FEED Validator

for Atom and RSS and KML

Congratulations!

This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

line 55, column 0: content:encoded should not contain decoding attribute (83 occurrences) [help]
```
										<content:encoded><![CDATA[<p><img width="990" height="400" src="ht ...
```
line 55, column 0: content:encoded should not contain loading attribute (80 occurrences) [help]
```
										<content:encoded><![CDATA[<p><img width="990" height="400" src="ht ...
```
line 71, column 0: content:encoded should not contain fetchpriority attribute [help]
```
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/4 ...
```
line 71, column 0: content:encoded should not contain sizes attribute (73 occurrences) [help]
```
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/4 ...
```
line 278, column 3: content:encoded should not contain relative URL references: #loader [help]
```
]]></content:encoded>
   ^
```
line 327, column 0: content:encoded should not contain aria-describedby attribute (46 occurrences) [help]
```
<div id="attachment_117597" style="width: 690px" class="wp-caption aligncent ...
```
line 383, column 0: content:encoded should not contain data-id attribute (7 occurrences) [help]
```
<div class="js-infogram-embed" data-id="_/PYFxzOySORx2YCuG6lUv" data-type="i ...
```
line 383, column 0: content:encoded should not contain data-type attribute (7 occurrences) [help]
```
<div class="js-infogram-embed" data-id="_/PYFxzOySORx2YCuG6lUv" data-type="i ...
```
line 383, column 0: content:encoded should not contain data-title attribute (7 occurrences) [help]
```
<div class="js-infogram-embed" data-id="_/PYFxzOySORx2YCuG6lUv" data-type="i ...
```
line 383, column 0: style attribute contains potentially dangerous content: min-height (14 occurrences) [help]
```
<div class="js-infogram-embed" data-id="_/PYFxzOySORx2YCuG6lUv" data-type="i ...
```
line 496, column 0: content:encoded should not contain script tag (3 occurrences) [help]
```
<p><script data-b24-form="inline/1808/7dlezh" data-skip-moving="true">
```

Source: http://securelist.com/feed/

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>
<channel>
<title>Securelist</title>
<atom:link href="https://securelist.com/feed/" rel="self" type="application/rss+xml" />
<link>https://securelist.com</link>
<description></description>
<lastBuildDate>Wed, 15 Oct 2025 13:03:12 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>
hourly </sy:updatePeriod>
<sy:updateFrequency>
1 </sy:updateFrequency>
<generator>https://wordpress.org/?v=6.8.3</generator>
<image>
<url>https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06125514/cropped-sl_favicon-32x32.png</url>
<title>Securelist</title>
<link>https://securelist.com</link>
<width>32</width>
<height>32</height>
</image>
<item>
<title>Maverick: a new banking Trojan abusing WhatsApp in a mass-scale distribution</title>
<link>https://securelist.com/maverick-banker-distributing-via-whatsapp/117715/</link>
<comments>https://securelist.com/maverick-banker-distributing-via-whatsapp/117715/#respond</comments>
<dc:creator><![CDATA[GReAT]]></dc:creator>
<pubDate>Wed, 15 Oct 2025 13:00:43 +0000</pubDate>
<category><![CDATA[Malware descriptions]]></category>
<category><![CDATA[Malware Technologies]]></category>
<category><![CDATA[Microsoft Internet Explorer]]></category>
<category><![CDATA[Firefox]]></category>
<category><![CDATA[Google Chrome]]></category>
<category><![CDATA[Malware Descriptions]]></category>
<category><![CDATA[Malware]]></category>
<category><![CDATA[Trojan Banker]]></category>
<category><![CDATA[Trojan]]></category>
<category><![CDATA[Brazil]]></category>
<category><![CDATA[Microsoft Edge]]></category>
<category><![CDATA[Coyote]]></category>
<category><![CDATA[Maverick]]></category>
<category><![CDATA[Financial threats]]></category>
<category><![CDATA[Windows malware]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117715</guid>
<description><![CDATA[A malware campaign was recently detected in Brazil, distributing a malicious LNK file using WhatsApp. It delivered a new Maverick banker, which features code overlaps with Coyote malware.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15073641/SL-Maverick-Brazilian-banker-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>A malware campaign was recently detected in Brazil, distributing a malicious LNK file using WhatsApp. It targets mainly Brazilians and uses Portuguese-named URLs. To evade detection, the command-and-control (C2) server verifies each download to ensure it originates from the malware itself.<br />
The whole infection chain is complex and fully fileless, and by the end, it will deliver a new banking Trojan named Maverick, which contains many code overlaps with <a href="https://securelist.com/coyote-multi-stage-banking-trojan/111846/" target="_blank" rel="noopener">Coyote</a>. In this blog post, we detail the entire infection chain, encryption algorithm, and its targets, as well as discuss the similarities with known threats.</p>
<h2 id="key-findings">Key findings:</h2>
<ul>
<li>A massive campaign disseminated through WhatsApp distributed the new Brazilian banking Trojan named “Maverick” through ZIP files containing a malicious LNK file, which is not blocked on the messaging platform.</li>
<li>Once installed, the Trojan uses the open-source project WPPConnect to automate the sending of messages in hijacked accounts via WhatsApp Web, taking advantage of the access to send the malicious message to contacts.</li>
<li>The new Trojan features code similarities with another Brazilian banking Trojan called <a href="https://securelist.com/coyote-multi-stage-banking-trojan/111846/" target="_blank" rel="noopener">Coyote</a>; however, we consider Maverick to be a new threat.</li>
<li>The Maverick Trojan checks the time zone, language, region, and date and time format on infected machines to ensure the victim is in Brazil; otherwise, the malware will not be installed.</li>
<li>The banking Trojan can fully control the infected computer, taking screenshots, monitoring open browsers and websites, installing a keylogger, controlling the mouse, blocking the screen when accessing a banking website, terminating processes, and opening phishing pages in an overlay. It aims to capture banking credentials.</li>
<li>Once active, the new Trojan will monitor the victims’ access to 26 Brazilian bank websites, 6 cryptocurrency exchange websites, and 1 payment platform.</li>
<li>All infections are modular and performed in memory, with minimal disk activity, using PowerShell, .NET, and shellcode encrypted using Donut.</li>
<li>The new Trojan uses AI in the code-writing process, especially in certificate decryption and general code development.</li>
<li>Our solutions have blocked 62 thousand infection attempts using the malicious LNK file in the first 10 days of October, only in Brazil.</li>
</ul>
<h2 id="initial-infection-vector">Initial infection vector</h2>
<p>The infection chain works according to the diagram below:</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01.png" class="magnificImage"><img fetchpriority="high" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01.png" alt="" width="2093" height="731" class="aligncenter size-full wp-image-117756" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01.png 2093w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-300x105.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-1024x358.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-768x268.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-1536x536.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-2048x715.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-1002x350.png 1002w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-740x258.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-802x280.png 802w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-800x279.png 800w" sizes="(max-width: 2093px) 100vw, 2093px" /></a></p>
<p>The infection begins when the victim receives a malicious .LNK file inside a ZIP archive via a WhatsApp message. The filename can be generic, or it can pretend to be from a bank:</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd.jpg" class="magnificImage"><img decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd.jpg" alt="" width="1009" height="546" class="aligncenter size-full wp-image-117757" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd.jpg 1009w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd-300x162.jpg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd-768x416.jpg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd-647x350.jpg 647w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd-740x400.jpg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd-517x280.jpg 517w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd-800x433.jpg 800w" sizes="(max-width: 1009px) 100vw, 1009px" /></a></p>
<p>The message said, <em>“Visualization allowed only in computers. In case you’re using the Chrome browser, choose “keep file” because it’s a zipped file”.</em></p>
<p>The LNK is encoded to execute cmd.exe with the following arguments:</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5.png" class="magnificImage"><img decoding="async" class="aligncenter size-full wp-image-117718" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5.png" alt="" width="2048" height="111" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-300x16.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-1024x56.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-768x42.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-1536x83.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-740x40.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-1600x87.png 1600w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-800x43.png 800w" sizes="(max-width: 2048px) 100vw, 2048px" /></a></p>
<p>The decoded commands point to the execution of a PowerShell script:</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117720" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1.png" alt="" width="1633" height="39" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1.png 1633w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-300x7.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-1024x24.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-768x18.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-1536x37.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-740x18.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-1600x38.png 1600w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-800x19.png 800w" sizes="auto, (max-width: 1633px) 100vw, 1633px" /></a></p>
<p>The command will contact the C2 to download another PowerShell script. It is important to note that the C2 also validates the “User-Agent” of the HTTP request to ensure that it is coming from the PowerShell command. This is why, without the correct “User-Agent”, the C2 returns an HTTP 401 code.</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd.png" alt="" width="1615" height="883" class="aligncenter size-full wp-image-117758" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd.png 1615w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-300x164.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-1024x560.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-768x420.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-1536x840.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-640x350.png 640w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-740x405.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-512x280.png 512w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-800x437.png 800w" sizes="auto, (max-width: 1615px) 100vw, 1615px" /></a></p>
<p>The entry script is used to decode an embedded .NET file, and all of this occurs only in memory. The .NET file is decoded by dividing each byte by a specific value; in the script above, the value is “174”. The PE file is decoded and is then loaded as a .NET assembly within the PowerShell process, making the entire infection fileless, that is, without files on disk.<br />
<a name="loader"></a></p>
<h3 id="initial-net-loader">Initial .NET loader</h3>
<p>The initial .NET loader is heavily obfuscated using Control Flow Flattening and indirect function calls, storing them in a large vector of functions and calling them from there. In addition to obfuscation, it also uses random method and variable names to hinder analysis. Nevertheless, after our analysis, we were able to reconstruct (to a certain extent) its main flow, which consists of downloading and decrypting two payloads.</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117722" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16.png" alt="" width="2048" height="840" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-300x123.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-1024x420.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-768x315.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-1536x630.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-853x350.png 853w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-740x304.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-683x280.png 683w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-800x328.png 800w" sizes="auto, (max-width: 2048px) 100vw, 2048px" /></a></p>
<p>The obfuscation does not hide the method’s variable names, which means it is possible to reconstruct the function easily if the same function is reused elsewhere. Most of the functions used in this initial stage are the same ones used in the final stage of the banking Trojan, which is not obfuscated. The sole purpose of this stage is to download two encrypted shellcodes from the C2. To request them, an API exposed by the C2 on the “/api/v1/” routes will be used. The requested URL is as follows:</p>
<ul>
<li>hxxps://sorvetenopote.com/api/v1/3d045ada0df942c983635e</li>
</ul>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117723" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4.png" alt="" width="1788" height="315" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4.png 1788w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-300x53.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-1024x180.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-768x135.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-1536x271.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-740x130.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-1589x280.png 1589w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-800x141.png 800w" sizes="auto, (max-width: 1788px) 100vw, 1788px" /></a></p>
<p>To communicate with its API, it sends the API key in the “X-Request-Headers” field of the HTTP request header. The API key used is calculated locally using the following algorithm:</p>
<ul>
<li>“Base64(HMAC256(Key))”</li>
</ul>
<p>The HMAC is used to sign messages with a specific key; in this case, the threat actor uses it to generate the “API Key” using the HMAC key “MaverickZapBot2025SecretKey12345”. The signed data sent to the C2 is “3d045ada0df942c983635e|1759847631|MaverickBot”, where each segment is separated by “|”. The first segment refers to the specific resource requested (the first encrypted shellcode), the second is the infection’s timestamp, and the last, “MaverickBot”, indicates that this C2 protocol may be used in future campaigns with different variants of this threat. This ensures that tools like “wget” or HTTP downloaders cannot download this stage, only the malware.</p>
<p>Upon response, the encrypted shellcode is a loader using Donut. At this point, the initial loader will start and follow two different execution paths: another loader for its WhatsApp infector and the final payload, which we call “MaverickBanker”. Each Donut shellcode embeds a .NET executable. The shellcode is encrypted using a XOR implementation, where the key is stored in the last bytes of the binary returned by the C2. The algorithm to decrypt the shellcode is as follows:</p>
<ul>
<li>Extract the last 4 bytes (int32) from the binary file; this indicates the size of the encryption key.</li>
<li>Walk backwards until you reach the beginning of the encryption key (file size – 4 – key_size).</li>
<li>Get the XOR key.</li>
<li>Apply the XOR to the entire file using the obtained key.</li>
</ul>
<h2 id="whatsapp-infector-downloader">WhatsApp infector downloader</h2>
<p>After the second Donut shellcode is decrypted and started, it will load another downloader using the same obfuscation method as the previous one. It behaves similarly, but this time it will download a PE file instead of a Donut shellcode. This PE file is another .NET assembly that will be loaded into the process as a module.</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117724" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9.png" alt="" width="2045" height="818" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9.png 2045w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-300x120.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-1024x410.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-768x307.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-1536x614.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-875x350.png 875w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-740x296.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-700x280.png 700w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-800x320.png 800w" sizes="auto, (max-width: 2045px) 100vw, 2045px" /></a></p>
<p>One of the namespaces used by this .NET executable is named “Maverick.StageOne,” which is considered by the attacker to be the first one to be loaded. This download stage is used exclusively to download the WhatsApp infector in the same way as the previous stage. The main difference is that this time, it is not an encrypted Donut shellcode, but another .NET executable—the WhatsApp infector—which will be used to hijack the victim’s account and use it to spam their contacts in order to spread itself.</p>
<p>This module, which is also obfuscated, is the WhatsApp infector and represents the final payload in the infection chain. It includes a script from <a href="https://github.com/wppconnect-team/wppconnect" target="_blank" rel="noopener">WPPConnect</a>, an open-source WhatsApp automation project, as well as the Selenium browser executable, used for web automation.</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117725" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8.png" alt="" width="1841" height="745" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8.png 1841w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-300x121.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-1024x414.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-768x311.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-1536x622.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-990x400.png 990w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-865x350.png 865w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-740x299.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-692x280.png 692w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-800x324.png 800w" sizes="auto, (max-width: 1841px) 100vw, 1841px" /></a></p>
<p>The executable’s namespace name is “ZAP”, a very common word in Brazil to refer to WhatsApp. These files use almost the same obfuscation techniques as the previous examples, but the method’s variable names remain in the source code. The main behavior of this stage is to locate the WhatsApp window in the browser and use WPPConnect to instrument it, causing the infected victim to send messages to their contacts and thus spread again. The file sent depends on the “MaverickBot” executable, which will be discussed in the next section.</p>
<h2 id="maverick-the-banking-trojan">Maverick, the banking Trojan</h2>
<p>The Maverick Banker comes from a different execution branch than the WhatsApp infector; it is the result of the second Donut shellcode. There are no additional download steps to execute it. This is the main payload of this campaign and is embedded within another encrypted executable named “Maverick Agent,” which performs extended activities on the machine, such as contacting the C2 and keylogging. It is described in the next section.</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117726" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10.png" alt="" width="1443" height="1124" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10.png 1443w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-300x234.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-1024x798.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-768x598.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-449x350.png 449w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-740x576.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-359x280.png 359w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-800x623.png 800w" sizes="auto, (max-width: 1443px) 100vw, 1443px" /></a></p>
<p>Upon the initial loading of Maverick Banker, it will attempt to register persistence using the startup folder. At this point, if persistence does not exist, by checking for the existence of a .bat file in the “Startup” directory, it will not only check for the file’s existence but also perform a pattern match to see if the string “for %%” is present, which is part of the initial loading process. If such a file does not exist, it will generate a new “GUID” and remove the first 6 characters. The persistence batch script will then be stored as:</p>
<ul>
<li>“C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\” + “HealthApp-” + GUID + “.bat”.</li>
</ul>
<p>Next, it will generate the bat command using the hardcoded URL, which in this case is:</p>
<ul>
<li>“hxxps://sorvetenopote.com” + “/api/itbi/startup/” + NEW_GUID.</li>
</ul>
<p>In the command generation function, it is possible to see the creation of an entirely new obfuscated PowerShell script.</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd.png" alt="" width="1719" height="631" class="aligncenter size-full wp-image-117759" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd.png 1719w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-300x110.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-1024x376.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-768x282.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-1536x564.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-953x350.png 953w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-740x272.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-763x280.png 763w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-800x294.png 800w" sizes="auto, (max-width: 1719px) 100vw, 1719px" /></a></p>
<p>First, it will create a variable named “$URL” and assign it the content passed as a parameter, create a “Net.WebClient” object, and call the “DownloadString.Invoke($URL)” function. Immediately after creating these small commands, it will encode them in base64. In general, the script will create a full obfuscation using functions to automatically and randomly generate blocks in PowerShell. The persistence script reassembles the initial LNK file used to start the infection.</p>
<p>This persistence mechanism seems a bit strange at first glance, as it always depends on the C2 being online. However, it is in fact clever, since the malware would not work without the C2. Thus, saving only the bootstrap .bat file ensures that the entire infection remains in memory. If persistence is achieved, it will start its true function, which is mainly to monitor browsers to check if they open banking pages.</p>
<p>The browsers running on the machine are checked for possible domains accessed on the victim’s machine to verify the web page visited by the victim. The program will use the current foreground window (window in focus) and its PID; with the PID, it will extract the process name. Monitoring will only continue if the victim is using one of the following browsers:</p>
<p>* Chrome<br />
* Firefox<br />
* MS Edge<br />
* Brave<br />
* Internet Explorer<br />
* Specific bank web browser</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3.png" alt="" width="1814" height="636" class="aligncenter size-full wp-image-117760" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3.png 1814w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-300x105.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-1024x359.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-768x269.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-1536x539.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-998x350.png 998w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-740x259.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-799x280.png 799w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-800x280.png 800w" sizes="auto, (max-width: 1814px) 100vw, 1814px" /></a></p>
<p>If any browser from the list above is running, the malware will use UI Automation to extract the title of the currently open tab and use this information with a predefined list of target online banking sites to determine whether to perform any action on them. The list of target banks is compressed with gzip, encrypted using AES-256, and stored as a base64 string. The AES initialization vector (IV) is stored in the first 16 bytes of the decoded base64 data, and the key is stored in the next 32 bytes. The actual encrypted data begins at offset 48.</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd.png" alt="" width="1689" height="1528" class="aligncenter size-full wp-image-117761" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd.png 1689w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-300x271.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-1024x926.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-768x695.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-1536x1390.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-387x350.png 387w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-740x669.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-310x280.png 310w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-800x724.png 800w" sizes="auto, (max-width: 1689px) 100vw, 1689px" /></a></p>
<p>This encryption mechanism is the same one used by <a href="https://securelist.com/coyote-multi-stage-banking-trojan/111846/" target="_blank" rel="noopener">Coyote</a>, a banking Trojan also written in .NET and documented by us in early 2024.</p>
<p>If any of these banks are found, the program will decrypt another PE file using the same algorithm described in the <a href="#loader">.NET Loader</a> section of this report and will load it as an assembly, calling its entry point with the name of the open bank as an argument. This new PE is called “Maverick.Agent” and contains most of the banking logic for contacting the C2 and extracting data with it.</p>
<h3 id="maverick-agent">Maverick Agent</h3>
<p>The agent is the binary that will do most of the banker’s work; it will first check if it is running on a machine located in Brazil. To do this, it will check the following constraints:</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213458/maverick-banker-distributing3.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117732" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213458/maverick-banker-distributing3.png" alt="" width="693" height="406" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213458/maverick-banker-distributing3.png 693w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213458/maverick-banker-distributing3-300x176.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213458/maverick-banker-distributing3-597x350.png 597w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213458/maverick-banker-distributing3-478x280.png 478w" sizes="auto, (max-width: 693px) 100vw, 693px" /></a></p>
<p>What each of them does is:</p>
<ul>
<li><strong>IsValidBrazilianTimezone()</strong><br />
Checks if the current time zone is within the Brazilian time zone range. Brazil has time zones between UTC-5 (-300 min) and UTC-2 (-120 min). If the current time zone is within this range, it returns “true”.</li>
<li><strong>IsBrazilianLocale()</strong><br />
Checks if the current thread’s language or locale is set to Brazilian Portuguese. For example, “pt-BR”, “pt_br”, or any string containing “portuguese” and “brazil”. Returns “true” if the condition is met.</li>
<li><strong>IsBrazilianRegion()</strong><br />
Checks if the system’s configured region is Brazil. It compares region codes like “BR”, “BRA”, or checks if the region name contains “brazil”. Returns “true” if the region is set to Brazil.</li>
<li><strong>IsBrazilianDateFormat()</strong><br />
Checks if the short date format follows the Brazilian standard. The Brazilian format is dd/MM/yyyy. The function checks if the pattern starts with “dd/” and contains “/MM/” or “dd/MM”.</li>
</ul>
<p>Right after the check, it will enable appropriate DPI support for the operating system and monitor type, ensuring that images are sharp, fit the correct scale (screen zoom), and work well on multiple monitors with different resolutions. Then, it will check for any running persistence, previously created in “C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\”. If more than one file is found, it will delete the others based on “GetCreationTime” and keep only the most recently created one.</p>
<h2 id="c2-communication">C2 communication</h2>
<p>Communication uses the WatsonTCP library with SSL tunnels. It utilizes a local encrypted X509 certificate to protect the communication, which is another similarity to the Coyote malware. The connection is made to the host “casadecampoamazonas.com” on port 443. The certificate is exported as encrypted, and the password used to decrypt it is Maverick2025!. After the certificate is decrypted, the client will connect to the server.</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117733" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15.png" alt="" width="2048" height="527" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-300x77.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-1024x264.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-768x198.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-1536x395.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-1360x350.png 1360w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-740x190.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-1088x280.png 1088w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-800x206.png 800w" sizes="auto, (max-width: 2048px) 100vw, 2048px" /></a></p>
<p>For the C2 to work, a specific password must be sent during the first contact. The password used by the agent is “101593a51d9c40fc8ec162d67504e221”. Using this password during the first connection will successfully authenticate the agent with the C2, and it will be ready to receive commands from the operator. The important commands are:</p>
<table>
<tbody>
<tr>
<td><strong>Command</strong></td>
<td><strong>Description</strong></td>
</tr>
<tr>
<td>INFOCLIENT</td>
<td>Returns the information of the agent, which is used to identify it on the C2. The information used is described in the next section.</td>
</tr>
<tr>
<td>RECONNECT</td>
<td>Disconnect, sleep for a few seconds, and reconnect again to the C2.</td>
</tr>
<tr>
<td>REBOOT</td>
<td>Reboot the machine</td>
</tr>
<tr>
<td>KILLAPPLICATION</td>
<td>Exit the malware process</td>
</tr>
<tr>
<td>SCREENSHOT</td>
<td>Take a screenshot and send it to C2, compressed with gzip</td>
</tr>
<tr>
<td>KEYLOGGER</td>
<td>Enable the keylogger, capture all locally, and send only when the server specifically requests the logs</td>
</tr>
<tr>
<td>MOUSECLICK</td>
<td>Do a mouse click, used for the remote connection</td>
</tr>
<tr>
<td>KEYBOARDONECHAR</td>
<td>Press one char, used for the remote connection</td>
</tr>
<tr>
<td>KEYBOARDMULTIPLESCHARS</td>
<td>Send multiple characters used for the remote connection</td>
</tr>
<tr>
<td>TOOGLEDESKTOP</td>
<td>Enable remote connection and send multiple screenshots to the machine when they change (it computes a hash of each screenshot to ensure it is not the same image)</td>
</tr>
<tr>
<td>TOOGLEINTERN</td>
<td>Get a screenshot of a specific window</td>
</tr>
<tr>
<td>GENERATEWINDOWLOCKED</td>
<td>Lock the screen using one of the banks’ home pages.</td>
</tr>
<tr>
<td>LISTALLHANDLESOPENEDS</td>
<td>Send all open handles to the server</td>
</tr>
<tr>
<td>KILLPROCESS</td>
<td>Kill some process by using its handle</td>
</tr>
<tr>
<td>CLOSEHANDLE</td>
<td>Close a handle</td>
</tr>
<tr>
<td>MINIMIZEHANDLE</td>
<td>Minimize a window using its handle</td>
</tr>
<tr>
<td>MAXIMIZEHANDLE</td>
<td>Maximize a window using its handle</td>
</tr>
<tr>
<td>GENERATEWINDOWREQUEST</td>
<td>Generate a phishing window asking for the victim’s credentials used by banks</td>
</tr>
<tr>
<td>CANCELSCREENREQUEST</td>
<td>Disable the phishing window</td>
</tr>
</tbody>
</table>
<p><strong>Agent profile info</strong></p>
<p>In the “INFOCLIENT” command, the information sent to the C2 is as follows:</p>
<ul>
<li><strong>Agent ID:</strong> A SHA256 hash of all primary MAC addresses used by all interfaces</li>
<li>Username</li>
<li>Hostname</li>
<li>Operating system version</li>
<li>Client version (no value)</li>
<li>Number of monitors</li>
