{
	"id": "c35bb96f-01e8-40ec-a1d2-06454059e2bf",
	"created_at": "2026-04-06T00:22:37.15126Z",
	"updated_at": "2026-04-10T03:20:16.058424Z",
	"deleted_at": null,
	"sha1_hash": "2eeef5aa97b609cdbc7faa51c49654f4aacef0e3",
	"title": "Unknown Malware Using Azure Functions as C2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 594121,
	"plain_text": "Unknown Malware Using Azure Functions as C2\r\nPublished: 2025-09-07 · Archived: 2026-04-05 20:48:24 UTC\r\nOn August 28, 2025, an ISO named Servicenow-BNM-Verify.iso was uploaded to VirusTotal from Malaysia with very low\r\ndetections:\r\nThe ISO image contains 4 files, two of them hidden.\r\nservicenow-bnm-verify.lnk , a shortcut file that simply executes PanGpHip.exe\r\nPanGpHip.exe , a legitimate Palo Alto Networks executable\r\nlibeay32.dll , a legitimate OpenSSL library (hidden)\r\nlibwaapi.dll , a malicious library (hidden)\r\nservicenow-bnm-verify.lnk only executes the legitimate Palo Alto executable. The metadata of the LNK file reveals the\r\nmachine used to create the link ( desktop-rbg1pik ), the user ( john.GIB ), and the creation date ( 08/25/2025\r\n(04:39:00.540) [UTC] ), 3 days before the LNK ISO was uploaded to VirusTotal. The target path of the LNK points to the\r\nexecutable in the excluded folder. This is likely a location in the threat actor’s development environment. Even though that\r\npath does not exist on the victim’s device, the LNK falls back to its same directory, where PanGpHip.exe also resides.\r\nLNK metadata:\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n[Link Info]\r\nLocation flags: 0x00000001 (VolumeIDAndLocalBasePath)\r\nDrive type: 3 (DRIVE_FIXED)\r\nDrive serial number: fa5a-f20e\r\nVolume label (ASCII):\r\nLocal path (ASCII): C:\\Users\\john.GIB\\Desktop\\excluded\\paloalto\\PanGpHip.exe\r\n[Distributed Link Tracker Properties]\r\nVersion: 0\r\nNetBIOS name: desktop-rbg1pik\r\nDroid volume identifier: 711034a2-0123-44ae-ae6c-462a77afcd54\r\nDroid file identifier: 6b9dc172-816d-11f0-a497-7c214a295e9f\r\nBirth droid volume identifier: 711034a2-0123-44ae-ae6c-462a77afcd54\r\nBirth droid file identifier: 6b9dc172-816d-11f0-a497-7c214a295e9f\r\nMAC address: 7c:21:4a:29:5e:9f\r\nUUID timestamp: 08/25/2025 (04:39:00.540) [UTC]\r\nhttps://dmpdump.github.io/posts/AzureFunctionsMalware/\r\nPage 1 of 10\n\n17\r\n18\r\nUUID sequence number: 9367\r\nPayload Injection\r\nThe presence of hidden DLLs and a legitimate executable is typically indicative of DLL side-loading. The libwaapi.dll\r\nlibrary contains malicious logic that is executed when it is dynamically loaded by the legitimate PanGpHip.exe executable\r\nusing LoadLibraryW .\r\nThis DLL, although malicious, has almost no detection in VirusTotal:\r\nThe only exported function in libwaapi.dll that implements code is wa_api_setup . The rest of the exports do not have\r\nany code.\r\nhttps://dmpdump.github.io/posts/AzureFunctionsMalware/\r\nPage 2 of 10\n\nThe wa_api_setup export:\r\nUses an array of function pointers to call GetConsoleWindow , SetForegroundWindow , GetForegroundWindow , and\r\nShowWindow with its second argument set to 0, which is SW_HIDE according to the API documentation. This is a\r\ncommon technique to hide the console from the victim\r\nIt then creates/checks mutex 47c32025 via the CreateMutexExW API\r\nIf the mutex does not exist, it executes a payload injection function that I renamed to fn_payload_injection\r\nThe fn_payload_injection function implements logic to inject payload in memory. This function starts by computing the\r\nSHA-256 hash of string rdfY*\u0026689uuaijs . This hash\r\n( B639D4DC948B66A2AAB5B59D0B4114B4B11229E9DED0F415B594B8ADE11F8180 ) is subsequently used as the RC4 key for payload\r\ndecryption.\r\nIf the SHA2 computation is successful, it proceeds to deobfuscate the string chakra.dll with a simple algorithm that\r\nresembles a Caesar cipher.