Unveiling 0bj3ctivityStealer’s Execution Chain: New Capabilities and Exfiltration Techniques Exposed
gbhackers
In the ever-evolving infostealer landscape, 0bj3ctivityStealer emerges as a formidable threat, blending advanced obfuscation with targeted data exfiltration.
First documented earlier this year by HP Wolf Security researchers, this .NET-based malware was subsequently picked up in proactive threat hunting by the Trellix Advanced Research Center, which uncovered a new phishing-driven campaign.
The infection begins with spearphishing emails themed around a “Quotation offer”, featuring low-resolution images of fabricated purchase orders that lure victims into clicking a “Download” link leading to Mediafire-hosted JavaScript files.

This initial script, heavily obfuscated with over 3,000 lines of junk code, decodes into a PowerShell payload that fetches a steganographically concealed .NET loader from a JPG image hosted on archive.org.
Sophisticated Delivery Mechanism
By scanning for a specific hexadecimal pattern (0x42 0x4D 0x32 0x55 0x36 0x00 0x00 0x00 0x00 0x00 0x36 0x00 0x00 0x00 0x28 0x00), the script extracts RGB pixel values to reconstruct the loader ... The pattern is a Windows bitmap file header: “BM” signature, a file size of 0x00365532 bytes, two zeroed reserved fields, a pixel-array offset of 0x36 (54) bytes and the start of a 40-byte (0x28) BITMAPINFOHEADER. In other words, the PowerShell stage is not decoding the JPG itself; it is locating a BMP carried inside the downloaded image and reading the loader bytes out of that bitmap's pixel array.
Copyright of this story solely belongs to gbhackers.