<li>Home page (home): “home” indicates which bank’s home screen should be used, sent before the Agent is decrypted by the banking application monitoring routine.</li>
<li>Screen resolution</li>
</ul>
<h2 id="conclusion">Conclusion</h2>
<p>According to our telemetry, all victims were in Brazil, but the Trojan has the potential to spread to other countries, as an infected victim can send it to another location. Even so, the malware is designed to target only Brazilians at the moment.<br />
It is evident that this threat is very sophisticated and complex; the entire execution chain is relatively new, but the final payload has many code overlaps and similarities with the Coyote banking Trojan, which we documented in 2024. However, some of the techniques are not exclusive to Coyote and have been observed in other low-profile banking Trojans written in .NET. The agent’s structure is also different from how Coyote operated; it did not use this architecture before.<br />
It is very likely that Maverick is a new banking Trojan using shared code from Coyote, which may indicate that the developers of Coyote have completely refactored and rewritten a large part of their components.<br />
This is one of the most complex infection chains we have ever detected, designed to load a banking Trojan. It has infected many people in Brazil, and its worm-like nature allows it to spread exponentially by exploiting a very popular instant messenger. The impact is enormous. Furthermore, it demonstrates the use of AI in the code-writing process, specifically in certificate decryption, which may also indicate the involvement of AI in the overall code development. Maverick works like any other banking Trojan, but the worrying aspects are its delivery method and its significant impact.<br />
We have detected the entire infection chain since day one, preventing victim infection from the initial LNK file. Kaspersky products detect this threat with the verdict <strong>HEUR:Trojan.Multi.Powenot.a</strong> and <strong>HEUR:Trojan-Banker.MSIL.Maverick.gen.</strong></p>
<h2 id="iocs">IoCs</h2>
<table>
<tbody>
<tr>
<td>Dominio</td>
<td>IP</td>
<td>ASN</td>
</tr>
<tr>
<td><a href="https://opentip.kaspersky.com/casadecampoamazonas.com/?icid=gl_sl_opentip_sm-team_9d1b9de83ae3bad6&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener"><strong>casadecampoamazonas[.]com</strong></a></td>
<td>181.41.201.184</td>
<td>212238</td>
</tr>
<tr>
<td><a href="https://opentip.kaspersky.com/sorvetenopote.com/?icid=gl_sl_opentip_sm-team_153c14d9b642446a&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener"><strong>sorvetenopote[.]com</strong></a></td>
<td>77.111.101.169</td>
<td>396356</td>
</tr>
</tbody>
</table>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/maverick-banker-distributing-via-whatsapp/117715/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15073641/SL-Maverick-Brazilian-banker-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15073641/SL-Maverick-Brazilian-banker-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15073641/SL-Maverick-Brazilian-banker-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15073641/SL-Maverick-Brazilian-banker-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
<item>
<title>Mysterious Elephant: a growing threat</title>
<link>https://securelist.com/mysterious-elephant-apt-ttps-and-tools/117596/</link>
<comments>https://securelist.com/mysterious-elephant-apt-ttps-and-tools/117596/#respond</comments>
<dc:creator><![CDATA[Noushin Shabab, Ye Jin]]></dc:creator>
<pubDate>Wed, 15 Oct 2025 10:00:11 +0000</pubDate>
<category><![CDATA[APT reports]]></category>
<category><![CDATA[GReAT research]]></category>
<category><![CDATA[Malware Technologies]]></category>
<category><![CDATA[Targeted attacks]]></category>
<category><![CDATA[Google Chrome]]></category>
<category><![CDATA[Malware Descriptions]]></category>
<category><![CDATA[Spear phishing]]></category>
<category><![CDATA[Malware]]></category>
<category><![CDATA[APT]]></category>
<category><![CDATA[RAT Trojan]]></category>
<category><![CDATA[Backdoor]]></category>
<category><![CDATA[WhatsApp]]></category>
<category><![CDATA[Data theft]]></category>
<category><![CDATA[Defense evasion]]></category>
<category><![CDATA[TTPs]]></category>
<category><![CDATA[APAC]]></category>
<category><![CDATA[RC4]]></category>
<category><![CDATA[APT (Targeted attacks)]]></category>
<category><![CDATA[Windows malware]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117596</guid>
<description><![CDATA[Kaspersky GReAT experts describe the latest Mysterious Elephant APT activity. The threat actor exfiltrates data related to WhatsApp and employs tools such as BabShell and MemLoader HidenDesk.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30145442/mysterious-elephant-featured-image-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
<p>Mysterious Elephant is a highly active advanced persistent threat (APT) group that we at Kaspersky GReAT discovered in 2023. It has been consistently evolving and adapting its tactics, techniques, and procedures (TTPs) to stay under the radar. With a primary focus on targeting government entities and foreign affairs sectors in the Asia-Pacific region, the group has been using a range of sophisticated tools and techniques to infiltrate and exfiltrate sensitive information. Notably, Mysterious Elephant has been exploiting WhatsApp communications to steal sensitive data, including documents, pictures, and archive files.</p>
<p>The group’s latest campaign, which began in early 2025, reveals a significant shift in their TTPs, with an increased emphasis on using new custom-made tools as well as customized open-source tools, such as BabShell and MemLoader modules, to achieve their objectives. In this report, we will delve into the history of Mysterious Elephant’s attacks, their latest tactics and techniques, and provide a comprehensive understanding of this threat.</p>
<h2 id="the-emergence-of-mysterious-elephant">The emergence of Mysterious Elephant</h2>
<p>Mysterious Elephant is a threat actor <a href="https://securelist.com/apt-trends-report-q2-2023/110231/#mysterious-elephant" target="_blank" rel="noopener">we’ve been tracking since 2023</a>. Initially, its intrusions resembled those of the Confucius threat actor. However, further analysis revealed a more complex picture. We found that Mysterious Elephant’s malware contained code from multiple APT groups, including Origami Elephant, Confucius, and SideWinder, which suggested deep collaboration and resource sharing between teams. Notably, our research indicates that the tools and code borrowed from the aforementioned APT groups were previously used by their original developers, but have since been abandoned or replaced by newer versions. However, Mysterious Elephant has not only adopted these tools, but also continued to maintain, develop, and improve them, incorporating the code into their own operations and creating new, advanced versions. The actor’s early attack chains featured distinctive elements, such as remote template injections and exploitation of <a href="https://www.cve.org/CVERecord?id=CVE-2017-11882" target="_blank" rel="noopener">CVE-2017-11882</a>, followed by the use of a downloader called “Vtyrei”, which was previously connected to Origami Elephant and later abandoned by this group. Over time, Mysterious Elephant has continued to upgrade its tools and expanded its operations, eventually earning its designation as a previously unidentified threat actor.</p>
<h2 id="latest-campaign">Latest campaign</h2>
<p>The group’s latest campaign, which was discovered in early 2025, reveals a significant shift in their TTPs. They are now using a combination of exploit kits, phishing emails, and malicious documents to gain initial access to their targets. Once inside, they deploy a range of custom-made and open-source tools to achieve their objectives. In the following sections, we’ll delve into the latest tactics and techniques used by Mysterious Elephant, including their new tools, infrastructure, and victimology.</p>
<h3 id="spear-phishing">Spear phishing</h3>
<p>Mysterious Elephant has started using spear phishing techniques to gain initial access. Phishing emails are tailored to each victim and are convincingly designed to mimic legitimate correspondence. The primary targets of this APT group are countries in the South Asia (SA) region, particularly Pakistan. Notably, this APT organization shows a strong interest and inclination towards diplomatic institutions, which is reflected in the themes covered by the threat actor’s spear phishing emails, as seen in bait attachments.</p>
<div id="attachment_117597" style="width: 690px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101320/mysterious-elephant1.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117597" class="size-full wp-image-117597" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101320/mysterious-elephant1.png" alt="Spear phishing email used by Mysterious Elephant" width="680" height="617" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101320/mysterious-elephant1.png 680w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101320/mysterious-elephant1-300x272.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101320/mysterious-elephant1-386x350.png 386w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101320/mysterious-elephant1-309x280.png 309w" sizes="auto, (max-width: 680px) 100vw, 680px" /></a><p id="caption-attachment-117597" class="wp-caption-text">Spear phishing email used by Mysterious Elephant</p></div>
<p>For example, the decoy document above concerns Pakistan’s application for a non-permanent seat on the United Nations Security Council for the 2025–2026 term.</p>
<h3 id="malicious-tools">Malicious tools</h3>
<p>Mysterious Elephant’s toolkit is a noteworthy aspect of their operations. The group has switched to using a variety of custom-made and open-source tools instead of employing known malware to achieve their objectives.</p>
<h4 id="powershell-scripts">PowerShell scripts</h4>
<p>The threat actor uses PowerShell scripts to execute commands, deploy additional payloads, and establish persistence. These scripts are loaded from C2 servers and often use legitimate system administration tools, such as curl and certutil, to download and execute malicious files.</p>
<div id="attachment_117598" style="width: 696px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101409/mysterious-elephant2.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117598" class="size-full wp-image-117598" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101409/mysterious-elephant2.png" alt="Malicious PowerShell script seen in Mysterious Elephant's 2025 attacks" width="686" height="138" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101409/mysterious-elephant2.png 686w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101409/mysterious-elephant2-300x60.png 300w" sizes="auto, (max-width: 686px) 100vw, 686px" /></a><p id="caption-attachment-117598" class="wp-caption-text">Malicious PowerShell script seen in Mysterious Elephant’s 2025 attacks</p></div>
<p>For example, the script above is used to download the next-stage payload and save it as <code>ping.exe</code>. It then schedules a task to execute the payload and send the results back to the C2 server. The task is set to run automatically in response to changes in the network profile, ensuring persistence on the compromised system. Specifically, it is triggered by network profile-related events (Microsoft-Windows-NetworkProfile/Operational), which can indicate a new network connection. A four-hour delay is configured after the event, likely to help evade detection.</p>
<h4 id="babshell">BabShell</h4>
<p>One of the most recent tools used by Mysterious Elephant is BabShell. This is a reverse shell tool written in C++ that enables attackers to connect to a compromised system. Upon execution, it gathers system information, including username, computer name, and MAC address, to identify the machine. The malware then enters an infinite loop of performing the following steps:</p>
<ol>
<li>It listens for and receives commands from the attacker-controlled C2 server.</li>
<li>For each received command, BabShell creates a separate thread to execute it, allowing for concurrent execution of multiple commands.</li>
<li>The output of each command is captured and saved to a file named <code>output_[timestamp].txt</code>, where [timestamp] is the current time. This allows the attacker to review the results of the commands.</li>
<li>The contents of the <code>output_[timestamp].txt</code> file are then transmitted back to the C2 server, providing the attacker with the outcome of the executed commands and enabling them to take further actions, for instance, deploy a next-stage payload or execute additional malicious instructions.</li>
</ol>
<p>BabShell uses the following commands to execute command-line instructions and additional payloads it receives from the server:</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117599" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3.png" alt="" width="808" height="76" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3.png 808w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3-300x28.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3-768x72.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3-800x75.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3-740x70.png 740w" sizes="auto, (max-width: 808px) 100vw, 808px" /></a></p>
<h4 id="customized-open-source-tools">Customized open-source tools</h4>
<p>One of the latest modules used by Mysterious Elephant and loaded by BabShell is MemLoader HidenDesk.</p>
<p>MemLoader HidenDesk is a reflective PE loader that loads and executes malicious payloads in memory. It uses encryption and compression to evade detection.</p>
<p>MemLoader HidenDesk operates in the following manner:</p>
<ol>
<li>The malware checks the number of active processes and terminates itself if there are fewer than 40 processes running — a technique used to evade sandbox analysis.</li>
<li>It creates a shortcut to its executable and saves it in the autostart folder, ensuring it can restart itself after a system reboot.</li>
<li>The malware then creates a hidden desktop named “MalwareTech_Hidden” and switches to it, providing a covert environment for its activities. This technique is borrowed from an open-source project on GitHub.</li>
<li>Using an RC4-like algorithm with the key <code>D12Q4GXl1SmaZv3hKEzdAhvdBkpWpwcmSpcD</code>, the malware decrypts a block of data from its own binary and executes it in memory as a shellcode. The shellcode’s sole purpose is to load and execute a PE file, specifically a sample of the commercial RAT called “Remcos” (MD5: 037b2f6233ccc82f0c75bf56c47742bb).</li>
</ol>
<p>Another recent loader malware used in the latest campaign is MemLoader Edge.</p>
<p>MemLoader Edge is a malicious loader that embeds a sample of the VRat backdoor, utilizing encryption and evasion techniques.</p>
<p>It operates in the following manner:</p>
<ol>
<li>The malware performs a network connectivity test by attempting to connect to the legitimate website <code>bing.com:445</code>, which is likely to fail since the 445 port is not open on the server side. If the test were to succeed, suggesting that the loader is possibly in an emulation or sandbox environment, the malware would drop an embedded picture on the machine and display a popup window with three unresponsive mocked-up buttons, then enter an infinite loop. This is done to complicate detection and analysis.</li>
<li>If the connection attempt fails, the malware iterates through a 1016-byte array to find the correct XOR keys for decrypting the embedded PE file in two rounds. The process continues until the decrypted data matches the byte sequence of <code>MZ\x90</code>, indicating that the real XOR keys are found within the array.</li>
<li>If the malware is unable to find the correct XOR keys, it will display the same picture and popup window as before, followed by a message box containing an error message after the window is closed.</li>
<li>Once the PE file is successfully decrypted, it is loaded into memory using reflective loading techniques. The decrypted PE file is based on the open-source RAT vxRat, which is referred to as VRat due to the PDB string found in the sample:<br />
<pre class="urvanov-syntax-highlighter-plain-tag">C:\Users\admin\source\repos\vRat_Client\Release\vRat_Client.pdb</pre>
</li>
</ol>
<h4 id="whatsapp-specific-exfiltration-tools">WhatsApp-specific exfiltration tools</h4>
<p>Spying on WhatsApp communications is a key aspect of the exfiltration modules employed by Mysterious Elephant. They are designed to steal sensitive data from compromised systems. The attackers have implemented WhatsApp-specific features into their exfiltration tools, allowing them to target files shared through the WhatsApp application and exfiltrate valuable information, including documents, pictures, archive files, and more. These modules employ various techniques, such as recursive directory traversal, XOR decryption, and Base64 encoding, to evade detection and upload the stolen data to the attackers’ C2 servers.</p>
<ul>
<li><strong>Uplo Exfiltrator</strong></li>
</ul>
<p>The Uplo Exfiltrator is a data exfiltration tool that targets specific file types and uploads them to the attackers’ C2 servers. It uses a simple XOR decryption to deobfuscate C2 domain paths and employs a recursive <a href="https://en.wikipedia.org/wiki/Depth-first_search" target="_blank" rel="noopener">depth-first directory traversal algorithm</a> to identify valuable files. The malware specifically targets file types that are likely to contain potentially sensitive data, including documents, spreadsheets, presentations, archives, certificates, contacts, and images. The targeted file extensions include .TXT, .DOC, .DOCX, .PDF, .XLS, .XLSX, .CSV, .PPT, .PPTX, .ZIP, .RAR, .7Z, .PFX, .VCF, .JPG, .JPEG, and .AXX.</p>
<ul>
<li><strong>Stom Exfiltrator</strong></li>
</ul>
<p>The Stom Exfiltrator is a commonly used exfiltration tool that recursively searches specific directories, including the “Desktop” and “Downloads” folders, as well as all drives except the C drive, to collect files with predefined extensions. Its latest variant is specifically designed to target files shared through the WhatsApp application. This version uses a hardcoded folder path to locate and exfiltrate such files:</p><pre class="urvanov-syntax-highlighter-plain-tag">%AppData%\\Packages\\xxxxx.WhatsAppDesktop_[WhatsApp ID]\\LocalState\\Shared\\transfers\\</pre><p>
<p>The targeted file extensions include .PDF, .DOCX, .TXT, .JPG, .PNG, .ZIP, .RAR, .PPTX, .DOC, .XLS, .XLSX, .PST, and .OST.</p>
<ul>
<li><strong>ChromeStealer Exfiltrator</strong></li>
</ul>
<p>The ChromeStealer Exfiltrator is another exfiltration tool used by Mysterious Elephant that targets Google Chrome browser data, including cookies, tokens, and other sensitive information. It searches specific directories within the Chrome user data of the most recently used Google Chrome profile, including the IndexedDB directory and the “Local Storage” directory. The malware uploads all files found in these directories to the attacker-controlled C2 server, potentially exposing sensitive data like chat logs, contacts, and authentication tokens. The response from the C2 server suggests that this tool was also after stealing files related to WhatsApp. The ChromeStealer Exfiltrator employs string obfuscation to evade detection.</p>
<h2 id="infrastructure">Infrastructure</h2>
<p>Mysterious Elephant’s infrastructure is a network of domains and IP addresses. The group has been using a range of techniques, including wildcard DNS records, to generate unique domain names for each request. This makes it challenging for security researchers to track and monitor their activities. The attackers have also been using virtual private servers (VPS) and cloud services to host their infrastructure. This allows them to easily scale and adapt their operations to evade detection. According to our data, this APT group has utilized the services of numerous VPS providers in their operations. Nevertheless, our analysis of the statistics has revealed that Mysterious Elephant appears to have a preference for certain VPS providers.</p>
<div class="js-infogram-embed" data-id="_/PYFxzOySORx2YCuG6lUv" data-type="interactive" data-title="01-EN-RU-Mysterious Elephant charts" style="min-height:;"></div>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>VPS providers most commonly used by Mysterious Elephant (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30102127/mysterious-elephant4.png" target="_blank" rel="noopener">download</a>)</em></p>
<h2 id="victimology">Victimology</h2>
<p>Mysterious Elephant’s primary targets are government entities and foreign affairs sectors in the Asia-Pacific region. The group has been focusing on Pakistan, Bangladesh, and Sri Lanka, with a lower number of victims in other countries. The attackers have been using highly customized payloads tailored to specific individuals, highlighting their sophistication and focus on targeted attacks.</p>
<p>The group’s victimology is characterized by a high degree of specificity. Attackers often use personalized phishing emails and malicious documents to gain initial access. Once inside, they employ a range of tools and techniques to escalate privileges, move laterally, and exfiltrate sensitive information.</p>
<ul>
<li>Most targeted countries: Pakistan, Bangladesh, Afghanistan, Nepal and Sri Lanka</li>
</ul>
<div class="js-infogram-embed" data-id="_/R4Utu2bH5IoYCk7MIBoH" data-type="interactive" data-title="01 EN Mysterious Elephant charts 2" style="min-height:;"></div>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Countries targeted most often by Mysterious Elephant (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14095041/02-en-mysterious-elephant-charts.png" target="_blank" rel="noopener">download</a>)</em></p>
<ul>
<li>Primary targets: government entities and foreign affairs sectors</li>
</ul>
<div class="js-infogram-embed" data-id="_/NNQDAbzeYeYkE3UXVrZ5" data-type="interactive" data-title="03 EN Mysterious Elephant charts" style="min-height:;"></div>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Industries most targeted by Mysterious Elephant (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13125733/03-en-mysterious-elephant-charts.png" target="_blank" rel="noopener">download</a>)</em></p>
<h2 id="conclusion">Conclusion</h2>
<p>In conclusion, Mysterious Elephant is a highly sophisticated and active Advanced Persistent Threat group that poses a significant threat to government entities and foreign affairs sectors in the Asia-Pacific region. Through their continuous evolution and adaptation of tactics, techniques, and procedures, the group has demonstrated the ability to evade detection and infiltrate sensitive systems. The use of custom-made and open-source tools, such as BabShell and MemLoader, highlights their technical expertise and willingness to invest in developing advanced malware.</p>
<p>The group’s focus on targeting specific organizations, combined with their ability to tailor their attacks to specific victims, underscores the severity of the threat they pose. The exfiltration of sensitive information, including documents, pictures, and archive files, can have significant consequences for national security and global stability.</p>
<p>To counter the Mysterious Elephant threat, it is essential for organizations to implement <a href="https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___knext____b31b3f3de449f764" target="_blank" rel="noopener">robust security measures</a>, including regular software updates, <a href="https://www.kaspersky.com/enterprise-security/anti-targeted-attack-platform?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___kata____86b6b7fe75e32725" target="_blank" rel="noopener">network monitoring</a>, and <a href="https://asap.kaspersky.com/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___kasap____b3c004b7eec21817" target="_blank" rel="noopener">employee training</a>. Additionally, international cooperation and information sharing among cybersecurity professionals, governments, and industries are crucial in tracking and disrupting the group’s activities.</p>
<p>Ultimately, staying ahead of Mysterious Elephant and other APT groups requires a proactive and collaborative approach to cybersecurity. By understanding their TTPs, sharing threat intelligence, and implementing effective countermeasures, we can reduce the risk of successful attacks and protect sensitive information from falling into the wrong hands.</p>
<h2 id="indicators-of-compromise">Indicators of compromise</h2>
<h3 id="file-hashes">File hashes</h3>
<p><strong>Malicious documents</strong><br />
<a href="https://opentip.kaspersky.com/c12ea05baf94ef6f0ea73470d70db3b2/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______09ab9e63c2fbae18&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">c12ea05baf94ef6f0ea73470d70db3b2</a> M6XA.rar<br />
<a href="https://opentip.kaspersky.com/8650fff81d597e1a3406baf3bb87297f/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______a7b7bdc14f0ecf16&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">8650fff81d597e1a3406baf3bb87297f</a> 2025-013-PAK-MoD-Invitation_the_UN_Peacekeeping.rar</p>
<p><strong>MemLoader HidenDesk</strong><br />
<a href="https://opentip.kaspersky.com/658eed7fcb6794634bbdd7f272fcf9c6/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______c1ee1e8efe731ce5&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">658eed7fcb6794634bbdd7f272fcf9c6</a> STI.dll<br />
<a href="https://opentip.kaspersky.com/4c32e12e73be9979ede3f8fce4f41a3a/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______39679c1e6198215a&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">4c32e12e73be9979ede3f8fce4f41a3a</a> STI.dll</p>
<p><strong>MemLoader Edge</strong><br />
<a href="https://opentip.kaspersky.com/3caaf05b2e173663f359f27802f10139/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______517ed2c79ff6857a&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">3caaf05b2e173663f359f27802f10139</a> Edge.exe, debugger.exe, runtime.exe<br />
<a href="https://opentip.kaspersky.com/bc0fc851268afdf0f63c97473825ff75/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______4f3755f64aba0268&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">bc0fc851268afdf0f63c97473825ff75</a></p>
<p><strong>BabShell</strong><br />
<a href="https://opentip.kaspersky.com/85c7f209a8fa47285f08b09b3868c2a1/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______5fd77beb36827bdb&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">85c7f209a8fa47285f08b09b3868c2a1</a><br />
<a href="https://opentip.kaspersky.com/f947ff7fb94fa35a532f8a7d99181cf1/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______cff906b0140720d0&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">f947ff7fb94fa35a532f8a7d99181cf1</a></p>
<p><strong>Uplo Exfiltrator</strong><br />
<a href="https://opentip.kaspersky.com/cf1d14e59c38695d87d85af76db9a861/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ffa5f9bd347e41df&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">cf1d14e59c38695d87d85af76db9a861</a> SXSHARED.dll</p>
<p><strong>Stom Exfiltrator</strong><br />
<a href="https://opentip.kaspersky.com/ff1417e8e208cadd55bf066f28821d94/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______4bbcc5b773fb873b&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">ff1417e8e208cadd55bf066f28821d94</a><br />
<a href="https://opentip.kaspersky.com/7ee45b465dcc1ac281378c973ae4c6a0/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______64062702f8c05486&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">7ee45b465dcc1ac281378c973ae4c6a0</a> ping.exe<br />
<a href="https://opentip.kaspersky.com/b63316223e952a3a51389a623eb283b6/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______34280e71815f9819&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">b63316223e952a3a51389a623eb283b6</a> ping.exe<br />
<a href="https://opentip.kaspersky.com/e525da087466ef77385a06d969f06c81/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______00c019d83beca9e0&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">e525da087466ef77385a06d969f06c81</a><br />
<a href="https://opentip.kaspersky.com/78b59ea529a7bddb3d63fcbe0fe7af94/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______02431ea07e815c6c&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">78b59ea529a7bddb3d63fcbe0fe7af94</a></p>
<p><strong>ChromeStealer Exfiltrator</strong><br />
<a href="https://opentip.kaspersky.com/9e50adb6107067ff0bab73307f5499b6/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______002f6ae0f77b2068&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">9e50adb6107067ff0bab73307f5499b6</a> WhatsAppOB.exe</p>
<h3 id="domains-ips">Domains/IPs</h3>
<p><a href="https://opentip.kaspersky.com/hxxps%3a%2f%2fstorycentral.net/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______546a9c2d940aced9&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://storycentral[.]net</a><br />
<a href="https://opentip.kaspersky.com/hxxp%3a%2f%2flistofexoticplaces.com/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______df61d5264bb34b52&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxp://listofexoticplaces[.]com</a><br />
<a href="https://opentip.kaspersky.com/hxxps%3a%2f%2fmonsoonconference.com/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______95a175e16a9f2f66&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://monsoonconference[.]com</a><br />
<a href="https://opentip.kaspersky.com/hxxp%3a%2f%2fmediumblog.online/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______a1cb20769a3c44cb&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxp://mediumblog[.]online:4443</a><br />
<a href="https://opentip.kaspersky.com/hxxp%3a%2f%2fcloud.givensolutions.online/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______31ac06df427819a4&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxp://cloud.givensolutions[.]online:4443</a><br />
<a href="https://opentip.kaspersky.com/hxxp%3a%2f%2fcloud.qunetcentre.org/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______97e683db289c2d2d&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxp://cloud.qunetcentre[.]org:443</a><br />
<a href="https://opentip.kaspersky.com/solutions.fuzzy-network.tech/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______80e055d2bfaec218&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">solutions.fuzzy-network[.]tech</a><br />
<a href="https://opentip.kaspersky.com/pdfplugins.com/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______fa3c26ff03f790a8&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">pdfplugins[.]com</a><br />
<a href="https://opentip.kaspersky.com/file-share.officeweb.live/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______1906cf37a247699a&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">file-share.officeweb[.]live</a><br />
<a href="https://opentip.kaspersky.com/fileshare-avp.ddns.net/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______324cee9e263be2af&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">fileshare-avp.ddns[.]net</a><br />
<a href="https://opentip.kaspersky.com/91.132.95.148/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ab2914e9238c3621&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">91.132.95[.]148</a><br />
<a href="https://opentip.kaspersky.com/62.106.66.80/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______847c267eca71ef78&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">62.106.66[.]80</a><br />
<a href="https://opentip.kaspersky.com/158.255.215.45/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______2d778fa9b216c661&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">158.255.215[.]45</a></p>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/mysterious-elephant-apt-ttps-and-tools/117596/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30145442/mysterious-elephant-featured-image.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30145442/mysterious-elephant-featured-image-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30145442/mysterious-elephant-featured-image-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30145442/mysterious-elephant-featured-image-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
<item>
<title>Signal in the noise: what hashtags reveal about hacktivism in 2025</title>
<link>https://securelist.com/dfi-meta-hacktivist-report/117708/</link>
<comments>https://securelist.com/dfi-meta-hacktivist-report/117708/#respond</comments>
<dc:creator><![CDATA[Kaspersky Security Services]]></dc:creator>
<pubDate>Tue, 14 Oct 2025 10:00:09 +0000</pubDate>
<category><![CDATA[Research]]></category>
<category><![CDATA[SOC, TI and IR posts]]></category>
<category><![CDATA[Twitter]]></category>
<category><![CDATA[Darknet]]></category>
<category><![CDATA[Threat intelligence]]></category>
<category><![CDATA[hacktivists]]></category>
<category><![CDATA[Telegram]]></category>
<category><![CDATA[Cybersecurity]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117708</guid>
