{
	"id": "8dd185c2-881f-4f66-a85e-cda46c67cac6",
	"created_at": "2026-04-06T00:18:53.815067Z",
	"updated_at": "2026-04-10T03:26:42.78583Z",
	"deleted_at": null,
	"sha1_hash": "8e558b8ca58d746cbb2b0eece371821e256be8fe",
	"title": "A new secret stash for “fileless” malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 308318,
	"plain_text": "A new secret stash for “fileless” malware\r\nBy Denis Legezo\r\nPublished: 2022-05-04 · Archived: 2026-04-05 18:34:41 UTC\r\nIn February 2022 we observed the technique of putting shellcode into Windows event logs for the first time “in the wild” during a malicious campaign. It allows the “fileless” last stage Trojan to be hidden from plain sight in the file system. Such attention to the event logs in the campaign isn’t limited to storing shellcodes. Dropper modules also patch Windows native API functions related to event tracing (ETW) and the anti-malware scan interface (AMSI) to make the infection process stealthier.\r\nBesides event logs there are numerous other techniques in the actor’s toolset. Among them, let us single out how the actor takes initial recon into consideration while developing the next malicious stages: the C2 web domain name mimics a legitimate one, namely the name of existing software used by the victim. For hosting, the attacker uses virtual private servers on Linode, Namecheap and DreamVPS.\r\nOne more visible common approach is the use of a lot of anti-detection decryptors. The actor uses different compilers, from Microsoft’s cl.exe or GCC under MinGW to a recent version of Go. Also, to avoid detection, some modules are signed with a digital certificate. We believe it was issued by the actor, because our telemetry doesn’t show any legitimate software signed with it, only malicious code used in this campaign.\r\nRegarding last stage Trojans: the actor decided not to stick to just one – there are HTTP and named pipe based ones. Obviously, besides the event logs, the actor is obsessed with memory injection – lots of RAT commands are related to it and are used heavily. Along with the aforementioned custom modules and techniques, several commercial pentesting tools like Cobalt Strike and SilentBreak’s toolset are used.\r\nActually, as we don’t have commercial versions of the latter, it’s hard to say which enumerated techniques came from the product and which are home-brewed. For sure, third-party code from GitHub is also in use: we registered at least BlackBone for in-memory patching of legitimate processes.\r\nThe infection chain\r\nWe started the research from the in-memory last stager and then, using our telemetry, were able to reconstruct several infection chains. What piqued our attention was the very targeted nature of the campaign and the vast set of tools in use, including commercial ones.\r\nThe variety of the campaign’s techniques and modules looks impressive. Let us divide it into classes to technically describe this campaign. Actually, we need to cover the following sets of modules: commercial pentesting suites, custom anti-detection wrappers around them and last stage Trojans.\r\nCommercial tool sets:\r\n– SilentBreak’s toolset\r\n– Cobalt Strike\r\nAnti-detection wrappers:\r\n– Go decryptor with heavy usage of the syscall library. Keeps the Cobalt Strike module encoded several times and as an AES256 CBC encrypted blob. We haven’t previously observed Go usage with Cobalt Strike\r\n– A library launcher, compiled with GCC under the MinGW environment. The only possible reason for this stage is anti-detection\r\n– AES decryptor, compiled with the Visual Studio compiler\r\nLast stage RAT:\r\n– HTTP-based Trojan. Possible original names are ThrowbackDLL.dll and drxDLL.dll, but the code is more complex than the old publicly available version of SilentBreak’s Throwback\r\n– Named pipes-based Trojan. Possible original names are monolithDLL.dll and SlingshotDLL.dll. Based on file names there is a possibility that last stage modules are parts of a commercial Slingshot version\r\nhttps://securelist.com/a-new-secret-stash-for-fileless-malware/106393/\r\nPage 1 of 12\r\nOnce again, some modules which we consider custom, such as wrappers and last stagers, could possibly be parts of commercial products. So now, after some classification, we are ready to analyze modules one by one.