Researchers have analyzed malicious files related to Hidden Cobra’s BLINDINGCAN RAT. The campaign in which these files were discovered targeted government contractors via job-posting-themed phishing emails. The first four analyzed files were all lure documents in Microsoft Word format containing a decoy image. An embedded XML file in each of these samples attempts to connect to a remote URL in order to download a next-stage payload. At the time of analysis, none of the URLs were accessible, so the next-stage executable could not be obtained for analysis. Researchers also analyzed two DLL files, one 32-bit and one 64-bit, both with identical functionality. The first DLL is responsible for extracting, decoding, installing, and executing a secondary DLL. Once installed, this secondary DLL extracts two additional embedded DLLs, which are decrypted and loaded into memory. The payload running in memory was identified as a RAT, which the researchers dubbed “BLINDINGCAN.” It first exfiltrates RC4-encoded system information to the C2 server. In response, the C2 server is capable of issuing commands to retrieve additional information, create/start/terminate processes, search/read/write/move/execute files, delete malicious artifacts, and more.
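
For triage of Word attachments like the lure documents described above, the following added example (not code from the researchers' report) lists every external relationship target inside an OOXML package. It assumes the embedded XML that reaches out to a remote URL is a package relationships part (`*.rels`), which the summary does not specify; the function names, the sample package and the `placeholder.example` URLs are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of OOXML package relationship parts (*.rels).
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OD_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_targets(docx_bytes):
    """Return sorted (part, relationship type, target) for each external relationship."""
    if not zipfile.is_zipfile(io.BytesIO(docx_bytes)):
        return []  # legacy .doc or non-OOXML input: nothing to inspect here
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                hits.append((name, "unparseable", ""))  # malformed part is itself worth a look
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel_type, rel.get("Target", "")))
    return sorted(hits)


def remote_loads(hits):
    """Drop ordinary hyperlinks (followed only on a click); the rest deserve review."""
    return [h for h in hits if h[1] != "hyperlink"]


def rels_xml(rel_type, target):
    """Build one constructed relationships part with a single external relationship."""
    return ('<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
            'Target="%s" TargetMode="External"/></Relationships>'
            % (REL_NS.strip("{}"), OD_REL + rel_type, target))


def build_sample():
    """Constructed package (not a real lure): one remote template, one hyperlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/settings.xml.rels",
                     rels_xml("attachedTemplate", "https://placeholder.example/next-stage.dotm"))
        pkg.writestr("word/_rels/document.xml.rels",
                     rels_xml("hyperlink", "https://placeholder.example/careers"))
    return buf.getvalue()
```
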