\r\nhttps://dmpdump.github.io/posts/AzureFunctionsMalware/\r\nPage 3 of 10\n\nThe legitimate chakra.dll is loaded from the C:\\Windows\\System32\\ folder and a loop is implemented to find the first\r\nreadable + executable section in the DLL.\r\nWhen that section is found, its memory permissions are set to writable ( PAGE_READWRITE ) via the\r\nZwProtectVirtualMemory API and the content is zeroed out. The injector then proceeds to base64-decode a payload stored\r\nin the .data section of the DLL to the target section in the loaded chakra.dll . After decoding the payload, it is RC4\r\ndecrypted with the previously computed key ( B639D4DC948B66A2AAB5B59D0B4114B4B11229E9DED0F415B594B8ADE11F8180 ).\r\nhttps://dmpdump.github.io/posts/AzureFunctionsMalware/\r\nPage 4 of 10\n\nOnce the deobfuscated/decrypted payload is written to the DLL, an integrity check is implemented by comparing the SHA2\r\nhash of the injected payload to a hard-coded SHA2 value\r\n( 550c27fd8dc810df2056f1ec4a749a94ab4befc8843ba913c5f1197ef381a0a5 ). If the integrity check passes, memory\r\npermission is restored to PAGE_EXECUTE_READ and it proceeds to execute the injected payload.\r\nInjected Payload\r\nThe injected payload is an obfuscated shellcode that loads an embedded DLL. We can quickly find the embedded payload by\r\nloading the shellcode in a hex editor. However, we can see that the embedded payload needs to be processed before\r\nexecution. It is not a clean PE.\r\nhttps://dmpdump.github.io/posts/AzureFunctionsMalware/\r\nPage 5 of 10\n\nReviewing the shellcode, we can see that the buffer with the embedded portable executable is processed by the\r\nRtlDecompressBuffer API using 0x102 as the first argument.\r\nLooking at the prototype of RtlDecompressBuffer , we can see that the first argument is the compression format:\r\nhttps://dmpdump.github.io/posts/AzureFunctionsMalware/\r\nPage 6 of 10\n\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\nNT_RTL_COMPRESS_API NTSTATUS RtlDecompressBuffer(\r\n [in] USHORT CompressionFormat,\r\n [out] PUCHAR UncompressedBuffer,\r\n [in] ULONG UncompressedBufferSize,\r\n [in] PUCHAR CompressedBuffer,\r\n [in] ULONG CompressedBufferSize,\r\n [out] PULONG FinalUncompressedSize\r\n);\r\nIn order to understand what the 0x102 means, we can check the ReactOS documentation. Here we can see that macro\r\ndefinitions indicate that 0x0100 is COMPRESSION_ENGINE_MAXIMUM and 0x0002 is COMPRESSION_FORMAT_LZNT1 . So,\r\nessentially, the embedded payload has maximum compression for LZNT1 .\r\nWe can then decompress the final payload embedded within the shellcode. The decompressed payload is an obfuscated DLL\r\n(SHA2: c0fc5ec77d0aa03516048349dddb3aa74f92cfe20d4bca46205f40ab0e728645) which I could not correlate to any\r\npayload I’ve seen before - possibly due to the obfuscation. I am still working on deobfuscating this payload, but here are\r\nsome initial observations. The DLL timestamp is May 5, 1984, which was likely modified. The malicious functionality is\r\nimplemented in the DllUnload exported function.\r\nA quick string review via emulation suggests that the DLL implements module unhooking to avoid detection.\r\nhttps://dmpdump.github.io/posts/AzureFunctionsMalware/\r\nPage 7 of 10\n\nThis final payload implements a loop to the C2, sending a POST request with victim profile data to\r\nlogsapi.azurewebsites[.]net/api/logs . The data is sent encoded/encrypted in a POST request.\r\nhttps://dmpdump.github.io/posts/AzureFunctionsMalware/\r\nPage 8 of 10\n\nThe Azure websites C2 hosts Azure Functions. Azure Functions is a serverless solution that operates with event-driven\r\ntriggers and bindings.