\r\nInitial infection\r\nThe earliest phase of attack we observed took place in September 2021. The spreading of the Cobalt Strike module was achieved by persuading the target to download the link to the .rar on the legitimate site file.io, and run it themselves. The digital certificate for the Cobalt Strike module inside is below (during the campaign, 15 different stagers from wrappers to last stagers were signed with the same one):\r\nOrganization: Fast Invest ApS\r\nE-mail: sencan.a@yahoo.com\r\nThumbprint: 99 77 16 6f 0a 94 b6 55 ef df 21 05 2c 2b 27 9a 0b 33 52 c4\r\nSerial: 34 d8 cd 9d 55 9e 81 b5 f3 8d 21 d6 58 c4 7d 72\r\nDue to the different infection scenarios for all the targeted hosts, we will describe just one of the observed ones. Having the ability to inject code into any process using Trojans, the attackers are free to use this feature widely to inject the next modules into Windows system processes or trusted applications such as DLP.\r\nKeeping in mind truncated process injections, and even mimicking web domain registration, we could describe the attack process as quite iterative: initial recon with some modules and then preparation of additional attacks.\r\nRegarding the commercial tools, traces of SilentBreak and Cobalt Strike toolset usage in this campaign are quite visible. Trojans named ThrowbackDLL.dll and SlingshotDLL.dll remind us of Throwback and Slingshot, which are both tools in SilentBreak’s framework, while the “sb” associated with the dropper (sb.dll) could be an abbreviation of the vendor’s name.\r\nHere we want to mention that several .pdb paths inside binaries contain the project’s directory C:\\Users\\admin\\source\\repos\\drx\\ and other modules not named after Throwback or Slingshot, such as drxDLL.dll. However, the encryption functions are the same as in the publicly available Throwback code.\r\nAnti-detection wrappers\r\nFor the anti-detection wrappers, different compilers are in use. Besides MSVC, Go compiler 1.17.2 and GCC under MinGW have been used. Decryptors differ a lot; the features they contain are listed in the table below:\r\nAnti-detection technique | Usage\r\nSeveral compilers | The same AES256 CBC decryption could be done with Go and C++ modules\r\nWhitelisted launchers | An autorun copy of WerFault.exe maps the launcher into its process address space\r\nDigital certificate | 15 files are signed with the “Fast Invest” certificate. We didn’t observe any legitimate files signed with it\r\nPatch logging exports of ntdll.dll | To be more stealthy, Go droppers patch logging-related API functions like EtwEventWriteFull in their own address space with empty functionality\r\nKeep shellcode in event logs | This is the main innovation we observed in this campaign. Encrypted shellcode with the next stager is divided into 8 KB blocks and saved in the binary part of event logs\r\nC2 web domain mimicking | The actor registered a web domain name with the title of the ERP in use\r\nThis layer of the infection chain decrypts, maps into memory and launches the code. Not all of the wrappers are worth describing in detail, but we will cover the Go decryptor launcher for Cobalt Strike. All corresponding hashes are listed in the appendix.\r\nFunction names in the main package are obfuscated. Main.init decodes Windows API function names from the kernel32.dll and ntdll.dll libraries (WriteProcessMemory and other functions) related to event log creation. Each of these names in the binary is base64-encoded four times in a row. Using WriteProcessMemory, the dropper patches the following functions in memory with “xor rax, rax; ret” code: EtwNotificationRegister, EtwEventRegister, EtwEventWriteFull, EtwEventWriteFull, EtwEventWrite.\r\nIn Main.start the malware checks if the host is in a domain and only works if it is. Then it dynamically resolves the addresses of the aforementioned functions. The next stager is encrypted with AES256 (CBC mode); the key and IV are encoded with base64.\r\nWith such an approach, the researcher has to write a script to gather the encrypted parts of the next module. After decryption, to get the final portable executable, the data has to be converted further.\r\nLast stager types\r\nLast stagers have two communication mechanisms – over HTTP with RC4 encryption and unencrypted over named pipes. The latter is technically able to communicate with any network-visible external host, but under Windows named pipes are built upon the SMB protocol, which would rarely be open to external networks. So these modules most probably serve for lateral movement.\r\nFeature | HTTP-based trojan | Named pipes-based trojan\r\nC2 communication | Active connection to a randomly chosen C2 from a hardcoded list | Passive mode\r\nEncryption | XOR-based, RC4 | Plaintext\r\nSelf version in beacon | 1.1 | No\r\nNatural language artifacts | Unused argument “dave” | No\r\nCommand set | Quite basic, 7 of them | More profound, 20 of them\r\nInjection functionality | Yes and much in use | Yes and much in use\r\nQuite unusual among the commands | Sleep time randomization: (random between 0,9 – 1,1) * sleep time | Get minutes since last user input\r\nAfter this introduction into the set of malware, we will now describe the infection chain: dropper injection with the Cobalt Strike pentesting suite.