{
	"id": "9704de91-359f-4d77-8d8d-246f29c035ec",
	"created_at": "2026-04-06T00:17:22.542656Z",
	"updated_at": "2026-04-10T03:21:40.966183Z",
	"deleted_at": null,
	"sha1_hash": "7c726458a6ce89dbe64a065f3a9691db69374652",
	"title": "Wslink: Unique and undocumented malicious loader that runs as a server",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1008384,
	"plain_text": "Wslink: Unique and undocumented malicious loader that runs as a\r\nserver\r\nBy Vladislav Hrčka\r\nArchived: 2026-04-05 13:53:45 UTC\r\nESET Research\r\nThere are no code, functionality or operational similarities to suggest that this is a tool from a known threat actor\r\n27 Oct 2021  •  , 5 min. read\r\nESET researchers have discovered a unique and previously undescribed loader for Windows binaries that, unlike\r\nother such loaders, runs as a server and executes received modules in memory. We have named this new malware\r\nWslink after one of its DLLs.\r\nWe have seen only a few hits in our telemetry in the past two years, with detections in Central Europe, North\r\nAmerica, and the Middle East. The initial compromise vector is not known; most of the samples are packed with\r\nMPRESS and some parts of the code are virtualized. Unfortunately, so far we have been unable to obtain any of\r\nthe modules it is supposed to receive. There are no code, functionality or operational similarities that suggest this\r\nis likely to be a tool from a known threat actor group.\r\nThe following sections contain analysis of the loader and our own implementation of its client, which was initially\r\nmade to experiment with detection methods. This client’s source code might be of interest to beginners in malware\r\nhttps://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/\r\nPage 1 of 8\n\nanalysis – it shows how one can reuse and interact with existing functions of previously analyzed malware. The\r\nvery analysis could also serve as an informative resource documenting this threat for blue teamers.\r\nTechnical analysis\r\nWslink runs as a service and listens on all network interfaces on the port specified in the ServicePort registry\r\nvalue of the service’s Parameters key. The preceding component that registers the Wslink service is not known.\r\nFigure 1 depicts the code accepting incoming connections to that port.\r\nFigure 1. Hex-Rays decompilation of the loop accepting incoming connections\r\nAccepting a connection is followed by an RSA handshake with a hardcoded 2048-bit public key to securely\r\nexchange both the key and IV to be used for 256-bit AES in CBC mode (see Figure 2). The encrypted module is\r\nsubsequently received with a unique identifier – signature – and an additional key for its decryption.\r\nInterestingly, the most recently received encrypted module with its signature is stored globally, making it available\r\nto all clients. One can save traffic this way – transmit only the key if the signature of the module to be loaded\r\nmatches the previous one.\r\nhttps://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/\r\nPage 2 of 8\n\nFigure 2. Hex-Rays decompilation of receiving the module and its signature\r\nAs seen in Figure 3, the decrypted module, which is a regular PE file, is loaded into memory using the\r\nMemoryModule library and its first export is finally executed. The functions for communication, socket, key and\r\nIV are passed in a parameter to the export, enabling the module to exchange messages over the already established\r\nconnection.\r\nhttps://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/\r\nPage 3 of 8\n\nFigure 3. Hex-Rays decompilation of code executing the received module in memory\r\nImplementation of the client\r\nOur own implementation of a Wslink client, described below, simply establishes a connection with a modified\r\nWslink server and sends a module that is then decrypted and executed. As our client cannot know the private key\r\nmatching the public key in any given Wslink server instance, we produced our own key pair and modified the\r\nserver executable with the public key from that pair and used the private key in our Wslink client implementation.\r\nThis client enabled us to reproduce Wslink’s communication and search for unique patterns; it additionally\r\nconfirmed our findings, because we could mimic its behavior.