Between May 15-22, 2024, Blackpoint’s Security Operations Center (SOC) responded to 113 total incidents. These incidents included 27 on-premises MDR incidents, no Cloud Responses for Google Workspace, and 86 Cloud Response for Microsoft 365 incidents, with confirmed or likely threat actor use of:

In this blog, we’ll dive into the details behind these select incidents, including why they’re important for partners to account for today – even if they’ve not been attacked yet! – as well as possible mitigations leveraging your current tech stack and Blackpoint Cyber.

Return to Top

ChromeLoader Incidents with Multiple Industry Partners from 2025 May 15-19

Topline Takeaways

  • Industry targets:
    • Financials
    • Retail
    • Government
    • Healthcare
  • Attack information (all analyzed attacks):
    • Registry value “ChromeBrowserAutoLaunch”
    • Scheduled tasks:
      • “PDFFlexUpdateOnce-11084167-216b-47cc-ba50-b83930d36f13”
      • “PDFFlexUpdateOnce-c6e41cc7-280f-452d-ad59-fcd0012abb58”
      • “PDFFlexUpdateOnce-a6073c80-7665-4e35-b99a-eb0c91faae1a”
      • “PDFFlexUpdateOnce-0a653a0a-c2ff-4d07-9dd5-4a96d26e609a”
      • “PDFFlexUpdateOnce-fd778ccc-6165-4a9a-9220-1f84de9c88bd”
    • ChromeLoader
    • update.js and PDFFlex
    • .msi and / or .exe initial payload file
  • Antivirus (AV) and / or EDR present in environments? Yes
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use ChromeLoader to exploit other organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Heuristics-based activity monitoring and remediation
    • Zero trust network architecture
    • Scripting language controls

ChromeLoader Incidents Overview for 2024 May 15-19

Between May 15-18, 2024, Blackpoint’s MDR+R technology alerted to multiple incidents that were detected as ChromeLoader. These incidents included five different partners’ end clients in the Financials, Retail, Government, and two Healthcare organizations. All five instances contain similar IoCs and behaviors.

  1. Last Wednesday, Blackpoint’s MDR+R technology alerted to an event for the addition of a registry value, “ChromeBrowserAutoLaunch”, on a Financials industry partner endpoint, setting it to automativally launch Google Chrome with a specific extension. Upon further investigation, Blackpoint’s Active SOC identified a scheduled task “PDFFlexUpdateOnce-11084167-216b-47cc-ba50-b83930d36f13”. Additionally, the investigation identified that the initial payload was likely delivered in a .msi file that appeared in the user’s downloads folder. Blackpoint’s Active SOC isolated the device to prevent further compromise or malicious activity.
  2. Last Thursday, Blackpoint’s MDR+R technology alerted to a Retail partner’s user account adding a registry key to the current user’s startup folder to allow Google Chrome to run when the user logged in. Upon further investigation, Blackpoint’s Active SOC identified a scheduled task “PDFFlexUpdateOnce-c6e41cc7-280f-452d-ad59-fcd0012abb58”. Additionally, the investigation identified that the initial payload was likely delivered in a .msi file that was located in the user’s downloads folder. Blackpoint’s Active SOC isolated the device to prevent further compromise or malicious activity.
  3. Last Thursday, Blackpoint’s MDR+R technology alerted to a file “update.js” that was detected as ChromeLoader on a Government partner’s endpoint. Upon investigation, Blackpoint’s Active SOC identified a scheduled task “PDFFlexUpdateOnce-a6073c80-7665-4e35-b99a-eb0c91faae1a”. Additionally, Blackpoint’s Active SOC identified that the initial payload was likely delivered via a .msi file found in the user’s download folder. Blackpoint’s Active SOC isolated the device to prevent further malicious activity.
  4. Last Thursday, Blackpoint’s MDR+R technology alerted to a file “update.js” that was detected on a Healthcare’s user account that was detected as ChromeLoader. Upon investigation, Blackpoint’s Active SOC identified a scheduled task “PDFFlexUpdateOnce-0a653a0a-c2ff-4d07-9dd5-4a96d26e609a”. Additionally, Blackpoint’s Active SOC identified two .msi files and two .exe files in the user’s download folder, indicating that one of these were likely the initial payload. Blackpoint’s Active SOC isolated the device to prevent further malicious activity.
  5. Last Saturday, Blackpoint’s MDR+R technology alerted to a file “update.js” that was detected on a Healthcare’s user account that was detected as ChromeLoader. Upon investigation, Blackpoint’s Active SOC identified a scheduled task “PDFFlexUpdateOnce-fd778ccc-6165-4a9a-9220-1f84de9c88bd”. Additionally, Blackpoint’s Active SOC identified one .msi file and three .exe files in the user’s download folder, indicating that one of these were likely the initial payload. Blackpoint’s Active SOC isolated the device to prevent further malicious activity.

