PoisonX Driver-Based Attack Campaign Targets Japanese Organizations
Summary
A campaign observed in April 2026 used spear-phishing emails with malicious LNK files or executable downloads hosted on Google Cloud Storage. The delivered payload installed a kernel driver called PoisonX together with a modular RAT named 10FXRAT, allowing the attackers to gain kernel-level privileges, disable security tools, and conceal malicious activity. Later variants also adopted BYOVD tactics through legitimate signed drivers such as EneIo64.sys and procexp.sys. The activity has been observed targeting organizations in Japan and China.
Investigation
The report walks through the full execution chain, beginning with an LNK-based downloader that invokes curl.exe, then moving to PXDropper components that deploy the PoisonX driver and 10FXRAT modules. It also describes the driver-based IOCTL routines used to terminate security-related processes and hide network traffic. Researchers documented anti-analysis checks, registry modifications, service creation, and persistence methods, and listed hard-coded command-and-control IP addresses associated with the operation.
Mitigation
Defenders should monitor for unexpected driver installation activity, especially drivers that are unsigned or suspiciously signed, and for creation of services with randomized HID-style filenames. Detection should also cover registry changes that add Microsoft Defender exclusions or disable Defender services. Outbound traffic to the identified command-and-control IP ranges should be blocked, and network monitoring should look for the 0x58463031 magic value in TCP payloads.
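The magic-value check described above, as an added example that is not part of the original report: a small Python matcher that looks for 0x58463031 at the start of a TCP payload (or anywhere in it), and renders the byte pattern as a Suricata/Snort content string. The report does not state the byte order on the wire, so both encodings are tried; the sample payloads are constructed, not real captures.

```python
import struct

# Magic value the report associates with 10FXRAT TCP payloads (from the page)
MAGIC = 0x58463031

# Byte order on the wire is not stated in the report, so match both encodings
MAGIC_PATTERNS = {
    "big-endian": struct.pack(">I", MAGIC),     # b"XF01"
    "little-endian": struct.pack("<I", MAGIC),  # b"10FX"
}

def find_magic(payload: bytes, header_only: bool = True):
    """Return (offset, byte_order) of the earliest magic match, or None.

    header_only=True accepts the magic only at offset 0 (low false-positive
    check for a protocol header); False scans the whole payload in case the
    value is preceded by other fields.
    """
    best = None
    for order, pattern in MAGIC_PATTERNS.items():
        if payload.startswith(pattern):
            idx = 0
        else:
            idx = -1 if header_only else payload.find(pattern)
        if idx != -1 and (best is None or idx < best[0]):
            best = (idx, order)
    return best

def suricata_content(pattern: bytes) -> str:
    """Render a byte pattern as a Suricata/Snort content hex string."""
    return "|" + " ".join(f"{b:02x}" for b in pattern) + "|"

def scan_flows(flows: dict) -> dict:
    """Map flow id -> match for every flow whose first payload starts with the magic."""
    return {fid: m for fid, data in flows.items() if (m := find_magic(data)) is not None}

# Constructed sample payloads (not real captures): TLS ClientHello, HTTP, and
# synthetic payloads carrying the magic in each byte order or mid-payload.
SAMPLE_FLOWS = {
    "tls":    b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
    "http":   b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "rat-be": b"XF01" + struct.pack("<I", 32) + b"\x00" * 32,
    "rat-le": b"10FX" + struct.pack("<I", 32) + b"\x00" * 32,
    "mid":    b"\x00\x00" + b"XF01" + b"\x00" * 8,
}

if __name__ == "__main__":
    for fid, (off, order) in scan_flows(SAMPLE_FLOWS).items():
        print(f"{fid}: magic at offset {off} ({order})")
    for order, pat in MAGIC_PATTERNS.items():
        print(f'{order}: content:"{suricata_content(pat)}";')
```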
Response
If this activity is detected, isolate the affected endpoint immediately, unload the PoisonX driver where possible, and terminate all 10FXRAT processes. Restore altered registry settings, re-enable Microsoft Defender protections, and replace modified files with clean versions from trusted sources. A full forensic investigation should then be performed to identify persistence mechanisms and review traffic to the known command-and-control servers.
Attack Flow
```mermaid
graph TB
  %% Class definitions
  classDef action fill:#ffcc99
  classDef tool fill:#99ff99
  classDef malware fill:#ff9966
  classDef process fill:#ccccff

  %% Nodes
  email["<b>Tool</b> – <b>Name</b>: Phishing Email<br/><b>Description</b>: Targeted email with malicious Google Cloud Storage link"]
  class email tool
  initial_access_phishing["<b>Action</b> – <b>T1566.002 Spearphishing Link</b><br/>Attacker sends email containing a link to a malicious LNK or EXE file"]
  class initial_access_phishing action
  lNK_file["<b>Tool</b> – <b>Name</b>: Malicious LNK Shortcut<br/><b>Description</b>: Shortcut that runs curl.exe to fetch the dropper"]
  class lNK_file tool
  curl_download["<b>Process</b> – <b>Name</b>: curl.exe<br/><b>Action</b>: Downloads PXDropper payload from the remote server"]
  class curl_download process
  pxdropper["<b>Malware</b> – <b>Name</b>: PXDropper<br/><b>Description</b>: Dropper that sets up persistence and prepares privilege escalation"]
  class pxdropper malware
  persistence_service["<b>Action</b> – <b>T1547.009 Shortcut Modification</b><br/>Creates or modifies a shortcut to achieve autostart"]
  class persistence_service action
  registry_run["<b>Action</b> – <b>T1547.001 Registry Run Keys/Startup Folder</b><br/>Adds a Run registry entry for automatic execution"]
  class registry_run action
  service_creation["<b>Action</b> – <b>T1543.003 Create or Modify System Process: Windows Service</b><br/>Installs a Windows service to run the dropper at boot"]
  class service_creation action
  priv_esc_exploit["<b>Action</b> – <b>T1068 Exploitation for Privilege Escalation</b><br/>Exploits a vulnerability to load a signed driver"]
  class priv_esc_exploit action
  driver_install["<b>Malware</b> – <b>Name</b>: PoisonX Driver<br/><b>Description</b>: Signed kernel driver loaded as a service (BYOVD)"]
  class driver_install malware
  kernel_privilege["<b>Action</b> – <b>T1547.006 Boot or Logon Autostart Execution</b><br/>Kernel driver grants SYSTEM-level privileges"]
  class kernel_privilege action
  defense_evasion["<b>Action</b> – <b>T1497.001 Virtualization/Sandbox Evasion</b><br/>Performs checks for analysis environments"]
  class defense_evasion action
  rootkit["<b>Action</b> – <b>T1014 Rootkit</b><br/>Hooks kernel APIs to hide processes and network traffic"]
  class rootkit action
  discovery_process["<b>Action</b> – <b>T1057 Process Discovery</b><br/>Enumerates running processes on the host"]
  class discovery_process action
  discovery_security["<b>Action</b> – <b>T1518.001 Security Software Discovery</b><br/>Detects installed security products"]
  class discovery_security action
  defense_impair["<b>Action</b> – <b>Defense Impairment</b><br/>Uses driver IOCTL commands to terminate security product processes"]
  class defense_impair action
  c2_ratat["<b>Malware</b> – <b>Name</b>: 10FXRAT<br/><b>Description</b>: Remote access tool that creates an internal SOCKS5 proxy"]
  class c2_ratat malware
  c2_communication["<b>Action</b> – <b>T1219 Remote Access Tools</b><br/>Establishes encrypted C2 channel with the attacker"]
  class c2_communication action
  proxy_setup["<b>Action</b> – <b>T1090 Proxy</b><br/>Sets up internal SOCKS5 tunnel for traffic forwarding"]
  class proxy_setup action
  additional_mods["<b>Action</b> – <b>Additional Capabilities</b><br/>Modular plugins provide keylogging, credential theft, and crypto-wallet harvesting"]
  class additional_mods action

  %% Connections showing the attack flow
  email -->|delivers| initial_access_phishing
  initial_access_phishing -->|provides| lNK_file
  lNK_file -->|executes| curl_download
  curl_download -->|downloads| pxdropper
  pxdropper -->|creates| persistence_service
  persistence_service -->|registers| service_creation
  service_creation -->|runs| pxdropper
  pxdropper -->|adds| registry_run
  pxdropper -->|uses| priv_esc_exploit
  priv_esc_exploit -->|installs| driver_install
  driver_install -->|grants| kernel_privilege
  kernel_privilege -->|enables| rootkit
  rootkit -->|performs| defense_evasion
  rootkit -->|performs| discovery_process
  rootkit -->|performs| discovery_security
  discovery_process -->|enables| defense_impair
  pxdropper -->|drops| c2_ratat
  c2_ratat -->|uses| c2_communication
  c2_communication -->|establishes| proxy_setup
  proxy_setup -->|supports| additional_mods
```
Detections
- Suspicious CURL Usage (via cmdline)
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
- Disabling Windows Defender Protections (via registry_event)
- Possible Malicious LNK File with Double Extension (via cmdline)
- The Possibility of Execution Through Hidden PowerShell Command Lines (via cmdline)
- Call Suspicious .NET Classes/Methods from Powershell CommandLine (via process_creation)
- System Processes Execution from Untypical Paths (via process_creation)
- Call Suspicious .NET Methods from Powershell (via powershell)
- Windows Defender Preferences Suspicious Changes (via powershell)
- Google Api Storage Domain Was Resolved By Unusual Process (via dns_query)
- IOCs (HashSha256) to detect: PoisonX Driver-Based Attack Campaign Targeting Japanese Organizations Part 2
- IOCs (HashSha256) to detect: PoisonX Driver-Based Attack Campaign Targeting Japanese Organizations Part 1
- IOCs (SourceIP) to detect: PoisonX Driver-Based Attack Campaign Targeting Japanese Organizations
- IOCs (DestinationIP) to detect: PoisonX Driver-Based Attack Campaign Targeting Japanese Organizations
- Detection of 10FXRAT C2 Communication [Windows Network Connection]
- Detection of 10FXRAT and Security Service Disabling Commands [Windows Process Creation]
- Malware Persistence via Windows Defender and Run Key Modifications [Windows Registry Event]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
The attacker first injects a custom shellcode payload into usoclient64.exe to gain a trusted-process foothold (T1574.009). With the hijacked process, they execute a PowerShell one-liner that adds the malicious payload folder to Windows Defender's exclusion list (T1564.012). Finally, they disable core security services using a chained cmd.exe call that stops Windows Defender, Windows Security Center, and any third-party AV (T1547.001 persistence via service disruption).
- Process Hollowing / Injection – simulate by launching usoclient64.exe with a PowerShell script that sleeps (represents injected code).
- Add Defender Exclusion – PowerShell command exactly matching the rule's string.
- Stop Security Services – cmd.exe one-liner that stops the services.
Regression Test Script:
```powershell
# -------------------------------------------------------------------------
# Simulation Script – triggers the Sigma rule for 10FXRAT-like behavior
# -------------------------------------------------------------------------

# 1. Simulate usoclient64.exe injection (process hollowing placeholder)
$usoclient = "$env:SystemRoot\System32\usoclient64.exe"
Write-Host "[*] Launching usoclient64.exe (simulated injection)..."
if (Test-Path $usoclient) {
    Start-Process -FilePath $usoclient -ArgumentList "/RunDll32" -WindowStyle Hidden
} else {
    # The binary path is taken from the test plan as written; skip the step rather than fail the run
    Write-Warning "usoclient64.exe not found at $usoclient; skipping injection step"
}

# 2. PowerShell command that adds a Defender exclusion (matches rule)
Write-Host "[*] Adding Windows Defender exclusion path..."
powershell.exe -NoP -NonI -W Hidden -C "Add-MpPreference -ExclusionPath 'C:\Temp\Malicious'"

# 3. Disable security services via cmd (matches rule)
Write-Host "[*] Stopping security services..."
cmd.exe /c "net stop WinDefend /y >nul 2>&1 & net stop wscsvc /y >nul 2>&1 & net stop Sense /y >nul 2>&1"

Write-Host "[+] Simulation complete. Verify alerts in the SIEM."
```
Cleanup Commands:
```powershell
# -------------------------------------------------------------------------
# Cleanup – restores normal security posture
# -------------------------------------------------------------------------

# Remove the Defender exclusion added by the simulation
powershell.exe -NoP -NonI -W Hidden -C "Remove-MpPreference -ExclusionPath 'C:\Temp\Malicious'"

# Restart the stopped services
cmd.exe /c "net start WinDefend >nul 2>&1 & net start wscsvc >nul 2>&1 & net start Sense >nul 2>&1"

# Optionally kill the simulated usoclient64.exe instance, if one was launched
Get-Process -Name usoclient64 -ErrorAction SilentlyContinue | Stop-Process -Force

Write-Host "[+] Cleanup finished."
```
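As an added example (not part of the page's simulation or of its detection rules), the following Python classifies constructed process-creation and registry events for the behaviours the simulation above generates, and flags hosts where a Defender exclusion and a security-service stop occur together. The command strings mirror the simulation script; the registry paths are the standard Defender exclusion and Run-key locations, and the event field names are assumptions for this example.

```python
import re

# Process-creation patterns for the two commands the simulation runs
PROCESS_RULES = {
    "defender_exclusion_added": re.compile(r"Add-MpPreference\s+-ExclusionPath\b", re.I),
    "security_service_stop": re.compile(
        r"\bnet(?:1)?(?:\.exe)?\s+stop\s+(?:WinDefend|wscsvc|Sense)\b", re.I),
}
# Registry-event patterns: Defender exclusion/disable keys and Run-key persistence
REGISTRY_RULES = {
    "defender_exclusion_registry": re.compile(r"\\Windows Defender\\Exclusions\\", re.I),
    "defender_disabled_registry": re.compile(r"\\Windows Defender\\DisableAntiSpyware$", re.I),
    "run_key_persistence": re.compile(r"\\CurrentVersion\\Run\\", re.I),
}

def classify(event: dict) -> list:
    """Return the names of every rule the event matches (empty list if benign)."""
    if event.get("type") == "process_creation":
        field, rules = event.get("command_line", ""), PROCESS_RULES
    elif event.get("type") == "registry_event":
        field, rules = event.get("target_object", ""), REGISTRY_RULES
    else:
        return []
    return [name for name, rx in rules.items() if rx.search(field)]

def hosts_with_chain(events: list) -> list:
    """Hosts on which both a Defender exclusion and a service stop were seen."""
    seen = {}
    for ev in events:
        for hit in classify(ev):
            seen.setdefault(ev["host"], set()).add(hit)
    wanted = {"defender_exclusion_added", "security_service_stop"}
    return sorted(h for h, hits in seen.items() if wanted <= hits)

# Constructed sample telemetry (not real logs); field names are assumed for this example
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process_creation",
     "command_line": "powershell.exe -NoP -NonI -W Hidden -C \"Add-MpPreference -ExclusionPath 'C:\\Temp\\Malicious'\""},
    {"host": "ws01", "type": "process_creation",
     "command_line": "cmd.exe /c \"net stop WinDefend /y >nul 2>&1 & net stop wscsvc /y >nul 2>&1\""},
    {"host": "ws01", "type": "registry_event",
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Temp\\Malicious"},
    {"host": "ws02", "type": "registry_event",
     "target_object": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"host": "ws02", "type": "process_creation",
     "command_line": "powershell.exe -Command Get-MpPreference"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["host"], ev["type"], classify(ev))
    print("hosts with exclusion + service stop:", hosts_with_chain(SAMPLE_EVENTS))
```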