Cybersecurity researchers have recently uncovered a new and sophisticated malware campaign utilizing the PEAKLIGHT downloader. This memory-only dropper is designed to deploy additional malicious payloads on Windows systems, primarily targeting users who download files disguised as pirated movies. The campaign starts with a Windows shortcut (LNK) file, which is delivered through drive-by download techniques—users inadvertently download these files while searching for movies on the internet. The LNK files are embedded in ZIP archives posing as pirated content.
Once the LNK file is executed, it connects to a content delivery network (CDN) hosting an obfuscated JavaScript dropper. This dropper then decrypts and runs a PowerShell-based script known as PEAKLIGHT. The PEAKLIGHT downloader script is responsible for fetching and executing further malicious payloads from a command-and-control (C2) server. The downloaded malware includes variants like Lumma Stealer, Hijack Loader, and CryptBot, which are distributed as part of a malware-as-a-service (SaaS) model.
The PEAKLIGHT downloader employs various techniques to evade detection and ensure successful execution. The malware uses both hex-encoded and Base64-encoded PowerShell payloads, which are unpacked and executed on the compromised system. In addition to deploying malware, the downloader often downloads a legitimate movie trailer as a distraction to mask its true intentions. This multi-stage execution chain is designed to compromise systems discreetly while minimizing detection.
This new threat highlights an ongoing trend of targeting users through malicious downloads disguised as legitimate content. Similar tactics have been observed in past campaigns, such as those involving Hijack Loader and other malware strains. As this sophisticated malware campaign continues to evolve, cybersecurity experts emphasize the importance of cautious downloading practices and robust security measures to protect against these types of attacks.
Reference:
