[TIMESTAMP: 2026-02-27 16:17 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Phishing Campaign Leverages Donut Loader via Spoofed FedEx Alerts

AI-Assisted Analysis

Shipping-themed phishing remains a persistent vector for initial access within corporate environments. A recent campaign, analyzed by the SANS Internet Storm Center (ISC), demonstrates a shift from traditional credential harvesting toward the delivery of modular malware. This specific activity involves localized email notifications masquerading as FedEx delivery alerts, designed to deliver the Donut loader framework.

Phishing Methodology and Delivery

The attack initiates with a spoofed notification informing the recipient of a pending or failed delivery. This social engineering tactic leverages the high volume of legitimate shipping traffic to induce urgency in the victim. Unlike many contemporary phishing attacks that utilize HTML smuggling or malicious URLs to host payloads, this campaign relies on a direct attachment: a ZIP archive typically named FedEx_Delivery_Notice.zip.

Inside the archive, the attacker includes a PE32 executable of the same name. The ZIP container is a deliberate attempt to get past basic email security filters that block or quarantine raw executable attachments but do not look inside compressed ones. Once the user extracts and runs the file, it acts as the first stage and loads the Donut-generated shellcode.
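The filter-bypass point above is that a gateway which only checks the outer file name sees a harmless .zip. The script below is an added example for this article, not code from the campaign or from the ISC report; it shows what a content-inspecting rule has to do instead: open the archive, walk nested archives, classify members by their PE headers rather than by extension, and treat password-protected members (which cannot be inspected) as grounds for quarantine. The sample archive, the member names and the minimal MZ/PE stub are constructed inline so the script runs offline, and the extension lists are an assumed policy.

```python
"""Inspect an attachment archive the way a gateway rule should: look at what is
inside, not at the outer .zip name.

Added example for this article, not code from the campaign or from the ISC report.
The sample archive is constructed inline so the script runs offline; the member
names mimic the reported lure and the "executable" is a minimal MZ/PE header stub."""
import io
import os
import zipfile

# Extensions with no business arriving inside an external ZIP (assumed policy list).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".dll", ".cpl", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1", ".lnk"}
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".cpl", ".sys"}
MAX_DEPTH = 3      # deeper nesting is itself a reason to quarantine
SNIFF_LEN = 4096   # enough of each member to read the headers


def is_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def inspect_archive(blob, path="", depth=0):
    """Return a list of findings; an empty list means nothing objectionable was found."""
    findings = []
    if depth > MAX_DEPTH:
        return [f"{path}: archive nested deeper than {MAX_DEPTH} levels"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [f"{path or '<root>'}: not a valid ZIP"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = f"{path}/{info.filename}" if path else info.filename
            ext = os.path.splitext(info.filename)[1].lower()
            try:
                with zf.open(info) as member:
                    head = member.read(SNIFF_LEN)
            except RuntimeError:
                # Password-protected member: the classic way to defeat content inspection.
                findings.append(f"{name}: encrypted member, contents cannot be inspected")
                continue
            if ext in EXEC_EXTENSIONS:
                findings.append(f"{name}: executable extension {ext}")
            if is_pe(head):
                findings.append(f"{name}: PE image (MZ/PE headers present)")
                if ext not in PE_EXTENSIONS:
                    findings.append(f"{name}: PE image disguised with extension {ext or '<none>'}")
            if head[:4] == b"PK\x03\x04":
                # Nested archive: recurse so a ZIP-in-ZIP does not hide the payload.
                with zf.open(info) as member:
                    findings.extend(inspect_archive(member.read(), name, depth + 1))
    return findings


def _pe_stub():
    """A 256-byte MZ/PE header skeleton; enough for is_pe(), not a real program."""
    stub = bytearray(0x100)
    stub[:2] = b"MZ"
    stub[0x3C:0x40] = (0x80).to_bytes(4, "little")
    stub[0x80:0x84] = b"PE\x00\x00"
    return bytes(stub)


def build_sample():
    """Constructed lure archive modelled on the reported attachment name."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Invoice.pdf", _pe_stub())      # PE hidden behind a document extension
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("FedEx_Delivery_Notice.exe", _pe_stub())
        z.writestr("attachments.zip", inner.getvalue())
        z.writestr("README.txt", "Your parcel could not be delivered.")
    return outer.getvalue()


def build_benign():
    """Constructed archive with only a text file, to show the negative case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("tracking.txt", "Tracking number: 1234")
    return buf.getvalue()


def verdict(blob):
    return "QUARANTINE" if inspect_archive(blob) else "DELIVER"


if __name__ == "__main__":
    for line in inspect_archive(build_sample()):
        print(line)
    print(verdict(build_sample()), verdict(build_benign()))
```

The decision to quarantine on an encrypted member rather than skip it is deliberate: an uninspectable archive is exactly what an attacker sends when extension blocking is in place.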

Technical Analysis: The Donut Loader

The core of this threat is the Donut loader framework. Originally released as an open-source red-team tool (TheWover/donut), Donut is a position-independent code (PIC) generator: it wraps .NET assemblies, VBScript, JScript, and native DLL/EXE files into shellcode that can be executed directly in memory, with the payload decrypted and loaded at runtime rather than written to disk. This makes it attractive to threat actors seeking to minimize their on-disk footprint and evade file-based security controls.

Shellcode Generation and Injection

The sample identified in the report leverages Donut’s ability to wrap payloads into encrypted, position-independent shellcode. When the initial executable runs, it functions as a loader. Its primary purpose is not to perform the final malicious action, but to decrypt and inject the Donut-generated shellcode into a target process’s memory space.

Donut-generated shellcode encrypts its embedded module with a symmetric block cipher (Chaskey, run in counter mode with a 128-bit key) and carries it behind a small loader stub; the stub decrypts the module only at the moment of execution, and in a staged build the encrypted module is fetched from a remote server instead of being embedded. By executing entirely in memory, the malware avoids the forensic artifacts on the file system, such as temporary files or dropped secondary stages, that legacy antivirus solutions monitor.
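For an analyst who has recovered the key and counter from a loader's memory or configuration, the "decrypted only at the moment of execution" step is a counter-mode decryption. The block below is my own reimplementation for this article, written from the public Chaskey permutation and my reading of Donut's encrypt.c; it is not the project's code. The 16-round count and the big-endian counter increment are assumptions to verify against encrypt.c before relying on the routine for a real sample, and the key, counter and module bytes are constructed test data rather than values from the campaign.

```python
"""Decrypting a Donut-style encrypted module.

Donut's encrypt.c applies the Chaskey block cipher (128-bit key, 128-bit block)
in counter mode to the module it embeds in, or stages for, the loader.  This is
my reimplementation for this article, written from the public Chaskey
permutation and my reading of Donut's source; it is not the project's code.
Two details are assumptions to verify against encrypt.c before using this on a
real sample: the round count (16 here) and the byte order in which the counter
block is incremented (big-endian here).  The key, counter and module bytes are
constructed test data, not values from the campaign."""
import struct

MASK = 0xFFFFFFFF


def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def chaskey_block(key, block, rounds=16):
    """Encrypt one 16-byte block: XOR key, apply the ARX permutation, XOR key."""
    k = struct.unpack("<4I", key)
    w = [x ^ y for x, y in zip(struct.unpack("<4I", block), k)]
    for _ in range(rounds):
        w[0] = (w[0] + w[1]) & MASK
        w[1] = rotl(w[1], 5) ^ w[0]
        w[2] = (w[2] + w[3]) & MASK
        w[3] = rotl(w[3], 8) ^ w[2]
        w[2] = (w[2] + w[1]) & MASK
        w[0] = (rotl(w[0], 16) + w[3]) & MASK
        w[3] = rotl(w[3], 13) ^ w[0]
        w[1] = rotl(w[1], 7) ^ w[2]
        w[2] = rotl(w[2], 16)
    return struct.pack("<4I", *(x ^ y for x, y in zip(w, k)))


def ctr_crypt(key, counter, data, rounds=16):
    """Counter mode: keystream block i = E_key(counter + i); XOR handles any length.
    Encryption and decryption are the same operation."""
    ctr = int.from_bytes(counter, "big")   # assumed increment order, see docstring
    out = bytearray()
    for off in range(0, len(data), 16):
        keystream = chaskey_block(key, ctr.to_bytes(16, "big"), rounds)
        out.extend(a ^ b for a, b in zip(data[off:off + 16], keystream))
        ctr = (ctr + 1) & ((1 << 128) - 1)
    return bytes(out)


# Constructed test vector: a 16-byte key and 16-byte counter as Donut keeps them
# alongside the module, plus a fake module (not Donut's real layout) whose bytes
# let an analyst recognise a correct decryption: a 4-byte field, then an MZ header.
KEY = bytes(range(16))
COUNTER = bytes.fromhex("00112233445566778899aabbccddeeff")
MODULE = struct.pack("<I", 2) + b"\x00" * 12 + b"MZ\x90\x00" + b"\x41" * 37   # 69 bytes, not block aligned


def decrypt_module(key, counter, blob):
    """Recover the module and sanity-check the result instead of trusting the key blindly."""
    plain = ctr_crypt(key, counter, blob)
    looks_right = plain[16:18] == b"MZ"
    return plain, looks_right


if __name__ == "__main__":
    blob = ctr_crypt(KEY, COUNTER, MODULE)
    plain, ok = decrypt_module(KEY, COUNTER, blob)
    print(ok, plain == MODULE)
```

The sanity check on the decrypted bytes matters in practice: with the wrong key or counter, counter mode still returns output of the right length, so a plausibility test on the first bytes is the only signal that the recovered parameters were correct.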

Evasion and Detection Challenges

The modularity of the Donut framework allows threat actors to swap the “donut filling”—the final stage payload—without altering the initial delivery mechanism. This means a single phishing template can be used to deliver diverse malware types, ranging from Remote Access Trojans (RATs) to ransomware or info-stealers. The report indicates that these samples often have low initial detection rates on multi-engine scanning platforms due to the effective obfuscation of the shellcode.

Defensive Implications and Recommendations

This campaign underscores the ongoing risk posed by archive-based malware delivery and the increasing adoption of red-team frameworks by cybercriminals. Organizations should prioritize behavioral detection over static file signatures to counter these threats.

Technical Mitigations

  1. Aggressive Attachment Filtering: Configure Secure Email Gateways (SEGs) to inspect the contents of all compressed archives, including nested archives, and to classify members by their file headers rather than by extension alone. Organizations should consider blocking archives that contain executable types such as .exe, .scr, .vbs, or .js entirely if there is no legitimate business need, and quarantining password-protected archives, whose contents cannot be inspected.
  2. Endpoint Monitoring: Deploy Endpoint Detection and Response (EDR) solutions to monitor for the API sequence associated with remote process injection, such as VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread (or NtCreateThreadEx), and collect its Sysmon equivalent, Event ID 8 (CreateRemoteThread). If the loader runs the shellcode in its own process instead, those cross-process calls never occur; in that case look for executable memory in the loader that is not backed by an image on disk, and for the CLR (clr.dll or mscoree.dll) being loaded into a process that is not a .NET application, which is the tell for a Donut-wrapped .NET payload.
  3. ASR Rule Implementation: Enable the Microsoft Defender Attack Surface Reduction (ASR) rule “Block executable content from email client and webmail” (BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550). It acts on the mark-of-the-web that Outlook and browsers attach to saved attachments; Windows Explorer’s built-in ZIP extraction propagates that mark to the extracted executable, but some third-party archivers do not by default. “Block all Office applications from creating child processes” (D4F940AB-401B-4EFC-AADC-AD5F3C50688A) is worth enabling as general hardening, but it does not apply to this chain, which involves no Office document.
  4. Threat Hunting: Regularly hunt for unusual parent-child process relationships: explorer.exe, archive utilities (WinZip, 7-Zip, WinRAR) or browsers spawning an unknown executable from a user-writable location such as Downloads or %TEMP% that subsequently establishes an external network connection or creates a thread in another process.
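Items 2 and 4 together describe one correlation: a process launched by a parent that should not be launching executables, followed within a short window by injection, a CLR load in the wrong process, or an outbound connection from the loader or from the process it injected into. The block below is an added example for this article that runs that correlation over constructed Sysmon-style events (IDs 1, 3, 7 and 8, using Sysmon's field names); it is not the ISC's detection logic, the GUIDs are placeholders, 203.0.113.10 is a documentation address, and the parent and path lists are assumptions to tune per environment.

```python
"""Hunting the loader's behaviour, not the lure, over Sysmon-style telemetry.

Added example for this article.  The events are constructed to look like Sysmon
operational-log records (IDs 1 process create, 3 network connect, 7 image load,
8 CreateRemoteThread) and use Sysmon's field names; they are not real campaign
telemetry, the GUIDs are placeholders and 203.0.113.10 is a documentation address.
The correlation rule and the parent list are mine."""
from datetime import datetime, timedelta

# Parents that should rarely be launching fresh executables (assumed list).
SUSPICIOUS_PARENTS = {"explorer.exe", "7zfm.exe", "7zg.exe", "winzip64.exe", "winrar.exe",
                      "chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\public\\")
CLR_IMAGES = {"clr.dll", "mscoree.dll", "coreclr.dll"}
WINDOW = timedelta(minutes=10)    # follow-on behaviour must happen soon after launch


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _owner(tracked, guid):
    """Record for the loader itself, or for a process the loader injected into."""
    if guid in tracked:
        return tracked[guid]
    return next((r for r in tracked.values() if guid in r["targets"]), None)


def correlate(events):
    """Flag a user-launched EXE from a user-writable path that, within WINDOW, injects
    into another process (EID 8), gets the CLR loaded where it should not be (EID 7),
    or produces an outbound connection (EID 3) from itself or its injection target."""
    tracked = {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        t = datetime.fromisoformat(ev["UtcTime"])
        eid = ev["EventID"]
        if eid == 1:
            image = ev["Image"].lower()
            if _base(ev["ParentImage"]) in SUSPICIOUS_PARENTS and any(d in image for d in USER_WRITABLE):
                tracked[ev["ProcessGuid"]] = {"image": ev["Image"], "start": t, "targets": set(),
                                              "signals": ["parent:" + _base(ev["ParentImage"])]}
            continue
        if eid == 8:
            rec = tracked.get(ev["SourceProcessGuid"])
            if rec and t - rec["start"] <= WINDOW:
                rec["targets"].add(ev["TargetProcessGuid"])
                rec["signals"].append("CreateRemoteThread->" + _base(ev["TargetImage"]))
            continue
        rec = _owner(tracked, ev["ProcessGuid"])
        if not rec or t - rec["start"] > WINDOW:
            continue
        if eid == 7 and _base(ev["ImageLoaded"]) in CLR_IMAGES:
            rec["signals"].append("CLR loaded in " + _base(ev["Image"]))
        elif eid == 3:
            rec["signals"].append(f"net {ev['DestinationIp']}:{ev['DestinationPort']} via {_base(ev['Image'])}")
    # The parent signal alone is noisy (every installer trips it); require follow-on behaviour.
    return [{"guid": g, "image": r["image"], "signals": r["signals"]}
            for g, r in tracked.items() if len(r["signals"]) >= 2]


NOTEPAD = r"C:\Windows\System32\notepad.exe"
LOADER = r"C:\Users\alice\Downloads\FedEx_Delivery_Notice\FedEx_Delivery_Notice.exe"
SAMPLE_EVENTS = [   # constructed
    # Benign: a browser-downloaded installer that does nothing further.
    {"EventID": 1, "UtcTime": "2026-02-27 13:40:02", "ProcessGuid": "{B1}",
     "Image": r"C:\Users\alice\Downloads\vendor-setup.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    # The lure chain: Explorer launches the extracted EXE, which injects into notepad,
    # the CLR appears in notepad, and notepad beacons out.
    {"EventID": 1, "UtcTime": "2026-02-27 14:02:11", "ProcessGuid": "{A1}", "Image": LOADER,
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "UtcTime": "2026-02-27 14:02:14", "SourceProcessGuid": "{A1}", "SourceImage": LOADER,
     "TargetProcessGuid": "{A2}", "TargetImage": NOTEPAD},
    {"EventID": 7, "UtcTime": "2026-02-27 14:02:15", "ProcessGuid": "{A2}", "Image": NOTEPAD,
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 3, "UtcTime": "2026-02-27 14:02:20", "ProcessGuid": "{A2}", "Image": NOTEPAD,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["image"])
        for s in alert["signals"]:
            print("   ", s)
```

Attributing the target process's later events back to the loader is the part most simple rules miss: once the shellcode is running in notepad.exe, the network connection and the CLR load show up under a trusted image name, and only the earlier CreateRemoteThread event ties them to the executable that came out of the ZIP.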

By focusing on the behavior of the loader rather than the specific attributes of the phishing lure, defenders can build more resilient detection pipelines against evolving shellcode delivery frameworks.