\r\nDropper in DLL, search order hijacking\r\nWe start custom module analysis from the wrapper-dropper dynamic library. This code is injected into Windows processes such as explorer.exe. At its single entry point, after being loaded into the virtual address space of the launcher process, the dropper removes files created by previous stages or executions.\r\nFirstly, the module copies the original legitimate OS error handler WerFault.exe to C:\\Windows\\Tasks. Then it drops one of the encrypted binary resources to the wer.dll file in the same directory for typical DLL search order hijacking. For the sake of persistence, the module sets the newly created WerFault.exe to autorun, creating a Windows Problem Reporting value in the Software\\Microsoft\\Windows\\CurrentVersion\\Run Windows system registry branch.\r\nThe dropper not only puts the launcher on disk for side-loading, but also writes information messages with shellcode into the existing Windows KMS event log\r\nThe dropped wer.dll is a loader and wouldn’t do any harm without the shellcode hidden in Windows event logs. The dropper searches the event logs for records with category 0x4142 (“AB” in ASCII) and having the Key Management Service as a source. If none is found, the 8KB chunks of shellcode are written into the information logging messages via the ReportEvent() Windows API function (lpRawData parameter). Created event IDs are automatically incremented, starting from 1423.\r\nLauncher in wer.dll\r\nThis launcher, dropped into the Tasks directory by the first stager, proxies all calls to wer.dll and its exports to the original legitimate library. At the entry point, a separate thread combines all the aforementioned 8KB pieces into a complete shellcode and runs it. The same virtual address space, created by a copy of the legitimate WerFault.exe, is used for all this code.\r\nTo prevent WerFault continuing its error handling process, the DLL patches the launcher’s entry point with typical Blackbone trampolines\r\nThe way to stop the legitimate launcher’s execution isn’t traditional. In the main thread, wer.dll finds its entry point and patches it with a simple function. WaitAndExit() on the screenshot above would just call WaitForSingleObject() with the log gathering thread id and then exit, meaning no real WerFault.exe error handling code could ever be executed: the spoofed DLL mapped into its address space would block it.\r\nShellcode into Windows event logs\r\nThe launcher transmits control to the very first byte of the gathered shellcode. Here, three arguments for the next function are prepared:\r\n– Address of the next stage Trojan. It is also contained within the data extracted from the event logs\r\n– The standard ROR13 hash of the exported function name Load inside this Trojan (0xE124D840)\r\n– Addresses of the string “dave” and the constant “4”, which become the arguments of the exported function found by hash\r\nThe parsing of the next Windows portable executable to locate its entry point is quite typical. To make the next stage Trojan less visible, the actor wiped the “MZ” magic in its header. After calling the code at the Trojan’s entry point, the shellcode also searches for the requested export and invokes it.\r\nBesides searching for the entry point and calling it, the shellcode also searches for a Trojan export by hardcoded hash and runs the found function with arguments “dave” and “4”\r\nHTTP Trojan\r\nFor last stagers we will be a bit more detailed than for the auxiliary modules before. The C++ module obviously used the code from SilentBreak’s (now NetSPI’s) Throwback public repository: XOR-based encryption function, original file name for some samples, e.g., ThrowbackDLL.dll, etc. Let us start here with the aforementioned Load() exported function. It’s just like the patching of WerFault above (the function waits on the main Trojan thread) but it ignores any parameters, so “dave” and “4” are unused. It is possible this launcher supports more modules than just this one, which would require parameters.\r\nTarget fingerprinting\r\nThe module decrypts C2 domains with a one-byte XOR key. In the case of this sample there is only one domain, eleed[.]online. The Trojan is able to handle many of them, separated by the “|” character and encrypted. For further communications over plain HTTP, the Trojan chooses a random C2 from this set with user agent “Mozilla 5.0”.