{
	"id": "e048a47b-023e-447d-9c65-bb627a1caa3a",
	"created_at": "2026-04-06T02:12:53.323701Z",
	"updated_at": "2026-04-10T03:21:27.729753Z",
	"deleted_at": null,
	"sha1_hash": "2b93cc14138736e0730630fda1407f53fd127941",
	"title": "Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 1)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 341968,
	"plain_text": "Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 1)\r\nPublished: 2025-08-21 · Archived: 2026-04-06 01:30:20 UTC\r\nA new malware, dubbed “Blister” by the Elastic Security team that identified it, leverages valid code-signing certificates on Windows systems to avoid detection by antivirus software. The malware is named after one of its payloads, Blister, which in turn deploys second-stage payloads.\r\nThe threat actors orchestrating the Blister campaigns have been active since at least 15 September 2021 and have been signing with a certificate whose validity period starts on 23 August 2021. The certificate was issued by Sectigo to Blist LLC, registered under a mail.ru email address; mail.ru is a widely used Russian email service provider.\r\nBecause the malicious components masquerade as genuinely signed executables, the malware has a low detection rate. Apart from code-signing, the threat actors use further techniques to stay under the radar, such as binding Blister to a legitimate library on the infected system.\r\nModus Operandi of the Blister Campaign\r\nThreat actors are known to use code-signing to circumvent basic static security checks and compromise victim systems. Blister is no different: it uses a Sectigo-issued certificate to make the loader look genuine to security products, then deploys a Remote Access Trojan (RAT) on the target system to gain unauthorized access.\r\nA .dll file serves as the second-stage payload and executes the encoded RAT / Cobalt Strike beacon. Since the .dll carries that payload only in encoded form and shows no malicious traces on static inspection, it has had very few detections on VirusTotal. The loader runs it through Rundll32.exe, which calls the LaunchColorCpl function exported by the malicious .dll.\r\n[Image: Overview of the Blister malware campaign]\r\nLeveraging Code-Signing Certificates to Avoid Detection\r\nThe image below shows the details of the certificate issued to an entity called “Blist LLC”. It is common for cybercriminals either to steal code-signing certificates from compromised targets or to use a front company to obtain a certificate with which to sign the malware.\r\n[Image: Certificate issued to Blist LLC]\r\nSectigo has since revoked the certificate used to sign the binary. Revocation only helps where the verifying product actually checks revocation status (CRL/OCSP) at verification time; the Authenticode signature on an already-signed binary remains well-formed and still chains to a trusted root.\r\nhttps://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-1/\r\nPage 1 of 6\n\n[Image: Certificate issued by Sectigo]\r\nFirst Stage of Infection\r\nOverview of the Loader\r\nThe loader writes a malicious .dll file into a directory that it creates inside the user's Temp folder.\r\nIn one of the analysed samples, the loader created a folder named “goalgames” and dropped holorui.dll inside it.\r\nThe .dll houses the code that deploys the RAT used to gain unauthorized access to the infected system.\r\n[Image: The loader writes a .dll file in the user Temp folder]\r\nStep by Step Working of the Loader\r\nThe Win32 API CreateDirectoryW is used to create a folder called “goalgames” under C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp, as shown below.\r\n[Image: Using Win32 API CreateDirectoryW to create a folder in the user Temp folder]\r\nBefore dumping the .dll, the loader sets the working directory to C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\goalgames via the Win32 API SetCurrentDirectoryW.\r\n[Image: Using Win32 API SetCurrentDirectoryW to set the working directory]\r\nAfter setting the working directory, the malware resolves the filename of the .dll to holorui.dll and places a pointer to it in the RCX register, the first-argument register of the x64 calling convention, so that it is passed to the Win32 API CreateFileW as lpFileName.\r\n[Image: The malware resolves the filename for the .dll file to holorui.dll]\r\nThe file C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\goalgames\\holorui.dll is created using the CreateFileW API.\r\n[Image: holorui.dll created using CreateFileW API]\r\nOnce the file is created, the malware writes its content by iteratively transferring bytes from the .dll payload carried inside the loader. The Win32 API WriteFile is used to write into holorui.dll.\r\n[Image: Win32 API WriteFile used to write contents into holorui.dll]\r\nThe malicious .dll is embedded in the initialized data section of the loader's PE image, and its bytes are copied into C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\goalgames\\holorui.dll.\r\n[Image: The MZ header of the embedded file]\r\nOnce the handle to holorui.dll, now written to disk in the Temp directory, is closed, the malware has finished delivering the second-stage payload. The remaining file handles are then closed.\r\n[Image: File handles closed by the malware]\r\nThe successful delivery of the malicious .dll can be confirmed by observing the malware's interaction with the file system.\r\n[Image: Successful delivery of the malicious .dll]\r\nBased on the analysis of multiple signed loader samples, we have enumerated the following distinct directory and payload names used by different samples from the same campaign:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\goalgames\\holorui.dll\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\Framwork\\axsssig.dll\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\oarimgamings\\holorui.dll\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\guirtsframworks\\Pasade.dll\r\nNote: The content of the .dll is the same across samples despite the different file names.\r\nSecond Stage of Infection\r\nIn the second stage of infection, the loader builds a command line that executes the function LaunchColorCpl exported from the .dll via Rundll32.exe on the infected system.\r\n[Image: Command line to execute the function LaunchColorCpl]\r\nA new process is created with that command line, spawning Rundll32 via the CreateProcessW Win32 API.\r\n[Image: Spawning a Rundll32 process via CreateProcessW Win32 API]\r\nThe newly spawned Rundll32.exe process appears in the process listing on the infected machine.\r\n[Image: Newly spawned Rundll32.exe process]\r\n[Image: Command line confirmation for the newly spawned process]\r\nThe final payload is executed by the Rundll32.exe process.
\r\n[Image: Network activities between the infected host and the attacker C2]\r\nIn part 2 of this article we will cover the internal working of the .dll payload in detail.\r\nIndicators of Compromise (IoCs)\r\nFileHash-MD5\r\ne6404260b4e42b7aa75bb0a96627ed3a\r\n304921a919ab5228687a4932bb66fab9\r\ndb8827d0d7b2addc05719e407216da14\r\n1b33c1f232b2ed68ac108519caa2d35f\r\n755f50457416aeb7fee95a67abfea9fe\r\n1896e6b20128e85a9851b94753eabbdf\r\n6f76505a91c91c29238f0ed70b369417\r\na91ba8f4a339a98fa94e810831e83d96\r\n5a7dea7aa86ccd600f5a97e3b53f7338\r\nb8c9c560c6970a877a7ad359f37811d7\r\n3efcd76417a185e48da71e22d230c547\r\nFileHash-SHA1\r\nf8fa1ba14df6f8ab2b307ee0ce04054ea9d538c0\r\n77b11cc7fc02f2ece71c380afbed82a39df9b8fa\r\nf534e15bbc104cafab80f954ba30f12de87b0f48\r\n72134bbf433c51d475412d16ff7abb4ce2b08110\r\nd58e06727c551756cbee1fc6539929553a09878b\r\n4800d1f8e6ebc489c6c8a1d3a1f99b8339cf0980\r\nc039362e891b01040c20e75e16b02169c512aebd\r\n21799d1d30344428697f3a186733b283a993ac16\r\nbb69d5da32164813be5af29d31edc951a8f1f088\r\n871e52778597185f98eb0a57127024bcd094cf07\r\na492b5e329b55d4a0f66217e5352ab56fabacad1\r\nFileHash-SHA256\r\nNote: In this archived copy every second SHA-256 value was cut short during extraction. The truncated values are reproduced as found and marked; they cannot be used for matching, although several of them appear in full under “Signed loaders” below.\r\nfe7357d48906b68f094a81d19cc0ff93f56cc40454ac5f00e2e2d9c8ccdbc388\r\nfa885e9ea1293552cb45a89e740426fa9c313225ff77ad1980 (truncated)\r\nf5104d0ead2f178711b1e23db3c16846de7d1a3ac04dbe09bacebb847775d76d\r\ned6910fd51d6373065a2f1d3580ad645f443bf0badc398aa7 (truncated)\r\ned241c92f9bc969a160da2c4c0b006581fa54f9615646dd46467d24fe5526c7a\r\ndf8142e5cf897af65972041024ebe74c7915df0e18c6364c5f (truncated)\r\nd54dfedda0efa36ed445d501845b61ab73c2102786be710ac19f697fc8d4ca5c\r\nd0f934fd5d63a1524616bc13b51ce274539a8ead9b072e7f7 (truncated)\r\ncc31c124fc39025f5c3a410ed4108a56bb7c6e90b5819167a06800d02ef1f028\r\ncb949ebe87c55c0ba6cf0525161e2e6670c1ae186ab83ce46 (truncated)\r\nca09d9cd2f3cfcc06b33eff91d55602cb33a66ab3fd4f540b9212fce5ddae54a\r\nc61d2ba1e001c137533cd7fb6b38fe71fee489d61dbcfea45c (truncated)\r\nc0f3b27ae4f7db457a86a38244225cca35aa0960eb6a685ed350e99a36c32b61\r\nbee3210360c5d0939c5d38b7b9f0c232cf9fbf93b46a19e539 (truncated)\r\nba3a50930e7a144637faf88a98f2990a27532bfd20a93dc160eb2db4fbc17b58\r\nafb77617a4ca637614c429440c78da438e190dd1ca24dc784 (truncated)\r\naf555d61becfcf0c13d4bc8ea7ab97dcdc6591f8c6bb892290898d28ebce1c5d\r\na486e836026e184f7d3f30eaa4308e2f0c381c070af1f52511 (truncated)\r\na34821b50aadee0dd85c382c43f44dae1e5fef0febf2f7aed6abf3f3e21f7994\r\n9bccc1862e3e5a6c89524f2d76144d121d0ee95b1b8ba5d0f (truncated)\r\n96bf7bd5f405d3b4c9a71bcd1060395f28f2466fdb91cafc6e261a31d41eb37a\r\n9472d4cb393256a62a466f6601014e5cb04a71f115499c320 (truncated)\r\n923b2f90749da76b997e1c7870ae3402aba875fdbdd64f79cbeba2f928884129\r\n8e22cf159345852be585bc5a8e9af476b00bc91cdda98fd6a3 (truncated)\r\n8ae2c205220c95f0f7e1f67030a9027822cc18e941b669e2a52a5dbb5af74bc9\r\n8a414a40419e32282d33af3273ff73a596a7ac8738e9cdca6e (truncated)\r\n863228efa55b54a8d03a87bb602a2e418856e0028ae409357454a6303b128224\r\n84a67f191a93ee827c4829498d2cb1d27bdd9e47e136dc665 (truncated)\r\n81edf3a3b295b0189e54f79387e7df61250cc8eab4f1e8f42eb5042102df8f1f\r\n7cd03b30cfeea07b5ea4c8976e6456cb65e09f6b8e7dcc6888 (truncated)\r\n7b9091c41525f1721b12dcef601117737ea990cee17a8eecf81dcfb25ccb5a8f\r\n6c6f808f9b19e1fab1c1b83dc99386f0ceee8593ddfd461ac0 (truncated)\r\n696f6274af4b9e8db4727269d43c83c350694bd1ef4bd5ccdc0806b1f014568a\r\n56ca9ea3f7870561ed3c6387daf495404ed3827f212472501 (truncated)\r\n5651e8a8e6f9c63c4c1162efadfcb4cdd9ad634c5e00a5ab03259fcdeaa225ac\r\n516cac58a6bfec5b9c214b6bba0b724961148199d32fb42c0 (truncated)\r\n4fe551bcea5e07879ec84a7f1cea1036cfd0a3b03151403542cab6bd8541f8e5\r\n44e5770751679f178f90ef7bd57e8e4ccfb6051767d8e9067 (truncated)\r\n3c7480998ade344b74e956f7d3a3f1a989aaf43446163a62f0a8ed34b0c010d0\r\n359ffa33784cb357ddabc42be1dcb9854ddb113fd8d6caf3bf (truncated)\r\n2d049f7658a8dccd930f7010b32ed1bc9a5cc0f8109b511ca2a77a2104301369\r\n294c710f4074b37ade714c83b6b7bf722a46aef61c02ba654 (truncated)\r\n25a0d6a839c4dc708dcdd1ef9395570cc86d54d4725b7daf56964017f66be3c1\r\n216cb4f2caeaf59f297f72f7f271b084637e5087d59411ac77 (truncated)\r\n1a10a07413115c254cb7a5c4f63ff525e64adfe8bb60acef946bb7656b7a2b3d\r\n17ea84d547e97a030d2b02ac2eaa9763ffb4f96f6c54659533 (truncated)\r\n00eb2f75822abeb2e222d007bdec464bfbc3934b8be12983cc898b37c6ace081\r\n0a7778cf6f9a1bd894e89f282f2e40f9d6c9cd4b72be97328e (truncated)\r\nDomains\r\ndiscountshadesdirect.com\r\nclippershipintl.com\r\nbimelectrical.com\r\nIPv4\r\n93.115.18.248\r\n188.68.221.203\r\n185.170.213.186\r\nSigned loaders\r\ned6910fd51d6373065a2f1d3580ad645f443bf0badc398aa77185324b0284db8\r\ncb949ebe87c55c0ba6cf0525161e2e6670c1ae186ab83ce46047446e9753a926\r\n7b9091c41525f1721b12dcef601117737ea990cee17a8eecf81dcfb25ccb5a8f\r\n84a67f191a93ee827c4829498d2cb1d27bdd9e47e136dc6652a5414dab440b74\r\ncc31c124fc39025f5c3a410ed4108a56bb7c6e90b5819167a06800d02ef1f028\r\n9472d4cb393256a62a466f6601014e5cb04a71f115499c320dc615245c7594d4\r\n4fe551bcea5e07879ec84a7f1cea1036cfd0a3b03151403542cab6bd8541f8e5\r\n1a10a07413115c254cb7a5c4f63ff525e64adfe8bb60acef946bb7656b7a2b3d\r\n9bccc1862e3e5a6c89524f2d76144d121d0ee95b1b8ba5d0ffcaa23025318a60\r\n8a414a40419e32282d33af3273ff73a596a7ac8738e9cdca6e7db0e41c1a7658\r\n923b2f90749da76b997e1c7870ae3402aba875fdbdd64f79cbeba2f928884129\r\ned241c92f9bc969a160da2c4c0b006581fa54f9615646dd46467d24fe5526c7a\r\n294c710f4074b37ade714c83b6b7bf722a46aef61c02ba6543de5d59edc97b60\r\nDLL\r\nBE7E259D5992180EADFE3F4F3AB1A5DECC6A394DF60C7170550B3D222FCE5F19\r\nSource: https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-1/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-1/"
	],
	"report_names": [
		"technical-analysis-of-code-signed-blister-malware-campaign-part-1"
	],
	"threat_actors": [],
	"ts_created_at": 1775441573,
	"ts_updated_at": 1775791287,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b93cc14138736e0730630fda1407f53fd127941.pdf",
		"text": "https://archive.orkl.eu/2b93cc14138736e0730630fda1407f53fd127941.txt",
		"img": "https://archive.orkl.eu/2b93cc14138736e0730630fda1407f53fd127941.jpg"
	}
}
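Worked example, added by the editor and not part of the CloudSEK article archived in the record above. The loader described there keeps its second-stage DLL in its initialized-data section and copies the bytes to disk with WriteFile; the script below does the analyst's side of that: it walks a PE's section table, looks for an MZ header whose e_lfanew lands on a valid PE signature, sizes the embedded image from its own section table and carves it out, reporting whether IMAGE_FILE_DLL is set. The loader and DLL bytes are constructed inside the script by build_pe (a test-fixture builder, not a linker); nothing here is a Blister sample, and only the standard library is used.

```python
"""Locate and carve a PE image embedded in another PE's section data.

Editor's example: walks the outer file's section table, finds an MZ header
whose e_lfanew points at a PE signature, and cuts the embedded image out
using the size implied by its own section table.  All sample bytes are
constructed below with build_pe(); they are not real malware.
"""
import struct

PE_SIG = b"PE\0\0"
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def parse_pe(buf, base=0):
    """Parse PE headers at buf[base:]; return (machine, characteristics,
    [(name, absolute_raw_offset, raw_size), ...]) or None if not a PE."""
    if buf[base:base + 2] != b"MZ" or len(buf) < base + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", buf, base + 0x3C)[0]
    pe = base + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(buf) or buf[pe:pe + 4] != PE_SIG:
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    sec_tbl = pe + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        off = sec_tbl + i * 40            # sizeof(IMAGE_SECTION_HEADER)
        if off + 40 > len(buf):
            return None
        name = buf[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", buf, off + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, base + raw_ptr, raw_size))
    return machine, chars, sections


def find_embedded_pe(buf):
    """Scan every section of the outer PE for embedded PE images and carve them."""
    outer = parse_pe(buf)
    if outer is None:
        raise ValueError("outer file is not a PE")
    hits = []
    for name, start, size in outer[2]:
        end = min(start + size, len(buf))
        pos = buf.find(b"MZ", start, end)
        while pos != -1:
            step = 2
            inner = parse_pe(buf, pos)
            if inner is not None:
                machine, chars, secs = inner
                # The embedded file ends where its last section's raw data ends.
                ends = [s_off + s_size for _, s_off, s_size in secs]
                length = min(max(ends, default=pos), end) - pos
                if length >= 0x40:            # ignore bogus section tables
                    hits.append({"section": name, "offset": pos, "length": length,
                                 "is_dll": bool(chars & IMAGE_FILE_DLL),
                                 "machine": machine, "data": buf[pos:pos + length]})
                    step = length
            pos = buf.find(b"MZ", pos + step, end)
    return hits


def build_pe(sections, characteristics, machine=IMAGE_FILE_MACHINE_AMD64):
    """Build a minimal, non-runnable PE32+ file image (test fixture only).
    sections is a list of (name, raw_bytes); the optional header is zeroed."""
    file_align, e_lfanew, opt_size = 0x200, 0x80, 0xF0   # 0xF0 = sizeof(IMAGE_OPTIONAL_HEADER64)
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_len + file_align - 1) // file_align * file_align
    table, raws = b"", b""
    for name, data in sections:
        raw_size = (len(data) + file_align - 1) // file_align * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), raw_ptr,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0xC0000040)
        raws += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, opt_size, characteristics)
    opt_hdr = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")       # PE32+ magic
    headers = dos + PE_SIG + file_hdr + opt_hdr + table
    return headers.ljust(len(headers) + (-len(headers) % file_align), b"\0") + raws


# Constructed sample: an inner DLL (its data mentions the export name reported for
# the campaign) embedded in the .data section of an outer loader.  Not real samples.
INNER_DLL = build_pe([(".text", b"\xC3" * 16), (".rdata", b"LaunchColorCpl\0")],
                     IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)
OUTER_LOADER = build_pe([(".text", b"\x90" * 64),
                         (".data", b"\x41" * 100 + INNER_DLL + b"\x42" * 50)],
                        IMAGE_FILE_EXECUTABLE_IMAGE)


def carve_from_sample():
    """Run the carver over the constructed loader and return the hits."""
    return find_embedded_pe(OUTER_LOADER)


if __name__ == "__main__":
    for h in carve_from_sample():
        print(f"{h['section']}: embedded {'DLL' if h['is_dll'] else 'EXE'} at offset "
              f"0x{h['offset']:x}, {h['length']} bytes, machine 0x{h['machine']:x}")
```

To use it on a real loader, replace OUTER_LOADER with the file's bytes and write each hit's data field to disk; a carved image that sets IMAGE_FILE_DLL and exports a single oddly named function is exactly the shape of the dropped second stage described above.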
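A second added example (editor's code, not from the article) for the second stage described in the record above, where the loader spawns rundll32.exe with the dropped DLL and the LaunchColorCpl export. It parses rundll32 command lines (quoted and unquoted DLL paths, comma-separated entry point) and scores Sysmon Event ID 1 style process-creation records, raising severity when the DLL runs from the user's Temp folder and when its file name or export matches those listed in the article. The records are constructed for the example and mirror the article's paths; KNOWN_NAMES and KNOWN_EXPORTS are taken from the article's IoC paths and are an assumption about future samples.

```python
"""Flag rundll32 launches that execute a DLL dropped in the user's Temp folder.

Editor's example: the second stage is started as rundll32.exe <dll>,<export>
with the DLL under %LOCALAPPDATA%\\Temp\\<random>\\.  Records below are
constructed Sysmon Event ID 1 style dicts (Image, CommandLine), not real logs.
"""
import re

TEMP_MARKER = "\\appdata\\local\\temp\\"
# DLL file names and the export reported for this campaign (from the article).
KNOWN_NAMES = {"holorui.dll", "axsssig.dll", "pasade.dll"}
KNOWN_EXPORTS = {"launchcolorcpl"}


def parse_rundll32_args(cmdline):
    """Return (dll_path, export) from a rundll32 command line, or None.

    rundll32 takes the DLL path (optionally quoted) followed by a comma and
    the entry-point name; anything after that is passed to the entry point.
    """
    s = cmdline.strip()
    first = re.match(r'^(?:"[^"]*"|\S+)\s*', s)        # the rundll32 image token
    if not first or "rundll32" not in first.group(0).lower():
        return None
    rest = s[first.end():]
    if rest.startswith('"'):                           # quoted DLL path (may contain spaces)
        close = rest.find('"', 1)
        if close == -1:
            return None
        dll, rest = rest[1:close], rest[close + 1:]
    else:                                              # unquoted: ends at comma or whitespace
        m = re.match(r"[^,\s]+", rest)
        if not m:
            return None
        dll, rest = m.group(0), rest[m.end():]
    entry = re.match(r"\s*,\s*([^\s,]+)", rest)
    return dll, (entry.group(1) if entry else None)


def score(event):
    """Return (severity, reason) for one process-creation record, or None.

    'high' when the DLL name or export matches the campaign and it runs from
    Temp; 'medium' for any DLL run from Temp or a campaign name outside Temp.
    """
    if not event.get("Image", "").lower().endswith("\\rundll32.exe"):
        return None
    parsed = parse_rundll32_args(event.get("CommandLine", ""))
    if parsed is None:
        return None
    dll, export = parsed
    dll_l = dll.lower()
    base = dll_l.rsplit("\\", 1)[-1]
    from_temp = TEMP_MARKER in dll_l
    known = base in KNOWN_NAMES or (export or "").lower() in KNOWN_EXPORTS
    if from_temp and known:
        return "high", f"rundll32 running campaign DLL {base} export {export} from user Temp"
    if from_temp:
        return "medium", f"rundll32 running {base} export {export} from user Temp"
    if known:
        return "medium", f"rundll32 running campaign DLL/export {base},{export} outside Temp"
    return None


# Constructed process-creation records (not from a real host).
EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\goalgames\holorui.dll,LaunchColorCpl"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Users\alice\AppData\Local\Temp\Framwork\axsssig.dll",LaunchColorCpl'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\build\helper.dll,Init"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\AppData\Local\Temp\notes.txt"},
]


def scan(events):
    """Return [(index, severity, reason)] for every record that scores."""
    out = []
    for i, ev in enumerate(events):
        verdict = score(ev)
        if verdict:
            out.append((i, verdict[0], verdict[1]))
    return out


if __name__ == "__main__":
    for i, sev, why in scan(EVENTS):
        print(f"[{sev}] event {i}: {why}")
```

The medium tier is deliberately broad: any DLL executed by rundll32 from under AppData\Local\Temp is unusual enough on most fleets to review, and the campaign keeps the DLL content identical while rotating directory and file names, so the name list alone would miss the next variant.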