A new phishing attack is spreading in Poland and Germany, delivering a stealthy backdoor called TorNet. Linked to an APT group, this malware uses the TOR network to evade detection and maintain covert control over infected systems.
📌 How the Attack Works
Since July 2024, attackers have been impersonating banks, manufacturers, and logistics firms, sending phishing emails in German and Polish with fake transactional receipts. Each email carries a malicious .tgz attachment that, when opened, executes a .NET loader, which downloads PureCrypter malware and decrypts it in memory. The infection chain then installs TorNet, which enables C2 communication, alongside Agent Tesla and Snake Keylogger to steal sensitive data.
To stay undetected, the attackers use scheduled tasks for persistence, disable internet access before deploying the malware so that cloud security is bypassed, and employ anti-debugging and anti-malware checks to resist detection.
Researchers have also found English-language phishing samples, suggesting a wider global expansion.
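The delivery step described above depends on a .tgz attachment that carries an executable loader, so a mail gateway can triage such attachments before a user opens them. The following is an added example, not code from the original post or from Abatis: the function names and the sample message are constructed for illustration, and checking for the PE "MZ" magic bytes is an assumed heuristic for spotting Windows executables (including .NET loaders) inside the archive.

```python
import io
import tarfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ARCHIVE_SUFFIXES = (".tgz", ".tar.gz")

def pe_members_in_tgz(data: bytes) -> list[str]:
    """Names of archive members whose first bytes are the PE 'MZ' magic."""
    hits = []
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            for member in tar:
                if member.isfile():
                    fh = tar.extractfile(member)  # read in memory, never unpacked to disk
                    if fh is not None and fh.read(2) == b"MZ":
                        hits.append(member.name)
    except (tarfile.TarError, OSError, EOFError):
        return ["<unreadable archive>"]  # malformed archives deserve review too
    return hits

def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Map each .tgz/.tar.gz attachment to the executables found inside it."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(ARCHIVE_SUFFIXES):
            hits = pe_members_in_tgz(part.get_payload(decode=True) or b"")
            if hits:
                findings[name] = hits
    return findings

def build_sample() -> bytes:
    """Constructed sample: a message whose .tgz holds a stub starting with 'MZ'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for fname, body in (("receipt.exe", b"MZ\x90\x00stub"), ("note.txt", b"hello")):
            info = tarfile.TarInfo(fname)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    msg = EmailMessage()
    msg["Subject"] = "Payment receipt (constructed sample)"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="gzip", filename="receipt.tgz")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage_message(build_sample()))
```

A message with any finding can be quarantined for analyst review; legitimate transactional receipts rarely need to ship an executable inside a compressed archive.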
🔒 How to Protect Yourself
As cyber threats evolve, proactive security is crucial. #Abatis offers proven protection to safeguard your data, finances, and reputation.
Stay cautious. Stay secure.