Hackers Exploit MSIX Windows App Packages to Spread Malware

Cybersecurity Researchers Uncover a New Malware Distribution Method

The malware delivered through these MSIX files is a loader with a single job: fetching and running one of several final payloads. The payloads observed so far are SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT. Each has its own feature set, but all of them give the operator remote access, arbitrary code execution, and a path for data exfiltration.

When an unsuspecting user falls for the lure and runs the file, the Windows App Installer prompt appears with an “Install” button. Clicking it installs the package, which drops the GHOSTPULSE malware loader onto the endpoint.

Explaining the method behind the madness, Elastic Security Labs researcher Joe Desimone noted that Windows will only install an MSIX package that carries a trusted code signature, so attackers need access to purchased or stolen code signing certificates. That cost makes the technique attractive mainly to groups with above-average resources.
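Because an MSIX is just a ZIP container with an AppxManifest.xml and (when signed) an AppxSignature.p7x, an analyst can pull the triage-relevant facts out of a suspicious package without opening it on a Windows host: the declared identity and publisher, which executable runs on "Install", whether the package asks for the runFullTrust capability that lets it launch an unrestricted Win32 binary, and whether a signature blob is present at all. The script below is an added example written for this article, not code from the article or from Elastic Security Labs. It assumes only the documented MSIX layout (manifest at the package root, the p7x signature file prefixed with the 4-byte "PKCX" marker); the sample package it builds, the publisher name and the setup.exe stub inside it are constructed for the demonstration. It does not validate the signature chain; that step, and comparing the manifest Publisher string with the signer's subject, still has to be done on Windows with a tool such as Get-AuthenticodeSignature.

```python
"""Offline triage of an MSIX/AppX package (a ZIP container).

Reports what the package claims about itself before it is touched on a
Windows box. Signature *presence* is checked here; chain validation,
revocation and the Publisher-vs-signer-subject match must be done on
Windows (Get-AuthenticodeSignature, signtool).
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10",
    "rescap": "http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities",
}
# AppxSignature.p7x is a DER PKCS#7 SignedData blob prefixed with this marker.
SIGNATURE_MAGIC = b"PKCX"


def triage_msix(data: bytes) -> dict:
    """Parse an MSIX held in memory and return the fields an analyst wants."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        manifest = ET.fromstring(z.read("AppxManifest.xml"))
        sig = z.read("AppxSignature.p7x") if "AppxSignature.p7x" in names else None

    ident = manifest.find("m:Identity", NS)
    apps = [
        {"id": a.get("Id"), "executable": a.get("Executable"), "entry_point": a.get("EntryPoint")}
        for a in manifest.findall("m:Applications/m:Application", NS)
    ]
    # Restricted capabilities (rescap:) and ordinary ones live under the same parent.
    caps = [c.get("Name") for c in manifest.findall("m:Capabilities/rescap:Capability", NS)]
    caps += [c.get("Name") for c in manifest.findall("m:Capabilities/m:Capability", NS)]
    return {
        "name": ident.get("Name"),
        "publisher": ident.get("Publisher"),   # must match the signer subject on a valid package
        "version": ident.get("Version"),
        "applications": apps,
        "capabilities": caps,
        "has_signature": sig is not None and sig.startswith(SIGNATURE_MAGIC),
        "binaries": [n for n in names if n.lower().endswith((".exe", ".dll"))],
    }


def flags(report: dict) -> list:
    """Turn a triage report into short analyst-facing warnings."""
    out = []
    if not report["has_signature"]:
        out.append("unsigned: App Installer will not install it; test build or tampered package")
    if "runFullTrust" in report["capabilities"]:
        out.append("runFullTrust: package may launch an unrestricted Win32 executable")
    present = {b.lower() for b in report["binaries"]}
    for app in report["applications"]:
        exe = app["executable"]
        if exe and exe.lower() not in present:
            out.append(f"entry point {exe} is declared but not present in the package")
    return out


def build_sample_package(signed: bool) -> bytes:
    """Construct a minimal package in memory (sample data, not a real installer)."""
    manifest = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
         xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities">
  <Identity Name="Example.Installer" Publisher="CN=Example Publisher" Version="1.0.0.0"/>
  <Applications>
    <Application Id="App" Executable="setup.exe" EntryPoint="Windows.FullTrustApplication"/>
  </Applications>
  <Capabilities>
    <rescap:Capability Name="runFullTrust"/>
  </Capabilities>
</Package>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", manifest)
        z.writestr("setup.exe", b"MZ" + b"\0" * 62)  # constructed stub, not a real PE
        if signed:
            # Constructed stand-in: marker plus a placeholder, no real PKCS#7 inside.
            z.writestr("AppxSignature.p7x", SIGNATURE_MAGIC + b"\x30\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for signed in (True, False):
        report = triage_msix(build_sample_package(signed))
        print(report["name"], report["publisher"], report["applications"][0]["executable"])
        for warning in flags(report):
            print("  !", warning)
```

To run it against a real sample, read the file into bytes and pass it to triage_msix; a package that reports has_signature as False will never get past App Installer, so a signed one whose Publisher string does not match the certificate subject seen on Windows is the more interesting case for the certificate-abuse angle the article describes.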