CXCLNT is a backdoor identified by researchers and designed to compromise and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, usually without the user's knowledge. Once installed, CXCLNT can upload and download files, clear traces of its activity on the system, and collect victim data such as file listings and system information. It is often deployed alongside a second malware payload known as CLNTEND; both have been linked to the Tidrone attackers.
These threat actors have been observed using remote desktop tools, including the open-source remote administration utility UltraVNC, to deploy their custom malware payloads. Comparing the execution flow of earlier and more recent activity involving CXCLNT and CLNTEND shows how the toolset and the associated tactics, techniques, and procedures (TTPs) have evolved. Notably, both the CXCLNT and CLNTEND backdoors are launched by sideloading a malicious DLL through the Microsoft Word application, a delivery method that blends the payload's execution into a trusted, signed process.
The report concludes that these activities involve advanced malware variants such as CXCLNT and CLNTEND being spread through ERP software or remote desktop tools. For both CLNTEND and CXCLNT, the threat actors favour command and control (C&C) server domains whose names imitate legitimate vendors, such as symantecsecuritycloud[.]com, microsoftsvc[.]com, and windowswns[.]com, which further complicates identification and mitigation of these threats. These findings highlight the increasing sophistication of cyber threats and underscore the need for robust cyber defense strategies.
Description last updated: 2024-10-17T12:16:22.980Z