<description><![CDATA[Kaspersky researchers identified over 2000 unique hashtags across 11,000 hacktivist posts on the surface web and the dark web to find out how hacktivist campaigns function and whom they target.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14082820/SL-DFI-META-report-featured-1200-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>What do hacktivist campaigns look like in 2025? To answer this question, we analyzed more than 11,000 posts produced by over 120 hacktivist groups circulating across both the surface web and the dark web, with a particular focus on groups targeting MENA countries. The primary goal of our research is to highlight patterns in hacktivist operations, including attack methods, public warnings, and stated intent. The analysis is undertaken exclusively from a cybersecurity perspective and anchored in the principle of neutrality.</p>
<p>Hacktivists are politically motivated threat actors who typically value visibility over sophistication. Their tactics are designed for maximum visibility, reach, and ease of execution, rather than stealth or technical complexity. The term “hacktivist” may refer to either the administrator of a community who initiates the attack or an ordinary subscriber who simply participates in the campaign.</p>
<h2 id="key-findings">Key findings</h2>
<p>While it may be assumed that most operations unfold on hidden forums, in fact, most hacktivist planning and mobilization happens in the open. Telegram has become the command center for today’s hacktivist groups, hosting the highest density of attack planning and calls to action. The second place is occupied by X (ex-Twitter).</p>
<div id="attachment_117709" style="width: 790px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117709" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels.png" alt="Distribution of social media references in posts published in 2025" width="780" height="361" class="size-full wp-image-117709" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels.png 780w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels-300x139.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels-768x355.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels-756x350.png 756w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels-740x342.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels-605x280.png 605w" sizes="auto, (max-width: 780px) 100vw, 780px" /></a><p id="caption-attachment-117709" class="wp-caption-text">Distribution of social media references in posts published in 2025</p></div>
<p>Although we focused on hacktivists operating in MENA, the targeting of the groups under review is global, extending well beyond the region. There are victims throughout Europe and Middle East, as well as Argentina, the United States, Indonesia, India, Vietnam, Thailand, Cambodia, Türkiye, and others.</p>
<h3 id="hashtags-as-the-connective-tissue-of-hacktivist-operations">Hashtags as the connective tissue of hacktivist operations</h3>
<p>One notable feature of hacktivist posts and messages on dark web sites is the frequent use of hashtags (#words). Used in their posts constantly, hashtags often serve as political slogans, amplifying messages, coordinating activity or claiming credit for attacks. The most common themes are political statements and hacktivist groups names, though hashtags sometimes reference geographical locations, such as specific countries or cities.</p>
<p>Hashtags also map alliances and momentum. We have identified 2063 unique tags in 2025: 1484 appearing for the first time, and many tied directly to specific groups or joint campaigns. Most tags are short-lived, lasting about two months, with “popular” ones persisting longer when amplified by alliances; channel bans contribute to attrition.</p>
<p>Operationally, reports of completed attacks dominate hashtagged content (58%), and within those, DDoS is the workhorse (61%). Spikes in threatening rhetoric do not by themselves predict more attacks, but timing matters: when threats are published, they typically refer to actions in the near term, i.e. the same week or month, making early warning from open-channel monitoring materially useful.</p>
<p>The full version of the report details the following findings:</p>
<ul>
<li>How long it typically takes for an attack to be reported after an initial threat post</li>
<li>How hashtags are used to coordinate attacks or claim credit</li>
<li>Patterns across campaigns and regions</li>
<li>The types of cyberattacks being promoted or celebrated</li>
</ul>
<h2 id="practical-takeaways-and-recommendations">Practical takeaways and recommendations</h2>
<p>For defenders and corporate leaders, we recommend the following:</p>
<ul>
<li>Prioritize scalable DDoS mitigation and proactive security measures.</li>
<li>Treat public threats as short-horizon indicators rather than long-range forecasts.</li>
<li>Invest in continuous monitoring across Telegram and related ecosystems to discover alliance announcements, threat posts, and cross-posted “proof” rapidly.</li>
</ul>
<p>Even organizations outside geopolitical conflict zones should assume exposure: hacktivist campaigns seek reach and spectacle, not narrow geography, and hashtags remain a practical lens for separating noise from signals that demand action.</p>
<p><strong>To download the full report, please fill in the form below.</strong></p>
<p><script data-b24-form="inline/1808/7dlezh" data-skip-moving="true">
(function (w, d, u) {
var s = d.createElement("script");
s.async = true;
s.src = u + "?" + ((Date.now() / 180000) | 0);
var h = d.getElementsByTagName("script")[0];
h.parentNode.insertBefore(s, h);
})(window, document, "https://cdn.bitrix24.eu/b30707545/crm/form/loader_1808.js");
</script><br />
<script src="https://storage.yandexcloud.net/kasperskyform/validator.js"></script><br />
<script>
initBxFormValidator({
formId: "inline/1808/7dlezh",
emailFieldName: "CONTACT_EMAIL",
redirectUrl: "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172551/Hacktivist_report-DFI-META.pdf",
naturalFieldNames: ["CONTACT_UF_CRM_NODES"],
lengthRestrictedFieldNames: {
CONTACT_EMAIL: 250,
CONTACT_POST: 128,
CONTACT_NAME: 50,
CONTACT_UF_CRM_COMPANY: 255,
CONTACT_UF_CRM_COMPANY_TAX_ID: 50,
CONTACT_UF_CRM_PRODUCT_INTEREST: 255,
CONTACT_UF_CRM_FORM_QUESTION_2: 255,
CONTACT_UF_CRM_FORM_QUESTION_3: 255,
CONTACT_UF_CRM_FORM_QUESTION_5: 255,
},
});
</script></p>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/dfi-meta-hacktivist-report/117708/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14082820/SL-DFI-META-report-featured-1200.jpg" width="1200" height="762"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14082820/SL-DFI-META-report-featured-1200-1024x650.jpg" width="1024" height="650"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14082820/SL-DFI-META-report-featured-1200-300x191.jpg" width="300" height="191"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14082820/SL-DFI-META-report-featured-1200-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
<item>
<title>The king is dead, long live the king! Windows 10 EOL and Windows 11 forensic artifacts</title>
<link>https://securelist.com/forensic-artifacts-in-windows-11/117680/</link>
<comments>https://securelist.com/forensic-artifacts-in-windows-11/117680/#respond</comments>
<dc:creator><![CDATA[Kirill Magaskin]]></dc:creator>
<pubDate>Tue, 14 Oct 2025 08:00:57 +0000</pubDate>
<category><![CDATA[Research]]></category>
<category><![CDATA[Microsoft Windows]]></category>
<category><![CDATA[Digital forensics]]></category>
<category><![CDATA[Forensic journey]]></category>
<category><![CDATA[Cybersecurity]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117680</guid>
<description><![CDATA[With the end of Windows 10 support approaching, we discuss which forensic artifacts in Windows 11 may be of interest.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13154941/SL-forensic-artifacts-in-windows-11-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
<p>Windows 11 was released a few years ago, yet it has seen relatively weak enterprise adoption. According to statistics from our Global Emergency Response Team (GERT) investigations, as recently as early 2025, we found that Windows 7, which reached end of support in 2020, was encountered only slightly less often than the newest operating system. Most systems still run Windows 10.</p>
<div class="js-infogram-embed" data-id="_/wUFDDTvIb5MX90BS2iz7" data-type="interactive" data-title="01 EN-RU-ES-PT-BR Win 11 graph" style="min-height:;"></div>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Distribution of Windows versions in organizations’ infrastructure. The statistics are based on the Global Emergency Response Team (GERT) data (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10100944/01-en-ru-es-pt-br-win-11-graph.png" target="_blank" rel="noopener">download</a>)</em></p>
<p>The most widely used operating system was released more than a decade ago, and Microsoft discontinues its support on October 14, 2025. This means we are certainly going to see an increase in the number of Windows 11 systems in organizations where we provide incident response services. This is why we decided to offer a brief overview of changes to forensic artifacts in this operating system. The information should be helpful to our colleagues in the field. The artifacts described here are relevant for Windows 11 24H2, which is the latest OS version at the time of writing this.</p>
<h2 id="what-is-new-in-windows-11">What is new in Windows 11</h2>
<h3 id="recall">Recall</h3>
<p>The Recall feature was first introduced in May 2024. It allows the computer to remember everything a user has done on the device over the past few months. It works by taking screenshots of the entire display every few seconds. A local AI engine then analyzes these screenshots in the background, extracting all useful information, which is subsequently saved to a database. This database is then used for intelligent searching. Since May 2025, Recall has been broadly available on computers equipped with an NPU, a dedicated chip for AI computations, which is currently compatible only with ARM CPUs.</p>
<p>Microsoft Recall is certainly one of the most highly publicized and controversial features announced for Windows 11. Since its initial reveal, it <a href="https://www.kaspersky.com/blog/how-to-disable-copilot-recall-spyware/51522/" target="_blank" rel="noopener">has been the subject of criticism within the cybersecurity community</a> because of the potential threat it poses to data privacy. Microsoft refined Recall before its release, yet <a href="https://www.kaspersky.com/blog/recall-2025-risks-benefits/53407/" target="_blank" rel="noopener">certain concerns remain</a>. Because of its controversial nature, the option is disabled by default in corporate builds of Windows 11. However, examining the artifacts it creates is worthwhile, just in case an attacker or malicious software activates it. In theory, an organization’s IT department could enable Recall using Group Policies, but we consider that scenario unlikely.</p>
<p>As previously mentioned, Recall takes screenshots, which naturally requires temporary storage before analysis. The raw JPEG images can be found at <code>%AppData%\Local\CoreAIPlatform.00\UKP\{GUID}\ImageStore\*</code>. The filenames themselves are the screenshot identifiers (more on those later).</p>
<p>Along with the screenshots, their metadata is stored within the standard Exif.Photo.MakerNote (0x927c) tag. This tag holds a significant amount of interesting data, such as the boundaries of the foreground window, the capture timestamp, the window title, the window identifier, and the full path of the process that launched the window. Furthermore, if a browser is in use during the screenshot capture, the URI and domain may be preserved, among other details.</p>
<p>Recall is activated on a per-user basis. A key in the user’s registry hive, specifically <code>Software\Policies\Microsoft\Windows\WindowsAI\</code>, is responsible for enabling and disabling the saving of these screenshots. Microsoft has also introduced <a href="https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai" target="_blank" rel="noopener">several new registry keys</a> associated with Recall management in the latest Windows 11 builds.</p>
<p>It is important to note that the version of the feature refined following public controversy includes a specific filter intended to prevent the saving of screenshots and text when potentially sensitive information is on the screen. This includes, for example, an incognito browser window, a payment data input field, or a password manager. However, <a href="https://doublepulsar.com/microsoft-recall-on-copilot-pc-testing-the-security-and-privacy-implications-ddb296093b6c" target="_blank" rel="noopener">researchers</a> have indicated that this filter may not always engage reliably.</p>
<p>To enable fast searches across all data captured from screenshots, the system uses two DiskANN vector databases (<code>SemanticTextStore.sidb</code> and <code>SemanticImageStore.sidb</code>). However, the standard SQLite database is the most interesting one for investigation: <code>%AppData%\Local\CoreAIPlatform.00\UKP\{GUID}\ukg.db</code>, which consists of 20 tables. In the latest release, it is accessible without administrative privileges, yet it is encrypted. At the time of writing this post, there are no publicly known methods to decrypt the database directly. Therefore, we will examine the most relevant tables from the 2024 Windows 11 beta release with Recall.</p>
<ul>
<li>The <code>App</code> table holds data about the process that launched the application’s graphical user interface window.</li>
<li>The <code>AppDwellTime</code> table contains information such as the full path of the process that initiated the application GUI window (WindowsAppId column), the date and time it was launched (HourOfDay, DayOfWeek, HourStartTimestamp), and the duration the window’s display (DwellTime).</li>
<li>The <code>WindowCapture</code> table records the type of event (Name column):
<ul>
<li><strong>WindowCreatedEvent</strong> indicates the creation of the first instance of the application window. It can be correlated with the process that created the window.</li>
<li><strong>WindowChangedEvent</strong> tracks changes to the window instance. It allows monitoring movements or size changes of the window instance with the help of the WindowId column, which contains the window’s identifier.</li>
<li><strong>WindowCaptureEvent</strong> signifies the creation of a screen snapshot that includes the application window. Besides the window identifier, it contains an image identifier (ImageToken). The value of this token can later be used to retrieve the JPEG snapshot file from the aforementioned ImageStore directory, as the filename corresponds to the image identifier.</li>
<li><strong>WindowDestroyedEvent</strong> signals the closing of the application window.</li>
<li><strong>ForegroundChangedEvent</strong> does not contain useful data from a forensics perspective.</li>
</ul>
<p>The <code>WindowCapture</code> table also includes a flag indicating whether the application window was in the foreground (IsForeground column), the window boundaries as screen coordinates (WindowBounds), the window title (WindowTitle), a service field for properties (Properties), and the event timestamp (TimeStamp).
</li>
</ul>
<ul>
<li><code>WindowCaptureTextIndex_content</span></code> contains the text extracted with Optical Character Recognition (OCR) from the snapshot (c2 column), the window title (WindowTitle), the application path (App.Path), the snapshot timestamp (TimeStamp), and the name (Name). This table can be used in conjunction with the WindowCapture (the c0 and Id columns hold identical data, which can be used for joining the tables) and App tables (identical data resides in the AppId and Id columns).</li>
</ul>
<p>Recall artifacts (if the feature was enabled on the system prior to the incident) represent a “goldmine” for the incident responder. They allow for a detailed reconstruction of the attacker’s activity within the compromised system. Conversely, this same functionality can be weaponized: as mentioned previously, the private information filter in Recall does not work flawlessly. Consequently, attackers and malware can exploit it to locate credentials and other sensitive information.</p>
<h3 id="updated-standard-applications">Updated standard applications</h3>
<p>Standard applications in Windows 11 have also undergone updates, and for some, this involved changes to both the interface and functionality. Specifically, applications such as Notepad, File Explorer, and the Command Prompt in this version of the OS now support multi-tab mode. Notably, Notepad retains the state of these tabs even after the process terminates. Therefore, Windows 11 now has new artifacts associated with the usage of this application. Our colleague, AbdulRhman Alfaifi, researched these in detail; his work is available <a href="https://u0041.co/posts/articals/exploring-windows-artifacts-notepad-files/" target="_blank" rel="noopener">here</a>.</p>
<p>The main directory for Notepad artifacts in Windows 11 is located at <code>%LOCALAPPDATA%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\</code>.<br />
This directory contains two subdirectories:</p>
<ul>
<li><strong>TabState</strong> stores a {GUID}.bin state file for each Notepad tab. This file contains the tab’s contents if the user did not save it to a file. For saved tabs, the file contains the full path to the saved content, the SHA-256 hash of the content, the content itself, the last write time to the file, and other details.</li>
<li><strong>WindowsState</strong> stores information about the application window state. This includes the total number of tabs, their order, the currently active tab, and the size and position of the application window on the screen. The state file is named either *.0.bin or *.1.bin.</li>
</ul>
<p>The structure of {GUID}.bin for saved tabs is as follows:</p>
<table>
<tbody>
<tr>
<td><strong>Field</strong></td>
<td><strong>Type</strong></td>
<td><strong>Value and explanation</strong></td>
</tr>
<tr>
<td>signature</td>
<td>[u8;2]</td>
<td>NP</td>
</tr>
<tr>
<td>?</td>
<td>u8</td>
<td>00</td>
</tr>
<tr>
<td>file_saved_to_path</td>
<td>bool</td>
<td>00 = the file was not saved at the specified path<br />
01 = the file was saved</td>
</tr>
<tr>
<td>path_length</td>
<td>uLEB128</td>
<td>Length of the full path (in characters) to the file where the tab content was written</td>
</tr>
<tr>
<td>file_path</td>
<td>UTF-16LE</td>
<td>The full path to the file where the tab content was written</td>
</tr>
<tr>
<td>file_size</td>
<td>uLEB128</td>
<td>The size of the file on disk where the tab content was written</td>
</tr>
<tr>
<td>encoding</td>
<td>u8</td>
<td>File encoding:<br />
0x01 – ANSI<br />
0x02 – UTF-16LE<br />
0x03 – UTF-16BE<br />
0x04 – UTF-8BOM<br />
0x05 – UTF-8</td>
</tr>
<tr>
<td>cr_type</td>
<td>u8</td>
<td>Type of carriage return:<br />
0x01 — CRLF<br />
0x02 — CR<br />
0x03 — LF</td>
</tr>
<tr>
<td>last_write_time</td>
<td>uLEB128</td>
<td>The time of the last write (tab save) to the file, formatted as <a href="https://learn.microsoft.com/en-us/windows/win32/api/minwinbase/ns-minwinbase-filetime?redirectedfrom=MSDN" target="_blank" rel="noopener">FILETIME</a></td>
</tr>
<tr>
<td>sha256_hash</td>
<td>[u8;32]</td>
<td>The SHA-256 hash of the tab content</td>
</tr>
<tr>
<td>?</td>
<td>[u8;2]</td>
<td>00 01</td>
</tr>
<tr>
<td>selection_start</td>
<td>uLEB128</td>
<td>The offset of the section start from the beginning of the file</td>
</tr>
<tr>
<td>selection_end</td>
<td>uLEB128</td>
<td>The offset of the section end from the beginning of the file</td>
</tr>
<tr>
<td>config_block</td>
<td>ConfigBlock</td>
<td>ConfigBlock structure configuration</td>
</tr>
<tr>
<td>content_length</td>
<td>uLEB128</td>
<td>The length of the text in the file</td>
</tr>
<tr>
<td>content</td>
<td>UTF-16LE</td>
<td>The file content before it was modified by the new data. This field is absent if the tab was saved to disk with no subsequent modifications.</td>
</tr>
<tr>
<td>contain_unsaved_data</td>
<td>bool</td>
<td>00 = the tab content in the {GUID}.bin file matches the tab content in the file on disk<br />
01 = changes to the tab have not been saved to disk</td>
</tr>
<tr>
<td>checksum</td>
<td>[u8;4]</td>
<td>The CRC32 checksum of the {GUID}.bin file content, offset by 0x03 from the start of the file</td>
</tr>
<tr>
<td>unsaved_chunks</td>
<td>[UnsavedChunk]</td>
<td>A list of UnsavedChunk structures. This is absent if the tab was saved to disk with no subsequent modifications</td>
</tr>
</tbody>
</table>
<div id="attachment_117682" style="width: 903px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117682" class="size-full wp-image-117682" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2.jpeg" alt="Example content of the {GUID.bin} file for a Notepad tab that was saved to a file and then modified with new data which was not written to the file" width="893" height="622" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2.jpeg 893w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2-300x209.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2-768x535.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2-502x350.jpeg 502w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2-740x515.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2-402x280.jpeg 402w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2-800x557.jpeg 800w" sizes="auto, (max-width: 893px) 100vw, 893px" /></a><p id="caption-attachment-117682" class="wp-caption-text">Example content of the {GUID.bin} file for a Notepad tab that was saved to a file and then modified with new data which was not written to the file</p></div>
<p>For tabs that were never saved, the {GUID}.bin file structure in the TabState directory is shorter:</p>
<table>
<tbody>
<tr>
<td><strong>Field</strong></td>
<td><strong>Type</strong></td>
<td><strong>Value and explanation</strong></td>
</tr>
<tr>
<td>signature</td>
<td>[u8;2]</td>
<td>NP</td>
</tr>
<tr>
<td>?</td>
<td>u8</td>
<td>00</td>
</tr>
<tr>
<td>file_saved_to_path</td>
<td>bool</td>
<td>00 = the file was not saved at the specified path (always)</td>
</tr>
<tr>
<td>selection_start</td>
<td>uLEB128</td>
<td>The offset of the section start from the beginning of the file</td>
</tr>
<tr>
<td>selection_end</td>
<td>uLEB128</td>
<td>The offset of the section end from the beginning of the file</td>
</tr>
<tr>
<td>config_block</td>
<td>ConfigBlock</td>
<td>ConfigBlock structure configuration</td>
</tr>
<tr>
<td>content_length</td>
<td>uLEB128</td>
<td>The length of the text in the file</td>
</tr>
<tr>
<td>content</td>
<td>UTF-16LE</td>
<td>File content</td>
</tr>
<tr>
<td>contain_unsaved_data</td>
<td>bool</td>
<td>01 = changes to the tab have not been saved to disk (always)</td>
</tr>
<tr>
<td>checksum</td>
<td>[u8;4]</td>
<td>The CRC32 checksum of the {GUID}.bin file content, offset by 0x03 from the start of the file</td>
</tr>
<tr>
<td>unsaved_chunks</td>
<td>[UnsavedChunk]</td>
<td>List of UnsavedChunk structures</td>
</tr>
</tbody>
</table>
<div id="attachment_117683" style="width: 1190px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117683" class="size-full wp-image-117683" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3.jpeg" alt="Example content of the {GUID.bin} file for a Notepad tab that has not been saved to a file" width="1180" height="207" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3.jpeg 1180w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3-300x53.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3-1024x180.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3-768x135.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3-740x130.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3-800x140.jpeg 800w" sizes="auto, (max-width: 1180px) 100vw, 1180px" /></a><p id="caption-attachment-117683" class="wp-caption-text">Example content of the {GUID.bin} file for a Notepad tab that has not been saved to a file</p></div>
<p>Note that the saving of tabs may be disabled in the Notepad settings. If this is the case, the TabState and WindowState artifacts will be unavailable for analysis.</p>
<p>If these artifacts are available, however, you can use <a href="https://github.com/AbdulRhmanAlfaifi/notepad_parser" target="_blank" rel="noopener">the notepad_parser tool</a>, developed by our colleague Abdulrhman Alfaifi, to automate working with them.</p>
<p>This particular artifact may assist in recovering the contents of malicious scripts and batch files. Furthermore, it may contain the results and logs from network scanners, credential extraction utilities, and other executables used by threat actors, assuming any unsaved modifications were inadvertently made to them.</p>
<h2 id="changes-to-familiar-artifacts-in-windows-11">Changes to familiar artifacts in Windows 11</h2>
<p>In addition to the new artifacts, Windows 11 introduced several noteworthy changes to existing ones that investigators should be aware of when analyzing incidents.</p>
<h3 id="changes-to-ntfs-attribute-behavior">Changes to NTFS attribute behavior</h3>
<p>The behavior of NTFS attributes was changed between Windows 10 and Windows 11 in two $MFT structures: $STANDARD_INFORMATION and $FILE_NAME.</p>
<p>The changes to the behavior of the $STANDARD_INFORMATION attributes are presented in the table below:</p>
<table>
<tbody>
<tr>
<td><strong>Event</strong></td>
<td>Access file</td>
<td>Rename file</td>
<td>Copy file to new folder</td>
<td>Move file within one volume</td>
<td>Move file between volumes</td>
</tr>
<tr>
<td><strong>Win 10<br />
1903</strong></td>
<td>The File Access timestamp is updated. However, it remains unchanged if the system volume is larger than 128 GB</td>
<td>The File Access timestamp remains unchanged</td>
<td>The copy metadata is updated</td>
<td>The File Access timestamp remains unchanged</td>
<td>The metadata is inherited from the original file</td>
</tr>
<tr>
<td><strong>Win 11 24H2</strong></td>
<td>The File Access timestamp is updated</td>
<td>The File Access timestamp is updated to match the modification time</td>
<td>The copy metadata is inherited from the original file</td>
<td>The File Access timestamp is updated to match the moving time</td>
<td>The metadata is updated</td>
</tr>
</tbody>
</table>
<p>Behavior of the $FILENAME attributes was changed as follows:</p>
<table>
<tbody>
<tr>
<td><strong>Event</strong></td>
<td>Rename file</td>
<td>Move file via Explorer within one volume</td>
<td>Move file to Recycle Bin</td>
</tr>
<tr>
<td><strong>Win 10<br />
1903</strong></td>
<td>The timestamps and metadata remain unchanged</td>
<td>The timestamps and metadata remain unchanged</td>
<td>The timestamps and metadata remain unchanged</td>
</tr>
<tr>
<td><strong>Win 11 24H2</strong></td>
<td>The File Access and File Modify timestamps along with the metadata are inherited from the previous version of $STANDARD_INFORMATION</td>
<td>The File Access and File Modify timestamps along with the metadata are inherited from the previous version of $STANDARD_INFORMATION</td>
<td>The File Access and File Modify timestamps along with the metadata are inherited from the previous version of $STANDARD_INFORMATION</td>
</tr>
</tbody>
</table>
<p>Analysts should consider these changes when examining the service files of the NTFS file system.</p>
<h3 id="program-compatibility-assistant">Program Compatibility Assistant</h3>
<p>Program Compatibility Assistant (PCA) first appeared way back in 2006 with the release of Windows Vista. Its purpose is to run applications designed for older operating system versions, thus being a relevant artifact for identifying evidence of program execution.</p>
<p>Windows 11 introduced new files associated with this feature that are relevant for forensic analysis of application executions. These files are located in the directory <code>C:\Windows\appcompat\pca\</code>:</p>
<ul>
<li><code>PcaAppLaunchDic.txt</code>: each line in this file contains data on the most recent launch of a specific executable file. This information includes the time of the last launch formatted as YYYY-MM-DD HH:MM:SS.f (UTC) and the full path to the file. A pipe character (|) separates the data elements. When the file is run again, the information in the corresponding line is updated. The file uses ANSI (CP-1252) encoding, so executing files with Unicode in their names “breaks” it: new entries (including the entry for running a file with Unicode) stop appearing, only old ones get updated.</li>
</ul>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117684" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4.png" alt="" width="1007" height="306" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4.png 1007w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4-300x91.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4-768x233.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4-740x225.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4-921x280.png 921w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4-800x243.png 800w" sizes="auto, (max-width: 1007px) 100vw, 1007px" /></a></p>
<ul>
<li><code>PcaGeneralDb0.txt</code> and <code>PcaGeneralDb1.txt</code> alternate during data logging: new records are saved to the primary file until its size reaches two megabytes. Once that limit is reached, the secondary file is cleared and becomes the new primary file, and the full primary file is then designated as the secondary. This cycle repeats indefinitely. The data fields are delimited with a pipe (|). The file uses UTF-16LE encoding and contains the following fields:
<ul>
<li>Executable launch time (YYYY-MM-DD HH:MM:SS.f (UTC))</li>
<li>Record type (0–4):
<ul>
<li>0 = installation error</li>
<li>1 = driver blocked</li>
<li>2 = abnormal process exit</li>
<li>3 = PCA Resolve call (component responsible for fixing compatibility issues when running older programs)</li>
<li>4 = value not set</li>
</ul>
</li>
<li>Path to executable file. This path omits the volume letter and frequently uses environment variables (%USERPROFILE%, %systemroot%, %programfiles%, and others).</li>
<li>Product name (from the PE header, lowercase)</li>
<li>Company name (from the PE header, lowercase)</li>
<li>Product version (from the PE header)</li>
<li>Windows application ID (format matches that used in <a href="https://securelist.com/amcache-forensic-artifact/117622/" target="_blank" rel="noopener">AmCache</a>)</li>
<li>Message</li>
</ul>
</li>
</ul>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117685" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5.png" alt="" width="2390" height="341" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5.png 2390w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-300x43.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-1024x146.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-768x110.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-1536x219.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-2048x292.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-740x106.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-1600x228.png 1600w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-800x114.png 800w" sizes="auto, (max-width: 2390px) 100vw, 2390px" /></a></p>
<p>Note that these text files only record data related to program launches executed through Windows File Explorer. They do not log launches of executable files initiated from the console.</p>
<h3 id="windows-search">Windows Search</h3>
<p>Windows Search is the built-in indexing and file search mechanism within Windows. Initially, it combed through files directly, resulting in sluggish and inefficient searches. Later, a separate application emerged that created a fast file index. It was not until 2006’s Windows Vista that a search feature was fully integrated into the operating system, with file indexing moved to a background process.</p>
<p>From Windows Vista up to and including Windows 10, the file index was stored in an Extensible Storage Engine (ESE) database:<br />
<code>%PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows\Windows.edb</code>.</p>
<p>Windows 11 breaks this storage down into three SQLite databases:</p>
<ul>
<li><code>%PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows\Windows-gather.db</code> contains general information about indexed files and folders. The most interesting element is the SystemIndex_Gthr table, which stores data such as the name of the indexed file or directory (FileName column), the last modification of the indexed file or directory (LastModified), an identifier used to link to the parent object (ScopeID), and a unique identifier for the file or directory itself (DocumentID). Using the ScopeID and the SystemIndex_GthrPth table, investigators can reconstruct the full path to a file on the system. The SystemIndex_GthrPth table contains the folder name (Name column), the directory identifier (Scope), and the parent directory identifier (Parent). By matching the file’s ScopeID with the directory’s Scope, one can determine the parent directory of the file.</li>
<li><code>%PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows\Windows.db</code> stores information about the metadata of indexed files. The SystemIndex_1_PropertyStore table is of interest for analysis; it holds the unique identifier of the indexed object (WorkId column), the metadata type (ColumnId), and the metadata itself. Metadata types are described in the SystemIndex_1_PropertyStore_Metadata table (where the content of the Id column corresponds to the ColumnId content from SystemIndex_1_PropertyStore) and are specified in the UniqueKey column.</li>
