TypeLib hijacking technique establishes persistence on Windows
The attacker used a command to make changes in the Windows Registry targeting the TypeLib path, where information about COM objects is stored. The TypeLib entry for a COM object is referenced whenever the object is accessed, and by altering the TypeLib entry to include a malicious script, the threat actor ensures their malware is run every time the object is invoked. In this case, an object related to Internet Explorer components was targeted; although the Internet Explorer browser is no longer widely used, the targeted object is still among those accessed by Explorer.exe at system startup. The TypeLib hijacking technique, though not previously observed in real-world attacks, had been detailed in a proof-of-concept by penetration testing expert Michael Zhmailo, of the MTS Innovation Center’s CICADA8 team, and discussed on the cybercrime forum XSS, ReliaQuest found.
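A defender can audit the same registry area the article describes. The script below is an added example (not from the article, ReliaQuest or CICADA8) that walks the per-machine and per-user TypeLib registrations and flags win32/win64 path values that do not look like a normal type-library binary; the allow-list of extensions and the heuristics are constructed assumptions to tune for your estate.

```powershell
# Added example: audit TypeLib registrations for suspicious path values.
# Legitimate entries point at a local .tlb/.dll/.ocx/.exe/.olb file, optionally
# followed by a resource index such as "\1". Anything else is worth a look.
$allowedExt = @('.tlb', '.dll', '.ocx', '.exe', '.olb')   # assumed allow-list

function Test-TypeLibValue {
    param([string]$Value)
    # Expand %SystemRoot% etc. and strip a trailing resource index ("\1" or ",1")
    $path = [Environment]::ExpandEnvironmentVariables($Value) -replace '[\\,]\d+$', ''
    # A scheme prefix (anything "xyz:" that is not a drive letter) is not a file path
    if ($path -match '^[a-z][a-z0-9+.-]*:' -and $path -notmatch '^[a-z]:\\') {
        return 'non-file moniker or URL'
    }
    $ext = [IO.Path]::GetExtension($path).ToLowerInvariant()
    if ($ext -notin $allowedExt) { return "unexpected extension '$ext'" }
    if (-not (Test-Path -LiteralPath $path)) { return 'target missing on disk' }
    return $null   # looks normal
}

# HKCU\Software\Classes is writable by the user and is merged into HKCR, so check both hives
$hives = 'HKLM:\SOFTWARE\Classes\TypeLib', 'HKCU:\SOFTWARE\Classes\TypeLib'
$findings = foreach ($hive in $hives) {
    if (-not (Test-Path $hive)) { continue }
    foreach ($lib in Get-ChildItem $hive) {
        foreach ($ver in Get-ChildItem $lib.PSPath) {
            # Layout: TypeLib\{GUID}\<version>\<lcid>\win32|win64, (Default) holds the path
            foreach ($lcid in Get-ChildItem $ver.PSPath) {
                foreach ($arch in Get-ChildItem $lcid.PSPath | Where-Object { $_.PSChildName -in 'win32', 'win64' }) {
                    $val = (Get-ItemProperty -LiteralPath $arch.PSPath).'(default)'
                    if (-not $val) { continue }
                    $reason = Test-TypeLibValue $val
                    if ($reason) {
                        [pscustomobject]@{
                            Hive = $hive; TypeLib = $lib.PSChildName; Version = $ver.PSChildName
                            Key = $arch.PSChildName; Value = $val; Reason = $reason
                        }
                    }
                }
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

Expect some noise from uninstalled software leaving dangling entries ("target missing on disk"); the HKCU hits and the "non-file moniker or URL" reason are the ones to triage first.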
Custom PowerShell backdoor evades detection
The malicious code was loaded from a Google Drive link and stored in a text file padded with non-functional “junk code” to evade detection by security systems, ReliaQuest said. The functional malware code contained a PowerShell backdoor wrapped in JScript, with the JScript writing the PowerShell code to the path “C:\ProgramData\kcnxrx.ps1” and executing it in a hidden window. The PowerShell backdoor creates a command-and-control (C2) beacon as well as a WebClient object and runs an infinite loop to receive further commands or payloads from the attacker’s infrastructure. Once the backdoor is deployed, the JScript uses Windows Installer’s “InstallProduct” method to send an HTTP request to the attacker’s Telegram bot, which serves as a confirmation of its successful execution, according to ReliaQuest. By searching for the PowerShell backdoor code on VirusTotal, ReliaQuest researchers found that the earliest version of the malware was uploaded in January 2025 and was likely a test by the threat actor to check for malicious scoring, based on the use of localhost as the C2 address in the earliest sample. The version found in the wild was only flagged as malicious by one security vendor, the researchers noted. The backdoor was also found to be related to a PowerShell malware strain known as Boxter, which Palo Alto Networks Unit 42 researchers found being spread via Bing ads for fake Microsoft Teams downloads in January 2025.
Mitigating Black Basta-like phishing, malware attacks
Attributing the latest campaign specifically to Storm-1811, or to the same threat actors behind the Bing malvertising campaign, proved difficult, especially as the attacks were disrupted by ReliaQuest before any further payloads could be deployed. However, ReliaQuest hypothesized that the campaign could represent an evolution of Storm-1811’s techniques, or a sign that members of the Black Basta ransomware-as-a-service (RaaS) group have splintered off, resulting in a new combination of techniques. To defend against similar attacks, ReliaQuest recommended that organizations disable external communications on Microsoft Teams, block Telegram and Google Drive at the network edge, disable or restrict JScript where possible, and set Windows Defender Application Control (WDAC) to the most restrictive level possible to limit the use of PowerShell functions commonly used in malware code. Additionally, disabling Windows Script Host (WSH) can prevent scripts such as those added to the TypeLib entry from being executed; however, ReliaQuest noted that “this change should be tested prior to deployment to ensure it does not disrupt software or processes that rely on Windows Script Host.”