Security researchers are being targeted with fake proof-of-concept exploits
- Trend Micro sees a piece of malware advertised as a PoC fork for a major Windows vulnerability
- The malware acts as an information stealer and obtains vital system information
- These types of attacks are often carried out by nation states
Cybercriminals are targeting security researchers with fake proof-of-concept (PoC) exploits in an attempt to infect their computers with information-stealing malware, experts warn.
Trend Micro researchers, who spotted the new campaign in January 2025, described how the crooks publish a PoC for a popular, critical vulnerability to draw the attention of the security community.
Researchers who download the PoC to analyze it, and run it, end up installing malware instead.
Stealing vital PC information
In this particular case, the scammers were promoting a fork of a legitimate, existing PoC for LDAPNightmare, the name given earlier in January to a pair of Windows flaws, CVE-2024-49112 and CVE-2024-49113, when a public PoC for them was released.
The first of the two serves as the decoy here: it is a 9.8/10 severity bug in the Windows Lightweight Directory Access Protocol (LDAP) that allows remote code execution (RCE), so a PoC for it is guaranteed to attract downloads.
In her article, Trend Micro researcher Sarah Pearl Camiling said that “both vulnerabilities were considered highly significant due to the widespread use of LDAP in Windows environments.” Both bugs were fixed in December 2024 via the Patch Tuesday cumulative update.
In the fake PoC, the scammers replaced some of the legitimate source files with an executable named “poc.exe”. Running it deploys a PowerShell script, which in turn launches another script that steals data from the computer.
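The practical lesson of the swap described above is to audit a cloned PoC repository before executing anything in it. The following script is an added example written for this article; it is not Trend Micro's code and not taken from the malicious repository. It walks a directory, flags anything with an executable or script extension, and separately checks the first two bytes of every file for the Windows PE “MZ” magic, so a binary renamed to look like a Python source file is still caught. The repository layout and file contents it builds are constructed to mirror the scenario (a Python PoC with a poc.exe dropped in), not copied from the real fork.

```python
"""Audit a cloned PoC repository for binaries before running anything in it.

Added example for this article; it is not Trend Micro's code or the
campaign's. The repository layout and file contents below are constructed
to mirror the scenario described (a Python PoC whose source files were
swapped for a poc.exe), not copied from the real repository.
"""
import tempfile
from pathlib import Path

# File types that have no business in a PoC that is supposed to be Python.
SUSPECT_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".ps1", ".vbs", ".js", ".hta", ".lnk",
}


def is_pe(path):
    """True if the file carries the Windows PE 'MZ' magic, whatever its
    extension, so an .exe renamed to .py or .txt is still caught."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def audit_poc_dir(root):
    """Walk the repo and return (relative_posix_path, reason) pairs for
    every file a researcher should inspect before executing the PoC."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if is_pe(path):
            findings.append((rel, "PE executable (MZ header)"))
        elif path.suffix.lower() in SUSPECT_EXTENSIONS:
            findings.append((rel, "executable or script extension " + path.suffix.lower()))
    return findings


def build_sample_repo():
    """Construct a throwaway directory shaped like the trojanised fork
    (constructed sample data, not the real repository)."""
    root = Path(tempfile.mkdtemp(prefix="poc_audit_"))
    (root / "README.md").write_text("LDAPNightmare PoC (fork)\n")
    (root / "poc.py").write_text("print('harmless placeholder')\n")
    # The swapped-in binary from the article; only the magic bytes matter here.
    (root / "poc.exe").write_bytes(b"MZ" + b"\x90" * 62)
    # Same binary hidden under a Python extension: an extension check misses
    # it, the magic-byte check does not.
    (root / "helpers").mkdir()
    (root / "helpers" / "update.py").write_bytes(b"MZ" + b"\x00" * 62)
    # A launcher script of the kind poc.exe is reported to deploy.
    (root / "run.ps1").write_text("Write-Host 'stage two'\n")
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for rel, reason in audit_poc_dir(repo):
        print(f"{reason:40} {rel}")
```

Run it against the directory you cloned rather than the sample: `audit_poc_dir("/path/to/clone")`. A clean Python PoC should return an empty list; anything else deserves a look in a sandbox, and a comparison against the upstream repository the fork claims to come from, before a single line is executed.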
This is what the infostealer is going for:
– PC information
– Process list
– Directory lists (Downloads, Recents, Documents and Desktop)
– Network IPs
– Network adapters
– Updates installed
This type of attack is nothing new; criminals have regularly been observed using the same tactic in the past.
Although the report does not say so, attacks of this kind are often carried out by nation-state actors seeking to gather intelligence on the security practices of large technology organizations, government agencies, critical infrastructure operators, and others.
Via The Register