July 2, 2025
Severity
High
Analysis Summary
DarkTortilla is a highly obfuscated, .NET-based malware crypter active since at least 2015. It is primarily linked to the financially motivated threat group GOLD CAMOUFLAGE, which operates DarkTortilla as a malware distribution service. Designed to deliver a wide range of payloads, it is frequently used to deploy info-stealers (AgentTesla, RedLine, NanoCore, AsyncRAT) and sometimes advanced tools like Cobalt Strike.
Known by aliases like "win.darktortilla", this malware features strong anti-analysis and evasion techniques, including process injection and in-memory execution to avoid detection. Its modular design allows for high configurability, enabling threat actors to adjust payloads, persistence methods, and communication protocols.
Recent campaigns show DarkTortilla masquerading as legitimate installers from brands like Grammarly and Cisco, distributed through phishing websites. Victims are lured into downloading malicious files, which then deploy the crypter to establish persistence, contact command-and-control (C2) servers, and deliver secondary payloads for data theft and espionage.
DarkTortilla has been used in targeted attacks in Kazakhstan, where it was coupled with AgentTesla to steal personal data. Its flexibility has made it a tool of choice for attacks across government, finance, critical infrastructure, and individual users, particularly in Central Asia, but its impact is global.
In summary, DarkTortilla serves as a powerful delivery mechanism for cybercriminals, offering stealth, adaptability, and effectiveness in a wide range of malware campaigns.
Impact
- Data Theft
- Cyber Espionage
Indicators of Compromise
MD5
8d44f00f6a87e0bc15b5f244e3eda0c2
4fe147a5e2fa228ebc86c6ec24f53558
c4a82d145f064f891f13640a8e410e4d
19f2e6af33b67455642278cadd1dae49
SHA-256
eb1a02ec53eba0ce4ae75d74d6dff37d4e920390d8bd4f6e525761cb52208a22
322c15b12e8a568690987a09f4e178fff651891b90e902c7ed3025d4b9ef12f5
f0a66970b3fcadd7c7109442630ee152063a8b83b1809c6dbe64bec657c8fcb9
222db8a1d1565c1ffe6425afeca8b3f0eb43924995e2422c13d51fdc5b29efaf
SHA-1
071b00a293bb42f091b468716708f23b689cbeee
4f93c59815850f3a7dd3c2b8cb935e26c9c6aecb
6b60ea082d47be1c174a1277e9322049893bc00c
3270df5389342c5750ec624f19a1d2341c4a2ae1
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Upgrade your operating system.
- Don't open files and links from unknown sources.
- Install and run anti-virus scans.
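The remediation step "search for indicators of compromise in your environment" can be carried out with a simple hash sweep where no EDR or SIEM query is available. The script below is an added example written for this advisory, not tooling from the advisory's author; it embeds the MD5, SHA-1 and SHA-256 values listed above, hashes every file under a directory once (all three digests in a single read), and reports any file whose digest appears in the IoC set. Digests are normalized to lowercase before comparison so that a mixed-case feed cannot cause a silent miss. The file paths and sample data used when running it are constructed for the demonstration.

```python
"""Sweep a directory tree for files whose hash matches a published DarkTortilla IoC.

Added example for the advisory's "search for IOCs" remediation step; it is not
part of the original advisory. The hash values below are the ones published on
the page; every path or file used with it is constructed for the demonstration.
"""
import hashlib
import os
from pathlib import Path

# IoCs as listed in the advisory, grouped by algorithm (lowercase hex).
DARKTORTILLA_IOCS = {
    "md5": {
        "8d44f00f6a87e0bc15b5f244e3eda0c2",
        "4fe147a5e2fa228ebc86c6ec24f53558",
        "c4a82d145f064f891f13640a8e410e4d",
        "19f2e6af33b67455642278cadd1dae49",
    },
    "sha1": {
        "071b00a293bb42f091b468716708f23b689cbeee",
        "4f93c59815850f3a7dd3c2b8cb935e26c9c6aecb",
        "6b60ea082d47be1c174a1277e9322049893bc00c",
        "3270df5389342c5750ec624f19a1d2341c4a2ae1",
    },
    "sha256": {
        "eb1a02ec53eba0ce4ae75d74d6dff37d4e920390d8bd4f6e525761cb52208a22",
        "322c15b12e8a568690987a09f4e178fff651891b90e902c7ed3025d4b9ef12f5",
        "f0a66970b3fcadd7c7109442630ee152063a8b83b1809c6dbe64bec657c8fcb9",
        "222db8a1d1565c1ffe6425afeca8b3f0eb43924995e2422c13d51fdc5b29efaf",
    },
}


def file_hashes(path, chunk_size=1 << 20):
    """Return the MD5, SHA-1 and SHA-256 hex digests of a file in one pass."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def normalize_iocs(iocs):
    """Lowercase and strip every digest so feed formatting cannot cause a missed match."""
    return {algo: {v.strip().lower() for v in values} for algo, values in iocs.items()}


def scan_tree(root, iocs=DARKTORTILLA_IOCS):
    """Walk `root` and return a list of (path, algorithm, digest) for each IoC hit.

    Unreadable files (permission errors, files that vanish mid-scan) are skipped
    instead of aborting the sweep. A file matching under more than one algorithm
    is reported once per matching algorithm.
    """
    iocs = normalize_iocs(iocs)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digests = file_hashes(path)
            except OSError:
                continue
            for algo, digest in digests.items():
                if digest in iocs.get(algo, ()):
                    hits.append((str(path), algo, digest))
    return hits


if __name__ == "__main__":
    import sys

    # Usage: python ioc_sweep.py /path/to/scan   (defaults to the current directory)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit_path, algo, digest in scan_tree(target):
        print(f"MATCH {algo} {digest} {hit_path}")
```

A hash sweep only finds files that are byte-identical to a known sample; because DarkTortilla is a crypter that re-packs its payloads, a clean sweep should be treated as "these specific samples are absent", not as proof that the environment is uninfected, and should be paired with the behavioural controls (blocking the indicators, monitoring for process injection) the advisory recommends.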