyDesk, TigerVNC, and TightVNC.
Researchers say the malware is written in Easy Programming Language (EPL), an obscure scripting language that helps conceal its operations. Once active, it disables Windows security features, blocks traffic from security tools, and even runs as TrustedInstaller — a privileged Windows account — to tamper with system processes and registry entries.
The malware also monitors Alibaba’s Qianniu Seller Tool, captures keystrokes, and executes commands from its operators, ranging from file manipulation to creating hidden administrator accounts. Fortinet compared its traffic-blocking method to EDRSilencer, a red team tool that prevents security software from transmitting detection data.
“These tactics significantly increase the difficulty of detection, prevention, and analysis,” researcher Yurren Wan said.
The disclosure comes as security firms warn of parallel campaigns using ClickFix-style techniques to spread MetaStealer.
Attackers lure victims to fake AnyDesk download sites that serve a malicious Windows shortcut file disguised as a PDF. Opening the file triggers a chain that delivers the stealer.
Researchers also highlighted an emerging threat involving prompt overdose attacks against AI systems. By flooding AI summarizers with malicious instructions, attackers can manipulate outputs to insert step-by-step instructions for malware delivery.
Source: TheHackerNews