Anatomy of a malware attack

By Manny Fernandez

April 10, 2026

Anatomy of a malware attack

Today I was at a stop light and decided to take a look at my calendar for tomorrow to see what I had coming up. I was surprised to see that I had a strange event in my calendar in green. Green is my personal calendar yet it made reference to Payroll. I waited til I got home. From my phone, I could see there was an attachment on the invite.

The event title showed typical PHISH like language often creating a false sense of panic, demanding immediate action to prevent account suspension, legal action, or financial loss. I calendar in an isolated VM. I was able to see the attachment which was a .txt file.

I decided to run the file through my FortiSandbox Cloud.

FortiSandbox has a File on Demand and URL on Demand , then we can choose Upload File

After you submit the file to the FortiSandbox, you can monitor the process

Here is the command the attachment tried to run.

"c:\program files (x86)\microsoft\edge\application
\msedge.exe" --disable-field-trial-config --disable-background-networking --disable-background-timer
-throttling --disable-backgrounding-occluded-windo ws
--disable-back-forward-cache --disable-breakpad
--disable-client-side-phishing-detection --disabl
e-component-extensions-with-background-pages --dis
able-component-update --no-default-browser-check -
-disable-default-apps --disable-dev-shm-usage --di
sable-extensions --disable-features=ImprovedCookie
Controls,LazyFrameLoading,GlobalMediaControls,Dest
royProfileOnBrowserClose,MediaRouter,DialMediaRout
eProvider,AcceptCHFrame,AutoExpandDetailsElement,C
ertificateTransparencyComponentUpdater,AvoidUnnece
ssaryBeforeUnloadCheckSync,Translate,HttpsUpgrades ,
PaintHolding,PlzDedicatedWorker --allow-pre-commi t-input
--disable-hang-monitor --disable-ipc-flood ing-protection
--disable-popup-blocking --disable- prompt-on-repost
--disable-renderer-backgrounding --force-color-profile=srgb
--metrics-recording-onl y --no-first-run --enable-automation
--password-st ore=basic --use-mock-keychain
--no-service-autorun --export-tagged-pdf
--disable-search-engine-choic e-screen
--unsafely-disable-devtools-self-xss-warn ings --no-sandbox
--headless --disable-gpu "--user -agent=Mozilla/5.0
(Macintosh; Intel Mac OS X 10_1 5_3) AppleWebKit/537.36
(KHTML, like Gecko) Chrome /80.0.3987.132 Safari/537.36"
--ignore-certificate -errors --enable-features=NetworkService
--no-sand box --disable-dev-shm-usage
--disable-web-security --disable-features=TranslateUI
--disable-backgrou nd-timer-throttling
--disable-backgrounding-occlud ed-windows
--disable-renderer-backgrounding --disa
ble-ipc-flooding-protection --memory-pressure-off
--no-first-run --no-default-browser-check --disabl
e-default-apps --disable-component-extensions-with
-background-pages --edge-skip-compat-layer-relaunc h
--disable-background-networking --user-data-dir=
C:\Users\ADMINI~1\AppData\Local\Temp\playwright_ch
romiumdev_profile-8jgU5M --remote-debugging-pipe a

This command is highly suspicious and indicates that the phishing file you analyzed is likely a component of a larger automated attack chain, potentially using a framework like Playwright or Puppeteer to perform “Browser-in-the-Browser” (BitB) operations or credential relaying.

Here is the breakdown of the command and its security implications.

The command launches Microsoft Edge with dozens of flags specifically designed to strip away security features, prevent user interaction, and automate the browsing session.

Disabling Security Controls

The attacker is explicitly turning off the browser’s built-in protections to ensure their malicious scripts run without interference:

--disable-client-side-phishing-detection: Disables Edge’s SmartScreen/Phishing protection, preventing the browser from blocking the very phishing sites it is trying to reach.

--disable-web-security: Disables the Same-Origin Policy (SOP). This is a critical security boundary; disabling it allows scripts on a malicious page to read data from other open tabs or sites.

--no-sandbox: Completely disables the browser sandbox. This is extremely dangerous as it allows a web-based exploit to potentially break out of the browser and execute code directly on the underlying operating system.

--ignore-certificate-errors: Forces the browser to ignore SSL/TLS certificate warnings, which is useful if the attacker is using self-signed certs or performing a Man-in-the-Middle (MitM) attack.

Automation and Headless Mode

The flags indicate this is not a human user opening a browser, but a script:

--headless: The browser runs in the background without a visible window. This allows the attack to happen silently without the victim noticing a new browser instance.

--enable-automation: Informs the browser it is being controlled by software (like Playwright), which often disables certain user-side prompts.

--user-data-dir=...playwright_chromiumdev_profile...: This confirms the use of Playwright, a browser automation library often used by developers for testing, but increasingly used by threat actors to automate login spoofing or data exfiltration

Fingerprint Manipulation (Evasion)

The attacker is trying to hide the true nature of the machine running the command:

--user-agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3)...: Even though the file path shows this is running on Windows(C:\program files (x86)...), it is telling websites it is a Macintosh. This is used to bypass conditional access policies or to appear as a generic user to security monitors.

Essentially, this attack will load a logo of Excel and then prompt you for your credentials to Office 365. But this can be integrated with so many other attacks and payloads.

Anatomy of a malware attack

Disabling Security Controls

Fingerprint Manipulation (Evasion)

Recent posts