<li><code>%PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows\Windows-usn.db</code> does not contain useful information for forensic analysis.</li>
</ul>
<p>As depicted in the image below, analyzing the <code>Windows-gather.db</code> file using DB Browser for SQLite can provide us evidence of the presence of certain files (e.g., malware files, configuration files, files created and left by attackers, and others).<br />
<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6.png" alt="" width="1234" height="667" class="aligncenter size-full wp-image-117735" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6.png 1234w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-300x162.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-1024x553.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-768x415.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-648x350.png 648w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-740x400.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-518x280.png 518w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-800x432.png 800w" sizes="auto, (max-width: 1234px) 100vw, 1234px" /></a><br />
It is worth noting that the LastModified column is stored in the Windows FILETIME format, which holds an unsigned 64-bit date and time value, representing the number of 100-nanosecond units since the start of January 1, 1601. Using a utility such as DCode, we can see this value in UTC, as shown in the image below.<br />
<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7.png" alt="" width="1062" height="434" class="aligncenter size-full wp-image-117736" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7.png 1062w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-300x123.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-1024x418.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-768x314.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-856x350.png 856w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-740x302.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-685x280.png 685w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-800x327.png 800w" sizes="auto, (max-width: 1062px) 100vw, 1062px" /></a></p>
<h3 id="other-minor-changes-in-windows-11">Other minor changes in Windows 11</h3>
<p>It is also worth mentioning a few small but important changes in Windows 11 that do not require a detailed analysis:</p>
<ul>
<li>A complete discontinuation of NTLMv1 means that pass-the-hash attacks are gradually becoming a thing of the past.</li>
<li>Removal of the well-known Windows 10 Timeline activity artifact. Although it is no longer being actively maintained, its database remains for now in the files containing user activity information, located at: <code>%userprofile%\AppData\Local\ConnectedDevicesPlatform\ActivitiesCache.db</code>.</li>
<li>Similarly, Windows 11 removed Cortana and Internet Explorer, but the artifacts of these can still be found in the operating system. This may be useful for investigations conducted in machines that were updated from Windows 10 to the newer version.</li>
<li><a href="https://github.com/AndrewRathbun/Windows11Research/tree/main/EventLogs/4624" target="_blank">Previous research</a> also showed that Event ID 4624, which logs successful logon attempts in Windows, remained largely consistent across versions until a notable update appeared in Windows 11 Pro (22H2). This version introduces a new field, called Remote Credential Guard, marking a subtle but potentially important change in forensic analysis. While its real-world use and forensic significance remain to be observed, its presence suggests Microsoft’s ongoing efforts to enhance authentication-related telemetry.</li>
<li>Expanded support for the ReFS file system. The latest Windows 11 update preview made it possible to install the operating system directly onto a ReFS volume, and BitLocker support was also introduced. This file system has several key differences from the familiar NTFS:
<ul>
<li>ReFS does not have the $MFT (Master File Table) that forensics specialists rely on, which contains all current file records on the disk.</li>
<li>It does not generate short file names, as NTFS does for DOS compatibility.</li>
<li>It does not support hard links or extended object attributes.</li>
<li>It offers increased maximum volume and single-file sizes (35 PB compared to 256 TB in NTFS).</li>
</ul>
</li>
</ul>
<h2 id="conclusion">Conclusion</h2>
<p>This post provided a brief overview of key changes to Windows 11 artifacts that are relevant to forensic analysis – most notably, the changes of PCA and modifications to Windows Search mechanism. The ultimate utility of these artifacts in investigations remains to be seen. Nevertheless, we recommend you immediately incorporate the aforementioned files into the scope of your triage collection tool.</p>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/forensic-artifacts-in-windows-11/117680/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13154941/SL-forensic-artifacts-in-windows-11-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13154941/SL-forensic-artifacts-in-windows-11-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13154941/SL-forensic-artifacts-in-windows-11-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13154941/SL-forensic-artifacts-in-windows-11-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
<item>
<title>How we trained an ML model to detect DLL hijacking</title>
<link>https://securelist.com/building-ml-model-to-detect-dll-hijacking/117565/</link>
<comments>https://securelist.com/building-ml-model-to-detect-dll-hijacking/117565/#respond</comments>
<dc:creator><![CDATA[Anna Pidzhakova]]></dc:creator>
<pubDate>Mon, 06 Oct 2025 08:00:21 +0000</pubDate>
<category><![CDATA[Research]]></category>
<category><![CDATA[Security technology]]></category>
<category><![CDATA[Machine learning]]></category>
<category><![CDATA[DLL hijacking]]></category>
<category><![CDATA[Threat hunting]]></category>
<category><![CDATA[Artificial intelligence]]></category>
<category><![CDATA[DLL]]></category>
<category><![CDATA[Cybersecurity]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117565</guid>
<description><![CDATA[An expert at the Kaspersky AI expertise center explains how the team developed a machine-learning model to identify DLL hijacking attacks.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30133010/SL-ML-model-training-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>DLL hijacking is a common technique in which attackers replace a library called by a legitimate process with a malicious one. It is used by both creators of mass-impact malware, like stealers and banking Trojans, and by APT and cybercrime groups behind targeted attacks. In recent years, the number of DLL hijacking attacks has grown significantly.</p>
<div class="js-infogram-embed" data-id="_/re1cVhfDkiTvQdIHwndC" data-type="interactive" data-title="01(2)_EN_RU_ES_PT-BR_DLL Hijacking charts" style="min-height:;"></div>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Trend in the number of DLL hijacking attacks. 2023 data is taken as 100% (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/02132719/012en_ru_es_pt-br_dll-hijacking-charts.png" target="_blank" rel="noopener">download</a>)</em></p>
<p>We have observed this technique and its variations, like DLL sideloading, in targeted attacks on organizations in <a href="https://securelist.com/cobalt-strike-attacks-using-quora-github-social-media/117085/" target="_blank" rel="noopener">Russia</a>, <a href="https://securelist.com/apt41-in-africa/116986/" target="_blank" rel="noopener">Africa</a>, <a href="https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/" target="_blank" rel="noopener">South Korea</a>, and other countries and regions. <a href="https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" target="_blank" rel="noopener">Lumma</a>, one of 2025’s most active stealers, uses this method for distribution. Threat actors trying to profit from popular applications, such as DeepSeek, also <a href="https://securelist.com/backdoors-and-stealers-prey-on-deepseek-and-grok/115801/#scheme-3-backdoors-and-attacks-on-chinese-users" target="_blank" rel="noopener">resort</a> to DLL hijacking.</p>
<p>Detecting a DLL substitution attack is not easy because the library executes within the trusted address space of a legitimate process. So, to a security solution, this activity may look like a trusted process. Directing excessive attention to trusted processes can compromise overall system performance, so you have to strike a delicate balance between a sufficient level of security and sufficient convenience.</p>
<h2 id="detecting-dll-hijacking-with-a-machine-learning-model">Detecting DLL hijacking with a machine-learning model</h2>
<p>Artificial intelligence can help where simple detection algorithms fall short. Kaspersky has been using machine learning for 20 years to identify malicious activity at various stages. The AI expertise center researches the capabilities of different models in threat detection, then trains and implements them. Our colleagues at the threat intelligence center approached us with a question of whether machine learning could be used to detect DLL hijacking, and more importantly, whether it would help improve detection accuracy.</p>
<h3 id="preparation">Preparation</h3>
<p>To determine if we could train a model to distinguish between malicious and legitimate library loads, we first needed to define a set of features highly indicative of DLL hijacking. We identified the following key features:</p>
<ul>
<li><strong>Wrong library location.</strong> Many standard libraries reside in standard directories, while a malicious DLL is often found in an unusual location, such as the same folder as the executable that calls it.</li>
<li><strong>Wrong executable location.</strong> Attackers often save executables in non-standard paths, like temporary directories or user folders, instead of %Program Files%.</li>
<li><strong>Renamed executable.</strong> To avoid detection, attackers frequently save legitimate applications under arbitrary names.</li>
<li><strong>Library size has changed, and it is no longer signed.</strong></li>
<li><strong>Modified library structure.</strong></li>
</ul>
<h3 id="training-sample-and-labeling">Training sample and labeling</h3>
<p>For the training sample, we used dynamic library load data provided by our internal automatic processing systems, which handle millions of files every day, and anonymized telemetry, such as that voluntarily provided by Kaspersky users through Kaspersky Security Network.</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220803/dll-hijackingEN2.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117583" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220803/dll-hijackingEN2.png" alt="" width="644" height="470" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220803/dll-hijackingEN2.png 644w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220803/dll-hijackingEN2-300x219.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220803/dll-hijackingEN2-480x350.png 480w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220803/dll-hijackingEN2-384x280.png 384w" sizes="auto, (max-width: 644px) 100vw, 644px" /></a></p>
<p>The training sample was labeled in three iterations. Initially, we could not automatically pull event labeling from our analysts that indicated whether an event was a DLL hijacking attack. So, we used data from our databases containing only file reputation, and labeled the rest of the data manually. We labeled as DLL hijacking those library-call events where the process was definitively legitimate but the DLL was definitively malicious. However, this labeling was not enough because some processes, like “svchost”, are designed mainly to load various libraries. As a result, the model we trained on this data had a high rate of false positives and was not practical for real-world use.</p>
<p>In the next iteration, we additionally filtered malicious libraries by family, keeping only those which were known to exhibit DLL-hijacking behavior. The model trained on this refined data showed significantly better accuracy and essentially confirmed our hypothesis that we could use machine learning to detect this type of attacks.</p>
<p>At this stage, our training dataset had tens of millions of objects. This included about 20 million clean files and around 50,000 definitively malicious ones.</p>
<table>
<tbody>
<tr>
<td><strong>Status</strong></td>
<td><strong>Total</strong></td>
<td><strong>Unique files</strong></td>
</tr>
<tr>
<td>Unknown</td>
<td>~ 18M</td>
<td>~ 6M</td>
</tr>
<tr>
<td>Malicious</td>
<td>~ 50K</td>
<td>~ 1,000</td>
</tr>
<tr>
<td>Clean</td>
<td>~ 20M</td>
<td>~ 250K</td>
</tr>
</tbody>
</table>
<p>We then trained subsequent models on the results of their predecessors, which had been verified and further labeled by analysts. This process significantly increased the efficiency of our training.</p>
<h2 id="loading-dlls-what-does-normal-look-like">Loading DLLs: what does normal look like?</h2>
<p>So, we had a labeled sample with a large number of library loading events from various processes. How can we describe a “clean” library? Using a process name + library name combination does not account for renamed processes. Besides, a legitimate user, not just an attacker, can rename a process. If we used the process hash instead of the name, we would solve the renaming problem, but then every version of the same library would be treated as a separate library. We ultimately settled on using a library name + process signature combination. While this approach considers all identically named libraries from a single vendor as one, it generally produces a more or less realistic picture.</p>
<p>To describe safe library loading events, we used a set of counters that included information about the processes (the frequency of a specific process name for a file with a given hash, the frequency of a specific file path for a file with that hash, and so on), information about the libraries (the frequency of a specific path for that library, the percentage of legitimate launches, and so on), and event properties (that is, whether the library is in the same directory as the file that calls it).</p>
<p>The result was a system with multiple aggregates (sets of counters and keys) that could describe an input event. These aggregates can contain a single key (e.g., a DLL’s hash sum) or multiple keys (e.g., a process’s hash sum + process signature). Based on these aggregates, we can derive a set of features that describe the library loading event. The diagram below provides examples of how these features are derived:</p>
<div id="attachment_117584" style="width: 1468px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117584" class="size-full wp-image-117584" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3.png" alt="Feature extraction from aggregates" width="1458" height="546" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3.png 1458w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-300x112.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-1024x383.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-768x288.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-935x350.png 935w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-740x277.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-748x280.png 748w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-800x300.png 800w" sizes="auto, (max-width: 1458px) 100vw, 1458px" /></a><p id="caption-attachment-117584" class="wp-caption-text">Feature extraction from aggregates</p></div>
<h2 id="loading-dlls-how-to-describe-hijacking">Loading DLLs: how to describe hijacking</h2>
<p>Certain feature combinations (dependencies) strongly indicate DLL hijacking. These can be simple dependencies. For some processes, the clean library they call always resides in a separate folder, while the malicious one is most often placed in the process folder.</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117585" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4.png" alt="" width="1264" height="278" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4.png 1264w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4-300x66.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4-1024x225.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4-768x169.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4-740x163.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4-800x176.png 800w" sizes="auto, (max-width: 1264px) 100vw, 1264px" /></a></p>
<p>Other dependencies can be more complex and require several conditions to be met. For example, a process renaming itself does not, on its own, indicate DLL hijacking. However, if the new name appears in the data stream for the first time, and the library is located on a non-standard path, it is highly likely to be malicious.</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117586" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5.png" alt="" width="1264" height="452" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5.png 1264w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-300x107.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-1024x366.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-768x275.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-979x350.png 979w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-740x265.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-783x280.png 783w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-800x286.png 800w" sizes="auto, (max-width: 1264px) 100vw, 1264px" /></a></p>
<h2 id="model-evolution">Model evolution</h2>
<p>Within this project, we trained several generations of models. The primary goal of the first generation was to show that machine learning could at all be applied to detecting DLL hijacking. When training this model, we used the broadest possible interpretation of the term.</p>
<p>The model’s workflow was as simple as possible:</p>
<ol>
<li>We took a data stream and extracted a frequency description for selected sets of keys.</li>
<li>We took the same data stream from a different time period and obtained a set of features.</li>
<li>We used type 1 labeling, where events in which a legitimate process loaded a malicious library from a specified set of families were marked as DLL hijacking.</li>
<li>We trained the model on the resulting data.</li>
</ol>
<div id="attachment_117587" style="width: 654px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221117/dll-hijackingEN6.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117587" class="size-full wp-image-117587" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221117/dll-hijackingEN6.png" alt="First-generation model diagram" width="644" height="470" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221117/dll-hijackingEN6.png 644w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221117/dll-hijackingEN6-300x219.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221117/dll-hijackingEN6-480x350.png 480w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221117/dll-hijackingEN6-384x280.png 384w" sizes="auto, (max-width: 644px) 100vw, 644px" /></a><p id="caption-attachment-117587" class="wp-caption-text">First-generation model diagram</p></div>
<p>The second-generation model was trained on data that had been processed by the first-generation model and verified by analysts (labeling type 2). Consequently, the labeling was more precise than during the training of the first model. Additionally, we added more features to describe the library structure and slightly complicated the workflow for describing library loads.</p>
<div id="attachment_117588" style="width: 654px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221153/dll-hijackingEN7.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117588" class="size-full wp-image-117588" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221153/dll-hijackingEN7.png" alt="Second-generation model diagram" width="644" height="470" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221153/dll-hijackingEN7.png 644w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221153/dll-hijackingEN7-300x219.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221153/dll-hijackingEN7-480x350.png 480w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221153/dll-hijackingEN7-384x280.png 384w" sizes="auto, (max-width: 644px) 100vw, 644px" /></a><p id="caption-attachment-117588" class="wp-caption-text">Second-generation model diagram</p></div>
<p>Based on the results from this second-generation model, we were able to identify several common types of false positives. For example, the training sample included potentially unwanted applications. These can, in certain contexts, exhibit behavior similar to DLL hijacking, but they are not malicious and rarely belong to this attack type.</p>
<p>We fixed these errors in the third-generation model. First, with the help of analysts, we flagged the potentially unwanted applications in the training sample so the model would not detect them. Second, in this new version, we used an expanded labeling that included useful detections from both the first and second generations. Additionally, we expanded the feature description through one-hot encoding — a technique for converting categorical features into a binary format — for certain fields. Also, since the volume of events processed by the model increased over time, this version added normalization of all features based on the data flow size.</p>
<div id="attachment_117589" style="width: 654px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221236/dll-hijackingEN8.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117589" class="size-full wp-image-117589" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221236/dll-hijackingEN8.png" alt="Third-generation model diagram" width="644" height="470" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221236/dll-hijackingEN8.png 644w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221236/dll-hijackingEN8-300x219.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221236/dll-hijackingEN8-480x350.png 480w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221236/dll-hijackingEN8-384x280.png 384w" sizes="auto, (max-width: 644px) 100vw, 644px" /></a><p id="caption-attachment-117589" class="wp-caption-text">Third-generation model diagram</p></div>
<h2 id="comparison-of-the-models">Comparison of the models</h2>
<p>To evaluate the evolution of our models, we applied them to a test data set none of them had worked with before. The graph below shows the ratio of true positive to false positive verdicts for each model.</p>
<div id="attachment_117590" style="width: 1639px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117590" class="size-full wp-image-117590" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9.png" alt="Trends in true positives and false positives from the first-, second-, and third-generation models" width="1629" height="664" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9.png 1629w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-300x122.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-1024x417.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-768x313.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-1536x626.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-859x350.png 859w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-740x302.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-687x280.png 687w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-800x326.png 800w" sizes="auto, (max-width: 1629px) 100vw, 1629px" /></a><p id="caption-attachment-117590" class="wp-caption-text">Trends in true positives and false positives from the first-, second-, and third-generation models</p></div>
<p>As the models evolved, the percentage of true positives grew. While the first-generation model achieved a relatively good result (0.6 or higher) only with a very high false positive rate (10<sup>⁻³</sup> or more), the second-generation model reached this at 10<sup>⁻⁵</sup>. The third-generation model, at the same low false positive rate, produced 0.8 true positives, which is considered a good result.</p>
<p>Evaluating the models on the data stream at a fixed score shows that the absolute number of new events labeled as DLL Hijacking increased from one generation to the next. That said, evaluating the models by their false verdict rate also helps track progress: the first model has a fairly high error rate, while the second and third generations have significantly lower ones.</p>
<div class="js-infogram-embed" data-id="_/OWgUgOWv4ByEQ85H3Kvx" data-type="interactive" data-title="03-EN-DLL Hijacking charts" style="min-height:;"></div>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>False positives rate among model outputs, July 2024 – August 2025 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/02095204/03-en-dll-hijacking-charts-1.png" target="_blank" rel="noopener">download</a>)</em></p>
<h2 id="practical-application-of-the-models">Practical application of the models</h2>
<p>All three model generations are used in our internal systems to detect likely cases of DLL hijacking within telemetry data streams. We receive 6.5 million security events daily, linked to 800,000 unique files. Aggregates are built from this sample at a specified interval, enriched, and then fed into the models. The output data is then ranked by model and by the probability of DLL hijacking assigned to the event, and then sent to our analysts. For instance, if the third-generation model flags an event as DLL hijacking with high confidence, it should be investigated first, whereas a less definitive verdict from the first-generation model can be checked last.</p>
<p>Simultaneously, the models are tested on a separate data stream they have not seen before. This is done to assess their effectiveness over time, as a model’s detection performance can degrade. The graph below shows that the percentage of correct detections varies slightly over time, but on average, the models detect 70–80% of DLL hijacking cases.</p>
<div class="js-infogram-embed" data-id="_/x8oClVXPCh0H7k2VhVBA" data-type="interactive" data-title="04-EN-DLL Hijacking charts" style="min-height:;"></div>
<p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>DLL hijacking detection trends for all three models, October 2024 – September 2025 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/02095150/04-en-dll-hijacking-charts-1.png" target="_blank" rel="noopener">download</a>)</em></p>
<p>Additionally, we recently deployed a DLL hijacking detection model into the <a href="https://www.kaspersky.com/enterprise-security/unified-monitoring-and-analysis-platform?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______e9dd8a9973100725" target="_blank" rel="noopener">Kaspersky SIEM</a>, but first we tested the model in the <a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___kmdr____8449ede27504ec48" target="_blank" rel="noopener">Kaspersky MDR</a> service. During the pilot phase, the model helped to detect and prevent a number of DLL hijacking incidents in our clients’ systems. We have written <a href="https://securelist.com/detecting-dll-hijacking-with-machine-learning-in-kaspersky-siem/117567/" target="_blank" rel="noopener">a separate article</a> about how the machine learning model for detecting targeted attacks involving DLL hijacking works in Kaspersky SIEM and the incidents it has identified.</p>
<h2 id="conclusion">Conclusion</h2>
<p>Based on the training and application of the three generations of models, the experiment to detect DLL hijacking using machine learning was a success. We were able to develop a model that distinguishes events resembling DLL hijacking from other events, and refined it to a state suitable for practical use, not only in our internal systems but also in commercial products. Currently, the models operate in the cloud, scanning hundreds of thousands of unique files per month and detecting thousands of files used in DLL hijacking attacks each month. They regularly identify previously unknown variations of these attacks. The results from the models are sent to analysts who verify them and create new detection rules based on their findings.</p>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/building-ml-model-to-detect-dll-hijacking/117565/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30133010/SL-ML-model-training-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30133010/SL-ML-model-training-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30133010/SL-ML-model-training-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30133010/SL-ML-model-training-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
<item>
<title>Detecting DLL hijacking with machine learning: real-world cases</title>
<link>https://securelist.com/detecting-dll-hijacking-with-machine-learning-in-kaspersky-siem/117567/</link>
<comments>https://securelist.com/detecting-dll-hijacking-with-machine-learning-in-kaspersky-siem/117567/#respond</comments>
<dc:creator><![CDATA[Gleb Ivanov, Andrey Gunkin]]></dc:creator>
<pubDate>Mon, 06 Oct 2025 08:00:08 +0000</pubDate>
<category><![CDATA[Security technologies]]></category>
<category><![CDATA[Security technology]]></category>
<category><![CDATA[Machine learning]]></category>
<category><![CDATA[DLL hijacking]]></category>
<category><![CDATA[Threat hunting]]></category>
<category><![CDATA[DLL sideloading]]></category>
<category><![CDATA[Cybersecurity]]></category>
<category><![CDATA[Artificial intelligence]]></category>
<category><![CDATA[DLL]]></category>
<category><![CDATA[SIEM]]></category>
<category><![CDATA[Cybersecurity]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117567</guid>
<description><![CDATA[We will tell you how we integrated a DLL Hijacking detection model into the Kaspersky SIEM platform and how it helped us uncover several incidents in their early stages.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30120509/SL-DLL-Hicjacking-detection-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
<p>Our colleagues from the AI expertise center recently developed a machine-learning model that detects DLL-hijacking attacks. We then integrated this model into the <a href="https://www.kaspersky.com/enterprise-security/unified-monitoring-and-analysis-platform?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______e9dd8a9973100725" target="_blank" rel="noopener">Kaspersky Unified Monitoring and Analysis Platform</a> SIEM system. In <a href="https://securelist.com/building-ml-model-to-detect-dll-hijacking/117565/" target="_blank" rel="noopener">a separate article</a>, our colleagues shared how the model had been created and what success they had achieved in lab environments. Here, we focus on how it operates within Kaspersky SIEM, the preparation steps taken before its release, and some real-world incidents it has already helped us uncover.</p>
<h2 id="how-the-model-works-in-kaspersky-siem">How the model works in Kaspersky SIEM</h2>
<p>The model’s operation generally boils down to a step-by-step check of all DLL libraries loaded by processes in the system, followed by validation in the Kaspersky Security Network (KSN) cloud. This approach allows local attributes (path, process name, and file hashes) to be combined with a global knowledge base and behavioral indicators, which significantly improves detection quality and reduces the probability of false positives.</p>
<p>The model can run in one of two modes: on a correlator or on a collector. A correlator is a SIEM component that performs event analysis and correlation based on predefined rules or algorithms. If detection is configured on a correlator, the model checks events that have already triggered a rule. This reduces the volume of KSN queries and the model’s response time.</p>
<p>This is how it looks:</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117570" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2.png" alt="" width="984" height="395" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2.png 984w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2-300x120.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2-768x308.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2-872x350.png 872w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2-740x297.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2-698x280.png 698w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2-800x321.png 800w" sizes="auto, (max-width: 984px) 100vw, 984px" /></a></p>
<p>A collector is a software or hardware component of a SIEM platform that collects and normalizes events from various sources, and then delivers these events to the platform’s core. If detection is configured on a collector, the model processes all events associated with various processes loading libraries, provided these events meet the following conditions:</p>
<ul>
<li>The path to the process file is known.</li>
<li>The path to the library is known.</li>
<li>The hashes of the file and the library are available.</li>
</ul>