More About ChromeLoader and PDFFlex

Click for details

ChromeLoader

ChromeLoader is a Google Chrome browser hijacker actively deployed since at least 2022 (1). The malware modifies the browser settings and redirects traffic.
ChromeLoader has previously gained initial access via:

  • Social engineering tactics, such as phishing emails with malicious attachments;
  • QR codes posted on social media sites; and
  • Malicious advertisements.

ChromeLoader has been observed gaining persistence via scheduled tasks. ChromeLoader is able to collect browser data, which could include passwords stored in the browser password vaults.

PDFFlex

Due to the number of incidents observed this week that were detected as ChromeLoader, Blackpoint’s APG conducted a deeper investigation into the file named “update.js”. This file relates to a software named PDFFlex.exe, a signed desktop application used as a wrapper for www.sodapdf[.]com. The software was packaged in a Microsoft Installer (MSI) file with varying names that appear related to legitimate PDF editing software. The installer and PDFFlex.exe were both signed with a certificate owned by Eclipse Media Inc, however, open-source research provided no evidence of a company creating this software. Indicating it is likely that the certificate was stolen. When run, the victim was presented with a GUI application using a web view for Soda PDF, a legitimate PDF editing application for both web and desktop. It gave the appearance of a native desktop application, when it was really a wrapper around the above mentioned domain. The installer created registry keys and scheduled tasks with the naming convention “PDFFlexUpdateOne-. The installer (2), main executable (3), and JavaScript file (4) were uploaded to VirusTotal by unknown parties; all three have very few detections.

APG Threat Analysis of ChromeLoader for 2024

Click for details

The APG predicts that threat actors will likely continue to use ChromeLoader over the next 12 months.

Blackpoint’s APG assesses that threat actors will likely continue to deploy ChromeLoader malware in an attempt to collect browser data, including passwords and browsing habits.
This assessment is based on internal Blackpoint observed attacks and external reporting detailing ChromeLoader incidents.

In February 2023, AhnLab Security Emergency response Center (ASEC) released a report detailing a ChromeLoader incident. The malware was delivered via virtual hard disk (VHD) files that appeared to be related to hacks or cracks for Nintendo and Steam games (5).

In June 2023, HP researchers released a report detailing a ChromeLoader campaign that tricked users into installing a malicious Chrome extension “Shampoo”. The extension could redirect victim’s search queries to malicious websites and used scheduled tasks to re-launch itself every 50 minutes (6).

Recommended ChromeLoader Mitigations and Remediations

Click for details

Blackpoint’s APG recommends the following actions to help mitigate ChromeLoader malware infections and persistence actions. (Note: Many of the mitigations for ChromeLoader are the same as mitigations for other malware variants.)

  • Monitor system activity through heuristics-based triggers and alerts, which can help identify anomalous scheduled tasks and user activity.
  • Operate from a zero-trust mentality, which assumes that all requests to each resource is malicious and embodies aggressive and continuous monitoring and management.
  • Minimize the use of – or implement strict controls on – the use of scripting languages, as threat actors often rely on scripting languages to deploy malware and conduct malicious activities.
  • Implement browser extension allowlists, which can prevent the installation of unauthorized or malicious browser extensions.

Return to Top

Telegram App Abuse Incident with Professional & Commercial Services Partner on 2024 May 17

Topline Takeaways

  • Industry target: Professional & Commercial Services
  • Attack information:
    • Telegram
    • supl.dll
    • RFileStpjR.exe
  • Antivirus (AV) and / or EDR present in environment? Yes
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use Telegram messenger app to exploit other Professional & Commercial Services organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Controls preventing unauthorized use of legitimate tools and / or allowlisted applications
    • Employee security training
    • Improve endpoint, asset, and overall environment visibility
    • Regularly audit both environment and endpoints

Telegram App Abuse Incident Analysis for 2024 May 17

  • Blackpoint’s MDR+R technology alerted to a detection on a Professional & Commercial Services partner’s host, flagging the file “supl.dll”.
  • Upon further investigation, the Blackpoint Active SOC identified Telegram making outbound connections to four IP addresses in the Netherlands and Great Britain and four scheduled tasks associated with Telegram.
    • Telegram was only identified on one device, indicating that the installation was likely unauthorized.
  • The Blackpoint Active SOC identified multiple unconventional executables running in Windows processes associated with other scheduled tasks.
  • The Blackpoint’s Active SOC isolated the device and contacted the Professional & Commercial Services partner to provide details of the investigation and remediation advice.

