Sandro Sana : 26 August 2025 11:29
In early 2025, an Italian organization found itself the victim of a sneaky intrusion. No dramatic exploit, no textbook attack. What opened the door to the attackers was a VPN account left active after a former employee’s departure. A simple oversight allowed the attackers to infiltrate the network with seemingly no effort. From then on, the rest was a game of patience: silent movement, privilege escalation, and months of hidden presence within the infrastructure.
Download the STAGERSHELL report created by Malware Forge
During incident response operations, a Blue Team identified two suspicious artifacts. These weren’t the usual executable files, but PowerShell scripts capable of running directly in memory.
This is where malware enters the scene, the protagonist of the report published by Red Hot Cyber’s Malware Analysis lab Malware Forge, which the lab has named StagerShell. This component is invisible to less advanced systems, designed to prepare the ground for a more aggressive second stage, most likely ransomware.
StagerShell’s main feature is its fileless nature. This means it leaves no files on the disk or litter the environment with obvious traces, but instead insinuates itself into memory processes. This approach allows it to evade most traditional defenses. In practice, the malware isn’t a thief breaking down the door, but an intruder that silently blends in with those already living in the building, making it difficult to recognize.
The name is no coincidence: StagerShell is a “stager,” or a launching pad. Its purpose is not to inflict the final damage, but to open an invisible channel through which the real payload can be delivered. In other words, it prepares the way and makes the work of the main malware easier and quicker, which often only enters the scene in the final, most devastating phase. It is the prelude to an attack that materialises when the attackers have already gained a huge tactical advantage.
Analysts at Malware Forge have noted a strong similarity between StagerShell and tools already used by criminal groups like Black Basta. After the collapse of that acronym, many of its members merged with organizations like Akira and Cactus, which are also very active in Italy, particularly in the Northeast, the same area hit by this episode. It was not possible to attribute the attack with certainty, but the context leaves little doubt: it was a ransomware campaign that was interrupted before the encryption phase. However, the shadow of the exfiltration remains: a 16 GB file was found on a Domain Controller, a clear sign that the data had already been stolen.
This case clearly shows how, often, it’s not super exploits that put companies in crisis, but everyday management errors. An account that’s not disabled, a forgotten credential, a missing control. Added to this is the attackers’ ability to combine known tools with advanced evasion techniques, capable of confusing antivirus and less advanced defense systems. It’s the perfect combination: on the one hand, the victims’ carelessness, on the other, the criminals’ creativity.
The report sends a clear message: security is not static. Having firewalls and antivirus isn’t enough if they aren’t accompanied by continuous monitoring, constant access review, and the ability to respond rapidly to incidents. In this case, it was EDR alerts and the Blue Team’s promptness that prevented the worst. But it’s clear that without greater attention, the operation could have resulted in massive encryption and a complete shutdown of the infrastructure.
Fileless attacks are not a rare phenomenon nor limited to large multinationals. They are a daily reality, affecting companies of all sizes. For attackers, Italy—and especially its production areas—is a lucrative target: critical supply chains, manufacturing companies that cannot stop, valuable information to resell or use as blackmail leverage. It’s a systemic problem that must be addressed with awareness and seriousness.
The Malware Forge document isn’t just a technical analysis. It’s a practical tool for understanding how attackers actually operate, what errors they exploit, and what countermeasures can make a difference. It recounts a real case, with real protagonists and dynamics, and translates it into lessons that every organization can apply. It’s not theory, it’s field experience.
Publishing this type of analysis means turning knowledge into defense. This is the idea that guides Red Hot Cyber: recognize the risk, talk about it, share what you’ve learned. It’s not an academic gesture, but a concrete way to make life more difficult for attackers and make the security community more mature. Because knowledge, in this field, isn’t power if it stays locked away in a drawer: it only becomes power when it’s spread.
StagerShell teaches us that The most dangerous intrusion is often the one you don’t see. It’s the signal that hasn’t yet made any noise, the silent presence preparing a devastating attack. Reading the report means becoming aware of these dynamics and taking home three simple convictions: shut down what’s unnecessary, see what’s important, and react without hesitation.
The next intrusion could have already begun. And, as StagerShell demonstrates, what you don’t see is precisely what puts you most at risk.
The Malware Forge specialists represent the technical core of the Red Hot Cyber Malware Analysis sub-community. These professionals have advanced skills in malware analysis, reverse engineering, and offensive and defensive security. They are capable of reconstructing complex behaviors of malicious code and translating them into practical information for companies, institutions, and industry professionals.
Their work isn’t limited to simply identifying malware: specialists study how attackers operate, which vulnerabilities they exploit, how they move laterally within networks, and how they plan their campaigns (also in collaboration with other Red Hot Cyber groups such as HackerHood, which specializes in ethical hacking, or Dark Lab, which specializes in cyber threat intelligence). Thanks to this expertise, Malware Forge produces detailed reports and technical documents, transforming raw data into operational and tactical intelligence that allows us to prevent and mitigate real-world attacks.
Anyone interested in joining the community and collaborating with Malware Forge can find all the information and how to join in this official article: Malware Forge: Red Hot Cyber’s Malware Analysis Lab is born.
Sandro Sana