{
	"id": "d737ceb9-ba8c-477d-8823-c080b3ce5b79",
	"created_at": "2026-04-06T00:15:58.151321Z",
	"updated_at": "2026-04-10T13:12:19.111955Z",
	"deleted_at": null,
	"sha1_hash": "90ae4f4477f524a113b3dd4e3662aa2a9d2267b5",
	"title": "This New Fileless Malware Hides Shellcode in Windows Event Logs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 259935,
	"plain_text": "This New Fileless Malware Hides Shellcode in Windows Event Logs\r\nBy The Hacker News\r\nPublished: 2022-05-07 · Archived: 2026-04-05 22:49:22 UTC\r\nA new malicious campaign has been spotted taking advantage of Windows event logs to stash chunks of shellcode, the first time the technique has been observed in the wild.\r\n\"It allows the 'fileless' last stage trojan to be hidden from plain sight in the file system,\" Kaspersky researcher Denis Legezo said in a technical write-up published this week.\r\nThe stealthy infection process, not attributed to a known actor, is believed to have commenced in September 2021, when the intended targets were lured into downloading compressed .RAR files containing Cobalt Strike and Silent Break.\r\n\"The spreading of the Cobalt Strike module was achieved by persuading the target to download the link to the .RAR on the legitimate site file.io, and run it themselves,\" Legezo explained.\r\nThe adversary simulation software modules are then used as a launchpad to inject code into Windows system processes or trusted applications.\r\nAlso notable is the use of anti-detection wrappers as part of the toolset, suggesting an attempt on the part of the operators to fly under the radar.\r\nOne of the key methods is to store the encrypted shellcode for the next-stage malware as 8KB pieces in event logs, a technique not previously seen in real-world attacks; the pieces are later read back, combined and executed.\r\nThe final payload is a set of trojans that use two different command-and-control mechanisms, HTTP with RC4 encryption and unencrypted named pipes, which allow the operators to run arbitrary commands, download files from a URL, escalate privileges, and take screenshots.\r\nAnother indicator of the threat actor's evasion tactics is the use of information gathered during initial reconnaissance to build the later stages of the attack chain, including a remote server that mimics legitimate software used by the victim.\r\n\"The actor behind this campaign is quite capable,\" Legezo said. \"The code is quite unique, with no similarities to known malware.\"\r\nThe disclosure comes as Sysdig researchers demonstrated a way to compromise read-only containers with fileless malware that's executed in-memory by leveraging a critical flaw in Redis servers.\r\nSource: https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html"
	],
	"report_names": [
		"this-new-fileless-malware-hides.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434558,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90ae4f4477f524a113b3dd4e3662aa2a9d2267b5.pdf",
		"text": "https://archive.orkl.eu/90ae4f4477f524a113b3dd4e3662aa2a9d2267b5.txt",
		"img": "https://archive.orkl.eu/90ae4f4477f524a113b3dd4e3662aa2a9d2267b5.jpg"
	}
}
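As an added example that is not part of the article or of Kaspersky's write-up: a Python hunt that applies the one observable the article does give, encrypted shellcode stored as 8KB pieces in event logs, to a set of event records. The record shape, the provider names, the event IDs, the size and entropy thresholds and the sample log are all constructed for this example (the article names none of them); in practice the records would be fed from `Get-WinEvent` output or an exported .evtx file.

```python
import math
import random
from dataclasses import dataclass

# Assumptions (not from the article): the chunk size follows the "8KB pieces"
# the write-up mentions; the length and entropy thresholds are illustrative.
CHUNK_SIZE = 8 * 1024
MIN_CHUNK_LEN = 4096   # legitimate event payloads are rarely this large
MIN_ENTROPY = 7.0      # bits per byte; encrypted data sits close to 8.0


@dataclass
class EventRecord:
    """Constructed stand-in for an event log record (this is not an EVTX parser)."""
    record_id: int   # EventRecordID, i.e. write order within the log
    provider: str
    event_id: int
    data: bytes      # raw EventData / binary payload of the event


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte of buf (0.0 for empty or constant input)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def reassemble_chunks(records, chunk_size=CHUNK_SIZE):
    """Group high-entropy records by (provider, event_id) in EventRecordID order
    and return {(provider, event_id): concatenated payload} for every group
    holding at least two pieces.

    A record is taken as a piece when its data is high-entropy and either is at
    least MIN_CHUNK_LEN long or directly follows a full-size piece in the same
    group: the final piece of a split payload is usually short, and a pure size
    filter would drop it and corrupt the reassembled blob."""
    groups = {}
    for rec in sorted(records, key=lambda r: r.record_id):
        key = (rec.provider, rec.event_id)
        pieces = groups.get(key, [])
        follows_full = bool(pieces) and len(pieces[-1].data) == chunk_size
        big_enough = len(rec.data) >= MIN_CHUNK_LEN or follows_full
        if big_enough and shannon_entropy(rec.data) >= MIN_ENTROPY:
            groups.setdefault(key, []).append(rec)
    return {k: b"".join(r.data for r in v) for k, v in groups.items() if len(v) >= 2}


def constructed_sample():
    """Constructed log: benign text events interleaved with a 20,000-byte
    pseudo-random blob (stand-in for encrypted shellcode) written as 8KB pieces,
    plus one large but low-entropy XML-like event that must not be flagged."""
    rng = random.Random(2022)
    payload = bytes(rng.getrandbits(8) for _ in range(20_000))
    records = []
    next_id = [1000]

    def add(provider, event_id, data):
        next_id[0] += 1
        records.append(EventRecord(next_id[0], provider, event_id, data))

    add("Constructed-Benign", 1, "The system time has changed.".encode("utf-16-le"))
    for off in range(0, len(payload), CHUNK_SIZE):
        add("Constructed-Target", 42, payload[off:off + CHUNK_SIZE])
        add("Constructed-Benign", 7, "Service entered the running state.".encode("utf-16-le"))
    add("Constructed-Benign", 1000, ('<Data Name="x">value</Data>' * 400).encode())
    return payload, records


if __name__ == "__main__":
    payload, records = constructed_sample()
    for (provider, event_id), blob in reassemble_chunks(records).items():
        print(f"{provider} / EventID {event_id}: {len(blob)} bytes reassembled, "
              f"matches payload: {blob == payload}")
```

Run it directly to see the single constructed group reported with its 20,000-byte blob intact, including the short tail piece that a size-only filter would have dropped. When hunting on real logs, order by EventRecordID rather than by timestamp, since the pieces are written consecutively, and treat any provider showing runs of near-8KB high-entropy payloads as worth pulling and inspecting.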