More About Telegram App Abuse

Click for details

Telegram is a cloud-based messaging application that can be used across multiple devices for encrypted instant messaging (7). Telegram allows users to join channels that are specific to a product or interest and their messages remain private to the channel. This makes Telegram an attractive place for hackers, threat groups, and ransomware operators to sell specific services, leak stolen data, and offer software.

APG Threat Analysis of Telegram App Abuse for 2024

Click for details

The APG predicts that threat actors will likely continue to use Telegram over the next 12 months.

We base this assessment on…As with many other legitimate tools, threat actors have flocked to Telegram for malicious activities over the previous 12 months. Telegram can be used by threat groups to leak data, an example of this is the The Five Families Telegram channel (8). The Five Families is a Telegram channel and cooperative threat group comprised of five distinct threat groups:

  1. Stormous ransomware
  2. ThreatSec
  3. GhostSec
  4. Blackforums
  5. SiegedSec

These groups also operate separate Telegram channels. Stormous is known for leaking victim data via their Telegram channel rather than the traditional method of a TOR data leak site. Telegram can also be used by threat groups for command-and-control (C2) purposes, an example is the Zaraza bot malware (9). Zaraza steal login information and uses Telegram as its C2 and can use the stolen data to carry out additional malicious activities.

Additionally, the ability to create and join specific Telegram channels allows threat groups to create channels that offer specific services, from hacking services to malware-as-a-service (MaaS) or ransomware-as-a-service (RaaS). These channels, unlike most cybercriminal forums, allow threat actors to focus on offering or purchasing the specific tool or service. The ease of access to these channels lower the entry gate to hacking for lower-skill level threat groups and increase collaboration between threat groups and operations (10).

Recommended Telegram App Abuse Mitigations and Remediations

Click for details

Blackpoint’s APG recommends the following actions to help mitigate the malicious use of legitimate tools, including the Telegram messenger app.

  • Implement application controls – application controls should prevent both installation and execution of unauthorized applications, such as Telegram.
  • Conduct employee security awareness training, including how to spot a phishing email and how and when to report them to an incident response authority. As many threat actors still rely on social engineering tactics to gain initial access, security training can help lower the risk of falling victim to download malicious software or legitimate tools for malicious actions.
  • Improve security visibility of networks, endpoints, and other managed assets to aid in detecting and alerting to suspicious installs and actions conducted by threat groups using unauthorized but legitimate tools and software.
  • Monitor system activity through heuristics-based triggers and alerts, which can aid in detecting anomalous software installs and activities associated with malicious actors, such as scheduled tasks and unconventional executables.

Return to Top

RustDesk and Tailscale Incident with Healthcare Partner on 2024 May 21

Topline Takeaways

  • Industry target: Healthcare
  • Attack information:
    • RustDesk.exe
    • tailscaled.exe
    • tailscale-ipn.exe
  • Antivirus (AV) and / or EDR present in environment? Yes
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to use RustDesk and Tailscale to exploit other Healthcare organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Heuristics-based activity monitoring and remediation
    • Dedicated software center
    • Controls preventing unauthorized use of legitimate tools and / or allowlisted applications
    • Network segmentation for common ports

RustDesk.exe and Tailscale Incident Analysis for 2024 May 21

  • Last Tuesday, Blackpoint’s MDR+R technology alerted to a Healthcare partner’s user account logging into a host and deploying RustDesk, the open-source remote desktop access solutions tool.
  • Additionally, VPN service Tailscale was identified on the host device as possibly abused for malicious purposes by a threat actor.
  • Out of an abundance of caution, the host was isolated to prevent any further malicious or suspicious activities, and the Healthcare partner was contacted about the security incident and with additional remediation details.

More About RustDesk.exe and Tailscale

Click for details

RustDesk

RustDesk is an open source remote access tool that can enable users to access remote devices and is available for operating systems such as Windows, macOS, iOS, Android, and Linux (11). Remote access software is an attractive target for threat actors for both initial access and persistence; threat actors often target vulnerable instances and use the software to aid in their attacks.

Tailscale

Tailscale is a VPN service that makes devices and applications accessible to users from anywhere. Tailscale enabled encrypted point-to-point connections using the WireGuard protocol (12). VPN software is often an attractive tool for threat actors as they can be used to access sensitive environments, discover connected assets, and blend in with legitimate network traffic.