<p>This method consumes more resources, and the model’s response takes longer than it does on a correlator. However, it can be useful for retrospective threat hunting because it allows you to check all events logged by Kaspersky SIEM. The model’s workflow on a collector looks like this:</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117572" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4.png" alt="" width="984" height="366" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4.png 984w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4-300x112.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4-768x286.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4-941x350.png 941w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4-740x275.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4-753x280.png 753w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4-800x298.png 800w" sizes="auto, (max-width: 984px) 100vw, 984px" /></a></p>
<p>It is important to note that the model is not limited to a binary “malicious/non-malicious” assessment; it ranks its responses by confidence level. This allows it to be used as a flexible tool in SOC practice. Examples of possible verdicts:</p>
<ul>
<li>0: data is being processed.</li>
<li>1: maliciousness not confirmed. This means the model currently does not consider the library malicious.</li>
<li>2: suspicious library.</li>
<li>3: maliciousness confirmed.</li>
</ul>
<p>A Kaspersky SIEM rule for detecting DLL hijacking would look like this:</p><pre class="urvanov-syntax-highlighter-plain-tag">N.KL_AI_DLLHijackingCheckResult > 1</pre><p>
Embedding the model into the Kaspersky SIEM correlator automates the process of finding DLL-hijacking attacks, making it possible to detect them at scale without having to manually analyze hundreds or thousands of loaded libraries. Furthermore, when combined with correlation rules and telemetry sources, the model can be used not just as a standalone module but as part of a comprehensive defense against infrastructure attacks.</p>
<h2 id="incidents-detected-during-the-pilot-testing-of-the-model-in-the-mdr-service">Incidents detected during the pilot testing of the model in the MDR service</h2>
<p>Before being released, the model (as part of the Kaspersky SIEM platform) was tested in the <a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___kmdr____8449ede27504ec48" target="_blank" rel="noopener">MDR</a> service, where it was trained to identify attacks on large datasets supplied by our telemetry. This step was necessary to ensure that detection works not only in lab settings but also in real client infrastructures.</p>
<p>During the pilot testing, we verified the model’s resilience to false positives and its ability to correctly classify behavior even in non-typical DLL-loading scenarios. As a result, several real-world incidents were successfully detected where attackers used one type of DLL hijacking — the DLL Sideloading technique — to gain persistence and execute their code in the system.</p>
<p>Let us take a closer look at the three most interesting of these.</p>
<h3 id="incident-1-toddycat-trying-to-launch-cobalt-strike-disguised-as-a-system-library">Incident 1. ToddyCat trying to launch Cobalt Strike disguised as a system library</h3>
<p>In one incident, the attackers successfully leveraged the vulnerability <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27076" target="_blank" rel="noopener">CVE-2021-27076</a> to exploit a SharePoint service that used IIS as a web server. They ran the following command:</p><pre class="urvanov-syntax-highlighter-plain-tag">c:\windows\system32\inetsrv\w3wp.exe -ap "SharePoint - 80" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iisipmd32ded38-e45b-423f-804d-34471928538b -h "C:\inetpub\temp\apppools\SharePoint - 80\SharePoint - 80.config" -w "" -m 0</pre><p>
After the exploitation, the IIS process created files that were later used to run malicious code via the DLL sideloading technique (<a href="https://attack.mitre.org/techniques/T1574/001/" target="_blank" rel="noopener">T1574.001 Hijack Execution Flow:</a><a href="https://attack.mitre.org/techniques/T1574/001/" target="_blank" rel="noopener"> DLL</a>):</p><pre class="urvanov-syntax-highlighter-plain-tag">C:\ProgramData\SystemSettings.exe
C:\ProgramData\SystemSettings.dll</pre><p>
SystemSettings.dll is the name of a library associated with the Windows Settings application (SystemSettings.exe). The original library contains code and data that the Settings application uses to manage and configure various system parameters. However, the library created by the attackers has malicious functionality and is only pretending to be a system library.</p>
<p>Later, to establish persistence in the system and launch a DLL sideloading attack, a scheduled task was created, disguised as a Microsoft Edge browser update. It launches a SystemSettings.exe file, which is located in the same directory as the malicious library:</p><pre class="urvanov-syntax-highlighter-plain-tag">Schtasks /create /ru "SYSTEM" /tn "\Microsoft\Windows\Edge\Edgeupdates" /sc DAILY /tr "C:\ProgramData\SystemSettings.exe" /F</pre><p>
The task is set to run daily.</p>
<p>When the SystemSettings.exe process is launched, it loads the malicious DLL. As this happened, the process and library data were sent to our model for analysis and detection of a potential attack.</p>
<div id="attachment_117573" style="width: 693px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117573" class="size-full wp-image-117573" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3.png" alt="Example of a SystemSettings.dll load event with a DLL Hijacking module verdict in Kaspersky SIEM" width="683" height="1082" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3.png 683w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3-189x300.png 189w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3-646x1024.png 646w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3-221x350.png 221w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3-631x1000.png 631w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3-177x280.png 177w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3-568x900.png 568w" sizes="auto, (max-width: 683px) 100vw, 683px" /></a><p id="caption-attachment-117573" class="wp-caption-text">Example of a SystemSettings.dll load event with a DLL Hijacking module verdict in Kaspersky SIEM</p></div>
<p>The resulting data helped our analysts highlight a suspicious DLL and analyze it in detail. The library was found to be a <a href="https://tip.kaspersky.com/landscape/software/S0353" target="_blank" rel="noopener">Cobalt Strike</a> implant. After loading it, the SystemSettings.exe process attempted to connect to the attackers’ command-and-control server.</p><pre class="urvanov-syntax-highlighter-plain-tag">DNS query: connect-microsoft[.]com
DNS query type: AAAA
DNS response: ::ffff:8.219.1[.]155;
8.219.1[.]155:8443</pre><p>
After establishing a connection, the attackers began host reconnaissance to gather various data to develop their attack.</p><pre class="urvanov-syntax-highlighter-plain-tag">C:\ProgramData\SystemSettings.exe
whoami /priv
hostname
reg query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid
powershell -c $psversiontable
dotnet --version
systeminfo
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Drivers"
cmdkey /list
REG query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
netsh wlan show profiles
netsh wlan show interfaces
set
net localgroup administrators
net user
net user administrator
ipconfig /all
net config workstation
net view
arp -a
route print
netstat -ano
tasklist
schtasks /query /fo LIST /v
net start
net share
net use
netsh firewall show config
netsh firewall show state
net view /domain
net time /domain
net group "domain admins" /domain
net localgroup administrators /domain
net group "domain controllers" /domain
net accounts /domain
nltest / domain_trusts
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
reg query HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce</pre><p>
Based on the attackers’ TTPs, such as <a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank" rel="noopener">loading Cobalt Strike as a DLL</a>, using the DLL sideloading technique (<a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank" rel="noopener">1</a>, <a href="https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/" target="_blank" rel="noopener">2</a>), and exploiting SharePoint, we can say with a high degree of confidence that the <a href="https://securelist.com/tag/toddycat/" target="_blank" rel="noopener">ToddyCat APT group</a> was behind the attack. Thanks to the prompt response of our model, we were able to respond in time and block this activity, preventing the attackers from causing damage to the organization.</p>
<h3 id="incident-2-infostealer-masquerading-as-a-policy-manager">Incident 2. Infostealer masquerading as a policy manager</h3>
<p>Another example was discovered by the model after a client was connected to MDR monitoring: a legitimate system file located in an application folder attempted to load a suspicious library that was stored next to it.</p><pre class="urvanov-syntax-highlighter-plain-tag">C:\Program Files\Chiniks\SettingSyncHost.exe
C:\Program Files\Chiniks\policymanager.dll E83F331BD1EC115524EBFF7043795BBE</pre><p>
The SettingSyncHost.exe file is a system host process for synchronizing settings between one user’s different devices. Its 32-bit and 64-bit versions are usually located in C:\Windows\System32\ and C:\Windows\SysWOW64\, respectively. In this incident, the file location differed from the normal one.</p>
<div id="attachment_117574" style="width: 877px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117574" class="size-full wp-image-117574" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4.png" alt="Example of a policymanager.dll load event with a DLL Hijacking module verdict in Kaspersky SIEM" width="867" height="818" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4.png 867w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4-300x283.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4-768x725.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4-371x350.png 371w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4-740x698.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4-297x280.png 297w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4-800x755.png 800w" sizes="auto, (max-width: 867px) 100vw, 867px" /></a><p id="caption-attachment-117574" class="wp-caption-text">Example of a policymanager.dll load event with a DLL Hijacking module verdict in Kaspersky SIEM</p></div>
<p>Analysis of the library file loaded by this process showed that it was malware designed to steal information from browsers.</p>
<div id="attachment_117575" style="width: 984px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117575" class="size-full wp-image-117575" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5.png" alt="Graph of policymanager.dll activity in a sandbox" width="974" height="503" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5.png 974w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5-300x155.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5-768x397.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5-678x350.png 678w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5-740x382.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5-542x280.png 542w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5-800x413.png 800w" sizes="auto, (max-width: 974px) 100vw, 974px" /></a><p id="caption-attachment-117575" class="wp-caption-text">Graph of policymanager.dll activity in a sandbox</p></div>
<p>The file directly accesses browser files that contain user data.</p><pre class="urvanov-syntax-highlighter-plain-tag">C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Local State</pre><p>
The library file is on the list of files used for DLL hijacking, as published in the HijackLibs project. The project contains a list of common processes and libraries employed in DLL-hijacking attacks, which can be used to detect these attacks.</p>
<h3 id="incident-3-malicious-loader-posing-as-a-security-solution">Incident 3. Malicious loader posing as a security solution</h3>
<p>Another incident discovered by our model occurred when a user connected a removable USB drive:</p>
<div id="attachment_117576" style="width: 984px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117576" class="size-full wp-image-117576" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6.png" alt="Example of a Kaspersky SIEM event where a wsc.dll library was loaded from a USB drive, with a DLL Hijacking module verdict" width="974" height="894" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6.png 974w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6-300x275.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6-768x705.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6-381x350.png 381w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6-740x679.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6-305x280.png 305w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6-800x734.png 800w" sizes="auto, (max-width: 974px) 100vw, 974px" /></a><p id="caption-attachment-117576" class="wp-caption-text">Example of a Kaspersky SIEM event where a wsc.dll library was loaded from a USB drive, with a DLL Hijacking module verdict</p></div>
<p>The connected drive’s directory contained hidden folders with an identically named shortcut for each of them. The shortcuts had icons typically used for folders. Since file extensions were not shown by default on the drive, the user might have mistaken the shortcut for a folder and launched it. In turn, the shortcut opened the corresponding hidden folder and ran an executable file using the following command:</p><pre class="urvanov-syntax-highlighter-plain-tag">"%comspec%" /q /c "RECYCLER.BIN\1\CEFHelper.exe [$DIGITS] [$DIGITS]"</pre><p>
CEFHelper.exe is a legitimate Avast Antivirus executable that, through DLL sideloading, loaded the wsc.dll library, which is a malicious loader.</p>
<div id="attachment_117577" style="width: 461px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221216/detecting-dll-hijacking7.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117577" class="size-full wp-image-117577" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221216/detecting-dll-hijacking7.png" alt="Code snippet from the malicious file" width="451" height="485" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221216/detecting-dll-hijacking7.png 451w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221216/detecting-dll-hijacking7-279x300.png 279w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221216/detecting-dll-hijacking7-325x350.png 325w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221216/detecting-dll-hijacking7-260x280.png 260w" sizes="auto, (max-width: 451px) 100vw, 451px" /></a><p id="caption-attachment-117577" class="wp-caption-text">Code snippet from the malicious file</p></div>
<p>The loader opens a file named AvastAuth.dat, which contains an encrypted backdoor. The library reads the data from the file into memory, decrypts it, and executes it. After this, the backdoor attempts to connect to a remote command-and-control server.</p>
<p>The library file, which contains the malicious loader, is on the list of known libraries used for DLL sideloading, as presented on the HijackLibs project website.</p>
<h2 id="conclusion">Conclusion</h2>
<p>Integrating the model into the product provided the means of early and accurate detection of DLL-hijacking attempts which previously might have gone unnoticed. Even during the pilot testing, the model proved its effectiveness by identifying several incidents using this technique. Going forward, its accuracy will only increase as data accumulates and algorithms are updated in KSN, making this mechanism a reliable element of proactive protection for corporate systems.</p>
<h2 id="ioc">IoC</h2>
<p><strong>Legitimate files used for DLL hijacking<br />
</strong>E0E092D4EFC15F25FD9C0923C52C33D6 loads SystemSettings.dll<br />
09CD396C8F4B4989A83ED7A1F33F5503 loads policymanager.dll<br />
A72036F635CECF0DCB1E9C6F49A8FA5B loads wsc.dll</p>
<p><strong>Malicious files</strong><br />
<a href="https://opentip.kaspersky.com/ea2882b05f8c11a285426f90859f23c6/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______20de3dc00773942a&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">EA2882B05F8C11A285426F90859F23C6</a> SystemSettings.dll<br />
<a href="https://opentip.kaspersky.com/e83f331bd1ec115524ebff7043795bbe/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______cbf93adf43b574f2&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">E83F331BD1EC115524EBFF7043795BBE</a> policymanager.dll<br />
<a href="https://opentip.kaspersky.com/831252e7fa9bd6fa174715647ebce516/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______01488fcf88e4ecaf&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">831252E7FA9BD6FA174715647EBCE516</a> wsc.dll</p>
<p><strong>Paths</strong><br />
C:\ProgramData\SystemSettings.exe<br />
C:\ProgramData\SystemSettings.dll<br />
C:\Program Files\Chiniks\SettingSyncHost.exe<br />
C:\Program Files\Chiniks\policymanager.dll<br />
D:\RECYCLER.BIN\1\CEFHelper.exe<br />
D:\RECYCLER.BIN\1\wsc.dll</p>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/detecting-dll-hijacking-with-machine-learning-in-kaspersky-siem/117567/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30120509/SL-DLL-Hicjacking-detection-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30120509/SL-DLL-Hicjacking-detection-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30120509/SL-DLL-Hicjacking-detection-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30120509/SL-DLL-Hicjacking-detection-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
<item>
<title>Forensic journey: hunting evil within AmCache</title>
<link>https://securelist.com/amcache-forensic-artifact/117622/</link>
<comments>https://securelist.com/amcache-forensic-artifact/117622/#respond</comments>
<dc:creator><![CDATA[Cristian Souza]]></dc:creator>
<pubDate>Wed, 01 Oct 2025 10:00:20 +0000</pubDate>
<category><![CDATA[SOC, TI and IR posts]]></category>
<category><![CDATA[Digital forensics]]></category>
<category><![CDATA[Threat hunting]]></category>
<category><![CDATA[Researchers tools]]></category>
<category><![CDATA[Incident response]]></category>
<category><![CDATA[Forensic journey]]></category>
<category><![CDATA[Cybersecurity]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117622</guid>
<description><![CDATA[Kaspersky experts share insights into how AmCache may prove useful during incident investigation, and provide a command line tool to extract data from this artifact.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/01111328/SL-AmCache-forensic-artifact-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
<p>When it comes to digital forensics, AmCache plays a vital role in identifying malicious activities in Windows systems. This artifact allows the identification of the execution of both benign and malicious software on a machine. It is managed by the operating system, and at the time of writing this article, there is no known way to modify or remove AmCache data. Thus, in an incident response scenario, it could be the key to identifying lost artifacts (e.g., ransomware that auto-deletes itself), allowing analysts to search for patterns left by the attacker, such as file names and paths. Furthermore, AmCache stores the SHA-1 hashes of executed files, which allows DFIR professionals to search public threat intelligence feeds — such as <a href="https://opentip.kaspersky.com/" target="_blank" rel="noopener">OpenTIP</a> and <a href="https://www.virustotal.com/gui/" target="_blank" rel="noopener">VirusTotal</a> — and generate rules for blocking this same file on other systems across the network.</p>
<p>This article presents a comprehensive analysis of the AmCache artifact, allowing readers to better understand its inner workings. In addition, we present a new tool named “<a href="https://github.com/cristianzsh/amcache-evilhunter" target="_blank" rel="noopener">AmCache-EvilHunter</a>“, which can be used by any professional to easily parse the <code>Amcache.hve</code> file and extract IOCs. The tool is also able to query the aforementioned intelligence feeds to check for malicious file detections, this level of built-in automation reduces manual effort and speeds up threat detection, which is of significant value for analysts and responders.</p>
<h2 id="the-importance-of-evidence-of-execution">The importance of evidence of execution</h2>
<p>Evidence of execution is fundamentally important in digital forensics and incident response, since it helps investigators reconstruct how the system was used during an intrusion. Artifacts such as Prefetch, ShimCache, and <a href="https://securelist.com/userassist-artifact-forensic-value-for-incident-response/116911/" target="_blank" rel="noopener">UserAssist</a> offer clues about what was executed. AmCache is also a robust artifact for evidencing execution, preserving metadata that indicates a file’s presence and execution, even if the file has been deleted or modified. An advantage of AmCache over other Windows artifacts is that unlike them, it stores the file hash, which is immensely useful for analysts, as it can be used to hunt malicious files across the network, increasing the likelihood of fully identifying, containing, and eradicating the threat.</p>
<h2 id="introduction-to-amcache">Introduction to AmCache</h2>
<p>Application Activity Cache (AmCache) was first introduced in Windows 7 and fully leveraged in Windows 8 and beyond. Its purpose is to replace the older <code>RecentFileCache.bcf</code> in newer systems. Unlike its predecessor, AmCache includes valuable forensic information about program execution, executed binaries and loaded drivers.</p>
<p>This artifact is stored as a registry hive file named <code>Amcache.hve</code> in the directory <code>C:\Windows\AppCompat\Programs</code>. The metadata stored in this file includes file paths, publisher data, compilation timestamps, file sizes, and SHA-1 hashes.</p>
<p>It is important to highlight that the AmCache format does not depend on the operating system version, but rather on the version of the libraries (DLLs) responsible for filling the cache. In this way, even Windows systems with different patch levels could have small differences in the structure of the AmCache files. The known libraries used for filling this cache are stored under <code>%WinDir%\System32</code> with the following names:</p>
<ul>
<li>aecache.dll</li>
<li>aeevts.dll</li>
<li>aeinv.dll</li>
<li>aelupsvc.dll</li>
<li>aepdu.dll</li>
<li>aepic.dll</li>
</ul>
<p>It is worth noting that this artifact has its peculiarities and limitations. The AmCache computes the SHA-1 hash over only the first 31,457,280 bytes (≈31 MB) of each executable, so comparing its stored hash online can fail for files exceeding this size. Furthermore, <code>Amcache.hve</code> is not a true execution log: it records files in directories scanned by the Microsoft Compatibility Appraiser, executables and drivers copied during program execution, and GUI applications that required compatibility shimming. Only the last category reliably indicates actual execution. Items in the first two groups simply confirm file presence on the system, with no data on whether or when they ran.</p>
<p>In the same directory, we can find additional LOG files used to ensure <code>Amcache.hve</code> consistency and recovery operations:</p>
<ul>
<li>C:\Windows\AppCompat\Programs\Amcache.hve.*LOG1</li>
<li>C:\Windows\AppCompat\Programs\Amcache.hve.*LOG2</li>
</ul>
<p>The <code>Amcache.hve</code> file can be collected from a system for forensic analysis using tools like <a href="https://github.com/abaghinyan/aralez" target="_blank" rel="noopener">Aralez</a>, <a href="https://docs.velociraptor.app/downloads/" target="_blank" rel="noopener">Velociraptor</a>, or <a href="https://www.sans.org/tools/kape" target="_blank" rel="noopener">Kape</a>.</p>
<h2 id="amcache-hve-structure">Amcache.hve structure</h2>
<p>The <code>Amcache.hve</code> file is a Windows Registry hive in REGF format; it contains multiple subkeys that store distinct classes of data. A simple Python parser can be implemented to iterate through <code>Amcache.hve</code> and present its keys:</p><pre class="urvanov-syntax-highlighter-plain-tag">#!/usr/bin/env python3
import sys
from Registry.Registry import Registry
hive = Registry(str(sys.argv[1]))
root = hive.open("Root")
for rec in root.subkeys():
print(rec.name())</pre><p>
The result of this parser when executed is:</p>
<div id="attachment_117624" style="width: 1667px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117624" class="size-full wp-image-117624" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1.png" alt="AmCache keys" width="1657" height="796" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1.png 1657w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1-300x144.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1-1024x492.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1-768x369.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1-1536x738.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1-729x350.png 729w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1-740x355.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1-583x280.png 583w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1-800x384.png 800w" sizes="auto, (max-width: 1657px) 100vw, 1657px" /></a><p id="caption-attachment-117624" class="wp-caption-text">AmCache keys</p></div>
<p>From a DFIR perspective, the keys that are of the most interest to us are <code>InventoryApplicationFile</code>, <code>InventoryApplication</code>, <code>InventoryDriverBinary</code>, and <code>InventoryApplicationShortcut</code>, which are described in detail in the following subsections.</p>
<h3 id="inventoryapplicationfile">InventoryApplicationFile</h3>
<p>The <code>InventoryApplicationFile</code> key is essential for tracking every executable discovered on the system. Under this key, each executable is represented by its own uniquely named subkey, which stores the following main metadata:</p>
<ul>
<li><strong>ProgramId:</strong> a unique hash generated from the binary name, version, publisher, and language, with some zeroes appended to the beginning of the hash</li>
<li><strong>FileID:</strong> the SHA-1 hash of the file, with four zeroes appended to the beginning of the hash</li>
<li><strong>LowerCaseLongPath:</strong> the full lowercase path to the executable</li>
<li><strong>Name:</strong> the file base name without the path information</li>
<li><strong>OriginalFileName:</strong> the original filename as specified in the PE header’s version resource, indicating the name assigned by the developer at build time</li>
<li><strong>Publisher:</strong> often used to verify if the source of the binary is legitimate. For malware, this subkey is usually empty</li>
<li><strong>Version:</strong> the specific build or release version of the executable</li>
<li><strong>BinaryType:</strong> indicates whether the executable is a 32-bit or 64-bit binary</li>
<li><strong>ProductName:</strong> the ProductName field from the version resource, describing the broader software product or suite to which the executable belongs</li>
<li><strong>LinkDate: </strong>the compilation timestamp extracted from the PE header</li>
<li><strong>Size:</strong> the file size in bytes</li>
<li><strong>IsOsComponent:</strong> a boolean flag that specifies whether the executable is a built-in OS component or a third-party application/library</li>
</ul>
<p>With some tweaks to our original Python parser, we can read the information stored within this key:</p><pre class="urvanov-syntax-highlighter-plain-tag">#!/usr/bin/env python3
import sys
from Registry.Registry import Registry
hive = Registry(sys.argv[1])
root = hive.open("Root")
subs = {k.name(): k for k in root.subkeys()}
parent = subs.get("InventoryApplicationFile")
for rec in parent.subkeys():
vals = {v.name(): v.value() for v in rec.values()}
print("{}\n{}\n\n-----------\n".format(rec, vals))</pre><p>
<div id="attachment_117625" style="width: 1345px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163907/amcache-forensic-artifact2.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117625" class="size-full wp-image-117625" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163907/amcache-forensic-artifact2.jpeg" alt="InventoryApplicationFile subkeys" width="1335" height="560" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163907/amcache-forensic-artifact2.jpeg 1335w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163907/amcache-forensic-artifact2-300x126.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163907/amcache-forensic-artifact2-1024x430.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163907/amcache-forensic-artifact2-768x322.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163907/amcache-forensic-artifact2-834x350.jpeg 834w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163907/amcache-forensic-artifact2-740x310.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163907/amcache-forensic-artifact2-668x280.jpeg 668w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163907/amcache-forensic-artifact2-800x336.jpeg 800w" sizes="auto, (max-width: 1335px) 100vw, 1335px" /></a><p id="caption-attachment-117625" class="wp-caption-text">InventoryApplicationFile subkeys</p></div>
<p>We can also use tools like Registry Explorer to see the same data in a graphical way:</p>
<div id="attachment_117626" style="width: 1295px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164000/amcache-forensic-artifact3.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117626" class="size-full wp-image-117626" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164000/amcache-forensic-artifact3.png" alt="InventoryApplicationFile inspected through Registry Explorer" width="1285" height="546" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164000/amcache-forensic-artifact3.png 1285w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164000/amcache-forensic-artifact3-300x127.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164000/amcache-forensic-artifact3-1024x435.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164000/amcache-forensic-artifact3-768x326.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164000/amcache-forensic-artifact3-824x350.png 824w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164000/amcache-forensic-artifact3-740x314.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164000/amcache-forensic-artifact3-659x280.png 659w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164000/amcache-forensic-artifact3-800x340.png 800w" sizes="auto, (max-width: 1285px) 100vw, 1285px" /></a><p id="caption-attachment-117626" class="wp-caption-text">InventoryApplicationFile inspected through Registry Explorer</p></div>
<p>As mentioned before, AmCache computes the SHA-1 hash over only the first 31,457,280 bytes (≈31 MB). To prove this, we did a small experiment, during which we got a binary smaller than 31 MB (Aralez) and one larger than this value (a custom version of Velociraptor). For the first case, the SHA-1 hash of the entire binary was stored in AmCache.</p>
<div id="attachment_117627" style="width: 1720px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117627" class="size-full wp-image-117627" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4.png" alt="First AmCache SHA-1 storage scenario" width="1710" height="561" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4.png 1710w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4-300x98.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4-1024x336.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4-768x252.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4-1536x504.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4-1067x350.png 1067w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4-740x243.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4-853x280.png 853w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4-800x262.png 800w" sizes="auto, (max-width: 1710px) 100vw, 1710px" /></a><p id="caption-attachment-117627" class="wp-caption-text">First AmCache SHA-1 storage scenario</p></div>
<p>For the second scenario, we used the dd utility to extract the first 31 MB of the Velociraptor binary:</p>
<div id="attachment_117628" style="width: 1566px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117628" class="size-full wp-image-117628" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5.png" alt="Stripped binary" width="1556" height="375" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5.png 1556w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5-300x72.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5-1024x247.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5-768x185.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5-1536x370.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5-1452x350.png 1452w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5-740x178.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5-1162x280.png 1162w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5-800x193.png 800w" sizes="auto, (max-width: 1556px) 100vw, 1556px" /></a><p id="caption-attachment-117628" class="wp-caption-text">Stripped binary</p></div>
<p>When checking the Velociraptor entry on AmCache, we found that it indeed stored the SHA-1 hash calculated only for the first 31,457,280 bytes of the binary. Interestingly enough, the Size value represented the actual size of the original file. Thus, relying only on the file hash stored on AmCache for querying threat intelligence portals may be not enough when dealing with large files. So, we need to check if the file size in the record is bigger than 31,457,280 bytes before searching threat intelligence portals.</p>
