A recent cybersecurity incident has revealed a new cyber attack campaign that uses fake MSIX Windows app package files to distribute a malware loader called GHOSTPULSE . This campaign targets popular software installers like Google Chrome, Microsoft Edge   , Brave   , Grammarly   , and Cisco Webex   . The attackers employ various tactics , such as compromised websites, SEO poisoning  , and malvertising  , to entice potential victims into downloading these packages. Once the MSIX file is launched  , it prompts the user to click the Install button  , resulting in the stealthy download of GHOSTPULSE from a remote server via a PowerShell script .
The attack unfolds in multiple stages. Initially, a TAR archive file is used as the first payload, containing an executable that disguises itself as the Oracle VM VirtualBox service . Additionally, the malware exploits vulnerabilities in gup.exe through DLL side-loading. GHOSTPULSE acts as a loader and utilizes process doppelgänging to execute the final malware  , which includes SectopRAT , Rhadamanthys   , Vidar   , Lumma   , and NetSupport RAT   .
The initial payload of GHOSTPULSE is a TAR archive file that includes a legitimate binary bundled with Notepad++. The archive also contains a trojanized version of libcurl.dll , which exploits DLL side-loading . The tampered DLL file then proceeds to execute an encrypted payload via mshtml.dll , ultimately loading GHOSTPULSE .
This new cyber attack strategy is a significant concern as it specifically targets popular software and employs sophisticated techniques to evade detection by antivirus scans. Organizations and individuals must remain vigilant and take necessary precautions to protect themselves from this evolving threat. The use of fake MSIX Windows app package files and the exploitation of DLL side-loading vulnerabilities highlight the need for robust cybersecurity measures. It is crucial to stay updated on the latest security practices and technologies to mitigate the risks posed by such attacks in the future.