Saturday, January 17, 2026

Polyglot Files – A New Technique Hackers Use to Evade Email Filters and Deliver Malware

Security researchers at BI.ZONE Mail Security have uncovered a coordinated phishing campaign targeting Russian healthcare and IT organizations, which leverages advanced evasion tactics and a newly identified backdoor dubbed PhantomRemote.

Beginning in late June 2025, the Rainbow Hyena cluster orchestrated the distribution of malicious emails by hijacking legitimate corporate accounts, embedding polyglot attachments that slip past conventional defenses.

In this campaign, threat actors posed as well-known partners, dispatching emails with subjects such as “Транспортная накладная ТТН № 391-44 от 26.06.2025” and “Договор РН83-371,” each containing a deceptive .zip file that also served as a PE32+ DLL.

The ingenious polyglot archive contained both a legitimate-looking decoy document and a payload archive with a malicious LNK shortcut.

When victims unwittingly launched the shortcut, a hidden PowerShell command searched for the embedded DLL by filename across several directories (the current folder, %USERPROFILE%, and %TEMP%), then invoked rundll32.exe to execute its concealed EntryPoint.

The DLL extracted the genuine-looking decoy file by slicing out a specific byte range and promptly opened it via cmd /c start, masking the attack under the guise of a routine document view.


Polyglot files blur the line between benign and malicious content by exploiting format ambiguities.

In this operation, the .zip archives masqueraded as dynamic link libraries, fooling email scanners that focus on extension-based rules.

Once loaded with rundll32.exe, the DLL’s DllMain routine checks a global flag; if set, it loops silently, postponing any action.

Otherwise, it directs execution to the exported EntryPoint, initiating the attack chain and ensuring that the embedded decoy distracts the victim from noticing anomalous activity.
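A file that parses as both a PE image and a ZIP archive is a polyglot no matter what extension it carries. The following Python example, added here and not taken from the BI.ZONE report or the campaign's files, checks both interpretations of the same bytes and flags the file when both succeed; the sample it builds is a constructed stand-in (a bare PE32+ DLL header with an archive appended, placeholder member names), not the real attachment.

```python
import io
import struct
import zipfile
from typing import List, Optional

IMAGE_FILE_DLL = 0x2000   # COFF Characteristics bit: image is a DLL
PE32PLUS_MAGIC = 0x20B    # optional-header magic for 64-bit (PE32+) images

def parse_pe(data: bytes) -> Optional[dict]:
    """Return basic COFF/PE header facts if data starts with MZ..PE headers, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF fields: Machine, NumberOfSections, TimeDateStamp, SymTabPtr, NumSyms, OptHdrSize, Characteristics
    machine, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0] if opt_size >= 2 else 0
    return {"machine": machine, "is_dll": bool(chars & IMAGE_FILE_DLL), "pe32plus": magic == PE32PLUS_MAGIC}

def zip_members(data: bytes) -> Optional[List[str]]:
    """Return member names if the same bytes also parse as a ZIP (EOCD record found), else None."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return None
    with zipfile.ZipFile(buf) as zf:
        return zf.namelist()

def classify(data: bytes) -> dict:
    """Polyglot = parses as PE and as ZIP; an extension-based filter sees only one of the two."""
    pe, members = parse_pe(data), zip_members(data)
    return {"pe": pe, "zip_members": members, "polyglot": pe is not None and members is not None}

def build_pe_stub() -> bytes:
    """Constructed stand-in for a PE32+ DLL header (headers only, no code, not the real sample)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                    # e_lfanew -> PE signature at 0x80
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x2022)  # AMD64, EXEC|LAA|DLL flags
    opt = struct.pack("<H", PE32PLUS_MAGIC) + bytes(0xF0 - 2)  # magic, rest of optional header zeroed
    return bytes(dos) + b"PE\0\0" + coff + opt

def build_sample_polyglot() -> bytes:
    """Append a ZIP holding decoy and shortcut placeholders to the PE stub (constructed data)."""
    buf = io.BytesIO(build_pe_stub())
    with zipfile.ZipFile(buf, "a") as zf:   # 'a' on non-ZIP data appends a fresh archive after it
        zf.writestr("decoy.docx", b"constructed decoy placeholder")
        zf.writestr("payload.lnk", b"constructed shortcut placeholder")
    return buf.getvalue()
```

Running `classify()` on a mail attachment at the gateway, rather than trusting its extension, is the check this campaign relied on scanners not performing.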

PhantomRemote – A Custom Backdoor for Stealthy Control

Upon successful execution, the malicious DLL deploys PhantomRemote, a custom backdoor written in C++ and disguised as a legitimate Windows component.

Hidden in the DLL’s code, PhantomRemote’s workflow begins with system reconnaissance: it calls CoCreateGuid(), GetComputerNameW(), and GetComputerNameExW() to harvest a unique identifier, hostname, and domain. Fallbacks insert “UNKNOWN” for any failures.

It then establishes a working directory under %PROGRAMDATA%, named either “YandexCloud” or “MicrosoftAppStore,” to house further payloads.

PhantomRemote’s command-and-control (C2) communication relies on HTTP GET and POST requests to servers such as 91.239.148[.]21, using innocuous User-Agent strings like “YandexCloud/1.0” or “MicrosoftAppStore/2001.0.”

The initial GET request to “/poll” transmits the collected system details.

In reply, the server can issue two primary commands: “cmd:<cmdCommand>” prompts execution via cmd.exe, capturing stdout and stderr for exfiltration, while “download:<URL>” directs PhantomRemote to fetch additional files via WinHTTP APIs.

Following each action, the backdoor posts results back to “/result” and then sleeps between one and ten seconds to mimic normal network latency.

This campaign highlights the increasing sophistication of hacktivist groups, which now combine espionage and financial motives with advanced malware engineering.

By repurposing trusted brands and embracing polyglot binaries, threat actors ensure their phishing emails evade detection and deliver potent tools, such as PhantomRemote, directly into enterprise environments.

Phishing email

Organizations must therefore augment perimeter defenses with behavioral analysis and zero-trust principles to thwart such threats.