<div id="attachment_117629" style="width: 1720px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117629" class="size-full wp-image-117629" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6.png" alt="Second AmCache SHA-1 storage scenario" width="1710" height="552" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6.png 1710w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6-300x97.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6-1024x331.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6-768x248.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6-1536x496.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6-1084x350.png 1084w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6-740x239.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6-867x280.png 867w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6-800x258.png 800w" sizes="auto, (max-width: 1710px) 100vw, 1710px" /></a><p id="caption-attachment-117629" class="wp-caption-text">Second AmCache SHA-1 storage scenario</p></div>
<p>Additionally, attackers may take advantage of this characteristic to purposely generate large malicious binaries. In this way, even if investigators find that a malware was executed/present on a Windows system, the actual SHA-1 hash of the binary will still be unknown, making it difficult to track it across the network and gathering it from public databases like VirusTotal.</p>
<h4 id="inventoryapplicationfile-use-case-example-finding-a-deleted-tool-that-was-used">InventoryApplicationFile – use case example: finding a deleted tool that was used</h4>
<p>Let’s suppose you are searching for a possible insider threat. The user denies having run any suspicious programs, and any suspicious software was securely erased from disk. But in the InventoryApplicationFile, you find a record of winscp.exe being present in the user’s Downloads folder. Even though the file is gone, this tells you the tool was on the machine and it was likely used to transfer files before being deleted. In our incident response practice, we have seen similar cases, where this key proved useful.</p>
<h3 id="inventoryapplication">InventoryApplication</h3>
<p>The <code>InventoryApplication</code> key records details about applications that were previously installed on the system. Unlike <code>InventoryApplicationFile</code>, which logs every executable encountered, <code>InventoryApplication</code> focuses on those with installation records. Each entry is named by its unique ProgramId, allowing straightforward linkage back to the corresponding InventoryApplicationFile key. Additionally, <code>InventoryApplication</code> has the following subkeys of interest:</p>
<ul>
<li><strong>InstallDate:</strong> a date‑time string indicating when the OS first recorded or recognized the application</li>
<li><strong>MsiInstallDate:</strong> present only if installed via Windows Installer (MSI); shows the exact time the MSI package was applied, sourced directly from the MSI metadata</li>
<li><strong>UninstallString:</strong> the exact command line used to remove the application</li>
<li><strong>Language:</strong> numeric locale identifier set by the developer (LCID)</li>
<li><strong>Publisher:</strong> the name of the software publisher or vendor</li>
<li><strong>ManifestPath:</strong> the file path to the installation manifest used by UWP or AppX/MSIX apps</li>
</ul>
<p>With a simple change to our parser, we can check the data contained in this key:</p><pre class="urvanov-syntax-highlighter-plain-tag"><...>
parent = subs.get("InventoryApplication")
<...></pre><p>
<div id="attachment_117630" style="width: 1355px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165005/amcache-forensic-artifact7.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117630" class="size-full wp-image-117630" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165005/amcache-forensic-artifact7.png" alt="InventoryApplication subkeys" width="1345" height="345" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165005/amcache-forensic-artifact7.png 1345w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165005/amcache-forensic-artifact7-300x77.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165005/amcache-forensic-artifact7-1024x263.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165005/amcache-forensic-artifact7-768x197.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165005/amcache-forensic-artifact7-740x190.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165005/amcache-forensic-artifact7-1092x280.png 1092w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165005/amcache-forensic-artifact7-800x205.png 800w" sizes="auto, (max-width: 1345px) 100vw, 1345px" /></a><p id="caption-attachment-117630" class="wp-caption-text">InventoryApplication subkeys</p></div>
<p>When a <code>ProgramId</code> appears both here and under <code>InventoryApplicationFile</code>, it confirms that the executable is not merely present or executed, but was formally installed. This distinction helps us separate ad-hoc copies or transient executions from installed software. The following figure shows the <code>ProgramId</code> of the WinRAR software under <code>InventoryApplicationFile</code>.</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165157/amcache-forensic-artifact8.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117631" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165157/amcache-forensic-artifact8.png" alt="" width="1434" height="480" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165157/amcache-forensic-artifact8.png 1434w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165157/amcache-forensic-artifact8-300x100.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165157/amcache-forensic-artifact8-1024x343.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165157/amcache-forensic-artifact8-768x257.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165157/amcache-forensic-artifact8-1046x350.png 1046w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165157/amcache-forensic-artifact8-740x248.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165157/amcache-forensic-artifact8-837x280.png 837w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165157/amcache-forensic-artifact8-800x268.png 800w" sizes="auto, (max-width: 1434px) 100vw, 1434px" /></a></p>
<p>When searching for the <code>ProgramId</code>, we find an exact match under <code>InventoryApplication</code>. This confirms that WinRAR was indeed installed on the system.</p>
<p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165257/amcache-forensic-artifact9.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117632" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165257/amcache-forensic-artifact9.png" alt="" width="1435" height="421" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165257/amcache-forensic-artifact9.png 1435w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165257/amcache-forensic-artifact9-300x88.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165257/amcache-forensic-artifact9-1024x300.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165257/amcache-forensic-artifact9-768x225.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165257/amcache-forensic-artifact9-1193x350.png 1193w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165257/amcache-forensic-artifact9-740x217.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165257/amcache-forensic-artifact9-954x280.png 954w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165257/amcache-forensic-artifact9-800x235.png 800w" sizes="auto, (max-width: 1435px) 100vw, 1435px" /></a></p>
<p>Another interesting detail about <code>InventoryApplication</code> is that it contains a subkey named <code>LastScanTime</code>, which is stored separately from <code>ProgramIds</code> and holds a value representing the last time the Microsoft Compatibility Appraiser ran. This is a scheduled task that launches the <code>compattelrunner.exe</code> binary, and the information in this key should only be updated when that task executes. As a result, software installed since the last run of the Appraiser may not appear here. The <code>LastScanTime</code> value is stored in <strong>Windows FileTime</strong> format.</p>
<div id="attachment_117633" style="width: 888px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165538/amcache-forensic-artifact10.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117633" class="size-full wp-image-117633" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165538/amcache-forensic-artifact10.png" alt="InventoryApplication LastScanTime information" width="878" height="118" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165538/amcache-forensic-artifact10.png 878w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165538/amcache-forensic-artifact10-300x40.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165538/amcache-forensic-artifact10-768x103.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165538/amcache-forensic-artifact10-740x99.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165538/amcache-forensic-artifact10-800x108.png 800w" sizes="auto, (max-width: 878px) 100vw, 878px" /></a><p id="caption-attachment-117633" class="wp-caption-text">InventoryApplication LastScanTime information</p></div>
<h4 id="inventoryapplication-use-case-example-spotting-remote-access-software">InventoryApplication – use case example: spotting remote access software</h4>
<p>Suppose that during an incident response engagement, you find an entry for AnyDesk in the InventoryApplication key (although the application is not installed anymore). This means that the attacker likely used it for remote access and then removed it to cover their tracks. Even if wiped from disk, this key proves it was present. We have seen this scenario in real-world cases more than once.</p>
<h3 id="inventorydriverbinary">InventoryDriverBinary</h3>
<p>The <code>InventoryDriverBinary</code> key records every kernel-mode driver that the system has loaded, providing the essential metadata needed to spot suspicious or malicious drivers. Under this key, each driver is captured in its own uniquely named subkey and includes:</p>
<ul>
<li><strong>FileID</strong>: the SHA-1 hash of the driver binary, with four zeroes appended to the beginning of the hash</li>
<li><strong>LowerCaseLongPath</strong>: the full lowercase file path to the driver on disk</li>
<li><strong>DigitalSignature</strong>: the code-signing certificate details. A valid, trusted signature helps confirm the driver’s authenticity</li>
<li><strong>LastModified</strong>: the file’s last modification timestamp from the filesystem metadata, revealing when the driver binary was most recently altered on disk</li>
</ul>
<p>Because Windows drivers run at the highest privilege level, they are frequently exploited by malware. For example, a previous study conducted by Kaspersky shows that attackers are <a href="https://securelist.com/av-killer-exploiting-throttlestop-sys/117026/" target="_blank" rel="noopener">exploiting vulnerable drivers for killing EDR processes</a>. When dealing with a cybersecurity incident, investigators correlate each driver’s cryptographic hash, file path, signature status, and modification timestamp. That can help in verifying if the binary matches a known, signed version, detecting any tampering by spotting unexpected modification dates, and flagging unsigned or anomalously named drivers for deeper analysis. Projects like <a href="https://www.loldrivers.io/" target="_blank" rel="noopener">LOLDrivers</a> help identify vulnerable drivers in use by attackers in the wild.</p>
<div id="attachment_117634" style="width: 1460px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165732/amcache-forensic-artifact11.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117634" class="size-full wp-image-117634" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165732/amcache-forensic-artifact11.png" alt="InventoryDriverBinary inspection" width="1450" height="533" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165732/amcache-forensic-artifact11.png 1450w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165732/amcache-forensic-artifact11-300x110.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165732/amcache-forensic-artifact11-1024x376.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165732/amcache-forensic-artifact11-768x282.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165732/amcache-forensic-artifact11-952x350.png 952w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165732/amcache-forensic-artifact11-740x272.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165732/amcache-forensic-artifact11-762x280.png 762w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165732/amcache-forensic-artifact11-800x294.png 800w" sizes="auto, (max-width: 1450px) 100vw, 1450px" /></a><p id="caption-attachment-117634" class="wp-caption-text">InventoryDriverBinary inspection</p></div>
<p>In addition to the <code>InventoryDriverBinary</code>, AmCache also provides the <code>InventoryApplicationDriver</code> key, which keeps track of all drivers that have been installed by specific applications. It includes two entries:</p>
<ul>
<li><strong>DriverServiceName</strong>, which identifies the name of the service linked to the installed driver; and</li>
<li><strong>ProgramIds</strong>, which lists the program identifiers (corresponding to the key names under <code>InventoryApplication</code>) that were responsible for installing the driver.</li>
</ul>
<p>As shown in the figure below, the <code>ProgramIds</code> key can be used to track the associated program that uses this driver:</p>
<div id="attachment_117635" style="width: 1565px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117635" class="size-full wp-image-117635" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12.png" alt="Checking program information by ProgramIds" width="1555" height="894" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12.png 1555w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12-300x172.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12-1024x589.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12-768x442.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12-1536x883.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12-609x350.png 609w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12-740x425.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12-487x280.png 487w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12-800x460.png 800w" sizes="auto, (max-width: 1555px) 100vw, 1555px" /></a><p id="caption-attachment-117635" class="wp-caption-text">Checking program information by ProgramIds</p></div>
<h4 id="inventorydriverbinary-use-case-example-catching-a-bad-driver">InventoryDriverBinary – use case example: catching a bad driver</h4>
<p>If the system was compromised through the abuse of a known vulnerable or malicious driver, you can use the <code>InventoryDriverBinary</code> registry key to confirm its presence. Even if the driver has been removed or hidden, remnants in this key can reveal that it was once loaded, which helps identify kernel-level compromises and supporting timeline reconstruction during the investigation. This is exactly how the <a href="https://securelist.com/av-killer-exploiting-throttlestop-sys/117026/" target="_blank" rel="noopener">AV Killer malware</a> was discovered.</p>
<h3 id="inventoryapplicationshortcut">InventoryApplicationShortcut</h3>
<p>This key contains entries for <code>.lnk</code> (shortcut) files that were present in folders like each user’s Start Menu or Desktop. Within each shortcut key, the ShortcutPath provides the absolute path to the LNK file at the moment of discovery. The <code>ShortcutTargetPath</code> shows where the shortcut pointed. We can also search for the <code>ProgramId</code> entry within the <code>InventoryApplication</code> key using the <code>ShortcutProgramId</code> (similar to what we did for drivers).</p>
<div id="attachment_117636" style="width: 1596px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170311/amcache-forensic-artifact13.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117636" class="size-full wp-image-117636" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170311/amcache-forensic-artifact13.png" alt="InventoryApplicationShortcut key" width="1586" height="306" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170311/amcache-forensic-artifact13.png 1586w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170311/amcache-forensic-artifact13-300x58.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170311/amcache-forensic-artifact13-1024x198.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170311/amcache-forensic-artifact13-768x148.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170311/amcache-forensic-artifact13-1536x296.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170311/amcache-forensic-artifact13-740x143.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170311/amcache-forensic-artifact13-1451x280.png 1451w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170311/amcache-forensic-artifact13-800x154.png 800w" sizes="auto, (max-width: 1586px) 100vw, 1586px" /></a><p id="caption-attachment-117636" class="wp-caption-text">InventoryApplicationShortcut key</p></div>
<h4 id="inventoryapplicationshortcut-use-case-example-confirming-use-of-a-removed-app">InventoryApplicationShortcut – use case example: confirming use of a removed app</h4>
<p>You find that a suspicious program was deleted from the computer, but the user claims they never ran it. The <code>InventoryApplicationShortcut</code> key shows a shortcut to that program was on their desktop and was accessed recently. With supplementary evidence, such as that from Prefetch analysis, you can confirm the execution of the software.</p>
<h2 id="amcache-key-comparison">AmCache key comparison</h2>
<p>The table below summarizes the information presented in the previous subsections, highlighting the main information about each AmCache key.</p>
<table>
<tbody>
<tr>
<td><strong>Key</strong></td>
<td><strong>Contains</strong></td>
<td><strong>Indicates execution?</strong></td>
</tr>
<tr>
<td>InventoryApplicationFile</td>
<td>Metadata for all executables seen on the system.</td>
<td>Possibly (presence = likely executed)</td>
</tr>
<tr>
<td>InventoryApplication</td>
<td>Metadata about formally installed software.</td>
<td>No (indicates installation, not necessarily execution)</td>
</tr>
<tr>
<td>InventoryDriverBinary</td>
<td>Metadata about loaded kernel-mode drivers.</td>
<td>Yes (driver was loaded into memory)</td>
</tr>
<tr>
<td>InventoryApplicationShortcut</td>
<td>Information about .lnk files.</td>
<td>Possibly (combine with other data for confirmation)</td>
</tr>
</tbody>
</table>
<h2 id="amcache-evilhunter">AmCache-EvilHunter</h2>
<p>Undoubtedly <code>Amcache.hve</code> is a very important forensic artifact. However, we could not find any tool that effectively parses its contents while providing threat intelligence for the analyst. With this in mind, we developed <a href="https://github.com/cristianzsh/amcache-evilhunter" target="_blank" rel="noopener">AmCache-EvilHunter</a> a command-line tool to parse and analyze Windows <code>Amcache.hve</code> registry hives, identify evidence of execution, suspicious executables, and integrate Kaspersky OpenTIP and VirusTotal lookups for enhanced threat intelligence.</p>
<p>AmCache-EvilHunter is capable of processing the <code>Amcache.hve</code> file and filter records by date range (with the options <code>--start</code> and <code>--end</code>). It is also possible to search records using keywords (<code>--search</code>), which is useful for searching for known naming conventions adopted by attackers. The results can be saved in CSV (<code>--csv</code>) or JSON (<code>--json</code>) formats.</p>
<p>The image below shows an example of execution of AmCache-EvilHunter with these basic options, by using the following command:</p><pre class="urvanov-syntax-highlighter-plain-tag">amcache-evilhunter -i Amcache.hve --start 2025-06-19 --end 2025-06-19 --csv output.csv</pre><p>
The output contains all applications that were present on the machine on June 19, 2025. The last column contains information whether the file is an operating system component, or not.</p>
<div id="attachment_117638" style="width: 1352px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213455/amcache-forensic-artifact14.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117638" class="size-full wp-image-117638" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213455/amcache-forensic-artifact14.png" alt="Basic usage of AmCache-EvilHunter" width="1342" height="370" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213455/amcache-forensic-artifact14.png 1342w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213455/amcache-forensic-artifact14-300x83.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213455/amcache-forensic-artifact14-1024x282.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213455/amcache-forensic-artifact14-768x212.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213455/amcache-forensic-artifact14-1269x350.png 1269w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213455/amcache-forensic-artifact14-740x204.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213455/amcache-forensic-artifact14-1016x280.png 1016w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213455/amcache-forensic-artifact14-800x221.png 800w" sizes="auto, (max-width: 1342px) 100vw, 1342px" /></a><p id="caption-attachment-117638" class="wp-caption-text">Basic usage of AmCache-EvilHunter</p></div>
<div id="attachment_117639" style="width: 1350px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213535/amcache-forensic-artifact15.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117639" class="size-full wp-image-117639" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213535/amcache-forensic-artifact15.png" alt="CSV result" width="1340" height="268" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213535/amcache-forensic-artifact15.png 1340w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213535/amcache-forensic-artifact15-300x60.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213535/amcache-forensic-artifact15-1024x205.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213535/amcache-forensic-artifact15-768x154.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213535/amcache-forensic-artifact15-740x148.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213535/amcache-forensic-artifact15-800x160.png 800w" sizes="auto, (max-width: 1340px) 100vw, 1340px" /></a><p id="caption-attachment-117639" class="wp-caption-text">CSV result</p></div>
<p>Analysts are often faced with a large volume of executables and artifacts. To narrow down the scope and reduce noise, the tool is able to search for known suspicious binaries with the <code>--find-suspicious option</code>. The patterns used by the tool include common malware names, Windows processes containing small typos (e.g., <code>scvhost.exe</code>), legitimate executables usually found in use during incidents, one-letter/one-digit file names (such as <code>1.exe</code>, <code>a.exe</code>), or random hex strings. The figure below shows the results obtained by using this option; as highlighted, one <code>svchost.exe</code> file is part of the operating system and the other is not, making it a good candidate for collection and analysis if not deleted.</p>
<div id="attachment_117640" style="width: 1351px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213814/amcache-forensic-artifact16.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117640" class="size-full wp-image-117640" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213814/amcache-forensic-artifact16.png" alt="Suspicious files identification" width="1341" height="235" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213814/amcache-forensic-artifact16.png 1341w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213814/amcache-forensic-artifact16-300x53.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213814/amcache-forensic-artifact16-1024x179.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213814/amcache-forensic-artifact16-768x135.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213814/amcache-forensic-artifact16-740x130.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213814/amcache-forensic-artifact16-800x140.png 800w" sizes="auto, (max-width: 1341px) 100vw, 1341px" /></a><p id="caption-attachment-117640" class="wp-caption-text">Suspicious files identification</p></div>
<p>Malicious files usually do not include any publisher information and are definitely not part of the default operating system. For this reason, AmCache-EvilHunter also ships with the <code>--missing-publisher</code> and <code>--exclude-os options</code>. These parameters allow for easy filtering of suspicious binaries and also allow fast threat intelligence gathering, which is crucial during an incident.</p>
<p>Another important feature that distinguishes our tool from other proposed approaches is that AmCache-EvilHunter can query Kaspersky OpenTIP (<code>--opentip</code> ) and VirusTotal (<code>--vt</code>) for hashes it identifies. In this way, analysts can rapidly gain insights into samples to decide whether they are going to proceed with a full analysis of the artifact or not.</p>
<div id="attachment_117641" style="width: 1349px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213952/amcache-forensic-artifact17.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117641" class="size-full wp-image-117641" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213952/amcache-forensic-artifact17.jpeg" alt="Threat intel lookup" width="1339" height="182" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213952/amcache-forensic-artifact17.jpeg 1339w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213952/amcache-forensic-artifact17-300x41.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213952/amcache-forensic-artifact17-1024x139.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213952/amcache-forensic-artifact17-768x104.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213952/amcache-forensic-artifact17-740x101.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213952/amcache-forensic-artifact17-800x109.jpeg 800w" sizes="auto, (max-width: 1339px) 100vw, 1339px" /></a><p id="caption-attachment-117641" class="wp-caption-text">Threat intel lookup</p></div>
<p>Binaries of the tool are available on <a href="https://github.com/cristianzsh/amcache-evilhunter/releases/" target="_blank" rel="noopener">our GitHub page</a> for both Linux and Windows systems.</p>
<h2 id="conclusion">Conclusion</h2>
<p><code>Amcache.hve</code> is a cornerstone of Windows forensics, capturing rich metadata, such as full paths, SHA-1 hashes, compilation timestamps, publisher and version details, for every executable that appears on a system. While it does not serve as a definitive execution log, its strength lies in documenting file presence and paths, making it invaluable for spotting anomalous binaries, verifying trustworthiness via hash lookups against threat‐intelligence feeds, and correlating <code>LinkDate</code> values with known attack campaigns.</p>
<p>To extract its full investigative potential, analysts should merge AmCache data with other artifacts (e.g., Prefetch, ShimCache, and Windows event logs) to confirm actual execution and build accurate timelines. Comparing <code>InventoryApplicationFile</code> entries against <code>InventoryApplication</code> reveals whether a file was merely dropped or formally installed, and identifying unexpected driver records can expose stealthy rootkits and persistence mechanisms. Leveraging parsers like AmCache-EvilHunter and cross-referencing against VirusTotal or proprietary threat databases allows IOC generation and robust incident response, making AmCache analysis a fundamental DFIR skill.</p>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/amcache-forensic-artifact/117622/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/01111328/SL-AmCache-forensic-artifact-featured.jpg" width="2000" height="955"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/01111328/SL-AmCache-forensic-artifact-featured-1024x489.jpg" width="1024" height="489"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/01111328/SL-AmCache-forensic-artifact-featured-300x143.jpg" width="300" height="143"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/01111328/SL-AmCache-forensic-artifact-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
<item>
<title>Massive npm infection: the Shai-Hulud worm and patient zero</title>
<link>https://securelist.com/shai-hulud-worm-infects-500-npm-packages-in-a-supply-chain-attack/117547/</link>
<comments>https://securelist.com/shai-hulud-worm-infects-500-npm-packages-in-a-supply-chain-attack/117547/#respond</comments>
<dc:creator><![CDATA[Vladimir Gursky, Dmitry Vinogradov]]></dc:creator>
<pubDate>Thu, 25 Sep 2025 10:00:12 +0000</pubDate>
<category><![CDATA[Incidents]]></category>
<category><![CDATA[Malware descriptions]]></category>
<category><![CDATA[Malware Technologies]]></category>
<category><![CDATA[Linux]]></category>
<category><![CDATA[Microsoft Windows]]></category>
<category><![CDATA[JavaScript]]></category>
<category><![CDATA[Apple MacOS]]></category>
<category><![CDATA[Malware Descriptions]]></category>
<category><![CDATA[Malware]]></category>
<category><![CDATA[Worm]]></category>
<category><![CDATA[Supply-chain attack]]></category>
<category><![CDATA[Data theft]]></category>
<category><![CDATA[Open source]]></category>
<category><![CDATA[GitHub]]></category>
<category><![CDATA[npm]]></category>
<category><![CDATA[Windows malware]]></category>
<category><![CDATA[Unix and macOS malware]]></category>
<category><![CDATA[Web threats]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117547</guid>
<description><![CDATA[We dissect a recent incident where npm packages with millions of downloads were infected by the Shai-Hulud worm. Kaspersky experts describe the starting point for the source of the infection.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/25072805/shai-hulud-featured-image-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
<p>The modern development world is almost entirely dependent on third-party modules. While this certainly speeds up development, it also creates a massive attack surface for end users, since anyone can create these components. It is no surprise that malicious modules are becoming more common. When a single maintainer account for popular modules or a single popular dependency is compromised, it can quickly turn into a <a href="https://securelist.com/ksb-story-of-the-year-2024/114883/" target="_blank" rel="noopener">supply chain attack</a>. Such compromises are now a frequent attack vector trending among threat actors. In the last month alone, there have been two major incidents that confirm this interest in creating malicious modules, dependencies, and packages. We have already discussed the <a href="https://www.kaspersky.com/blog/npm-packages-trojanized/54280/" target="_blank" rel="noopener">recent compromise</a> of popular npm packages. September 16, 2025 saw <a href="https://www.kaspersky.com/blog/tinycolor-shai-hulud-supply-chain-attack/54315/" target="_blank" rel="noopener">reports</a> of a new wave of npm package infections, caused by the self-propagating malware known as Shai-Hulud.</p>
<p>Shai-Hulud is designed to steal sensitive data, expose private repositories of organizations, and hijack victim credentials to infect other packages and spread on. Over 500 packages were infected in this incident, including one with more than two million weekly downloads. As a result, developers who integrated these malicious packages into their projects risk losing sensitive data, and their own libraries could become infected with Shai-Hulud. This self-propagating malware takes over accounts and steals secrets to create new infected modules, spreading the threat along the dependency chain.</p>
<h2 id="technical-details">Technical details</h2>
<p>The worm’s malicious code executes when an infected package is installed. It then publishes infected releases to all packages the victim has update permissions for.</p>
<p>Once the infected package is installed from the npm registry on the victim’s system, a special command is automatically executed. This command launches a malicious script over 3 MB in size named <code>bundle.js</code>, which contains several legitimate, open-source work modules.</p>
<p>Key modules within <code>bundle.js</code> include:</p>
<ul>
<li>Library for interacting with AWS cloud services</li>
<li>GCP module that retrieves metadata from the Google Cloud Platform environment</li>
<li>Functions for <a href="https://github.com/trufflesecurity/trufflehog" target="_blank" rel="noopener">TruffleHog</a>, a tool for scanning various data sources to find sensitive information, specifically secrets</li>
<li>Tool for interacting with the GitHub API</li>
</ul>
<p>The JavaScript file also contains network utilities for data transfer and the main operational module, Shai-Hulud.</p>