\r\nThe malware generates a fingerprinting string by gathering the following information, also separated by “|”:\r\n– Value of MachineGUID from SOFTWARE\\Microsoft\\Cryptography\r\n– Computer name\r\n– Local IP addresses obtained with GetAdaptersInfo\r\n– Architecture (x86 or x64)\r\n– OS version\r\n– Whether the current process has SeDebugPrivilege\r\nThe fingerprinter also appends “1.1” to the string (which could be the malware version) and the sleep time from the current config.\r\nEncrypted HTTP communication with C2\r\nBefore HTTP communications, the module sends empty (but still encrypted) data in an ICMP packet to check the connection, using a hardcoded 32-byte long RC4 key. Like any other string, this key is encrypted with the Throwback XOR-based algorithm.\r\nIf the ping of a control server with port 80 available is successful, the aforementioned fingerprint data is sent to it. In reply, the C2 shares the encrypted command for the Trojan’s main loop.\r\nTrojan commands\r\nCode | Command features\r\n0 | Fingerprint the target again.\r\n1 | Execute command. The Trojan executes the received command in a new process and sends the result back to the C2.\r\n2 | Download from a URL and save to the given path.\r\n3 | Set a new sleep time. This time in minutes is used as a timeout if the C2 hasn’t replied with a command to execute yet. The formula for randomization is (random number between 0,9 – 1,1) * sleep time.\r\n4 | Sleep the given number of minutes without changing the configuration.\r\n5 | List processes with PID, path, owner, name and parent data.\r\n6 | Inject and run shellcode in the target process’s address space. To inject into the same process, the command argument should be “local”. Like the shellcode in the event logs, this one would run the provided PE’s entry point as well as a specific export found by hash.\r\n99 | Terminates the session between the trojan and C2.\r\nAnother Trojan in use during this campaign is named pipe-based and has a more profound command system, including privilege escalation, screenshotting, inactivity time measurement, etc. Here, we come to the end of the infection chain. We continue with another last stage Trojan type, which we observed injected into processes like edge.exe.\r\nNamed pipes-based Trojan\r\nThe Trojan location is C:\\Windows\\apds.dll. The original legitimate Microsoft Help Data Services Module library with the same name is in C:\\Windows\\System32. The main Trojan working cycle is in a separate thread. The malware also exports a Load() function, whose only purpose is to wait for the working thread, which is typical for this campaign’s modules.\r\nFirst, the main trojan thread gets the original apds.dll and its exports and saves it into a newly allocated heap buffer right after the Trojan’s image in memory. Then the Trojan edits its self-exported functions’ data in a way that allows it to call the original apds.dll exports through crafted stubs like the following, where the address is the one parsed from the real apds.dll:\r\n48B8\u003caddr\u003e MOV RAX,\u003caddr\u003e\r\nFFE0 JMP RAX\r\nThis trampoline code is taken from the Blackbone Windows memory hacking library (RemoteMemory::BuildTrampoline function). DLL hijacking isn’t something new, we have seen such a technique used to proxy legitimate functions many times, but recreating self-exports with just short stubs to call the original legitimate functions is unusual. The module then creates a duplex named pipe, “MonolithPipe”, and enters its main loop.\r\nWork cycle\r\nAfter the aforementioned manipulations with exported functions, the module lightly fingerprints the host with architecture and Windows version information. The Trojan also initializes a random 11-byte ASCII string using the rare constant mentioned, e.g., here in the init_keys function. The result serves as a unique session id.\r\nThe malware connects to the hardcoded domain on port 443 (in this case https://opswat[.]info:443) and sends POST requests to submit.php on the C2 side. HTTPS connection options are set to accept self-signed certificates on the server side. The C2 communication in this case is encrypted with the RC4 algorithm with the Dhga(81K1!392-!(43\u003cKakjaiPA8$#ja key. In the case of the named pipes-based Trojan, the common commands are:\r\nCode | Command features\r\n0 | Set the “continue” flag to False and stop working.\r\n1 | N/A, reserved so far.\r\n2 | Get time since the last user input in minutes.\r\n3 | Get current process information: PID, architecture, user, path, etc.\r\n4 | Get host domain and user account.\r\n5 | Impersonate user with credentials provided.\r\n6 | Get current process’s available privileges.