{
	"id": "d57f0bf0-cc56-4252-b3fa-39d8967e6a20",
	"created_at": "2026-04-06T00:09:45.678698Z",
	"updated_at": "2026-04-10T13:12:53.776265Z",
	"deleted_at": null,
	"sha1_hash": "0c6467a11a4b1df5edd397cbf6d65e81d9e0d88f",
	"title": "Revisiting BLISTER: New development of the BLISTER loader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2366175,
	"plain_text": "Revisiting BLISTER: New development of the BLISTER loader\r\nBy Salim Bitam, Daniel Stepanic\r\nPublished: 2023-08-24 · Archived: 2026-04-05 22:03:44 UTC\r\nPreamble\r\nIn a fast-paced and ever-changing world of cybercrime threats, the tenacity and adaptability of malicious actors are a significant concern. BLISTER, a malware loader initially discovered by Elastic Security Labs in 2021 and associated with financially-motivated intrusions, is a testament to this trend as it continues to develop additional capabilities. Two years after its initial discovery, BLISTER continues to receive updates while flying under the radar, gaining momentum as an emerging threat. Recent findings from Palo Alto’s Unit 42 describe an updated SOCGHOLISH infection chain used to distribute BLISTER and deploy a payload from MYTHIC, an open-source Command and Control (C2) framework.\r\nKey takeaways\r\nElastic Security Labs has been monitoring the BLISTER malware loader, which is ramping up with new changes and ongoing development, with signs of imminent threat activity\r\nThe new BLISTER update includes an environmental keying feature that allows precise targeting of victim networks and lowers exposure within VM/sandbox environments\r\nBLISTER now integrates techniques to remove any process instrumentation hook and has modified its configuration with multiple revisions, now encompassing additional fields and flags.\r\nOverview\r\nOur research uncovered new functionality that was previously absent within the BLISTER family, indicating ongoing development. However, the malware authors continue to use a distinctive technique of embedding malicious code in otherwise legitimate applications. This approach superficially appears successful, given the low rates of detection for many vendors as seen in VirusTotal. The significant amount of benign code and the use of encryption to protect the malicious code are likely two factors impacting detection.\r\nExample of BLISTER detection rates on initial upload\r\nRecently, Elastic Security Labs has observed many new BLISTER loaders in the wild. After analyzing various samples, it’s clear that the malware authors have made some changes and have been watching the antivirus industry closely. In one sample from early June, we can infer that the authors were testing with a non-production loader that displays a Message Box containing the string “Test”.\r\nhttps://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader\r\nPage 1 of 11\r\nBLISTER payload with Message Box test\r\nReaders can see a disassembled view of this functionality below.\r\nBLISTER testing payloads with Message Box\r\nBy the end of July, we observed campaigns involving a new BLISTER loader that targeted victim organizations to deploy the MYTHIC implant.\r\nMYTHIC running inside injected WerFault process\r\nAt the time of this writing, Elastic Security Labs is seeing a stream of BLISTER samples which deploy MYTHIC and have very low rates of detection.\r\nWave of BLISTER samples in August 2023\r\nComparative analyses\r\nSmuggling malicious code\r\nThe authors behind BLISTER employ a consistent strategy of embedding BLISTER's malicious code within a legitimate library. The most recent variants of this loader have targeted the VLC Media Player library to smuggle their malware into victim environments. This blend of benign and malicious code seems effective at defeating some kinds of machine-learning models.\r\nMetadata of BLISTER sample\r\nThe following is a comparison between a legitimate VLC DLL and one that is infected with BLISTER’s code. In the infected sample, the entry point that references malicious code has been indicated in red. This methodology is similar to prior BLISTER variants.\r\nComparison between original and patched VLC library\r\nDifferent hashing algorithm\r\nOne of the changes implemented since our last write-up is the adoption of a different hashing algorithm used in the core and in the loader part of BLISTER. While the previous version used simple logic to shift bytes, this new version includes a hard-coded seed with XOR and multiplication operations. Researchers speculate that changing the hashing approach helps to evade antimalware products that rely on YARA signatures.\r\nDisassembled hashing algorithm\r\nConfiguration retrieval\r\nAfter the BLISTER loader decrypts the malicious code, it employs the same memory scanning method as before to identify the configuration data blob, searching for a predetermined, hardcoded memory pattern. A notable contrast from the earlier iteration of BLISTER is that the configuration is now decrypted in conjunction with the core code, rather than being treated as a separate entity.\r\nEnvironmental keying\r\nA recent addition to BLISTER is the capability to execute exclusively on designated machines. This behavior is activated by setting the appropriate flag within the malware’s configuration. The malware then extracts the machine's domain name using the GetComputerNameExW Windows API. The domain name is hashed using the previously mentioned algorithm, and the resulting hash is compared to a hash present in the configuration. This functionality is presumably deployed for targeted attacks or for testing scenarios, ensuring that the malware refrains from infecting unintended systems such as those employed by malware researchers.