<p>The worm begins its malicious activity by collecting information about the victim’s operating system and checking for an npm token and authenticated GitHub user token in the environment. If a valid GitHub token is not present, <code>bundle.js</code> will terminate. A distinctive feature of Shai-Hulud is that most of its functionality is geared toward Linux and macOS systems: almost all malicious actions are performed exclusively on these systems, with the exception of using TruffleHog to find secrets.</p>
<h3 id="exfiltrating-secrets">Exfiltrating secrets</h3>
<p>After passing the checks, the malware uses the token mentioned earlier to get information about the current GitHub user. It then runs the <code>extraction</code> function, which creates a temporary executable bash script at <code>/tmp/processor.sh</code> and runs it as a separate process, passing the token as an argument. Below is the <code>extraction</code> function, with strings and variable names modified for readability since the original source code was illegible.</p>
<div id="attachment_117553" style="width: 560px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155009/shai-hulud1.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117553" class="size-full wp-image-117553" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155009/shai-hulud1.png" alt="The extraction function, formatted for readability" width="550" height="533" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155009/shai-hulud1.png 550w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155009/shai-hulud1-300x291.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155009/shai-hulud1-361x350.png 361w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155009/shai-hulud1-289x280.png 289w" sizes="auto, (max-width: 550px) 100vw, 550px" /></a><p id="caption-attachment-117553" class="wp-caption-text">The extraction function, formatted for readability</p></div>
<p>The bash script is designed to communicate with the GitHub API and collect secrets from the victim’s repository in an unconventional way. First, the script checks if the token has the necessary permissions to create branches and work with GitHub Actions. If it does, the script gets a list of all the repositories the user can access from 2025. In each of these, it creates a new branch named <code>shai-hulud</code> and uploads a <code>shai-hulud-workflow.yml</code> <a href="https://docs.github.com/en/actions/concepts/workflows-and-actions/workflows" target="_blank" rel="noopener">workflow</a>, which is a configuration file for describing GitHub Actions workflows. These files are automation scripts that are triggered in GitHub Actions whenever changes are made to a repository. The Shai-Hulud workflow activates on every push.</p>
<div id="attachment_117554" style="width: 694px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155101/shai-hulud2.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117554" class="size-full wp-image-117554" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155101/shai-hulud2.png" alt="The malicious workflow configuration" width="684" height="233" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155101/shai-hulud2.png 684w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155101/shai-hulud2-300x102.png 300w" sizes="auto, (max-width: 684px) 100vw, 684px" /></a><p id="caption-attachment-117554" class="wp-caption-text">The malicious workflow configuration</p></div>
<p>This file collects secrets from the victim’s repositories and forwards them to the attackers’ server. Before being sent, the confidential data is encoded twice with Base64.</p>
<p>This unusual method for data collection is designed for a one-time extraction of secrets from a user’s repositories. However, it poses a threat not only to Shai-Hulud victims but also to ordinary researchers. If you search for “shai-hulud” on GitHub, you will find numerous repositories that have been compromised by the worm.</p>
<div id="attachment_117555" style="width: 1160px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155148/shai-hulud3.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117555" class="size-full wp-image-117555" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155148/shai-hulud3.png" alt="Open GitHub repositories compromised by Shai-Hulud" width="1150" height="756" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155148/shai-hulud3.png 1150w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155148/shai-hulud3-300x197.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155148/shai-hulud3-1024x673.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155148/shai-hulud3-768x505.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155148/shai-hulud3-532x350.png 532w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155148/shai-hulud3-740x486.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155148/shai-hulud3-426x280.png 426w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155148/shai-hulud3-800x526.png 800w" sizes="auto, (max-width: 1150px) 100vw, 1150px" /></a><p id="caption-attachment-117555" class="wp-caption-text">Open GitHub repositories compromised by Shai-Hulud</p></div>
<p>The main <code>bundle.js</code> script then requests a list of all organizations associated with the victim and runs the migration function for each one. This function also runs a bash script, but in this case, it saves it to <code>/tmp/migrate-repos.sh</code>, passing the organization name, username, and token as parameters for further malicious activity.</p>
<p>The bash script automates the migration of all private and internal repositories from the specified GitHub organization to the user’s account, making them public. The script also uses the GitHub API to copy the contents of the private repositories as <a href="https://docs.github.com/en/repositories/creating-and-managing-repositories/duplicating-a-repository" target="_blank" rel="noopener">mirrors</a>.</p>
<p>We believe these actions are intended for the automated theft of source code from the private repositories of popular communities and organizations. For example, the well-known company CrowdStrike was caught in this wave of infections.</p>
<h3 id="the-worms-self-replication">The worm’s self-replication</h3>
<p>After running operations on the victim’s GitHub, the main <code>bundle.js</code> script moves on to its next crucial stage: self-replication. First, the script gets a list of the victim’s 20 most downloaded packages. To do this, it performs a search query with the username from the previously obtained npm token:</p><pre class="urvanov-syntax-highlighter-plain-tag">https://registry.npmjs.org/-/v1/search?text=maintainer:{%user_details%}&size=20</pre><p> </p>
<p>Next, for each of the packages it finds, it calls the <code>updatePackage</code> function. This function first attempts to download the tarball version of the package (a <code>.TAR</code> archive). If it exists, a temporary directory named <code>npm-update-{target_package_name}</code> is created. The tarball version of the package is saved there as <code>package.tgz</code>, then unpacked and modified as follows:</p>
<ul>
<li>The malicious <code>bundle.js</code> is added to the original package.</li>
<li>A postinstall command is added to the <code>package.json</code> file (which is used in Node.js projects to manage dependencies and project metadata). This command is configured to execute the malicious script via <code>node bundle.js</code>.</li>
<li>The package version number is incremented by 1.</li>
</ul>
<p>The modified package is then re-packed and published to npm as a new version with the <code>npm publish</code> command. After this, the temporary directory for the package is cleared.</p>
<div id="attachment_117556" style="width: 687px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155303/shai-hulud4.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117556" class="size-full wp-image-117556" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155303/shai-hulud4.png" alt="The updatePackage function, formatted for readability" width="677" height="771" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155303/shai-hulud4.png 677w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155303/shai-hulud4-263x300.png 263w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155303/shai-hulud4-307x350.png 307w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155303/shai-hulud4-246x280.png 246w" sizes="auto, (max-width: 677px) 100vw, 677px" /></a><p id="caption-attachment-117556" class="wp-caption-text">The updatePackage function, formatted for readability</p></div>
<h3 id="uploading-secrets-to-github">Uploading secrets to GitHub</h3>
<p>Next, the worm uses the previously mentioned TruffleHog utility to harvest secrets from the target system. It downloads the latest version of the utility from the original repository for the specific operating system type using the following link:</p><pre class="urvanov-syntax-highlighter-plain-tag">https://github.com/trufflesecurity/trufflehog/releases/download/{utility version}/{OS-specific file}</pre><p> </p>
<p>The worm also uses modules for AWS and Google Cloud Platform (GCP) to scan for secrets. The script then aggregates the collected data into a single object and creates a repository named “Shai-Hulud” in the victim’s profile. It then uploads the collected information to this repository as a <code>data.json</code> file.</p>
<p>Below is a list of data formats collected from the victim’s system and uploaded to GitHub:</p><pre class="urvanov-syntax-highlighter-plain-tag">{
"application": {
"name": "",
"version": "",
"description": ""
},
"system": {
"platform": "",
"architecture": "",
"platformDetailed": "",
"architectureDetailed": ""
},
"runtime": {
"nodeVersion": "",
"platform": "",
"architecture": "",
"timestamp": ""
},
"environment": {
},
"modules": {
"github": {
"authenticated": false,
"token": "",
"username": {}
},
"aws": {
"secrets": []
},
"gcp": {
"secrets": []
},
"truffleHog": {
"available": false,
"installed": false,
"version": "",
"platform": "",
"results": [
{}
]
},
"npm": {
"token": "",
"authenticated": true,
"username": ""
}
}
}</pre><p>
<h3 id="infection-characteristics">Infection characteristics</h3>
<p>A distinctive characteristic of the modified packages is that they contain an archive named <code>package.tar</code>. This is worth noting because packages usually contain an archive with a name that matches the package itself.</p>
<p>Through our research, we were able to identify the first package from which Shai-Hulud began to spread, thanks to a key difference. As we mentioned earlier, after infection, a postinstall command to execute the malicious script, <code>node bundle.js</code>, is written to the <code>package.json</code> file. This command typically runs immediately after installation. However, we discovered that one of the infected packages listed the same command as a preinstall command, meaning it ran before the installation. This package was <strong>ngx-bootstrap version 18.1.4</strong>. We believe this was the starting point for the spread of this infection. This hypothesis is further supported by the fact that the archive name in the first infected version of this package differed from the name characteristic of later infected packages (<code>package.tar</code>).</p>
<p>While investigating different packages, we noticed that in some cases, a single package contained multiple versions with malicious code. This was likely possible because the infection spread to all maintainers and contributors of packages, and the malicious code was then introduced from each of their accounts.</p>
<h2 id="infected-libraries-and-crowdstrike">Infected libraries and CrowdStrike</h2>
<p>The rapidly spreading Shai-Hulud worm has infected many popular libraries that organizations and developers use daily. Shai-Hulud has infected over 500 popular packages in recent days, including libraries from the well-known company CrowdStrike.<br />
Among the infected libraries were the following:</p>
<ul>
<li>@crowdstrike/commitlint versions 8.1.1, 8.1.2</li>
<li>@crowdstrike/falcon-shoelace versions 0.4.1, 0.4.2</li>
<li>@crowdstrike/foundry-js versions 0.19.1, 0.19.2</li>
<li>@crowdstrike/glide-core versions 0.34.2, 0.34.3</li>
<li>@crowdstrike/logscale-dashboard versions 1.205.1, 1.205.2</li>
<li>@crowdstrike/logscale-file-editor versions 1.205.1, 1.205.2</li>
<li>@crowdstrike/logscale-parser-edit versions 1.205.1, 1.205.2</li>
<li>@crowdstrike/logscale-search versions 1.205.1, 1.205.2</li>
<li>@crowdstrike/tailwind-toucan-base versions 5.0.1, 5.0.2</li>
</ul>
<p>But the event that has drawn significant attention to this spreading threat was the infection of the @ctrl/tinycolor library, which is downloaded by over two million users every week.</p>
<p>As mentioned above, the malicious script exposes an organization’s private repositories, posing a serious threat to their owners, as this creates a risk of exposing the source code of their libraries and products, among other things, and leading to an even greater loss of data.</p>
<h2 id="prevention-and-protection">Prevention and protection</h2>
<p>To protect against this type of infection, we recommend using a specialized solution for monitoring open-source components. Kaspersky maintains a <a href="https://www.kaspersky.com/open-source-feed?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______9cfe10194bda62de" target="_blank" rel="noopener">continuous feed of compromised packages and libraries</a>, which can be used to secure your supply chain and protect development from similar threats.</p>
<p>For personal devices, we recommend <a href="https://www.kaspersky.com/premium?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___kprem____311534b86c615e6e" target="_blank" rel="noopener">Kaspersky Premium</a>, which provides multi-layered protection to prevent and neutralize infection threats. Our solution can also restore the device’s functionality if it’s infected with malware.</p>
<p>For corporate devices, we advise implementing a comprehensive solution like <a href="https://www.kaspersky.com/enterprise-security/xdr?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___xdr____33801aaaec3e63b3" target="_blank" rel="noopener">Kaspersky Next</a>, which allows you to build a flexible and effective security system. This product line provides threat visibility and real-time protection, as well as EDR and XDR capabilities for investigation and response. It is suitable for organizations of any scale or industry.</p>
<p>Kaspersky products detect the Shai-Hulud threat as <code>HEUR:Worm.Script.Shulud.gen</code>.</p>
<p>In the event of a Shai-Hulud infection, and as a proactive response to the spreading threat, we recommend taking the following measures across your systems and infrastructure:</p>
<ul>
<li>Use a reliable security solution to conduct a full system scan.</li>
<li>Audit your GitHub repositories:</li>
<ul>
<li>Check for repositories named <code>shai-hulud</code>.</li>
<li>Look for non-trivial or unknown branches, pull requests, and files.</li>
<li>Audit GitHub Actions logs for strings containing <code>shai-hulud</code>.</li>
</ul>
<li>Reissue npm and GitHub tokens, cloud keys (specifically for AWS and Google Cloud Platform), and rotate other secrets.</li>
<li>Clear the cache and inventory your npm modules: check for malicious ones and roll back versions to clean ones.</li>
<li>Check for indicators of compromise, such as files in the system or network artifacts.</li>
</ul>
<h2 id="indicators-of-compromise">Indicators of compromise</h2>
<p><strong>Files:</strong><br />
bundle.js<br />
shai-hulud-workflow.yml</p>
<p><strong>Strings:</strong><br />
shai-hulud</p>
<p><strong>Hashes:</strong><br />
<a href="https://opentip.kaspersky.com/c96fbbe010dd4c5bfb801780856ec228/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______b82fb35982be9fef&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">C96FBBE010DD4C5BFB801780856EC228</a><br />
<a href="https://opentip.kaspersky.com/78e701f42b76ccde3f2678e548886860/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______2bd661a09cbb2bbb&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">78E701F42B76CCDE3F2678E548886860</a></p>
<p><strong>Network artifacts:</strong><br />
<a href="https://opentip.kaspersky.com/https%3a%2f%2fwebhook.site%2fbb8ca5f6-4175-45d2-b042-fc9ebb8170b7/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______9bd279cc4ffc602e&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7</a></p>
<p><strong>Compromised packages:</strong><br />
@ahmedhfarag/ngx-perfect-scrollbar<br />
@ahmedhfarag/ngx-virtual-scroller<br />
@art-ws/common<br />
@art-ws/config-eslint<br />
@art-ws/config-ts<br />
@art-ws/db-context<br />
@art-ws/di<br />
@art-ws/di-node<br />
@art-ws/eslint<br />
@art-ws/fastify-http-server<br />
@art-ws/http-server<br />
@art-ws/openapi<br />
@art-ws/package-base<br />
@art-ws/prettier<br />
@art-ws/slf<br />
@art-ws/ssl-info<br />
@art-ws/web-app<br />
@basic-ui-components-stc/basic-ui-components<br />
@crowdstrike/commitlint<br />
@crowdstrike/falcon-shoelace<br />
@crowdstrike/foundry-js<br />
@crowdstrike/glide-core<br />
@crowdstrike/logscale-dashboard<br />
@crowdstrike/logscale-file-editor<br />
@crowdstrike/logscale-parser-edit<br />
@crowdstrike/logscale-search<br />
@crowdstrike/tailwind-toucan-base<br />
@ctrl/deluge<br />
@ctrl/golang-template<br />
@ctrl/magnet-link<br />
@ctrl/ngx-codemirror<br />
@ctrl/ngx-csv<br />
@ctrl/ngx-emoji-mart<br />
@ctrl/ngx-rightclick<br />
@ctrl/qbittorrent<br />
@ctrl/react-adsense<br />
@ctrl/shared-torrent<br />
@ctrl/tinycolor<br />
@ctrl/torrent-file<br />
@ctrl/transmission<br />
@ctrl/ts-base32<br />
@nativescript-community/arraybuffers<br />
@nativescript-community/gesturehandler<br />
@nativescript-community/perms<br />
@nativescript-community/sentry<br />
@nativescript-community/sqlite<br />
@nativescript-community/text<br />
@nativescript-community/typeorm<br />
@nativescript-community/ui-collectionview<br />
@nativescript-community/ui-document-picker<br />
@nativescript-community/ui-drawer<br />
@nativescript-community/ui-image<br />
@nativescript-community/ui-label<br />
@nativescript-community/ui-material-bottom-navigation<br />
@nativescript-community/ui-material-bottomsheet<br />
@nativescript-community/ui-material-core<br />
@nativescript-community/ui-material-core-tabs<br />
@nativescript-community/ui-material-ripple<br />
@nativescript-community/ui-material-tabs<br />
@nativescript-community/ui-pager<br />
@nativescript-community/ui-pulltorefresh<br />
@nstudio/angular<br />
@nstudio/focus<br />
@nstudio/nativescript-checkbox<br />
@nstudio/nativescript-loading-indicator<br />
@nstudio/ui-collectionview<br />
@nstudio/web<br />
@nstudio/web-angular<br />
@nstudio/xplat<br />
@nstudio/xplat-utils<br />
@operato/board<br />
@operato/data-grist<br />
@operato/graphql<br />
@operato/headroom<br />
@operato/help<br />
@operato/i18n<br />
@operato/input<br />
@operato/layout<br />
@operato/popup<br />
@operato/pull-to-refresh<br />
@operato/shell<br />
@operato/styles<br />
@operato/utils<br />
@teselagen/bio-parsers<br />
@teselagen/bounce-loader<br />
@teselagen/file-utils<br />
@teselagen/liquibase-tools<br />
@teselagen/ove<br />
@teselagen/range-utils<br />
@teselagen/react-list<br />
@teselagen/react-table<br />
@teselagen/sequence-utils<br />
@teselagen/ui<br />
@thangved/callback-window<br />
@things-factory/attachment-base<br />
@things-factory/auth-base<br />
@things-factory/email-base<br />
@things-factory/env<br />
@things-factory/integration-base<br />
@things-factory/integration-marketplace<br />
@things-factory/shell<br />
@tnf-dev/api<br />
@tnf-dev/core<br />
@tnf-dev/js<br />
@tnf-dev/mui<br />
@tnf-dev/react<br />
@ui-ux-gang/devextreme-angular-rpk<br />
@ui-ux-gang/devextreme-rpk<br />
@yoobic/design-system<br />
@yoobic/jpeg-camera-es6<br />
@yoobic/yobi<br />
ace-colorpicker-rpk<br />
airchief<br />
airpilot<br />
angulartics2<br />
another-shai<br />
browser-webdriver-downloader<br />
capacitor-notificationhandler<br />
capacitor-plugin-healthapp<br />
capacitor-plugin-ihealth<br />
capacitor-plugin-vonage<br />
capacitorandroidpermissions<br />
config-cordova<br />
cordova-plugin-voxeet2<br />
cordova-voxeet<br />
create-hest-app<br />
db-evo<br />
devextreme-angular-rpk<br />
devextreme-rpk<br />
ember-browser-services<br />
ember-headless-form<br />
ember-headless-form-yup<br />
ember-headless-table<br />
ember-url-hash-polyfill<br />
ember-velcro<br />
encounter-playground<br />
eslint-config-crowdstrike<br />
eslint-config-crowdstrike-node<br />
eslint-config-teselagen<br />
globalize-rpk<br />
graphql-sequelize-teselagen<br />
json-rules-engine-simplified<br />
jumpgate<br />
koa2-swagger-ui<br />
mcfly-semantic-release<br />
mcp-knowledge-base<br />
mcp-knowledge-graph<br />
mobioffice-cli<br />
monorepo-next<br />
mstate-angular<br />
mstate-cli<br />
mstate-dev-react<br />
mstate-react<br />
ng-imports-checker<br />
ng2-file-upload<br />
ngx-bootstrap<br />
ngx-color<br />
ngx-toastr<br />
ngx-trend<br />
ngx-ws<br />
oradm-to-gql<br />
oradm-to-sqlz<br />
ove-auto-annotate<br />
pm2-gelf-json<br />
printjs-rpk<br />
react-complaint-image<br />
react-jsonschema-form-conditionals<br />
react-jsonschema-form-extras<br />
react-jsonschema-rxnt-extras<br />
remark-preset-lint-crowdstrike<br />
rxnt-authentication<br />
rxnt-healthchecks-nestjs<br />
rxnt-kue<br />
swc-plugin-component-annotate<br />
tbssnch<br />
teselagen-interval-tree<br />
tg-client-query-builder<br />
tg-redbird<br />
tg-seq-gen<br />
thangved-react-grid<br />
ts-gaussian<br />
ts-imports<br />
tvi-cli<br />
ve-bamreader<br />
ve-editor<br />
verror-extra<br />
voip-callkit<br />
wdio-web-reporter<br />
yargs-help-output<br />
yoo-styles</p>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/shai-hulud-worm-infects-500-npm-packages-in-a-supply-chain-attack/117547/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/25072805/shai-hulud-featured-image.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/25072805/shai-hulud-featured-image-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/25072805/shai-hulud-featured-image-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/25072805/shai-hulud-featured-image-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
<item>
<title>Threat landscape for industrial automation systems in Q2 2025</title>
<link>https://securelist.com/industrial-threat-report-q2-2025/117532/</link>
<comments>https://securelist.com/industrial-threat-report-q2-2025/117532/#respond</comments>
<dc:creator><![CDATA[Kaspersky ICS CERT]]></dc:creator>
<pubDate>Fri, 19 Sep 2025 10:00:56 +0000</pubDate>
<category><![CDATA[Industrial threats]]></category>
<category><![CDATA[Malware Statistics]]></category>
<category><![CDATA[Industrial control systems]]></category>
<category><![CDATA[Ransomware]]></category>
<category><![CDATA[Spyware]]></category>
<category><![CDATA[Malware]]></category>
<category><![CDATA[Worm]]></category>
<category><![CDATA[Miner]]></category>
<category><![CDATA[Virus]]></category>
<category><![CDATA[Industrial threats]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117532</guid>
<description><![CDATA[Kaspersky industrial threat report contains statistics on various malicious objects detected and blocked on ICS computers by Kaspersky solutions in Q2 2025.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/19094238/SL-ICS-CERT-Q2-2025-report-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="statistics-across-all-threats">Statistics across all threats</h2>
<p>In Q2 2025, the percentage of ICS computers on which malicious objects were blocked decreased by 1.4 pp from the previous quarter to 20.5%.</p>
<div id="attachment_117533" style="width: 897px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18122930/report-q2-20251.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117533" class="size-full wp-image-117533" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18122930/report-q2-20251.png" alt="Percentage of ICS computers on which malicious objects were blocked, Q2 2022–Q2 2025" width="887" height="331" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18122930/report-q2-20251.png 887w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18122930/report-q2-20251-300x112.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18122930/report-q2-20251-768x287.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18122930/report-q2-20251-740x276.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18122930/report-q2-20251-750x280.png 750w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18122930/report-q2-20251-800x299.png 800w" sizes="auto, (max-width: 887px) 100vw, 887px" /></a><p id="caption-attachment-117533" class="wp-caption-text">Percentage of ICS computers on which malicious objects were blocked, Q2 2022–Q2 2025</p></div>
<p>Compared to Q2 2024, the rate decreased by 3.0 pp.</p>
<p>Regionally, the percentage of ICS computers on which malicious objects were blocked ranged from 11.2% in Northern Europe to 27.8% in Africa.</p>
<div id="attachment_117534" style="width: 882px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123104/report-q2-20252.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117534" class="size-full wp-image-117534" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123104/report-q2-20252.png" alt="Regions ranked by percentage of ICS computers on which malicious objects were blocked" width="872" height="1076" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123104/report-q2-20252.png 872w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123104/report-q2-20252-243x300.png 243w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123104/report-q2-20252-830x1024.png 830w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123104/report-q2-20252-768x948.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123104/report-q2-20252-284x350.png 284w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123104/report-q2-20252-740x913.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123104/report-q2-20252-227x280.png 227w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123104/report-q2-20252-729x900.png 729w" sizes="auto, (max-width: 872px) 100vw, 872px" /></a><p id="caption-attachment-117534" class="wp-caption-text">Regions ranked by percentage of ICS computers on which malicious objects were blocked</p></div>
<p>In most of the regions surveyed in this report, the figures decreased from the previous quarter. They increased only in Australia and New Zealand, as well as Northern Europe.</p>
<div id="attachment_117535" style="width: 886px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123404/report-q2-20253.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117535" class="size-full wp-image-117535" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123404/report-q2-20253.png" alt="Changes in percentage of ICS computers on which malicious objects were blocked, Q2 2025" width="876" height="568" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123404/report-q2-20253.png 876w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123404/report-q2-20253-300x195.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123404/report-q2-20253-768x498.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123404/report-q2-20253-540x350.png 540w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123404/report-q2-20253-740x480.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123404/report-q2-20253-432x280.png 432w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123404/report-q2-20253-800x519.png 800w" sizes="auto, (max-width: 876px) 100vw, 876px" /></a><p id="caption-attachment-117535" class="wp-caption-text">Changes in percentage of ICS computers on which malicious objects were blocked, Q2 2025</p></div>
<h2 id="selected-industries">Selected industries</h2>
<p>The biometrics sector led the ranking of the industries and OT infrastructures surveyed in this report in terms of the percentage of ICS computers on which malicious objects were blocked.</p>
<div id="attachment_117536" style="width: 892px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123539/report-q2-20254.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117536" class="size-full wp-image-117536" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123539/report-q2-20254.png" alt="Ranking of industries and OT infrastructures by percentage of ICS computers on which malicious objects were blocked" width="882" height="733" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123539/report-q2-20254.png 882w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123539/report-q2-20254-300x249.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123539/report-q2-20254-768x638.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123539/report-q2-20254-421x350.png 421w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123539/report-q2-20254-740x615.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123539/report-q2-20254-337x280.png 337w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123539/report-q2-20254-800x665.png 800w" sizes="auto, (max-width: 882px) 100vw, 882px" /></a><p id="caption-attachment-117536" class="wp-caption-text">Ranking of industries and OT infrastructures by percentage of ICS computers on which malicious objects were blocked</p></div>
<p>In Q2 2025, the percentage of ICS computers on which malicious objects were blocked decreased across all industries.</p>
<div id="attachment_117537" style="width: 1057px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123627/report-q2-20255.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117537" class="size-full wp-image-117537" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123627/report-q2-20255.png" alt="Percentage of ICS computers on which malicious objects were blocked in selected industries" width="1047" height="481" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123627/report-q2-20255.png 1047w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123627/report-q2-20255-300x138.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123627/report-q2-20255-1024x470.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123627/report-q2-20255-768x353.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123627/report-q2-20255-762x350.png 762w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123627/report-q2-20255-740x340.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123627/report-q2-20255-609x280.png 609w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123627/report-q2-20255-800x368.png 800w" sizes="auto, (max-width: 1047px) 100vw, 1047px" /></a><p id="caption-attachment-117537" class="wp-caption-text">Percentage of ICS computers on which malicious objects were blocked in selected industries</p></div>
<h2 id="diversity-of-detected-malicious-objects">Diversity of detected malicious objects</h2>
<p>In Q2 2025, Kaspersky security solutions blocked malware from 10,408 different malware families from various categories on industrial automation systems.</p>
<div id="attachment_117538" style="width: 1063px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123820/report-q2-20256.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117538" class="size-full wp-image-117538" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123820/report-q2-20256.png" alt="Percentage of ICS computers on which the activity of malicious objects from various categories was blocked" width="1053" height="841" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123820/report-q2-20256.png 1053w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123820/report-q2-20256-300x240.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123820/report-q2-20256-1024x818.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123820/report-q2-20256-768x613.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123820/report-q2-20256-500x400.png 500w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123820/report-q2-20256-438x350.png 438w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123820/report-q2-20256-740x591.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123820/report-q2-20256-351x280.png 351w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123820/report-q2-20256-800x639.png 800w" sizes="auto, (max-width: 1053px) 100vw, 1053px" /></a><p id="caption-attachment-117538" class="wp-caption-text">Percentage of ICS computers on which the activity of malicious objects from various categories was blocked</p></div>
<p>The only increases were in the percentages of ICS computers on which denylisted internet resources (1.2 times more than in the previous quarter) and malicious documents (1.1 times more) were blocked.</p>
<h2 id="main-threat-sources">Main threat sources</h2>
<p>Depending on the threat detection and blocking scenario, it is not always possible to reliably identify the source. The circumstantial evidence for a specific source can be the blocked threat’s type (category).</p>
<p>The internet (visiting malicious or compromised internet resources; malicious content distributed via messengers; cloud data storage and processing services and CDNs), email clients (phishing emails), and removable storage devices remain the primary sources of threats to computers in an organization’s technology infrastructure.</p>
<p>In Q2 2025, the percentage of ICS computers on which threats from email clients were blocked continued to increase. The main categories of threats from email clients blocked on ICS computers are malicious documents, spyware, malicious scripts and phishing pages. The indicator increased in all regions except Russia. By contrast, the global average for other threat sources decreased. Moreover, the rates reached their lowest levels since Q2 2022.</p>
