Dahalo.rar
: Often uses a double extension (e.g., Project_Specs.pdf.lnk) and executes a hidden command that launches mshta.exe or powershell.exe to run a remote script.
: Monitor for suspicious child processes originating from archive extractors or office applications.
: Spawning of powershell.exe, cmd.exe, or mshta.exe from parent processes like explorer.exe or web browsers immediately after a file download.
Mitigation and Defense
: Restrict the download of .rar, .7z, and .lnk files from external email sources or unknown web domains.
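The two detection points above (a double-extension .lnk, and a script host started by explorer.exe, a browser, an archive extractor or an office application shortly after an archive lands on disk) can be combined into one correlation rule. The following is an added example, not code from the original page: the event schema, the concrete parent process names, the decoy extension list and the 120-second window are all assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Child and parent roles follow the text above; the concrete browser, extractor
# and Office binary names are an assumed, illustrative list.
CHILDREN = {"powershell.exe", "cmd.exe", "mshta.exe"}
PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
           "winrar.exe", "7zfm.exe", "winword.exe", "excel.exe"}
ARCHIVES = (".rar", ".7z")
# Decoy document extension followed by .lnk, e.g. Project_Specs.pdf.lnk
DOUBLE_EXT_LNK = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.lnk$", re.I)
WINDOW = timedelta(seconds=120)  # assumed meaning of "immediately after"

def base(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return PureWindowsPath(path).name.lower()

def detect(events):
    """Return (rule, host, detail) alerts for a list of event dicts."""
    alerts, last_archive = [], {}  # last_archive: host -> time of last .rar/.7z
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["type"] == "file_create":
            name = base(ev["path"])
            if DOUBLE_EXT_LNK.search(name):
                alerts.append(("double-extension-lnk", ev["host"], name))
            if name.endswith(ARCHIVES):
                last_archive[ev["host"]] = when
        elif ev["type"] == "process_create":
            child, parent = base(ev["image"]), base(ev["parent"])
            seen = last_archive.get(ev["host"])
            # explorer.exe starting cmd.exe is routine on its own; the recent
            # archive write is what makes the pair worth an alert.
            if (child in CHILDREN and parent in PARENTS
                    and seen is not None and when - seen <= WINDOW):
                alerts.append(("script-host-after-archive", ev["host"],
                               f"{parent} -> {child}"))
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE = [
    {"type": "file_create", "host": "ws1", "time": "2024-01-01T10:00:00", "path": r"C:\Users\a\Downloads\sample.rar"},
    {"type": "file_create", "host": "ws1", "time": "2024-01-01T10:00:20", "path": r"C:\Users\a\Downloads\Project_Specs.pdf.lnk"},
    {"type": "process_create", "host": "ws1", "time": "2024-01-01T10:00:25", "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "host": "ws2", "time": "2024-01-01T10:00:30", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "host": "ws1", "time": "2024-01-01T10:30:00", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe"},
]
```

On the sample, only ws1 alerts: once for the double-extension shortcut and once for mshta.exe started by explorer.exe 25 seconds after the archive was written. The ws2 event and the later ws1 cmd.exe launch stay quiet because no archive write falls inside the window.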