Countries in the Middle East were the targets of an attack campaign that leveraged the WinTapix loader.
The malware injects an embedded shellcode into a local process and executes an encrypted .NET payload.
WinTapix uses the Donut Framework for execution and is partially protected by the VMProtect software protection tool.
SkyWatchSM Alert Legend
Glesec Information Sharing Protocol
GLESEC CYBER SECURITY INCIDENT REPORTS are in compliance with the U.S. Department of Homeland Security (DHS) Traffic-Light Protocol (TLP).
Disclosure is Not Limited.
Limited Disclosure, Restricted Only to the Community.
Limited Disclosure, restricted to the Participant's Organization.
Not for Disclosure, Restricted/ Classified - Only Shared with US DHS.