Hello and welcome to the Tuesday, February 24, 2026 edition of the Sands and the Net Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the sense.edu bachelor's degree program in applied

cybersecurity. Well, in diaries today, we have a malware analysis diary from Jan. Jan looked at,

well, as you called it, yet another malicious JPEG file, an image in this case, but what actually arrived initially and

Jan focused a little bit more on the downloader here. It was, well, a good old compressed,

sip compressed JavaScript file. Once decompressed, there was over a megabyte of data. However,

most of the data was garbage.

So first obfuscation technique here where the attacker is just adding some random garbage to the file

in order to extend its size, make it a little bit more difficult to sort of analyze it,

sometimes also full than anti-malbar engines into not actually looking at the file.

Well, once all of that was removed, there were only a couple kilobytes left.

Actually, in the end, only about a dozen or so lines that Jan actually had to deobuscate further.

And, well, that's where he ended up with your standard downloader.

That would then download an image with attached scripts.

That would then in the end end up installing the REMCO-RAT, well, remote access tool.

So overall, fairly standard malware. A couple lessons here

from this one. The from was actually faked and would not make it past properly configured.

D-Mark, D-KM-KM-SPF. So those techniques are definitely very useful. Often, even simple stuff like this

gets missed by some anti-malmer engines, so having that extra layer of basically fairly

straightforward and simple defenses like DMARC certainly can make a difference here.

And if you're using caliber in order to read e-books, well, pay attention.

...