Threat Intel Flash: Sisense Data Compromise: ARC Labs Intelligence Flash


New Report Discloses RAT Campaign Using Public Cloud Infrastructure

Researchers at Cisco Talos published a report detailing a remote access trojan (RAT) campaign that uses public cloud services such as Amazon and Microsoft and is estimated to have begun on October 26, 2021. The campaign uses the Nanocore, Netwire, and AsyncRAT remote access trojan variants. Initial exploitation is accomplished via phishing emails containing a ZIP archive, which in turn contains a malicious ISO image with a JavaScript, batch file, or VBScript loader. Subdomains registered at duckdns.org are used to avoid detection of payload downloads and command-and-control (C2) communication.
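
A defender-side check for the delivery chain described above, as an added example that is not from the Cisco Talos report or this page's author: it flags ISO 9660 images inside a ZIP attachment by magic bytes, lists script-loader names found in them, and matches hostnames under duckdns.org. The function names, size cap, sample archive and hostnames are assumptions constructed for illustration.

```python
import io
import re
import zipfile

ISO_MAGIC = b"CD001"        # ISO 9660 volume descriptor identifier
ISO_MAGIC_OFFSET = 0x8001   # sector 16 of 2048 bytes, after the 1-byte type field
MAX_MEMBER_SIZE = 64 * 1024 * 1024  # assumed cap; larger members are skipped unread
# Heuristic: plain-ASCII names as stored in ISO 9660 directory records.
LOADER_NAME = re.compile(rb"[\w\-]{1,64}\.(?:js|bat|vbs)\b", re.IGNORECASE)


def scan_zip_attachment(zip_bytes):
    """Return {iso_member_name: [script names]} for ISO images inside a ZIP."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_SIZE:
                continue
            data = zf.read(info)
            # Identify the image by magic bytes, not by its file extension.
            if data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] != ISO_MAGIC:
                continue
            names = {m.group(0).decode("ascii").upper() for m in LOADER_NAME.finditer(data)}
            findings[info.filename] = sorted(names)
    return findings


def is_duckdns_subdomain(hostname):
    """True for any host under duckdns.org (case-insensitive, trailing dot ok)."""
    return hostname.rstrip(".").lower().endswith(".duckdns.org")


def build_sample_zip():
    """Constructed sample: a ZIP holding a minimal fake ISO and a text file."""
    iso = bytearray(0x9000)
    iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] = ISO_MAGIC
    iso[0x8800:0x880C] = b"INVOICE.JS;1"   # directory-record style file identifier
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.img", bytes(iso))  # extension deliberately not .iso
        zf.writestr("readme.txt", "nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip_attachment(build_sample_zip()))
    for host in ("example-c2.duckdns.org", "duckdns.org", "notduckdns.org"):
        print(host, is_duckdns_subdomain(host))
```

The name scan only sees ASCII identifiers, so names stored solely in a Joliet (UCS-2) directory would need a second pattern.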
