Cybersecurity researchers from Outpost24’s KrakenLabs observed a new and quite unique malware campaign that appears to prioritize quantity over quality.
When hackers compromise a device, they typically deploy a single piece of malware and do their best to remain invisible and persistent while using the computer for whatever end goal they have.
But this new campaign, called Unfurling Hemlock, does the exact opposite, making it stand out in the world of cybercrime. The researchers say that once the victim activates the malware executables – in this case called ‘EXTRACT.EXE’ – they receive a handful of different malware, infostealers and botnet executables.
Malware cluster bomb
The malware is likely to be picked up by cybersecurity solutions, but researchers believe the attackers are hoping that at least some of the payloads will survive the purge. Among the payloads dropped on the devices are Redline (a popular infostealer), RisePro (an upcoming infostealer), Mystic Stealer (malware-as-a-service infostealing), Amadey (loader), SmokeLoader (another loader), Protection Disabler (a utility that disables Windows Defender and other security features), Enigma Packer (obfuscation tool), Healer (antisecurity solution), and Performance Checker (a utility that monitors and logs the performance of malware execution).
This “malware cluster bomb” was first discovered in February 2024, the researchers said. They claimed to have seen more than 50,000 cluster bomb files, all with unique characteristics that they linked to Unfurling Hemlock.
KrakenLabs cannot say with absolute certainty who the threat actors behind Unfurling Hemlock are, but they are fairly certain they are of Eastern European descent. Some of the evidence pointing in that direction is the use of the Russian language in some of the examples, and the use of the Autonomous System 203727, related to a hosting service that cybercrime groups in the region commonly use.
Fortunately, the malware distributed through this campaign is well-known and is flagged by most reputable antivirus programs.
Through BleepingComputer