: The malware often creates a scheduled task or modifies registry run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run ) to ensure it remains active after a system reboot.
: The malware frequently uses dynamic DNS services or compromised legitimate websites to host its command-and-control infrastructure, making IP-based blocking difficult. Indicators of Compromise (IoCs)
: Often uses a double extension (e.g., Project_Specs.pdf.lnk ) and executes a hidden command that launches mshta.exe or powershell.exe to run a remote script. DAHALO.rar
: Connections to unusual domains or direct IP addresses over ports 80/443 that do not match standard web traffic patterns.
The "DAHALO" infection chain is characterized by its use of legitimate system tools to execute malicious code, a technique known as "Living off the Land" (LotL). : The malware often creates a scheduled task
: Once downloaded and extracted, the RAR file typically reveals a shortcut file ( .LNK ) or a heavily obfuscated script (VBScript or PowerShell) disguised as a document.
: Monitor for suspicious child processes originating from archive extractors or office applications. : Connections to unusual domains or direct IP
: DAHALO.rar , DAHALO_Update.rar , or localized variations targeting specific departments (e.g., Finance_Report.rar ).
: The malware often creates a scheduled task or modifies registry run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run ) to ensure it remains active after a system reboot.
: The malware frequently uses dynamic DNS services or compromised legitimate websites to host its command-and-control infrastructure, making IP-based blocking difficult. Indicators of Compromise (IoCs)
: Often uses a double extension (e.g., Project_Specs.pdf.lnk ) and executes a hidden command that launches mshta.exe or powershell.exe to run a remote script.
: Connections to unusual domains or direct IP addresses over ports 80/443 that do not match standard web traffic patterns.
The "DAHALO" infection chain is characterized by its use of legitimate system tools to execute malicious code, a technique known as "Living off the Land" (LotL).
: Once downloaded and extracted, the RAR file typically reveals a shortcut file ( .LNK ) or a heavily obfuscated script (VBScript or PowerShell) disguised as a document.
: Monitor for suspicious child processes originating from archive extractors or office applications.
: DAHALO.rar , DAHALO_Update.rar , or localized variations targeting specific departments (e.g., Finance_Report.rar ).