Congratulations!

This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

Source: https://securelist.com/feed/

  1. <?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
  2. xmlns:content="http://purl.org/rss/1.0/modules/content/"
  3. xmlns:wfw="http://wellformedweb.org/CommentAPI/"
  4. xmlns:dc="http://purl.org/dc/elements/1.1/"
  5. xmlns:atom="http://www.w3.org/2005/Atom"
  6. xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
  7. xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
  8. >
  9.  
  10. <channel>
  11. <title>Securelist</title>
  12. <atom:link href="https://securelist.com/feed/" rel="self" type="application/rss+xml" />
  13. <link>https://securelist.com</link>
  14. <description></description>
  15. <lastBuildDate>Tue, 21 Oct 2025 13:20:13 +0000</lastBuildDate>
  16. <language>en-US</language>
  17. <sy:updatePeriod>
  18. hourly </sy:updatePeriod>
  19. <sy:updateFrequency>
  20. 1 </sy:updateFrequency>
  21. <generator>https://wordpress.org/?v=6.8.3</generator>
  22.  
  23. <image>
  24. <url>https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06125514/cropped-sl_favicon-32x32.png</url>
  25. <title>Securelist</title>
  26. <link>https://securelist.com</link>
  27. <width>32</width>
  28. <height>32</height>
  29. </image>
  30. <item>
  31. <title>The evolving landscape of email phishing attacks: how threat actors are reusing and refining established techniques</title>
  32. <link>https://securelist.com/email-phishing-techniques-2025/117801/</link>
  33. <comments>https://securelist.com/email-phishing-techniques-2025/117801/#respond</comments>
  34. <dc:creator><![CDATA[Roman Dedenok]]></dc:creator>
  35. <pubDate>Tue, 21 Oct 2025 10:00:06 +0000</pubDate>
  36. <category><![CDATA[Spam and phishing]]></category>
  37. <category><![CDATA[Spammer techniques]]></category>
  38. <category><![CDATA[Spam Letters]]></category>
  39. <category><![CDATA[Phishing]]></category>
  40. <category><![CDATA[CAPTCHA]]></category>
  41. <category><![CDATA[Phishing websites]]></category>
  42. <category><![CDATA[QR-codes]]></category>
  43. <category><![CDATA[2FA]]></category>
  44. <category><![CDATA[Spam and Phishing]]></category>
  45. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117801</guid>
  46.  
  47. <description><![CDATA[Common email phishing tactics in 2025 include PDF attachments with QR codes, password-protected PDF documents, calendar phishing, and advanced websites that validate email addresses.]]></description>
  48. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/20200617/SL-email-phishing-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
  49. <p>Cyberthreats are constantly evolving, and email phishing is no exception. Threat actors keep coming up with new methods to bypass security filters and circumvent user vigilance. At the same time, established – and even long-forgotten – tactics have not gone anywhere; in fact, some are getting a second life. This post details some of the unusual techniques malicious actors are employing in 2025.</p>
  50. <h2 id="using-pdf-files-from-qr-codes-to-passwords">Using PDF files: from QR codes to passwords</h2>
  51. <p>Emails with PDF attachments are becoming increasingly common in both mass and targeted phishing campaigns. Whereas in the past, most PDF files contained phishing links, the main trend in these attacks today is the use of QR codes.</p>
  52. <div id="attachment_117802" style="width: 1441px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142213/email-phishing1.png" class="magnificImage"><img fetchpriority="high" decoding="async" aria-describedby="caption-attachment-117802" class="size-full wp-image-117802" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142213/email-phishing1.png" alt="Email with a PDF attachment that contains a phishing QR code" width="1431" height="2040" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142213/email-phishing1.png 1431w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142213/email-phishing1-210x300.png 210w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142213/email-phishing1-718x1024.png 718w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142213/email-phishing1-768x1095.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142213/email-phishing1-1077x1536.png 1077w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142213/email-phishing1-246x350.png 246w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142213/email-phishing1-701x1000.png 701w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142213/email-phishing1-196x280.png 196w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142213/email-phishing1-631x900.png 631w" sizes="(max-width: 1431px) 100vw, 1431px" /></a><p id="caption-attachment-117802" class="wp-caption-text">Email with a PDF attachment that contains a phishing QR code</p></div>
  53. <p>This represents a logical progression from the trend of <a href="https://securelist.com/qr-codes-in-phishing/110676/" target="_blank" rel="noopener">using QR codes directly in the email body</a>. This approach simplifies the process of disguising the phishing link while motivating users to open the link on their mobile phone, which may lack the security safeguards of a work computer.</p>
  54. <p>Email campaigns that include phishing links embedded in PDF attachments continue to pose a significant threat, but attackers are increasingly employing additional techniques to evade detection. For example, some PDF files are encrypted and protected with a password.</p>
  55. <div id="attachment_117803" style="width: 1242px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142353/email-phishing2.png" class="magnificImage"><img decoding="async" aria-describedby="caption-attachment-117803" class="size-full wp-image-117803" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142353/email-phishing2.png" alt="Phishing email with a password-protected PDF attachment" width="1232" height="1016" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142353/email-phishing2.png 1232w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142353/email-phishing2-300x247.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142353/email-phishing2-1024x844.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142353/email-phishing2-768x633.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142353/email-phishing2-424x350.png 424w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142353/email-phishing2-740x610.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142353/email-phishing2-340x280.png 340w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142353/email-phishing2-800x660.png 800w" sizes="(max-width: 1232px) 100vw, 1232px" /></a><p id="caption-attachment-117803" class="wp-caption-text">Phishing email with a password-protected PDF attachment</p></div>
  56. <p>The password may be included in the email that contains the PDF, or it may be sent in a separate message. From the cybersecurity standpoint, this approach complicates quick file scanning, while for the recipients it lends an air of legitimacy to attackers&#8217; efforts and can be perceived as adherence to high security standards. Consequently, these emails tend to inspire more user trust.</p>
  57. <div id="attachment_117804" style="width: 1372px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142428/email-phishing3.jpeg" class="magnificImage"><img decoding="async" aria-describedby="caption-attachment-117804" class="size-full wp-image-117804" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142428/email-phishing3.jpeg" alt="PDF file after the user enters the password" width="1362" height="841" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142428/email-phishing3.jpeg 1362w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142428/email-phishing3-300x185.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142428/email-phishing3-1024x632.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142428/email-phishing3-768x474.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142428/email-phishing3-567x350.jpeg 567w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142428/email-phishing3-740x457.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142428/email-phishing3-453x280.jpeg 453w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142428/email-phishing3-800x494.jpeg 800w" sizes="(max-width: 1362px) 100vw, 1362px" /></a><p id="caption-attachment-117804" class="wp-caption-text">PDF file after the user enters the password</p></div>
  58. <h2 id="phishing-and-calendar-alerts">Phishing and calendar alerts</h2>
  59. <p>The use of calendar events as a spam technique, which was popular in the late 2010s but gradually faded away after 2019, is a relatively old tactic. The concept is straightforward: attackers send an email that contains a calendar appointment. The body of the email may be empty, but a phishing link is concealed in the event description.</p>
  60. <div id="attachment_117805" style="width: 846px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142516/email-phishing4.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117805" class="size-full wp-image-117805" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142516/email-phishing4.png" alt="Blank email with a phishing link in the calendar appointment " width="836" height="386" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142516/email-phishing4.png 836w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142516/email-phishing4-300x139.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142516/email-phishing4-768x355.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142516/email-phishing4-758x350.png 758w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142516/email-phishing4-740x342.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142516/email-phishing4-606x280.png 606w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142516/email-phishing4-800x369.png 800w" sizes="auto, (max-width: 836px) 100vw, 836px" /></a><p id="caption-attachment-117805" class="wp-caption-text">Blank email with a phishing link in the calendar appointment</p></div>
  61. <p>When the recipient opens the email, the event is added to their calendar – along with the link. If the user accepts the meeting without thoroughly reviewing it, they will later receive a reminder about it from the calendar application. As a result, they risk landing on the phishing website, even if they chose not to open the link directly in the original message.</p>
  62. <p>In 2025, phishers revived this old tactic. However, unlike the late 2010s, when these campaigns were primarily mass mailshots designed with Google Calendar in mind, they are now being used in B2B phishing and specifically target office workers.</p>
  63. <div id="attachment_117806" style="width: 593px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142602/email-phishing5.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117806" class="size-full wp-image-117806" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142602/email-phishing5.jpeg" alt="Phishing sign-in form for a Microsoft account from a calendar phishing attack" width="583" height="1080" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142602/email-phishing5.jpeg 583w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142602/email-phishing5-162x300.jpeg 162w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142602/email-phishing5-553x1024.jpeg 553w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142602/email-phishing5-189x350.jpeg 189w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142602/email-phishing5-540x1000.jpeg 540w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142602/email-phishing5-151x280.jpeg 151w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142602/email-phishing5-486x900.jpeg 486w" sizes="auto, (max-width: 583px) 100vw, 583px" /></a><p id="caption-attachment-117806" class="wp-caption-text">Phishing sign-in form for a Microsoft account from a calendar phishing attack</p></div>
  64. <h2 id="verifying-existing-accounts">Verifying existing accounts</h2>
  65. <p>Attackers are not just updating the methods they use to deliver phishing content, but also the phishing websites. Often, even the most primitive-looking email campaigns distribute links to pages that utilize new techniques.</p>
  66. <div id="attachment_117807" style="width: 770px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142722/email-phishing6.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117807" class="size-full wp-image-117807" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142722/email-phishing6.jpeg" alt="Voice message phishing" width="760" height="287" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142722/email-phishing6.jpeg 760w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142722/email-phishing6-300x113.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142722/email-phishing6-740x279.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142722/email-phishing6-741x280.jpeg 741w" sizes="auto, (max-width: 760px) 100vw, 760px" /></a><p id="caption-attachment-117807" class="wp-caption-text">Voice message phishing</p></div>
  67. <p>For example, we observed a minimalistic email campaign crafted to look like an alert about a voice message left for the user. The body of the email contained only a couple of sentences, often with a space in the word &#8220;voice&#8221;, and a link. The link led to a simple landing page that invited the recipient to listen to the message.</p>
  68. <div id="attachment_117808" style="width: 589px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142808/email-phishing7.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117808" class="size-full wp-image-117808" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142808/email-phishing7.png" alt="Landing page that opens when clicking the link in the phishing email" width="579" height="408" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142808/email-phishing7.png 579w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142808/email-phishing7-300x211.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142808/email-phishing7-497x350.png 497w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142808/email-phishing7-397x280.png 397w" sizes="auto, (max-width: 579px) 100vw, 579px" /></a><p id="caption-attachment-117808" class="wp-caption-text">Landing page that opens when clicking the link in the phishing email</p></div>
  69. <p>However, if the user clicks the button, the path does not lead to a single page but rather a chain of verification pages that employ CAPTCHA. The purpose is likely to evade detection by security bots.</p>
  70. <div id="attachment_117809" style="width: 1234px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142905/email-phishing8.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117809" class="size-full wp-image-117809" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142905/email-phishing8.png" alt="The CAPTCHA verification chain" width="1224" height="447" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142905/email-phishing8.png 1224w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142905/email-phishing8-300x110.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142905/email-phishing8-1024x374.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142905/email-phishing8-768x280.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142905/email-phishing8-958x350.png 958w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142905/email-phishing8-740x270.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142905/email-phishing8-767x280.png 767w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17142905/email-phishing8-800x292.png 800w" sizes="auto, (max-width: 1224px) 100vw, 1224px" /></a><p id="caption-attachment-117809" class="wp-caption-text">The CAPTCHA verification chain</p></div>
  71. <p>After repeatedly proving they are not a bot, the user finally lands on a website designed to mimic a Google sign-in form.</p>
  72. <div id="attachment_117810" style="width: 787px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143024/email-phishing9.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117810" class="size-full wp-image-117810" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143024/email-phishing9.jpeg" alt="The phishing sign-in form" width="777" height="583" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143024/email-phishing9.jpeg 777w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143024/email-phishing9-300x225.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143024/email-phishing9-768x576.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143024/email-phishing9-200x150.jpeg 200w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143024/email-phishing9-466x350.jpeg 466w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143024/email-phishing9-740x555.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143024/email-phishing9-373x280.jpeg 373w" sizes="auto, (max-width: 777px) 100vw, 777px" /></a><p id="caption-attachment-117810" class="wp-caption-text">The phishing sign-in form</p></div>
  73. <p>This page is notable for validating the Gmail address the user enters and displaying an error if it is not a registered email.</p>
  74. <div id="attachment_117811" style="width: 788px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143113/email-phishing10.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117811" class="size-full wp-image-117811" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143113/email-phishing10.jpeg" alt="Error message" width="778" height="584" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143113/email-phishing10.jpeg 778w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143113/email-phishing10-300x225.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143113/email-phishing10-768x576.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143113/email-phishing10-200x150.jpeg 200w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143113/email-phishing10-466x350.jpeg 466w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143113/email-phishing10-740x555.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143113/email-phishing10-373x280.jpeg 373w" sizes="auto, (max-width: 778px) 100vw, 778px" /></a><p id="caption-attachment-117811" class="wp-caption-text">Error message</p></div>
  75. <p>If the victim enters a valid address, then, regardless of whether the password is correct or not, the phishing site will display another similar page, with a message indicating that the password is invalid. In both scenarios, clicking &#8220;Reset Session&#8221; opens the email input form again. If a distracted user attempts to log in by trying different accounts and passwords, all of these end up in the hands of the attackers.</p>
  76. <h2 id="mfa-evasion">MFA evasion</h2>
  77. <p>Because many users protect their accounts with multi-factor authentication, scammers try to come up with ways to steal not just passwords but also <a href="https://securelist.com/2fa-phishing/112805/" target="_blank" rel="noopener">one-time codes</a> and <a href="https://securelist.com/new-phishing-and-scam-trends-in-2025/117217/#hunting-for-new-data" target="_blank" rel="noopener">other verification data</a>. Email phishing campaigns that redirect users to sites designed to bypass MFA can vary significantly in sophistication. Some campaigns employ primitive tactics, while others use well-crafted messages that are initially difficult to distinguish from legitimate ones. Let&#8217;s look at an email that falls in the latter category.</p>
  78. <div id="attachment_117812" style="width: 1403px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143237/email-phishing11.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117812" class="size-full wp-image-117812" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143237/email-phishing11.jpeg" alt="Phishing email that mimics a pCloud notification" width="1393" height="801" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143237/email-phishing11.jpeg 1393w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143237/email-phishing11-300x173.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143237/email-phishing11-1024x589.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143237/email-phishing11-768x442.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143237/email-phishing11-609x350.jpeg 609w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143237/email-phishing11-740x426.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143237/email-phishing11-487x280.jpeg 487w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143237/email-phishing11-800x460.jpeg 800w" sizes="auto, (max-width: 1393px) 100vw, 1393px" /></a><p id="caption-attachment-117812" class="wp-caption-text">Phishing email that mimics a pCloud notification</p></div>
  79. <p>Unlike most phishing emails that try to immediately scare the user or otherwise grab their attention, the subject here is quite neutral: a support ticket update from the secure cloud storage provider pCloud that asks the user to evaluate the quality of the service. No threats or urgent calls to action. If the user attempts to follow the link, they are taken to a phishing sign-in form visually identical to the original, but with one key difference: instead of pcloud.com, the attackers use a different top-level domain, p-cloud.online.</p>
  80. <div id="attachment_117813" style="width: 1164px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143327/email-phishing12.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117813" class="size-full wp-image-117813" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143327/email-phishing12.jpeg" alt="The phishing sign-in form" width="1154" height="666" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143327/email-phishing12.jpeg 1154w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143327/email-phishing12-300x173.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143327/email-phishing12-1024x591.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143327/email-phishing12-768x443.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143327/email-phishing12-606x350.jpeg 606w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143327/email-phishing12-740x427.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143327/email-phishing12-485x280.jpeg 485w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143327/email-phishing12-800x462.jpeg 800w" sizes="auto, (max-width: 1154px) 100vw, 1154px" /></a><p id="caption-attachment-117813" class="wp-caption-text">The phishing sign-in form</p></div>
  81. <p>At every step of the user&#8217;s interaction with the form on the malicious site, the site communicates with the real pCloud service via an API. Therefore, if a user enters an address that is not registered with the service, they will see an error, as if they were signing in to pcloud.com. If a real address is entered, a one-time password (OTP) input form opens, which pCloud also requests when a user tries to sign in.</p>
  82. <div id="attachment_117814" style="width: 1160px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143415/email-phishing13.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117814" class="size-full wp-image-117814" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143415/email-phishing13.jpeg" alt="OTP input form" width="1150" height="683" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143415/email-phishing13.jpeg 1150w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143415/email-phishing13-300x178.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143415/email-phishing13-1024x608.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143415/email-phishing13-768x456.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143415/email-phishing13-589x350.jpeg 589w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143415/email-phishing13-740x439.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143415/email-phishing13-471x280.jpeg 471w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143415/email-phishing13-800x475.jpeg 800w" sizes="auto, (max-width: 1150px) 100vw, 1150px" /></a><p id="caption-attachment-117814" class="wp-caption-text">OTP input form</p></div>
  83. <p>Since the phishing site relays all entered data to the real service, an attempt to trick the verification process will fail: if a random combination is entered, the site will respond with an error.</p>
  84. <div id="attachment_117815" style="width: 478px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143457/email-phishing14.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117815" class="size-full wp-image-117815" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143457/email-phishing14.jpeg" alt="Attempting to bypass verification" width="468" height="403" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143457/email-phishing14.jpeg 468w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143457/email-phishing14-300x258.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143457/email-phishing14-406x350.jpeg 406w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143457/email-phishing14-325x280.jpeg 325w" sizes="auto, (max-width: 468px) 100vw, 468px" /></a><p id="caption-attachment-117815" class="wp-caption-text">Attempting to bypass verification</p></div>
  85. <p>The real OTP is sent by the pCloud service to the email address the user provided on the phishing site.</p>
  86. <div id="attachment_117816" style="width: 500px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143533/email-phishing15.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117816" class="size-full wp-image-117816" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143533/email-phishing15.jpeg" alt="OTP email" width="490" height="347" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143533/email-phishing15.jpeg 490w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143533/email-phishing15-300x212.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143533/email-phishing15-395x280.jpeg 395w" sizes="auto, (max-width: 490px) 100vw, 490px" /></a><p id="caption-attachment-117816" class="wp-caption-text">OTP email</p></div>
  87. <p>Once the user has &#8220;verified&#8221; the account, they land on the password input form; this is also requested by the real service. After this step, the phishing page opens a copy of the pCloud website, and the attacker gains access to the victim&#8217;s account. We have to give credit to the scammers: this is a high-quality copy. It even includes a default folder with a default image identical to the original, which may delay the user&#8217;s realization that they have been tricked.</p>
  88. <div id="attachment_117817" style="width: 555px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143611/email-phishing16.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117817" class="size-full wp-image-117817" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143611/email-phishing16.jpeg" alt="Password input form" width="545" height="398" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143611/email-phishing16.jpeg 545w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143611/email-phishing16-300x219.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143611/email-phishing16-479x350.jpeg 479w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17143611/email-phishing16-383x280.jpeg 383w" sizes="auto, (max-width: 545px) 100vw, 545px" /></a><p id="caption-attachment-117817" class="wp-caption-text">Password input form</p></div>
  89. <h2 id="conclusion">Conclusion</h2>
  90. <p>Threat actors are increasingly employing diverse evasion techniques in their phishing campaigns and websites. In email, these techniques include PDF documents containing QR codes, which are not as easily detected as standard hyperlinks. Another measure is password protection of attachments. In some instances, the password arrives in a separate email, adding another layer of difficulty to automated analysis. Attackers are protecting their web pages with CAPTCHAs, and they may even use more than one verification page. Concurrently, the credential-harvesting schemes themselves are becoming more sophisticated and convincing.</p>
  91. <p>To avoid falling victim to phishers, users must stay sharp:</p>
  92. <ul>
  93. <li>Treat unusual attachments, such as password-protected PDFs or documents using a QR code instead of a link to a corporate website, with suspicion.</li>
  94. <li>Before entering credentials on any web page, verify that the URL matches the address of the legitimate online service.</li>
  95. </ul>
  96. <p>Organizations are advised to conduct regular <a href="https://www.kaspersky.com/enterprise-security/security-awareness?icid=gl_sl_lnk-security-awareness_sm-team_df95e80a3921c34d" target="_blank" rel="noopener">security training</a> for employees to keep them up to date on the latest techniques being used by threat actors. We also recommend implementing a reliable solution for email server security. For example, <a href="https://www.kaspersky.com/enterprise-security/mail-server-security?icid=gl_sl_lnk-mail-server-security_sm-team_07351ed8c5ab12ce" target="_blank" rel="noopener">Kaspersky Security for Mail Server</a> detects and blocks all the attack methods described in this article.</p>
  97. ]]></content:encoded>
  98. <wfw:commentRss>https://securelist.com/email-phishing-techniques-2025/117801/feed/</wfw:commentRss>
  99. <slash:comments>0</slash:comments>
  100. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/20200617/SL-email-phishing-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
  101. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/20200617/SL-email-phishing-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
  102. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/20200617/SL-email-phishing-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
  103. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/20200617/SL-email-phishing-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  104. </item>
  105. <item>
  106. <title>PassiveNeuron: a sophisticated campaign targeting servers of high-profile organizations</title>
  107. <link>https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/</link>
  108. <comments>https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/#respond</comments>
  109. <dc:creator><![CDATA[Georgy Kucherin, Saurabh Sharma]]></dc:creator>
  110. <pubDate>Tue, 21 Oct 2025 08:00:52 +0000</pubDate>
  111. <category><![CDATA[Malware descriptions]]></category>
  112. <category><![CDATA[GReAT research]]></category>
  113. <category><![CDATA[Malware Technologies]]></category>
  114. <category><![CDATA[Malware Descriptions]]></category>
  115. <category><![CDATA[Malware]]></category>
  116. <category><![CDATA[Backdoor]]></category>
  117. <category><![CDATA[Encryption]]></category>
  118. <category><![CDATA[.NET]]></category>
  119. <category><![CDATA[PowerShell]]></category>
  120. <category><![CDATA[DLL hijacking]]></category>
  121. <category><![CDATA[Microsoft SQL]]></category>
  122. <category><![CDATA[CobaltStrike]]></category>
  123. <category><![CDATA[DLL]]></category>
  124. <category><![CDATA[web shell]]></category>
  125. <category><![CDATA[VBS]]></category>
  126. <category><![CDATA[GitHub]]></category>
  127. <category><![CDATA[Windows Server]]></category>
  128. <category><![CDATA[Windows malware]]></category>
  129. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117745</guid>
  130.  
  131. <description><![CDATA[Kaspersky GReAT experts break down a recent PassiveNeuron campaign that targets servers worldwide with custom Neursite and NeuralExecutor APT implants and Cobalt Strike.]]></description>
  132. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/20163102/passiveneuron-featured-image-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
  133. <p>Back in 2024, we <a href="https://securelist.com/apt-report-q3-2024/114623/#passiveneuron" target="_blank" rel="noopener">gave a brief description</a> of a complex cyberespionage campaign that we dubbed &#8220;PassiveNeuron&#8221;. This campaign involved compromising the servers of government organizations with previously unknown APT implants, named &#8220;Neursite&#8221; and &#8220;NeuralExecutor&#8221;. However, since its discovery, the PassiveNeuron campaign has been shrouded in mystery. For instance, it remained unclear how the implants in question were deployed or what actor was behind them.</p>
  134. <p>After we detected this campaign and prevented it from spreading in June 2024, we did not see any further malware deployments linked to PassiveNeuron for quite a long time, about six months. However, since December 2024, we have observed a new wave of infections related to PassiveNeuron, with the latest ones dating back to August 2025. These infections targeted government, financial and industrial organizations located in Asia, Africa, and Latin America. Since identifying these infections, we have been able to shed light on many previously unknown aspects of this campaign. In particular, we discovered details about the initial infection and gathered clues on attribution.</p>
  135. <h2 id="sql-servers-under-attack">SQL servers under attack</h2>
  136. <p>While investigating PassiveNeuron infections both in 2024 and 2025, we found that the vast majority of targeted machines were running Windows Server. Specifically, in one particular infection case, we observed attackers gain initial remote command execution capabilities on the compromised server through the Microsoft SQL software. While we do not have clear visibility into how attackers were able to abuse the SQL software, it is worth noting that SQL servers typically get compromised through:</p>
  137. <ul>
  138. <li>Exploitation of vulnerabilities in the server software itself</li>
  139. <li>Exploitation of SQL injection vulnerabilities present in the applications running on the server</li>
  140. <li>Getting access to the database administration account (e.g. by brute-forcing the password) and using it to <a href="https://securelist.com/malicious-tasks-in-ms-sql-server/92167/" target="_blank" rel="noopener">execute malicious SQL queries</a></li>
  141. </ul>
  142. <p>After obtaining code execution capabilities through the SQL software, attackers deployed an ASPX web shell for basic malicious command execution on the compromised machine. However, at this stage, things did not go as planned for the adversary. The Kaspersky solution installed on the machine was preventing the web shell deployment efforts, and the process of installing the web shell ended up being quite noisy.</p>
  143. <p>In an attempt to evade detection of the web shell, attackers performed its installation in the following manner:</p>
  144. <ol>
  145. <li>They dropped a file containing the Base64-encoded web shell on the system.</li>
  146. <li>They dropped a PowerShell script responsible for Base64-decoding the web shell file.</li>
  147. <li>They launched the PowerShell script in an attempt to write the decoded web shell payload to the filesystem.</li>
  148. </ol>
  149. <p>As Kaspersky solutions were preventing the web shell installation, we observed attackers repeating the steps above several times with minor adjustments, such as:</p>
  150. <ul>
  151. <li>Using hexadecimal encoding of the web shell instead of Base64</li>
  152. <li>Using a VBS script instead of a PowerShell script to perform decoding</li>
  153. <li>Writing the script contents in a line-by-line manner</li>
  154. </ul>
  155. <p>Having failed to deploy the web shell, attackers decided to use more advanced malicious implants to continue the compromise process.</p>
  156. <h2 id="malicious-implants">Malicious implants</h2>
  157. <p>Over the last two years, we have observed three implants used over the course of PassiveNeuron infections, which are:</p>
  158. <ul>
  159. <li>Neursite, a custom C++ modular backdoor used for cyberespionage activities</li>
  160. <li>NeuralExecutor, a custom .NET implant used for running additional .NET payloads</li>
  161. <li>the Cobalt Strike framework, a commercial tool for red teaming</li>
  162. </ul>
  163. <p>While we saw different combinations of these implants deployed on targeted machines, we observed that in the vast majority of cases, they were loaded through a chain of DLL loaders. The first-stage loader in the chain is a DLL file placed in the system directory. Some of these DLL file paths are:</p>
  164. <ul>
  165. <li>C:\Windows\System32\wlbsctrl.dll</li>
  166. <li>C:\Windows\System32\TSMSISrv.dll</li>
  167. <li>C:\Windows\System32\oci.dll</li>
  168. </ul>
  169. <p>Storing DLLs under these paths has been beneficial to attackers, as placing libraries with these names inside the System32 folder automatically ensures persistence. If present on the file system, these DLLs get automatically loaded on startup (the first two DLLs are loaded into the <code>svchost.exe</code> process, while the third is loaded into <code>msdtc.exe</code>) due to the employed <a href="https://attack.mitre.org/techniques/T1574/001/" target="_blank" rel="noopener">Phantom DLL Hijacking technique</a>.</p>
  170. <p>It also should be noted that these DLLs are more than 100 MB in size — their size is artificially inflated by attackers by adding junk overlay bytes. Usually, this is done to make malicious implants more difficult to detect by security solutions.</p>
  171. <p>On startup, the first-stage DLLs iterate through a list of installed network adapters, calculating a 32-bit hash of each adapter&#8217;s MAC address. If none of the hashes is equal to the value specified in the loader configuration, the loader exits. This MAC address check is designed to ensure that the DLLs get launched solely on the intended victim machine, in order to hinder execution in a sandbox environment. Such detailed narrowing down of victims implies the adversary&#8217;s interest in specific organizations and once again underscores the targeted nature of this threat.</p>
  172. <p>Having checked that it is operating on a target machine, the loader continues execution by loading a second-stage loader DLL that is stored on disk. The paths where the second-stage DLLs were stored, as well as their names (examples include <code>elscorewmyc.dll</code> and <code>wellgwlserejzuai.dll</code>), differed between machines. The second-stage DLLs also had an artificially inflated file size (in excess of 60 MB); their purpose was to open a text file containing a Base64-encoded and AES-encrypted third-stage loader, and subsequently launch it.</p>
  173. <div id="attachment_117746" style="width: 1310px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131035/passiveneuron-campaign-with-apt1.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117746" class="size-full wp-image-117746" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131035/passiveneuron-campaign-with-apt1.png" alt="Snippet of the payload file contents" width="1300" height="82" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131035/passiveneuron-campaign-with-apt1.png 1300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131035/passiveneuron-campaign-with-apt1-300x19.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131035/passiveneuron-campaign-with-apt1-1024x65.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131035/passiveneuron-campaign-with-apt1-768x48.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131035/passiveneuron-campaign-with-apt1-740x47.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131035/passiveneuron-campaign-with-apt1-800x50.png 800w" sizes="auto, (max-width: 1300px) 100vw, 1300px" /></a><p id="caption-attachment-117746" class="wp-caption-text">Snippet of the payload file contents</p></div>
  174. <p>This payload is a DLL as well, responsible for launching a fourth-stage shellcode loader inside another process (e.g. <code>WmiPrvSE.exe</code> or <code>msiexec.exe</code>) which is created in suspended mode. In turn, this shellcode loads the final payload: a PE file converted to a custom executable format.</p>
  175. <p>In summary, the process of loading the final payload can be represented with the following graph:</p>
  176. <div id="attachment_117747" style="width: 1912px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131116/passiveneuron-campaign-with-apt2.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117747" class="size-full wp-image-117747" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131116/passiveneuron-campaign-with-apt2.png" alt="Final payload loading" width="1902" height="482" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131116/passiveneuron-campaign-with-apt2.png 1902w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131116/passiveneuron-campaign-with-apt2-300x76.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131116/passiveneuron-campaign-with-apt2-1024x259.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131116/passiveneuron-campaign-with-apt2-768x195.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131116/passiveneuron-campaign-with-apt2-1536x389.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131116/passiveneuron-campaign-with-apt2-1381x350.png 1381w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131116/passiveneuron-campaign-with-apt2-740x188.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131116/passiveneuron-campaign-with-apt2-1105x280.png 1105w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131116/passiveneuron-campaign-with-apt2-800x203.png 800w" sizes="auto, (max-width: 1902px) 100vw, 1902px" /></a><p id="caption-attachment-117747" class="wp-caption-text">Final payload loading</p></div>
  177. <p>It is also notable that attackers attempted to use slightly different variants of the loading scheme for some of the target organizations. For example, we have seen cases without payload injection into another process, or with DLL obfuscation on disk with VMProtect.</p>
  178. <h3 id="the-neursite-backdoor">The Neursite backdoor</h3>
  179. <p>Among the three final payload implants that we mentioned above, the Neursite backdoor is the most potent one. We dubbed it so because we observed the following source code path inside the discovered samples: E:\pro\code\Neursite\client_server\nonspec\mbedtls\library\ssl_srv.c. The configuration of this implant contains the following parameters:</p>
  180. <ul>
  181. <li>List of C2 servers and their ports</li>
  182. <li>List of HTTP proxies that can be used to connect to C2 servers</li>
  183. <li>List of HTTP headers used while connecting to HTTP-based C2 servers</li>
  184. <li>A relative URL used while communicating with HTTP-based C2 servers</li>
  185. <li>A range of wait times between two consecutive C2 server connections</li>
  186. <li>A byte array of hours and days of the week when the backdoor is operable</li>
  187. <li>An optional port that should be opened for listening to incoming connections</li>
  188. </ul>
  189. <p>The Neursite implant can use the TCP, SSL, HTTP and HTTPS protocols for C2 communications. As follows from the configuration, Neursite can connect to the C2 server directly or wait for another machine to start communicating through a specified port. In cases we observed, Neursite samples were configured to use either external servers or compromised internal infrastructure for C2 communications.</p>
  190. <p>The default range of commands implemented inside this backdoor allows attackers to:</p>
  191. <ul>
  192. <li>Retrieve system information.</li>
  193. <li>Manage running processes.</li>
  194. <li>Proxy traffic through other machines infected with the Neursite implant, in order to facilitate lateral movement.</li>
  195. </ul>
  196. <p>Additionally, this implant is equipped with a component that allows loading supplementary plugins. We observed attackers deploy plugins with the following capabilities:</p>
  197. <ul>
  198. <li>Shell command execution</li>
  199. <li>File system management</li>
  200. <li>TCP socket operations</li>
  201. </ul>
  202. <h3 id="the-neuralexecutor-loader">The NeuralExecutor loader</h3>
  203. <p>NeuralExecutor is another custom implant deployed over the course of the PassiveNeuron campaign. This implant is .NET based, and we found that it employed the open-source ConfuserEx obfuscator for protection against analysis. It implements multiple methods of network communication, namely TCP, HTTP/HTTPS, named pipes, and WebSockets. Upon establishing a communication channel with the C2 server, the backdoor can receive commands allowing it to load .NET assemblies. As such, the main capability of this backdoor is to receive additional .NET payloads from the network and execute them.</p>
  204. <h2 id="tricky-attribution">Tricky attribution</h2>
  205. <p>Both Neursite and NeuralExecutor, the two custom implants we found to be used in the PassiveNeuron campaign, have never been observed in any previous cyberattacks. We had to look for clues that could hint at the threat actor behind PassiveNeuron.</p>
  206. <p>When we started investigating PassiveNeuron back in 2024, we spotted one such blatantly obvious clue:</p>
  207. <div id="attachment_117748" style="width: 915px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131215/passiveneuron-campaign-with-apt3.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117748" class="size-full wp-image-117748" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131215/passiveneuron-campaign-with-apt3.png" alt="Function names found inside NeuralExecutor" width="905" height="790" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131215/passiveneuron-campaign-with-apt3.png 905w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131215/passiveneuron-campaign-with-apt3-300x262.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131215/passiveneuron-campaign-with-apt3-768x670.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131215/passiveneuron-campaign-with-apt3-401x350.png 401w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131215/passiveneuron-campaign-with-apt3-740x646.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131215/passiveneuron-campaign-with-apt3-321x280.png 321w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131215/passiveneuron-campaign-with-apt3-800x698.png 800w" sizes="auto, (max-width: 905px) 100vw, 905px" /></a><p id="caption-attachment-117748" class="wp-caption-text">Function names found inside NeuralExecutor</p></div>
  208. <p>In the code of the NeuralExecutor samples we observed in 2024, the names of all functions had been replaced with strings prefixed with &#8220;Супер обфускатор&#8221;, the Russian for &#8220;Super obfuscator&#8221;. It is important to note, however, that this string was deliberately introduced by the attackers while using the ConfuserEx obfuscator. When it comes to strings that are inserted into malware on purpose, they should be assessed carefully during attribution. That is because threat actors may insert strings in languages they do not speak, in order to create false flags intended to confuse researchers and incident responders and prompt them to make an error of judgement when trying to attribute the threat. For that reason, we attached little evidential weight to the presence of the &#8220;Супер обфускатор&#8221; string back in 2024.</p>
  209. <p>After examining the NeuralExecutor samples used in 2025, we found that the Russian-language string had disappeared. However, this year we noticed another peculiar clue related to this implant. While the 2024 samples were designed to retrieve the C2 server addresses straight from the configuration, the 2025 ones did so by using <a href="https://attack.mitre.org/techniques/T1102/001/" target="_blank" rel="noopener">the Dead Drop Resolver technique</a>. Specifically, the new NeuralExecutor samples that we found were designed to retrieve the contents of a file stored in a GitHub repository, and extract a string from it:</p>
  210. <div id="attachment_117749" style="width: 1244px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131302/passiveneuron-campaign-with-apt4.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117749" class="size-full wp-image-117749" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131302/passiveneuron-campaign-with-apt4.png" alt="Contents of the configuration file stored on GitHub" width="1234" height="320" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131302/passiveneuron-campaign-with-apt4.png 1234w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131302/passiveneuron-campaign-with-apt4-300x78.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131302/passiveneuron-campaign-with-apt4-1024x266.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131302/passiveneuron-campaign-with-apt4-768x199.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131302/passiveneuron-campaign-with-apt4-740x192.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131302/passiveneuron-campaign-with-apt4-1080x280.png 1080w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131302/passiveneuron-campaign-with-apt4-800x207.png 800w" sizes="auto, (max-width: 1234px) 100vw, 1234px" /></a><p id="caption-attachment-117749" class="wp-caption-text">Contents of the configuration file stored on GitHub</p></div>
  211. <p>The malware locates this string by searching for two delimiters, <code>wtyyvZQY</code> and <code>stU7BU0R</code>, that mark the start and the end of the configuration data. The bytes of this string are then Base64-decoded and decrypted with AES to obtain the C2 server address.</p>
  212. <div id="attachment_117750" style="width: 2058px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131339/passiveneuron-campaign-with-apt5.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117750" class="size-full wp-image-117750" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131339/passiveneuron-campaign-with-apt5.png" alt="Snippet of the implant configuration" width="2048" height="375" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131339/passiveneuron-campaign-with-apt5.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131339/passiveneuron-campaign-with-apt5-300x55.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131339/passiveneuron-campaign-with-apt5-1024x188.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131339/passiveneuron-campaign-with-apt5-768x141.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131339/passiveneuron-campaign-with-apt5-1536x281.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131339/passiveneuron-campaign-with-apt5-1911x350.png 1911w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131339/passiveneuron-campaign-with-apt5-740x135.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131339/passiveneuron-campaign-with-apt5-1529x280.png 1529w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14131339/passiveneuron-campaign-with-apt5-800x146.png 800w" sizes="auto, (max-width: 2048px) 100vw, 2048px" /></a><p id="caption-attachment-117750" class="wp-caption-text">Snippet of the implant configuration</p></div>
  213. <p>It is notable that this exact method of obtaining C2 server addresses from GitHub, using a string containing delimiter sequences, is quite popular among Chinese-speaking threat actors. For instance, we frequently <a href="https://securelist.com/eastwind-apt-campaign/113345/" target="_blank" rel="noopener">observed it being used in the EastWind campaign</a>, which we previously connected to the APT31 and APT27 Chinese-speaking threat actors.</p>
  214. <p>Furthermore, during our investigation, we learned one more interesting fact that could be useful in attribution. We observed numerous attempts to deploy the PassiveNeuron loader in one particular organization. After discovering yet another failed deployment, we detected a malicious DLL named <code>imjp14k.dll</code>. An analysis of this DLL revealed that it had the PDB path G:\Bee\Tree(pmrc)\Src\Dll_3F_imjp14k\Release\Dll.pdb. This PDB string was referenced in a <a href="https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/" target="_blank" rel="noopener">report by Cisco Talos</a> on activities likely associated with the threat actor APT41. Moreover, we identified that the discovered DLL exhibits the same malicious behavior as described in the Cisco Talos report. However, it remains unclear why this DLL was uploaded to the target machine. Possible explanations could be that the attackers deployed it as a replacement for the PassiveNeuron-related implants, or that it was used by another actor who compromised the organization simultaneously with the attackers behind PassiveNeuron.</p>
  215. <p>When dealing with attribution of cyberattacks that are known to involve false flags, it is difficult to understand which attribution indicators to trust, or whether to trust any at all. However, the overall TTPs of the PassiveNeuron campaign most resemble the ones commonly employed by Chinese-speaking threat actors. Since TTPs are usually harder to fake than indicators like strings, we are, as of now, attributing the PassiveNeuron campaign to a Chinese-speaking threat actor, albeit with a low level of confidence.</p>
  216. <h2 id="conclusion">Conclusion</h2>
  217. <p>The PassiveNeuron campaign has been distinctive in the way that it primarily targets server machines. These servers, especially the ones exposed to the internet, are usually lucrative targets for APTs, as they can serve as entry points into target organizations. It is thus crucial to pay close attention to the <a href="https://www.kaspersky.com/enterprise-security/xdr?icid=gl_sl_lnk-knext-xdr_sm-team_ed7c1cdf035e52cf" target="_blank" rel="noopener">protection of server machines</a>. Wherever possible, the attack surface associated with these servers should be reduced to a minimum, and all server applications should be monitored to prevent emerging infections in a timely manner. Specific attention should be paid to protecting applications against SQL injections, which are commonly exploited by threat actors to obtain initial access. Another thing to focus on is protection against web shells, which are deployed to facilitate compromise of servers.</p>
  218. <h2 id="indicators-of-compromise">Indicators of compromise</h2>
  219. <p><strong>PassiveNeuron-related loader files</strong></p>
  226. <p><strong>Malicious imjp14k.dll DLL</strong><br />
  227. <a href="https://opentip.kaspersky.com/751f47a688ae075bba11cf0235f4f6ee/results?icid=gl_sl_opentip_sm-team_d79412667fa405bf&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">751f47a688ae075bba11cf0235f4f6ee</a></p>
  228. ]]></content:encoded>
  229. <wfw:commentRss>https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/feed/</wfw:commentRss>
  230. <slash:comments>0</slash:comments>
  231. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/20163102/passiveneuron-featured-image-scaled.jpg" width="2912" height="1632"><media:keywords>full</media:keywords></media:content>
  232. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/20163102/passiveneuron-featured-image-1024x574.jpg" width="1024" height="574"><media:keywords>large</media:keywords></media:content>
  233. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/20163102/passiveneuron-featured-image-300x168.jpg" width="300" height="168"><media:keywords>medium</media:keywords></media:content>
  234. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/20163102/passiveneuron-featured-image-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  235. </item>
  236. <item>
  237. <title>Post-exploitation framework now also delivered via npm</title>
  238. <link>https://securelist.com/adaptixc2-agent-found-in-an-npm-package/117784/</link>
  239. <comments>https://securelist.com/adaptixc2-agent-found-in-an-npm-package/117784/#respond</comments>
  240. <dc:creator><![CDATA[Vladimir Gursky, Artem Ushkov]]></dc:creator>
  241. <pubDate>Fri, 17 Oct 2025 10:00:33 +0000</pubDate>
  242. <category><![CDATA[Incidents]]></category>
  243. <category><![CDATA[Malware descriptions]]></category>
  244. <category><![CDATA[Malware Technologies]]></category>
  245. <category><![CDATA[Linux]]></category>
  246. <category><![CDATA[Microsoft Windows]]></category>
  247. <category><![CDATA[Apple MacOS]]></category>
  248. <category><![CDATA[x64]]></category>
  249. <category><![CDATA[Malware Descriptions]]></category>
  250. <category><![CDATA[ARM]]></category>
  251. <category><![CDATA[Malware]]></category>
  252. <category><![CDATA[Supply-chain attack]]></category>
  253. <category><![CDATA[Open source]]></category>
  254. <category><![CDATA[Windows malware]]></category>
  255. <category><![CDATA[Unix and macOS malware]]></category>
  256. <category><![CDATA[Web threats]]></category>
  257. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117784</guid>
  258.  
  259. <description><![CDATA[The npm registry contains a malicious package that downloads the AdaptixC2 agent onto victims' devices, Kaspersky experts have found. The threat targets Windows, Linux, and macOS.]]></description>
  260. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17081221/adaptix-featured-image-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="incident-description">Incident description</h2>
  261. <p>The first version of the AdaptixC2 post-exploitation framework, which can be considered an alternative to the well-known Cobalt Strike, was made publicly available in early 2025. In the spring of 2025, the framework was <a href="https://x.com/Unit42_Intel/status/1925206262184026156" target="_blank" rel="noopener">first observed</a> being used for malicious purposes.</p>
  262. <p>In October 2025, Kaspersky experts found that the npm ecosystem contained a malicious package with a fairly convincing name: <code>https-proxy-utils</code>. It posed as a utility for working with proxies within projects. At the time of this post, the package had already been taken down.</p>
  263. <p>The name of the package closely resembles those of popular legitimate packages: <code>http-proxy-agent</code>, which has approximately 70 million weekly downloads, and <code>https-proxy-agent</code>, which has approximately 90 million. Furthermore, the advertised proxy-related functionality was cloned from another popular legitimate package, <code>proxy-from-env</code>, which boasts 50 million weekly downloads. However, the threat actor injected a post-install script into <code>https-proxy-utils</code> that downloads and executes a payload containing the AdaptixC2 agent.</p>
  264. <div id="attachment_117785" style="width: 1486px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155133/adaptixc2-agent-found1.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117785" class="size-full wp-image-117785" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155133/adaptixc2-agent-found1.png" alt="Metadata for the malicious (left) and legitimate (right) packages" width="1476" height="518" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155133/adaptixc2-agent-found1.png 1476w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155133/adaptixc2-agent-found1-300x105.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155133/adaptixc2-agent-found1-1024x359.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155133/adaptixc2-agent-found1-768x270.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155133/adaptixc2-agent-found1-997x350.png 997w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155133/adaptixc2-agent-found1-740x260.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155133/adaptixc2-agent-found1-798x280.png 798w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155133/adaptixc2-agent-found1-800x281.png 800w" sizes="auto, (max-width: 1476px) 100vw, 1476px" /></a><p id="caption-attachment-117785" class="wp-caption-text">Metadata for the malicious (left) and legitimate (right) packages</p></div>
  265. <h2 id="os-specific-adaptation">OS-specific adaptation</h2>
  266. <p>The post-install script includes payload delivery methods for Windows, Linux, and macOS. On each OS, it uses specific techniques involving system or user directories to load and launch the implant.</p>
  267. <p>In Windows, the AdaptixC2 agent is dropped as a DLL file into the system directory <code>C:\Windows\Tasks</code>. It is then executed via <a href="https://attack.mitre.org/techniques/T1574/001/" target="_blank" rel="noopener">DLL sideloading</a>. The JS script copies the legitimate <code>msdtc.exe</code> file to the same directory and executes it, thus loading the malicious DLL.</p>
  268. <div id="attachment_117786" style="width: 688px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155221/adaptixc2-agent-found2.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117786" class="size-full wp-image-117786" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155221/adaptixc2-agent-found2.png" alt="Deobfuscated Windows-specific code for loading AdaptixC2" width="678" height="569" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155221/adaptixc2-agent-found2.png 678w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155221/adaptixc2-agent-found2-300x252.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155221/adaptixc2-agent-found2-417x350.png 417w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155221/adaptixc2-agent-found2-334x280.png 334w" sizes="auto, (max-width: 678px) 100vw, 678px" /></a><p id="caption-attachment-117786" class="wp-caption-text">Deobfuscated Windows-specific code for loading AdaptixC2</p></div>
  269. <p>In macOS, the script downloads the payload as an executable file into the user&#8217;s autorun directory: <code>Library/LaunchAgents</code>. The <code>postinstall.js</code> script also drops a plist autorun configuration file into this directory. Before downloading AdaptixC2, the script checks the target architecture (x64 or ARM) and fetches the appropriate payload variant.</p>
  270. <div id="attachment_117787" style="width: 633px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155305/adaptixc2-agent-found3.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117787" class="size-full wp-image-117787" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155305/adaptixc2-agent-found3.png" alt="Deobfuscated macOS-specific code for loading AdaptixC2" width="623" height="726" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155305/adaptixc2-agent-found3.png 623w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155305/adaptixc2-agent-found3-257x300.png 257w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155305/adaptixc2-agent-found3-300x350.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155305/adaptixc2-agent-found3-240x280.png 240w" sizes="auto, (max-width: 623px) 100vw, 623px" /></a><p id="caption-attachment-117787" class="wp-caption-text">Deobfuscated macOS-specific code for loading AdaptixC2</p></div>
  271. <p>In Linux, the framework&#8217;s agent is downloaded into the temporary directory <code>/tmp/.fonts-unix</code>. The script delivers a binary file tailored to the specific architecture (x64 or ARM) and then assigns it execute permissions.</p>
  272. <div id="attachment_117788" style="width: 889px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155351/adaptixc2-agent-found4.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117788" class="size-full wp-image-117788" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155351/adaptixc2-agent-found4.png" alt="Deobfuscated Linux-specific code for loading AdaptixC2" width="879" height="549" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155351/adaptixc2-agent-found4.png 879w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155351/adaptixc2-agent-found4-300x187.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155351/adaptixc2-agent-found4-768x480.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155351/adaptixc2-agent-found4-560x350.png 560w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155351/adaptixc2-agent-found4-740x462.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155351/adaptixc2-agent-found4-448x280.png 448w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155351/adaptixc2-agent-found4-800x500.png 800w" sizes="auto, (max-width: 879px) 100vw, 879px" /></a><p id="caption-attachment-117788" class="wp-caption-text">Deobfuscated Linux-specific code for loading AdaptixC2</p></div>
  273. <p>Once the AdaptixC2 framework agent is deployed on the victim&#8217;s device, the attacker gains capabilities for remote access, command execution, file and process management, and various methods of achieving persistence. This allows the attacker both to maintain consistent access and to conduct network reconnaissance and deploy subsequent stages of the attack.</p>
  274. <h2 id="conclusion">Conclusion</h2>
  275. <p>This is not the first attack targeting the npm registry in recent memory. A month ago, similar infection methods utilizing a post-install script were employed in the <a href="https://securelist.com/shai-hulud-worm-infects-500-npm-packages-in-a-supply-chain-attack/117547/" target="_blank" rel="noopener">high-profile incident</a> involving the Shai-Hulud worm, which infected more than 500 packages. The AdaptixC2 incident clearly demonstrates the growing trend of abusing open-source software ecosystems, like npm, as an attack vector. Threat actors are <a href="https://securelist.com/tag/supply-chain-attack/" target="_blank" rel="noopener">increasingly exploiting the trusted open-source supply chain</a> to distribute post-exploitation framework agents and other forms of malware. Users and organizations involved in development or using open-source software from ecosystems like npm in their products are susceptible to this threat type.</p>
  276. <p>To stay safe, be vigilant when installing open-source modules: verify the exact name of the package you are downloading, and vet unpopular and new repositories more thoroughly. When using popular modules, it is critical to monitor <a href="https://www.kaspersky.com/open-source-feed?icid=gl_sl_post-link-open-source-feed_sm-team_cc8b77692a32ebbc" target="_blank" rel="noopener">frequently updated feeds on compromised packages and libraries</a>.</p>
  277. <h2 id="indicators-of-compromise">Indicators of compromise</h2>
  278. <p><strong>Package name</strong><br />
  279. https-proxy-utils</p>
  280. <p><strong>Hashes</strong></p>
  287. <p><strong>Network indicators</strong></p>
  294. ]]></content:encoded>
  295. <wfw:commentRss>https://securelist.com/adaptixc2-agent-found-in-an-npm-package/117784/feed/</wfw:commentRss>
  296. <slash:comments>0</slash:comments>
  297. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17081221/adaptix-featured-image.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
  298. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17081221/adaptix-featured-image-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
  299. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17081221/adaptix-featured-image-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
  300. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17081221/adaptix-featured-image-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  301. </item>
  302. <item>
  303. <title>SEO spam and hidden links: how to protect your website and your reputation</title>
  304. <link>https://securelist.com/seo-spam-hidden-links/117782/</link>
  305. <comments>https://securelist.com/seo-spam-hidden-links/117782/#respond</comments>
  306. <dc:creator><![CDATA[Anna Larkina]]></dc:creator>
  307. <pubDate>Fri, 17 Oct 2025 07:00:55 +0000</pubDate>
  308. <category><![CDATA[Publications]]></category>
  309. <category><![CDATA[Website Hacks]]></category>
  310. <category><![CDATA[Content Filtering]]></category>
  311. <category><![CDATA[XSS]]></category>
  312. <category><![CDATA[Vulnerabilities]]></category>
  313. <category><![CDATA[SQL injection]]></category>
  314. <category><![CDATA[SEO]]></category>
  315. <category><![CDATA[Black Hat SEO]]></category>
  316. <category><![CDATA[Web threats]]></category>
  317. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117782</guid>
  318.  
  319. <description><![CDATA[Are you seeing your website traffic drop, and security systems blocking it for pornographic content that is not there? Hidden links, a type of SEO spam, could be the cause.]]></description>
  320. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16210132/SL-seo-spam-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>When analyzing the content of websites in an attempt to determine which category they belong to, we sometimes get an utterly unexpected result. It could be the official page of a metal structures manufacturer or an online flower shop, or, say, a law firm website, with completely neutral content, but our solutions would place it squarely in the &#8220;Adult content&#8221; category. On the surface, it is completely unclear how our systems arrived at that verdict, but one look at the content categorization engine&#8217;s page analysis log clears it up.</p>
  321. <h2 id="invisible-html-block-or-seo-spam">Invisible HTML block, or SEO spam</h2>
  322. <p>The website falls into the questionable category because it contains an HTML block with links to third-party sites, invisible to regular users. These sites typically host content of a certain kind – which, in our experience, is most often pornographic or gambling materials – and in the hidden block, you will find relevant keywords along with the links. These practices are a type of Black Hat SEO, or SEO spam: the manipulation of website search rankings in violation of ethical search engine optimization (SEO) principles. Although there are many techniques that attackers use to raise or lower websites in search engine rankings, we have encountered hidden blocks more frequently lately, so this is what this post focuses on.</p>
  323. <p>Website owners rarely suspect a problem until they face obvious negative consequences, such as a sharp drop in traffic, warnings from search engines, or complaints from visitors. Those who use Kaspersky solutions may see their sites blocked due to being categorized as prohibited, a sign that something is wrong with them. Our engine detects both the links and the descriptions present in such a block.</p>
  324. <h2 id="how-hidden-links-work">How hidden links work</h2>
  325. <p>Hyperlinks that are invisible to regular users but still can be scanned by various analytical systems, such as search engines or our web categorization engine, are known as &#8220;hidden links&#8221;. They are often used for scams, inflating website rankings (positions in search results), or pushing down the ranking of a victim website.</p>
  326. <p>To understand how this works, let us look at how today&#8217;s SEO functions in the first place. A series of algorithms is responsible for ranking websites in search results, such as those served by Google. The oldest and most relevant one to this article is known as <a href="https://en.wikipedia.org/wiki/PageRank" target="_blank" rel="noopener">PageRank</a>. The PageRank metric, or weight in the context of this algorithm, is a numerical value that determines the importance of a specific page. The higher the number of links from other websites pointing to a page, and the greater those websites&#8217; own weights, the higher the page&#8217;s PageRank.</p>
  327. <p>So, to boost their own website&#8217;s ranking in search results, the malicious actor places hidden links to it on the victim website. The higher the victim website&#8217;s PageRank, the more attractive it is to the attacker. High-traffic platforms like blogs or forums are of particular interest to them.</p>
  328. <p>However, PageRank is no longer the only method search engines use to measure a website&#8217;s value. Google, for example, also applies other algorithms, such as the artificial intelligence-based <a href="https://en.wikipedia.org/wiki/RankBrain" target="_blank" rel="noopener">RankBrain</a> or the <a href="https://en.wikipedia.org/wiki/BERT_(language_model)" target="_blank" rel="noopener">BERT language model</a>. These algorithms use more sophisticated metrics, such as <a href="https://en.wikipedia.org/wiki/Domain_authority" target="_blank" rel="noopener">Domain Authority</a> (that is, how much authority the website has on the subject the user is asking about), link quality, and context. Placing links on a website with a high PageRank can still be beneficial, but this tactic has a severely limited effect due to advanced algorithms and filters aimed at demoting sites that break the search engine&#8217;s rules. Examples of these filters are as follows:</p>
  329. <ul>
  330. <li><a href="https://en.wikipedia.org/wiki/Google_Penguin" target="_blank" rel="noopener">Google Penguin</a>, which identifies and penalizes websites that use poor-quality or manipulative links, including hidden ones, to boost their own rankings. When links like these are detected, their weight can be zeroed out, and the ranking may be lowered for both sites: the victim and the spam website.</li>
  331. <li><a href="https://en.wikipedia.org/wiki/Google_Panda" target="_blank" rel="noopener">Google Panda</a>, which evaluates content quality. If the website has a high PageRank, but the content is of low quality, duplicated, auto-generated, or otherwise substandard, the site may be demoted.</li>
  332. <li><a href="https://spambrain.com/" target="_blank" rel="noopener">Google SpamBrain</a>, which uses machine learning to analyze HTML markup, page layouts, and so forth to identify manipulative patterns. This algorithm is integrated into Google Penguin.</li>
  333. </ul>
  334. <h2 id="what-a-black-hat-seo-block-looks-like-in-a-pages-html-markup">What a Black Hat SEO block looks like in a page&#8217;s HTML markup</h2>
  335. <p>Let us look at some real examples of hidden blocks we have seen on legitimate websites and determine the attributes by which these blocks can be identified.</p>
  336. <h3 id="example-1">Example 1</h3>
  337. <pre class="urvanov-syntax-highlighter-plain-tag">&lt;div style="display: none;"&gt;
  338. افلام سكس اعتصاب &lt;a href="https://www.azcorts.com/" rel="dofollow" target="_self"&gt;azcorts.com&lt;/a&gt; قنوات جنسية
  339. free indian porn com &lt;a href="https://porngun.mobi" target="_self"&gt;porngun.mobi&lt;/a&gt; xharmaster
  340. 石原莉紅 &lt;a href="https://javclips.mobi/" target="_blank" title="javclips.mobi"&gt;javclips.mobi&lt;/a&gt; ちっぱい
  341. bank porn &lt;a href="https://pimpmpegs.net" target="_self" title="pimpmpegs.net free video porn"&gt;pimpmpegs.net&lt;/a&gt; wwwporm
  342. salamat lyrics tagalog &lt;a href="https://www.teleseryeone.com/" target="_blank" title="teleseryeone.com sandro marcos alexa miro"&gt;teleseryeone.com&lt;/a&gt; play desi
  343. &lt;/div&gt;
  344. &lt;div style="display: none;"&gt;
  345. كسى بيوجعنى &lt;a href="https://www.sexdejt.org/" rel="dofollow"&gt;sexdejt.org&lt;/a&gt; سكس سانى
  346. indian sex video bp &lt;a href="https://directorio-porno.com/" rel="dofollow" target="_self" title="directorio-porno.com"&gt;directorio-porno.com&lt;/a&gt; xvideos indian pussy
  347. swara bhaskar porn &lt;a href="https://greenporn.mobi" title="greenporn.mobi lesbian porn hq"&gt;greenporn.mobi&lt;/a&gt; kannada sexy video
  348. bp sex full &lt;a href="https://tubepornmix.info" target="_blank" title="tubepornmix.info aloha tube porn video"&gt;tubepornmix.info&lt;/a&gt; lily sex
  349. pinayflix pamasahe &lt;a href="https://www.gmateleserye.com/" rel="dofollow" target="_blank"&gt;gmateleserye.com&lt;/a&gt; family feud november 17
  350. &lt;/div&gt;
  351. &lt;div style="display: none;"&gt;
  352. sunny leone ki bp download &lt;a href="https://eroebony.info" target="_self" title="eroebony.info"&gt;eroebony.info&lt;/a&gt; hansika xvideos
  353. موقع سكس ايطالى &lt;a href="https://bibshe.com/" target="_self" title="bibshe.com سكس العادة السرية"&gt;bibshe.com&lt;/a&gt; صور احلى كس
  354. raja rani coupon result &lt;a href="https://booketube.mobi" rel="dofollow"&gt;booketube.mobi&lt;/a&gt; exercise sex videos
  355. indianbadwap &lt;a href="https://likeporn.mobi" rel="dofollow" target="_blank" title="likeporn.mobi free hd porn"&gt;likeporn.mobi&lt;/a&gt; rabi pirzada nude video
  356. marathi porn vidio &lt;a href="https://rajwap.biz" rel="dofollow" target="_blank" title="rajwap.biz"&gt;rajwap.biz&lt;/a&gt; www.livesex.com
  357. &lt;/div&gt;</pre>
  358. <p>This example utilizes a simple CSS style, <code>&lt;div style="display: none;"&gt;</code>. This is one of the most basic and widely known methods for concealing content; the property <code>display: none;</code> stands for &#8220;do not display&#8221;. We also see that each invisible <code>&lt;div&gt;</code> section contains a set of links to low-quality pornographic websites along with their keyword-stuffed descriptions. This clearly indicates spam, as the website where we found this block has no relation whatsoever to the type of content being linked to.</p>
  362. <p>Another sign of Black Hat SEO in the example is the attribute <code>rel="dofollow"</code>. This instructs search engines that the link carries link juice, meaning it passes weight. Spammers intentionally set this attribute to transfer authority from the victim website to the ones they are promoting. In standard practice, webmasters may, conversely, use <code>rel="nofollow"</code>, which signifies that the presence of the link on the site should not influence the ranking of the website where it leads.</p>
  365. <p>Thus, the combination of a hidden block (<code>display: none;</code>) and a set of external pornographic (in this instance) links carrying the <code>rel="dofollow"</code> attribute unequivocally points to an SEO spam injection.</p>
  368. <p>Note that all <code>&lt;div&gt;</code> sections are concentrated in one spot, at the end of the page, rather than scattered throughout the page code. This block demonstrates a classic Black Hat SEO approach.</p>
  370. <h3 id="example-2">Example 2</h3>
  371. <pre class="urvanov-syntax-highlighter-plain-tag">&lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;سكس انجليز &lt;a href="https://wfporn.com/" target="_self" title="wfporn.com افلام سحاق مترجم"&gt;wfporn.com&lt;/a&gt; سكس كلاسيك مترجم&lt;/div&gt;
  372. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;فيلم سكس &lt;a href="https://www.keep-porn.com/" rel="dofollow" target="_blank"&gt;keep-porn.com&lt;/a&gt; سكس هندى اغتصاب&lt;/div&gt;
  373. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;desi nude tumbler &lt;a href="https://www.desixxxv.net" title="desixxxv.net free hd porn video"&gt;desixxxv.net&lt;/a&gt; kanpur sexy video&lt;/div&gt;
  374. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;www wap sex video com &lt;a href="https://pornorado.mobi" target="_self"&gt;pornorado.mobi&lt;/a&gt; sexy film video mp4&lt;/div&gt;
  375. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;mom yes porn please &lt;a href="https://www.movsmo.net/" rel="dofollow" title="movsmo.net"&gt;movsmo.net&lt;/a&gt; yes porn please brazzers&lt;/div&gt;
  376. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;xxx download hd &lt;a href="https://fuxee.mobi" title="fuxee.mobi"&gt;fuxee.mobi&lt;/a&gt; fat woman sex&lt;/div&gt;
  377. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;bangalore xxx &lt;a href="https://bigassporntrends.com" rel="dofollow" target="_self" title="bigassporntrends.com"&gt;bigassporntrends.com&lt;/a&gt; sexy video kashmir&lt;/div&gt;
  378. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;xnxx sister sex &lt;a href="https://wetwap.info" rel="dofollow" target="_self" title="wetwap.info hd porn streaming"&gt;wetwap.info&lt;/a&gt; blue film a video&lt;/div&gt;
  379. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;tamilschoolsexvideo &lt;a href="https://tubetria.mobi" rel="dofollow" title="tubetria.mobi"&gt;tubetria.mobi&lt;/a&gt; sex free videos&lt;/div&gt;
  380. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;سكس من اجل المال مترجم &lt;a href="https://www.yesexyporn.com/" title="yesexyporn.com فوائد لحس الكس"&gt;yesexyporn.com&lt;/a&gt; نسوان شرميط&lt;/div&gt;
  381. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;kamapishi &lt;a href="https://desisexy.org/" target="_blank" title="desisexy.org free porn gay hd online"&gt;desisexy.org&lt;/a&gt; savita bhabhi xvideo&lt;/div&gt;
  382. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;aflamk2 &lt;a href="https://www.pornvideoswatch.net/" target="_self" title="pornvideoswatch.net"&gt;pornvideoswatch.net&lt;/a&gt; نيك ثمينات&lt;/div&gt;
  383. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;hentaifox futanari &lt;a href="https://www.hentaitale.net/" target="_blank" title="hentaitale.net pisuhame"&gt;hentaitale.net&lt;/a&gt; hen hentai&lt;/div&gt;
  384. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;video sexy wallpaper &lt;a href="https://povporntrends.com" target="_blank"&gt;povporntrends.com&lt;/a&gt; bengolibf&lt;/div&gt;
  385. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;persona 5 hentai manga &lt;a href="https://www.younghentai.net/" rel="dofollow" target="_self" title="younghentai.net oni hentai"&gt;younghentai.net&lt;/a&gt; toys hentai&lt;/div&gt;</pre>
  386. <p>This example demonstrates a slightly more sophisticated way of hiding the block containing Black Hat SEO content. It suggests an attempt to bypass automated search engine filters, which easily detect the <code>display: none;</code> property.</p>
  388. <p>Let us analyze the set of CSS styles: <code>&lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;</code>. The properties <code>position: absolute; height: 0pt; width: 0pt;</code> take the block out of the normal page flow and shrink it to a box of zero size, while <code>overflow: auto</code> clips the content to that box (with the default <code>overflow: visible</code>, the text would still spill out of the zero-size box and be drawn). This makes the links invisible to humans, but they remain in the <a href="https://en.wikipedia.org/wiki/Document_Object_Model" target="_blank" rel="noopener">DOM (document object model)</a>. That is why systems that scan the HTML code, such as search engine crawlers, can still see them.</p>
  391. <p>In addition to the zero dimensions of the block, in this example, just as in the previous one, we see the <code>rel="dofollow"</code> attribute as well as many links to pornographic websites with matching keywords.</p>
  393. <p>The combination of styles that sets the block dimensions to zero is less obvious than <code>display: none;</code> because the element is technically present in the rendering, although it is not visible to the user. Nevertheless, it is worth noting that modern search engine anti-spam algorithms, such as Google Penguin, detect this technique too. To counter this, malicious actors may employ more complex techniques for evading detection. Here is another example:</p><pre class="urvanov-syntax-highlighter-plain-tag">&lt;script src="files/layout/js/slider3d.js?v=0d6651e2"&gt;&lt;/script&gt;&lt;script src="files/layout/js/layout.js?v=51a52ad1"&gt;&lt;/script&gt;
  395. &lt;style type="text/css"&gt;.ads-gold {height: 280px;overflow: auto;color: transparent;}.ads-gold::-webkit-scrollbar {  display: none;}.ads-gold a {color: transparent;}.ads-gold {font-size: 10px;}.ads-gold {height: 0px;overflow: hidden;}&lt;/style&gt;
  396. &lt;div class="ads-gold"&gt;
  397. Ganhe Rápido nos Jogos Populares do Cassino Online &lt;a href="https://580-bet.com" target="_blank"&gt;580bet&lt;/a&gt;
  398. Cassino &lt;a href="https://bet-7k.com" target="_blank"&gt;bet 7k&lt;/a&gt;: Diversão e Grandes Vitórias Esperam por Você
  399. Aposte e Vença no Cassino &lt;a href="https://leao-88.com" target="_blank"&gt;leao&lt;/a&gt; – Jogos Fáceis e Populares
  400. Jogos Populares e Grandes Prêmios no Cassino Online &lt;a href="https://luck-2.com" target="_blank"&gt;luck 2&lt;/a&gt;
  401. Descubra os Jogos Mais Populares no Cassino &lt;a href="https://john-bet.com" target="_blank"&gt;john bet&lt;/a&gt; e Ganhe
  402. &lt;a href="https://7755-bet.com" target="_blank"&gt;7755 bet&lt;/a&gt;: Apostas Fáceis, Grandes Oportunidades de Vitória
  403. Jogue no Cassino Online &lt;a href="https://cbet-88.com" target="_blank"&gt;cbet&lt;/a&gt; e Aumente suas Chances de Ganhar
  404. Ganhe Prêmios Incríveis com Jogos Populares no Cassino &lt;a href="https://bet7-88.com" target="_blank"&gt;bet7&lt;/a&gt;
  405. Cassino &lt;a href="https://pk55-88.com" target="_blank"&gt;pk55&lt;/a&gt;: Onde a Sorte Está ao Seu Lado
  406. Experimente o Cassino &lt;a href="https://8800-bet.com" target="_blank"&gt;8800 bet&lt;/a&gt; e Ganhe com Jogos Populares
  407. Ganhe Facilmente no Cassino Online &lt;a href="https://doce-88.com" target="_blank"&gt;doce&lt;/a&gt;
  408. Aposte e Vença no Cassino &lt;a href="https://bet-4-br.com" target="_blank"&gt;bet 4&lt;/a&gt;
  409. Jogos Populares e Grandes Premiações na &lt;a href="https://f12--bet.com" target="_blank"&gt;f12bet&lt;/a&gt;
  410. Descubra a Diversão e Vitória no Cassino &lt;a href="https://bet-7-br.com" target="_blank"&gt;bet7&lt;/a&gt;
  411. Aposte nos Jogos Mais Populares do Cassino &lt;a href="https://ggbet-88.com" target="_blank"&gt;ggbet&lt;/a&gt;
  412. Ganhe Prêmios Rápidos no Cassino Online &lt;a href="https://bet77-88.com" target="_blank"&gt;bet77&lt;/a&gt;
  413. Jogos Fáceis e Rápidos no Cassino &lt;a href="https://mrbet-88.com" target="_blank"&gt;mrbet&lt;/a&gt;
  414. Jogue e Ganhe com Facilidade no Cassino &lt;a href="https://bet61-88.com" target="_blank"&gt;bet61&lt;/a&gt;
  415. Cassino &lt;a href="https://tvbet-88.com" target="_blank"&gt;tvbet&lt;/a&gt;: Onde a Sorte Está Ao Seu Lado
  416. Aposte nos Melhores Jogos do Cassino Online &lt;a href="https://pgwin-88.com" target="_blank"&gt;pgwin&lt;/a&gt;
  417. Ganhe Grande no Cassino &lt;a href="https://today-88.com" target="_blank"&gt;today&lt;/a&gt; com Jogos Populares
  418. Cassino &lt;a href="https://fuwin-88.com" target="_blank"&gt;fuwin&lt;/a&gt;: Grandes Vitórias Esperam por Você
  419. Experimente os Melhores Jogos no Cassino &lt;a href="https://brwin-88.com" target="_blank"&gt;brwin&lt;/a&gt;
  420. &lt;/div&gt;&lt;/body&gt;</pre><p>
  421. Aside from the properties we are already familiar with, which conceal the block (<code>height: 0px</code>, <code>color: transparent</code>, <code>overflow: hidden</code>; note that the stylesheet declares <code>.ads-gold</code> several times, and the later rules override the earlier <code>height: 280px; overflow: auto</code>), and the class name that hints at its contents (<code>&lt;style type="text/css"&gt;.ads-gold</code>), this example has script tags at the very beginning: <code>&lt;script src="files/layout/js/slider3d.js?v=0d6651e2"&gt;&lt;/script&gt;</code> and <code>&lt;script src="files/layout/js/layout.js?v=51a52ad1"&gt;&lt;/script&gt;</code>. Their presence next to the block suggests that external JavaScript may control the page content dynamically, for example by adding or changing hidden links, that is, modifying this block at runtime. The scripts themselves are not shown here, so what they actually do cannot be confirmed from this fragment alone; verifying it requires fetching and reading them.</p>
  426. <p>This is a more advanced approach than the ones in the previous examples. Yet it is also detected by filters responsible for identifying suspicious manipulations.</p>
  427. <p>Other parameters and attributes exist that attackers use to conceal a link block. These, however, can also be detected:</p>
  428. <ul>
  429. <li>The property <code>visibility: hidden;</code> can sometimes be seen instead of <code>display: none;</code>.</li>
  432. <li>With <code>position: absolute;</code>, the block with hidden links may not have a zero size but instead be located far beyond the visible area of the page. This can be set, for example, via the property <code>left: -9232px;</code>, as in the example below.</li>
  435. </ul>
  436. <pre class="urvanov-syntax-highlighter-plain-tag">&lt;div style="position: absolute; left: -9232px"&gt;
  437. &lt;a href="https://romabet.cam/"&gt;روما بت&lt;/a&gt;&lt;br&gt;
  438. &lt;a href="https://mahbet.cam/"&gt;ماه بت&lt;/a&gt;&lt;br&gt;
  439. &lt;a href="https://pinbahis.com.co/"&gt;پین باهیس&lt;/a&gt;&lt;br&gt;
  440. &lt;a href="https://bettingmagazine.org/"&gt;بهترین سایت شرط بندی&lt;/a&gt;&lt;br&gt;
  441. &lt;a href="https://1betcart.com/"&gt;بت کارت&lt;/a&gt;&lt;br&gt;
  442. &lt;a href="https:// yasbet.com.co/"&gt;یاس بت&lt;/a&gt;&lt;br&gt;
  443. &lt;a href="https://yekbet.cam/"&gt;یک بت&lt;/a&gt;&lt;br&gt;
  444. &lt;a href="https://megapari.cam/"&gt;مگاپاری &lt;/a&gt;&lt;br&gt;
  445. &lt;a href="https://onjabet.net/"&gt;اونجا بت&lt;/a&gt;&lt;br&gt;
  446. &lt;a href="https://alvinbet.org/"&gt;alvinbet.org&lt;/a&gt;&lt;br&gt;
  447. &lt;a href="https://2betboro.com/"&gt;بت برو&lt;/a&gt;&lt;br&gt;
  448. &lt;a href="https://betfa.cam/"&gt;بت فا&lt;/a&gt;&lt;br&gt;
  449. &lt;a href="https://betforward.help/"&gt;بت فوروارد&lt;/a&gt;&lt;br&gt;
  450. &lt;a href="https://1xbete.org/"&gt;وان ایکس بت&lt;/a&gt;&lt;br&gt;
  451. &lt;a href="https://1win-giris.com.co/"&gt;1win giriş&lt;/a&gt;&lt;br&gt;
  452. &lt;a href="https://betwiner.org/"&gt;بت وینر&lt;/a&gt;&lt;br&gt;
  453. &lt;a href="https://4shart.com/"&gt;بهترین سایت شرط بندی ایرانی&lt;/a&gt;&lt;br&gt;
  454. &lt;a href="https://1xbetgiris.cam"&gt;1xbet giriş&lt;/a&gt;&lt;br&gt;
  455. &lt;a href="https://1kickbet1.com/"&gt;وان کیک بت&lt;/a&gt;&lt;br&gt;
  456. &lt;a href="https://winbet-bet.com/"&gt;وین بت&lt;/a&gt;&lt;br&gt;
  457. &lt;a href="https://ritzobet.org/"&gt;ریتزو بت&lt;/a&gt;&lt;br&gt;</pre>
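<p>The concealment methods described in Examples 1 to 3 and in the list above, as an added example that is not part of the original article: a single-pass scanner written in Python for this page. It reads simple class rules from <code>&lt;style&gt;</code>, applies inline styles on top, and reports every link hidden by <code>display: none</code>, <code>visibility: hidden</code>, a zero-size clipped box, a transparent colour or a far-negative absolute offset, together with whether the link is external and carries <code>rel="dofollow"</code>. The hostnames in <code>SAMPLE_HTML</code> are invented, and the 1000px off-screen threshold is an assumption, not a documented search-engine rule.</p>

```python
# Added example, not the article's code: flag links hidden by the CSS tricks shown above.
# Hostnames in SAMPLE_HTML are invented; OFFSCREEN_PX is an assumed heuristic threshold.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

_ZERO = re.compile(r"^0+(?:\.0+)?(?:px|pt|em|rem|%)?$")
_NEG = re.compile(r"^-(\d+(?:\.\d+)?)(?:px|pt|em|rem)?$")
OFFSCREEN_PX = 1000  # assumption: an offset this large never lands on screen

def parse_declarations(css):
    """'a: b; c: d' -> {'a': 'b', 'c': 'd'}; later declarations override earlier ones."""
    decls = {}
    for part in (css or "").split(";"):
        if ":" in part:
            prop, value = part.split(":", 1)
            decls[prop.strip().lower()] = value.strip().lower()
    return decls

def hiding_techniques(decls):
    """Names of the concealment techniques a set of CSS declarations implements."""
    found = [f"{p}:{v}" for p, v in (("display", "none"), ("visibility", "hidden"),
                                     ("color", "transparent")) if decls.get(p) == v]
    # a zero-size box hides content only when overflow is clipped (the default is 'visible')
    zero_box = _ZERO.match(decls.get("height", "")) or _ZERO.match(decls.get("width", ""))
    if zero_box and decls.get("overflow") in ("hidden", "auto", "scroll", "clip"):
        found.append("zero-size+overflow")
    # pushed far outside the viewport, as in position:absolute; left:-9232px
    if decls.get("position") in ("absolute", "fixed"):
        offsets = (_NEG.match(decls.get(p, "")) for p in ("left", "top", "right", "bottom"))
        if any(m and float(m.group(1)) >= OFFSCREEN_PX for m in offsets):
            found.append("offscreen")
    return found

class HiddenLinkScanner(HTMLParser):
    """Learn simple .class rules from <style>, then report <a href> hidden by style, class or ancestor."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.class_rules = {}    # class name -> merged declarations
        self._open = []          # (tag, techniques) for each open ancestor
        self._style_text = None  # buffer while inside <style>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        decls = {}
        for cls in a.get("class", "").split():
            decls.update(self.class_rules.get(cls, {}))
        decls.update(parse_declarations(a.get("style")))  # inline style wins over class
        techniques = hiding_techniques(decls)
        if tag == "style":
            self._style_text = ""
        if tag == "a" and a.get("href"):
            hidden_by = {t for _, ts in self._open for t in ts} | set(techniques)
            if hidden_by:
                host = (urlparse(a["href"]).hostname or "").lower()
                self.findings.append({
                    "href": a["href"],
                    "external": bool(host) and host != self.page_host,
                    "dofollow": "dofollow" in a.get("rel", "").lower().split(),
                    "techniques": sorted(hidden_by),
                })
        self._open.append((tag, techniques))

    def handle_data(self, data):
        if self._style_text is not None:
            self._style_text += data

    def handle_endtag(self, tag):
        if tag == "style" and self._style_text is not None:
            for selector, body in re.findall(r"([^{}]+)\{([^}]*)\}", self._style_text):
                if re.fullmatch(r"\.[\w-]+", selector.strip()):  # simple .class selectors only
                    rules = self.class_rules.setdefault(selector.strip()[1:], {})
                    rules.update(parse_declarations(body))
            self._style_text = None
        for i in range(len(self._open) - 1, -1, -1):  # pop back to the matching open tag
            if self._open[i][0] == tag:
                del self._open[i:]
                break

def scan_html(html, page_host):
    scanner = HiddenLinkScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed page combining the four hiding methods discussed above.
SAMPLE_HTML = """<p>Real content with a <a href="/about">normal link</a>.</p>
<style>.ads-gold {height: 280px; overflow: auto; color: transparent;}
.ads-gold {height: 0px; overflow: hidden;}</style>
<div style="display: none;"><a href="https://spam-one.example/" rel="dofollow">one</a></div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">kw <a href="https://spam-two.example/" rel="dofollow" target="_self">two</a></div>
<div class="ads-gold">Casino <a href="https://spam-three.example" target="_blank">three</a></div>
<div style="position: absolute; left: -9232px"><a href="https://spam-four.example/">four</a><br></div>
<div style="visibility: hidden;"><a href="https://victim.example/x">internal</a></div>"""
```

<p>Running <code>scan_html(SAMPLE_HTML, "victim.example")</code> returns five findings, one per hidden link; the normal <code>/about</code> link is not reported. A hidden link to the site's own host is still flagged, with <code>external</code> set to false, because a hidden block is suspicious regardless of where it points; a triage rule would typically alert on a cluster of external, hidden links first.</p>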
  458. <h2 id="how-attackers-place-hidden-links-on-other-peoples-websites">How attackers place hidden links on other people&#8217;s websites</h2>
  459. <p>To place hidden links, attackers typically exploit website configuration errors and vulnerabilities. This may be a weak or compromised password for an administrator account, plugins or an engine that have not been updated in a long time, poor filtering of user inputs, or security issues on the hosting provider&#8217;s side. Furthermore, attackers may attempt to exploit the human factor, for example, by setting up targeted or mass phishing attacks in the hope of obtaining the website administrator&#8217;s credentials.</p>
  460. <p>Let us examine in detail the various mechanisms through which an attacker gains access to editing a page&#8217;s HTML code.</p>
  461. <ul>
  462. <li><strong>Compromise of the administrator password</strong>. An attacker may guess the password, use phishing to trick the victim into giving it away, or steal it with the help of malware. Furthermore, the password may be found in a database of leaked credentials. Site administrators frequently use simple passwords for control panel protection or, even worse, leave the default password, thereby simplifying the task for the attacker.<br />
  463. After gaining access to the admin panel, the attacker can directly edit the page&#8217;s HTML code or install their own plugins with hidden SEO blocks.</li>
  464. <li><strong>Exploitation of CMS (WordPress, Joomla, Drupal) vulnerabilities</strong>. If the engine or plugins are out of date, attackers use known vulnerabilities (SQL Injection, RCE, or XSS) to gain access to the site&#8217;s code. After that, depending on the level of access gained by exploiting the vulnerability, they can modify template files (header.php, footer.php, index.php, etc.), insert invisible blocks into arbitrary site pages, and so on.<br />
  465. In SQL injection attacks, the hacker injects their own SQL into a database query. Many websites, from news portals to online stores, store their content (text, product descriptions, and news) in a database. If a query such as <code>SELECT * FROM posts WHERE id = '$id'</code> is built by pasting user input into the query string, the attacker can use the <code>$id</code> field to inject their own code. Depending on the query and the database driver, this lets them read data they should not see (for example, the administrator's password hash, which opens the way to the admin panel) or, where the driver executes stacked statements, change the content of records, for example by inserting HTML with hidden blocks.<br />
  468. In RCE (remote code execution) attacks, the attacker gains the ability to run their own commands on the server where the website runs. Unlike SQL injections, which are limited to the database, RCE provides almost complete control over the system. For example, it allows the attacker to create or modify site files, upload malicious scripts, and, of course, inject invisible blocks.<br />
  469. In an XSS (cross-site scripting) attack, the attacker injects their own JavaScript (or raw HTML) into the web page through vulnerable input fields, such as those for comments or search queries. When another user visits the page, the malicious script executes in their browser. Such a script can perform various malicious actions, including stealthily adding a hidden <code>&lt;div&gt;</code> block with invisible links to the page. For SEO injection the payload has to be stored (persistent) XSS: it must be saved by the site and served to every visitor, crawlers included; a reflected payload that lives only in a crafted URL never reaches the search index. For XSS, the attacker does not need direct access to the server or database, as with SQL injection or RCE; they only need to find a single vulnerability on the website.</li>
  471. <li><strong>An attack via the hosting provider</strong>. In addition to directly hacking the target website, an attacker may attempt to gain access to the website through the hosting environment. If the hosting provider&#8217;s server is poorly secured, there is a risk of it being compromised. Furthermore, if multiple websites or web applications run on the same server, a vulnerability in one of them can jeopardize all other projects. The attacker&#8217;s capabilities depend on the level of access to the server. These capabilities may include: injecting hidden blocks into page templates, substituting files, modifying databases, connecting external scripts to multiple websites simultaneously, and so forth. Meanwhile, the website administrator may not notice the problem because the vulnerability is being exploited within the server environment rather than the website code.</li>
  472. </ul>
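<p>The SQL injection described above, as an added example that is not from the article: the query quoted in the text, run in Python against an in-memory SQLite database with constructed rows. The string-built version hands the administrator's password hash to a UNION payload, the parameterized version treats the same input as an ordinary value, and a stacked UPDATE that would plant a hidden block is refused by this driver, which accepts only one statement per call; drivers that execute multiple statements would run it. Table contents, payloads and hostnames are all constructed for the demonstration.</p>

```python
# Added example, not the article's code: the injectable query from the text run against an
# in-memory SQLite database, beside its parameterized replacement. All rows are constructed.
import sqlite3

# Constructed payload: closes the quote, unions in the users table, comments out the tail.
UNION_PAYLOAD = "x' UNION SELECT id, username, password_hash FROM users -- "
# Constructed payload: tries to append a second statement that writes a hidden block.
STACKED_PAYLOAD = ("1'; UPDATE posts SET body = body || "
                   "'<div style=\"display:none\"><a href=\"https://spam.example\">x</a></div>' -- ")


def make_db():
    """Tiny CMS schema: public posts plus the users table an attacker really wants."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO posts VALUES (1, 'Hello', '<p>First post</p>');
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value');
    """)
    return conn


def get_post_vulnerable(conn, post_id):
    """The pattern from the text: the request parameter is pasted into the SQL string."""
    query = f"SELECT id, title, body FROM posts WHERE id = '{post_id}'"
    return conn.execute(query).fetchall()


def get_post_safe(conn, post_id):
    """Same query with a bound parameter: the input can only ever be a value, never SQL."""
    return conn.execute("SELECT id, title, body FROM posts WHERE id = ?", (post_id,)).fetchall()


def stacked_write_succeeds(conn, payload):
    """True only if an injected second statement actually modified the post body.
    sqlite3.execute() refuses more than one statement per call; other drivers differ."""
    try:
        get_post_vulnerable(conn, payload)
    except (sqlite3.Warning, sqlite3.Error):
        return False
    body = conn.execute("SELECT body FROM posts WHERE id = 1").fetchone()[0]
    return "display:none" in body


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal id:", get_post_vulnerable(db, "1"))
    print("vulnerable, payload:  ", get_post_vulnerable(db, UNION_PAYLOAD))
    print("safe, payload:        ", get_post_safe(db, UNION_PAYLOAD))
    print("stacked write ran:    ", stacked_write_succeeds(db, STACKED_PAYLOAD))
```

<p>The leaked row comes back in the shape of a post (id, title, body), which is exactly why UNION payloads are built to match the column count of the original query. With the stolen hash, the attacker is back at the first item in the list above: log in to the admin panel and edit the templates directly.</p>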
  473. <p>Note that hidden links appearing on a website is not always a sign of a cyberattack. The issue often arises during the development phase, for example, if an illegal copy of a template is downloaded to save money or if the project is executed by an unscrupulous web developer.</p>
  474. <h2 id="why-attackers-place-hidden-blocks-on-websites">Why attackers place hidden blocks on websites</h2>
  475. <p>One of the most obvious goals for injecting hidden blocks into other people&#8217;s websites is to steal the PageRank from the victim. The more popular and authoritative the website is, the more interesting it is to attackers. However, this does not mean that moderate- or low-traffic websites are safe. As a rule, administrators of popular websites and large platforms do their best to adhere to security rules, so it is not so easy to get close to them. Therefore, attackers may target less popular – and less protected – websites.</p>
  476. <p>As previously mentioned, this approach to promoting websites is easily detected and blocked by search engines. In the short term, though, attackers still benefit from this: they manage to drive traffic to the websites that interest them until search engine algorithms detect the violation.</p>
  477. <p>Even though the user does not see the hidden block and cannot click the links, attackers can use scripts to boost traffic to their websites. One possible scenario involves JavaScript creating an iframe in the background or sending an HTTP request to the website from the hidden block, which then receives information about the visit.</p>
  478. <p>Hidden links can lead not just to pornographic or other questionable websites but also to websites with low-quality content whose sole purpose is to be promoted and subsequently sold, or to phishing and malicious websites. In more sophisticated schemes, the script that provides &#8220;visits&#8221; to such websites may load malicious code into the victim&#8217;s browser.</p>
  479. <p>Finally, hidden links allow attackers to lower the reputation of the targeted website and harm its standing with search engines. This threat is especially relevant in light of the fact that algorithms such as Google Penguin penalize websites hosting questionable links. Attackers may use these techniques as a tool for unfair competition, hacktivism, or any other activity that involves discrediting certain organizations or individuals.</p>
  480. <p>Interestingly, in 2025, we have more frequently encountered hidden blocks with links to pornographic websites and online casinos on various legitimate websites. With low confidence, we can suggest that this is partly due to the development of neural networks, which make it easy to automate such attacks, and partly due to the regular <a href="https://developers.google.com/search/docs/appearance/spam-updates" target="_blank" rel="noopener">updates to Google&#8217;s anti-spam systems</a>, the latest of which was completed at the end of September 2025: attackers may have rushed to maximize their gains before the search engine made it a little harder for them.</p>
  481. <h2 id="consequences-for-the-victim-website">Consequences for the victim website</h2>
482. <p>The consequences for the victim website vary in severity. At a minimum, hidden links placed by unauthorized parties hurt search engine reputation, which may lead to lower rankings or even complete exclusion from search results. Even without any penalty, the links disrupt the internal linking structure: they point to external websites and pass a portion of the victim&#8217;s link equity to them, which lowers the rankings of key pages.</p>
  483. <p>Although unseen by visitors, hidden links can be discovered by external auditors, content analysis systems, or researchers who report such findings in public reports. This is something that can undermine trust in the website. For example, sites where our categorization engine detects links to pornography pages will be classified as &#8220;Adult content&#8221;. Consequently, all of our clients who use web filters to block this category will be unable to visit the website. Furthermore, information about a website&#8217;s category is published on our <a href="https://opentip.kaspersky.com/" target="_blank" rel="noopener">Kaspersky Threat Intelligence Portal</a> and available to anyone wishing to look up its reputation.</p>
  484. <p>If the website is being used to distribute illegal or fraudulent content, the issue enters the legal realm, with the owner potentially facing lawsuits from copyright holders or regulators. For example, if the links lead to websites that distribute pirated content, the site may be considered an intermediary in copyright infringement. If the hidden block contains malicious scripts or automatic redirects to questionable websites, such as phishing pages, the owner can be charged with fraud or some other cybercrime.</p>
  485. <h2 id="how-to-detect-a-hidden-link-block-on-your-website">How to detect a hidden link block on your website</h2>
486. <p>The simplest and most accessible way for any user to check a website for a hidden block is to view its source code in the browser. Navigate to the website and press Control+U; the page source opens in a new tab. Search it (Control+F) for the following keywords: <code>display: none</code>, <code>visibility: hidden</code>, <code>opacity: 0</code>, <code>height: 0</code>, <code>width: 0</code>, <code>position: absolute</code>. Note that <code>position: absolute</code> is only suspicious in combination with coordinates that push the element off-screen (for example a large negative <code>left</code> or <code>text-indent</code>), and that the page source shows the HTML the server returned: a block injected by a script after the page loads will only show up in the DOM (see the DevTools method below). In addition, you can check for keywords characteristic of the hidden content itself. For links that point to adult or gambling sites, look for <code>porn</code>, <code>sex</code>, <code>casino</code>, <code>card</code>, and the like.</p>
489. <p>A slightly more involved method is to use the browser&#8217;s developer tools to inspect the DOM for invisible blocks; unlike the page source, the DOM also contains anything scripts have injected. After the page fully loads, open DevTools (F12) and go to the Elements tab. Search (Control+F) for keywords such as <code>&lt;a</code>, <code>iframe</code>, <code>display: none</code>, <code>hidden</code>, <code>opacity</code>. Hover over suspicious elements in the tree so the browser highlights their location on the page: a block that occupies zero area or sits outside the viewport is an indicator of a hidden element. Then check the Computed tab for the selected element; it shows the CSS that actually applies, including rules from external stylesheets, and confirms whether the element is hidden from view.</p>
  491. <p>You can also utilize specialized SEO tools. These are typically third-party solutions that scan website SEO data and generate reports. They can provide a report about suspicious links as well. Few of them are free, but when selecting a tool, you should be guided primarily by the vendor&#8217;s reputation rather than price. It is better to use tried-and-true, well-known services that are known to be free of malicious or questionable payloads. Examples of these trusted services include Google Search Console, Bing Webmaster Tools, OpenLinkProfiler, and SEO Minion.</p>
492. <p>Another way to discover hidden SEO spam is to check the CMS itself and its files. Scan the database tables for suspicious HTML with third-party links that may have been inserted by attackers, and carefully examine the template files (header.php, footer.php, index.php) and included modules for unfamiliar code. Pay particular attention to obfuscated or encoded insertions, scripts whose purpose is unclear, and links that have no reason to be in the website&#8217;s structure. Where a clean copy of the theme or a known-good backup exists, compare the files against it.</p>
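<p>The view-source and DevTools checks above, and the scan of template output, can be automated. The script below is an added example for this article, not a tool from Kaspersky: it parses a saved page with Python&#8217;s standard library, reports every link that is hidden by inline CSS or the <code>hidden</code> attribute on the element or any ancestor, and flags links whose address or text contains the keywords listed above. The sample page and the <code>example.invalid</code> hosts are constructed for the demo; class-based hiding from external stylesheets is not resolved, which is why the Computed tab remains the final check.</p>

```python
"""Scan rendered HTML for hidden link blocks.

Added example, not code from the Securelist article. It automates the manual
checks described there: anchors hidden through inline CSS (display:none,
visibility:hidden, opacity:0, zero height/width, a large negative offset) or
the HTML hidden attribute, on the element itself or any ancestor, plus anchors
whose href or text contains spam keywords. External stylesheets are not
resolved; the browser's Computed tab is the authority for those.
"""
import re
from html.parser import HTMLParser

# Inline-style patterns that make an element (and everything inside it) invisible.
HIDE_PATTERNS = {
    "display:none": re.compile(r"display\s*:\s*none"),
    "visibility:hidden": re.compile(r"visibility\s*:\s*hidden"),
    "opacity:0": re.compile(r"opacity\s*:\s*0(?:\.0+)?(?![\d.])"),
    "zero-size": re.compile(r"(?<![\w-])(?:height|width)\s*:\s*0(?:px|%|em)?(?![\d.])"),
    "font-size:0": re.compile(r"font-size\s*:\s*0(?:px|em)?(?![\d.])"),
    # position:absolute alone is ordinary CSS; it is suspicious together with a
    # large negative offset that moves the block out of the viewport.
    "off-screen": re.compile(r"(?:left|top|right|bottom|text-indent)\s*:\s*-\d{3,}"),
}
KEYWORDS = ("porn", "sex", "casino", "card")   # from the article; extend as needed
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr", "source"}


def hiding_reasons(style: str) -> list[str]:
    """Names of the hiding techniques present in one inline style string."""
    lowered = style.lower()
    return [name for name, rx in HIDE_PATTERNS.items() if rx.search(lowered)]


class HiddenLinkScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.stack = []        # (tag, hiding reasons declared on that element)
        self.findings = []
        self._anchor = None    # the <a> currently being collected, or None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        reasons = hiding_reasons(attrs.get("style") or "")
        if "hidden" in attrs:
            reasons.append("hidden-attr")
        self.stack.append((tag, reasons))
        if tag == "a":
            if self._anchor is not None:       # nested <a>: close the previous one
                self._record()
            inherited = [r for _, rs in self.stack for r in rs]   # self + ancestors
            self._anchor = {"href": attrs.get("href") or "", "text": "",
                            "reasons": list(dict.fromkeys(inherited))}
        if tag in VOID_TAGS:
            self.stack.pop()

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            self._record()
        for i in range(len(self.stack) - 1, -1, -1):   # pop to the matching open tag
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor["text"] += data

    def _record(self) -> None:
        anchor, self._anchor = self._anchor, None
        haystack = (anchor["href"] + " " + anchor["text"]).lower()
        anchor["keywords"] = [k for k in KEYWORDS if k in haystack]
        anchor["text"] = " ".join(anchor["text"].split())
        if anchor["reasons"] or anchor["keywords"]:
            self.findings.append(anchor)


def scan_html(html: str) -> list[dict]:
    """Return every anchor that is hidden, contains a spam keyword, or both."""
    scanner = HiddenLinkScanner()
    scanner.feed(html)
    scanner.close()
    if scanner._anchor is not None:        # unterminated <a> at end of input
        scanner._record()
    return scanner.findings


# Constructed sample page; the hosts are placeholders, not real spam domains.
SAMPLE_HTML = """<html><body>
<p>Welcome to <a href="/about">our site</a>.</p>
<div style="position:absolute; left:-9999px; top:0">
  <a href="http://example.invalid/casino">best online casino</a>
  <a href="http://example.invalid/other">cheap stuff</a>
</div>
<span style="display:none"><a href="http://example.invalid/p">porn links</a></span>
<a href="/cards" hidden>gift card</a>
<p>Contact <a href="/contact" style="opacity:0.9">us</a></p>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f['href']:<35} hidden-by={f['reasons'] or '-'} keywords={f['keywords'] or '-'}")
```

<p>Run it against the HTML saved from Control+U to cover server-side injection, and against the DOM exported from DevTools (right-click the <code>html</code> node, &#8220;Copy outerHTML&#8221;) to cover blocks that scripts add after load.</p>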
  493. <p>Additionally, you can look up your website&#8217;s reputation on the <a href="https://opentip.kaspersky.com/" target="_blank" rel="noopener">Kaspersky Threat Intelligence Portal</a>. If you find it in an uncharacteristic category – typically &#8220;Adult content&#8221;, &#8220;Sexually explicit&#8221;, or &#8220;Gambling&#8221; – there is a high probability that there is a hidden SEO spam block embedded in your website.</p>
  494. <h2 id="how-to-protect-your-website">How to protect your website</h2>
  495. <p>To prevent hidden links from appearing on your website, avoid unlicensed templates, themes, and other pre-packaged solutions. The entire site infrastructure must be built only on licensed and official solutions. The same principle applies to webmasters and companies you hire to build your website: we recommend checking their work for hidden links, but also for vulnerabilities in general. Never cut corners when it comes to security.</p>
496. <p>Keep your CMS, themes, and plugins up to date, as new versions often patch known vulnerabilities that attackers exploit. Delete any unused plugins and themes. The fewer unnecessary components are installed, the smaller the attack surface offered by extensions, plugins, and themes. Note that this risk never disappears completely: even a minimal set of components is a liability if it is outdated or poorly secured.</p>
497. <p>To protect files and the server, configure access permissions properly. On servers running Linux and other Unix-like systems, use <strong>644</strong> for files and <strong>755</strong> for directories. With these modes the owner can read and modify files and create entries in directories, while the group and other users can only read files and traverse directories; nobody but the owner can write. Never use 777, and where write access is not needed at all, for example in template directories, remove it even for the web server&#8217;s own user, so that an attacker who gains code execution on the site cannot modify templates. Configuration files holding database credentials can be tightened further to 600 or 640. Furthermore, set up regular, automatic website backups so that data can be quickly restored if there is an issue.</p>
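<p>As an added example, not part of the original article, the Python script below audits a web root against that baseline: it lists every directory or file that is writable by group or others and every file carrying an execute bit, then optionally resets everything to 755/644. The demo tree it builds in a temporary directory is constructed; the one file it leaves clean is <code>index.php</code>.</p>

```python
"""Audit a web root against the 644/755 baseline.

Added example, not from the article. Reports every file or directory that is
writable by group or others and every regular file with an execute bit: a
world-writable template or a file the web server can rewrite is exactly what
a hosting-level attacker needs. The demo tree is constructed in a tempdir.
"""
import os
import stat
import tempfile

FILE_BASELINE = 0o644
DIR_BASELINE = 0o755
GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit_tree(root: str) -> list[tuple[str, str, str]]:
    """Return (relative path, actual mode, problem) for every entry looser than the baseline."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & GROUP_OR_WORLD_WRITE:
                findings.append((os.path.relpath(path, root), oct(mode), "directory writable by group/others"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                       # symlinks and specials need a human look
            mode = stat.S_IMODE(st.st_mode)
            if mode & GROUP_OR_WORLD_WRITE:
                findings.append((os.path.relpath(path, root), oct(mode), "file writable by group/others"))
            elif mode & ANY_EXEC:
                findings.append((os.path.relpath(path, root), oct(mode), "file has execute bit"))
    return sorted(findings)


def apply_baseline(root: str, dry_run: bool = True) -> list[tuple[str, str]]:
    """Reset directories to 755 and files to 644; returns what would be (or was) changed.
    Symlinks are skipped so chmod never follows one outside the web root."""
    changes = []
    for dirpath, dirnames, filenames in os.walk(root):
        targets = [(d, DIR_BASELINE) for d in dirnames] + [(f, FILE_BASELINE) for f in filenames]
        for name, wanted in targets:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if stat.S_IMODE(st.st_mode) != wanted:
                changes.append((os.path.relpath(path, root), oct(wanted)))
                if not dry_run:
                    os.chmod(path, wanted)
    return sorted(changes)


def build_demo_tree() -> str:
    """Constructed web root: one clean file and three typical misconfigurations."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.mkdir(os.path.join(root, "uploads"))
    os.mkdir(os.path.join(root, "templates"))
    for rel, mode in [("index.php", 0o644), ("templates/footer.php", 0o666), ("uploads/shell.php", 0o755)]:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "uploads"), 0o777)    # world-writable upload directory
    os.chmod(os.path.join(root, "templates"), 0o755)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for rel, mode, problem in audit_tree(root):
        print(f"{mode:<6} {rel:<22} {problem}")
    print("would change:", apply_baseline(root, dry_run=True))
    apply_baseline(root, dry_run=False)
    print("after fix:", audit_tree(root))
```

<p>Run the dry run first and review the list: a deliberately executable CGI script, or an upload directory the application genuinely must write to, should be handled individually rather than flattened to the baseline.</p>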
  498. <p>Additionally, it is worth using web application firewalls (WAFs), which help block malicious requests and protect the site from external attacks. This solution is available in <a href="https://www.kaspersky.com/small-to-medium-business-security/ddos-protection?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___kddosp____debce7fd29f69a6d" target="_blank" rel="noopener">Kaspersky DDoS Protection</a>.</p>
499. <p>To protect the administrator panel, always use strong, unique passwords and two-factor authentication (2FA). Restrict access to the admin panel by IP address if you can, and grant admin privileges to as few people as possible.</p>
  500. ]]></content:encoded>
  501. <wfw:commentRss>https://securelist.com/seo-spam-hidden-links/117782/feed/</wfw:commentRss>
  502. <slash:comments>0</slash:comments>
  503. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16210132/SL-seo-spam-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
  504. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16210132/SL-seo-spam-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
  505. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16210132/SL-seo-spam-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
  506. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16210132/SL-seo-spam-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  507. </item>
  508. <item>
  509. <title>Maverick: a new banking Trojan abusing WhatsApp in a mass-scale distribution</title>
  510. <link>https://securelist.com/maverick-banker-distributing-via-whatsapp/117715/</link>
  511. <comments>https://securelist.com/maverick-banker-distributing-via-whatsapp/117715/#respond</comments>
  512. <dc:creator><![CDATA[GReAT]]></dc:creator>
  513. <pubDate>Wed, 15 Oct 2025 13:00:43 +0000</pubDate>
  514. <category><![CDATA[Malware descriptions]]></category>
  515. <category><![CDATA[Malware Technologies]]></category>
  516. <category><![CDATA[Microsoft Internet Explorer]]></category>
  517. <category><![CDATA[Firefox]]></category>
  518. <category><![CDATA[Google Chrome]]></category>
  519. <category><![CDATA[Malware Descriptions]]></category>
  520. <category><![CDATA[Malware]]></category>
  521. <category><![CDATA[Trojan Banker]]></category>
  522. <category><![CDATA[Trojan]]></category>
  523. <category><![CDATA[Brazil]]></category>
  524. <category><![CDATA[Microsoft Edge]]></category>
  525. <category><![CDATA[Coyote]]></category>
  526. <category><![CDATA[Maverick]]></category>
  527. <category><![CDATA[Financial threats]]></category>
  528. <category><![CDATA[Windows malware]]></category>
  529. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117715</guid>
  530.  
  531. <description><![CDATA[A malware campaign was recently detected in Brazil, distributing a malicious LNK file using WhatsApp. It delivered a new Maverick banker, which features code overlaps with Coyote malware.]]></description>
  532. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15073641/SL-Maverick-Brazilian-banker-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>A malware campaign was recently detected in Brazil, distributing a malicious LNK file using WhatsApp. It targets mainly Brazilians and uses Portuguese-named URLs. To evade detection, the command-and-control (C2) server verifies each download to ensure it originates from the malware itself.<br />
  533. The whole infection chain is complex and fully fileless, and by the end, it will deliver a new banking Trojan named Maverick, which contains many code overlaps with <a href="https://securelist.com/coyote-multi-stage-banking-trojan/111846/" target="_blank" rel="noopener">Coyote</a>. In this blog post, we detail the entire infection chain, encryption algorithm, and its targets, as well as discuss the similarities with known threats.</p>
  534. <h2 id="key-findings">Key findings:</h2>
  535. <ul>
  536. <li>A massive campaign disseminated through WhatsApp distributed the new Brazilian banking Trojan named &#8220;Maverick&#8221; through ZIP files containing a malicious LNK file, which is not blocked on the messaging platform.</li>
  537. <li>Once installed, the Trojan uses the open-source project WPPConnect to automate the sending of messages in hijacked accounts via WhatsApp Web, taking advantage of the access to send the malicious message to contacts.</li>
  538. <li>The new Trojan features code similarities with another Brazilian banking Trojan called <a href="https://securelist.com/coyote-multi-stage-banking-trojan/111846/" target="_blank" rel="noopener">Coyote</a>; however, we consider Maverick to be a new threat.</li>
  539. <li>The Maverick Trojan checks the time zone, language, region, and date and time format on infected machines to ensure the victim is in Brazil; otherwise, the malware will not be installed.</li>
  540. <li>The banking Trojan can fully control the infected computer, taking screenshots, monitoring open browsers and websites, installing a keylogger, controlling the mouse, blocking the screen when accessing a banking website, terminating processes, and opening phishing pages in an overlay. It aims to capture banking credentials.</li>
  541. <li>Once active, the new Trojan will monitor the victims&#8217; access to 26 Brazilian bank websites, 6 cryptocurrency exchange websites, and 1 payment platform.</li>
  542. <li>All infections are modular and performed in memory, with minimal disk activity, using PowerShell, .NET, and shellcode encrypted using Donut.</li>
  543. <li>The new Trojan uses AI in the code-writing process, especially in certificate decryption and general code development.</li>
544. <li>In the first 10 days of October, our solutions blocked 62 thousand infection attempts involving the malicious LNK file in Brazil alone.</li>
  545. </ul>
  546. <h2 id="initial-infection-vector">Initial infection vector</h2>
  547. <p>The infection chain works according to the diagram below:</p>
  548. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01.png" alt="" width="2093" height="731" class="aligncenter size-full wp-image-117756" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01.png 2093w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-300x105.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-1024x358.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-768x268.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-1536x536.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-2048x715.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-1002x350.png 1002w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-740x258.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-802x280.png 802w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-800x279.png 800w" sizes="auto, (max-width: 2093px) 100vw, 2093px" /></a></p>
  549. <p>The infection begins when the victim receives a malicious .LNK file inside a ZIP archive via a WhatsApp message. The filename can be generic, or it can pretend to be from a bank:</p>
  550. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd.jpg" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd.jpg" alt="" width="1009" height="546" class="aligncenter size-full wp-image-117757" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd.jpg 1009w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd-300x162.jpg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd-768x416.jpg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd-647x350.jpg 647w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd-740x400.jpg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd-517x280.jpg 517w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd-800x433.jpg 800w" sizes="auto, (max-width: 1009px) 100vw, 1009px" /></a></p>
  551. <p>The message said, <em>&#8220;Visualization allowed only in computers. In case you&#8217;re using the Chrome browser, choose &#8220;keep file&#8221; because it&#8217;s a zipped file&#8221;.</em></p>
  552. <p>The LNK is encoded to execute cmd.exe with the following arguments:</p>
  553. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117718" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5.png" alt="" width="2048" height="111" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-300x16.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-1024x56.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-768x42.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-1536x83.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-740x40.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-1600x87.png 1600w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-800x43.png 800w" sizes="auto, (max-width: 2048px) 100vw, 2048px" /></a></p>
  554. <p>The decoded commands point to the execution of a PowerShell script:</p>
  555. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117720" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1.png" alt="" width="1633" height="39" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1.png 1633w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-300x7.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-1024x24.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-768x18.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-1536x37.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-740x18.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-1600x38.png 1600w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-800x19.png 800w" sizes="auto, (max-width: 1633px) 100vw, 1633px" /></a></p>
556. <p>The command contacts the C2 to download another PowerShell script. Note that the C2 also validates the &#8220;User-Agent&#8221; of the HTTP request to ensure it comes from the PowerShell command; without the expected &#8220;User-Agent&#8221;, the C2 answers with HTTP 401.</p>
  557. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd.png" alt="" width="1615" height="883" class="aligncenter size-full wp-image-117758" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd.png 1615w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-300x164.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-1024x560.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-768x420.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-1536x840.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-640x350.png 640w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-740x405.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-512x280.png 512w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-800x437.png 800w" sizes="auto, (max-width: 1615px) 100vw, 1615px" /></a></p>
  558. <p>The entry script is used to decode an embedded .NET file, and all of this occurs only in memory. The .NET file is decoded by dividing each byte by a specific value; in the script above, the value is &#8220;174&#8221;. The PE file is decoded and is then loaded as a .NET assembly within the PowerShell process, making the entire infection fileless, that is, without files on disk.<br />
  559. <a name="loader"></a></p>
  560. <h3 id="initial-net-loader">Initial .NET loader</h3>
  561. <p>The initial .NET loader is heavily obfuscated using Control Flow Flattening and indirect function calls, storing them in a large vector of functions and calling them from there. In addition to obfuscation, it also uses random method and variable names to hinder analysis. Nevertheless, after our analysis, we were able to reconstruct (to a certain extent) its main flow, which consists of downloading and decrypting two payloads.</p>
  562. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117722" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16.png" alt="" width="2048" height="840" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-300x123.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-1024x420.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-768x315.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-1536x630.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-853x350.png 853w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-740x304.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-683x280.png 683w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-800x328.png 800w" sizes="auto, (max-width: 2048px) 100vw, 2048px" /></a></p>
  563. <p>The obfuscation does not hide the method&#8217;s variable names, which means it is possible to reconstruct the function easily if the same function is reused elsewhere. Most of the functions used in this initial stage are the same ones used in the final stage of the banking Trojan, which is not obfuscated. The sole purpose of this stage is to download two encrypted shellcodes from the C2. To request them, an API exposed by the C2 on the &#8220;/api/v1/&#8221; routes will be used. The requested URL is as follows:</p>
  564. <ul>
  565. <li>hxxps://sorvetenopote.com/api/v1/3d045ada0df942c983635e</li>
  566. </ul>
  567. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117723" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4.png" alt="" width="1788" height="315" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4.png 1788w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-300x53.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-1024x180.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-768x135.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-1536x271.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-740x130.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-1589x280.png 1589w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-800x141.png 800w" sizes="auto, (max-width: 1788px) 100vw, 1788px" /></a></p>
  568. <p>To communicate with its API, it sends the API key in the &#8220;X-Request-Headers&#8221; field of the HTTP request header. The API key used is calculated locally using the following algorithm:</p>
  569. <ul>
  570. <li>&#8220;Base64(HMAC256(Key))&#8221;</li>
  571. </ul>
572. <p>HMAC signs a message under a specific key; here the threat actor uses it to derive the &#8220;API Key&#8221; with the HMAC key &#8220;MaverickZapBot2025SecretKey12345&#8221;. The signed data is &#8220;3d045ada0df942c983635e|1759847631|MaverickBot&#8221;, with segments separated by &#8220;|&#8221;: the first is the requested resource (the first encrypted shellcode), the second is the infection timestamp, and the last, &#8220;MaverickBot&#8221;, suggests the C2 protocol is meant to be reused in future campaigns with other variants of this threat. The header keeps generic tools such as &#8220;wget&#8221; or HTTP downloaders from fetching this stage; only a client that knows the key and the message format, that is, the malware itself or an analyst who has recovered them, can.</p>
   573. <p>The response is an encrypted Donut shellcode that acts as a loader. From this point, the initial loader follows two different execution paths: another loader for its WhatsApp infector, and the final payload, which we call &#8220;MaverickBanker&#8221;. Each Donut shellcode embeds a .NET executable. The shellcode is encrypted with an XOR implementation whose key is stored in the last bytes of the binary returned by the C2. The algorithm to decrypt the shellcode is as follows:</p>
  574. <ul>
  575. <li>Extract the last 4 bytes (int32) from the binary file; this indicates the size of the encryption key.</li>
  576. <li>Walk backwards until you reach the beginning of the encryption key (file size &#8211; 4 &#8211; key_size).</li>
  577. <li>Get the XOR key.</li>
  578. <li>Apply the XOR to the entire file using the obtained key.</li>
  579. </ul>
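<p>The four steps above as a stand-alone decoder for analysts, added here as an example; this is not code from the write-up or from the malware itself. It assumes the trailing size field is a little-endian int32 (what .NET's BitConverter produces on x86) and applies the XOR only to the bytes preceding the key, since XORing the key region with itself would only yield zeros. The function names and the sample blob are constructed for this example.</p>

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Layout described in the write-up: [XOR-encrypted body][key bytes][key_size int32].
// Little-endian int32 is an assumption (.NET BitConverter on x86).

// SplitXorBlob separates a C2 response into its encrypted body and the trailing key.
// It rejects implausible size fields before any key bytes are read.
func SplitXorBlob(blob []byte) (body, key []byte, err error) {
	if len(blob) < 4 {
		return nil, nil, errors.New("blob too short for size trailer")
	}
	keySize := int32(binary.LittleEndian.Uint32(blob[len(blob)-4:]))
	if keySize <= 0 || int(keySize) > len(blob)-4 {
		return nil, nil, fmt.Errorf("implausible key size %d for %d-byte blob", keySize, len(blob))
	}
	keyStart := len(blob) - 4 - int(keySize) // "file size - 4 - key_size"
	return blob[:keyStart], blob[keyStart : len(blob)-4], nil
}

// XorWithKey applies a repeating-key XOR; the operation is its own inverse.
func XorWithKey(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// DecodeXorBlob recovers the plaintext (the Donut shellcode) from a blob.
func DecodeXorBlob(blob []byte) ([]byte, error) {
	body, key, err := SplitXorBlob(blob)
	if err != nil {
		return nil, err
	}
	return XorWithKey(body, key), nil
}

// BuildXorBlob constructs a blob in the same layout so the decoder can be exercised offline.
func BuildXorBlob(plain, key []byte) []byte {
	blob := XorWithKey(plain, key)
	blob = append(blob, key...)
	var trailer [4]byte
	binary.LittleEndian.PutUint32(trailer[:], uint32(len(key)))
	return append(blob, trailer[:]...)
}

func main() {
	// Constructed sample: not a real payload.
	plain := []byte("MZ\x90\x00constructed-sample-shellcode")
	key := []byte{0x5a, 0x13, 0xc7, 0x8e, 0x21}
	blob := BuildXorBlob(plain, key)
	got, err := DecodeXorBlob(blob)
	fmt.Printf("err=%v roundtrip_ok=%v\n", err, string(got) == string(plain))
}
```

<p>Running it builds a constructed blob in the same layout, decodes it and reports whether the round trip matched; a blob whose trailer claims a key larger than the blob is rejected instead of producing garbage.</p>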
  580. <h2 id="whatsapp-infector-downloader">WhatsApp infector downloader</h2>
  581. <p>After the second Donut shellcode is decrypted and started, it will load another downloader using the same obfuscation method as the previous one. It behaves similarly, but this time it will download a PE file instead of a Donut shellcode. This PE file is another .NET assembly that will be loaded into the process as a module.</p>
  582. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117724" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9.png" alt="" width="2045" height="818" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9.png 2045w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-300x120.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-1024x410.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-768x307.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-1536x614.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-875x350.png 875w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-740x296.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-700x280.png 700w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-800x320.png 800w" sizes="auto, (max-width: 2045px) 100vw, 2045px" /></a></p>
  583. <p>One of the namespaces used by this .NET executable is named &#8220;Maverick.StageOne,&#8221; which is considered by the attacker to be the first one to be loaded. This download stage is used exclusively to download the WhatsApp infector in the same way as the previous stage. The main difference is that this time, it is not an encrypted Donut shellcode, but another .NET executable—the WhatsApp infector—which will be used to hijack the victim&#8217;s account and use it to spam their contacts in order to spread itself.</p>
  584. <p>This module, which is also obfuscated, is the WhatsApp infector and represents the final payload in the infection chain. It includes a script from <a href="https://github.com/wppconnect-team/wppconnect" target="_blank" rel="noopener">WPPConnect</a>, an open-source WhatsApp automation project, as well as the Selenium browser executable, used for web automation.</p>
  585. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117725" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8.png" alt="" width="1841" height="745" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8.png 1841w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-300x121.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-1024x414.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-768x311.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-1536x622.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-990x400.png 990w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-865x350.png 865w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-740x299.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-692x280.png 692w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-800x324.png 800w" sizes="auto, (max-width: 1841px) 100vw, 1841px" /></a></p>
  586. <p>The executable&#8217;s namespace name is &#8220;ZAP&#8221;, a very common word in Brazil to refer to WhatsApp. These files use almost the same obfuscation techniques as the previous examples, but the method&#8217;s variable names remain in the source code. The main behavior of this stage is to locate the WhatsApp window in the browser and use WPPConnect to instrument it, causing the infected victim to send messages to their contacts and thus spread again. The file sent depends on the &#8220;MaverickBot&#8221; executable, which will be discussed in the next section.</p>
  587. <h2 id="maverick-the-banking-trojan">Maverick, the banking Trojan</h2>
  588. <p>The Maverick Banker comes from a different execution branch than the WhatsApp infector; it is the result of the second Donut shellcode. There are no additional download steps to execute it. This is the main payload of this campaign and is embedded within another encrypted executable named &#8220;Maverick Agent,&#8221; which performs extended activities on the machine, such as contacting the C2 and keylogging. It is described in the next section.</p>
  589. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117726" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10.png" alt="" width="1443" height="1124" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10.png 1443w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-300x234.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-1024x798.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-768x598.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-449x350.png 449w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-740x576.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-359x280.png 359w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-800x623.png 800w" sizes="auto, (max-width: 1443px) 100vw, 1443px" /></a></p>
   590. <p>Upon initial loading, Maverick Banker attempts to register persistence via the startup folder. It determines whether persistence already exists by looking for a .bat file in the &#8220;Startup&#8221; directory; it not only checks that the file exists but also pattern-matches its contents for the string &#8220;for %%&#8221;, which is part of the initial loading process. If no such file exists, it generates a new &#8220;GUID&#8221; and removes its first 6 characters. The persistence batch script is then stored as:</p>
  591. <ul>
  592. <li>&#8220;C:\Users\&lt;user&gt;\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\&#8221; + &#8220;HealthApp-&#8221; + GUID + &#8220;.bat&#8221;.</li>
  593. </ul>
  594. <p>Next, it will generate the bat command using the hardcoded URL, which in this case is:</p>
  595. <ul>
  596. <li>&#8220;hxxps://sorvetenopote.com&#8221; + &#8220;/api/itbi/startup/&#8221; + NEW_GUID.</li>
  597. </ul>
  598. <p>In the command generation function, it is possible to see the creation of an entirely new obfuscated PowerShell script.</p>
  599. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd.png" alt="" width="1719" height="631" class="aligncenter size-full wp-image-117759" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd.png 1719w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-300x110.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-1024x376.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-768x282.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-1536x564.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-953x350.png 953w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-740x272.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-763x280.png 763w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-800x294.png 800w" sizes="auto, (max-width: 1719px) 100vw, 1719px" /></a></p>
   600. <p>First, it creates a variable named &#8220;$URL&#8221; and assigns it the content passed as a parameter, creates a &#8220;Net.WebClient&#8221; object, and calls &#8220;DownloadString.Invoke($URL)&#8221;. Immediately after creating these small commands, it encodes them in base64. Overall, the script is fully obfuscated by functions that automatically and randomly generate PowerShell blocks. The persistence script thus recreates the behavior of the initial LNK file used to start the infection.</p>
   601. <p>This persistence mechanism seems a bit strange at first glance, as it always depends on the C2 being online. However, it is in fact clever: the malware would not work without the C2 anyway, so saving only the bootstrap .bat file ensures that the rest of the infection stays in memory only. Once persistence is in place, the malware starts its true function, which is mainly to monitor browsers and check whether they open banking pages.</p>
   602. <p>The malware inspects the browsers running on the machine to determine which web page the victim is visiting. It takes the current foreground window (the window in focus) and its PID, and uses the PID to obtain the process name. Monitoring only continues if the victim is using one of the following browsers:</p>
<ul>
<li>Chrome</li>
<li>Firefox</li>
<li>MS Edge</li>
<li>Brave</li>
<li>Internet Explorer</li>
<li>Specific bank web browser</li>
</ul>
  609. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3.png" alt="" width="1814" height="636" class="aligncenter size-full wp-image-117760" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3.png 1814w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-300x105.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-1024x359.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-768x269.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-1536x539.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-998x350.png 998w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-740x259.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-799x280.png 799w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-800x280.png 800w" sizes="auto, (max-width: 1814px) 100vw, 1814px" /></a></p>
  610. <p>If any browser from the list above is running, the malware will use UI Automation to extract the title of the currently open tab and use this information with a predefined list of target online banking sites to determine whether to perform any action on them. The list of target banks is compressed with gzip, encrypted using AES-256, and stored as a base64 string. The AES initialization vector (IV) is stored in the first 16 bytes of the decoded base64 data, and the key is stored in the next 32 bytes. The actual encrypted data begins at offset 48.</p>
  611. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd.png" alt="" width="1689" height="1528" class="aligncenter size-full wp-image-117761" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd.png 1689w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-300x271.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-1024x926.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-768x695.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-1536x1390.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-387x350.png 387w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-740x669.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-310x280.png 310w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-800x724.png 800w" sizes="auto, (max-width: 1689px) 100vw, 1689px" /></a></p>
  612. <p>This encryption mechanism is the same one used by <a href="https://securelist.com/coyote-multi-stage-banking-trojan/111846/" target="_blank" rel="noopener">Coyote</a>, a banking Trojan also written in .NET and documented by us in early 2024.</p>
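<p>An analyst-side decoder for the encrypted bank list, added here as an example rather than code from the write-up or from Maverick or Coyote. The IV/key/offset-48 layout and the gzip step come from the text above; CBC mode with PKCS#7 padding is an assumption (the defaults of the .NET Aes class, since the text states only &#8220;AES-256&#8221;), and the function names and sample hostnames are constructed for this example.</p>

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Blob layout from the write-up: base64( IV[16] || key[32] || AES-256 ciphertext ),
// with gzip-compressed plaintext. CBC + PKCS#7 is an assumption (the .NET Aes default).

// pkcs7Unpad strips PKCS#7 padding and rejects malformed padding.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("invalid padding length")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// DecodeBankList reverses base64 -> AES-256-CBC -> gzip, taking IV and key from
// the blob itself at the offsets the write-up describes.
func DecodeBankList(b64 string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if len(raw) < 48+aes.BlockSize {
		return nil, errors.New("blob too short for IV, key and one ciphertext block")
	}
	iv, key, ct := raw[:16], raw[16:48], raw[48:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a multiple of the block size")
	}
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	padded := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ct)
	gz, err := pkcs7Unpad(padded)
	if err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(gz))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// EncodeBankList builds a blob in the same layout so the decoder can be exercised offline.
func EncodeBankList(plain, iv, key []byte) (string, error) {
	var gzBuf bytes.Buffer
	zw := gzip.NewWriter(&gzBuf)
	if _, err := zw.Write(plain); err != nil {
		return "", err
	}
	if err := zw.Close(); err != nil {
		return "", err
	}
	gz := gzBuf.Bytes()
	pad := aes.BlockSize - len(gz)%aes.BlockSize
	gz = append(gz, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	ct := make([]byte, len(gz))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, gz)
	raw := append(append(append([]byte{}, iv...), key...), ct...)
	return base64.StdEncoding.EncodeToString(raw), nil
}

func main() {
	// Constructed sample: placeholder hostnames, not the malware's real target list.
	plain := []byte("bank-one.example\nbank-two.example\n")
	iv := bytes.Repeat([]byte{0x11}, 16)
	key := bytes.Repeat([]byte{0x22}, 32)
	b64, err := EncodeBankList(plain, iv, key)
	if err != nil {
		panic(err)
	}
	out, err := DecodeBankList(b64)
	fmt.Printf("err=%v\n%s", err, out)
}
```

<p>Because the key travels inside the blob, the encryption adds no secrecy against anyone holding the binary; its purpose is only to keep the target list out of plain string dumps, which is why a short decoder like this recovers it.</p>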
  613. <p>If any of these banks are found, the program will decrypt another PE file using the same algorithm described in the <a href="#loader">.NET Loader</a> section of this report and will load it as an assembly, calling its entry point with the name of the open bank as an argument. This new PE is called &#8220;Maverick.Agent&#8221; and contains most of the banking logic for contacting the C2 and extracting data with it.</p>
  614. <h3 id="maverick-agent">Maverick Agent</h3>
  615. <p>The agent is the binary that will do most of the banker&#8217;s work; it will first check if it is running on a machine located in Brazil. To do this, it will check the following constraints:</p>
  616. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213458/maverick-banker-distributing3.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117732" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213458/maverick-banker-distributing3.png" alt="" width="693" height="406" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213458/maverick-banker-distributing3.png 693w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213458/maverick-banker-distributing3-300x176.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213458/maverick-banker-distributing3-597x350.png 597w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213458/maverick-banker-distributing3-478x280.png 478w" sizes="auto, (max-width: 693px) 100vw, 693px" /></a></p>
  617. <p>What each of them does is:</p>
  618. <ul>
  619. <li><strong>IsValidBrazilianTimezone()</strong><br />
  620. Checks if the current time zone is within the Brazilian time zone range. Brazil has time zones between UTC-5 (-300 min) and UTC-2 (-120 min). If the current time zone is within this range, it returns &#8220;true&#8221;.</li>
  621. <li><strong>IsBrazilianLocale()</strong><br />
  622. Checks if the current thread&#8217;s language or locale is set to Brazilian Portuguese. For example, &#8220;pt-BR&#8221;, &#8220;pt_br&#8221;, or any string containing &#8220;portuguese&#8221; and &#8220;brazil&#8221;. Returns &#8220;true&#8221; if the condition is met.</li>
  623. <li><strong>IsBrazilianRegion()</strong><br />
  624. Checks if the system&#8217;s configured region is Brazil. It compares region codes like &#8220;BR&#8221;, &#8220;BRA&#8221;, or checks if the region name contains &#8220;brazil&#8221;. Returns &#8220;true&#8221; if the region is set to Brazil.</li>
  625. <li><strong>IsBrazilianDateFormat()</strong><br />
  626. Checks if the short date format follows the Brazilian standard. The Brazilian format is dd/MM/yyyy. The function checks if the pattern starts with &#8220;dd/&#8221; and contains &#8220;/MM/&#8221; or &#8220;dd/MM&#8221;.</li>
  627. </ul>
  628. <p>Right after the check, it will enable appropriate DPI support for the operating system and monitor type, ensuring that images are sharp, fit the correct scale (screen zoom), and work well on multiple monitors with different resolutions. Then, it will check for any running persistence, previously created in &#8220;C:\Users\&lt;user&gt;\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\&#8221;. If more than one file is found, it will delete the others based on &#8220;GetCreationTime&#8221; and keep only the most recently created one.</p>
  629. <h2 id="c2-communication">C2 communication</h2>
   630. <p>Communication uses the WatsonTCP library over SSL. It uses a local, encrypted X509 certificate to protect the communication, which is another similarity to the Coyote malware. The connection is made to the host &#8220;casadecampoamazonas.com&#8221; on port 443. The certificate is stored in encrypted, exported form, and the password used to decrypt it is &#8220;Maverick2025!&#8221;. After the certificate is decrypted, the client connects to the server.</p>
  631. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117733" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15.png" alt="" width="2048" height="527" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-300x77.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-1024x264.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-768x198.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-1536x395.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-1360x350.png 1360w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-740x190.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-1088x280.png 1088w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-800x206.png 800w" sizes="auto, (max-width: 2048px) 100vw, 2048px" /></a></p>
  632. <p>For the C2 to work, a specific password must be sent during the first contact. The password used by the agent is &#8220;101593a51d9c40fc8ec162d67504e221&#8221;. Using this password during the first connection will successfully authenticate the agent with the C2, and it will be ready to receive commands from the operator. The important commands are:</p>
  633. <table>
  634. <tbody>
  635. <tr>
  636. <td><strong>Command</strong></td>
  637. <td><strong>Description</strong></td>
  638. </tr>
  639. <tr>
  640. <td>INFOCLIENT</td>
  641. <td>Returns the information of the agent, which is used to identify it on the C2. The information used is described in the next section.</td>
  642. </tr>
  643. <tr>
  644. <td>RECONNECT</td>
  645. <td>Disconnect, sleep for a few seconds, and reconnect again to the C2.</td>
  646. </tr>
  647. <tr>
  648. <td>REBOOT</td>
  649. <td>Reboot the machine</td>
  650. </tr>
  651. <tr>
  652. <td>KILLAPPLICATION</td>
  653. <td>Exit the malware process</td>
  654. </tr>
  655. <tr>
  656. <td>SCREENSHOT</td>
  657. <td>Take a screenshot and send it to C2, compressed with gzip</td>
  658. </tr>
  659. <tr>
  660. <td>KEYLOGGER</td>
  661. <td>Enable the keylogger, capture all locally, and send only when the server specifically requests the logs</td>
  662. </tr>
  663. <tr>
  664. <td>MOUSECLICK</td>
  665. <td>Do a mouse click, used for the remote connection</td>
  666. </tr>
  667. <tr>
  668. <td>KEYBOARDONECHAR</td>
  669. <td>Press one char, used for the remote connection</td>
  670. </tr>
  671. <tr>
  672. <td>KEYBOARDMULTIPLESCHARS</td>
   673. <td>Send multiple characters, used for the remote connection</td>
  674. </tr>
  675. <tr>
  676. <td>TOOGLEDESKTOP</td>
  677. <td>Enable remote connection and send multiple screenshots to the machine when they change (it computes a hash of each screenshot to ensure it is not the same image)</td>
  678. </tr>
  679. <tr>
  680. <td>TOOGLEINTERN</td>
  681. <td>Get a screenshot of a specific window</td>
  682. </tr>
  683. <tr>
  684. <td>GENERATEWINDOWLOCKED</td>
  685. <td>Lock the screen using one of the banks&#8217; home pages.</td>
  686. </tr>
  687. <tr>
  688. <td>LISTALLHANDLESOPENEDS</td>
  689. <td>Send all open handles to the server</td>
  690. </tr>
  691. <tr>
  692. <td>KILLPROCESS</td>
   693. <td>Kill a process using its handle</td>
  694. </tr>
  695. <tr>
  696. <td>CLOSEHANDLE</td>
  697. <td>Close a handle</td>
  698. </tr>
  699. <tr>
  700. <td>MINIMIZEHANDLE</td>
  701. <td>Minimize a window using its handle</td>
  702. </tr>
  703. <tr>
  704. <td>MAXIMIZEHANDLE</td>
  705. <td>Maximize a window using its handle</td>
  706. </tr>
  707. <tr>
  708. <td>GENERATEWINDOWREQUEST</td>
  709. <td>Generate a phishing window asking for the victim&#8217;s credentials used by banks</td>
  710. </tr>
  711. <tr>
  712. <td>CANCELSCREENREQUEST</td>
  713. <td>Disable the phishing window</td>
  714. </tr>
  715. </tbody>
  716. </table>
  717. <p><strong>Agent profile info</strong></p>
  718. <p>In the &#8220;INFOCLIENT&#8221; command, the information sent to the C2 is as follows:</p>
  719. <ul>
  720. <li><strong>Agent ID:</strong> A SHA256 hash of all primary MAC addresses used by all interfaces</li>
  721. <li>Username</li>
  722. <li>Hostname</li>
  723. <li>Operating system version</li>
  724. <li>Client version (no value)</li>
  725. <li>Number of monitors</li>
   726. <li>Home page (home): indicates which bank&#8217;s home screen should be used; this value is supplied by the banking-application monitoring routine before the Agent is decrypted.</li>
  727. <li>Screen resolution</li>
  728. </ul>
  729. <h2 id="conclusion">Conclusion</h2>
  730. <p>According to our telemetry, all victims were in Brazil, but the Trojan has the potential to spread to other countries, as an infected victim can send it to another location. Even so, the malware is designed to target only Brazilians at the moment.<br />
  731. It is evident that this threat is very sophisticated and complex; the entire execution chain is relatively new, but the final payload has many code overlaps and similarities with the Coyote banking Trojan, which we documented in 2024. However, some of the techniques are not exclusive to Coyote and have been observed in other low-profile banking Trojans written in .NET. The agent&#8217;s structure is also different from how Coyote operated; it did not use this architecture before.<br />
  732. It is very likely that Maverick is a new banking Trojan using shared code from Coyote, which may indicate that the developers of Coyote have completely refactored and rewritten a large part of their components.<br />
  733. This is one of the most complex infection chains we have ever detected, designed to load a banking Trojan. It has infected many people in Brazil, and its worm-like nature allows it to spread exponentially by exploiting a very popular instant messenger. The impact is enormous. Furthermore, it demonstrates the use of AI in the code-writing process, specifically in certificate decryption, which may also indicate the involvement of AI in the overall code development. Maverick works like any other banking Trojan, but the worrying aspects are its delivery method and its significant impact.<br />
  734. We have detected the entire infection chain since day one, preventing victim infection from the initial LNK file. Kaspersky products detect this threat with the verdict <strong>HEUR:Trojan.Multi.Powenot.a</strong> and <strong>HEUR:Trojan-Banker.MSIL.Maverick.gen.</strong></p>
  735. <h2 id="iocs">IoCs</h2>
  736. <table>
  737. <tbody>
  738. <tr>
   739. <td>Domain</td>
  740. <td>IP</td>
  741. <td>ASN</td>
  742. </tr>
  743. <tr>
  744. <td><a href="https://opentip.kaspersky.com/casadecampoamazonas.com/?icid=gl_sl_opentip_sm-team_9d1b9de83ae3bad6&#038;utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener"><strong>casadecampoamazonas[.]com</strong></a></td>
  745. <td>181.41.201.184</td>
  746. <td>212238</td>
  747. </tr>
  748. <tr>
  749. <td><a href="https://opentip.kaspersky.com/sorvetenopote.com/?icid=gl_sl_opentip_sm-team_153c14d9b642446a&#038;utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener"><strong>sorvetenopote[.]com</strong></a></td>
  750. <td>77.111.101.169</td>
  751. <td>396356</td>
  752. </tr>
  753. </tbody>
  754. </table>
  755. ]]></content:encoded>
  756. <wfw:commentRss>https://securelist.com/maverick-banker-distributing-via-whatsapp/117715/feed/</wfw:commentRss>
  757. <slash:comments>0</slash:comments>
  758. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15073641/SL-Maverick-Brazilian-banker-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
  759. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15073641/SL-Maverick-Brazilian-banker-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
  760. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15073641/SL-Maverick-Brazilian-banker-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
  761. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15073641/SL-Maverick-Brazilian-banker-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  762. </item>
  763. <item>
  764. <title>Mysterious Elephant: a growing threat</title>
  765. <link>https://securelist.com/mysterious-elephant-apt-ttps-and-tools/117596/</link>
  766. <comments>https://securelist.com/mysterious-elephant-apt-ttps-and-tools/117596/#respond</comments>
  767. <dc:creator><![CDATA[Noushin Shabab, Ye Jin]]></dc:creator>
  768. <pubDate>Wed, 15 Oct 2025 10:00:11 +0000</pubDate>
  769. <category><![CDATA[APT reports]]></category>
  770. <category><![CDATA[GReAT research]]></category>
  771. <category><![CDATA[Malware Technologies]]></category>
  772. <category><![CDATA[Targeted attacks]]></category>
  773. <category><![CDATA[Google Chrome]]></category>
  774. <category><![CDATA[Malware Descriptions]]></category>
  775. <category><![CDATA[Spear phishing]]></category>
  776. <category><![CDATA[Malware]]></category>
  777. <category><![CDATA[APT]]></category>
  778. <category><![CDATA[RAT Trojan]]></category>
  779. <category><![CDATA[Backdoor]]></category>
  780. <category><![CDATA[WhatsApp]]></category>
  781. <category><![CDATA[Data theft]]></category>
  782. <category><![CDATA[Defense evasion]]></category>
  783. <category><![CDATA[TTPs]]></category>
  784. <category><![CDATA[APAC]]></category>
  785. <category><![CDATA[RC4]]></category>
  786. <category><![CDATA[APT (Targeted attacks)]]></category>
  787. <category><![CDATA[Windows malware]]></category>
  788. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117596</guid>
  789.  
  790. <description><![CDATA[Kaspersky GReAT experts describe the latest Mysterious Elephant APT activity. The threat actor exfiltrates data related to WhatsApp and employs tools such as BabShell and MemLoader HidenDesk.]]></description>
  791. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30145442/mysterious-elephant-featured-image-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
  792. <p>Mysterious Elephant is a highly active advanced persistent threat (APT) group that we at Kaspersky GReAT discovered in 2023. It has been consistently evolving and adapting its tactics, techniques, and procedures (TTPs) to stay under the radar. With a primary focus on targeting government entities and foreign affairs sectors in the Asia-Pacific region, the group has been using a range of sophisticated tools and techniques to infiltrate and exfiltrate sensitive information. Notably, Mysterious Elephant has been exploiting WhatsApp communications to steal sensitive data, including documents, pictures, and archive files.</p>
  793. <p>The group&#8217;s latest campaign, which began in early 2025, reveals a significant shift in their TTPs, with an increased emphasis on using new custom-made tools as well as customized open-source tools, such as BabShell and MemLoader modules, to achieve their objectives. In this report, we will delve into the history of Mysterious Elephant&#8217;s attacks, their latest tactics and techniques, and provide a comprehensive understanding of this threat.</p>
  794. <h2 id="the-emergence-of-mysterious-elephant">The emergence of Mysterious Elephant</h2>
  795. <p>Mysterious Elephant is a threat actor <a href="https://securelist.com/apt-trends-report-q2-2023/110231/#mysterious-elephant" target="_blank" rel="noopener">we&#8217;ve been tracking since 2023</a>. Initially, its intrusions resembled those of the Confucius threat actor. However, further analysis revealed a more complex picture. We found that Mysterious Elephant&#8217;s malware contained code from multiple APT groups, including Origami Elephant, Confucius, and SideWinder, which suggested deep collaboration and resource sharing between teams. Notably, our research indicates that the tools and code borrowed from the aforementioned APT groups were previously used by their original developers, but have since been abandoned or replaced by newer versions. However, Mysterious Elephant has not only adopted these tools, but also continued to maintain, develop, and improve them, incorporating the code into their own operations and creating new, advanced versions. The actor&#8217;s early attack chains featured distinctive elements, such as remote template injections and exploitation of <a href="https://www.cve.org/CVERecord?id=CVE-2017-11882" target="_blank" rel="noopener">CVE-2017-11882</a>, followed by the use of a downloader called &#8220;Vtyrei&#8221;, which was previously connected to Origami Elephant and later abandoned by this group. Over time, Mysterious Elephant has continued to upgrade its tools and expand its operations, eventually earning its designation as a previously unidentified threat actor.</p>
  796. <h2 id="latest-campaign">Latest campaign</h2>
  797. <p>The group&#8217;s latest campaign, which was discovered in early 2025, reveals a significant shift in their TTPs. They are now using a combination of exploit kits, phishing emails, and malicious documents to gain initial access to their targets. Once inside, they deploy a range of custom-made and open-source tools to achieve their objectives. In the following sections, we&#8217;ll delve into the latest tactics and techniques used by Mysterious Elephant, including their new tools, infrastructure, and victimology.</p>
  798. <h3 id="spear-phishing">Spear phishing</h3>
  799. <p>Mysterious Elephant has started using spear phishing techniques to gain initial access. Phishing emails are tailored to each victim and are convincingly designed to mimic legitimate correspondence. The primary targets of this APT group are countries in the South Asia region, particularly Pakistan. Notably, the group shows a strong interest in diplomatic institutions, which is reflected in the themes of its spear phishing emails and decoy attachments.</p>
  800. <div id="attachment_117597" style="width: 690px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101320/mysterious-elephant1.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117597" class="size-full wp-image-117597" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101320/mysterious-elephant1.png" alt="Spear phishing email used by Mysterious Elephant" width="680" height="617" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101320/mysterious-elephant1.png 680w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101320/mysterious-elephant1-300x272.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101320/mysterious-elephant1-386x350.png 386w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101320/mysterious-elephant1-309x280.png 309w" sizes="auto, (max-width: 680px) 100vw, 680px" /></a><p id="caption-attachment-117597" class="wp-caption-text">Spear phishing email used by Mysterious Elephant</p></div>
  801. <p>For example, the decoy document above concerns Pakistan&#8217;s application for a non-permanent seat on the United Nations Security Council for the 2025–2026 term.</p>
  802. <h3 id="malicious-tools">Malicious tools</h3>
  803. <p>Mysterious Elephant&#8217;s toolkit is a noteworthy aspect of their operations. The group has switched to using a variety of custom-made and open-source tools instead of employing known malware to achieve their objectives.</p>
  804. <h4 id="powershell-scripts">PowerShell scripts</h4>
  805. <p>The threat actor uses PowerShell scripts to execute commands, deploy additional payloads, and establish persistence. These scripts are loaded from C2 servers and often use legitimate system administration tools, such as curl and certutil, to download and execute malicious files.</p>
  806. <div id="attachment_117598" style="width: 696px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101409/mysterious-elephant2.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117598" class="size-full wp-image-117598" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101409/mysterious-elephant2.png" alt="Malicious PowerShell script seen in Mysterious Elephant's 2025 attacks" width="686" height="138" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101409/mysterious-elephant2.png 686w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101409/mysterious-elephant2-300x60.png 300w" sizes="auto, (max-width: 686px) 100vw, 686px" /></a><p id="caption-attachment-117598" class="wp-caption-text">Malicious PowerShell script seen in Mysterious Elephant&#8217;s 2025 attacks</p></div>
  807. <p>For example, the script above is used to download the next-stage payload and save it as <code>ping.exe</code>. It then schedules a task to execute the payload and send the results back to the C2 server. The task is set to run automatically in response to changes in the network profile, ensuring persistence on the compromised system. Specifically, it is triggered by network profile-related events (Microsoft-Windows-NetworkProfile/Operational), which can indicate a new network connection. A four-hour delay is configured after the event, likely to help evade detection.</p>
  808. <h4 id="babshell">BabShell</h4>
  809. <p>One of the most recent tools used by Mysterious Elephant is BabShell. This is a reverse shell tool written in C++ that enables attackers to connect to a compromised system. Upon execution, it gathers system information, including username, computer name, and MAC address, to identify the machine. The malware then enters an infinite loop of performing the following steps:</p>
  810. <ol>
  811. <li>It listens for and receives commands from the attacker-controlled C2 server.</li>
  812. <li>For each received command, BabShell creates a separate thread to execute it, allowing for concurrent execution of multiple commands.</li>
  813. <li>The output of each command is captured and saved to a file named <code>output_[timestamp].txt</code>, where [timestamp] is the current time. This allows the attacker to review the results of the commands.</li>
  814. <li>The contents of the <code>output_[timestamp].txt</code> file are then transmitted back to the C2 server, providing the attacker with the outcome of the executed commands and enabling them to take further actions, for instance, deploy a next-stage payload or execute additional malicious instructions.</li>
  815. </ol>
  816. <p>BabShell uses the following commands to execute command-line instructions and additional payloads it receives from the server:</p>
  817. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117599" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3.png" alt="" width="808" height="76" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3.png 808w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3-300x28.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3-768x72.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3-800x75.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3-740x70.png 740w" sizes="auto, (max-width: 808px) 100vw, 808px" /></a></p>
  818. <h4 id="customized-open-source-tools">Customized open-source tools</h4>
  819. <p>One of the latest modules used by Mysterious Elephant and loaded by BabShell is MemLoader HidenDesk.</p>
  820. <p>MemLoader HidenDesk is a reflective PE loader that loads and executes malicious payloads in memory. It uses encryption and compression to evade detection.</p>
  821. <p>MemLoader HidenDesk operates in the following manner:</p>
  822. <ol>
  823. <li>The malware checks the number of active processes and terminates itself if there are fewer than 40 processes running — a technique used to evade sandbox analysis.</li>
  824. <li>It creates a shortcut to its executable and saves it in the autostart folder, ensuring it can restart itself after a system reboot.</li>
  825. <li>The malware then creates a hidden desktop named &#8220;MalwareTech_Hidden&#8221; and switches to it, providing a covert environment for its activities. This technique is borrowed from an open-source project on GitHub.</li>
  826. <li>Using an RC4-like algorithm with the key <code>D12Q4GXl1SmaZv3hKEzdAhvdBkpWpwcmSpcD</code>, the malware decrypts a block of data from its own binary and executes it in memory as shellcode. The shellcode&#8217;s sole purpose is to load and execute a PE file, specifically a sample of the commercial RAT called &#8220;Remcos&#8221; (MD5: 037b2f6233ccc82f0c75bf56c47742bb).</li>
  827. </ol>
  828. <p>Another recent loader malware used in the latest campaign is MemLoader Edge.</p>
  829. <p>MemLoader Edge is a malicious loader that embeds a sample of the VRat backdoor, utilizing encryption and evasion techniques.</p>
  830. <p>It operates in the following manner:</p>
  831. <ol>
  832. <li>The malware performs a network connectivity test by attempting to connect to the legitimate website <code>bing.com:445</code>, which is likely to fail because port 445 is not open on the server side. If the connection succeeds, which suggests that the loader is running in an emulation or sandbox environment, the malware drops an embedded picture on the machine, displays a popup window with three unresponsive mock buttons, and then enters an infinite loop. This is done to complicate detection and analysis.</li>
  833. <li>If the connection attempt fails, the malware iterates through a 1016-byte array to find the correct XOR keys for decrypting the embedded PE file in two rounds. The process continues until the decrypted data matches the byte sequence of <code>MZ\x90</code>, indicating that the real XOR keys are found within the array.</li>
  834. <li>If the malware is unable to find the correct XOR keys, it will display the same picture and popup window as before, followed by a message box containing an error message after the window is closed.</li>
  835. <li>Once the PE file is successfully decrypted, it is loaded into memory using reflective loading techniques. The decrypted PE file is based on the open-source RAT vxRat, which is referred to as VRat due to the PDB string found in the sample:<br />
  836. <pre class="urvanov-syntax-highlighter-plain-tag">C:\Users\admin\source\repos\vRat_Client\Release\vRat_Client.pdb</pre>
  837. </li>
  838. </ol>
  839. <h4 id="whatsapp-specific-exfiltration-tools">WhatsApp-specific exfiltration tools</h4>
  840. <p>Spying on WhatsApp communications is a key aspect of the exfiltration modules employed by Mysterious Elephant. They are designed to steal sensitive data from compromised systems. The attackers have implemented WhatsApp-specific features into their exfiltration tools, allowing them to target files shared through the WhatsApp application and exfiltrate valuable information, including documents, pictures, archive files, and more. These modules employ various techniques, such as recursive directory traversal, XOR decryption, and Base64 encoding, to evade detection and upload the stolen data to the attackers&#8217; C2 servers.</p>
  841. <ul>
  842. <li><strong>Uplo Exfiltrator</strong></li>
  843. </ul>
  844. <p>The Uplo Exfiltrator is a data exfiltration tool that targets specific file types and uploads them to the attackers&#8217; C2 servers. It uses a simple XOR decryption to deobfuscate C2 domain paths and employs a recursive <a href="https://en.wikipedia.org/wiki/Depth-first_search" target="_blank" rel="noopener">depth-first directory traversal algorithm</a> to identify valuable files. The malware specifically targets file types that are likely to contain potentially sensitive data, including documents, spreadsheets, presentations, archives, certificates, contacts, and images. The targeted file extensions include .TXT, .DOC, .DOCX, .PDF, .XLS, .XLSX, .CSV, .PPT, .PPTX, .ZIP, .RAR, .7Z, .PFX, .VCF, .JPG, .JPEG, and .AXX.</p>
  845. <ul>
  846. <li><strong>Stom Exfiltrator</strong></li>
  847. </ul>
  848. <p>The Stom Exfiltrator is a commonly used exfiltration tool that recursively searches specific directories, including the &#8220;Desktop&#8221; and &#8220;Downloads&#8221; folders, as well as all drives except the C drive, to collect files with predefined extensions. Its latest variant is specifically designed to target files shared through the WhatsApp application. This version uses a hardcoded folder path to locate and exfiltrate such files:</p><pre class="urvanov-syntax-highlighter-plain-tag">%AppData%\\Packages\\xxxxx.WhatsAppDesktop_[WhatsApp ID]\\LocalState\\Shared\\transfers\\</pre>
  849. <p>The targeted file extensions include .PDF, .DOCX, .TXT, .JPG, .PNG, .ZIP, .RAR, .PPTX, .DOC, .XLS, .XLSX, .PST, and .OST.</p>
  850. <ul>
  851. <li><strong>ChromeStealer Exfiltrator</strong></li>
  852. </ul>
  853. <p>The ChromeStealer Exfiltrator is another exfiltration tool used by Mysterious Elephant that targets Google Chrome browser data, including cookies, tokens, and other sensitive information. It searches specific directories within the Chrome user data of the most recently used Google Chrome profile, including the IndexedDB directory and the &#8220;Local Storage&#8221; directory. The malware uploads all files found in these directories to the attacker-controlled C2 server, potentially exposing sensitive data like chat logs, contacts, and authentication tokens. The response from the C2 server suggests that this tool was also used to steal files related to WhatsApp. The ChromeStealer Exfiltrator employs string obfuscation to evade detection.</p>
  854. <h2 id="infrastructure">Infrastructure</h2>
  855. <p>Mysterious Elephant&#8217;s infrastructure is a network of domains and IP addresses. The group has been using a range of techniques, including wildcard DNS records, to generate unique domain names for each request. This makes it challenging for security researchers to track and monitor their activities. The attackers have also been using virtual private servers (VPS) and cloud services to host their infrastructure. This allows them to easily scale and adapt their operations to evade detection. According to our data, this APT group has utilized the services of numerous VPS providers in their operations. Nevertheless, our analysis of the statistics has revealed that Mysterious Elephant appears to have a preference for certain VPS providers.</p>
  857. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>VPS providers most commonly used by Mysterious Elephant (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30102127/mysterious-elephant4.png" target="_blank" rel="noopener">download</a>)</em></p>
  858. <h2 id="victimology">Victimology</h2>
  859. <p>Mysterious Elephant&#8217;s primary targets are government entities and foreign affairs sectors in the Asia-Pacific region. The group has been focusing on Pakistan, Bangladesh, and Sri Lanka, with a lower number of victims in other countries. The attackers have been using highly customized payloads tailored to specific individuals, highlighting their sophistication and focus on targeted attacks.</p>
  860. <p>The group&#8217;s victimology is characterized by a high degree of specificity. Attackers often use personalized phishing emails and malicious documents to gain initial access. Once inside, they employ a range of tools and techniques to escalate privileges, move laterally, and exfiltrate sensitive information.</p>
  861. <ul>
  862. <li>Most targeted countries: Pakistan, Bangladesh, Afghanistan, Nepal and Sri Lanka</li>
  863. </ul>
  865. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Countries targeted most often by Mysterious Elephant (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14095041/02-en-mysterious-elephant-charts.png" target="_blank" rel="noopener">download</a>)</em></p>
  866. <ul>
  867. <li>Primary targets: government entities and foreign affairs sectors</li>
  868. </ul>
  870. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Industries most targeted by Mysterious Elephant (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13125733/03-en-mysterious-elephant-charts.png" target="_blank" rel="noopener">download</a>)</em></p>
  871. <h2 id="conclusion">Conclusion</h2>
  872. <p>Mysterious Elephant is a highly sophisticated and active advanced persistent threat group that poses a significant threat to government entities and foreign affairs sectors in the Asia-Pacific region. Through their continuous evolution and adaptation of tactics, techniques, and procedures, the group has demonstrated the ability to evade detection and infiltrate sensitive systems. The use of custom-made and open-source tools, such as BabShell and MemLoader, highlights their technical expertise and willingness to invest in developing advanced malware.</p>
  873. <p>The group&#8217;s focus on targeting specific organizations, combined with their ability to tailor their attacks to specific victims, underscores the severity of the threat they pose. The exfiltration of sensitive information, including documents, pictures, and archive files, can have significant consequences for national security and global stability.</p>
  874. <p>To counter the Mysterious Elephant threat, it is essential for organizations to implement <a href="https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___knext____b31b3f3de449f764" target="_blank" rel="noopener">robust security measures</a>, including regular software updates, <a href="https://www.kaspersky.com/enterprise-security/anti-targeted-attack-platform?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___kata____86b6b7fe75e32725" target="_blank" rel="noopener">network monitoring</a>, and <a href="https://asap.kaspersky.com/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___kasap____b3c004b7eec21817" target="_blank" rel="noopener">employee training</a>. Additionally, international cooperation and information sharing among cybersecurity professionals, governments, and industries are crucial in tracking and disrupting the group&#8217;s activities.</p>
  875. <p>Ultimately, staying ahead of Mysterious Elephant and other APT groups requires a proactive and collaborative approach to cybersecurity. By understanding their TTPs, sharing threat intelligence, and implementing effective countermeasures, we can reduce the risk of successful attacks and protect sensitive information from falling into the wrong hands.</p>
  876. <h2 id="indicators-of-compromise">Indicators of compromise</h2>
  877. <h3 id="file-hashes">File hashes</h3>
  878. <p><strong>Malicious documents</strong><br />
  879. <a href="https://opentip.kaspersky.com/c12ea05baf94ef6f0ea73470d70db3b2/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______09ab9e63c2fbae18&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">c12ea05baf94ef6f0ea73470d70db3b2</a> M6XA.rar<br />
  880. <a href="https://opentip.kaspersky.com/8650fff81d597e1a3406baf3bb87297f/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______a7b7bdc14f0ecf16&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">8650fff81d597e1a3406baf3bb87297f</a> 2025-013-PAK-MoD-Invitation_the_UN_Peacekeeping.rar</p>
  881. <p><strong>MemLoader HidenDesk</strong><br />
  882. <a href="https://opentip.kaspersky.com/658eed7fcb6794634bbdd7f272fcf9c6/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______c1ee1e8efe731ce5&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">658eed7fcb6794634bbdd7f272fcf9c6</a> STI.dll<br />
  883. <a href="https://opentip.kaspersky.com/4c32e12e73be9979ede3f8fce4f41a3a/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______39679c1e6198215a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">4c32e12e73be9979ede3f8fce4f41a3a</a> STI.dll</p>
  884. <p><strong>MemLoader Edge</strong><br />
  885. <a href="https://opentip.kaspersky.com/3caaf05b2e173663f359f27802f10139/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______517ed2c79ff6857a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">3caaf05b2e173663f359f27802f10139</a> Edge.exe, debugger.exe, runtime.exe<br />
  886. <a href="https://opentip.kaspersky.com/bc0fc851268afdf0f63c97473825ff75/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______4f3755f64aba0268&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">bc0fc851268afdf0f63c97473825ff75</a></p>
  887. <p><strong>BabShell</strong><br />
  888. <a href="https://opentip.kaspersky.com/85c7f209a8fa47285f08b09b3868c2a1/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______5fd77beb36827bdb&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">85c7f209a8fa47285f08b09b3868c2a1</a><br />
  889. <a href="https://opentip.kaspersky.com/f947ff7fb94fa35a532f8a7d99181cf1/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______cff906b0140720d0&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">f947ff7fb94fa35a532f8a7d99181cf1</a></p>
  890. <p><strong>Uplo Exfiltrator</strong><br />
  891. <a href="https://opentip.kaspersky.com/cf1d14e59c38695d87d85af76db9a861/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ffa5f9bd347e41df&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">cf1d14e59c38695d87d85af76db9a861</a> SXSHARED.dll</p>
  892. <p><strong>Stom Exfiltrator</strong><br />
  893. <a href="https://opentip.kaspersky.com/ff1417e8e208cadd55bf066f28821d94/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______4bbcc5b773fb873b&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">ff1417e8e208cadd55bf066f28821d94</a><br />
  894. <a href="https://opentip.kaspersky.com/7ee45b465dcc1ac281378c973ae4c6a0/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______64062702f8c05486&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">7ee45b465dcc1ac281378c973ae4c6a0</a> ping.exe<br />
  895. <a href="https://opentip.kaspersky.com/b63316223e952a3a51389a623eb283b6/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______34280e71815f9819&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">b63316223e952a3a51389a623eb283b6</a> ping.exe<br />
  896. <a href="https://opentip.kaspersky.com/e525da087466ef77385a06d969f06c81/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______00c019d83beca9e0&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">e525da087466ef77385a06d969f06c81</a><br />
  897. <a href="https://opentip.kaspersky.com/78b59ea529a7bddb3d63fcbe0fe7af94/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______02431ea07e815c6c&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">78b59ea529a7bddb3d63fcbe0fe7af94</a></p>
  898. <p><strong>ChromeStealer Exfiltrator</strong><br />
  899. <a href="https://opentip.kaspersky.com/9e50adb6107067ff0bab73307f5499b6/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______002f6ae0f77b2068&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">9e50adb6107067ff0bab73307f5499b6</a> WhatsAppOB.exe</p>
  900. <h3 id="domains-ips">Domains/IPs</h3>
  901. <p><a href="https://opentip.kaspersky.com/hxxps%3a%2f%2fstorycentral.net/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______546a9c2d940aced9&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxps://storycentral[.]net</a><br />
  902. <a href="https://opentip.kaspersky.com/hxxp%3a%2f%2flistofexoticplaces.com/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______df61d5264bb34b52&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxp://listofexoticplaces[.]com</a><br />
  903. <a href="https://opentip.kaspersky.com/hxxps%3a%2f%2fmonsoonconference.com/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______95a175e16a9f2f66&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxps://monsoonconference[.]com</a><br />
  904. <a href="https://opentip.kaspersky.com/hxxp%3a%2f%2fmediumblog.online/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______a1cb20769a3c44cb&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxp://mediumblog[.]online:4443</a><br />
  905. <a href="https://opentip.kaspersky.com/hxxp%3a%2f%2fcloud.givensolutions.online/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______31ac06df427819a4&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxp://cloud.givensolutions[.]online:4443</a><br />
  906. <a href="https://opentip.kaspersky.com/hxxp%3a%2f%2fcloud.qunetcentre.org/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______97e683db289c2d2d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxp://cloud.qunetcentre[.]org:443</a><br />
  907. <a href="https://opentip.kaspersky.com/solutions.fuzzy-network.tech/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______80e055d2bfaec218&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">solutions.fuzzy-network[.]tech</a><br />
  908. <a href="https://opentip.kaspersky.com/pdfplugins.com/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______fa3c26ff03f790a8&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">pdfplugins[.]com</a><br />
  909. <a href="https://opentip.kaspersky.com/file-share.officeweb.live/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______1906cf37a247699a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">file-share.officeweb[.]live</a><br />
  910. <a href="https://opentip.kaspersky.com/fileshare-avp.ddns.net/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______324cee9e263be2af&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">fileshare-avp.ddns[.]net</a><br />
  911. <a href="https://opentip.kaspersky.com/91.132.95.148/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ab2914e9238c3621&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">91.132.95[.]148</a><br />
  912. <a href="https://opentip.kaspersky.com/62.106.66.80/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______847c267eca71ef78&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">62.106.66[.]80</a><br />
  913. <a href="https://opentip.kaspersky.com/158.255.215.45/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______2d778fa9b216c661&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">158.255.215[.]45</a></p>
  914. ]]></content:encoded>
  915. <wfw:commentRss>https://securelist.com/mysterious-elephant-apt-ttps-and-tools/117596/feed/</wfw:commentRss>
  916. <slash:comments>0</slash:comments>
  917. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30145442/mysterious-elephant-featured-image.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
  918. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30145442/mysterious-elephant-featured-image-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
  919. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30145442/mysterious-elephant-featured-image-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
  920. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30145442/mysterious-elephant-featured-image-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  921. </item>
  922. <item>
  923. <title>Signal in the noise: what hashtags reveal about hacktivism in 2025</title>
  924. <link>https://securelist.com/dfi-meta-hacktivist-report/117708/</link>
  925. <comments>https://securelist.com/dfi-meta-hacktivist-report/117708/#respond</comments>
  926. <dc:creator><![CDATA[Kaspersky Security Services]]></dc:creator>
  927. <pubDate>Tue, 14 Oct 2025 10:00:09 +0000</pubDate>
  928. <category><![CDATA[Research]]></category>
  929. <category><![CDATA[SOC, TI and IR posts]]></category>
  930. <category><![CDATA[Twitter]]></category>
  931. <category><![CDATA[Darknet]]></category>
  932. <category><![CDATA[Threat intelligence]]></category>
  933. <category><![CDATA[hacktivists]]></category>
  934. <category><![CDATA[Telegram]]></category>
  935. <category><![CDATA[Cybersecurity]]></category>
  936. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117708</guid>
  937.  
  938. <description><![CDATA[Kaspersky researchers identified over 2000 unique hashtags across 11,000 hacktivist posts on the surface web and the dark web to find out how hacktivist campaigns function and whom they target.]]></description>
  939. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14082820/SL-DFI-META-report-featured-1200-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>What do hacktivist campaigns look like in 2025? To answer this question, we analyzed more than 11,000 posts produced by over 120 hacktivist groups circulating across both the surface web and the dark web, with a particular focus on groups targeting MENA countries. The primary goal of our research is to highlight patterns in hacktivist operations, including attack methods, public warnings, and stated intent. The analysis is undertaken exclusively from a cybersecurity perspective and anchored in the principle of neutrality.</p>
  940. <p>Hacktivists are politically motivated threat actors who typically value visibility over sophistication. Their tactics are designed for maximum visibility, reach, and ease of execution, rather than stealth or technical complexity. The term &#8220;hacktivist&#8221; may refer to either the administrator of a community who initiates the attack or an ordinary subscriber who simply participates in the campaign.</p>
  941. <h2 id="key-findings">Key findings</h2>
942. <p>While it may be assumed that most operations unfold on hidden forums, in fact, most hacktivist planning and mobilization happens in the open. Telegram has become the command center for today&#8217;s hacktivist groups, hosting the highest density of attack planning and calls to action. X (formerly Twitter) comes second.</p>
  943. <div id="attachment_117709" style="width: 790px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117709" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels.png" alt="Distribution of social media references in posts published in 2025" width="780" height="361" class="size-full wp-image-117709" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels.png 780w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels-300x139.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels-768x355.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels-756x350.png 756w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels-740x342.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels-605x280.png 605w" sizes="auto, (max-width: 780px) 100vw, 780px" /></a><p id="caption-attachment-117709" class="wp-caption-text">Distribution of social media references in posts published in 2025</p></div>
944. <p>Although we focused on hacktivists operating in MENA, the targeting of the groups under review is global, extending well beyond the region. There are victims throughout Europe and the Middle East, as well as in Argentina, the United States, Indonesia, India, Vietnam, Thailand, Cambodia, Türkiye, and other countries.</p>
  945. <h3 id="hashtags-as-the-connective-tissue-of-hacktivist-operations">Hashtags as the connective tissue of hacktivist operations</h3>
946. <p>One notable feature of hacktivist posts and messages on dark web sites is the frequent use of hashtags (#words). Used constantly in their posts, hashtags often serve as political slogans, amplifying messages, coordinating activity or claiming credit for attacks. The most common themes are political statements and hacktivist group names, though hashtags sometimes reference geographical locations, such as specific countries or cities.</p>
  947. <p>Hashtags also map alliances and momentum. We have identified 2063 unique tags in 2025: 1484 appearing for the first time, and many tied directly to specific groups or joint campaigns. Most tags are short-lived, lasting about two months, with &#8220;popular&#8221; ones persisting longer when amplified by alliances; channel bans contribute to attrition.</p>
  948. <p>Operationally, reports of completed attacks dominate hashtagged content (58%), and within those, DDoS is the workhorse (61%). Spikes in threatening rhetoric do not by themselves predict more attacks, but timing matters: when threats are published, they typically refer to actions in the near term, i.e. the same week or month, making early warning from open-channel monitoring materially useful.</p>
  949. <p>The full version of the report details the following findings:</p>
  950. <ul>
  951. <li>How long it typically takes for an attack to be reported after an initial threat post</li>
  952. <li>How hashtags are used to coordinate attacks or claim credit</li>
  953. <li>Patterns across campaigns and regions</li>
  954. <li>The types of cyberattacks being promoted or celebrated</li>
  955. </ul>
  956. <h2 id="practical-takeaways-and-recommendations">Practical takeaways and recommendations</h2>
  957. <p>For defenders and corporate leaders, we recommend the following:</p>
  958. <ul>
  959. <li>Prioritize scalable DDoS mitigation and proactive security measures.</li>
  960. <li>Treat public threats as short-horizon indicators rather than long-range forecasts.</li>
  961. <li>Invest in continuous monitoring across Telegram and related ecosystems to discover alliance announcements, threat posts, and cross-posted &#8220;proof&#8221; rapidly.</li>
  962. </ul>
  963. <p>Even organizations outside geopolitical conflict zones should assume exposure: hacktivist campaigns seek reach and spectacle, not narrow geography, and hashtags remain a practical lens for separating noise from signals that demand action.</p>
964. <p><strong>The full report is distributed as a PDF behind a registration form on the original post: <a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172551/Hacktivist_report-DFI-META.pdf" target="_blank" rel="noopener">Hacktivist_report-DFI-META.pdf</a>.</strong></p>
  994. ]]></content:encoded>
  995. <wfw:commentRss>https://securelist.com/dfi-meta-hacktivist-report/117708/feed/</wfw:commentRss>
  996. <slash:comments>0</slash:comments>
  997. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14082820/SL-DFI-META-report-featured-1200.jpg" width="1200" height="762"><media:keywords>full</media:keywords></media:content>
  998. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14082820/SL-DFI-META-report-featured-1200-1024x650.jpg" width="1024" height="650"><media:keywords>large</media:keywords></media:content>
  999. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14082820/SL-DFI-META-report-featured-1200-300x191.jpg" width="300" height="191"><media:keywords>medium</media:keywords></media:content>
  1000. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14082820/SL-DFI-META-report-featured-1200-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1001. </item>
  1002. <item>
  1003. <title>The king is dead, long live the king! Windows 10 EOL and Windows 11 forensic artifacts</title>
  1004. <link>https://securelist.com/forensic-artifacts-in-windows-11/117680/</link>
  1005. <comments>https://securelist.com/forensic-artifacts-in-windows-11/117680/#respond</comments>
  1006. <dc:creator><![CDATA[Kirill Magaskin]]></dc:creator>
  1007. <pubDate>Tue, 14 Oct 2025 08:00:57 +0000</pubDate>
  1008. <category><![CDATA[Research]]></category>
  1009. <category><![CDATA[Microsoft Windows]]></category>
  1010. <category><![CDATA[Digital forensics]]></category>
  1011. <category><![CDATA[Forensic journey]]></category>
  1012. <category><![CDATA[Cybersecurity]]></category>
  1013. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117680</guid>
  1014.  
  1015. <description><![CDATA[With the end of Windows 10 support approaching, we discuss which forensic artifacts in Windows 11 may be of interest.]]></description>
  1016. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13154941/SL-forensic-artifacts-in-windows-11-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
  1017. <p>Windows 11 was released a few years ago, yet it has seen relatively weak enterprise adoption. According to statistics from our Global Emergency Response Team (GERT) investigations, as recently as early 2025, we found that Windows 7, which reached end of support in 2020, was encountered only slightly less often than the newest operating system. Most systems still run Windows 10.</p>
  1019. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Distribution of Windows versions in organizations&#8217; infrastructure. The statistics are based on the Global Emergency Response Team (GERT) data (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10100944/01-en-ru-es-pt-br-win-11-graph.png" target="_blank" rel="noopener">download</a>)</em></p>
  1020. <p>The most widely used operating system was released more than a decade ago, and Microsoft discontinues its support on October 14, 2025. This means we are certainly going to see an increase in the number of Windows 11 systems in organizations where we provide incident response services. This is why we decided to offer a brief overview of changes to forensic artifacts in this operating system. The information should be helpful to our colleagues in the field. The artifacts described here are relevant for Windows 11 24H2, which is the latest OS version at the time of writing this.</p>
  1021. <h2 id="what-is-new-in-windows-11">What is new in Windows 11</h2>
  1022. <h3 id="recall">Recall</h3>
1023. <p>The Recall feature was first announced in May 2024. It allows the computer to remember everything a user has done on the device over the past few months. It works by taking screenshots of the entire display every few seconds. A local AI engine then analyzes these screenshots in the background, extracting all useful information, which is subsequently saved to a database. This database is then used for intelligent searching. Since May 2025, Recall has been broadly available on Copilot+ PCs, that is, machines equipped with a sufficiently capable NPU (a dedicated chip for AI computations). Such NPUs ship in Qualcomm Snapdragon X (ARM) processors and in recent Intel and AMD x86 processors, so the feature is not limited to ARM hardware.</p>
  1024. <p>Microsoft Recall is certainly one of the most highly publicized and controversial features announced for Windows 11. Since its initial reveal, it <a href="https://www.kaspersky.com/blog/how-to-disable-copilot-recall-spyware/51522/" target="_blank" rel="noopener">has been the subject of criticism within the cybersecurity community</a> because of the potential threat it poses to data privacy. Microsoft refined Recall before its release, yet <a href="https://www.kaspersky.com/blog/recall-2025-risks-benefits/53407/" target="_blank" rel="noopener">certain concerns remain</a>. Because of its controversial nature, the option is disabled by default in corporate builds of Windows 11. However, examining the artifacts it creates is worthwhile, just in case an attacker or malicious software activates it. In theory, an organization&#8217;s IT department could enable Recall using Group Policies, but we consider that scenario unlikely.</p>
1025. <p>As previously mentioned, Recall takes screenshots, which naturally requires temporary storage before analysis. The raw JPEG images can be found at <code>%LOCALAPPDATA%\CoreAIPlatform.00\UKP\{GUID}\ImageStore\*</code> (that is, under <code>C:\Users\&lt;user&gt;\AppData\Local</code>, not the roaming profile). The filenames themselves are the screenshot identifiers (more on those later).</p>
  1026. <p>Along with the screenshots, their metadata is stored within the standard Exif.Photo.MakerNote (0x927c) tag. This tag holds a significant amount of interesting data, such as the boundaries of the foreground window, the capture timestamp, the window title, the window identifier, and the full path of the process that launched the window. Furthermore, if a browser is in use during the screenshot capture, the URI and domain may be preserved, among other details.</p>
  1027. <p>Recall is activated on a per-user basis. A key in the user&#8217;s registry hive, specifically <code>Software\Policies\Microsoft\Windows\WindowsAI\</code>, is responsible for enabling and disabling the saving of these screenshots. Microsoft has also introduced <a href="https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai" target="_blank" rel="noopener">several new registry keys</a> associated with Recall management in the latest Windows 11 builds.</p>
  1028. <p>It is important to note that the version of the feature refined following public controversy includes a specific filter intended to prevent the saving of screenshots and text when potentially sensitive information is on the screen. This includes, for example, an incognito browser window, a payment data input field, or a password manager. However, <a href="https://doublepulsar.com/microsoft-recall-on-copilot-pc-testing-the-security-and-privacy-implications-ddb296093b6c" target="_blank" rel="noopener">researchers</a> have indicated that this filter may not always engage reliably.</p>
1029. <p>To enable fast searches across all data captured from screenshots, the system uses two DiskANN vector databases (<code>SemanticTextStore.sidb</code> and <code>SemanticImageStore.sidb</code>). However, the standard SQLite database is the most interesting one for investigation: <code>%LOCALAPPDATA%\CoreAIPlatform.00\UKP\{GUID}\ukg.db</code>, which consists of 20 tables. In the latest release, it is accessible without administrative privileges, yet it is encrypted. At the time of writing this post, there are no publicly known methods to decrypt the database directly. Therefore, we will examine the most relevant tables from the 2024 Windows 11 beta release with Recall.</p>
  1030. <ul>
  1031. <li>The <code>App</code> table holds data about the process that launched the application&#8217;s graphical user interface window.</li>
1032. <li>The <code>AppDwellTime</code> table contains information such as the full path of the process that initiated the application GUI window (WindowsAppId column), the date and time it was launched (HourOfDay, DayOfWeek, HourStartTimestamp), and how long the window was displayed (DwellTime).</li>
  1033. <li>The <code>WindowCapture</code> table records the type of event (Name column):
  1034. <ul>
  1035. <li><strong>WindowCreatedEvent</strong> indicates the creation of the first instance of the application window. It can be correlated with the process that created the window.</li>
  1036. <li><strong>WindowChangedEvent</strong> tracks changes to the window instance. It allows monitoring movements or size changes of the window instance with the help of the WindowId column, which contains the window&#8217;s identifier.</li>
  1037. <li><strong>WindowCaptureEvent</strong> signifies the creation of a screen snapshot that includes the application window. Besides the window identifier, it contains an image identifier (ImageToken). The value of this token can later be used to retrieve the JPEG snapshot file from the aforementioned ImageStore directory, as the filename corresponds to the image identifier.</li>
  1038. <li><strong>WindowDestroyedEvent</strong> signals the closing of the application window.</li>
  1039. <li><strong>ForegroundChangedEvent</strong> does not contain useful data from a forensics perspective.</li>
  1040. </ul>
  1041. <p>The <code>WindowCapture</code> table also includes a flag indicating whether the application window was in the foreground (IsForeground column), the window boundaries as screen coordinates (WindowBounds), the window title (WindowTitle), a service field for properties (Properties), and the event timestamp (TimeStamp).
  1042. </li>
  1043. </ul>
  1044. <ul>
1045. <li><code>WindowCaptureTextIndex_content</code> contains the text extracted with Optical Character Recognition (OCR) from the snapshot (c2 column), the window title (WindowTitle), the application path (App.Path), the snapshot timestamp (TimeStamp), and the name (Name). This table can be joined with the WindowCapture table (its c0 column holds the same values as WindowCapture.Id) and with the App table (AppId matches App.Id).</li>
  1046. </ul>
  1047. <p>Recall artifacts (if the feature was enabled on the system prior to the incident) represent a &#8220;goldmine&#8221; for the incident responder. They allow for a detailed reconstruction of the attacker&#8217;s activity within the compromised system. Conversely, this same functionality can be weaponized: as mentioned previously, the private information filter in Recall does not work flawlessly. Consequently, attackers and malware can exploit it to locate credentials and other sensitive information.</p>
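<p>To make the joins between these tables concrete, the following is an added example; it is not code from the original post, from Microsoft, or from any Recall tooling. It builds an in-memory SQLite imitation of <code>ukg.db</code> reduced to the columns named above, fills it with constructed rows, and runs the query an examiner would use to map OCR hits back to the process that owned the window and to the screenshot in ImageStore via ImageToken. The schema, the sample rows, the <code>AppId</code> column used for the App join and the treatment of <code>TimeStamp</code> as an opaque integer are assumptions; the real database has many more tables and, in the current release, is encrypted.</p>

```python
"""Reduced, constructed imitation of the Recall ukg.db tables named above, plus the joins an
examiner would run against them. Added example; schema, rows and timestamp handling are assumptions."""
import sqlite3

SCHEMA = """
CREATE TABLE App (Id INTEGER PRIMARY KEY, Path TEXT);
CREATE TABLE WindowCapture (
    Id INTEGER PRIMARY KEY, Name TEXT, WindowId INTEGER, AppId INTEGER, ImageToken TEXT,
    IsForeground INTEGER, WindowBounds TEXT, WindowTitle TEXT, Properties TEXT, TimeStamp INTEGER);
CREATE TABLE WindowCaptureTextIndex_content (c0 INTEGER PRIMARY KEY, c2 TEXT);
"""
# Constructed sample rows. TimeStamp is treated as an opaque increasing integer (ASSUMPTION);
# window 101 is a cmd.exe session that is created, captured twice and closed.
APPS = [(1, r"C:\Windows\System32\cmd.exe"), (2, r"C:\Program Files\Mozilla Firefox\firefox.exe")]
CAPTURES = [  # Id, Name, WindowId, AppId, ImageToken, IsForeground, WindowBounds, WindowTitle, Properties, TimeStamp
    (1, "WindowCreatedEvent",   101, 1, None,   1, "0,0,800,600",    "Administrator: cmd", "", 1000),
    (2, "WindowCaptureEvent",   101, 1, "a1b2", 1, "0,0,800,600",    "Administrator: cmd", "", 1005),
    (3, "WindowCaptureEvent",   102, 2, "c3d4", 0, "50,50,1200,900", "Intranet - Firefox", "", 1010),
    (4, "WindowCaptureEvent",   101, 1, "e5f6", 1, "0,0,800,600",    "Administrator: cmd", "", 1015),
    (5, "WindowDestroyedEvent", 101, 1, None,   0, "0,0,800,600",    "Administrator: cmd", "", 1020),
]
OCR = [(2, "C:\\> net user svc_backup P@ssw0rd! /add"),            # OCR text for capture Id 2
       (3, "Welcome to the corporate intranet"),
       (4, "C:\\> net localgroup administrators svc_backup /add")]


def build_demo_db():
    """In-memory stand-in for ukg.db (the real one is encrypted in the current release)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO App VALUES (?, ?)", APPS)
    conn.executemany("INSERT INTO WindowCapture VALUES (?,?,?,?,?,?,?,?,?,?)", CAPTURES)
    conn.executemany("INSERT INTO WindowCaptureTextIndex_content VALUES (?, ?)", OCR)
    return conn


def find_sensitive_captures(conn, needles,
                            image_store=r"%LOCALAPPDATA%\CoreAIPlatform.00\UKP\{GUID}\ImageStore"):
    """Capture events whose OCR text contains any needle, mapped back to process and screenshot.
    Joins: text index c0 -> WindowCapture.Id, WindowCapture.AppId -> App.Id; the ImageToken
    is the JPEG filename inside ImageStore."""
    if not needles:
        return []
    where = " OR ".join("t.c2 LIKE ?" for _ in needles)
    rows = conn.execute(f"""
        SELECT w.TimeStamp, a.Path, w.WindowTitle, w.ImageToken, t.c2
        FROM WindowCapture w
        JOIN WindowCaptureTextIndex_content t ON t.c0 = w.Id
        JOIN App a ON a.Id = w.AppId
        WHERE w.Name = 'WindowCaptureEvent' AND ({where})
        ORDER BY w.TimeStamp""", [f"%{n}%" for n in needles]).fetchall()
    return [{"timestamp": ts, "process": path, "title": title,
             "image_file": image_store + "\\" + token, "text": text}
            for ts, path, title, token, text in rows]


def window_timeline(conn, window_id):
    """Lifecycle of one WindowId: creation, each capture (with ImageToken), destruction."""
    return conn.execute("SELECT TimeStamp, Name, ImageToken FROM WindowCapture "
                        "WHERE WindowId = ? ORDER BY TimeStamp", (window_id,)).fetchall()
```

<p>The keyword search is a LIKE over the OCR column, which is enough to pull credential-bearing console windows out of thousands of captures; the returned <code>image_file</code> is the path an examiner would open to see the screenshot itself, and <code>window_timeline</code> orders the Created/Capture/Destroyed events for one WindowId so the captures can be placed in the window's lifetime.</p>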
  1048. <h3 id="updated-standard-applications">Updated standard applications</h3>
  1049. <p>Standard applications in Windows 11 have also undergone updates, and for some, this involved changes to both the interface and functionality. Specifically, applications such as Notepad, File Explorer, and the Command Prompt in this version of the OS now support multi-tab mode. Notably, Notepad retains the state of these tabs even after the process terminates. Therefore, Windows 11 now has new artifacts associated with the usage of this application. Our colleague, AbdulRhman Alfaifi, researched these in detail; his work is available <a href="https://u0041.co/posts/articals/exploring-windows-artifacts-notepad-files/" target="_blank" rel="noopener">here</a>.</p>
  1050. <p>The main directory for Notepad artifacts in Windows 11 is located at <code>%LOCALAPPDATA%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\</code>.<br />
  1051. This directory contains two subdirectories:</p>
  1052. <ul>
  1053. <li><strong>TabState</strong> stores a {GUID}.bin state file for each Notepad tab. This file contains the tab&#8217;s contents if the user did not save it to a file. For saved tabs, the file contains the full path to the saved content, the SHA-256 hash of the content, the content itself, the last write time to the file, and other details.</li>
1054. <li><strong>WindowState</strong> stores information about the application window state. This includes the total number of tabs, their order, the currently active tab, and the size and position of the application window on the screen. The state file is named either *.0.bin or *.1.bin.</li>
  1055. </ul>
  1056. <p>The structure of {GUID}.bin for saved tabs is as follows:</p>
  1057. <table>
  1058. <tbody>
  1059. <tr>
  1060. <td><strong>Field</strong></td>
  1061. <td><strong>Type</strong></td>
  1062. <td><strong>Value and explanation</strong></td>
  1063. </tr>
  1064. <tr>
  1065. <td>signature</td>
  1066. <td>[u8;2]</td>
  1067. <td>NP</td>
  1068. </tr>
  1069. <tr>
  1070. <td>?</td>
  1071. <td>u8</td>
  1072. <td>00</td>
  1073. </tr>
  1074. <tr>
  1075. <td>file_saved_to_path</td>
  1076. <td>bool</td>
  1077. <td>00 = the file was not saved at the specified path<br />
  1078. 01 = the file was saved</td>
  1079. </tr>
  1080. <tr>
  1081. <td>path_length</td>
  1082. <td>uLEB128</td>
  1083. <td>Length of the full path (in characters) to the file where the tab content was written</td>
  1084. </tr>
  1085. <tr>
  1086. <td>file_path</td>
  1087. <td>UTF-16LE</td>
  1088. <td>The full path to the file where the tab content was written</td>
  1089. </tr>
  1090. <tr>
  1091. <td>file_size</td>
  1092. <td>uLEB128</td>
  1093. <td>The size of the file on disk where the tab content was written</td>
  1094. </tr>
  1095. <tr>
  1096. <td>encoding</td>
  1097. <td>u8</td>
  1098. <td>File encoding:<br />
  1099. 0x01 – ANSI<br />
  1100. 0x02 – UTF-16LE<br />
  1101. 0x03 – UTF-16BE<br />
  1102. 0x04 – UTF-8BOM<br />
  1103. 0x05 – UTF-8</td>
  1104. </tr>
  1105. <tr>
  1106. <td>cr_type</td>
  1107. <td>u8</td>
  1108. <td>Type of carriage return:<br />
  1109. 0x01 — CRLF<br />
  1110. 0x02 — CR<br />
  1111. 0x03 — LF</td>
  1112. </tr>
  1113. <tr>
  1114. <td>last_write_time</td>
  1115. <td>uLEB128</td>
  1116. <td>The time of the last write (tab save) to the file, formatted as <a href="https://learn.microsoft.com/en-us/windows/win32/api/minwinbase/ns-minwinbase-filetime?redirectedfrom=MSDN" target="_blank" rel="noopener">FILETIME</a></td>
  1117. </tr>
  1118. <tr>
  1119. <td>sha256_hash</td>
  1120. <td>[u8;32]</td>
  1121. <td>The SHA-256 hash of the tab content</td>
  1122. </tr>
  1123. <tr>
  1124. <td>?</td>
  1125. <td>[u8;2]</td>
  1126. <td>00 01</td>
  1127. </tr>
  1128. <tr>
  1129. <td>selection_start</td>
  1130. <td>uLEB128</td>
1131. <td>The offset, in characters, of the start of the text selection from the beginning of the content</td>
  1132. </tr>
  1133. <tr>
  1134. <td>selection_end</td>
  1135. <td>uLEB128</td>
1136. <td>The offset, in characters, of the end of the text selection from the beginning of the content</td>
  1137. </tr>
  1138. <tr>
  1139. <td>config_block</td>
  1140. <td>ConfigBlock</td>
  1141. <td>ConfigBlock structure configuration</td>
  1142. </tr>
  1143. <tr>
  1144. <td>content_length</td>
  1145. <td>uLEB128</td>
  1146. <td>The length of the text in the file</td>
  1147. </tr>
  1148. <tr>
  1149. <td>content</td>
  1150. <td>UTF-16LE</td>
  1151. <td>The file content before it was modified by the new data. This field is absent if the tab was saved to disk with no subsequent modifications.</td>
  1152. </tr>
  1153. <tr>
  1154. <td>contain_unsaved_data</td>
  1155. <td>bool</td>
  1156. <td>00 = the tab content in the {GUID}.bin file matches the tab content in the file on disk<br />
  1157. 01 = changes to the tab have not been saved to disk</td>
  1158. </tr>
  1159. <tr>
  1160. <td>checksum</td>
  1161. <td>[u8;4]</td>
1162. <td>The CRC32 checksum of the {GUID}.bin file content, computed over the bytes from offset 0x03 (i.e., skipping the signature and the byte after it) up to this field</td>
  1163. </tr>
  1164. <tr>
  1165. <td>unsaved_chunks</td>
  1166. <td>[UnsavedChunk]</td>
  1167. <td>A list of UnsavedChunk structures. This is absent if the tab was saved to disk with no subsequent modifications</td>
  1168. </tr>
  1169. </tbody>
  1170. </table>
1171. <div id="attachment_117682" style="width: 903px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117682" class="size-full wp-image-117682" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2.jpeg" alt="Example content of the {GUID}.bin file for a Notepad tab that was saved to a file and then modified with new data which was not written to the file" width="893" height="622" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2.jpeg 893w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2-300x209.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2-768x535.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2-502x350.jpeg 502w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2-740x515.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2-402x280.jpeg 402w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2-800x557.jpeg 800w" sizes="auto, (max-width: 893px) 100vw, 893px" /></a><p id="caption-attachment-117682" class="wp-caption-text">Example content of the {GUID}.bin file for a Notepad tab that was saved to a file and then modified with new data which was not written to the file</p></div>
  1172. <p>For tabs that were never saved, the {GUID}.bin file structure in the TabState directory is shorter:</p>
  1173. <table>
  1174. <tbody>
  1175. <tr>
  1176. <td><strong>Field</strong></td>
  1177. <td><strong>Type</strong></td>
  1178. <td><strong>Value and explanation</strong></td>
  1179. </tr>
  1180. <tr>
  1181. <td>signature</td>
  1182. <td>[u8;2]</td>
  1183. <td>NP</td>
  1184. </tr>
  1185. <tr>
  1186. <td>?</td>
  1187. <td>u8</td>
  1188. <td>00</td>
  1189. </tr>
  1190. <tr>
  1191. <td>file_saved_to_path</td>
  1192. <td>bool</td>
  1193. <td>00 = the file was not saved at the specified path (always)</td>
  1194. </tr>
  1195. <tr>
  1196. <td>selection_start</td>
  1197. <td>uLEB128</td>
1198. <td>The offset, in characters, of the start of the text selection from the beginning of the content</td>
  1199. </tr>
  1200. <tr>
  1201. <td>selection_end</td>
  1202. <td>uLEB128</td>
1203. <td>The offset, in characters, of the end of the text selection from the beginning of the content</td>
  1204. </tr>
  1205. <tr>
  1206. <td>config_block</td>
  1207. <td>ConfigBlock</td>
  1208. <td>ConfigBlock structure configuration</td>
  1209. </tr>
  1210. <tr>
  1211. <td>content_length</td>
  1212. <td>uLEB128</td>
  1213. <td>The length of the text in the file</td>
  1214. </tr>
  1215. <tr>
  1216. <td>content</td>
  1217. <td>UTF-16LE</td>
  1218. <td>File content</td>
  1219. </tr>
  1220. <tr>
  1221. <td>contain_unsaved_data</td>
  1222. <td>bool</td>
  1223. <td>01 = changes to the tab have not been saved to disk (always)</td>
  1224. </tr>
  1225. <tr>
  1226. <td>checksum</td>
  1227. <td>[u8;4]</td>
1228. <td>The CRC32 checksum of the {GUID}.bin file content, computed over the bytes from offset 0x03 (i.e., skipping the signature and the byte after it) up to this field</td>
  1229. </tr>
  1230. <tr>
  1231. <td>unsaved_chunks</td>
  1232. <td>[UnsavedChunk]</td>
  1233. <td>List of UnsavedChunk structures</td>
  1234. </tr>
  1235. </tbody>
  1236. </table>
1237. <div id="attachment_117683" style="width: 1190px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117683" class="size-full wp-image-117683" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3.jpeg" alt="Example content of the {GUID}.bin file for a Notepad tab that has not been saved to a file" width="1180" height="207" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3.jpeg 1180w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3-300x53.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3-1024x180.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3-768x135.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3-740x130.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3-800x140.jpeg 800w" sizes="auto, (max-width: 1180px) 100vw, 1180px" /></a><p id="caption-attachment-117683" class="wp-caption-text">Example content of the {GUID}.bin file for a Notepad tab that has not been saved to a file</p></div>
  1238. <p>Note that the saving of tabs may be disabled in the Notepad settings. If this is the case, the TabState and WindowState artifacts will be unavailable for analysis.</p>
1239. <p>If these artifacts are available, however, you can use <a href="https://github.com/AbdulRhmanAlfaifi/notepad_parser" target="_blank" rel="noopener">the notepad_parser tool</a>, developed by our colleague AbdulRhman Alfaifi, to automate working with them.</p>
  1240. <p>This particular artifact may assist in recovering the contents of malicious scripts and batch files. Furthermore, it may contain the results and logs from network scanners, credential extraction utilities, and other executables used by threat actors, assuming any unsaved modifications were inadvertently made to them.</p>
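<p>The following parser is an added example that implements the two {GUID}.bin layouts tabulated above; it is not code from the original post or from the notepad_parser project. The post does not lay out the <code>ConfigBlock</code> and <code>UnsavedChunk</code> structures, so their layout here (three flag bytes, a uLEB128 version and two unknown bytes; cursor position, deletion count, addition count, the added characters and a CRC32) follows the notepad_parser project's documentation and is an assumption, as is the big-endian byte order of the stored CRC32. The sample file is constructed in code rather than taken from a real system.</p>

```python
"""Parser for Windows 11 Notepad TabState ({GUID}.bin) files per the two field tables above.
Added example, not code from the original post or from notepad_parser."""
import hashlib
import zlib
from datetime import datetime, timedelta, timezone

ENCODINGS = {1: "ANSI", 2: "UTF-16LE", 3: "UTF-16BE", 4: "UTF-8BOM", 5: "UTF-8"}
CR_TYPES = {1: "CRLF", 2: "CR", 3: "LF"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def read_uleb128(buf, pos):
    """Decode an unsigned LEB128 integer at buf[pos]; return (value, new_pos)."""
    value, shift = 0, 0
    while True:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def read_utf16(buf, pos, nchars):
    """Read nchars UTF-16LE code units (2 bytes each); return (text, new_pos)."""
    return buf[pos:pos + 2 * nchars].decode("utf-16-le"), pos + 2 * nchars


def read_config_block(buf, pos):
    # ASSUMPTION: the post names ConfigBlock but does not lay it out; this follows notepad_parser:
    # three 1-byte flags (word wrap, right-to-left, show Unicode), a uLEB128 version, 2 unknown bytes.
    cfg = {"word_wrap": bool(buf[pos]), "rtl": bool(buf[pos + 1]), "show_unicode": bool(buf[pos + 2])}
    cfg["version"], pos = read_uleb128(buf, pos + 3)
    return cfg, pos + 2


def read_unsaved_chunks(buf, pos):
    # ASSUMPTION: UnsavedChunk layout is also taken from notepad_parser, not from the post:
    # cursor position, deleted count, added count (uLEB128 each), added UTF-16LE chars, 4-byte CRC32.
    chunks = []
    while pos < len(buf):
        cursor, pos = read_uleb128(buf, pos)
        deleted, pos = read_uleb128(buf, pos)
        added, pos = read_uleb128(buf, pos)
        text, pos = read_utf16(buf, pos, added)
        pos += 4  # per-chunk checksum, not verified here
        chunks.append({"cursor": cursor, "deleted": deleted, "text": text})
    return chunks


def parse_tabstate(buf):
    """Parse one {GUID}.bin; handles both the saved-tab and the never-saved layout."""
    if buf[:2] != b"NP":
        raise ValueError("missing NP signature; not a TabState file")
    rec, pos = {}, 3                                  # skip signature and the unknown 0x00 byte
    rec["saved"], pos = bool(buf[pos]), pos + 1       # file_saved_to_path
    if rec["saved"]:
        nchars, pos = read_uleb128(buf, pos)
        rec["file_path"], pos = read_utf16(buf, pos, nchars)
        rec["file_size"], pos = read_uleb128(buf, pos)
        rec["encoding"], rec["cr_type"] = ENCODINGS.get(buf[pos]), CR_TYPES.get(buf[pos + 1])
        filetime, pos = read_uleb128(buf, pos + 2)
        rec["last_write_time"] = (FILETIME_EPOCH + timedelta(microseconds=filetime // 10)).isoformat()
        rec["sha256"], pos = buf[pos:pos + 32].hex(), pos + 34   # 32-byte hash, then unknown 00 01
    rec["selection_start"], pos = read_uleb128(buf, pos)
    rec["selection_end"], pos = read_uleb128(buf, pos)
    rec["config"], pos = read_config_block(buf, pos)
    nchars, pos = read_uleb128(buf, pos)
    rec["content"], pos = read_utf16(buf, pos, nchars)
    rec["unsaved"], pos = bool(buf[pos]), pos + 1     # contain_unsaved_data
    stored, pos = buf[pos:pos + 4], pos + 4
    # Per the post, the CRC32 covers the file from offset 0x03 up to the checksum field.
    # ASSUMPTION: it is stored big-endian; switch to "little" if real files disagree.
    rec["checksum_ok"] = stored == zlib.crc32(buf[3:pos - 4]).to_bytes(4, "big")
    rec["unsaved_chunks"] = read_unsaved_chunks(buf, pos) if rec["unsaved"] else []
    return rec


def reconstruct_text(rec):
    """Replay the unsaved chunks over the saved content to recover the on-screen text."""
    text = rec["content"]
    for c in rec["unsaved_chunks"]:
        text = text[:c["cursor"]] + c["text"] + text[c["cursor"] + c["deleted"]:]
    return text


def uleb128(n):
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def build_sample():
    # Constructed sample, not a real capture: a tab saved to C:\tmp\hosts.txt, then edited.
    path = "C:\\tmp\\hosts.txt".encode("utf-16-le")
    content = "10.0.0.5 dc01\r\n".encode("utf-16-le")
    added = "10.0.0.9 srv02\r\n".encode("utf-16-le")
    body = b"\x01" + uleb128(len(path) // 2) + path + uleb128(15) + b"\x01\x01"  # saved; ANSI; CRLF
    body += uleb128(134048736000000000) + hashlib.sha256(content).digest() + b"\x00\x01"  # FILETIME 2025-10-14
    body += uleb128(0) + uleb128(0) + b"\x01\x00\x00" + uleb128(2) + b"\x00\x00"  # selection; ConfigBlock
    body += uleb128(len(content) // 2) + content + b"\x01"  # content; contain_unsaved_data = 1
    buf = b"NP\x00" + body
    buf += zlib.crc32(buf[3:]).to_bytes(4, "big")
    chunk = uleb128(15) + uleb128(0) + uleb128(len(added) // 2) + added  # insert at char 15, delete 0
    return buf + chunk + zlib.crc32(chunk).to_bytes(4, "big")
```

<p>Parsing the constructed sample yields the saved path, the FILETIME converted to UTC, a verified CRC32, and the saved content; <code>reconstruct_text</code> then replays the unsaved chunks on top of it, which is the step that recovers a script an attacker edited but never wrote back to disk. A flipped byte anywhere after offset 0x03 makes <code>checksum_ok</code> false, so the flag is a cheap integrity signal before trusting a recovered file. Feed <code>parse_tabstate</code> the bytes of a real <code>{GUID}.bin</code> from TabState to use it on evidence.</p>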
  1241. <h2 id="changes-to-familiar-artifacts-in-windows-11">Changes to familiar artifacts in Windows 11</h2>
  1242. <p>In addition to the new artifacts, Windows 11 introduced several noteworthy changes to existing ones that investigators should be aware of when analyzing incidents.</p>
  1243. <h3 id="changes-to-ntfs-attribute-behavior">Changes to NTFS attribute behavior</h3>
  1244. <p>The behavior of NTFS attributes was changed between Windows 10 and Windows 11 in two $MFT structures: $STANDARD_INFORMATION and $FILE_NAME.</p>
  1245. <p>The changes to the behavior of the $STANDARD_INFORMATION attributes are presented in the table below:</p>
  1246. <table>
  1247. <tbody>
  1248. <tr>
  1249. <td><strong>Event</strong></td>
  1250. <td>Access file</td>
  1251. <td>Rename file</td>
  1252. <td>Copy file to new folder</td>
  1253. <td>Move file within one volume</td>
  1254. <td>Move file between volumes</td>
  1255. </tr>
  1256. <tr>
  1257. <td><strong>Win 10<br />
  1258. 1903</strong></td>
  1259. <td>The File Access timestamp is updated. However, it remains unchanged if the system volume is larger than 128 GB</td>
  1260. <td>The File Access timestamp remains unchanged</td>
  1261. <td>The copy metadata is updated</td>
  1262. <td>The File Access timestamp remains unchanged</td>
  1263. <td>The metadata is inherited from the original file</td>
  1264. </tr>
  1265. <tr>
  1266. <td><strong>Win 11 24H2</strong></td>
  1267. <td>The File Access timestamp is updated</td>
  1268. <td>The File Access timestamp is updated to match the modification time</td>
  1269. <td>The copy metadata is inherited from the original file</td>
  1270. <td>The File Access timestamp is updated to match the moving time</td>
  1271. <td>The metadata is updated</td>
  1272. </tr>
  1273. </tbody>
  1274. </table>
1275. <p>Behavior of the $FILE_NAME attributes was changed as follows:</p>
  1276. <table>
  1277. <tbody>
  1278. <tr>
  1279. <td><strong>Event</strong></td>
  1280. <td>Rename file</td>
  1281. <td>Move file via Explorer within one volume</td>
  1282. <td>Move file to Recycle Bin</td>
  1283. </tr>
  1284. <tr>
  1285. <td><strong>Win 10<br />
  1286. 1903</strong></td>
  1287. <td>The timestamps and metadata remain unchanged</td>
  1288. <td>The timestamps and metadata remain unchanged</td>
  1289. <td>The timestamps and metadata remain unchanged</td>
  1290. </tr>
  1291. <tr>
  1292. <td><strong>Win 11 24H2</strong></td>
  1293. <td>The File Access and File Modify timestamps along with the metadata are inherited from the previous version of $STANDARD_INFORMATION</td>
  1294. <td>The File Access and File Modify timestamps along with the metadata are inherited from the previous version of $STANDARD_INFORMATION</td>
  1295. <td>The File Access and File Modify timestamps along with the metadata are inherited from the previous version of $STANDARD_INFORMATION</td>
  1296. </tr>
  1297. </tbody>
  1298. </table>
  1299. <p>Analysts should consider these changes when examining the service files of the NTFS file system.</p>
  1300. <h3 id="program-compatibility-assistant">Program Compatibility Assistant</h3>
1301. <p>Program Compatibility Assistant (PCA) first appeared way back in 2006 with the release of Windows Vista. Its purpose is to help run applications designed for older versions of the operating system, which makes it a relevant artifact for identifying evidence of program execution.</p>
  1302. <p>Windows 11 introduced new files associated with this feature that are relevant for forensic analysis of application executions. These files are located in the directory <code>C:\Windows\appcompat\pca\</code>:</p>
  1303. <ul>
1304. <li><code>PcaAppLaunchDic.txt</code>: each line in this file contains data on the most recent launch of a specific executable file. This information includes the time of the last launch formatted as YYYY-MM-DD HH:MM:SS.f (UTC) and the full path to the file. A pipe character (|) separates the data elements. When the file is run again, the information in the corresponding line is updated. The file uses ANSI (CP-1252) encoding, so executing files with Unicode characters in their names &#8220;breaks&#8221; it: new entries (including the entry for the file with the Unicode name) stop appearing, and only existing ones are updated.</li>
  1305. </ul>
  1306. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117684" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4.png" alt="" width="1007" height="306" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4.png 1007w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4-300x91.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4-768x233.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4-740x225.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4-921x280.png 921w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4-800x243.png 800w" sizes="auto, (max-width: 1007px) 100vw, 1007px" /></a></p>
  1307. <ul>
  1308. <li><code>PcaGeneralDb0.txt</code> and <code>PcaGeneralDb1.txt</code> alternate during data logging: new records are saved to the primary file until its size reaches two megabytes. Once that limit is reached, the secondary file is cleared and becomes the new primary file, and the full primary file is then designated as the secondary. This cycle repeats indefinitely. The data fields are delimited with a pipe (|). The file uses UTF-16LE encoding and contains the following fields:
  1309. <ul>
  1310. <li>Executable launch time (YYYY-MM-DD HH:MM:SS.f (UTC))</li>
  1311. <li>Record type (0–4):
  1312. <ul>
  1313. <li>0 = installation error</li>
  1314. <li>1 = driver blocked</li>
  1315. <li>2 = abnormal process exit</li>
  1316. <li>3 = PCA Resolve call (component responsible for fixing compatibility issues when running older programs)</li>
  1317. <li>4 = value not set</li>
  1318. </ul>
  1319. </li>
  1320. <li>Path to executable file. This path omits the volume letter and frequently uses environment variables (%USERPROFILE%, %systemroot%, %programfiles%, and others).</li>
  1321. <li>Product name (from the PE header, lowercase)</li>
  1322. <li>Company name (from the PE header, lowercase)</li>
  1323. <li>Product version (from the PE header)</li>
  1324. <li>Windows application ID (format matches that used in <a href="https://securelist.com/amcache-forensic-artifact/117622/" target="_blank" rel="noopener">AmCache</a>)</li>
  1325. <li>Message</li>
  1326. </ul>
  1327. </li>
  1328. </ul>
  1329. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117685" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5.png" alt="" width="2390" height="341" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5.png 2390w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-300x43.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-1024x146.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-768x110.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-1536x219.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-2048x292.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-740x106.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-1600x228.png 1600w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-800x114.png 800w" sizes="auto, (max-width: 2390px) 100vw, 2390px" /></a></p>
  1330. <p>Note that these text files only record data related to program launches executed through Windows File Explorer. They do not log launches of executable files initiated from the console.</p>
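<p>As an added example (not code from the post or from Kaspersky), a small parser for the two PCA file layouts described above: <code>PcaAppLaunchDic.txt</code> in CP-1252 and <code>PcaGeneralDb0.txt</code>/<code>PcaGeneralDb1.txt</code> in UTF-16LE, with the two alternating files merged into one timeline. The sample lines, paths and application IDs are constructed placeholders.</p>

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path

# Record type codes for PcaGeneralDb0.txt / PcaGeneralDb1.txt, as listed in the post.
PCA_RECORD_TYPES = {
    0: "installation error",
    1: "driver blocked",
    2: "abnormal process exit",
    3: "PCA Resolve call",
    4: "value not set",
}


@dataclass(frozen=True)
class AppLaunch:
    last_launch_utc: datetime
    path: str


@dataclass(frozen=True)
class PcaGeneralRecord:
    launch_utc: datetime
    record_type: int
    record_type_name: str
    path: str
    product_name: str
    company_name: str
    product_version: str
    app_id: str
    message: str


def parse_pca_timestamp(value: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS.f' (UTC); the fraction is padded/truncated to microseconds."""
    date_part, _, frac = value.strip().partition(".")
    dt = datetime.strptime(date_part, "%Y-%m-%d %H:%M:%S")
    if frac:
        dt = dt.replace(microsecond=int(frac[:6].ljust(6, "0")))
    return dt.replace(tzinfo=timezone.utc)


def parse_app_launch_dic(text: str) -> list[AppLaunch]:
    """Each line: <last launch time>|<full path>. Malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        ts, sep, path = line.partition("|")
        if not sep or not path:
            continue
        records.append(AppLaunch(parse_pca_timestamp(ts), path))
    return records


def parse_pca_general_db(text: str) -> list[PcaGeneralRecord]:
    """Eight pipe-delimited fields; the trailing message may itself contain '|', so split at most 7 times."""
    records = []
    for line in text.splitlines():
        fields = line.split("|", 7)
        if len(fields) != 8:
            continue
        ts, rtype, path, product, company, version, app_id, message = fields
        try:
            code = int(rtype)
        except ValueError:
            continue
        records.append(PcaGeneralRecord(parse_pca_timestamp(ts), code,
                                        PCA_RECORD_TYPES.get(code, "unknown"),
                                        path, product, company, version, app_id, message))
    return records


def read_app_launch_dic(path: Path) -> list[AppLaunch]:
    # ANSI (CP-1252) per the post; errors="replace" keeps going if a Unicode file name has broken it.
    return parse_app_launch_dic(path.read_text(encoding="cp1252", errors="replace"))


def read_pca_general_db(path: Path) -> list[PcaGeneralRecord]:
    raw = path.read_bytes()
    if raw.startswith(b"\xff\xfe"):  # strip a UTF-16LE BOM if one is present
        raw = raw[2:]
    return parse_pca_general_db(raw.decode("utf-16-le", errors="replace"))


def merged_timeline(*texts: str) -> list[PcaGeneralRecord]:
    """PcaGeneralDb0.txt and PcaGeneralDb1.txt alternate as primary/secondary, so the
    complete history is the union of both files, ordered by launch time."""
    records = [r for t in texts for r in parse_pca_general_db(t)]
    return sorted(records, key=lambda r: r.launch_utc)


# Constructed sample content (not real PCA data); paths and application IDs are placeholders.
SAMPLE_APPLAUNCHDIC = (
    "2025-10-01 08:15:42.123|C:\\Users\\alice\\Downloads\\update.exe\n"
    "2025-10-01 08:16:10.4|C:\\Windows\\System32\\notepad.exe\n"
)
SAMPLE_GENERALDB0 = (
    "2025-10-01 08:15:43.010|2|%USERPROFILE%\\Downloads\\update.exe|updater|contoso ltd|1.0.0.0"
    "|0006placeholderappid|Process exited abnormally\n"
)
SAMPLE_GENERALDB1 = (
    "2025-09-30 17:02:05.500|3|%programfiles%\\OldApp\\oldapp.exe|oldapp|fabrikam|3.2.1.0"
    "|0006placeholderappid2|PCA Resolve|compat mode applied\n"
)
```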
  1331. <h3 id="windows-search">Windows Search</h3>
  1332. <p>Windows Search is the built-in indexing and file search mechanism within Windows. Initially, it combed through files directly, resulting in sluggish and inefficient searches. Later, a separate application emerged that created a fast file index. It was not until 2006&#8217;s Windows Vista that a search feature was fully integrated into the operating system, with file indexing moved to a background process.</p>
  1333. <p>From Windows Vista up to and including Windows 10, the file index was stored in an Extensible Storage Engine (ESE) database:<br />
  1334. <code>%PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows\Windows.edb</code>.</p>
  1335. <p>Windows 11 breaks this storage down into three SQLite databases:</p>
  1336. <ul>
  1337. <li><code>%PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows\Windows-gather.db</code> contains general information about indexed files and folders. The most interesting element is the SystemIndex_Gthr table, which stores data such as the name of the indexed file or directory (FileName column), the last modification of the indexed file or directory (LastModified), an identifier used to link to the parent object (ScopeID), and a unique identifier for the file or directory itself (DocumentID). Using the ScopeID and the SystemIndex_GthrPth table, investigators can reconstruct the full path to a file on the system. The SystemIndex_GthrPth table contains the folder name (Name column), the directory identifier (Scope), and the parent directory identifier (Parent). By matching the file&#8217;s ScopeID with the directory&#8217;s Scope, one can determine the parent directory of the file.</li>
  1338. <li><code>%PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows\Windows.db</code> stores information about the metadata of indexed files. The SystemIndex_1_PropertyStore table is of interest for analysis; it holds the unique identifier of the indexed object (WorkId column), the metadata type (ColumnId), and the metadata itself. Metadata types are described in the SystemIndex_1_PropertyStore_Metadata table (where the content of the Id column corresponds to the ColumnId content from SystemIndex_1_PropertyStore) and are specified in the UniqueKey column.</li>
  1339. <li><code>%PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows\Windows-usn.db</code> does not contain useful information for forensic analysis.</li>
  1340. </ul>
1341. <p>As depicted in the image below, analyzing the <code>Windows-gather.db</code> file using DB Browser for SQLite can provide evidence of the presence of certain files (e.g., malware files, configuration files, files created and left behind by attackers, and others).<br />
  1342. <a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6.png" alt="" width="1234" height="667" class="aligncenter size-full wp-image-117735" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6.png 1234w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-300x162.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-1024x553.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-768x415.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-648x350.png 648w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-740x400.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-518x280.png 518w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-800x432.png 800w" sizes="auto, (max-width: 1234px) 100vw, 1234px" /></a><br />
  1343. It is worth noting that the LastModified column is stored in the Windows FILETIME format, which holds an unsigned 64-bit date and time value, representing the number of 100-nanosecond units since the start of January 1, 1601. Using a utility such as DCode, we can see this value in UTC, as shown in the image below.<br />
  1344. <a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7.png" alt="" width="1062" height="434" class="aligncenter size-full wp-image-117736" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7.png 1062w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-300x123.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-1024x418.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-768x314.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-856x350.png 856w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-740x302.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-685x280.png 685w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-800x327.png 800w" sizes="auto, (max-width: 1062px) 100vw, 1062px" /></a></p>
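<p>Added example, not part of the post: reconstructing full paths from the <code>SystemIndex_Gthr</code> and <code>SystemIndex_GthrPth</code> tables and converting <code>LastModified</code> from FILETIME, run against a constructed in-memory SQLite database. It assumes the reduced schema shown (the real <code>Windows-gather.db</code> has more columns), that a Parent value with no matching Scope marks the root, and that FILETIME is stored as an integer or an 8-byte little-endian blob.</p>

```python
from __future__ import annotations

import sqlite3
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000  # FILETIME value of 1970-01-01T00:00:00Z


def filetime_to_datetime(value: int | bytes) -> datetime:
    """FILETIME: unsigned 64-bit count of 100 ns intervals since 1601-01-01 UTC.
    Accepts an integer or an 8-byte little-endian blob (assumed storage forms)."""
    if isinstance(value, (bytes, bytearray, memoryview)):
        value = struct.unpack("<Q", bytes(value))[0]
    if not 0 <= value <= 0xFFFFFFFFFFFFFFFF:
        raise ValueError("FILETIME out of range")
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_sample_gather_db() -> sqlite3.Connection:
    """Constructed stand-in for Windows-gather.db, reduced to the columns the post names."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE SystemIndex_GthrPth (Scope INTEGER PRIMARY KEY, Parent INTEGER, Name TEXT);
        CREATE TABLE SystemIndex_Gthr (DocumentID INTEGER PRIMARY KEY, ScopeID INTEGER,
                                       FileName TEXT, LastModified BLOB);
    """)
    conn.executemany("INSERT INTO SystemIndex_GthrPth VALUES (?, ?, ?)", [
        (1, 0, "C:"), (2, 1, "Users"), (3, 2, "alice"), (4, 3, "AppData"),
        (5, 4, "Roaming"), (6, 3, "Downloads"),
    ])
    ts = datetime_to_filetime(datetime(2025, 10, 1, 12, 30, tzinfo=timezone.utc))
    hour = 3_600 * 10_000_000  # one hour in 100 ns units
    conn.executemany("INSERT INTO SystemIndex_Gthr VALUES (?, ?, ?, ?)", [
        (100, 6, "invoice.pdf", struct.pack("<Q", ts)),
        (101, 5, "update.ps1", struct.pack("<Q", ts + hour)),
        (102, 5, "svc.exe", struct.pack("<Q", ts + 2 * hour)),
    ])
    return conn


def scope_paths(conn: sqlite3.Connection) -> dict[int, str]:
    """Walk Parent links in SystemIndex_GthrPth from every Scope up to the root to rebuild folder paths."""
    rows = {s: (p, n) for s, p, n in conn.execute("SELECT Scope, Parent, Name FROM SystemIndex_GthrPth")}

    def resolve(scope: int) -> str:
        parts, seen = [], set()
        while scope in rows and scope not in seen:  # 'seen' guards against cycles in corrupt data
            seen.add(scope)
            parent, name = rows[scope]
            parts.append(name)
            scope = parent
        return "\\".join(reversed(parts))

    return {scope: resolve(scope) for scope in rows}


def indexed_files(conn: sqlite3.Connection) -> list[tuple[int, str, datetime]]:
    """(DocumentID, full path, LastModified as UTC) for every row in SystemIndex_Gthr."""
    folders = scope_paths(conn)
    query = "SELECT DocumentID, ScopeID, FileName, LastModified FROM SystemIndex_Gthr ORDER BY DocumentID"
    return [
        (doc_id, folders.get(scope_id, f"<scope {scope_id}>") + "\\" + name, filetime_to_datetime(last_mod))
        for doc_id, scope_id, name, last_mod in conn.execute(query)
    ]


def find_by_extension(conn: sqlite3.Connection, *extensions: str) -> list[tuple[int, str, datetime]]:
    """Quick triage: indexed files with the given extensions (e.g. scripts or executables in user folders)."""
    wanted = tuple(e.lower() for e in extensions)
    return [row for row in indexed_files(conn) if row[1].lower().endswith(wanted)]
```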
  1345. <h3 id="other-minor-changes-in-windows-11">Other minor changes in Windows 11</h3>
  1346. <p>It is also worth mentioning a few small but important changes in Windows 11 that do not require a detailed analysis:</p>
  1347. <ul>
  1348. <li>A complete discontinuation of NTLMv1 means that pass-the-hash attacks are gradually becoming a thing of the past.</li>
1349. <li>Removal of the well-known Windows 10 Timeline activity artifact. Although it is no longer actively maintained, its database, which contains user activity information, remains for now at: <code>%userprofile%\AppData\Local\ConnectedDevicesPlatform\ActivitiesCache.db</code>.</li>
  1350. <li>Similarly, Windows 11 removed Cortana and Internet Explorer, but the artifacts of these can still be found in the operating system. This may be useful for investigations conducted in machines that were updated from Windows 10 to the newer version.</li>
  1351. <li><a href="https://github.com/AndrewRathbun/Windows11Research/tree/main/EventLogs/4624" target="_blank">Previous research</a> also showed that Event ID 4624, which logs successful logon attempts in Windows, remained largely consistent across versions until a notable update appeared in Windows 11 Pro (22H2). This version introduces a new field, called Remote Credential Guard, marking a subtle but potentially important change in forensic analysis. While its real-world use and forensic significance remain to be observed, its presence suggests Microsoft&#8217;s ongoing efforts to enhance authentication-related telemetry.</li>
  1352. <li>Expanded support for the ReFS file system. The latest Windows 11 update preview made it possible to install the operating system directly onto a ReFS volume, and BitLocker support was also introduced. This file system has several key differences from the familiar NTFS:
  1353. <ul>
  1354. <li>ReFS does not have the $MFT (Master File Table) that forensics specialists rely on, which contains all current file records on the disk.</li>
  1355. <li>It does not generate short file names, as NTFS does for DOS compatibility.</li>
  1356. <li>It does not support hard links or extended object attributes.</li>
  1357. <li>It offers increased maximum volume and single-file sizes (35 PB compared to 256 TB in NTFS).</li>
  1358. </ul>
  1359. </li>
  1360. </ul>
  1361. <h2 id="conclusion">Conclusion</h2>
1362. <p>This post provided a brief overview of key changes to Windows 11 artifacts that are relevant to forensic analysis – most notably, the changes to PCA and the modifications to the Windows Search mechanism. The ultimate utility of these artifacts in investigations remains to be seen. Nevertheless, we recommend that you immediately incorporate the aforementioned files into the scope of your triage collection tool.</p>
  1363. ]]></content:encoded>
  1364. <wfw:commentRss>https://securelist.com/forensic-artifacts-in-windows-11/117680/feed/</wfw:commentRss>
  1365. <slash:comments>0</slash:comments>
  1366. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13154941/SL-forensic-artifacts-in-windows-11-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
  1367. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13154941/SL-forensic-artifacts-in-windows-11-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
  1368. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13154941/SL-forensic-artifacts-in-windows-11-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
  1369. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13154941/SL-forensic-artifacts-in-windows-11-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1370. </item>
  1371. <item>
  1372. <title>How we trained an ML model to detect DLL hijacking</title>
  1373. <link>https://securelist.com/building-ml-model-to-detect-dll-hijacking/117565/</link>
  1374. <comments>https://securelist.com/building-ml-model-to-detect-dll-hijacking/117565/#respond</comments>
  1375. <dc:creator><![CDATA[Anna Pidzhakova]]></dc:creator>
  1376. <pubDate>Mon, 06 Oct 2025 08:00:21 +0000</pubDate>
  1377. <category><![CDATA[Research]]></category>
  1378. <category><![CDATA[Security technology]]></category>
  1379. <category><![CDATA[Machine learning]]></category>
  1380. <category><![CDATA[DLL hijacking]]></category>
  1381. <category><![CDATA[Threat hunting]]></category>
  1382. <category><![CDATA[Artificial intelligence]]></category>
  1383. <category><![CDATA[DLL]]></category>
  1384. <category><![CDATA[Cybersecurity]]></category>
  1385. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117565</guid>
  1386.  
  1387. <description><![CDATA[An expert at the Kaspersky AI expertise center explains how the team developed a machine-learning model to identify DLL hijacking attacks.]]></description>
  1388. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30133010/SL-ML-model-training-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>DLL hijacking is a common technique in which attackers replace a library called by a legitimate process with a malicious one. It is used by both creators of mass-impact malware, like stealers and banking Trojans, and by APT and cybercrime groups behind targeted attacks. In recent years, the number of DLL hijacking attacks has grown significantly.</p>
  1389. <div class="js-infogram-embed" data-id="_/re1cVhfDkiTvQdIHwndC" data-type="interactive" data-title="01(2)_EN_RU_ES_PT-BR_DLL Hijacking charts" style="min-height:;"></div>
  1390. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Trend in the number of DLL hijacking attacks. 2023 data is taken as 100% (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/02132719/012en_ru_es_pt-br_dll-hijacking-charts.png" target="_blank" rel="noopener">download</a>)</em></p>
  1391. <p>We have observed this technique and its variations, like DLL sideloading, in targeted attacks on organizations in <a href="https://securelist.com/cobalt-strike-attacks-using-quora-github-social-media/117085/" target="_blank" rel="noopener">Russia</a>, <a href="https://securelist.com/apt41-in-africa/116986/" target="_blank" rel="noopener">Africa</a>, <a href="https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/" target="_blank" rel="noopener">South Korea</a>, and other countries and regions. <a href="https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" target="_blank" rel="noopener">Lumma</a>, one of 2025&#8217;s most active stealers, uses this method for distribution. Threat actors trying to profit from popular applications, such as DeepSeek, also <a href="https://securelist.com/backdoors-and-stealers-prey-on-deepseek-and-grok/115801/#scheme-3-backdoors-and-attacks-on-chinese-users" target="_blank" rel="noopener">resort</a> to DLL hijacking.</p>
  1392. <p>Detecting a DLL substitution attack is not easy because the library executes within the trusted address space of a legitimate process. So, to a security solution, this activity may look like a trusted process. Directing excessive attention to trusted processes can compromise overall system performance, so you have to strike a delicate balance between a sufficient level of security and sufficient convenience.</p>
  1393. <h2 id="detecting-dll-hijacking-with-a-machine-learning-model">Detecting DLL hijacking with a machine-learning model</h2>
1394. <p>Artificial intelligence can help where simple detection algorithms fall short. Kaspersky has been using machine learning for 20 years to identify malicious activity at various stages. The AI expertise center researches the capabilities of different models in threat detection, then trains and implements them. Our colleagues at the threat intelligence center approached us with the question of whether machine learning could be used to detect DLL hijacking, and more importantly, whether it would help improve detection accuracy.</p>
  1395. <h3 id="preparation">Preparation</h3>
  1396. <p>To determine if we could train a model to distinguish between malicious and legitimate library loads, we first needed to define a set of features highly indicative of DLL hijacking. We identified the following key features:</p>
  1397. <ul>
  1398. <li><strong>Wrong library location.</strong> Many standard libraries reside in standard directories, while a malicious DLL is often found in an unusual location, such as the same folder as the executable that calls it.</li>
  1399. <li><strong>Wrong executable location.</strong> Attackers often save executables in non-standard paths, like temporary directories or user folders, instead of %Program Files%.</li>
  1400. <li><strong>Renamed executable.</strong> To avoid detection, attackers frequently save legitimate applications under arbitrary names.</li>
  1401. <li><strong>Library size has changed, and it is no longer signed.</strong></li>
  1402. <li><strong>Modified library structure.</strong></li>
  1403. </ul>
  1404. <h3 id="training-sample-and-labeling">Training sample and labeling</h3>
  1405. <p>For the training sample, we used dynamic library load data provided by our internal automatic processing systems, which handle millions of files every day, and anonymized telemetry, such as that voluntarily provided by Kaspersky users through Kaspersky Security Network.</p>
  1406. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220803/dll-hijackingEN2.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117583" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220803/dll-hijackingEN2.png" alt="" width="644" height="470" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220803/dll-hijackingEN2.png 644w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220803/dll-hijackingEN2-300x219.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220803/dll-hijackingEN2-480x350.png 480w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220803/dll-hijackingEN2-384x280.png 384w" sizes="auto, (max-width: 644px) 100vw, 644px" /></a></p>
  1407. <p>The training sample was labeled in three iterations. Initially, we could not automatically pull event labeling from our analysts that indicated whether an event was a DLL hijacking attack. So, we used data from our databases containing only file reputation, and labeled the rest of the data manually. We labeled as DLL hijacking those library-call events where the process was definitively legitimate but the DLL was definitively malicious. However, this labeling was not enough because some processes, like &#8220;svchost&#8221;, are designed mainly to load various libraries. As a result, the model we trained on this data had a high rate of false positives and was not practical for real-world use.</p>
1408. <p>In the next iteration, we additionally filtered malicious libraries by family, keeping only those which were known to exhibit DLL-hijacking behavior. The model trained on this refined data showed significantly better accuracy and essentially confirmed our hypothesis that we could use machine learning to detect this type of attack.</p>
  1409. <p>At this stage, our training dataset had tens of millions of objects. This included about 20 million clean files and around 50,000 definitively malicious ones.</p>
  1410. <table>
  1411. <tbody>
  1412. <tr>
  1413. <td><strong>Status</strong></td>
  1414. <td><strong>Total</strong></td>
  1415. <td><strong>Unique files</strong></td>
  1416. </tr>
  1417. <tr>
  1418. <td>Unknown</td>
  1419. <td>~ 18M</td>
  1420. <td>~ 6M</td>
  1421. </tr>
  1422. <tr>
  1423. <td>Malicious</td>
  1424. <td>~ 50K</td>
  1425. <td>~ 1,000</td>
  1426. </tr>
  1427. <tr>
  1428. <td>Clean</td>
  1429. <td>~ 20M</td>
  1430. <td>~ 250K</td>
  1431. </tr>
  1432. </tbody>
  1433. </table>
  1434. <p>We then trained subsequent models on the results of their predecessors, which had been verified and further labeled by analysts. This process significantly increased the efficiency of our training.</p>
  1435. <h2 id="loading-dlls-what-does-normal-look-like">Loading DLLs: what does normal look like?</h2>
  1436. <p>So, we had a labeled sample with a large number of library loading events from various processes. How can we describe a &#8220;clean&#8221; library? Using a process name + library name combination does not account for renamed processes. Besides, a legitimate user, not just an attacker, can rename a process. If we used the process hash instead of the name, we would solve the renaming problem, but then every version of the same library would be treated as a separate library. We ultimately settled on using a library name + process signature combination. While this approach considers all identically named libraries from a single vendor as one, it generally produces a more or less realistic picture.</p>
  1437. <p>To describe safe library loading events, we used a set of counters that included information about the processes (the frequency of a specific process name for a file with a given hash, the frequency of a specific file path for a file with that hash, and so on), information about the libraries (the frequency of a specific path for that library, the percentage of legitimate launches, and so on), and event properties (that is, whether the library is in the same directory as the file that calls it).</p>
  1438. <p>The result was a system with multiple aggregates (sets of counters and keys) that could describe an input event. These aggregates can contain a single key (e.g., a DLL&#8217;s hash sum) or multiple keys (e.g., a process&#8217;s hash sum + process signature). Based on these aggregates, we can derive a set of features that describe the library loading event. The diagram below provides examples of how these features are derived:</p>
  1439. <div id="attachment_117584" style="width: 1468px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117584" class="size-full wp-image-117584" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3.png" alt="Feature extraction from aggregates" width="1458" height="546" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3.png 1458w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-300x112.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-1024x383.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-768x288.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-935x350.png 935w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-740x277.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-748x280.png 748w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-800x300.png 800w" sizes="auto, (max-width: 1458px) 100vw, 1458px" /></a><p id="caption-attachment-117584" class="wp-caption-text">Feature extraction from aggregates</p></div>
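<p>As an added illustration (not Kaspersky's code or model), the aggregate-and-feature idea in Python: counters keyed by process hash, by DLL hash and by library name + process signature are filled from constructed load events, and the features for a new event are derived before it is added, so a renamed process or a library on a never-seen path shows up as a frequency of zero. Hashes, signer names and paths are placeholders, and the final score is a toy rule, not the trained model.</p>

```python
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class LoadEvent:
    """One library-load event. Hashes and signer names here are constructed placeholders."""
    process_path: str
    process_hash: str
    process_signer: str   # signer of the calling executable ("" if unsigned)
    dll_path: str
    dll_hash: str
    dll_signed: bool


def _norm(path: str) -> PureWindowsPath:
    # Windows paths are case-insensitive, so counters are keyed on lowercase paths.
    return PureWindowsPath(path.lower())


class LoadAggregates:
    """Counters keyed the way the post describes: per process hash (single key),
    per DLL hash (single key) and per library name + process signature (composite key)."""

    def __init__(self) -> None:
        self.proc_names = defaultdict(Counter)       # process hash -> Counter(process file name)
        self.proc_dirs = defaultdict(Counter)        # process hash -> Counter(process directory)
        self.dll_dirs = defaultdict(Counter)         # (dll name, signer) -> Counter(dll directory)
        self.dll_hashes = defaultdict(Counter)       # (dll name, signer) -> Counter(dll hash)
        self.dll_hash_signed = defaultdict(Counter)  # dll hash -> Counter(signed flag)

    def add(self, ev: LoadEvent) -> None:
        p, d = _norm(ev.process_path), _norm(ev.dll_path)
        key = (d.name, ev.process_signer)
        self.proc_names[ev.process_hash][p.name] += 1
        self.proc_dirs[ev.process_hash][str(p.parent)] += 1
        self.dll_dirs[key][str(d.parent)] += 1
        self.dll_hashes[key][ev.dll_hash] += 1
        self.dll_hash_signed[ev.dll_hash][ev.dll_signed] += 1

    def features(self, ev: LoadEvent) -> dict[str, float | bool]:
        """Derive features for ev from what the aggregates have seen so far (call before add())."""
        p, d = _norm(ev.process_path), _norm(ev.dll_path)
        key = (d.name, ev.process_signer)
        n_proc = sum(self.proc_names[ev.process_hash].values())
        n_key = sum(self.dll_dirs[key].values())
        return {
            # how often this executable (by hash) has run under this file name / from this directory
            "proc_name_freq": self.proc_names[ev.process_hash][p.name] / n_proc if n_proc else 0.0,
            "proc_dir_freq": self.proc_dirs[ev.process_hash][str(p.parent)] / n_proc if n_proc else 0.0,
            "new_process_name": self.proc_names[ev.process_hash][p.name] == 0,
            # how often this library name, for this vendor's processes, came from this directory / hash
            "dll_dir_freq": self.dll_dirs[key][str(d.parent)] / n_key if n_key else 0.0,
            "dll_hash_freq": self.dll_hashes[key][ev.dll_hash] / n_key if n_key else 0.0,
            "dll_seen_before": n_key > 0,
            # event properties
            "dll_in_process_dir": d.parent == p.parent,
            "dll_signed": ev.dll_signed,
        }


def build_aggregates(events) -> LoadAggregates:
    agg = LoadAggregates()
    for ev in events:
        agg.add(ev)
    return agg


def score(feats: dict[str, float | bool]) -> int:
    """Toy rule mirroring the post's compound dependency: a process name seen for the first time,
    a known library on a never-seen path, and an unsigned library beside the caller each add one."""
    return (int(feats["new_process_name"])
            + int(feats["dll_seen_before"] and feats["dll_dir_freq"] == 0.0)
            + int(feats["dll_in_process_dir"] and not feats["dll_signed"]))


# Constructed baseline: a signed vendor tool loading version.dll from System32 fifty times.
BASELINE = [
    LoadEvent(r"C:\Program Files\Contoso\tool.exe", "proc-hash-A", "Contoso Ltd",
              r"C:\Windows\System32\version.dll", "dll-hash-ms", True)
] * 50

# Constructed suspicious event: the same binary (same hash) renamed and run from a temp folder,
# loading an unsigned version.dll placed next to it.
SUSPICIOUS = LoadEvent(r"C:\Users\alice\AppData\Local\Temp\svc.exe", "proc-hash-A", "Contoso Ltd",
                       r"C:\Users\alice\AppData\Local\Temp\version.dll", "dll-hash-x", False)
```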
  1440. <h2 id="loading-dlls-how-to-describe-hijacking">Loading DLLs: how to describe hijacking</h2>
  1441. <p>Certain feature combinations (dependencies) strongly indicate DLL hijacking. These can be simple dependencies. For some processes, the clean library they call always resides in a separate folder, while the malicious one is most often placed in the process folder.</p>
  1442. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117585" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4.png" alt="" width="1264" height="278" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4.png 1264w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4-300x66.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4-1024x225.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4-768x169.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4-740x163.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4-800x176.png 800w" sizes="auto, (max-width: 1264px) 100vw, 1264px" /></a></p>
  1443. <p>Other dependencies can be more complex and require several conditions to be met. For example, a process renaming itself does not, on its own, indicate DLL hijacking. However, if the new name appears in the data stream for the first time, and the library is located on a non-standard path, it is highly likely to be malicious.</p>
  1444. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117586" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5.png" alt="" width="1264" height="452" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5.png 1264w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-300x107.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-1024x366.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-768x275.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-979x350.png 979w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-740x265.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-783x280.png 783w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-800x286.png 800w" sizes="auto, (max-width: 1264px) 100vw, 1264px" /></a></p>
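  <p>The two dependency types described above, turned into a small stream processor, as an added example written for this page (it is not the article&#8217;s code, and the production model derives its features from telemetry aggregates rather than from the hard-coded reference data used here). The sample stream is constructed; events 2 and 3 mirror the file layouts reported for incidents 1 and 2 in the companion Securelist article on Kaspersky SIEM, and the clean-library directory for SystemSettings.dll, the set of &#8220;standard&#8221; roots, and the <code>original_name</code> field (an OriginalFilename-style attribute) are assumptions. The &#8220;first time in the data stream&#8221; condition is evaluated relative to the events processed so far, which is why the same renamed process is labeled differently on its first and second appearance.</p>

```python
"""
Indicator combinations ("dependencies") for DLL-load events.

Added illustration for this page, not the article's code. All reference
data below is constructed or assumed for the example.
"""
from dataclasses import dataclass
import ntpath

# Assumed: directories where the legitimate copy of a library normally lives,
# keyed by lower-cased library name. The article gives no path for
# SystemSettings.dll; C:\Windows\ImmersiveControlPanel is an assumption.
CLEAN_DLL_DIRS = {
    "systemsettings.dll": {r"c:\windows\immersivecontrolpanel"},
}

# From the article: SettingSyncHost.exe normally runs from System32 or SysWOW64.
SYSTEM_BINARY_DIRS = {
    "settingsynchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Assumed roots under which library paths are treated as "standard".
STANDARD_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")

SIMPLE_DEPENDENCY = {"lib_outside_clean_dir", "lib_in_process_dir"}
COMPLEX_DEPENDENCY = {"process_renamed", "name_first_seen", "lib_nonstandard_path"}


@dataclass(frozen=True)
class LoadEvent:
    """One telemetry record: a process image loading a library."""
    process_path: str
    original_name: str  # assumed field: OriginalFilename from the image's version info
    dll_path: str


def _split(path: str):
    """Lower-cased (directory, file name) for a Windows path."""
    directory, name = ntpath.split(path)
    return directory.lower().rstrip("\\"), name.lower()


def _under(directory: str, roots) -> bool:
    return any(directory == r or directory.startswith(r + "\\") for r in roots)


def describe(event: LoadEvent, seen_names: set) -> set:
    """Return the indicators triggered by one event.

    seen_names holds process names observed earlier in the stream and is
    updated in place, so "name appears for the first time" is stream-relative.
    """
    proc_dir, proc_name = _split(event.process_path)
    dll_dir, dll_name = _split(event.dll_path)
    indicators = set()

    clean_dirs = CLEAN_DLL_DIRS.get(dll_name)
    if clean_dirs is not None and dll_dir not in clean_dirs:
        indicators.add("lib_outside_clean_dir")
    if dll_dir == proc_dir:
        indicators.add("lib_in_process_dir")
    if not _under(dll_dir, STANDARD_ROOTS):
        indicators.add("lib_nonstandard_path")
    if proc_name != event.original_name.lower():
        indicators.add("process_renamed")
    if proc_name not in seen_names:
        indicators.add("name_first_seen")
    seen_names.add(proc_name)
    expected_dirs = SYSTEM_BINARY_DIRS.get(proc_name)
    if expected_dirs is not None and proc_dir not in expected_dirs:
        indicators.add("system_binary_outside_standard_dir")
    return indicators


def classify(indicators: set) -> str:
    """Map an indicator set to the dependency types the article describes."""
    if SIMPLE_DEPENDENCY <= indicators:
        return "likely_hijacking:simple_dependency"
    if COMPLEX_DEPENDENCY <= indicators:
        return "likely_hijacking:complex_dependency"
    if {"system_binary_outside_standard_dir", "lib_in_process_dir"} <= indicators:
        return "suspicious:relocated_system_binary"
    return "no_dependency_matched"


def describe_stream(events) -> list:
    """Label each event in stream order; first-seen state carries across events."""
    seen = set()
    return [classify(describe(e, seen)) for e in events]


# Constructed sample stream (not telemetry). Events 2 and 3 mirror the file
# layouts the page reports for incidents 1 and 2; events 4 and 5 are a renamed
# image seen twice, so only the first occurrence satisfies "name_first_seen".
SAMPLE_STREAM = [
    LoadEvent(r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe", "SystemSettings.exe",
              r"C:\Windows\ImmersiveControlPanel\SystemSettings.dll"),
    LoadEvent(r"C:\ProgramData\SystemSettings.exe", "SystemSettings.exe",
              r"C:\ProgramData\SystemSettings.dll"),
    LoadEvent(r"C:\Program Files\Chiniks\SettingSyncHost.exe", "SettingSyncHost.exe",
              r"C:\Program Files\Chiniks\policymanager.dll"),
    LoadEvent(r"C:\Users\Public\updater.exe", "setup.exe", r"C:\Users\Public\helper.dll"),
    LoadEvent(r"C:\Users\Public\updater.exe", "setup.exe", r"C:\Users\Public\helper.dll"),
]

if __name__ == "__main__":
    for event, label in zip(SAMPLE_STREAM, describe_stream(SAMPLE_STREAM)):
        print(f"{label:40} {event.process_path} -> {event.dll_path}")
```

<p>The fallback label is deliberately not &#8220;benign&#8221;: as the article notes, a renamed process or a library on an unusual path is on its own only a weak signal, and in the real pipeline such events are left to the model&#8217;s probability score rather than being discarded.</p>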
  1445. <h2 id="model-evolution">Model evolution</h2>
  1446. <p>Within this project, we trained several generations of models. The primary goal of the first generation was to show that machine learning could be applied to detecting DLL hijacking at all. When training this model, we used the broadest possible interpretation of the term.</p>
  1447. <p>The model&#8217;s workflow was as simple as possible:</p>
  1448. <ol>
  1449. <li>We took a data stream and extracted a frequency description for selected sets of keys.</li>
  1450. <li>We took the same data stream from a different time period and obtained a set of features.</li>
  1451. <li>We used type 1 labeling, where events in which a legitimate process loaded a malicious library from a specified set of families were marked as DLL hijacking.</li>
  1452. <li>We trained the model on the resulting data.</li>
  1453. </ol>
  1454. <div id="attachment_117587" style="width: 654px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221117/dll-hijackingEN6.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117587" class="size-full wp-image-117587" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221117/dll-hijackingEN6.png" alt="First-generation model diagram" width="644" height="470" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221117/dll-hijackingEN6.png 644w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221117/dll-hijackingEN6-300x219.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221117/dll-hijackingEN6-480x350.png 480w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221117/dll-hijackingEN6-384x280.png 384w" sizes="auto, (max-width: 644px) 100vw, 644px" /></a><p id="caption-attachment-117587" class="wp-caption-text">First-generation model diagram</p></div>
  1455. <p>The second-generation model was trained on data that had been processed by the first-generation model and verified by analysts (labeling type 2). Consequently, the labeling was more precise than during the training of the first model. Additionally, we added more features to describe the library structure and slightly complicated the workflow for describing library loads.</p>
  1456. <div id="attachment_117588" style="width: 654px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221153/dll-hijackingEN7.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117588" class="size-full wp-image-117588" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221153/dll-hijackingEN7.png" alt="Second-generation model diagram" width="644" height="470" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221153/dll-hijackingEN7.png 644w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221153/dll-hijackingEN7-300x219.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221153/dll-hijackingEN7-480x350.png 480w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221153/dll-hijackingEN7-384x280.png 384w" sizes="auto, (max-width: 644px) 100vw, 644px" /></a><p id="caption-attachment-117588" class="wp-caption-text">Second-generation model diagram</p></div>
  1457. <p>Based on the results from this second-generation model, we were able to identify several common types of false positives. For example, the training sample included potentially unwanted applications. These can, in certain contexts, exhibit behavior similar to DLL hijacking, but they are not malicious and rarely belong to this attack type.</p>
  1458. <p>We fixed these errors in the third-generation model. First, with the help of analysts, we flagged the potentially unwanted applications in the training sample so the model would not detect them. Second, in this new version, we used an expanded labeling that included useful detections from both the first and second generations. Additionally, we expanded the feature description through one-hot encoding — a technique for converting categorical features into a binary format — for certain fields. Also, since the volume of events processed by the model increased over time, this version added normalization of all features based on the data flow size.</p>
  1459. <div id="attachment_117589" style="width: 654px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221236/dll-hijackingEN8.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117589" class="size-full wp-image-117589" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221236/dll-hijackingEN8.png" alt="Third-generation model diagram" width="644" height="470" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221236/dll-hijackingEN8.png 644w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221236/dll-hijackingEN8-300x219.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221236/dll-hijackingEN8-480x350.png 480w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221236/dll-hijackingEN8-384x280.png 384w" sizes="auto, (max-width: 644px) 100vw, 644px" /></a><p id="caption-attachment-117589" class="wp-caption-text">Third-generation model diagram</p></div>
  1460. <h2 id="comparison-of-the-models">Comparison of the models</h2>
  1461. <p>To evaluate the evolution of our models, we applied them to a test data set none of them had worked with before. The graph below shows the ratio of true positive to false positive verdicts for each model.</p>
  1462. <div id="attachment_117590" style="width: 1639px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117590" class="size-full wp-image-117590" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9.png" alt="Trends in true positives and false positives from the first-, second-, and third-generation models" width="1629" height="664" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9.png 1629w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-300x122.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-1024x417.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-768x313.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-1536x626.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-859x350.png 859w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-740x302.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-687x280.png 687w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-800x326.png 800w" sizes="auto, (max-width: 1629px) 100vw, 1629px" /></a><p id="caption-attachment-117590" class="wp-caption-text">Trends in true positives and false positives from the first-, second-, and third-generation models</p></div>
  1463. <p>As the models evolved, the true positive rate grew. While the first-generation model achieved a relatively good result (0.6 or higher) only at a very high false positive rate (10<sup>-3</sup> or more), the second-generation model reached this at 10<sup>-5</sup>. The third-generation model, at the same low false positive rate, achieved a true positive rate of 0.8, which is considered a good result.</p>
  1464. <p>Evaluating the models on the data stream at a fixed score shows that the absolute number of new events labeled as DLL hijacking increased from one generation to the next. That said, evaluating the models by their false verdict rate also helps track progress: the first model has a fairly high error rate, while the second and third generations have significantly lower ones.</p>
  1466. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>False positives rate among model outputs, July 2024 – August 2025 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/02095204/03-en-dll-hijacking-charts-1.png" target="_blank" rel="noopener">download</a>)</em></p>
  1467. <h2 id="practical-application-of-the-models">Practical application of the models</h2>
  1468. <p>All three model generations are used in our internal systems to detect likely cases of DLL hijacking within telemetry data streams. We receive 6.5 million security events daily, linked to 800,000 unique files. Aggregates are built from this sample at a specified interval, enriched, and then fed into the models. The output is ranked by model generation and by the probability of DLL hijacking assigned to the event, and is then sent to our analysts. For instance, if the third-generation model flags an event as DLL hijacking with high confidence, it should be investigated first, whereas a less definitive verdict from the first-generation model can be checked last.</p>
  1469. <p>Simultaneously, the models are tested on a separate data stream they have not seen before. This is done to assess their effectiveness over time, as a model&#8217;s detection performance can degrade. The graph below shows that the percentage of correct detections varies slightly over time, but on average, the models detect 70–80% of DLL hijacking cases.</p>
  1471. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>DLL hijacking detection trends for all three models, October 2024 – September 2025 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/02095150/04-en-dll-hijacking-charts-1.png" target="_blank" rel="noopener">download</a>)</em></p>
  1472. <p>Additionally, we recently deployed a DLL hijacking detection model into the <a href="https://www.kaspersky.com/enterprise-security/unified-monitoring-and-analysis-platform?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______e9dd8a9973100725" target="_blank" rel="noopener">Kaspersky SIEM</a>, but first we tested the model in the <a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___kmdr____8449ede27504ec48" target="_blank" rel="noopener">Kaspersky MDR</a> service. During the pilot phase, the model helped to detect and prevent a number of DLL hijacking incidents in our clients&#8217; systems. We have written <a href="https://securelist.com/detecting-dll-hijacking-with-machine-learning-in-kaspersky-siem/117567/" target="_blank" rel="noopener">a separate article</a> about how the machine learning model for detecting targeted attacks involving DLL hijacking works in Kaspersky SIEM and the incidents it has identified.</p>
  1473. <h2 id="conclusion">Conclusion</h2>
  1474. <p>Based on the training and application of the three generations of models, the experiment to detect DLL hijacking using machine learning was a success. We were able to develop a model that distinguishes events resembling DLL hijacking from other events, and refined it to a state suitable for practical use, not only in our internal systems but also in commercial products. Currently, the models operate in the cloud, scanning hundreds of thousands of unique files per month and detecting thousands of files used in DLL hijacking attacks each month. They regularly identify previously unknown variations of these attacks. The results from the models are sent to analysts who verify them and create new detection rules based on their findings.</p>
  1475. ]]></content:encoded>
  1476. <wfw:commentRss>https://securelist.com/building-ml-model-to-detect-dll-hijacking/117565/feed/</wfw:commentRss>
  1477. <slash:comments>0</slash:comments>
  1478. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30133010/SL-ML-model-training-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
  1479. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30133010/SL-ML-model-training-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
  1480. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30133010/SL-ML-model-training-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
  1481. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30133010/SL-ML-model-training-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1482. </item>
  1483. <item>
  1484. <title>Detecting DLL hijacking with machine learning: real-world cases</title>
  1485. <link>https://securelist.com/detecting-dll-hijacking-with-machine-learning-in-kaspersky-siem/117567/</link>
  1486. <comments>https://securelist.com/detecting-dll-hijacking-with-machine-learning-in-kaspersky-siem/117567/#respond</comments>
  1487. <dc:creator><![CDATA[Gleb Ivanov, Andrey Gunkin]]></dc:creator>
  1488. <pubDate>Mon, 06 Oct 2025 08:00:08 +0000</pubDate>
  1489. <category><![CDATA[Security technologies]]></category>
  1490. <category><![CDATA[Security technology]]></category>
  1491. <category><![CDATA[Machine learning]]></category>
  1492. <category><![CDATA[DLL hijacking]]></category>
  1493. <category><![CDATA[Threat hunting]]></category>
  1494. <category><![CDATA[DLL sideloading]]></category>
  1495. <category><![CDATA[Cybersecurity]]></category>
  1496. <category><![CDATA[Artificial intelligence]]></category>
  1497. <category><![CDATA[DLL]]></category>
  1498. <category><![CDATA[SIEM]]></category>
  1499. <category><![CDATA[Cybersecurity]]></category>
  1500. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117567</guid>
  1501.  
  1502. <description><![CDATA[We will tell you how we integrated a DLL Hijacking detection model into the Kaspersky SIEM platform and how it helped us uncover several incidents in their early stages.]]></description>
  1503. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30120509/SL-DLL-Hicjacking-detection-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
  1504. <p>Our colleagues from the AI expertise center recently developed a machine-learning model that detects DLL-hijacking attacks. We then integrated this model into the <a href="https://www.kaspersky.com/enterprise-security/unified-monitoring-and-analysis-platform?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______e9dd8a9973100725" target="_blank" rel="noopener">Kaspersky Unified Monitoring and Analysis Platform</a> SIEM system. In <a href="https://securelist.com/building-ml-model-to-detect-dll-hijacking/117565/" target="_blank" rel="noopener">a separate article</a>, our colleagues shared how the model had been created and what success they had achieved in lab environments. Here, we focus on how it operates within Kaspersky SIEM, the preparation steps taken before its release, and some real-world incidents it has already helped us uncover.</p>
  1505. <h2 id="how-the-model-works-in-kaspersky-siem">How the model works in Kaspersky SIEM</h2>
  1506. <p>The model&#8217;s operation generally boils down to a step-by-step check of all DLL libraries loaded by processes in the system, followed by validation in the Kaspersky Security Network (KSN) cloud. This approach allows local attributes (path, process name, and file hashes) to be combined with a global knowledge base and behavioral indicators, which significantly improves detection quality and reduces the probability of false positives.</p>
  1507. <p>The model can run in one of two modes: on a correlator or on a collector. A correlator is a SIEM component that performs event analysis and correlation based on predefined rules or algorithms. If detection is configured on a correlator, the model checks events that have already triggered a rule. This reduces the volume of KSN queries and the model&#8217;s response time.</p>
  1508. <p>This is how it looks:</p>
  1509. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117570" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2.png" alt="" width="984" height="395" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2.png 984w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2-300x120.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2-768x308.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2-872x350.png 872w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2-740x297.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2-698x280.png 698w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2-800x321.png 800w" sizes="auto, (max-width: 984px) 100vw, 984px" /></a></p>
  1510. <p>A collector is a software or hardware component of a SIEM platform that collects and normalizes events from various sources, and then delivers these events to the platform&#8217;s core. If detection is configured on a collector, the model processes all events associated with various processes loading libraries, provided these events meet the following conditions:</p>
  1511. <ul>
  1512. <li>The path to the process file is known.</li>
  1513. <li>The path to the library is known.</li>
  1514. <li>The hashes of the file and the library are available.</li>
  1515. </ul>
  1516. <p>This method consumes more resources, and the model&#8217;s response takes longer than it does on a correlator. However, it can be useful for retrospective threat hunting because it allows you to check all events logged by Kaspersky SIEM. The model&#8217;s workflow on a collector looks like this:</p>
  1517. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117572" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4.png" alt="" width="984" height="366" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4.png 984w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4-300x112.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4-768x286.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4-941x350.png 941w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4-740x275.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4-753x280.png 753w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4-800x298.png 800w" sizes="auto, (max-width: 984px) 100vw, 984px" /></a></p>
  1518. <p>It is important to note that the model is not limited to a binary &#8220;malicious/non-malicious&#8221; assessment; it ranks its responses by confidence level. This allows it to be used as a flexible tool in SOC practice. Examples of possible verdicts:</p>
  1519. <ul>
  1520. <li>0: data is being processed.</li>
  1521. <li>1: maliciousness not confirmed. This means the model currently does not consider the library malicious.</li>
  1522. <li>2: suspicious library.</li>
  1523. <li>3: maliciousness confirmed.</li>
  1524. </ul>
  1525. <p>A Kaspersky SIEM rule for detecting DLL hijacking would look like this:</p><pre class="urvanov-syntax-highlighter-plain-tag">N.KL_AI_DLLHijackingCheckResult &gt; 1</pre><p>
  1526. Embedding the model into the Kaspersky SIEM correlator automates the process of finding DLL-hijacking attacks, making it possible to detect them at scale without having to manually analyze hundreds or thousands of loaded libraries. Furthermore, when combined with correlation rules and telemetry sources, the model can be used not just as a standalone module but as part of a comprehensive defense against infrastructure attacks.</p>
  1527. <h2 id="incidents-detected-during-the-pilot-testing-of-the-model-in-the-mdr-service">Incidents detected during the pilot testing of the model in the MDR service</h2>
  1528. <p>Before being released, the model (as part of the Kaspersky SIEM platform) was tested in the <a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___kmdr____8449ede27504ec48" target="_blank" rel="noopener">MDR</a> service, where it was trained to identify attacks on large datasets supplied by our telemetry. This step was necessary to ensure that detection works not only in lab settings but also in real client infrastructures.</p>
  1529. <p>During the pilot testing, we verified the model&#8217;s resilience to false positives and its ability to correctly classify behavior even in non-typical DLL-loading scenarios. As a result, several real-world incidents were successfully detected where attackers used one type of DLL hijacking — the DLL Sideloading technique — to gain persistence and execute their code in the system.</p>
  1530. <p>Let us take a closer look at the three most interesting of these.</p>
  1531. <h3 id="incident-1-toddycat-trying-to-launch-cobalt-strike-disguised-as-a-system-library">Incident 1. ToddyCat trying to launch Cobalt Strike disguised as a system library</h3>
  1532. <p>In one incident, the attackers successfully leveraged the vulnerability <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27076" target="_blank" rel="noopener">CVE-2021-27076</a> to exploit a SharePoint service that used IIS as a web server. They ran the following command:</p><pre class="urvanov-syntax-highlighter-plain-tag">c:\windows\system32\inetsrv\w3wp.exe -ap "SharePoint - 80" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iisipmd32ded38-e45b-423f-804d-34471928538b -h "C:\inetpub\temp\apppools\SharePoint - 80\SharePoint - 80.config" -w "" -m 0</pre><p>
  1533. After the exploitation, the IIS process created files that were later used to run malicious code via the DLL sideloading technique (<a href="https://attack.mitre.org/techniques/T1574/001/" target="_blank" rel="noopener">T1574.001 Hijack Execution Flow: DLL</a>):</p><pre class="urvanov-syntax-highlighter-plain-tag">C:\ProgramData\SystemSettings.exe
  1534. C:\ProgramData\SystemSettings.dll</pre><p>
  1535. SystemSettings.dll is the name of a library associated with the Windows Settings application (SystemSettings.exe). The original library contains code and data that the Settings application uses to manage and configure various system parameters. However, the library created by the attackers has malicious functionality and is only pretending to be a system library.</p>
  1536. <p>Later, to establish persistence in the system and launch a DLL sideloading attack, a scheduled task was created, disguised as a Microsoft Edge browser update. It launches a SystemSettings.exe file, which is located in the same directory as the malicious library:</p><pre class="urvanov-syntax-highlighter-plain-tag">Schtasks  /create  /ru "SYSTEM" /tn "\Microsoft\Windows\Edge\Edgeupdates" /sc DAILY /tr "C:\ProgramData\SystemSettings.exe" /F</pre><p>
  1537. The task is set to run daily.</p>
  1538. <p>When the SystemSettings.exe process is launched, it loads the malicious DLL. As this happened, the process and library data were sent to our model for analysis and detection of a potential attack.</p>
  1539. <div id="attachment_117573" style="width: 693px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117573" class="size-full wp-image-117573" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3.png" alt="Example of a SystemSettings.dll load event with a DLL Hijacking module verdict in Kaspersky SIEM" width="683" height="1082" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3.png 683w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3-189x300.png 189w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3-646x1024.png 646w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3-221x350.png 221w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3-631x1000.png 631w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3-177x280.png 177w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3-568x900.png 568w" sizes="auto, (max-width: 683px) 100vw, 683px" /></a><p id="caption-attachment-117573" class="wp-caption-text">Example of a SystemSettings.dll load event with a DLL Hijacking module verdict in Kaspersky SIEM</p></div>
  1540. <p>The resulting data helped our analysts highlight a suspicious DLL and analyze it in detail. The library was found to be a <a href="https://tip.kaspersky.com/landscape/software/S0353" target="_blank" rel="noopener">Cobalt Strike</a> implant. After loading it, the SystemSettings.exe process attempted to connect to the attackers&#8217; command-and-control server.</p><pre class="urvanov-syntax-highlighter-plain-tag">DNS query: connect-microsoft[.]com
  1541. DNS query type: AAAA
  1542. DNS response: ::ffff:8.219.1[.]155;
  1543. 8.219.1[.]155:8443</pre><p>
  1544. After establishing a connection, the attackers began host reconnaissance to gather various data to develop their attack.</p><pre class="urvanov-syntax-highlighter-plain-tag">C:\ProgramData\SystemSettings.exe
  1545. whoami /priv
  1546. hostname
  1547. reg query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid
  1548. powershell -c $psversiontable
  1549. dotnet --version
  1550. systeminfo
  1551. reg query "HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Drivers"
  1552. cmdkey /list
  1553. REG query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
  1554. reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
  1555. netsh wlan show profiles
  1556. netsh wlan show interfaces
  1557. set
  1558. net localgroup administrators
  1559. net user
  1560. net user administrator
  1561. ipconfig /all
  1562. net config workstation
  1563. net view
  1564. arp -a
  1565. route print
  1566. netstat -ano
  1567. tasklist
  1568. schtasks /query /fo LIST /v
  1569. net start
  1570. net share
  1571. net use
  1572. netsh firewall show config
  1573. netsh firewall show state
  1574. net view /domain
  1575. net time /domain
  1576. net group "domain admins" /domain
  1577. net localgroup administrators /domain
  1578. net group "domain controllers" /domain
  1579. net accounts /domain
  1580. nltest / domain_trusts
  1581. reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  1582. reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  1583. reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  1584. reg query HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  1585. reg query HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce</pre><p>
  1586. Based on the attackers&#8217; TTPs, such as <a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank" rel="noopener">loading Cobalt Strike as a DLL</a>, using the DLL sideloading technique (<a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank" rel="noopener">1</a>, <a href="https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/" target="_blank" rel="noopener">2</a>), and exploiting SharePoint, we can say with a high degree of confidence that the <a href="https://securelist.com/tag/toddycat/" target="_blank" rel="noopener">ToddyCat APT group</a> was behind the attack. Thanks to the model&#8217;s prompt verdict, we were able to respond in time and block this activity, preventing the attackers from causing damage to the organization.</p>
  1587. <h3 id="incident-2-infostealer-masquerading-as-a-policy-manager">Incident 2. Infostealer masquerading as a policy manager</h3>
  1588. <p>Another example was discovered by the model after a client was connected to MDR monitoring: a legitimate system file located in an application folder attempted to load a suspicious library that was stored next to it.</p><pre class="urvanov-syntax-highlighter-plain-tag">C:\Program Files\Chiniks\SettingSyncHost.exe
  1589. C:\Program Files\Chiniks\policymanager.dll E83F331BD1EC115524EBFF7043795BBE</pre><p>
  1590. The SettingSyncHost.exe file is a system host process for synchronizing settings between one user&#8217;s different devices. Its 32-bit and 64-bit versions are usually located in C:\Windows\System32\ and C:\Windows\SysWOW64\, respectively. In this incident, the file location differed from the normal one.</p>
  1591. <div id="attachment_117574" style="width: 877px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117574" class="size-full wp-image-117574" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4.png" alt="Example of a policymanager.dll load event with a DLL Hijacking module verdict in Kaspersky SIEM" width="867" height="818" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4.png 867w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4-300x283.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4-768x725.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4-371x350.png 371w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4-740x698.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4-297x280.png 297w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4-800x755.png 800w" sizes="auto, (max-width: 867px) 100vw, 867px" /></a><p id="caption-attachment-117574" class="wp-caption-text">Example of a policymanager.dll load event with a DLL Hijacking module verdict in Kaspersky SIEM</p></div>
  1592. <p>Analysis of the library file loaded by this process showed that it was malware designed to steal information from browsers.</p>
  1593. <div id="attachment_117575" style="width: 984px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117575" class="size-full wp-image-117575" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5.png" alt="Graph of policymanager.dll activity in a sandbox" width="974" height="503" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5.png 974w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5-300x155.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5-768x397.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5-678x350.png 678w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5-740x382.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5-542x280.png 542w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5-800x413.png 800w" sizes="auto, (max-width: 974px) 100vw, 974px" /></a><p id="caption-attachment-117575" class="wp-caption-text">Graph of policymanager.dll activity in a sandbox</p></div>
  1594. <p>The file directly accesses browser files that contain user data.</p><pre class="urvanov-syntax-highlighter-plain-tag">C:\Users\&lt;user&gt;\AppData\Local\Google\Chrome\User Data\Local State</pre><p>
  1595. The library file is on the list of files used for DLL hijacking, as published in the HijackLibs project. The project contains a list of common processes and libraries employed in DLL-hijacking attacks, which can be used to detect these attacks.</p>
  1596. <h3 id="incident-3-malicious-loader-posing-as-a-security-solution">Incident 3. Malicious loader posing as a security solution</h3>
  1597. <p>Another incident discovered by our model occurred when a user connected a removable USB drive:</p>
  1598. <div id="attachment_117576" style="width: 984px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117576" class="size-full wp-image-117576" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6.png" alt="Example of a Kaspersky SIEM event where a wsc.dll library was loaded from a USB drive, with a DLL Hijacking module verdict" width="974" height="894" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6.png 974w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6-300x275.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6-768x705.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6-381x350.png 381w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6-740x679.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6-305x280.png 305w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6-800x734.png 800w" sizes="auto, (max-width: 974px) 100vw, 974px" /></a><p id="caption-attachment-117576" class="wp-caption-text">Example of a Kaspersky SIEM event where a wsc.dll library was loaded from a USB drive, with a DLL Hijacking module verdict</p></div>
  1599. <p>The connected drive contained hidden folders, each paired with a shortcut of the same name. The shortcuts used the icon typically shown for folders, and because file extensions were not displayed by default, the user could mistake a shortcut for a folder and launch it. In turn, the shortcut opened the corresponding hidden folder and ran an executable file using the following command:</p><pre class="urvanov-syntax-highlighter-plain-tag">"%comspec%" /q /c "RECYCLER.BIN\1\CEFHelper.exe [$DIGITS] [$DIGITS]"</pre><p>
  1600. CEFHelper.exe is a legitimate Avast Antivirus executable that, through DLL sideloading, loaded the wsc.dll library, which is a malicious loader.</p>
  1601. <div id="attachment_117577" style="width: 461px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221216/detecting-dll-hijacking7.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117577" class="size-full wp-image-117577" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221216/detecting-dll-hijacking7.png" alt="Code snippet from the malicious file" width="451" height="485" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221216/detecting-dll-hijacking7.png 451w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221216/detecting-dll-hijacking7-279x300.png 279w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221216/detecting-dll-hijacking7-325x350.png 325w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221216/detecting-dll-hijacking7-260x280.png 260w" sizes="auto, (max-width: 451px) 100vw, 451px" /></a><p id="caption-attachment-117577" class="wp-caption-text">Code snippet from the malicious file</p></div>
  1602. <p>The loader opens a file named AvastAuth.dat, which contains an encrypted backdoor. The library reads the data from the file into memory, decrypts it, and executes it. After this, the backdoor attempts to connect to a remote command-and-control server.</p>
  1603. <p>The library file, which contains the malicious loader, is on the list of known libraries used for DLL sideloading, as presented on the HijackLibs project website.</p>
  1604. <h2 id="conclusion">Conclusion</h2>
  1605. <p>Integrating the model into the product provided the means of early and accurate detection of DLL-hijacking attempts which previously might have gone unnoticed. Even during the pilot testing, the model proved its effectiveness by identifying several incidents using this technique. Going forward, its accuracy will only increase as data accumulates and algorithms are updated in KSN, making this mechanism a reliable element of proactive protection for corporate systems.</p>
  1606. <h2 id="ioc">IoC</h2>
  1607. <p><strong>Legitimate files used for DLL hijacking<br />
  1608. </strong>E0E092D4EFC15F25FD9C0923C52C33D6 loads SystemSettings.dll<br />
  1609. 09CD396C8F4B4989A83ED7A1F33F5503 loads policymanager.dll<br />
  1610. A72036F635CECF0DCB1E9C6F49A8FA5B loads wsc.dll</p>
  1611. <p><strong>Malicious files</strong><br />
  1612. <a href="https://opentip.kaspersky.com/ea2882b05f8c11a285426f90859f23c6/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______20de3dc00773942a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">EA2882B05F8C11A285426F90859F23C6</a>   SystemSettings.dll<br />
  1613. <a href="https://opentip.kaspersky.com/e83f331bd1ec115524ebff7043795bbe/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______cbf93adf43b574f2&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">E83F331BD1EC115524EBFF7043795BBE</a>   policymanager.dll<br />
  1614. <a href="https://opentip.kaspersky.com/831252e7fa9bd6fa174715647ebce516/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______01488fcf88e4ecaf&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">831252E7FA9BD6FA174715647EBCE516</a>   wsc.dll</p>
  1615. <p><strong>Paths</strong><br />
  1616. C:\ProgramData\SystemSettings.exe<br />
  1617. C:\ProgramData\SystemSettings.dll<br />
  1618. C:\Program Files\Chiniks\SettingSyncHost.exe<br />
  1619. C:\Program Files\Chiniks\policymanager.dll<br />
  1620. D:\RECYCLER.BIN\1\CEFHelper.exe<br />
  1621. D:\RECYCLER.BIN\1\wsc.dll</p>
  1622. ]]></content:encoded>
  1623. <wfw:commentRss>https://securelist.com/detecting-dll-hijacking-with-machine-learning-in-kaspersky-siem/117567/feed/</wfw:commentRss>
  1624. <slash:comments>0</slash:comments>
  1625. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30120509/SL-DLL-Hicjacking-detection-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
  1626. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30120509/SL-DLL-Hicjacking-detection-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
  1627. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30120509/SL-DLL-Hicjacking-detection-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
  1628. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30120509/SL-DLL-Hicjacking-detection-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1629. </item>
  1630. </channel>
  1631. </rss>
  1632.  