\r\nInitially some functions for sending/receiving messages are obtained from the original sample (see Figure 4) – we\r\ncan use them right away and do not have to reimplement them later.\r\nFigure 4. The code for loading functions from a Wslink’s sample\r\nSubsequently, our client reads the private RSA key to be used from a file and a connection to the specified IP and\r\nport is established. It is expected that an instance of Wslink already listens on the supplied address and port.\r\nhttps://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/\r\nPage 4 of 8\n\nNaturally, its embedded public key must also be replaced with one whose private key is known.\r\nOur client and the Wslink server continue by performing the handshake that exchanges the key and IV to be used\r\nfor AES encryption. This consists of three steps, as seen in Figure 5: sending a client hello, receiving the\r\nsymmetric key with IV, and sending them back to verify successful decryption. From reversing the Wslink binary\r\nwe learned that the only constraint of the hello message, apart from size 240 bytes, is that the second byte must be\r\nzero, so we just set it to all zeroes.\r\nFigure 5. Our client’s code for the RSA handshake\r\nThe final part is sending the module. As one can see in Figure 6, it consists of a few simple steps:\r\nreceiving the signature of the previously loaded module – we decided not to do anything with it in our\r\nimplementation, as it was not important for us\r\nsending a hardcoded signature of the module\r\nreading the module from a file, encrypting it (see Figure 7) and sending it\r\nsending the encryption key of the module\r\nhttps://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/\r\nPage 5 of 8\n\nFigure 6. Our client’s code for sending the module\r\nFigure 7. Our client’s code for loading and encrypting the module\r\nThe full source code for our client is available in our WslinkClient GitHub repository. Note that the code still\r\nrequires a significant amount of work to be usable for malicious purposes and creating another loader from scratch\r\nwould be easier.\r\nhttps://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/\r\nPage 6 of 8\n\nConclusion\r\nWslink is a simple yet remarkable loader that, unlike those we usually see, runs as a server and executes received\r\nmodules in memory.\r\nInterestingly, the modules reuse the loader’s functions for communication, keys and sockets; hence they do not\r\nhave to initiate new outbound connections. Wslink additionally features a well-developed cryptographic protocol\r\nto protect the exchanged data.\r\nIoCs\r\nSamples\r\nSHA-1 ESET detection name\r\n01257C3669179F754489F92947FBE0B57AEAE573 Win64/TrojanDownloader.Wslink\r\nE6F36C66729A151F4F60F54012F242736BA24862 #rowspan#\r\n39C4DE564352D7B6390BFD50B28AA9461C93FB32 #rowspan#\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 9 of the ATT\u0026CK framework.\r\nTactic ID Name Description\r\nEnterprise T1587.001\r\nDevelop Capabilities:\r\nMalware\r\nWslink is a custom PE loader.\r\nExecution\r\nT1129 Shared Modules\r\nWslink loads and executes\r\nDLLs in memory.\r\nT1569.002\r\nSystem Services: Service\r\nExecution\r\nWslink runs as a service.\r\nObfuscated Files\r\nor Information\r\nT1027.002\r\nObfuscated Files or\r\nInformation: Software\r\nPacking\r\nWslink is packed with\r\nMPRESS and its code might\r\nbe virtualized.\r\nCommand and\r\nControl\r\nT1573.001\r\nEncrypted Channel:\r\nSymmetric Cryptography\r\nWslink encrypts traffic with\r\nAES.\r\nT1573.002\r\nEncrypted Channel:\r\nAsymmetric\r\nCryptography\r\nWslink exchanges a\r\nsymmetric key with RSA.\r\nhttps://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/\r\nPage 7 of 8\n\nLet us keep you\r\nup to date\r\nSign up for our newsletters\r\nSource: https://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/\r\nhttps://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/"
	],
	"report_names": [
		"wslink-unique-undocumented-malicious-loader-runs-server"
	],
	"threat_actors": [],
	"ts_created_at": 1775434642,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c726458a6ce89dbe64a065f3a9691db69374652.pdf",
		"text": "https://archive.orkl.eu/7c726458a6ce89dbe64a065f3a9691db69374652.txt",
		"img": "https://archive.orkl.eu/7c726458a6ce89dbe64a065f3a9691db69374652.jpg"
	}
}