MSC Files and Phishing: The FLUX#CONSOLE Threat Unveiled.

“Unmasking the FLUX#CONSOLE: Securonix Threat Research Exposes Evolving Phishing Tactics with MSC Files”

Overview Of The FLUX#CONSOLE Campaign

The Securonix Threat Research team has recently uncovered a rather alarming phishing campaign that’s got everyone on edge. Dubbed the “FLUX#CONSOLE campaign,” this sneaky operation is all about using Microsoft Common Console Document (MSC) files to deliver a stealthy backdoor payload. Now, if you’re wondering why this is such a big deal, it’s because these MSC files are being used in ways we haven’t quite seen before, marking a potential shift from the usual malicious LNK shortcut files that have been giving us headaches for years.

So, here’s how the attack unfolds. It all starts with a phishing email that looks like it’s about taxes—something like a PDF titled “Income-Tax-Deduction-and-Rebates202441712.pdf.” Sounds official, right? But here’s the kicker: while the PDF itself is just a decoy and doesn’t do any harm, it’s got an MSC file embedded in it that’s up to no good. Unlike those pesky LNK files, MSC files are now being used more and more because they can run scripts under the guise of legitimate Windows tools. It’s like they’re wearing a disguise, and it’s working.

The FLUX#CONSOLE campaign is pulling out all the stops to stay under the radar. They’re using tax-themed lures to gain trust, exploiting MSC files to execute hidden code, and even sideloading malicious DLLs using DISM.exe—a legitimate Windows process. They’ve got scheduled tasks set up to keep the malware running even after you reboot your system. And let’s not forget their advanced obfuscation techniques; they’re layering code with encryption and hiding it so well that detecting it becomes a nightmare.

Imagine being tricked into opening what looks like a harmless PDF but is actually a malicious MSC file. This file has XML commands embedded in it, ready to download or extract a nasty DLL payload called DismCore.dll. The MSC file acts as both a loader and dropper, delivering the payload right under your nose. Then, using Dism.exe, this DLL gets sideloaded and starts communicating with a Command-and-Control server at “hxxps://siasat[.]top.” It’s all very hush-hush, with data being exfiltrated through encrypted HTTPS traffic to avoid detection.

What’s even more concerning is that during their research, Securonix found that attackers had “hands-on-keyboard” access for about 24 hours. That’s plenty of time to exfiltrate data and maybe even plan for further attacks. The campaign seems to be targeting folks in Pakistan, given the tax-themed lures and filenames mimicking official documents. While Pakistan has dealt with threats from groups like Sidewinder and Lazarus Group before, the tactics used in FLUX#CONSOLE don’t match any known APT groups.

This whole situation highlights how MSC files are becoming a growing threat vector. They’re typically seen as harmless administrative tools, but their ability to execute embedded scripts makes them an attractive option for attackers looking to bypass traditional detection methods. By disguising these files as PDFs or other common types and embedding malicious code, threat actors are finding new ways to slip past our defenses. It’s enough to make anyone worried about what might come next.
