Hackers Use Polyglot Files to Bypass Email Filters to Deliver Malicious Emails

Parkinsond

Dec 6, 2023
Hidden behind familiar subject lines and legitimate sender addresses, the messages contained archives that looked like ordinary ZIP files yet behaved like executable libraries.

This hybrid format—known as a polyglot—slipped past most secure mail gateways, allowing attackers to plant malware directly onto employee workstations.

Since e-mail filters inspected only the ZIP header, the dangerous DLL portion went unchecked until the moment of user interaction.

Compromised corporate mailboxes, rather than spoofed domains, provided additional legitimacy, giving the attackers a near-perfect delivery mechanism that required no macro-enabled documents or overt executable attachments.

PhantomRemote—the custom payload embedded inside the DLL—provides command execution, file download and system inventory over plain HTTP, adopting User-Agent strings such as “YandexCloud/1.0” or “MicrosoftAppStore/2001.0” to blend into outbound traffic.

Even after perimeter detection, analysts report that workstation-level persistence allowed the threat actor to maintain footholds until manual remediation.
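As an added example (not from the article or the poster), a defender-side check in Python that flags the ambiguity described above: an attachment that a standard ZIP reader accepts while the same bytes also begin with a PE/DLL header. The PE stub and archive contents are constructed inline for the test; the stub is header bytes only, not a loadable image.

```python
import io
import struct
import zipfile

DOS_HEADER_LEN = 0x40  # e_lfanew (offset of "PE\0\0") sits at 0x3C in the DOS header


def looks_like_pe(data: bytes) -> bool:
    """True if data has 'MZ' at offset 0 and a 'PE\\0\\0' signature where e_lfanew points."""
    if len(data) < DOS_HEADER_LEN or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def parses_as_zip(data: bytes) -> bool:
    """True if the stdlib ZIP reader accepts the bytes.

    ZIP is located from the end-of-central-directory record at the tail, so
    arbitrary leading bytes (here, a PE header) do not stop it from parsing.
    """
    return zipfile.is_zipfile(io.BytesIO(data))


def classify(data: bytes) -> str:
    """Label an attachment: 'polyglot' when both container parsers accept the same bytes."""
    pe, zp = looks_like_pe(data), parses_as_zip(data)
    if pe and zp:
        return "polyglot"
    return "pe" if pe else "zip" if zp else "other"


def build_zip(payload: bytes, name: str = "readme.txt") -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr(name, payload)
    return buf.getvalue()


def build_pe_stub() -> bytes:
    """Constructed header-only PE stub for testing the detector; it cannot be loaded or run."""
    dos = bytearray(b"MZ" + b"\x00" * (DOS_HEADER_LEN - 2))
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_LEN)  # e_lfanew -> right after the DOS header
    return bytes(dos) + b"PE\x00\x00"


SAMPLE_ZIP = build_zip(b"quarterly figures attached")          # constructed benign archive
SAMPLE_POLYGLOT = build_pe_stub() + SAMPLE_ZIP                  # ZIP appended after a PE header
```

A gateway that only sniffs the leading `PK` bytes or trusts the `.zip` extension would label SAMPLE_POLYGLOT as an archive; checking both parsers, as `classify` does, surfaces the dual identity.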