.webp)
A newly uncovered phishing campaign is exploiting the growing popularity of CapCut, a video editing tool developed by ByteDance. The attackers are utilizing a technique known as reputational hijacking, which allows them to embed malware within a legitimate-looking package, bypassing Smart App Control (SAC) and leaving users vulnerable to data theft and system compromise. This campaign, centered on the use of JamPlus, represents a significant escalation in the tactics used by threat actors to evade detection.
CapCut’s position as one of the most widely-used video editing applications has made it an attractive target for cybercriminals. Its vast user base spans casual users and professionals alike, making it a trusted brand in the creative space. Cyber attackers recognize that software with a strong reputation offers a perfect opportunity to mask malicious activity. By leveraging CapCut's legitimacy, these attackers can gain the trust of their victims, who are less likely to scrutinize downloads from what they perceive as a reliable source.
In this case, the attackers created a counterfeit CapCut download page, visually identical to the official site, to trick users into downloading malware. Once the user downloads the installer, they unwittingly initiate the infection process. The phishing site effectively impersonates CapCut, presenting no immediate signs of malicious intent, making it difficult for non-technical users to identify the risk.
At the core of this attack is the technique known as reputational hijacking, which exploits the credibility of trusted software to deliver harmful code. In this instance, the attackers have integrated JamPlus, a build utility commonly used in software development, into the phishing package. By combining the legitimate CapCut application with JamPlus and a malicious script, they can manipulate the system’s trust mechanisms to bypass security protocols like SAC.
The attack is triggered when a user downloads the fraudulent installer from the phishing site. Upon extraction, the package reveals what appears to be a standard CapCut installation file. However, alongside the legitimate application are hidden components, including the JamPlus utility and a malicious Lua script designed to compromise the system.
When the victim runs the CapCut installer, they unknowingly execute JamPlus, which sets the attack in motion. JamPlus activates the Lua script, which silently fetches additional payloads from a remote server. These fileless techniques—executing code directly in memory without writing anything to the disk—are specifically designed to evade traditional antivirus software, which often rely on disk-based signatures to detect malware.
The malicious installer package is crafted to appear legitimate in every way. When users visit the phishing site, they are prompted to download a file named in a way that mimics typical installers, such as “CapCut_{random number}_Installer.zip”. Once extracted, the archive contains the CapCut app, along with the malicious elements concealed from the user's view.
In most legitimate installations, CapCut is launched from:
C:\Users<User_Name>\AppData\Local\CapCut\Apps\capcut.exe
However, in this attack, the attackers rename the JamPlus utility to “capcut.exe.” This clever deception allows JamPlus to masquerade as the CapCut application, effectively bypassing Smart App Control and other security measures. Upon launch, JamPlus reads from a configuration file—".jam"—which instructs it to execute the hidden Lua script.
The Lua script, in turn, connects to a remote server, downloading a batch file that initiates the next stage of the attack. The batch file is responsible for:
Installing Persistence Mechanisms - It downloads a file named “WindowSafety.bat” from a GitHub repository and saves it in the system's startup folder. This ensures that the malicious script runs automatically whenever the system is rebooted, giving the attackers long-term access to the victim’s machine.
Downloading Additional Malware - Another file, “Document.zip,” is fetched from a different GitHub source. The archive contains a Python script, which is extracted to C:\Users\Public\Document. Once extracted, the Python script is executed, setting the stage for the final payload delivery.
The Python script plays a crucial role in delivering the campaign’s primary malware, NodeStealer. NodeStealer is a highly sophisticated piece of malware designed to steal sensitive data from the victim’s machine. It focuses on gathering a wide range of personal information, including:
What makes this campaign even more difficult to detect is the way NodeStealer exfiltrates the stolen data. Instead of using traditional command-and-control servers that might raise alarms, the attackers use Telegram, a popular messaging app, as their exfiltration channel. This adds an additional layer of obfuscation, making it challenging for cybersecurity teams to trace the attack back to its origin.
This type of attack is not an isolated case. Reputational hijacking has been observed in other phishing campaigns, where attackers embed malicious payloads within widely-used software to bypass security. A notable example involves Postman, another legitimate application that has been exploited in a similar fashion.
These campaigns signal a troubling trend: cybercriminals are increasingly using trusted applications to mask their malicious activities. By leveraging well-known software, they can evade detection and slip past even advanced security defenses. This method represents an evolution in phishing techniques, as attackers focus on exploiting the trust users place in popular applications to further their malicious goals.
The JamPlus-based attack on CapCut highlights the evolving landscape of cyber threats. By embedding malicious code within legitimate software and utilizing advanced techniques like fileless malware, attackers are finding new ways to evade detection and exploit users. The use of NodeStealer to steal sensitive data further illustrates the sophistication of these attacks.
As cybercriminals continue to refine their tactics, it’s essential for individuals and organizations to stay vigilant. Employing a multi-layered security approach—one that includes behavioral analysis, threat intelligence, and robust endpoint protection—will be key in defending against these increasingly complex threats. While traditional detection methods struggle to keep pace with the latest attack techniques, awareness and proactive security measures can help mitigate the risk posed by reputational hijacking and similar phishing campaigns.
In a world where trusted software is no longer immune from exploitation, everyone must remain cautious when downloading applications, even from seemingly legitimate sources.
On this episode of the CyberWatch podcast, there are updates to software across the application and OS spectrum. New malicious campaigns are threatening victims of all sizes, and researchers have performed dissections on malware to give defenders new clues about just what it is they're fighting. All this today, in CyberWatch.
As we conclude our 'ransomware readiness week' of this Cybersecurity Awareness Month, it's time to take a critical look at your organization's defenses. Ransomware attacks are becoming more sophisticated, and no business is immune. In our latest article, we explore essential strategies to bolster your ransomware preparedness. Don't miss this vital information to help protect your business from emerging threats.
Ethical hacking has become an essential response to an IT industry kept on its toes by a spectrum of bad actors with malicious intent. This article introduces two prominent methodologies that help the good guys fight back: penetration testing (pen-testing) and red teaming. Learn more here.
Host Geoff Hancock was joined by guests Mike Rush, Director of Threat Intelligence at Access Point Consulting; and Evie Manning, Senior Director of Threat Hunting and Intelligence at Access Point Consulting. Together, they talked about cyber threat intelligence and the applications that can make it work for small and medium-sized businesses.
