
26th February 2025 – A new wave of cyberattacks is targeting industrial organizations across Taiwan, Malaysia, China, Japan, Thailand, South Korea, Singapore, the Philippines, Vietnam, and Hong Kong using a powerful malware called FatalRAT. Attackers are using phishing emails and disguising their activities through legitimate Chinese cloud services like Myqcloud and Youdao Cloud Notes to evade detection.
The attack begins with a phishing email carrying a ZIP archive with a Chinese-language filename. Once opened, it starts a multi-stage infection that retrieves a DLL loader and the FatalRAT configurator from Youdao Cloud Notes. The malware itself is then downloaded from myqcloud.com while a fake error message is displayed to avoid raising suspicion. To evade detection further, the attackers use DLL side-loading, allowing FatalRAT to blend into legitimate processes.
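The chain above leaves a defender several signals that are weak alone but telling together: a process launched from an archive extraction path, outbound connections to the two cloud services named here, and a DLL loaded from the executable's own folder. The Python below is an added hunting example, not code from the article or the researchers; the event schema, the archiver and temp-path heuristics, and the sample telemetry are all constructed assumptions.

```python
from collections import defaultdict

# Base domains of the two legitimate services the article says were abused
# for staging (assumption: narrow these to the exact hosts in your proxy logs).
STAGING_HOSTS = ("youdao.com", "myqcloud.com")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
ARCHIVERS = ("explorer.exe", "winrar.exe", "7zfm.exe")  # constructed list

def _host_matches(host: str) -> bool:
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in STAGING_HOSTS)

def _dll_beside_exe(exe: str, dll: str) -> bool:
    # Side-loading signal: DLL resolved from the executable's own folder
    # instead of a Windows system directory.
    exe_dir = exe.lower().rsplit("\\", 1)[0]
    dll_dir = dll.lower().rsplit("\\", 1)[0]
    return exe_dir == dll_dir and not dll_dir.startswith(SYSTEM_DIRS)

def hunt(events):
    """Return {pid: sorted reasons} for processes with two or more signals."""
    signals = defaultdict(set)
    for e in events:
        pid = e["pid"]
        if e["type"] == "net" and _host_matches(e["host"]):
            signals[pid].add("connects to staging host " + e["host"])
        elif e["type"] == "load" and _dll_beside_exe(e["image"], e["dll"]):
            signals[pid].add("loads DLL from its own directory")
        elif (e["type"] == "proc" and e["parent"].lower().endswith(ARCHIVERS)
              and "\\temp\\" in e["image"].lower()):
            signals[pid].add("launched from temp/extraction path")
    return {pid: sorted(r) for pid, r in signals.items() if len(r) >= 2}

# Constructed telemetry: pid 412 mimics the chain, pid 900 is a normal user
# reading their own cloud notes in a browser (one signal only, not flagged).
TMP = r"C:\Users\u\AppData\Local\Temp\rar$"
SAMPLE_EVENTS = [
    {"type": "proc", "pid": 412, "image": TMP + r"\update.exe",
     "parent": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"type": "net", "pid": 412, "host": "note.youdao.com"},
    {"type": "net", "pid": 412, "host": "example-bucket.myqcloud.com"},
    {"type": "load", "pid": 412, "image": TMP + r"\update.exe",
     "dll": TMP + r"\version.dll"},
    {"type": "net", "pid": 900, "host": "note.youdao.com"},
    {"type": "load", "pid": 900, "image": r"C:\Program Files\Chrome\chrome.exe",
     "dll": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

Because both services are legitimate, a hit on the host rule alone is noise; the two-signal threshold is what makes the rule worth a ticket.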
Once installed, FatalRAT gives cybercriminals full control over the infected system. It can log keystrokes, corrupt the Master Boot Record, delete browsing data, download remote access tools like AnyDesk and UltraViewer, manipulate files, start or stop proxy services and terminate processes. The malware also runs 17 security checks to detect if it’s operating in a virtual machine or sandbox environment, terminating itself if any of these checks fail.
While the exact threat actor remains unknown, researchers suggest a Chinese-speaking group may be behind the attack due to the consistent use of Chinese-language services. This campaign also shares similarities with previous FatalRAT intrusions linked to bogus Google Ads and the Silver Fox APT group.
With cyber threats becoming more sophisticated, organizations in industrial and government sectors must strengthen their cybersecurity measures. Companies should implement stronger email security, educate employees on phishing tactics and deploy advanced endpoint protection to prevent such attacks.
