{
	"id": "c92b5289-2d2d-4137-9173-6a1fb6b0ca38",
	"created_at": "2026-04-06T00:18:22.07034Z",
	"updated_at": "2026-04-10T03:29:39.712528Z",
	"deleted_at": null,
	"sha1_hash": "26102c9b2e236dfa31af44975b637ac76d80a262",
	"title": "Exmatter malware levels up: S-RM observes new variant with simultaneous remote code execution and data targeting",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2916285,
	"plain_text": "Exmatter malware levels up: S-RM observes new variant with\r\nsimultaneous remote code execution and data targeting\r\nBy David Broome, Gavin Hull\r\nPublished: 2024-06-04 · Archived: 2026-04-05 17:19:55 UTC\r\nS-RM’s incident response team has observed a new variant of the data exfiltration tool, Exmatter, being used by a\r\nLockBit affiliate on a recent ransomware engagement.\r\nIn this special edition of the Cyber Intelligence Briefing, S-RM cyber experts, David Broome and Gavin Hull,\r\nexplore the technical details underpinning this development, what it means for potential victims, and how\r\norganisations can identify and mitigate similar malware in their environments.\r\nWhat is Exmatter?\r\nExmatter is a custom-built data exfiltration tool which aims to automate and increase the efficiency of data\r\nexfiltration from victims’ systems by targeting specific directories and file types for collection and exfiltration.\r\nThe tool’s creation and use has been attributed to a ransomware affiliate tracked by Microsoft as Velvet Tempest\r\n(previously tracked as DEV-0504), which has deployed the following ransomware payloads between December\r\n2021 and June 2022: Ryuk, Revil, LockBit 2.0, BlackMatter, Conti and BlackCat aka AlphV. S-RM has observed\r\nthis affiliate deploying LockBit 3.0 payloads since August 2023..\r\nA new variant?\r\nIn a recent engagement, S-RM identified a LockBit affiliate using a new variant of Exmatter malware to exfiltrate\r\nsensitive data from the client’s network prior to the deployment of ransomware. The Exmatter binary was\r\ndiscovered using the file names ‘SMSAgent.exe’, ‘\u003ccompany_name\u003e.exe’ and ‘\u003ccompany_domain_name\u003e.exe’\r\n(company name redacted), with the SHA1 hash 7c67976bfc3ef3c673d5cabc60b7f6fbe0ab19dc. 
Analysis of the\r\nExmatter binary revealed that, beneath multiple layers of obfuscation, including Spanish-language function\r\nnames and large Base64-encoded sections of code, were features we have not previously observed.\r\nThe two most significant developments we detected in Exmatter’s code were its ability to read mapped network\r\ndrives from the registry of the host system, and its use of inter-process communication (‘IPC’) between\r\nmultiple copies of the binary across multiple systems, built on an open-source module named TinyIPC.\r\nhttps://www.s-rminform.com/cyber-intelligence-briefing/exmatter-malware-levels-up\r\nPage 1 of 8\n\nFigure 1 – Querying the registry key HKEY_CURRENT_USER\\Network\\*\\RemotePath, which\r\nstores the UNC path of each persistently mapped drive (one subkey per drive letter).\r\nFigure 2 – Storing the RemotePath registry values as a list of UNC paths of mapped shares.\r\nFigure 3 – Instantiation of the TinyMessageBus class for IPC communication.\r\nThe use of IPC allowed it to move laterally between network shares on the victim’s network, simultaneously\r\ntargeting data for exfiltration whilst remotely executing itself on other systems. If executed with administrator\r\nrights, it was also able to take ownership of files using the built-in ‘takeown’ command, which relies on the\r\nSeTakeOwnershipPrivilege privilege, giving the threat actor ownership of files they were\r\npreviously denied access to (and, as owner, the right to change their permissions). This not only sped up the process of exfiltration, but also gave Exmatter more\r\nautonomy to target a larger number of systems and data with minimal input from the threat actor.\r\nThe binary also contained a Base64-encoded WebDAV client configured to connect to a WebDAV server controlled by the\r\nthreat actor, which was used for command and control.
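The behaviours described above lend themselves to a telemetry hunt: the binary itself (by hash, or by the SMSAgent.exe path from the indicator table further down), the command-line switches listed in the ‘Exmatter arguments’ table, recursive ‘takeown’ runs, and bulk uploads to the WebDAV server (WebDAV uploads are plain HTTP PUT requests). The Python script below is an added example written for this edit, not code from S-RM or from the article; the event field names, hostnames, IP addresses and the 500 MiB upload threshold are assumptions, and all sample records are constructed. Only the hashes and file path come from the article.

```python
# Added example for this edit (not S-RM's code): hunt over constructed telemetry
# for the Exmatter behaviours the article describes. Field names, hosts, IPs and
# the upload threshold are assumptions; the sample records are constructed.
from collections import defaultdict

# Hashes of the sample published in the article's indicator table (lower-case hex).
EXMATTER_HASHES = {
    '7c67976bfc3ef3c673d5cabc60b7f6fbe0ab19dc',                          # SHA1
    'd8b56615a416e27272e3a8dc6a6467bf',                                  # MD5
    'f13aae2f4995b0eb5ccf9f487003cd2c645d157f45ba6b79af6d39c18832bfc2',  # SHA256
}
# Command-line switches from the article's argument table.
EXMATTER_SWITCHES = {'-ipc', '-ipcpref', '-path', '-norewrite', '-w'}
PUT_BYTES_THRESHOLD = 500 * 1024 * 1024  # assumption: 500 MiB of PUT bodies per src/dst pair


def ipc_node(tokens):
    '''Return the TinyIPC node number following -ipc, or None if absent or invalid
    (the article notes the value must be greater than 1).'''
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == '-ipc' and tokens[i + 1].isdigit() and int(tokens[i + 1]) > 1:
            return int(tokens[i + 1])
    return None


def hunt_process_event(event):
    '''Return (rule, detail) findings for one Sysmon-style process-creation event.'''
    findings = []
    image = event.get('image', '')
    tokens = event.get('cmdline', '').split()
    hashes = {h.lower() for h in event.get('hashes', [])}
    if hashes & EXMATTER_HASHES:                        # catches the binary under any file name
        findings.append(('exmatter_hash', image))
    if image.lower() == 'c:\\windows\\smsagent.exe':    # file path from the indicator table
        findings.append(('exmatter_filename', image))
    switches = {t.lower() for t in tokens[1:]} & EXMATTER_SWITCHES
    if switches - {'-w'}:                               # '-w' alone is too generic to alert on
        detail = ' '.join(sorted(switches))
        node = ipc_node(tokens)
        if node is not None:
            detail += f' (ipc node {node})'
        findings.append(('exmatter_arguments', detail))
    lowered = [t.lower() for t in tokens]
    is_takeown = bool(lowered) and (lowered[0] == 'takeown' or lowered[0].endswith('takeown.exe'))
    if is_takeown and '/r' in lowered:                  # /R = recurse: takeown over whole trees
        findings.append(('recursive_takeown', event.get('cmdline', '')))
    return findings


def hunt_http_put(records):
    '''Sum outbound HTTP PUT body bytes per (src, dst, dport) and return the pairs
    at or above PUT_BYTES_THRESHOLD. WebDAV uploads are plain PUT requests.'''
    totals = defaultdict(int)
    for rec in records:
        if rec['method'].upper() == 'PUT':
            totals[(rec['src'], rec['dst'], rec['dport'])] += rec['bytes_out']
    return [(key, total) for key, total in sorted(totals.items()) if total >= PUT_BYTES_THRESHOLD]


# Constructed sample telemetry (not real data).
PROCESS_EVENTS = [
    {'host': 'WS-042', 'image': 'C:\\Windows\\SMSAgent.exe',
     'cmdline': 'SMSAgent.exe -ipc 373737 -path \\\\FS01\\Data',
     'hashes': ['F13AAE2F4995B0EB5CCF9F487003CD2C645D157F45BA6B79AF6D39C18832BFC2']},
    {'host': 'FS01', 'image': 'C:\\Windows\\System32\\takeown.exe',
     'cmdline': 'takeown /F D:\\Data /R /D Y', 'hashes': []},
    {'host': 'WS-007', 'image': 'C:\\Windows\\System32\\cmd.exe',
     'cmdline': 'cmd /c dir -w', 'hashes': []},              # benign: must not fire
    {'host': 'WS-019', 'image': 'C:\\Tools\\Backup.exe',     # renamed copy, caught by hash
     'cmdline': 'Backup.exe -ipcpref 100000 -norewrite',
     'hashes': ['7c67976bfc3ef3c673d5cabc60b7f6fbe0ab19dc']},
]
HTTP_RECORDS = [
    {'src': '10.10.5.42', 'dst': '203.0.113.7', 'dport': 80, 'method': 'PUT', 'bytes_out': 300 * 1024 * 1024},
    {'src': '10.10.5.42', 'dst': '203.0.113.7', 'dport': 80, 'method': 'PUT', 'bytes_out': 250 * 1024 * 1024},
    {'src': '10.10.5.42', 'dst': '203.0.113.7', 'dport': 80, 'method': 'PROPFIND', 'bytes_out': 512},
    {'src': '10.10.7.9', 'dst': '198.51.100.3', 'dport': 443, 'method': 'PUT', 'bytes_out': 4 * 1024 * 1024},
]


def run_hunt(process_events=PROCESS_EVENTS, http_records=HTTP_RECORDS):
    '''Return (host_or_src, rule, detail) findings across both data sources.'''
    findings = []
    for event in process_events:
        for rule, detail in hunt_process_event(event):
            findings.append((event['host'], rule, detail))
    for (src, dst, dport), total in hunt_http_put(http_records):
        findings.append((src, 'bulk_http_put', f'{total >> 20} MiB PUT to {dst}:{dport}'))
    return findings


if __name__ == '__main__':
    for finding in run_hunt():
        print(finding)
```

The hash rule is what catches the renamed copies (the article saw the same binary under three file names), the argument rule is what catches a copy whose hash has changed, and the PUT aggregation works on whatever proxy or firewall export you have as long as it records method and body size; tune the threshold to your own baseline rather than keeping the assumed 500 MiB.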
Exmatter then used the HTTP PUT method over port 80 to\r\ntransfer data out of the victim’s network, ultimately resulting in the exfiltration of up to 1 TB of data.\r\nTowards automation and autonomy\r\nOur analysis of Exmatter demonstrates that threat actors are becoming increasingly sophisticated in their ability to\r\nexfiltrate large amounts of data from victim networks whilst remaining undetected. The new functions highlight a\r\ngrowing trend towards automation and autonomy, with malware authors continuously fine-tuning their source code\r\nto reduce the time needed to achieve their objectives and minimise the need for human input.\r\nProtection\r\nIn response to this increasing sophistication, organisations need to be proficient at detecting and preventing the\r\nuse of data exfiltration tools in their environment. Sensitive data is a primary target for cyber criminals, who seek\r\nto use it as leverage over their victims. Below, we have outlined five recommendations for identifying and\r\nmitigating these threats in your environment.\r\n1. Block inbound SMB connections to endpoints via Group Policy Object (GPO). As Exmatter utilises\r\nIPC to perform lateral movement and remote execution, blocking inbound SMB connections on endpoints\r\ncan limit its ability to function. On Windows devices, this can be achieved by disabling the following\r\npredefined inbound allow rules in Microsoft Defender Firewall on endpoints: File and Printer Sharing (SMB-In), Netlogon\r\nService (NP-In), Remote Event Log Management (NP-In) and Remote Service Management (NP-In). All of these are SMB or\r\nnamed-pipe listeners, so a GPO-deployed firewall rule that blocks inbound TCP 445 on workstations, with exceptions only for\r\ndesignated management hosts, enforces the same outcome more robustly.\r\n2. Disable Windows administrative shares. Exmatter abuses Windows administrative shares to perform\r\nlateral movement. These shares are enabled by default in Windows environments to facilitate the remote\r\nmanagement of hosts by administrators and software. Organisations should consider whether administrative\r\nshares are needed in their environment and, if not, consider disabling them.
These can be disabled via GPO\r\nor by setting the following registry values (DWORD) to 0; the change takes effect once the Server (LanmanServer)\r\nservice is restarted or the host reboots:\r\nDisabling administrative shares on servers:\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\r\nDWORD Name = AutoShareServer\r\nValue = 0\r\nDisabling administrative shares on endpoints:\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\r\nDWORD Name = AutoShareWks\r\nValue = 0\r\nNote that these values remove the automatic drive shares (C$, D$ and so on) and ADMIN$, but not IPC$, and any remote\r\nmanagement tooling that depends on ADMIN$ will stop working, so pilot the change on a small group of hosts first.\r\n3. Use an intrusion detection system (IDS). Exmatter exfiltrates data via the HTTP PUT method, making it\r\ndifficult for the victim to spot it leaving their network. This is a common issue for many organisations,\r\nwith large volumes of legitimate HTTP traffic allowing threat actors to disguise their data exfiltration and remain\r\nundetected. Whilst identifying data exfiltration can be difficult, organisations can use intrusion detection\r\nsystems (IDS) to monitor their network traffic and detect anomalous behaviour, alerting IT staff to any\r\nirregularities in the flow of data. Because the upload in this case was plain HTTP on port 80, a proxy or IDS can see\r\nboth the request method and the body size, so alerting on sustained outbound PUT volume from one internal host to one\r\nexternal destination is a practical first detection.\r\n4. Limit the use of web browser-based password managers. Exmatter targets .sqlite files, which are\r\ncommonly used by web browsers to store sensitive information such as usernames and passwords. Theft of\r\nthese files from your environment could lead to a much larger and more protracted compromise of your\r\nuser accounts and data. Consider limiting the use of web browser-based password managers for your\r\norganisation’s users to prevent the theft of credentials.\r\n5. Conduct tactical threat hunting. Understanding normal processes and behaviour in an environment is\r\nessential to identifying anomalies that are associated with malicious activity. Process, file integrity and\r\ncommand-line monitoring can give defenders enhanced visibility into their network to detect deviations from\r\nbaseline activity.
These can then be combined with Sigma rules in threat hunting exercises to\r\nidentify activity associated with lateral movement and data exfiltration.\r\nTechnical details\r\nOverview\r\nMalware family: Exmatter\r\nAction on objectives: Collect and exfiltrate sensitive data\r\nDelivery mechanism: Deployed via GPO; remote execution over network shares\r\nAttack chain stage: Exfiltration prior to ransomware deployment\r\nTarget operating system: Windows\r\nCode language: .NET\r\nFile type: .exe\r\nFile names: SMSAgent.exe, \u003ccompany_name\u003e.exe, \u003ccompany_domain_name\u003e.exe\r\nFile path: C:\\Windows\\SMSAgent.exe\r\nFile size: 396 KB\r\nSHA1: 7c67976bfc3ef3c673d5cabc60b7f6fbe0ab19dc\r\nMD5: d8b56615a416e27272e3a8dc6a6467bf\r\nSHA256: f13aae2f4995b0eb5ccf9f487003cd2c645d157f45ba6b79af6d39c18832bfc2\r\nSSDEEP: 12288:EDeBtyNAO1cgp9a7UT11H111TPro2KDzG/zUOrOeMrOFSW2PD2dUWF883n9aMpH7:ED0yNAO1cgp+UT11H111TPro2KDzG/zR\r\nImphash: f34d5f2d4577ed6d9ceec516c1f5a744\r\nSigner: No signature found\r\nCompile time: 2024-01-18 01:37:26\r\nVirusTotal: Not present (at the time of analysis)\r\nDirectories ignored by Exmatter\r\n1. \\System Volume Information\r\n2. C:\\Users\\All Users\\Microsoft\r\n3. C:\\ProgramData\r\n4. C:\\Windows\r\n5. C:\\$Recycle.Bin\r\n6. C:\\Documents and Settings\r\n7. C:\\PerfLogs\r\n8. AppData\\Roaming\\Microsoft\r\n9. AppData\\Local\\Microsoft\r\n10. AppData\\Local\\Packages\r\n11. C:\\Program Files\r\n12. C:\\Program Files (x86)\r\n13. Application Data\r\nFile types targeted by Exmatter\r\n1. .pdf\r\n2. .doc\r\n3. .docx\r\n4. .docm\r\n5. .xls\r\n6. .xlsx\r\n7. .xlsm\r\n8. .ppt\r\n9. .pptx\r\n10. .pptm\r\n11. .xps\r\n12. .accdb\r\n13. .png\r\n14. .jpg\r\n15. .jpeg\r\n16. 
.bmp\r\n17. .rdp\r\n18. .sql\r\n19. .sqlite\r\n20. .db\r\n21. .json\r\n22. .msg\r\n23. .pst\r\n24. .zip\r\n25. .rtf\r\n26. .ipt\r\n27. .dwg\r\n28. .txt\r\nExmatter arguments\r\nipc: Initiates a TinyIPC connection in slave mode with the specified IPC node number, which\r\nmust be greater than 1. For example, -ipc 373737.\r\nipcpref: Sets the IPC node number to start from. If not given, a random number between 100,000\r\nand 999,999 is chosen.\r\npath: Sets a specific path to target, such as a UNC path.\r\nnorewrite: Disables ‘Breaker mode’.\r\nw: Default argument; runs the expected behaviour of the malware.\r\nFigure 4 – Argument parser implemented as a cascaded IF/ELSE chain.\r\nHow can S-RM help?\r\nIf you are concerned about your organisation’s ability to detect and prevent the use of data exfiltration tools like\r\nExmatter in your environment, have recently detected suspicious activity within your network, or have additional\r\nquestions about this piece, our team is available to help. Please contact us for more information.\r\nSource: https://www.s-rminform.com/cyber-intelligence-briefing/exmatter-malware-levels-up",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.s-rminform.com/cyber-intelligence-briefing/exmatter-malware-levels-up"
	],
	"report_names": [
		"exmatter-malware-levels-up"
	],
	"threat_actors": [
		{
			"id": "76e1fb02-1ceb-4fe5-8a68-456f0d4c62a4",
			"created_at": "2024-02-02T02:00:04.037062Z",
			"updated_at": "2026-04-10T02:00:03.535409Z",
			"deleted_at": null,
			"main_name": "Velvet Tempest",
			"aliases": [
				"DEV-0504"
			],
			"source_name": "MISPGALAXY:Velvet Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434702,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/26102c9b2e236dfa31af44975b637ac76d80a262.pdf",
		"text": "https://archive.orkl.eu/26102c9b2e236dfa31af44975b637ac76d80a262.txt",
		"img": "https://archive.orkl.eu/26102c9b2e236dfa31af44975b637ac76d80a262.jpg"
	}
}