Hogfarming.7z Review

Overview

HogFarming.7z is primarily distributed via spear-phishing emails. These emails often use topical lures related to regional geopolitics or government directives to entice victims into downloading and extracting the archive.

The archive is frequently utilized in campaigns that leverage DLL side-loading techniques. In these scenarios, a legitimate, digitally signed executable is bundled with a malicious DLL that the executable is forced to load.

Analysis of the Infection Chain

Once the user extracts "HogFarming.7z", they find what appears to be a legitimate document or application.

Launching the primary file triggers the side-loading of a malicious component (often disguised as a library such as MpsSvc.dll or similar).

Analysis suggests the archive often carries variants of the PlugX or ToneIns malware. PlugX is a modular Remote Access Trojan (RAT) used for data exfiltration, keystroke logging, and remote command execution.

Indicators and Mitigations

Security teams should monitor for the following indicators related to this specific file name and associated threat actor behavior:

- Deploy EDR (Endpoint Detection and Response) solutions to monitor for unusual DLL loading behavior from legitimate system binaries.
- Educate staff on the risks of opening unexpected compressed archives, even if the sender appears legitimate.
