“By hijacking this CLSID, threat actors gain a unique persistence mechanism, allowing them to restore their MucorAgent backdoor during one of these periodic NGEN optimization scans,” the researchers found. “A critical advantage of this method is stealth and execution under the highly privileged SYSTEM account. This particular technique, leveraging CLSID hijacking in conjunction with NGEN, is unprecedented in our observations.”
In addition to MucorAgent, the attackers also deployed a legitimate remote monitoring and management (RMM) tool called Remote Utilities. The abuse of RMM tools has become widespread among both APT and cybercrime groups.
“The campaign analyzed revealed a highly persistent and adaptable threat actor employing a wide range of known and customized techniques to establish and maintain long-term access within targeted environments,” the researchers said. “The attackers relied heavily on publicly available tools, open-source projects, and LOLBins, showing a preference for stealth, flexibility, and minimal detection rather than exploiting novel vulnerabilities.”
