Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques


Analysis of the embedded obfuscated JavaScript within these fake CAPTCHA pages revealed a multistage payload delivery system that initiated downloads from secondary command-and-control servers:

  • 45[.]221[.]64[.]245/mot/
  • 104[.]164[.]55[.]7/231/means.d

We assess that the threat actors likely initiated their attack campaign through a sophisticated social engineering scheme involving these fake CAPTCHA pages. The pages appear to have delivered information stealers to the compromised endpoints, which subsequently harvested authentication tokens, browser cookies, and stored credentials from the infected systems. The presence of valid credentials used throughout the attack chain strongly suggests that these stolen credentials provided the Agenda threat actors with the valid accounts necessary for their initial access into the environment. This assessment is further supported by the attackers’ ability to bypass multifactor authentication (MFA) and move laterally using legitimate user sessions, indicating they possessed harvested credentials rather than relying on traditional exploitation techniques.

Privilege Escalation

The attackers deployed a SOCKS proxy DLL to facilitate…