<div id="attachment_117539" style="width: 927px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123941/report-q2-20257.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117539" class="size-full wp-image-117539" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123941/report-q2-20257.png" alt="Percentage of ICS computers on which malicious objects from various sources were blocked" width="917" height="389" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123941/report-q2-20257.png 917w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123941/report-q2-20257-300x127.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123941/report-q2-20257-768x326.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123941/report-q2-20257-825x350.png 825w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123941/report-q2-20257-740x314.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123941/report-q2-20257-660x280.png 660w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18123941/report-q2-20257-800x339.png 800w" sizes="auto, (max-width: 917px) 100vw, 917px" /></a><p id="caption-attachment-117539" class="wp-caption-text">Percentage of ICS computers on which malicious objects from various sources were blocked</p></div>
<p>The same computer can be attacked by several categories of malware from the same source during a quarter. That computer is counted when calculating the percentage of attacked computers for each threat category, but is only counted once for the threat source (we count unique attacked computers). In addition, it is not always possible to accurately determine the initial infection attempt. Therefore, the total percentage of ICS computers on which various categories of threats from a certain source were blocked exceeds the percentage of threats from the source itself.</p>
<p>The rates for all threat sources varied across the monitored regions.</p>
<ul>
<li>The percentage of ICS computers on which threats from the internet were blocked ranged from 6.35% in East Asia to 11.88% in Africa</li>
<li>The percentage of ICS computers on which threats from email clients were blocked ranged from 0.80% in Russia to 7.23% in Southern Europe</li>
<li>The percentage of ICS computers on which threats from removable media were blocked ranged from 0.04% in Australia and New Zealand to 1.77% in Africa</li>
<li>The percentage of ICS computers on which threats from network folders were blocked ranged from 0.01% in Northern Europe to 0.25% in East Asia</li>
</ul>
<h2 id="threat-categories">Threat categories</h2>
<p>A typical attack blocked within an OT network is a multi-stage process, where each subsequent step by the attackers is aimed at increasing privileges and gaining access to other systems by exploiting the security problems of industrial enterprises, including technological infrastructures.</p>
<p>It is worth noting that during the attack, intruders often repeat the same steps (TTPs), especially when they use malicious scripts and established communication channels with the management and control infrastructure (C2) to move laterally within the network and advance the attack.</p>
<h3 id="malicious-objects-used-for-initial-infection">Malicious objects used for initial infection</h3>
<p>In Q2 2025, the percentage of ICS computers on which denylisted internet resources were blocked increased to 5.91%.</p>
<div id="attachment_117540" style="width: 896px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18124057/report-q2-20258.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117540" class="size-full wp-image-117540" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18124057/report-q2-20258.png" alt="Percentage of ICS computers on which denylisted internet resources were blocked, Q2 2022–Q2 2025" width="886" height="393" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18124057/report-q2-20258.png 886w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18124057/report-q2-20258-300x133.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18124057/report-q2-20258-768x341.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18124057/report-q2-20258-789x350.png 789w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18124057/report-q2-20258-740x328.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18124057/report-q2-20258-631x280.png 631w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/18124057/report-q2-20258-800x355.png 800w" sizes="auto, (max-width: 886px) 100vw, 886px" /></a><p id="caption-attachment-117540" class="wp-caption-text">Percentage of ICS computers on which denylisted internet resources were blocked, Q2 2022–Q2 2025</p></div>
<p>The percentage of ICS computers on which denylisted internet resources were blocked ranged from 3.28% in East Asia to 6.98% in Africa. Russia and Eastern Europe were also among the top three regions for this indicator. It increased in all regions and this growth is associated with the addition of direct links to malicious code hosted on popular public websites and file-sharing services.</p>
<p>The percentage of ICS computers on which malicious documents were blocked has grown for two consecutive quarters. The rate reached 1.97% (up 0.12 pp) and returned to the level seen in Q3 2024. The percentage increased in all regions except Latin America.<br />
The percentage of ICS computers on which malicious scripts and phishing pages were blocked decreased to 6.49% (down 0.67 pp).</p>
<h3 id="next-stage-malware">Next-stage malware</h3>
<p>Malicious objects used to initially infect computers deliver next-stage malware (spyware, ransomware, and miners) to victims’ computers. As a rule, the higher the percentage of ICS computers on which the initial infection malware is blocked, the higher the percentage for next-stage malware.</p>
<p>In Q2 2025, the percentage of ICS computers on which malicious objects from all categories were blocked decreased. The rates are:</p>
<ul>
<li>Spyware: 3.84% (down 0.36 pp);</li>
<li>Ransomware: 0.14% (down 0.02 pp);</li>
<li>Miners in the form of executable files for Windows: 0.63% (down 0.15 pp);</li>
<li>Web miners: 0.30% (down 0.23 pp), its lowest level since Q2 2022.</li>
</ul>
<h3 id="self-propagating-malware">Self-propagating malware</h3>
<p>Self-propagating malware (worms and viruses) is a category unto itself. Worms and virus-infected files were originally used for initial infection, but as botnet functionality evolved, they took on next-stage characteristics.</p>
<p>To spread across ICS networks, viruses and worms rely on removable media, network folders, infected files including backups, and network attacks on outdated software such as Radmin2.</p>
<p>In Q2 2025, the percentage of ICS computers on which worms and viruses were blocked decreased to 1.22% (down 0.09 pp) and 1.29% (down 0.24 pp). Both are the lowest values since Q2 2022.</p>
<h2 id="autocad-malware">AutoCAD malware</h2>
<p>This category of malware can spread in a variety of ways, so it does not belong to a specific group.</p>
<p>In Q2 2025, the percentage of ICS computers on which AutoCAD malware was blocked continued to decrease to 0.29% (down 0.05 pp) and reached its lowest level since Q2 2022.</p>
<p>For more information on industrial threats see <a href="https://ics-cert.kaspersky.com/publications/reports/2025/09/11/threat-landscape-for-industrial-automation-systems-q2-2025/" target="_blank" rel="noopener">the full version of the report</a>.</p>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/industrial-threat-report-q2-2025/117532/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/19094238/SL-ICS-CERT-Q2-2025-report-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/19094238/SL-ICS-CERT-Q2-2025-report-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/19094238/SL-ICS-CERT-Q2-2025-report-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/19094238/SL-ICS-CERT-Q2-2025-report-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
<item>
<title>RevengeHotels: a new wave of attacks leveraging LLMs and VenomRAT</title>
<link>https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-latin-america/117493/</link>
<comments>https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-latin-america/117493/#respond</comments>
<dc:creator><![CDATA[Lisandro Ubiedo]]></dc:creator>
<pubDate>Tue, 16 Sep 2025 10:00:41 +0000</pubDate>
<category><![CDATA[GReAT research]]></category>
<category><![CDATA[Malware Technologies]]></category>
<category><![CDATA[Targeted attacks]]></category>
<category><![CDATA[Malware Descriptions]]></category>
<category><![CDATA[Malware]]></category>
<category><![CDATA[RAT Trojan]]></category>
<category><![CDATA[.NET]]></category>
<category><![CDATA[PowerShell]]></category>
<category><![CDATA[Brazil]]></category>
<category><![CDATA[Data theft]]></category>
<category><![CDATA[Thematic phishing]]></category>
<category><![CDATA[LLM]]></category>
<category><![CDATA[AI]]></category>
<category><![CDATA[Windows malware]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117493</guid>
<description><![CDATA[Kaspersky GReAT expert takes a closer look at the RevengeHotels threat actor's new campaign, including AI-generated scripts, targeted phishing, and VenomRAT.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/15114425/revengehotels-featured-image-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="background">Background</h2>
<p>RevengeHotels, also known as TA558, is a threat group that has been active since 2015, stealing credit card data from hotel guests and travelers. RevengeHotels’ modus operandi involves sending emails with phishing links which redirect victims to websites mimicking document storage. These sites, in turn, download script files to ultimately infect the targeted machines. The final payloads consist of various remote access Trojan (RAT) implants, which enable the threat actor to issue commands for controlling compromised systems, stealing sensitive data, and maintaining persistence, among other malicious activities.</p>
<p><a href="https://securelist.com/revengehotels/95229/" target="_blank" rel="noopener">In previous campaigns</a>, the group was observed using malicious emails with Word, Excel, or PDF documents attached. Some of them exploited the <a href="https://www.cve.org/CVERecord?id=CVE-2017-0199" target="_blank" rel="noopener">CVE-2017-0199</a> vulnerability, loading Visual Basic Scripting (VBS), or PowerShell scripts to install customized versions of different RAT families, such as RevengeRAT, NanoCoreRAT, NjRAT, 888 RAT, and custom malware named ProCC. These campaigns affected hotels in multiple countries across Latin America, including Brazil, Argentina, Chile, and Mexico, but also hotel front-desks globally, particularly in Russia, Belarus, Turkey, and so on.</p>
<p>Later, this threat group expanded its arsenal by adding XWorm, a RAT with commands for control, data theft, and persistence, amongst other things. While investigating the campaign that distributed XWorm, we identified high-confidence indicators that RevengeHotels also used the RAT tool named DesckVBRAT in their operations.</p>
<p>In the summer of 2025, we observed new campaigns targeting the same sector and featuring increasingly sophisticated implants and tools. The threat actors continue to employ phishing emails with invoice themes to deliver VenomRAT implants via JavaScript loaders and PowerShell downloaders. A significant portion of the initial infector and downloader code in this campaign appears to be generated by large language model (LLM) agents. This suggests that the threat actor is now leveraging AI to evolve its capabilities, a trend also reported among other cybercriminal groups.</p>
<p>The primary targets of these campaigns are Brazilian hotels, although we have also observed attacks directed at Spanish-speaking markets. Through a comprehensive analysis of the attack patterns and the threat actor’s modus operandi, we have established with high confidence that the responsible actor is indeed RevengeHotels. The consistency of the tactics, techniques, and procedures (TTPs) employed in these attacks aligns with the known behavior of RevengeHotels. The infrastructure used for payload delivery relies on legitimate hosting services, often utilizing Portuguese-themed domain names.</p>
<h2 id="initial-infection">Initial infection</h2>
<p>The primary attack vector employed by RevengeHotels is phishing emails with invoicing themes, which urge the recipient to settle overdue payments. These emails are specifically targeted at email addresses associated with hotel reservations. While Portuguese is a common language used in these phishing emails, we have also discovered instances of Spanish-language phishing emails, indicating that the threat actor’s scope extends beyond Brazilian hospitality establishments and may include targets in Spanish-speaking countries or regions.</p>
<div id="attachment_117518" style="width: 1613px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/15114710/RevengeHotels-graphics.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117518" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/15114710/RevengeHotels-graphics.png" alt="Example of a phishing email about a booking confirmation" width="1603" height="1002" class="size-full wp-image-117518" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/15114710/RevengeHotels-graphics.png 1603w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/15114710/RevengeHotels-graphics-300x188.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/15114710/RevengeHotels-graphics-1024x640.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/15114710/RevengeHotels-graphics-768x480.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/15114710/RevengeHotels-graphics-1536x960.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/15114710/RevengeHotels-graphics-560x350.png 560w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/15114710/RevengeHotels-graphics-740x463.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/15114710/RevengeHotels-graphics-448x280.png 448w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/15114710/RevengeHotels-graphics-800x500.png 800w" sizes="auto, (max-width: 1603px) 100vw, 1603px" /></a><p id="caption-attachment-117518" class="wp-caption-text">Example of a phishing email about a booking confirmation</p></div>
<p>In recent instances of these attacks, the themes have shifted from hotel reservations to fake job applications, where attackers sent résumés in an attempt to exploit potential job opportunities at the targeted hotels.</p>
<h2 id="malicious-implant">Malicious implant</h2>
<p>The malicious websites, which change with each email, download a WScript JS file upon being visited, triggering the infection process. The filename of the JS file changes with every request. In the case at hand, we analyzed <code>Fat146571.js</code> (fbadfff7b61d820e3632a2f464079e8c), which follows the format <code>Fat\{NUMBER\}.js</code>, where “Fat” is the beginning of the Portuguese word “fatura”, meaning “invoice”.</p>
<p>The script appears to be generated by a large language model (LLM), as evidenced by its heavily commented code and a format similar to those produced by this type of technology. The primary function of the script is to load subsequent scripts that facilitate the infection.</p>
<p>A significant portion of the new generation of initial infectors created by RevengeHotels contains code that seems to have been generated by AI. These LLM-generated code segments can be distinguished from the original malicious code by several characteristics, including:</p>
<ul>
<li>The cleanliness and organization of the code</li>
<li>Placeholders, which allow the threat actor to insert their own variables or content</li>
<li>Detailed comments that accompany almost every action within the code</li>
<li>A notable lack of obfuscation, which sets these LLM-generated sections apart from the rest of the code</li>
</ul>
<div id="attachment_117504" style="width: 1913px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133434/latin-america2.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117504" class="size-full wp-image-117504" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133434/latin-america2.png" alt="AI generated code in a malicious implant as compared to custom code" width="1903" height="2048" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133434/latin-america2.png 1903w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133434/latin-america2-279x300.png 279w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133434/latin-america2-952x1024.png 952w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133434/latin-america2-768x827.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133434/latin-america2-1427x1536.png 1427w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133434/latin-america2-325x350.png 325w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133434/latin-america2-740x796.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133434/latin-america2-260x280.png 260w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133434/latin-america2-800x861.png 800w" sizes="auto, (max-width: 1903px) 100vw, 1903px" /></a><p id="caption-attachment-117504" class="wp-caption-text">AI generated code in a malicious implant as compared to custom code</p></div>
<h2 id="second-loading-step">Second loading step</h2>
<p>Upon execution, the loader script, <code>Fat\{NUMBER\}.js</code>, decodes an obfuscated and encoded buffer, which serves as the next step in loading the remaining malicious implants. This buffer is then saved to a PowerShell (PS1) file named <code>SGDoHBZQWpLKXCAoTHXdBGlnQJLZCGBOVGLH_{TIMESTAMP}.ps1</code> (d5f241dee73cffe51897c15f36b713cc), where “\{TIMESTAMP\}” is a generated number based on the current execution date and time. This ensures that the filename changes with each infection and is not persistent. Once the script is saved, it is executed three times, after which the loader script exits.</p>
<p>The script <code>SGDoHBZQWpLKXCAoTHXdBGlnQJLZCGBOVGLH_{TIMESTAMP}.ps1</code> runs a PowerShell command with Base64-encoded code. This code retrieves the <code>cargajecerrr.txt</code> (b1a5dc66f40a38d807ec8350ae89d1e4) file from a remote malicious server and invokes it as PowerShell.</p>
<p>This downloader, which is lightly obfuscated, is responsible for fetching the remaining files from the malicious server and loading them. Both downloaded files are Base64-encoded and have descriptive names: <code>venumentrada.txt</code> (607f64b56bb3b94ee0009471f1fe9a3c), which can be interpreted as “VenomRAT entry point”, and <code>runpe.txt</code> (dbf5afa377e3e761622e5f21af1f09e6), which is named after a malicious tool for in-memory execution. The first file, <code>venumentrada.txt</code>, is a heavily obfuscated loader (MD5 of the decoded file: 91454a68ca3a6ce7cb30c9264a88c0dc) that ensures the second file, a VenomRAT implant (3ac65326f598ee9930031c17ce158d3d), is correctly executed in memory.</p>
<p>The malicious code also exhibits characteristics consistent with generation by an AI interface, including a coherent code structure, detailed commenting, and explicit variable naming. Moreover, it differs significantly from previous samples, which had a structurally different, more obfuscated nature and lacked comments.</p>
<h2 id="exploring-venomrat">Exploring VenomRAT</h2>
<p>VenomRAT, an evolution of the open-source QuasarRAT, <a href="https://www.acronis.com/en-sg/tru/posts/venomrat-a-remote-access-tool-with-dangerous-consequences/" target="_blank" rel="noopener">was first discovered in mid-2020</a> and is offered on the dark web, with a lifetime license costing up to $650. Although the source code of VenomRAT was leaked, it is still being sold and used by threat actors.</p>
<div id="attachment_117505" style="width: 2058px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133605/latin-america3.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117505" class="size-full wp-image-117505" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133605/latin-america3.png" alt="VenomRAT packages on the dark web" width="2048" height="1104" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133605/latin-america3.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133605/latin-america3-300x162.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133605/latin-america3-1024x552.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133605/latin-america3-768x414.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133605/latin-america3-1536x828.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133605/latin-america3-649x350.png 649w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133605/latin-america3-740x399.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133605/latin-america3-519x280.png 519w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11133605/latin-america3-800x431.png 800w" sizes="auto, (max-width: 2048px) 100vw, 2048px" /></a><p id="caption-attachment-117505" class="wp-caption-text">VenomRAT packages on the dark web</p></div>
<p>According to the vendor’s website, VenomRAT offers a range of capabilities that build upon and expand those of QuasarRAT, including HVNC hidden desktop, file grabber and stealer, reverse proxy, and UAC exploit, amongst others.</p>
<p>As with other RATs, VenomRAT clients are generated with custom configurations. The configuration data within the implant (similar to QuasarRAT) is encrypted using AES and PKCS #5 v2.0, with two keys employed: one for decrypting the data and another for verifying its authenticity using HMAC-SHA256. Throughout the malware code, different sets of keys and initialization vectors are used sporadically, but they consistently implement the same AES algorithm.</p>
<h3 id="anti-kill">Anti-kill</h3>
<p>It is notable that VenomRAT features an anti-kill protection mechanism, which can be enabled by the threat actor upon execution. Initially, the RAT calls a function named <code>EnableProtection</code>, which retrieves the security descriptor of the malicious process and modifies the Discretionary Access Control List (DACL) to remove any permissions that could hinder the RAT’s proper functioning or shorten its lifespan on the system.</p>
<p>The second component of this anti-kill measure involves a thread that runs a continuous loop, checking the list of running processes every 50 milliseconds. The loop specifically targets those processes commonly used by security analysts and system administrators to monitor host activity or analyze .NET binaries, among other tasks. If the RAT detects any of these processes, it will terminate them without prompting the user.</p>
<div id="attachment_117506" style="width: 2058px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11134004/latin-america4.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117506" class="size-full wp-image-117506" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11134004/latin-america4.png" alt="List of processes that the malware looks for to terminate" width="2048" height="357" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11134004/latin-america4.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11134004/latin-america4-300x52.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11134004/latin-america4-1024x179.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11134004/latin-america4-768x134.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11134004/latin-america4-1536x268.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11134004/latin-america4-2008x350.png 2008w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11134004/latin-america4-740x129.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11134004/latin-america4-1600x280.png 1600w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/11134004/latin-america4-800x139.png 800w" sizes="auto, (max-width: 2048px) 100vw, 2048px" /></a><p id="caption-attachment-117506" class="wp-caption-text">List of processes that the malware looks for to terminate</p></div>
<p>The anti-kill measure also involves persistence, which is achieved through two mechanisms written into a VBS file generated and executed by VenomRAT. These mechanisms ensure the malware’s continued presence on the system:</p>
<ol>
<li>Windows Registry: The script creates a new key under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, pointing to the executable path. This allows the malware to persist across user sessions.</li>
<li>Process: The script runs a loop that checks for the presence of the malware process in the process list. If it is not found, the script executes the malware again.</li>
</ol>
<p>If the user who executed the malware has administrator privileges, the malware takes additional steps to ensure its persistence. It sets the <code>SeDebugPrivilege</code> token, enabling it to use the <code>RtlSetProcessIsCritical</code> function to mark itself as a critical system process. This makes the process “essential” to the system, allowing it to persist even when termination is attempted. However, when the administrator logs off or the computer is about to shut down, VenomRAT removes its critical mark to permit the system to proceed with these actions.</p>
<p>As a final measure to maintain persistence, the RAT calls the <code>SetThreadExecutionState</code> function with a set of flags that forces the display to remain on and the system to stay in a working state. This prevents the system from entering sleep mode.</p>
<p>Separately from the anti-kill methods, the malware also includes a protection mechanism against Windows Defender. In this case, the RAT actively searches for <code>MSASCui.exe</code> in the process list and terminates it. The malware then modifies the task scheduler and registry to disable Windows Defender globally, along with its various features.</p>
<h3 id="networking">Networking</h3>
<p>VenomRAT employs a custom packet building and serialization mechanism for its networking connection to the C2 server. Each packet is tailored to a specific action taken by the RAT, with a dedicated packet handler for each action. The packets transmitted to the C2 server undergo a multi-step process:</p>
<ol>
<li>The packet is first serialized to prepare it for transmission.</li>
<li>The serialized packet is then compressed using LZMA compression to reduce its size.</li>
<li>The compressed packet is encrypted using AES-128 encryption, utilizing the same key and authentication key mentioned earlier.</li>
</ol>
<p>Upon receiving packets from the C2 server, VenomRAT reverses this process to decrypt and extract the contents.</p>
<p>Additionally, VenomRAT implements tunneling by installing ngrok on the infected computer. The C2 server specifies the token, protocol, and port for the tunnel, which are sent in the serialized packet. This allows remote control services like RDP and VNC to operate through the tunnel and to be exposed to the internet.</p>
<h3 id="usb-spreading">USB spreading</h3>
<p>VenomRAT also possesses the capability to spread via USB drives. To achieve this, it scans drive letters from C to M and checks if each drive is removable. If a removable drive is detected, the RAT copies itself to all available drives under the name <code>My Pictures.exe</code>.</p>
<h3 id="extra-stealth-steps">Extra stealth steps</h3>
<p>In addition to copying itself to another directory and changing its executable name, VenomRAT employs several stealth techniques that distinguish it from QuasarRAT. Two notable examples include:</p>
<ul>
<li>Deletion of Zone.Identifier streams: VenomRAT deletes the Mark of the Web streams, which contain metadata about the URL from which the executable was downloaded. By removing this information, the RAT can evade detection by security tools like Windows Defender and avoid being quarantined, while also eliminating its digital footprint.</li>
<li>Clearing Windows event logs: The malware clears all Windows event logs on the compromised system, effectively creating a “clean slate” for its operations. This action ensures that any events generated during the RAT’s execution are erased, making it more challenging for security analysts to detect and track its activities.</li>
</ul>
<h2 id="victimology">Victimology</h2>
<p>The primary targets of RevengeHotels attacks continue to be hotels and front desks, with a focus on establishments located in Brazil. However, the threat actors have been adapting their tactics, and phishing emails are now being sent in languages other than Portuguese. Specifically, we’ve observed that emails in Spanish are being used to target hotels and tourism companies in Spanish-speaking countries, indicating a potential expansion of the threat actor’s scope. Note that among earlier victims of this threat are such Spanish-speaking countries as Argentina, Bolivia, Chile, Costa Rica, Mexico, and Spain.</p>
<p>It is important to point out that previously reported campaigns have mentioned the threat actor targeting hotel front desks globally, particularly in Russia, Belarus, and Turkey, although no such activity has yet been detected during the latest RevengeHotels campaign.</p>
<h2 id="conclusions">Conclusions</h2>
<p>RevengeHotels has significantly enhanced its capabilities, developing new tactics to target the hospitality and tourism sectors. With the assistance of LLM agents, the group has been able to generate and modify their phishing lures, expanding their attacks to new regions. The websites used for these attacks are constantly rotating, and the initial payloads are continually changing, but the ultimate objective remains the same: to deploy a remote access Trojan (RAT). In this case, the RAT in question is VenomRAT, a privately developed variant of the open-source QuasarRAT.</p>
<p>Kaspersky products detect these threats as <code>HEUR:Trojan-Downloader.Script.Agent.gen</code>, <code>HEUR:Trojan.Win32.Generic</code>, <code>HEUR:Trojan.MSIL.Agent.gen</code>, <code>Trojan-Downloader.PowerShell.Agent.ady</code>, <code>Trojan.PowerShell.Agent.aqx</code>.</p>
<h2 id="indicators-of-compromise">Indicators of compromise</h2>
<p><a href="https://opentip.kaspersky.com/fbadfff7b61d820e3632a2f464079e8c/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______11c095495d35df74&utm_source=SL&utm_medium=SL&utm_campaign=SL">fbadfff7b61d820e3632a2f464079e8c</a> Fat146571.js<br />
<a href="https://opentip.kaspersky.com/d5f241dee73cffe51897c15f36b713cc/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______7883728a48b0302a&utm_source=SL&utm_medium=SL&utm_campaign=SL">d5f241dee73cffe51897c15f36b713cc</a> SGDoHBZQWpLKXCAoTHXdBGlnQJLZCGBOVGLH_{TIMESTAMP}.ps1<br />
<a href="https://opentip.kaspersky.com/1077ea936033ee9e9bf444dafb55867c/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______1b73659670788504&utm_source=SL&utm_medium=SL&utm_campaign=SL">1077ea936033ee9e9bf444dafb55867c</a> cargajecerrr.txt<br />
<a href="https://opentip.kaspersky.com/b1a5dc66f40a38d807ec8350ae89d1e4/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______85ec13e958c9c6cc&utm_source=SL&utm_medium=SL&utm_campaign=SL">b1a5dc66f40a38d807ec8350ae89d1e4</a> cargajecerrr.txt<br />
<a href="https://opentip.kaspersky.com/dbf5afa377e3e761622e5f21af1f09e6/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______014e160c9c26a66d&utm_source=SL&utm_medium=SL&utm_campaign=SL">dbf5afa377e3e761622e5f21af1f09e6</a> runpe.txt<br />
<a href="https://opentip.kaspersky.com/607f64b56bb3b94ee0009471f1fe9a3c/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______4e53765727c6307c&utm_source=SL&utm_medium=SL&utm_campaign=SL">607f64b56bb3b94ee0009471f1fe9a3c</a> venumentrada.txt<br />
<a href="https://opentip.kaspersky.com/3ac65326f598ee9930031c17ce158d3d/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______e25f34a7be680b5d&utm_source=SL&utm_medium=SL&utm_campaign=SL">3ac65326f598ee9930031c17ce158d3d</a> deobfuscated runpe.txt<br />
<a href="https://opentip.kaspersky.com/91454a68ca3a6ce7cb30c9264a88c0dc/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______f0db71705db2b119&utm_source=SL&utm_medium=SL&utm_campaign=SL">91454a68ca3a6ce7cb30c9264a88c0dc</a> deobfuscated venumentrada.txt</p>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-latin-america/117493/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/15114425/revengehotels-featured-image.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/15114425/revengehotels-featured-image-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/15114425/revengehotels-featured-image-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/15114425/revengehotels-featured-image-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
</channel>
</rss>

If you would like to create a banner that links to this page (i.e. this validation result), do the following:

Download the "valid RSS" banner.
Upload the image to your own server. (This step is important. Please do not link directly to the image on this server.)
Add this HTML to your page (change the image src attribute if necessary):

<a href="http://www.feedvalidator.org/check.cgi?url=http%3A//securelist.com/feed/"><img src="valid-rss-rogers.png" alt="[Valid RSS]" title="Validate my RSS feed" /></a>

If you would like to create a text link instead, here is the URL you can use:

http://www.feedvalidator.org/check.cgi?url=http%3A//securelist.com/feed/

Home · About · News · Docs · Terms