APG Threat Analysis of RustDesk and Tailscale for 2024

Click for details

The APG predicts that threat actors will very likely continue to use RustDesk and Tailscale over the next 12 months.

In August 2023, security researchers with Phylum reported that North Korea-linked threat actors were observed using npm package registry to lure victims into downloading malicious modules. The threat actors used a domain masquerading as the legitimate RustDesk software (13).

In September 2023, security researchers with Logpoint reported that the Akira ransomware operation had been observed using the RustDesk software to gain persistent remote access to victim environments (14). The observation of both nation state and ransomware operators using the tool indicates that there are likely multiple groups that opt for RustDesk during cyberattacks, which will likely continue to be observed over the next 12 months.

In November 2023, the U.S. CISA released an advisory warning of the Scattered Spider ransomware affiliate group, most known for their work with the Alphv (AKA BlackCat) ransomware operation. The advisory warned that Scattered Spider has used legitimate tool to maintain access to victim environments, including Tailscale (15). Threat actors often use legitimate tools during cyberattacks to remain undetected and blend in with what appears to be legitimate network traffic.

Recommended RustDesk and Tailscale Mitigations and Remediations

Click for details

Blackpoint’s APG recommends the following actions to help mitigate the abuse of legitimate remote access and VPN software for malicious activities.

  • Monitor system activity through heuristics-based triggers and alerts, rather than depending solely on indicators of compromise (IoCs) to detect unusual access patterns that could be indicative of malicious behavior by threat actors. User accounts randomly access hosts, outside of normal business or from abnormal IP address location, can be detected and access can be closed prior to significant malicious activities occur.
  • Provide a dedicated software center, which allows employees to download approved software from a safe and monitored location. Dedicated and approved software can aid in detecting software, such as RustDesk, that is installed from a third-party location outside of a dedicated center.
  • Implement application controls – application controls should prevent both installation and execution of portable versions of unauthorized RMM and VPN software.
  • Use network segmentation, to ensure critical systems are isolated from less secure areas and prevent unauthorized communication restrictions between segments. This can help prevent threat actors from using RMM and VPN tools to move laterally and elevate privileges within the network.

References and Resources

A quick note on incident details:

As these analyses concern recent incidents in actively monitored environment, certain details may be occasionally omitted and / or obfuscated, to better secure our partners and protect any still-ongoing investigations.

However, we felt that these incidents were important enough to bring to the community’s attention as fast as possible, and so included them in this public writeup.

Please feel free to reach out to the APG directly if you have any questions about a specific incident!

Click for full reference list
  1. Check Point’s Blog: “August 2023’s Most Wanted Malware: New ChromeLoader Campaign Spreads Malicious Browser Extensions while QBot is Shut Down by FBI” by Check Point Team on 2023-09-11
  2. VirusTotal’s Repository: “9c5d756045fd479a742b81241ccf439d02fc668581a3002913811a341278de43” by VirusTotal on 2024-05-22
  3. VirusTotal’s Repository: “d4c3bbf71e438274848dc1502755b9ec0ce8ee7dfbcd584513c86a8657e9e6cd” by VirusTotal on 2024-05-22
  4. VirusTotal’s Repository: “501571c21ef631b6bb77b0866bde07012fe46ffe58235695c7e9df6302084c6a” by VirusTotal on 2024-05-21
  5. ASEC’s Blog: “ChromeLoader Disguised as Illegal Game Programs Being Distributed” by gygy0101 on 2023-02-23
  6. HP’s Blog: “ChromeLoader malware campaign punishes pirating users, HP warns” by HP on 2023-06-14
  7. Telegram’s FAQ: “What is Telegram? What do I do here?” by Telegram on N/A
  8. Cyberint’s Blog: “New Cyber Alliance: The Five Families Telegram Channel” by Research Team on 2023-09-12
  9. SOCRadar’s Blog: “Zaraza Bot: New Malware Uses Telegram for Command & Control” by SOCRadar on 2023-04-18
  10. Flare’s Blog: “Telegram Hacking Channels: An Emerging Risk” by Flare on 2023-06-06
  11. RustDesk’s website: “About Us” by RustDesk on N/A
  12. Tailscale’s Blog: “What is Tailscale?” by Tailscale on N/A
  13. Phylum’s Blog: “Sophisticated, Highly-Targeted Attacks Continue to Plague npm’ by Phylum Research Team on 2023-08-12
  14. Logpoint’s Whitepaper: “Deciphering Akira’s Arsenal: Tactics for Uncovering and Responding.” by Swachchhanda Shrawan Poudel on 2023-09