Expel
@expelsecurity.bsky.social
57 followers 4 following 140 posts
The leading MDR provider trusted by some of the world’s most renowned brands to expel adversaries, minimize risk, and build security resilience. 🔗 expel.com
Defender takeaway: Signed executables aren't automatically safe. DLL sideloading + indirect syscalls + benign-looking traffic = multiple security layers bypassed.

Small changes to existing attack chains can be enough to slip through.
The C2 server was live during investigation but never delivered a final payload—ultimate goal unclear.

Turns out this was a Red Team engagement by Intrinsec. But the techniques are real and worth understanding.
Evasion layer 2: C2 traffic masquerading as jQuery library requests.

Commands hidden in the cookie field (__cfduid), encrypted and encoded to look like normal Cloudflare cookies. Designed to slip past TLS inspection.

GET /content/js/jquery/v3.4.3/min.js
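The beaconing pattern described in this post, as an added hunting example (not Expel's or the red team's code): it parses constructed proxy log lines, looks at cookies on requests for static JavaScript libraries, and flags cookie values that are far longer or higher-entropy than a hex-formatted Cloudflare cookie, plus clients that refetch the same "library" with a different cookie each time, which a real browser would not do once the file is cached. The log field layout, host names, thresholds and sample values are assumptions made for the example.

```python
# Added example: hunt for C2 hidden in cookies on static-library fetches.
# Log layout, hosts and thresholds are assumptions for this example, not a
# real proxy format; the three sample lines are constructed.
import math
import re
from collections import defaultdict
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) cookie="(?P<cookie>[^"]*)"$'
)
# paths that look like a library fetch: the attacker is hiding among these
STATIC_LIB_RE = re.compile(r"/(jquery|bootstrap|angular|react)[^ ]*\.js$")

# constructed sample log: one hex-formatted cookie (benign looking), one random
# mixed-case value, one base64-looking value, and an unrelated page fetch
SAMPLE_LOG = """\
10.0.0.5 GET https://cdn.example.net/content/js/jquery/v3.4.3/min.js cookie="__cfduid=d41d8cd98f00b204e9800998ecf8427e0123456789a1612345678"
10.0.0.5 GET https://cdn.example.net/content/js/jquery/v3.4.3/min.js cookie="__cfduid=zKx9Q2n7vLp0TgR4mW8sYb3uJc5hFq1eNa6tDo2iVr7kPl9xMw4cGy8nHs0jBz3vUf5aEl2qRt6dWi1yOk7pCx9sNm0hLg3"
10.0.0.7 GET https://www.example.com/ cookie="session=abc123; theme=dark"
10.0.0.5 GET https://cdn.example.net/content/js/jquery/v3.4.3/min.js cookie="__cfduid=Ym9keT1ldmlsOyBjbWQ9d2hvYW1pOyBzbGVlcD0xMjA7IGpvYj0xIDtub25jZT1hYmNkZWY7IGhhc2g9OTg3NjU0MzIxMDEyMzQ1Ng=="
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; a hex string tops out at 4.0, base64/random text runs higher."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_cookies(header: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["cookies"] = parse_cookies(rec["cookie"])
    return rec


def cookie_signals(value: str, max_len: int = 64, min_entropy: float = 4.3) -> List[str]:
    """Return the reasons a cookie value looks like smuggled data (empty if none)."""
    signals = []
    if len(value) > max_len:
        signals.append(f"len={len(value)}")
    ent = shannon_entropy(value)
    if ent > min_entropy:
        signals.append(f"entropy={ent:.2f}")
    return signals


def hunt(log_text: str) -> List[dict]:
    findings: List[dict] = []
    refetches: Dict[tuple, set] = defaultdict(set)  # (client, url) -> distinct cookie headers
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or not STATIC_LIB_RE.search(rec["url"]):
            continue
        refetches[(rec["client"], rec["url"])].add(rec["cookie"])
        for name, value in rec["cookies"].items():
            sig = cookie_signals(value)
            if sig:
                findings.append({"client": rec["client"], "url": rec["url"],
                                 "cookie": name, "signals": sig})
    # a cached library is fetched once; repeated fetches with changing cookies look like a beacon
    for (client, url), cookies in refetches.items():
        if len(cookies) >= 3:
            findings.append({"client": client, "url": url, "cookie": None,
                             "signals": [f"refetched {len(cookies)}x with distinct cookies"]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f)
```

The entropy threshold is deliberately above 4.0 so that a genuinely hex-formatted cookie never trips it on its own; the length check catches an attacker who keeps to hex but needs room for a command. Tune both against your own proxy baseline before alerting.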
Evasion layer 1: Indirect syscalls.

Instead of calling hooked functions in ntdll, the malware calculates syscall numbers from nearby unhooked functions (up to 500 away) and jumps directly to syscall instructions already in ntdll.

User-mode EDR hooks are rendered useless.
When launched, the trojanized Greenshot shows a fake compliance progress bar for 3 seconds, then confirms "All compliance checks passed!"

Meanwhile, the malicious DLL loads updater.dll, which creates persistence via scheduled task and decrypts shellcode from logo.ico.
The attack chain, continued ⛓️
↳ Indirect syscalls evade EDR hooks by calculating system call numbers from unhooked functions
↳ C2 traffic masquerading as jQuery library requests to dodge TLS inspection
The attack chain ⛓️
↳ Cache smuggling delivers the payload
↳ DLL sideloading uses the legitimate signed Greenshot.exe to load malicious code
↳ Fake UI shows a "FortiClient compliance checker" progress bar while malware runs
Attackers found a clever way to abuse legitimate, digitally signed software to load malware and it's working.

Expel Intel’s Marcus Hutchins (@malwaretech.com) breaks down a campaign that weaponizes Greenshot, a legit screenshot tool, to evade detection at multiple layers. 🧵
Halloween might be the spookiest day in October but this month's Patch Tuesday is a close second.

175 new CVEs from Microsoft, 8 marked critical, 6 zero-days, 2 already exploited in the wild.

But not to fear, our threat intel team breaks down the 3 you should patch first. expel.com/blog/patch-t...
Patch Tuesday: October 2025 (Expel’s version)
This month, we're highlighting top critical vulnerabilities, including six zero-day vulnerabilities, and one in Cisco IOS.
expel.com
Reposted by Expel
We encountered a unique variant of the ClickFix malware technique. The catch? The user is social engineered into running a PowerShell script which downloads no files, makes no web requests, and embeds no payload.

Regardless, it's still able to install a malicious loader.

expel.com/blog/cache-s...
Cache smuggling: When a picture isn’t a thousand words
We recently observed an innovative campaign using the ClickFix attack tactic for cache smuggling. Here's what you need to know.
expel.com
This technique isn't widespread yet but we've seen it before. Part 2 drops soon; we'll show you how attackers abuse a legitimate signed executable to load highly evasive shellcode.

Full analysis by Marcus Hutchins (@malwaretech.com), Principal Threat Researcher: expel.com/blog/cache-s...
Defense recommendations:
→ Alert on unexpected processes touching browser cache
→ Restrict PowerShell to users who need it
→ Monitor for suspicious PowerShell execution patterns
→ Block newly created/newly seen domains
→ Educate users on ClickFix social engineering
This bypasses a lot of security tools:
• No explicit file downloads to scan
• No PowerShell web requests to flag
• Just an "image" getting cached (normal behavior) and a script reading local files (also normal)

Simple. Effective. Evasive.
The webpage fetches what claims to be an image (Content-Type: image/jpeg). Browser dutifully caches it.

Open it in a hex editor? No JPG header. Just a zip archive wrapped in those magic strings, sitting in your cache waiting to be extracted.
Here's where it gets interesting: The PowerShell script doesn't download anything. It searches your browser's cache for data wrapped between two strings: "bTgQcBpv" and "mX6o0lBw"

That data? A zip file the page already smuggled into your cache as a fake JPG.
When you click "Open File Explorer," it copies what looks like a harmless file path to your clipboard:

\Public\Support\VPN\ForticlientCompliance.exe

But 139 spaces are hiding a PowerShell command above it that your eyes never see.
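The two stages of the ClickFix chain described in the last few posts (the padded clipboard string, and the zip smuggled into the browser cache as a fake JPEG between the `bTgQcBpv` / `mX6o0lBw` markers), as an added defender-side example that is not the campaign's script or Expel's code. The clipboard text, the "image" bytes and the zip contents are constructed here; the marker strings and the 139-space padding are taken from the thread, everything else (regexes, thresholds, the interpreter list) is an assumption for the example.

```python
# Added example: reproduce the lure's two artefacts from constructed data and
# show the checks that catch each one. Markers and padding width come from the
# thread; the rest is assumed for illustration.
import io
import re
import zipfile
from typing import List, Optional

START_MARKER = b"bTgQcBpv"
END_MARKER = b"mX6o0lBw"
PAD = 139            # spaces between the hidden command and the visible path
JPEG_MAGIC = b"\xff\xd8\xff"


# --- stage 1: the clipboard string ---------------------------------------
def build_lure_clipboard(hidden_cmd: str, visible_path: str) -> str:
    """Constructed lure: command, PAD spaces, then the harmless-looking path."""
    return hidden_cmd + " " * PAD + visible_path


def inspect_clipboard(text: str, min_pad: int = 20) -> dict:
    """Split pasted text at its longest whitespace run and report what would actually run."""
    runs = list(re.finditer(r"\s{%d,}" % min_pad, text))
    if not runs:
        return {"suspicious": False, "executes": text, "visible_tail": text, "padding": 0}
    m = max(runs, key=lambda r: len(r.group()))
    head, tail = text[:m.start()], text[m.end():]
    interp = re.search(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|curl)\b", head, re.I)
    return {"suspicious": interp is not None, "executes": head,
            "visible_tail": tail, "padding": len(m.group())}


# --- stage 2: the "image" in the browser cache ---------------------------
def build_fake_image(zip_members: dict) -> bytes:
    """Constructed response body: no JPEG header, a zip wrapped in the markers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in zip_members.items():
            z.writestr(name, data)
    return b"junk-prefix" + START_MARKER + buf.getvalue() + END_MARKER + b"junk-suffix"


def content_type_mismatch(declared: str, body: bytes) -> bool:
    """Server declared image/jpeg but the bytes carry no JPEG SOI marker."""
    return declared.lower().startswith("image/jpeg") and not body.startswith(JPEG_MAGIC)


def carve_smuggled(body: bytes) -> List[bytes]:
    """Every blob between the markers: the same search the PowerShell stage performs."""
    blobs, pos = [], 0
    while True:
        s = body.find(START_MARKER, pos)
        if s < 0:
            return blobs
        e = body.find(END_MARKER, s + len(START_MARKER))
        if e < 0:
            return blobs
        blobs.append(body[s + len(START_MARKER):e])
        pos = e + len(END_MARKER)


def zip_listing(blob: bytes) -> Optional[List[str]]:
    """Member names if the carved blob is a zip (PK\\x03\\x04), else None."""
    if not blob.startswith(b"PK\x03\x04"):
        return None
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return z.namelist()


def scan_cache_entry(declared_type: str, body: bytes) -> dict:
    return {"type_mismatch": content_type_mismatch(declared_type, body),
            "smuggled": [zip_listing(b) for b in carve_smuggled(body)]}


if __name__ == "__main__":
    clip = build_lure_clipboard('powershell -w hidden -c "..."',
                                r"\Public\Support\VPN\ForticlientCompliance.exe")
    print(inspect_clipboard(clip))
    img = build_fake_image({"ForticlientCompliance.exe": b"MZ-constructed-stub"})
    print(scan_cache_entry("image/jpeg", img))
```

The `content_type_mismatch` check is the cheapest one to run at the proxy: a body served as `image/jpeg` that does not begin with the JPEG magic bytes deserves a look regardless of what markers it uses, since the marker strings will change from one campaign to the next.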
The lure pretends to be a Fortinet VPN Compliance Checker. Makes sense. Fortinet's VPN is used by enterprises so compromising it means access to corporate networks.

The page looks unassuming. The command doesn't.
⚠️ Our threat intel team just caught attackers using a clever new trick to bypass security tools: cache smuggling.

Instead of downloading malware, they hide it in fake images that browsers automatically cache. Then PowerShell extracts and runs it—no web requests needed.
This evolution builds on our foundation of integrating actionable threat intel into daily operations. We’re accelerating our capabilities, dedicating expert resources to surface context that benefits customers and the security community.

Learn more: expel.com/intel
(7/7)
Expel Intel | Cybersecurity threat intelligence
Expel’s dedicated threat intelligence team and program, transforming real-world incident findings into actionable defense strategies.
expel.com
We're also bringing @malwaretech.com into the mix. Marcus’ expertise in malware analysis and reverse engineering adds serious firepower to our ability to understand and counter evolving threats. 👀 Read his first blog post with Expel: expel.com/blog/cache-s...
(6/7)
Our threat intelligence isn't academic. It’s built by operators, for operators. We share what we learn from stopping real attacks. The community gets stronger when we all learn from the same adversaries.
(5/7)
Our approach: When our SOC identifies threats across customer environments, Expel Intel digs deeper, documents what matters, and publishes the findings. When zero-days emerge, we hunt and share results. When attack patterns shift, we explain what's happening and what to do.
(4/7)
For years, our threat intel team has been behind the scenes turning real incidents into actionable defense strategies for our customers. We're expanding our focus to share what we're learning with the broader security community.
(3/7)
You’ve likely seen some of our work.

👉 Added clarity around a specific trojan (ManualFinder): www.reddit.com/r/cybersecur...
👉 Distinguished BaoLoader from other malware via code-signing certificates: expel.com/blog/the-his...
👉 Investigating Latrodectus malware: x.com/ExpelSecurit...
(2/7)