Public
- Public
- Network
- Groups
- Featured
- Popular
- People

A detailed screenshot showing multiple open windows related to the BOINC client setup. Clockwise from left to right: Malicious installation using legitimate BOINC files. Legitimate BOINC client used in malicious setup. Scheduled task 1/3: Run BOINC client. Scheduled task 2/3: Run PowerShell script. Scheduled task 3/3: Run (another) PowerShell script. Red arrows highlight the relationship between the tasks and the scripts used.

Download link

A detailed screenshot showing multiple open windows related to the BOINC client setup. Clockwise from left to right: Malicious installation using legitimate BOINC files. Legitimate BOINC client used in malicious setup. Scheduled task 1/3: Run BOINC client. Scheduled task 2/3: Run PowerShell script. Scheduled task 3/3: Run (another) PowerShell script. Red arrows highlight the relationship between the tasks and the scripts used.
https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/828/178/962/474/298/original/eb4d38e1f39c2951.png

Notices where this attachment appears

Embed this notice
Brad (malware_traffic@infosec.exchange)'s status on Wednesday, 15-Jan-2025 19:38:07 JST Brad

From social media posts I wrote for my employer at https://www.linkedin.com/posts/unit42_kongtuke-boinc-activity-7284986403476717568-InKv/ and https://x.com/Unit42_Intel/status/1879220778173870556
2025-01-13 (Monday): Legitimate websites infected with #KongTuke script present "verify you are human" pages that ask victims to paste PowerShell script into a Run window. Lately, this has led to infections abusing the #BOINC platform. More info at: https://bit.ly/3DU2H2R
A #pcap from an example of the infection traffic and the associated files/artifacts are available at https://www.malware-traffic-analysis.net/2025/01/13/index.html

In conversation about 16 days ago from infosec.exchange permalink