
A new phishing campaign is spreading a highly evasive malware — and evidence suggests the threat is more sophisticated than previously thought.
The Axur Research Team (ART) has identified and analyzed a new version of Byakugan, a malware with multiple capabilities (stealer, spyware, miner, keylogger) that has been used in attacks against companies in the financial and cryptocurrency sectors. The campaign observed in 2025 demonstrates a high level of social engineering and anti-forensic techniques, with extremely low detection by traditional antivirus solutions.
This article provides an initial overview of how the malware operates, the attackers’ tactics, and the potential impact of the campaign — and invites you to read the full technical report with in-depth analysis, IOCs, and MITRE ATT&CK mapping.
Targeted Phishing and Low Detection
The attack starts with a phishing email that impersonates a legitimate vendor communication. The message contains a fake PDF invoice, claiming that the recipient must install a version of Adobe Reader to view the document.
Clicking the button in the file leads the victim to a shortened URL — and then to GitHub, where a malicious executable is downloaded, disguised with the name and icon of the official Reader installer. The social engineering is carefully crafted to appear legitimate, and the file goes undetected by many antivirus engines.
Byakugan's Capabilities: From Evasion to Mining
Once executed, the malware begins a chain of actions:
- UAC bypass and DLL hijacking
- Windows Defender exclusions
- Execution of a fake “chrome.exe” process
- Data extraction from the system and browsers
- Communication with C2 servers
In addition to credential theft and keylogging, the malware also enables browser emulation, crypto mining, and remote control of infected devices. Communication with the C2 servers is carried out via open ports on domains such as tunneloop[.]com[.]br and floravirtual[.]com[.]br, both with virtually no VirusTotal detection history.
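As an added, defender-side illustration (not code from the Axur report or the malware itself), the following Python triages constructed Sysmon-style event records for two of the behaviours listed above: a chrome.exe image running from outside the Chrome install directory, and a Windows Defender path exclusion that covers a user-writable folder. The event shapes, file paths and user names are assumptions made for the example.

```python
# Constructed sample events in a Sysmon-like shape (hypothetical, not from the report).
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"event": "ProcessCreate", "image": r"C:\Users\alice\AppData\Local\Temp\chrome.exe",
     "parent": r"C:\Users\alice\Downloads\Reader_Install_Setup.exe"},
    {"event": "RegistryValueSet",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Local\Temp",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event": "RegistryValueSet",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\CorpBackup",
     "image": r"C:\Program Files\CorpBackup\agent.exe"},
]

# Directories where a genuine chrome.exe is expected (assumed defaults).
TRUSTED_CHROME_DIRS = (r"c:\program files\google\chrome\application",
                       r"c:\program files (x86)\google\chrome\application")
# Registry key fragment identifying Defender exclusion writes.
EXCLUSION_KEY = "\\windows defender\\exclusions\\"
# Locations a low-privileged user can write to; exclusions here are suspicious.
USER_WRITABLE = (r"\appdata\local\temp", r"\downloads", r"\users\public")


def masquerading_chrome(ev):
    """True when a process named chrome.exe starts outside the Chrome install directory."""
    image = ev.get("image", "").lower()
    if not image.endswith(r"\chrome.exe"):
        return False
    return not image.startswith(TRUSTED_CHROME_DIRS)


def suspicious_exclusion(ev):
    """True when a Defender exclusion is set on a user-writable path."""
    target = ev.get("target", "").lower()
    if EXCLUSION_KEY not in target:
        return False
    return any(p in target for p in USER_WRITABLE)


def triage(events):
    """Return (index, rule, detail) tuples for every event that matches a rule."""
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] == "ProcessCreate" and masquerading_chrome(ev):
            findings.append((i, "masquerading_chrome", ev["image"]))
        if ev["event"] == "RegistryValueSet" and suspicious_exclusion(ev):
            findings.append((i, "suspicious_defender_exclusion", ev["target"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On the constructed input, only the Temp-folder chrome.exe and the Temp-folder exclusion are flagged; the legitimate Chrome launch and the backup agent's Program Files exclusion pass.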
Infrastructure and Attribution Evidence
During the investigation, the ART identified public GitHub repositories used to distribute the campaign, as well as access to command dashboards hosted on domains and IPs. One of the panels displays infected devices and available actions — including file capture, browser emulation, and mining tools.
There’s also a Vimeo video demo of the tool, uploaded by a user. Infections have been recorded in the United States, Germany, Ukraine, and the Netherlands.
MITRE ATT&CK Mapping
The Byakugan 2025 campaign incorporates various tactics and techniques based on the MITRE ATT&CK framework, including:
- Initial Access: T1566.002 – Spearphishing Link
- Defense Evasion: T1036, T1027, T1497
- Discovery: T1082, T1057
- Command & Control: T1071.001, T1095, T1573, T1219
This mapping helps security teams understand the threat lifecycle and define detection and mitigation strategies.
Read the Full Analysis from the ART
The in-depth analysis by the Axur Research Team (ART) offers a technical deep dive into the Byakugan 2025 campaign, including a detailed attack chain, infrastructure and domain evidence, malicious code breakdowns, IOCs, and actionable mitigation recommendations. The report also features screenshots of dashboards and infection flows captured during the investigation.
If you want to understand how this malware operates — and how to protect your organization — access the full report now.

Experts in creating relevant external cybersecurity content to make the internet a safer place.