\r\nThe encrypted data sent to the C2 can be captured before it is encrypted. We can see that it is an XML containing the\r\ncomputer name, user name, the OS uptime, protocol, process running the malware, parent process, and other values that I\r\nam still reviewing.\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n20\r\n21\r\n22\r\n23\r\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\r\n\u003croot\u003e\r\n \u003cc331219780 type=\"int\"\u003e64\u003c/c331219780\u003e // likely architecture\r\n \u003cc693503181 type=\"int\"\u003e3\u003c/c693503181\u003e\r\n \u003cc278266627 type=\"int\"\u003e3916\u003c/c278266627\u003e\r\n \u003cc335283027 type=\"int\"\u003e3380\u003c/c335283027\u003e\r\n \u003cc375980915 type=\"int\"\u003e60\u003c/c375980915\u003e\r\n \u003cc446104534 type=\"int\"\u003e30\u003c/c446104534\u003e\r\n \u003cc581502030 type=\"int\"\u003e1759243228\u003c/c581502030\u003e\r\n \u003cc660735130 type=\"int\"\u003e805074430\u003c/c660735130\u003e\r\n \u003cc1666058129 type=\"bool\"\u003efalse\u003c/c1666058129\u003e\r\n \u003cc269419238 type=\"str\"\u003e%random string%\u003c/c269419238\u003e\r\n \u003cc327025478 type=\"str\"\u003ev2.17.3\u003c/c327025478\u003e //unknown version\r\n \u003cc589169778 type=\"str\"\u003eHTTP_HTTPS\u003c/c589169778\u003e\r\n \u003cc441910204 type=\"str\"\u003eSUE48\u003c/c441910204\u003e\r\n \u003cc671024323 type=\"str\"\u003e\u003c/c671024323\u003e\r\n \u003cc228262600 type=\"str\"\u003eWindows 10.0 (OS Build 1337)\u003c/c228262600\u003e // OS build (1337 is an interesting value.\r\n \u003cc610731141 type=\"str\"\u003e%COMPUTERNAME%\u003c/c610731141\u003e\r\n \u003cc467272698 type=\"str\"\u003e0d 6h 43m\u003c/c467272698\u003e //uptime\r\n \u003cc613221510 type=\"str\"\u003e%COMPUTERNAME%\\%USER%\u003c/c613221510\u003e // computer name and user name\r\n \u003cc869336422 type=\"str\"\u003e%PROCESS%\u003c/c869336422\u003e //process the malware is executing from\r\n \u003cc968295862 type=\"str\"\u003e%PARENTPROCESS%\u003c/c968295862\u003e //parent process\r\n\u003c/root\u003e\r\nhttps://dmpdump.github.io/posts/AzureFunctionsMalware/\r\nPage 9 of 10\n\nI am still deobfuscating this final payload to understand all the details, and I may post a follow up blog post once I am done.\r\nThis sample seems to be quite unique, but @L3hu3s0 found another DLL (SHA2:\r\n28e85fd3546c8ad6fb2aef37b4372cc4775ea8435687b4e6879e96da5009d60a ) with the same imphash\r\n( B74596632C4C9B3A853E51964E96FC32 ) uploaded from Singapore on September 5, 2025. I reviewed that DLL and it is\r\npretty much the same thing, with some minor differences.\r\nIOCs\r\nServicenow-BNM-Verify.iso: 0ba328aeb0867def650694c5a43fdd47d719c6b3c55a845903646ccdbf3ec239\r\nservicenow-bnm-verify.lnk: 9e312214b44230c1cb5b6ec591245fd433c7030cb269a9b31f0ff4de621ff517\r\nlibeay32.dll: 1fa3e14681bf7f695a424c64927acfc26053ebaa54c4a2a6e30fe1e24b4c20a8\r\nlibwaapi.dll: b03a2c0d282cbbddfcf6e7dda0b4b55494f4a5c0b17c30cd586f5480efca2c17\r\nPanGpHip.exe: b778d76671b95df29e15a0af4d604917bfba085f7b04e0ce5d6d0615017e79db\r\nDecrypted shellcode: 550c27fd8dc810df2056f1ec4a749a94ab4befc8843ba913c5f1197ef381a0a5\r\nDecompressed DLL: c0fc5ec77d0aa03516048349dddb3aa74f92cfe20d4bca46205f40ab0e728645\r\nRelated DLL: 28e85fd3546c8ad6fb2aef37b4372cc4775ea8435687b4e6879e96da5009d60a\r\nC2: logsapi.azurewebsites[.]net\r\nSource: https://dmpdump.github.io/posts/AzureFunctionsMalware/\r\nhttps://dmpdump.github.io/posts/AzureFunctionsMalware/\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://dmpdump.github.io/posts/AzureFunctionsMalware/"
	],
	"report_names": [
		"AzureFunctionsMalware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434957,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2eeef5aa97b609cdbc7faa51c49654f4aacef0e3.pdf",
		"text": "https://archive.orkl.eu/2eeef5aa97b609cdbc7faa51c49654f4aacef0e3.txt",
		"img": "https://archive.orkl.eu/2eeef5aa97b609cdbc7faa51c49654f4aacef0e3.jpg"
	}
}