Beware the Blur: Phishing Scam Drops Byakugan Malware via Fake PDF

New Byakugan Malware Steals Data, Grants Remote Access & Uses OBS Studio to Spy! Fortinet reveals a phishing campaign distributing Byakugan malware disguised as a PDF. Don’t click! Learn how to stay safe.
Beware the Blur: Phishing Scam Drops Byakugan Malware via Fake PDF

Cybersecurity firm Fortinet alerts users of a phishing scam campaign distributing the Byakugan malware. This malware steals sensitive information and grants attackers remote access to infected Windows devices.

Malware Found in PDF File:

In January 2024, FortiGuard Labs discovered a PDF file in Portuguese language distributing Byakugan, a multi-functional malware. Researchers found a blurred table in the PDF and instructions for the victims to click a malicious link to view the content.

Beware the Blur: Phishing Scam Drops Byakugan Malware via Fake PDF
Screenshot of the PDF files used in the attack and the installer embedded in the downloader (Credit: Fortinet)

Once clicked, the downloader drops a file titled require.exe, which is its copy. Then a clean installer is downloaded to the temp folder followed by a DLL, which is executed via DLL-hijacking to run require.exe to download the main module. 

The downloader, named “require.exe” and located in the temp folder, executes the copy and not the Reader_Install_Setup.exe, and exhibits different behaviour in both files. Byakugan’s main module is downloaded from, a C2 server that may also serve as an attacker’s control panel, with a login page on port 8080.

AhnLab SEcurity Intelligence Center (ASEC) also discovered an Infostealer disguised as an Adobe Reader installer through a fake PDF file in Portuguese, urging users to download Adobe Reader, which led to the execution of a malicious file Reader_Install_Setup.exe.

It further creates two malicious files and runs a Windows system file, msdt.exe as an administrator, loading the malicious BluetoothDiagnosticUtil.dll and loading the malicious DLL file. The threat actor can bypass User Account Control (UAC) via DLL hijacking. 

Byakugan Malware Key Features

Byakugan is a node.js-based malware that uses OBS Studio to monitor the target’s desktop and perform various functions. It has several libraries, including a screen monitor, miner, keylogger, file manipulation, and browser information stealer. 

Moreover, Byakugan can choose between mining with CPU or GPU to prevent system overloading and downloads from popular miners like Xmrig, t-rex, and NBMiner. It also stores data in the kl folder and can steal information about “cookies, credit cards, downloads, and auto-filled profiles,” researchers wrote.

Byakugan also has anti-analysis features, such as pretending to be a memory manager and setting the path to the Windows Defender’s exclusion path. Additionally, it drops a task scheduler configuration file into the Defender folder, enabling it to execute automatically when starting up. However, this newer variant does not download the software from its domain.

Beware the Blur: Phishing Scam Drops Byakugan Malware via Fake PDF
Infection flow (Credit: Fortinet)

How to Stay Safe?

Threat actors are using both clean and malicious components in malware, such as Byakugan, making detection difficult, FortiGuard researchers noted, Therefore, to stay protected from phishing attacks and such deceptive malware, users must be cautious with emails, and verify sender legitimacy.

Additionally, use strong passwords and two-factor authentication, keep software updated, and prefer installing security software that can detect and block phishing emails/malware. Avoid clicking on links or downloading attachments from suspicious emails, and contacting the sender directly.

  1. Tycoon Linked to Phishing Attacks on US Schools
  2. Microsoft Warns of New Tax Returns Phishing Scam
  3. Dropbox Abused in Phishing Scam to Steal SaaS Logins
  4. New iMessage Phishing Scam Hits Postal Service Users
  5. Phishing Scam Hooks META Businesses with Trademark Threats
Related Posts