\r\n7 | Execute command with the cmd.exe interpreter.\r\n8 | Test connection with a given host (address and port) using a raw TCP socket.\r\n9 | Get running processes information: path, owner, name, parent, PID, etc.\r\n10 | Impersonate user with the token of the process with a provided ID.\r\n11 | List files in directory.\r\n12 | Take a screenshot.\r\n13 | Drop content to file.\r\n14 | Read content from file.\r\n15 | Delete file.\r\n16 | Inject provided code into process with the given name.\r\n17 | Run shellcode from the C2.\r\n18 | N/A, reserved so far.\r\n19 | Run PowerShell script. During this campaign we observed Invoke-ReflectivePEInjection to reflectively load Mimikatz in memory and harvest credentials.\r\nWe have now covered the three layers of the campaign. Interestingly, we observed a Trojan with a complete command set as in the table above, but still using RC4-encrypted HTTP communications with the C2 instead of named pipes. The last stage samples look like a modular platform, whose capabilities the actor is able to combine according to their current needs.\r\nInfrastructure\r\nDomain | IP | First seen | ASN\r\neleed[.]online | 178.79.176[.]136 | Jan 15, 2022 | 63949 – Linode\r\neleed[.]cloud | 178.79.176[.]136 | – | 63949 – Linode\r\ntimestechnologies[.]org | 93.95.228[.]97 | Jan 17, 2022 | 44925 – The 1984\r\navstats[.]net | 93.95.228[.]97 | Jan 17, 2022 | 44925 – The 1984\r\nmannlib[.]com | 162.0.224[.]144 | Aug 20, 2021 | 22612 – Namecheap\r\nnagios.dreamvps[.]com | 185.145.253[.]62 | Jan 17, 2022 | 213038 – DreamVPS\r\nopswat[.]info | 194.195.241[.]46 | Jan 11, 2022 | 63949 – Linode\r\n– | 178.79.176[.]1 | – | 63949 – Linode\r\nAttribution\r\nThe code which we consider custom (Trojans, wrappers) has no similarities with previously known campaigns or previously registered SilentBreak toolset modules. Right now we prefer not to name the activity and instead stick to just “SilentBreak”, given it is the most used among the tools here. If new modules appear and allow us to connect the activity to some actor, we will update the name accordingly.\r\nConclusions\r\nWe consider the event logs technique, which we haven’t seen before, the most innovative part of this campaign. With at least two commercial products in use, plus several types of last-stage RAT and anti-detection wrappers, the actor behind this campaign is quite capable. There is the possibility that some of the modules we described here as custom ones are part of a commercial toolset as well. The code is quite unique, with no similarities to known malware. We will continue to monitor similar activity.\r\nIn the Targeted Malware Reverse Engineering training course, Kaspersky experts share their best and most valuable practices to build a safer world. Learn more about targeted malware with Denis Legezo and other GReAT experts at: https://kas.pr/bgy7\r\nIndicators of Compromise\r\nFile Hashes (malicious documents, trojans, emails, decoys)\r\nHost-based IoCs\r\nC:\\Windows\\Tasks\\wer.dll\r\nC:\\Windows\\Tasks\\WerFault.exe – copy of the legitimate one to sideload the malicious .dll\r\nNamed pipe MonolithPipe\r\nEvent logs with category 0x4142 in the Key Management Service source. Event IDs auto-increment starting from 1423.\r\nPDB paths\r\nC:\\Users\\admin\\source\\repos\\drx\\x64\\Release\\sb.pdb\r\nC:\\Users\\admin\\source\\repos\\drx\\x64\\Release\\zOS.pdb\r\nC:\\Users\\admin\\source\\repos\\drx\\x64\\Release\\ThrowbackDLL.pdb\r\nC:\\Users\\admin\\source\\repos\\drx\\x64\\Release\\drxDLL.pdb\r\nC:\\Users\\admin\\source\\repos\\drx\\x64\\Release\\monolithDLL.pdb\r\nSource: https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/"
	],
	"report_names": [
		"106393"
	],
	"threat_actors": [
		{
			"id": "72aaa00d-4dcb-4f50-934c-326c84ca46e3",
			"created_at": "2023-01-06T13:46:38.995743Z",
			"updated_at": "2026-04-10T02:00:03.175285Z",
			"deleted_at": null,
			"main_name": "Slingshot",
			"aliases": [],
			"source_name": "MISPGALAXY:Slingshot",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f55c7778-a41c-4fc6-a2e7-fa970c5295f2",
			"created_at": "2022-10-25T16:07:24.198891Z",
			"updated_at": "2026-04-10T02:00:04.897342Z",
			"deleted_at": null,
			"main_name": "Slingshot",
			"aliases": [],
			"source_name": "ETDA:Slingshot",
			"tools": [
				"Cahnadr",
				"GollumApp",
				"NDriver"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434733,
	"ts_updated_at": 1775791602,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8e558b8ca58d746cbb2b0eece371821e256be8fe.pdf",
		"text": "https://archive.orkl.eu/8e558b8ca58d746cbb2b0eece371821e256be8fe.txt",
		"img": "https://archive.orkl.eu/8e558b8ca58d746cbb2b0eece371821e256be8fe.jpg"
	}
}