EXECUTIVE SUMMARY
The campaign, tracked as BlackToad, appears to be an affiliate of the Nigerian e‐crime ecosystem often referred to as SilverTerrier. It delivers a remote‐access Trojan through a phishing email written in Thai that masquerades as a legitimate payment‐slip request and directs recipients to a MediaFire download. The primary targets include financial and hospitality organisations in Southeast Asia, with additional outreach toward enterprises that handle cross‐border transactions. The attacker's objective is to gain persistent remote control for credential harvesting, data exfiltration, and potential extortion.
By exploiting familiar business processes, the group aims to maximise compromise rates while remaining under the radar. Once the malicious link is clicked, a self‐extracting archive disguised with a .pdf.scr double extension unpacks a VBS loader that constructs a command line to disable network connectivity with ipconfig /release. While the host is offline, the loader invokes a legitimate scripting interpreter renamed with an Excel extension to run a secondary script that drops the Remcos remote‐access payload. After execution, the implant registers a Run‐key entry to survive reboots and contacts dynamic‐DNS domains over a non‐standard port for command and control.
The brief network blackout evades many cloud‐based monitoring tools, allowing the RAT to establish persistence before traffic resumes. This threat is noteworthy because the combination of disguised file extensions, legitimate utilities and a temporary network blackout makes detection difficult for both endpoint sensors and network‐based alerts. Organizations that rely on automated phishing filters may miss the Thai‐language lure, while the brief loss of connectivity hides the critical execution phase from cloud security platforms. Recommended mitigations include tightening email gateway policies, blocking executable extensions hidden behind double extensions, and monitoring for unusual ipconfig /release activity. Deploying endpoint protection that can inspect script behavior, enforcing strict application whitelisting, and maintaining offline backups will reduce the impact of a successful compromise.
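A detection sketch for the mitigations above, added here as an example and not code from the referenced reports or from any vendor: it scores constructed Sysmon‐style process‐creation (Event ID 1) and registry (Event ID 13) records for the double‐extension lure, a document‐named binary whose PE OriginalFileName is an interpreter, ipconfig /release launched by a script host, and a Run‐key write shortly after that blackout. The host names, paths and the AutoIt3.exe original file name in the sample are assumptions.

```python
import re
from datetime import datetime, timedelta

# Parents with no business launching ipconfig /release (a VBS loader may route via cmd.exe; then check the grandparent).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?)\.(?:scr|exe|vbs|js|bat)\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()
def flags(ev):
    """Chain steps matched by one Sysmon event (ID 1 process create, ID 13 registry value set)."""
    out = []
    if ev["EventID"] == 1:
        image, orig = basename(ev["Image"]), ev.get("OriginalFileName", "").lower()
        cmd, parent = ev["CommandLine"], basename(ev["ParentImage"])
        if orig and orig != image and not image.endswith(".exe"):  # e.g. *.xlsx that is really an interpreter
            out.append(f"renamed interpreter: {image} is really {orig}")
        if DOUBLE_EXT.search(image) or DOUBLE_EXT.search(cmd):
            out.append("double-extension lure")
        if image == "ipconfig.exe" and "/release" in cmd.lower() and parent in SCRIPT_HOSTS:
            out.append(f"ipconfig /release spawned by {parent}")
    elif ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"]):
        out.append("Run-key persistence written")
    return out

def detect(events, window=timedelta(minutes=5)):
    """host -> alerts; escalates when a Run-key write follows a script-host ipconfig /release within `window`."""
    alerts, release_at = {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):
        host = ev["host"]
        for reason in flags(ev):
            alerts.setdefault(host, []).append(reason)
            if reason.startswith("ipconfig /release"):
                release_at[host] = ev["time"]
            elif reason.startswith("Run-key") and host in release_at \
                    and ev["time"] - release_at[host] <= window:
                alerts[host].append("HIGH: persistence set during network blackout")
    return alerts

# Constructed sample telemetry (hypothetical host, paths and file names; not IoCs).
T = datetime(2024, 1, 1, 9, 0, 0)
def mk(secs, host, eid, image, parent="", orig="", cmd="", target=""):
    return {"time": T + timedelta(seconds=secs), "host": host, "EventID": eid, "Image": image,
            "ParentImage": parent, "OriginalFileName": orig, "CommandLine": cmd, "TargetObject": target}
SAMPLE = [
    mk(0, "fin-ws01", 1, r"C:\Users\a\Downloads\slip.pdf.scr", r"C:\Windows\explorer.exe", cmd="slip.pdf.scr"),
    mk(5, "fin-ws01", 1, r"C:\Windows\System32\ipconfig.exe", r"C:\Windows\System32\wscript.exe", "ipconfig.exe", "ipconfig /release"),
    mk(8, "fin-ws01", 1, r"C:\Temp\report.xlsx", r"C:\Windows\System32\wscript.exe", "AutoIt3.exe", "report.xlsx stage2.au3"),
    mk(20, "fin-ws01", 13, r"C:\Temp\report.xlsx", target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
]
```

An administrator running ipconfig /release from an interactive cmd.exe produces no alert, because only script-host parents are scored; a cmd.exe launched by wscript.exe needs the grandparent check noted in the comment.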
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1036.002 | Masquerading | Right-to-Left Override |
| Defense Evasion | T1027.006 | Obfuscated Files or Information | HTML Smuggling |
| Command and Control | T1568.002 | Dynamic Resolution | Domain Generation Algorithms |
REFERENCES:
The following reports contain further technical details:
https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/
https://securityonline.info/remcos-rat-phishing-campaign-blackout/