\r\nEnvironmental keying feature\r\nOne of the few malware analysis tools capable of quickly exposing this behavior is the awesome Tiny Tracer utility by hasherezade. We’ve included an excerpt from Tiny_Tracer below which captures the BLISTER process immediately terminating after the GetComputerNameExW validation is performed in a sandboxed analysis VM.\r\nTinyTracer logs\r\nTime-based anti-debugging feature\r\nSimilar to its predecessors, the malware incorporates time-based anti-debugging functionality. However, unlike the previous versions in which the timer was hardcoded, the updated version introduces a new field in the configuration. This field enables customization of the sleep timer, with a default value of 10 minutes. This default interval remains unchanged from prior iterations of BLISTER.\r\nTime-Based Anti-Debug Feature\r\nUnhooking process instrumentation used to detect syscalls\r\nIn this latest version, BLISTER introduces noteworthy functionality: it unhooks any ongoing process instrumentation, a tactic designed to circumvent the userland syscall detection mechanisms upon which certain EDR solutions are based.\r\nUnhooking process instrumentation\r\nBLISTER's configuration\r\nThe BLISTER configuration structure has also been changed with the latest variants. Two new fields have been added and the flag field at offset 0 has been changed from a WORD to a DWORD value. The new fields pertain to the hash of the domain for environmental keying and the configurable sleep time; these field values are at offsets 4 and 12 respectively. The following is the updated structure of the configuration:\r\nConfiguration structure\r\nChanges have also been made to the configuration flags, allowing the operator to activate different functions within the malware. An updated list of these functions, built upon our prior research into BLISTER, follows.\r\nConfiguration flags enumeration\r\nPayload extractor update\r\nIn our previous research publication, we introduced an efficient payload extractor tailored to dissect and extract the configuration and payload of the loader. To dissect the most recent BLISTER variants and capture these new details, we enhanced our extractor, which is available here.\r\nConfiguration extractor\r\nConclusion\r\nBLISTER is one small part of the global cybercriminal ecosystem, providing financially-motivated threats with access to victim environments while avoiding detection by security sensors. The community should consider these new developments and assess the efficacy of BLISTER detections. Elastic Security Labs will continue to monitor this threat and share actionable guidance.\r\nDetection logic\r\nPrevention\r\nWindows.Trojan.Blister\r\nDetection\r\nWindows Error Manager/Reporting Masquerading\r\nPotential Operation via Direct Syscall\r\nPotential Masquerading as Windows Error Manager\r\nUnusual Startup Shell Folder Modification\r\nPotential Masquerading as VLC DLL\r\nYARA\r\nElastic Security has created YARA rules to identify this activity. Below is the latest rule that captures the new update to BLISTER.\r\nrule Windows_Trojan_Blister {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2023-08-02\"\r\n last_modified = \"2023-08-08\"\r\n os = \"Windows\"\r\n arch = \"x86\"\r\n category_type = \"Trojan\"\r\n family = \"Blister\"\r\n threat_name = \"Windows.Trojan.Blister\"\r\n license = \"Elastic License v2\"\r\n strings:\r\n $b_loader_xor = { 48 8B C3 49 03 DC 83 E0 03 8A 44 05 48 [2-3] ?? 03 ?? 4D 2B ?? 75 }\r\n $b_loader_virtual_protect = { 48 8D 45 50 41 ?? ?? ?? ?? 00 4C 8D ?? 04 4C 89 ?? ?? 41 B9 04 00 00 00 4\r\n condition:\r\n all of them\r\n}\r\nObserved adversary tactics and techniques\r\nElastic uses the MITRE ATT\u0026CK framework to document common tactics, techniques, and procedures that advanced persistent threats use against enterprise networks.\r\nTactics\r\nTactics represent the why of a technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action.\r\nExecution\r\nDefense Evasion\r\nPersistence\r\nTechniques / Sub-techniques\r\nTechniques and sub-techniques represent how an adversary achieves a tactical goal by performing an action.\r\nSystem Binary Proxy Execution: Rundll32\r\nExecution Guardrails: Environmental Keying\r\nRegistry Run Keys / Startup Folder\r\nMasquerading\r\nProcess Injection: Process Hollowing\r\nReferences\r\nThe following were referenced throughout the above research:\r\nPalo Alto Unit42\r\nTrendmicro\r\nMalpedia\r\nObservables\r\nAll observables are also available for download in both ECS and STIX format in a combined zip bundle.\r\nThe following observables were discussed in this research.\r\nIndicator Type Reference\r\n5fc79a4499bafa3a881778ef51ce29ef015ee58a587e3614702e69da304395db sha256 BLISTER loader DLL\r\nSource: https://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader"
	],
	"report_names": [
		"revisiting-blister-new-developments-of-the-blister-loader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434185,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c6467a11a4b1df5edd397cbf6d65e81d9e0d88f.pdf",
		"text": "https://archive.orkl.eu/0c6467a11a4b1df5edd397cbf6d65e81d9e0d88f.txt",
		"img": "https://archive.orkl.eu/0c6467a11a4b1df5edd397cbf6d65e81d9e0d88f.jpg"
	}
}