Fiber
Fiber is a .NET loader/injector used in multi-stage Windows malware delivery chains. In the provided reporting, it is extracted from steganographic image files and reflectively loaded into memory after an initial phishing-delivered script stage, making later stages largely fileless. Fiber is described as a PE32 .NET Framework 4.5 x86 DLL and as a loader identified from internal strings and the Fiber.Program entry point; one sample also contained the namespace HackForums.gigajew.
Observed infection chains begin with phishing or spearphishing attachments masquerading as business documents, including request-for-quote and product/pricing files implemented as obfuscated JScript. The script stage uses WMI Win32_Process.Create to launch hidden PowerShell, downloads a weaponized JPEG from attacker-controlled infrastructure, extracts encoded data between markers such as "IN-" and "-in1," transforms and base64-decodes it, and reflectively loads the Fiber assembly into memory. Fiber then downloads another steganographic image, extracts the next-stage payload from markers including "INICIO" and "FIM," and executes it.
Capabilities directly attributed to Fiber in the content include sandbox/VM detection, anti-debugging, persistence, staged payload retrieval, and process hollowing. VM and sandbox checks include WMI queries for VMware and VirtualBox artifacts and BIOS/virtual machine detection logic. Anti-debugging includes scanning process names for tools such as dnspy, vsdbg, de4dot, and debug. Persistence mechanisms reported for Fiber include dropping JavaScript files such as Q78BmqBbKP.js, creating scheduled tasks including "EmGqzwd3kD," and in another campaign using both a scheduled task and a Registry Run key. Execution techniques include use of signed Windows binaries such as CasPol.exe and, in another cluster, RegAsm.exe as hollowed host processes. Reported hollowing APIs include CreateProcess in suspended mode, ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, GetThreadContext, SetThreadContext, and ResumeThread.
Fiber is associated in the content with delivery of multiple commodity malware families, including Formbook/XLoader, AsyncRAT, and njRAT/Bladabindi derivatives. In the Formbook/XLoader chain, Fiber was delivered from tradedsglobal.com via optimized_MSIlatino.png and then retrieved oboxload.png before hollowing the final payload into CasPol.exe. In the AsyncRAT chain, Fiber was delivered from a Cloudinary-hosted JPEG, downloaded a further stage from 91.92.242.219, used CasPol.exe as a LOLBIN, and supported persistence via scheduled task and Registry Run key before launching an AsyncRAT variant. In the GoLoader-related activity, Fiber was extracted from steganographic carriers in Alibaba Cloud OSS-hosted campaigns and used to hollow njRAT into RegAsm.exe.
Targeting reflected in the content includes procurement, manufacturing, and engineering personnel via business-themed lures, as well as cryptocurrency investors via Simplified Chinese lure content. Language and attribution artifacts mentioned in the reporting include Brazilian Portuguese strings such as "Erro ao iniciar via WMI. Código:" and marker strings "INICIO"/"FIM," and a separate sample containing the namespace HackForums.gigajew, assessed by the source report as an attribution clue tied to the handle "gigajew." High-confidence infrastructure and indicators mentioned for Fiber-related delivery include tradedsglobal.com, Cloudinary account dn6bpc2yo, 91.92.242.219, and Alibaba Cloud OSS bucket jpginfo. Sample hashes explicitly associated with Fiber include 9da3fba7b57421476f3e6e44d0d9c800f6678c845d1b8e83864e219b6c6ae178 and 240068f98bd3e3213351ebdac3a0e9657f9a17506e43425ea3ed19f14e17cf21.
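As an added defender-side triage example (not code from this page or from any report it cites), the following Python helper applies the two carrier-image tricks described on this page: it carves data between the INICIO/FIM markers, undoes the reported '#'→'A', reverse, base64-decode transform, and reports any bytes appended after the JPEG FF D9 end-of-image marker. Applying the same decoder to the IN-/-in1 script-stage pair is an assumption, and the sample bytes are constructed.

```python
import base64
import re

# Marker pairs reported on this page: the JScript stage uses "IN-"/"-in1",
# the Fiber stage uses "INICIO"/"FIM". Applying the same decoder to both
# pairs is an assumption; only the INICIO/FIM transform is documented.
MARKER_PAIRS = [(b"IN-", b"-in1"), (b"INICIO", b"FIM")]
JPEG_EOI = b"\xff\xd9"  # JPEG end-of-image marker; anything after it is suspect

def decode_fiber_chunk(chunk: bytes) -> bytes:
    """Undo the reported transform: '#' -> 'A', reverse, then base64-decode."""
    text = chunk.decode("ascii").replace("#", "A")
    return base64.b64decode(text[::-1], validate=True)

def carve_marked_payloads(data: bytes) -> list:
    """Return (start_marker, decoded_bytes) for every decodable marker pair."""
    found = []
    for start, end in MARKER_PAIRS:
        pattern = re.escape(start) + b"(.*?)" + re.escape(end)
        for m in re.finditer(pattern, data, re.DOTALL):
            try:
                found.append((start, decode_fiber_chunk(m.group(1))))
            except (UnicodeDecodeError, ValueError):
                continue  # marker text can occur by chance; skip non-payloads
    return found

def trailing_data_after_eoi(data: bytes) -> bytes:
    """Bytes appended after the last FF D9; an appended PE starts with 'MZ'."""
    idx = data.rfind(JPEG_EOI)
    return b"" if idx < 0 else data[idx + 2:]

def triage_image(data: bytes) -> dict:
    """Summarise both Fiber-style carrier tricks for one image."""
    trailer = trailing_data_after_eoi(data)
    payloads = carve_marked_payloads(data)
    return {
        "trailer_len": len(trailer),
        "trailer_is_pe": trailer.startswith(b"MZ"),
        "marked_payloads": len(payloads),
        "marked_pe": any(p.startswith(b"MZ") for _, p in payloads),
    }

# Constructed sample (not a real carrier): minimal JPEG framing, an INICIO/FIM
# blob holding base64("MZ\x90\x00") reversed with 'A' -> '#', then an appended stub.
SAMPLE = (b"\xff\xd8\xff\xe0JFIF" + b"INICIO==##QqVTFIM"
          + b"\xff\xd9" + b"MZ\x90\x00fake-pe")
```

Run `triage_image(open(path, "rb").read())` over suspect images; either a non-empty PE trailer or a decoded marked payload starting with MZ is worth a closer look.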
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique. Execution: 4 techniques. Persistence: 2 techniques. Privilege Escalation: 3 techniques. Stealth: 11 techniques.
A phishing email attachment disguised as a request-for-quote (RFQ 11062026.js) is a heavily-obfuscated JScript dropper.
The 93 PNG files in the bucket are steganographic carriers... the PE payload is appended after the JPEG end-of-file marker (FF D9).
The _pdf suffix before .js is a classic double-extension trick designed to fool users who have file extensions hidden in Windows Explorer.
RunPE / process hollowing into CasPol.exe CreateProcess(SUSPENDED) → ZwUnmapViewOfSection → VirtualAllocEx → WriteProcessMemory → GetThreadContext/SetThreadContext → ResumeThread
carve bytes between markers INICIO ... FIM; transform '#'→'A', reverse, Base64-decode
process-hollows Formbook into the signed Windows binary CasPol.exe
VirtualMachineDetector (WMI: vmware/vbox/etc.) → bail if VM
The VirtualMachineDetector class queries BIOS characteristics via WMI to detect virtualized environments ... If the environment appears to be a sandbox or VM, the loader can terminate early
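An added detection example, not code from this page or from any report it cites: it walks a constructed sandbox-style API trace and flags a caller only when the full chain reported above (CreateProcess with CREATE_SUSPENDED, ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread) lands on one child process, then notes whether the host is one of the signed binaries reported for Fiber (CasPol.exe, RegAsm.exe). The trace line format, PIDs and sizes are constructed assumptions; GetThreadContext and repeated writes between steps are tolerated.

```python
import re

# Ordered API chain this page reports for Fiber's RunPE / process hollowing.
HOLLOW_CHAIN = ["CreateProcess", "ZwUnmapViewOfSection", "VirtualAllocEx",
                "WriteProcessMemory", "SetThreadContext", "ResumeThread"]
HOST_BINARIES = {"caspol.exe", "regasm.exe"}  # hollowed hosts the page reports
# Constructed trace format (assumption): <caller_pid> <api> target=<pid> [k=v ...]
LINE_RE = re.compile(r"^(\d+) (\w+) target=(\d+)(.*)$")

def parse_line(line):
    """Return (caller, api, target, attrs) or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    attrs = dict(kv.split("=", 1) for kv in m.group(4).split())
    return int(m.group(1)), m.group(2), int(m.group(3)), attrs

def detect_hollowing(lines):
    """Flag (caller, target, host_image, known_lolbin) when the whole chain hits one suspended child."""
    progress, image, hits = {}, {}, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        caller, api, target, attrs = parsed
        key = (caller, target)
        if api == "CreateProcess":
            # Only a CREATE_SUSPENDED child can be unmapped and rewritten before it runs.
            if "CREATE_SUSPENDED" in attrs.get("flags", ""):
                progress[key] = 1
                image[key] = attrs.get("image", "").lower()
            continue
        step = progress.get(key)
        if step is not None and api == HOLLOW_CHAIN[step]:
            progress[key] = step + 1
            if progress[key] == len(HOLLOW_CHAIN):
                hits.append((caller, target, image[key], image[key] in HOST_BINARIES))
                del progress[key]
    return hits

# Constructed sample trace: one CasPol.exe child created suspended and hollowed.
SAMPLE_TRACE = [
    "4120 CreateProcess target=5208 flags=CREATE_SUSPENDED image=CasPol.exe",
    "4120 ZwUnmapViewOfSection target=5208",
    "4120 VirtualAllocEx target=5208 prot=PAGE_EXECUTE_READWRITE",
    "4120 WriteProcessMemory target=5208 size=0x1e000",
    "4120 GetThreadContext target=5208",
    "4120 SetThreadContext target=5208",
    "4120 ResumeThread target=5208",
]
```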
Discovery: 3 techniques.
IOCs tracked for this family
14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A .NET loader used in the middle stage of the kill chain. It extracts and injects the final njRAT payload into RegAsm.exe using process hollowing APIs such as ZwUnmapViewOfSection, VirtualAllocEx, and WriteProcessMemory.
A .NET loader reflectively loaded from a Cloudinary-hosted steganographic JPEG. It downloads the next stage from 91.92.242.219, drops it to C:\Users\Public\Downloads\, executes it via CasPol.exe, creates a scheduled task, sets a Registry Run key, and includes VM detection to evade sandbox analysis.