Keitaro TDS abused to deliver AutoIT-based loader targeting German speakers
Blog post from Sublime Security
Sublime has uncovered a campaign targeting German speakers with a romance or adult-themed lure that uses the Keitaro Traffic Distribution Service (TDS) to deliver malware. The attack begins with sexually explicit emails containing links to attacker-controlled domains; Keitaro then redirects the visitor to a roughly 300 MB ISO file served from a Russian host. The ISO is deliberately inflated to this size, a known counter-analysis technique intended to push the file past the size limits of sandboxes and scanning platforms, and contains an executable together with a password-protected text file.

When the executable runs, it extracts and launches several files, writing explicit images (consistent with the lure) and additional payload files to the user's temporary directory. The next stage is a batch script padded with junk data and obfuscated through variable manipulation and misleading logic branches; its real job is to assemble an AutoIt interpreter and use it to run a custom, heavily obfuscated AutoIt script. That script creates a Windows scheduled task so the malware keeps executing after reboot.

Sublime's detection engine flagged the campaign on several converging indicators, including romance-scam language, suspicious email origins, and password-protected archives. The tradecraft overlaps with the Rhadamanthys infostealer and with a previously documented malvertising campaign.
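The size-inflation trick described above is cheap for an attacker and cheap to detect. The triage helper below is an added example, not code from Sublime or from the blog post: it measures how much of a file is trailing filler and how many fixed-size chunks are near-zero entropy, then hashes the file with the filler stripped so the real payload can be compared across samples. It assumes the padding is low-entropy filler (a run of zero bytes or one repeated byte), which is the common form of this technique; the blog post does not say how this particular ISO was padded, and the 320 KiB sample below is constructed for illustration, not the real artifact.

```python
"""Triage helper for size-inflated samples (added example, not Sublime's code).

Assumption: padding is low-entropy filler (a repeated byte appended to the
real content, or large runs of near-constant bytes). Real ISO from the
campaign is ~300 MB; the sample here is a constructed 320 KiB stand-in.
"""
import hashlib
import math
import sys

CHUNK = 1024 * 1024  # 1 MiB chunks keep the per-chunk entropy scan fast on large files


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for a constant run, 8.0 for uniform bytes)."""
    n = len(data)
    if n == 0:
        return 0.0
    # bytes.count(int) runs in C; 256 passes is far faster than a Python loop.
    counts = (data.count(b) for b in range(256))
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def trailing_padding_length(data: bytes) -> int:
    """Length of the run of one repeated byte at the end of the file."""
    if not data:
        return 0
    pad_byte = data[-1:]
    # rstrip with a one-byte set removes exactly the trailing run of that byte.
    return len(data) - len(data.rstrip(pad_byte))


def analyze(data: bytes, chunk_size: int = CHUNK) -> dict:
    """Describe how much of `data` is filler and hash the content without it."""
    pad_len = trailing_padding_length(data)
    trimmed = data[: len(data) - pad_len]
    entropies = [
        shannon_entropy(data[i : i + chunk_size])
        for i in range(0, len(data), chunk_size)
    ]
    low = sum(1 for e in entropies if e < 1.0)  # chunks that are essentially filler
    return {
        "size": len(data),
        "pad_byte": data[-1] if data else None,
        "padding_bytes": pad_len,
        "padding_ratio": (pad_len / len(data)) if data else 0.0,
        "chunks": len(entropies),
        "low_entropy_chunks": low,
        "sha256_full": hashlib.sha256(data).hexdigest(),
        # Hash of the content with trailing filler removed: stable across
        # re-padded variants of the same payload.
        "sha256_trimmed": hashlib.sha256(trimmed).hexdigest(),
    }


def is_bloated(report: dict, min_ratio: float = 0.5) -> bool:
    """True when at least `min_ratio` of the file is trailing or low-entropy filler."""
    if report["chunks"] == 0:
        return False
    low_ratio = report["low_entropy_chunks"] / report["chunks"]
    return report["padding_ratio"] >= min_ratio or low_ratio >= min_ratio


# Constructed sample: 16 KiB of high-entropy "payload" followed by 304 KiB of
# zero bytes, mimicking an inflated container at small scale.
SAMPLE_PAYLOAD = bytes(range(256)) * 64
SAMPLE_BLOATED = SAMPLE_PAYLOAD + b"\x00" * (16384 * 19)
SAMPLE_REPORT = analyze(SAMPLE_BLOATED, chunk_size=4096)


if __name__ == "__main__":
    # Usage: python triage.py <file>  (with no argument, report on the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            report = analyze(fh.read())
    else:
        report = SAMPLE_REPORT
    for key, value in report.items():
        print(f"{key:20} {value}")
    print("bloated:", is_bloated(report))
```

In practice the trimmed hash is the one to pivot on: a 300 MB ISO and a 5 MB re-padded variant of the same loader will share it while their full-file hashes differ. A sample that is large but uniformly high-entropy (real media, an encrypted archive) will not trip this check, which is the intended behaviour; it only flags the filler trick.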