Report

Facebook Malvertising Epidemic: Unraveling a Persistent Threat: SYS01 - Part 2

20 pages

The Trustwave SpiderLabs report on the Facebook Malvertising Epidemic, Part 2, details the evolution of the SYS01 malware, which has been active since 2022 and is attributed to Vietnamese actors. The latest variants add defenses such as WMIC-based evasion, TeraCopy for efficient file collection, browser termination, an updated exfiltration routine, and fallback C2 via Google Sites and Telegram. Infrastructure analysis shows consistent domain registration patterns, freshly issued Let's Encrypt certificates, and Cloudflare hosting, underscoring the campaign's persistence. The researchers link SYS01 with the Rilide Stealer, noting overlaps in the malicious ZIP archives, DLL sideloading, and campaign delivery through fraudulent ads. The findings highlight the adaptability of SYS01 and the need for proactive, multi-layered defenses.
