ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins
ID: 90b520f8-18f9-5f15-8a42-591357bd3d8e
STIX ID: report--90b520f8-18f9-5f15-8a42-591357bd3d8e
Feed Name: Fortinet Blog
Fortinet Labs describes a phishing-driven campaign attributed to the 8220 Gang that leverages SVG attachments and a layered delivery chain (BatCloak, ScrubCrypt) to install VenomRAT and multiple plugins (NanoCore, Remcos, XWorm, and a crypto wallet stealer). The attack uses advanced evasion and persistence techniques (AMSI/ETW bypass, scheduled tasks, process hollowing, steganography) and maintains encrypted C2 communications to fetch and execute plugins; the report includes C2 domains, URLs, and numerous file hashes as IOCs and notes Fortinet detections and mitigations.
