Reference Number ACG-CSB 042125390

The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

Cybercriminals are getting smarter and finding new ways to get past standard security defenses. One of the most alarming developments in recent threat activity is the emergence of Highly Evasive Adaptive Threats (HEAT). These sophisticated attacks are designed to exploit trusted cloud apps and web environments, bypassing detection by staying under the radar of antivirus software, firewalls, and even modern endpoint detection tools.

HEAT is especially dangerous because it does not need a software vulnerability to succeed. It delivers harmful content through tools that users and security products already trust: email links, web browsers, and cloud storage. The malicious activity is hidden inside encrypted web traffic, nothing is saved to the computer’s disk, and the payload runs only in memory, so file-based security tools have nothing to inspect.

HEAT threats are specifically engineered to bypass antivirus detection by avoiding the behaviors antivirus tools are designed to look for. Instead of delivering executable files or exploiting known vulnerabilities, they operate through web browsers and cloud apps, leveraging encrypted traffic, obfuscated scripts, and in-memory execution. Since no suspicious file is written to disk and no known malware signature is triggered, antivirus tools often see nothing unusual. These threats also check whether they are running in a sandbox or virtual machine, the environments security products use to analyze suspicious content, and delay execution until they appear to be on a real user’s machine.

For example, a victim may receive an email with a link to what appears to be a shared document hosted on a cloud service. Clicking the link opens a web page whose JavaScript silently assembles the malicious payload piece by piece inside the browser. Because no recognizable file is downloaded and everything happens within the browser, conventional security tools have nothing to flag, and the attacker gains remote access without tripping any alarms.

Another scenario is the drive-by download: malicious software is delivered to a user’s device without their knowledge or consent simply by visiting a compromised or attacker-controlled website, often one that looks legitimate. Such sites use obfuscated JavaScript to deliver the malware, but only after checking whether the visitor is a sandbox or virtual machine of the kind used for malware analysis. If the check indicates an analysis environment, the code stays dormant; if it indicates a real user, the malware deploys, potentially harvesting login credentials or opening a backdoor.
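The evasion tricks described in the two scenarios above (sandbox and virtual machine checks, delayed execution, in-browser payload assembly, obfuscated scripts) leave traces in a page’s JavaScript that can be inspected before the script ever runs. The following Node.js script is an added example prepared for this bulletin, not code from the cited sources: it scans a script for those indicators and flags the combination rather than any single one. The indicator patterns, the 30-second delay threshold and the three-category rule are this example’s assumptions, and both sample scripts are constructed for it.

```javascript
// Added example (not from the bulletin's sources): static scan of a page
// script for the HEAT evasion indicators described above. Node.js only.
// Indicator patterns and thresholds are this example's assumptions.

// Constructed sample: fingerprints the host, waits a minute, then builds a
// download entirely in memory so no file is fetched over the network.
const SAMPLE_EVASIVE = `
(function () {
  var real = !navigator.webdriver && navigator.hardwareConcurrency > 2 &&
             screen.width > 1024 && navigator.plugins.length > 0;
  if (!real) { return; }
  setTimeout(function () {
    var parts = ["UEsDBBQAAAAI", "AAAAIQAAAAAA", "AAAAAAAAAAAA"];
    var bin = atob(parts.join(""));
    var buf = new Uint8Array(bin.length);
    for (var i = 0; i < bin.length; i++) { buf[i] = bin.charCodeAt(i); }
    var blob = new Blob([buf], { type: "application/octet-stream" });
    var a = document.createElement("a");
    a.href = URL.createObjectURL(blob);
    a.download = "Invoice_" + String.fromCharCode(0x34, 0x32) + ".zip";
    document.body.appendChild(a);
    a.click();
  }, 60000);
})();
`;

// Constructed sample: ordinary form validation with a short UI timer.
const SAMPLE_BENIGN = `
document.getElementById("form").addEventListener("submit", function (e) {
  var email = document.getElementById("email").value;
  if (!/^[^@]+@[^@]+$/.test(email)) { e.preventDefault(); showError("Invalid email"); }
});
setTimeout(function () { document.getElementById("banner").hidden = true; }, 5000);
`;

// Regex indicators per category. Any single category is common in
// legitimate pages; the bulletin's pattern is the chain of all of them.
const INDICATORS = {
  fingerprinting: [
    /navigator\.webdriver/, /navigator\.hardwareConcurrency/,
    /navigator\.deviceMemory/, /navigator\.plugins\.length/,
    /screen\.(width|height)/, /outer(Width|Height)/,
  ],
  payloadAssembly: [
    /\batob\s*\(/, /new\s+Uint8Array\s*\(/, /new\s+Blob\s*\(/,
    /URL\.createObjectURL\s*\(/, /msSaveOrOpenBlob/, /\.download\s*=/,
  ],
  obfuscation: [
    /String\.fromCharCode/, /\beval\s*\(/, /new\s+Function\s*\(/,
    /unescape\s*\(/,
    /(\\x[0-9a-fA-F]{2}){8,}/,          // long run of hex escapes
    /['"][A-Za-z0-9+\/=]{200,}['"]/,    // long base64-looking literal
  ],
};

// Delay check: for each setTimeout/setInterval, take the first
// ", <digits>);" that follows it and compare against minMs.
function findLongDelays(src, minMs) {
  const hits = [];
  const call = /set(?:Timeout|Interval)\s*\(/g;
  let m;
  while ((m = call.exec(src)) !== null) {
    const tail = src.slice(m.index, m.index + 2000);
    const delay = tail.match(/,\s*(\d+)\s*\)\s*;/);
    if (delay && Number(delay[1]) >= minMs) {
      hits.push(`${m[0].trim()} delays ${delay[1]} ms`);
    }
  }
  return hits;
}

function scanScript(src, minDelayMs = 30000) {
  const hits = {};
  for (const [category, patterns] of Object.entries(INDICATORS)) {
    const found = patterns.filter((p) => p.test(src)).map((p) => p.source);
    if (found.length) { hits[category] = found; }
  }
  const delays = findLongDelays(src, minDelayMs);
  if (delays.length) { hits.delayedExecution = delays; }
  const categories = Object.keys(hits);
  // Three or more categories together is the evasive chain; one alone is
  // routine (single-page apps use Blob and createObjectURL constantly).
  const verdict = categories.length >= 3 ? "suspicious" : "benign";
  return { verdict, categories, hits };
}

console.log(JSON.stringify(scanScript(SAMPLE_EVASIVE), null, 2));
console.log(scanScript(SAMPLE_BENIGN).verdict);
```

Run with `node scan.js`. The scan is deliberately category-based: a page that only uses Blob and createObjectURL is a normal web application, while a page that fingerprints the browser, waits a minute and then assembles a download in memory is the pattern the bulletin warns about. A scan like this belongs in a proxy, a browser-isolation layer or a mail gateway that can see the script before the user’s browser executes it, not on the endpoint after the fact.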

To effectively counter HEAT, organizations must move beyond conventional perimeter-based defenses and adopt a dynamic, layered security strategy: browser isolation, zero trust access controls, and real-time behavioral analysis that can detect subtle indicators of compromise. Since HEAT attacks blend into regular user activity, visibility into web traffic and user behavior is essential. Organizations should also continuously monitor cloud applications and enforce strict controls on how users interact with external content. Just as important is regular security training: employees who question unexpected links and unfamiliar cloud-based prompts are the first line of defense against threats that hide in plain sight.

RECOMMENDATION

The public is advised to follow these tips to avoid becoming a victim of HEAT attacks:

  • Keep browsers, extensions, and scripts up to date and patched. Regularly updating browser components reduces the risk of them being exploited or abused as part of a HEAT attack chain;
  • Avoid interacting with suspicious browser messages or pop-ups. Close any unexpected alerts, updates, or prompts from websites unless you know they’re part of your normal work tools;
  • Log out of work apps when finished, especially on shared devices. Staying logged in can leave one’s account vulnerable to unauthorized access;
  • Always hover over links to preview their true destination. If the link address looks unfamiliar, mismatched, or suspicious, it should not be clicked;
  • Work-related passwords should not be saved in the browser’s built-in password store. If the browser is compromised, saved credentials could be exposed to attackers;
  • Unused browser tabs should be closed promptly. Open tabs can continue running scripts or web-based tasks in the background, increasing potential exposure to threats; and
  • Personal web browsing should be separated from work-related tasks. Mixing personal activity with professional systems may increase the risk of exposure to untrusted content or threats.
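As an added illustration of the link advice above (example code prepared for this edit, not from the bulletin’s cited sources), the following Node.js script automates the “hover over the link” check: it compares the text a user sees with the host the browser would actually contact, and also flags the tricks that defeat a quick visual check, namely credentials placed before “@” in the address, non-web schemes such as javascript:, and punycode look-alike domains. The sample anchors and host names are constructed for the example, and the two-label rule for the registrable domain is a stated simplification.

```javascript
// Added example (not from the bulletin's sources): automates the "hover
// over the link" check. Node.js; relies on the WHATWG URL parser built in
// to Node. Sample anchors are constructed; hosts are placeholders.

const SAMPLE_HTML = `
<p>Shared: <a href="https://drive.example.com/file/abc123">drive.example.com/file/abc123</a></p>
<p>Review: <a href="https://drive.example.com@files-review.test/login">https://drive.example.com/review</a></p>
<p>Open: <a href="javascript:void(0)">Invoice_2024.pdf</a></p>
<p>Portal: <a href="https://dr\u00efve.example.com/">drive.example.com</a></p>
<p>Help: <a href="https://support.example.com/kb/1">Help Center</a></p>
`;

// Assumption: the last two labels form the registrable domain. Production
// code should consult the Public Suffix List (co.uk, com.ph, ...).
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Compare what the user sees with where the browser will actually go.
function checkAnchor(href, text) {
  const problems = [];
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { href, text, problems: ["unparseable href"] };
  }
  if (!/^https?:$/.test(url.protocol)) {
    problems.push(`non-web scheme ${url.protocol}`);
  }
  // Everything before "@" is userinfo, not the host: the real host is
  // what follows it, and that is what the parser reports as hostname.
  if (url.username || url.password) {
    problems.push(`credentials before @ hide the real host ${url.hostname}`);
  }
  // The parser converts Unicode labels to punycode; such labels are often
  // homographs of a familiar name.
  if (url.hostname.split(".").some((l) => l.startsWith("xn--"))) {
    problems.push(`punycode host ${url.hostname}`);
  }
  // If the visible text itself looks like a URL or domain, its registrable
  // domain must agree with the href's.
  const m = text.trim().match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[\/:?#]|$)/i);
  if (m && url.hostname &&
      registrableDomain(m[1].toLowerCase()) !== registrableDomain(url.hostname)) {
    problems.push(`text shows ${m[1]} but link goes to ${url.hostname}`);
  }
  return { href, text, problems };
}

// Minimal anchor extraction for the constructed sample; a real page
// should be walked with a proper HTML parser.
function checkLinks(html) {
  const out = [];
  const re = /<a\s+[^>]*href="([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push(checkAnchor(m[1], m[2].replace(/<[^>]+>/g, "")));
  }
  return out;
}

for (const r of checkLinks(SAMPLE_HTML)) {
  console.log(r.problems.length ? "FLAG" : "ok  ", r.href, r.problems.join("; "));
}
```

Run with `node links.js`. The second sample is the one worth remembering: a user who hovers sees an address that begins with the trusted cloud host, but the browser treats everything before “@” as a user name and connects to the host after it. The fourth shows why a visually identical domain can still be a different one; the URL parser’s punycode form exposes the difference that the eye misses.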

For additional information, please refer to the following websites:

  • https://www.criticalstart.com/threat-research-beat-the-heat/
  • https://www.anomali.com/glossary/heat-highly-evasive-adaptive-threats
  • https://www.menlosecurity.com/what-is/highly-evasive-adaptive-threats-heat

POINT OF CONTACT

Please contact PLTCOL JERRY V EMPIZO, Officer-In-Charge, Cyber Security Unit, thru e-mail address csradacgroup@gmail.com or contact us by telephone number (632) 723-0401 local 7488 for any inquiries related to this CYBER SECURITY BULLETIN.
