Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
A variant of WikiLoader loader for rent, also known as WailingCrab, is being delivered via SEO poisoning and spoofing of GlobalProtect VPN software. The campaign primarily affects U.S. higher education and transportation sectors. The infection chain involves multiple stages, including DLL sideloading, shellcode injection, and the use of MQTT for command and control. The attackers employ various evasion techniques, such as fake error messages, process checking, and encryption. The loader demonstrates sophisticated tradecraft, including the use of compromised WordPress sites and cloud-based Git repositories for infrastructure.
OPENCTI LABELS :
seo poisoning,dll sideloading,globalprotect,loader-for-rent,wailingcrab,wikiloader
Open in NetmanageIT OpenCTI Public Instance with below link!
Use public read only username and password on login page.
NOTE : Use Public READ only user credentials on login page banner.
Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant