Hackers Use Weaponized PDF Files to Deliver Byakugan Malware

Due to their high level of trust and popularity, hackers frequently use weaponized PDF files as attack vectors.

Even PDFs can carry malicious code or exploits that abuse flaws in PDF readers.

Once an unsuspecting user opens such a malicious PDF, the payload runs and compromises the system.

Cybersecurity researchers at Fortinet recently identified that hackers have been actively using weaponized PDF files to deliver Byakugan malware.


Technical analysis

FortiGuard Labs discovered a Portuguese PDF file distributing the multi-functional Byakugan malware in January 2024.

The malicious PDF tricks people into clicking a link by presenting a blurred table.

This in turn launches a downloader that drops a copy of itself (require.exe) and downloads a DLL used for DLL hijacking.

require.exe is then run to retrieve the main module (chrome.exe). Notably, the downloader behaves differently depending on whether it is named require.exe and located in the temp folder, which is an evasion technique.

Infection flow (Source – Fortinet)

A blurred table is displayed on the victims' screens, prompting them to click a link that downloads a DLL for DLL hijacking and drops a copy (require.exe) that starts a downloader.



To fetch the main module (chrome.exe), require.exe is run.

However, its behavior varies slightly depending on whether it has been renamed while being placed in the temp folder, which signals its evasiveness.

The login page (Source – Fortinet)

Byakugan is a Node.js malware package bundled into a standalone executable with pkg. It contains the main script and a few feature libraries.

According to a Fortinet report shared with Cyber Security News, the malware also downloads additional files into the %APPDATA%\Chrome\Application folder, a directory it creates itself, which further demonstrates its adaptability and persistence.
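The indicators in this infection chain (a downloader named require.exe running from a temp folder, a DLL loaded from that same writable folder, and a chrome.exe running from %APPDATA%\Chrome\Application rather than a real install directory) can be turned into simple host-log checks. The following is an added detection example written for this article; it is not Fortinet's code or part of Byakugan. The key=value log format, the user name in the paths, the DLL file name and the list of legitimate Chrome install directories are all assumptions made for the example.

```python
r"""Flag process-creation and image-load events matching the Byakugan
infection chain described above. Log format, user paths, the DLL name and
the legitimate Chrome directories are constructed assumptions, not data
from the Fortinet report."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Where a legitimate chrome.exe is expected to live (assumption for this example).
LEGIT_CHROME_DIRS = (
    r"c:\program files\google\chrome\application",
    r"c:\program files (x86)\google\chrome\application",
)
# Roaming AppData directory the report says the malware creates for itself.
BYAKUGAN_APPDATA_DIR = r"\appdata\roaming\chrome\application"


@dataclass
class Event:
    kind: str          # "ProcessCreate" or "ImageLoad"
    image: str         # full path of the process executable
    loaded: str = ""   # DLL path for ImageLoad events


# key=value pairs; values may be double-quoted to allow spaces in paths
LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Event:
    """Parse one constructed log line into an Event (Sysmon-like, not Sysmon's real format)."""
    fields = {k: v.strip('"') for k, v in LINE_RE.findall(line)}
    return Event(fields["Event"], fields["Image"], fields.get("ImageLoaded", ""))


def is_temp_dir(path: str) -> bool:
    """True if any directory component of the path is a temp folder."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "temp" in parts or "tmp" in parts


def check_event(ev: Event) -> list[str]:
    """Return human-readable findings for one event (empty list if benign)."""
    findings = []
    proc = PureWindowsPath(ev.image)
    name = proc.name.lower()
    proc_dir = str(proc.parent).lower()
    if ev.kind == "ProcessCreate":
        if name == "require.exe" and is_temp_dir(ev.image):
            findings.append("downloader require.exe executed from a temp folder")
        if name == "chrome.exe" and proc_dir not in LEGIT_CHROME_DIRS:
            if proc_dir.endswith(BYAKUGAN_APPDATA_DIR):
                findings.append("chrome.exe running from %APPDATA%\\Chrome\\Application")
            else:
                findings.append("chrome.exe running outside a known install directory")
    elif ev.kind == "ImageLoad" and ev.loaded:
        dll = PureWindowsPath(ev.loaded)
        # A DLL loaded from the process's own user-writable temp folder is the
        # classic DLL-hijacking pattern described in the report.
        if dll.suffix.lower() == ".dll" and is_temp_dir(ev.loaded) \
                and str(dll.parent).lower() == proc_dir:
            findings.append(f"possible DLL hijack: {name} loaded {dll.name} from its own temp folder")
    return findings


def scan(lines):
    """Run every line through the checks; returns (line_number, finding) pairs."""
    return [(i, f) for i, line in enumerate(lines, 1) for f in check_event(parse_event(line))]


# Constructed sample events; "hijacked.dll" is a placeholder, the real DLL name is not on the page.
SAMPLE_LOG = [
    r'Event=ProcessCreate Image="C:\Users\alice\AppData\Local\Temp\require.exe"',
    r'Event=ImageLoad Image="C:\Users\alice\AppData\Local\Temp\require.exe" '
    r'ImageLoaded="C:\Users\alice\AppData\Local\Temp\hijacked.dll"',
    r'Event=ProcessCreate Image="C:\Users\alice\AppData\Roaming\Chrome\Application\chrome.exe"',
    r'Event=ProcessCreate Image="C:\Program Files\Google\Chrome\Application\chrome.exe"',
]

if __name__ == "__main__":
    for lineno, finding in scan(SAMPLE_LOG):
        print(f"line {lineno}: {finding}")
```

The checks deliberately key on location rather than file hashes: the page notes that the downloader changes behavior when renamed, so a path-and-name rule catches the unrenamed case while the "chrome.exe outside a known install directory" rule still fires for the main module regardless of what the dropper was called.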

Byakugan features

Byakugan's features are listed below:

  • Screen monitor
  • Screen capture
  • Miner
  • Keylogger
  • File manipulation
  • Browser information stealer
  • Anti-analysis
  • Persistence

This is part of a growing trend of bundling many malicious components into a single piece of malware, which makes accurate identification harder because of the added noise.

The downloaded files, however, revealed important details about how Byakugan works internally, making it easier to analyze the Trojan's malicious modules.



Git repositories

  • github[.]com/thomasdev33k
  • github[.]com/fefifojs
  • github[.]com/wonderreader

C2 Server