In mid-January 2026, a security team noticed strange activity in a business environment that at first did not seem concerning. The indicators were subtle and did not trigger alerts from antivirus software or other common endpoint protection tools.

The incident seemed inconsequential until a more thorough investigation showed that it was a sophisticated, multi-stage cyberattack. Organizations that depend on data integrity and trust are at serious risk from this type of low-profile, high-impact intrusion.

The Attack Unfolds

CyStack's investigation centered on a single customer support team workstation. When a member of the support staff clicked a link in a Zendesk ticket, a suspicious .pif file was downloaded and executed.

The file was an executable disguised by its file name, and it looked innocuous at first. On contemporary systems, where file extensions are hidden by default, the .pif extension is easily overlooked.

[Figure: Corporate Defenses Are Evaded by APT-Q-27 (Source: CyStack)]

The downloaded file, referred to as the dropper, started a sequence of actions that allowed the attackers to install and execute further malicious payloads on the system. The file was digitally signed when it was distributed, which gave it an air of legitimacy and let it evade common security measures such as SmartScreen filters and reputation-based scanners.

Subsequent investigation showed that the attack had multiple phases:

- File system residues: Traces found in files and system logs indicated a staged attack that employed methods such as memory-based obfuscated executables and DLL sideloading to evade detection.
- Registry entries and service configuration: To guarantee persistence across system reboots, important registry entries and Windows service configurations were changed.
- Execution of the final payload in memory: The final payload was executed entirely in memory, which decreased the likelihood that file-based defenses would detect it.

Despite the attack's stealth, it was evident that the hackers wanted to blend the malicious activity with regular system operations in order to avoid setting off any alarms. The malware did not appear to have spread laterally to other systems.

Nonetheless, the attack's architecture implies that, if left unnoticed, the threat actor could readily broaden the compromise.

[Figure: Evading Corporate Defenses APT-Q-27 (Source: CyStack)]

Indicators Point to APT-Q-27

According to CyStack, the attack was linked to command-and-control (C&C) infrastructure with multiple indicators that closely matched known activity of the APT-Q-27 group, also known as GoldenEyeDog. Although the activity could not be directly attributed to APT-Q-27, the resemblances were strong enough to cause concern.

The C2 infrastructure's naming conventions, the backdoor's modular design, and the multi-stage architecture—a defining feature of previous APT-Q-27 campaigns—were important indicators.

Interestingly, the C&C servers were dispersed across multiple regions, including the US, Japan, and Hong Kong, which is in line with the geographic distribution frequently seen in advanced persistent threat (APT) operations. As in previous APT-Q-27 campaigns, the attackers used a file called updat.log, a container made to carry encrypted payloads. The attackers also used a plugin-based backdoor architecture, which allowed them to turn individual attack features on and off as needed.

Details of the IOCs

C2 domains/IPs: wk.goldeyeuu.io (Tokyo), 192.252.182.53 (CA, US), 27.124.41.140 (HK), 103.145.87.3 (HK), 1.32.250.21 (HK), 103.151.44.6 (India)

File hashes (MD5): 64B07B1C385CF94A3559E323009F7641 (updat.exe), 30917B5ABB991DF495827A9D7C7EBCBC (crashreport.dll), 543023ACE4F10B736C4C4109E005F0EF (updat.log), B591EE37860F35A788B10531A00BBBD2

URLs: staging buckets hxxps://yyupdats[.]s3.<region>.amazonaws.com and hxxps://yy-service[.]s3.<region>.amazonaws.com (regions ap-northeast-2 and ap-southeast-1), serving staged files named updat.{txt,exe,dll,log} and yy.{txt,exe,dll,log}

MITRE ATT&CK: T1566.002 (Phishing: Spearphishing Link), T1553.002 (Subvert Trust Controls: Code Signing), T1620 (Reflective Code Loading), T1543.003 (Create or Modify System Process: Windows Service), T1548.002 (Abuse Elevation Control Mechanism: Bypass User Account Control), T1070 (Indicator Removal)
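As an added example (not CyStack's tooling and not part of the original article), the following Python triages Sysmon-style event records against the behaviours described in the attack phases above (the .pif drop, DLL sideloading, service persistence) and against the IOC values from the table. The event schema (dict keys such as event, path, image, md5, key, value, dest, url), the rule names, and the sample events are assumptions constructed for illustration; only the hosts, hashes, bucket names and staged file names come from the article.

```python
"""Triage constructed Sysmon-style events against the APT-Q-27 indicators.

Example code added by the editor, not CyStack's tooling. The event schema
and SAMPLE_EVENTS are constructed; only the IOC values come from the article.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# IOC values as listed in the article.
C2_HOSTS = {
    "wk.goldeyeuu.io", "192.252.182.53", "27.124.41.140",
    "103.145.87.3", "1.32.250.21", "103.151.44.6",
}
FILE_HASHES = {
    "64B07B1C385CF94A3559E323009F7641",  # updat.exe
    "30917B5ABB991DF495827A9D7C7EBCBC",  # crashreport.dll
    "543023ACE4F10B736C4C4109E005F0EF",  # updat.log
    "B591EE37860F35A788B10531A00BBBD2",
}
# Staging buckets named in the article; the region is left open.
S3_STAGING_RE = re.compile(
    r"https?://(yyupdats|yy-service)\.s3\.[a-z0-9-]+\.amazonaws\.com/", re.I)
STAGED_NAMES = {f"{b}.{e}" for b in ("updat", "yy") for e in ("txt", "exe", "dll", "log")}
# Directory fragments a standard user can write to (assumption used by the rules).
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _dirname(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[0]


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def check_event(ev: dict) -> list[Finding]:
    """Return zero or more findings for a single event record."""
    out: list[Finding] = []
    kind = ev.get("event")
    md5 = ev.get("md5", "").upper()
    if kind == "file_create":
        path = _norm(ev["path"])
        # Phishing-delivered .pif: an executable whose extension Explorer hides.
        if path.endswith(".pif") and any(d in path for d in USER_WRITABLE):
            out.append(Finding("pif_dropped", ev["path"]))
        if _basename(path) in STAGED_NAMES:
            out.append(Finding("staged_payload_name", ev["path"]))
        if md5 in FILE_HASHES:
            out.append(Finding("known_hash", ev["path"]))
    elif kind == "process_create":
        if _norm(ev["image"]).endswith(".pif"):
            out.append(Finding("pif_executed", ev["image"]))
        if md5 in FILE_HASHES:
            out.append(Finding("known_hash", ev["image"]))
    elif kind == "image_load":
        dll, host = ev["loaded"], ev["image"]
        # DLL sideloading pattern: an unsigned DLL loaded from the host
        # process's own directory, outside the Windows directory.
        if (_dirname(dll) == _dirname(host) and not ev.get("signed", False)
                and "\\windows\\" not in _norm(dll)):
            out.append(Finding("possible_sideload", f"{host} -> {dll}"))
        if md5 in FILE_HASHES:
            out.append(Finding("known_hash", dll))
    elif kind == "registry_set":
        key = _norm(ev["key"])
        # Service persistence: an ImagePath under CurrentControlSet\Services
        # that points into a user-writable location.
        if (key.startswith("hklm\\system\\currentcontrolset\\services\\")
                and key.endswith("\\imagepath")
                and any(d in _norm(ev["value"]) for d in USER_WRITABLE)):
            out.append(Finding("service_persistence", f"{ev['key']} = {ev['value']}"))
    elif kind == "network":
        if ev.get("dest", "").lower() in C2_HOSTS:
            out.append(Finding("c2_contact", ev["dest"]))
        if S3_STAGING_RE.search(ev.get("url", "")):
            out.append(Finding("staging_bucket", ev["url"]))
    return out


def triage(events: list[dict]) -> list[Finding]:
    """Run every event through check_event and collect the findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry (not real logs from the incident).
SAMPLE_EVENTS = [
    {"event": "file_create", "path": "C:\\Users\\alice\\Downloads\\invoice.pif"},
    {"event": "process_create", "image": "C:\\Users\\alice\\Downloads\\invoice.pif",
     "md5": "64b07b1c385cf94a3559e323009f7641"},
    {"event": "file_create", "path": "C:\\ProgramData\\Upd\\updat.log",
     "md5": "543023ACE4F10B736C4C4109E005F0EF"},
    {"event": "image_load", "image": "C:\\ProgramData\\Upd\\updat.exe",
     "loaded": "C:\\ProgramData\\Upd\\crashreport.dll", "signed": False,
     "md5": "30917B5ABB991DF495827A9D7C7EBCBC"},
    {"event": "registry_set", "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\UpdSvc\\ImagePath",
     "value": "C:\\ProgramData\\Upd\\updat.exe"},
    {"event": "network", "dest": "wk.goldeyeuu.io", "url": ""},
    {"event": "network", "dest": "s3.amazonaws.com",
     "url": "https://yy-service.s3.ap-southeast-1.amazonaws.com/yy.log"},
    {"event": "image_load", "image": "C:\\Windows\\System32\\svchost.exe",
     "loaded": "C:\\Windows\\System32\\kernel32.dll", "signed": True},
    {"event": "file_create", "path": "C:\\Users\\alice\\Downloads\\report.pdf"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:22} {f.detail}")
```

The hash and host matches are exact-IOC checks and will age quickly; the sideloading, .pif and ImagePath rules are behavioural and are the ones worth keeping as hunting queries after the listed indicators are rotated.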