{
	"id": "026d7264-498e-43cd-8001-1a3a6a587f2d",
	"created_at": "2026-04-06T01:32:03.042207Z",
	"updated_at": "2026-04-10T13:11:46.162832Z",
	"deleted_at": null,
	"sha1_hash": "9272094f83a1d45a789785bb9dcc817546ff7d26",
	"title": "Elastic Security uncovers BLISTER malware campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 791850,
	"plain_text": "Elastic Security uncovers BLISTER malware campaign\r\nBy Joe Desimone, Samir Bousseaden\r\nPublished: 2022-08-03 · Archived: 2026-04-06 01:26:40 UTC\r\nKey takeaways:\r\nElastic Security uncovered a stealthy malware campaign that leverages valid code signing certificates to evade detection\r\nA novel malware loader, BLISTER, was used to execute second stage malware payloads in-memory and maintain persistence\r\nThe identified malware samples have very low or no detections on VirusTotal\r\nElastic provided layered prevention coverage from this threat out of the box\r\nFor information on the BLISTER malware loader and campaign observations, check out our blog post and configuration extractor detailing this:\r\nBLISTER Malware Analysis\r\nBLISTER Configuration Extractor\r\nOverview\r\nThe Elastic Security team identified a noteworthy cluster of malicious activity after reviewing our threat prevention telemetry. A valid code signing certificate is used to sign malware to help the attackers remain under the radar of the security community. We also discovered a novel malware loader used in the campaign, which we’ve named BLISTER. The majority of the malware samples observed have very low, or no, detections in VirusTotal. The infection vector and goals of the attackers remain unknown at this time.\r\nElastic’s layered approach to preventing attacks protects from this and similar threats. In one prevented attack, our malicious behavior prevention triggered multiple high-confidence alerts for Execution via Renamed Signed Binary Proxy, Windows Error Manager/Reporting Masquerading, and Suspicious PowerShell Execution via Windows Scripts. Further, our memory threat prevention identified and stopped BLISTER from injecting its embedded payload into target processes. Finally, we have additional coverage from our open source detection engine rules [1] [2]. To ensure coverage for the entire community, we are including YARA rules and IoCs to help defenders identify impacted systems.\r\nDetails\r\nCertificate abuse\r\nA key aspect of this campaign is the use of a valid code signing certificate issued by Sectigo. Adversaries can either steal legitimate code-signing certificates or purchase them from a certificate authority directly or through front companies. Executables with valid code signing certificates are often scrutinized to a lesser degree than unsigned executables. Their use allows attackers to remain under the radar and evade detection for a longer period of time.\r\nWe responsibly disclosed the activity to Sectigo so they could take action and revoke the abused certificates. The details of the compromised certificate are shown below. We have observed malware signed with this certificate as early as September 15, 2021.\r\nIssuer: Sectigo Public Code Signing CA R36\r\nIssued to: Blist LLC\r\nSerial number: 2f4a25d52b16eb4c9dfe71ebbd8121bb\r\nValid from: Monday, August 23, 2021 4:00:00 PM\r\nValid to: Wednesday, August 24, 2022 3:59:59 PM\r\nhttps://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign\r\nPage 1 of 6\r\nBLISTER malware loader\r\nAnother interesting aspect of this campaign is what appears to be a novel malware loader with limited detections in VirusTotal. We refer to it as the BLISTER loader. The loader is spliced into legitimate libraries such as colorui.dll, likely to ensure the majority of the on-disk footprint has known-good code and metadata. The loader can be initially written to disk from simple dropper executables. One such dropper writes a signed BLISTER loader to %temp%\\Framwork\\axsssig.dll and executes it with rundll32. LaunchColorCpl is a common DLL export and entry point name used by BLISTER, as seen in the command line parameters:\r\nRundll32.exe C:\\Users\\user\\AppData\\Local\\Temp\\Framwork\\axsssig.dll,LaunchColorCpl\r\nOnce executed, BLISTER decodes bootstrapping code stored in the resource section with a simple 4-byte XOR routine shown below:\r\nThe bootstrapping code is heavily obfuscated and initially sleeps for 10 minutes. This is likely an attempt to evade sandbox analysis. After the delay, it decrypts the embedded malware payload. We have observed CobaltStrike and BitRat as embedded malware payloads. Once decrypted, the embedded payload is loaded into the current process or injected into a newly spawned WerFault.exe process.\r\nFinally, BLISTER establishes persistence by copying itself to the C:\\ProgramData folder, along with a renamed local copy of rundll32.exe. A link is created in the current user’s Startup folder to launch the malware at logon as a child of explorer.exe.\r\nYARA\r\nWe have created a YARA rule to identify this BLISTER activity:\r\nrule Windows_Trojan_Blister {\r\n    meta:\r\n        author = \"Elastic Security\"\r\n        creation_date = \"2021-12-20\"\r\n        last_modified = \"2021-12-20\"\r\n        os = \"Windows\"\r\n        category_type = \"Trojan\"\r\n        family = \"Blister\"\r\n        threat_name = \"Windows.Trojan.Blister\"\r\n        reference_sample = \"0a7778cf6f9a1bd894e89f282f2e40f9d6c9cd4b72be97328e681fe32a1b1a00\"\r\n    strings:\r\n        $a1 = {8D 45 DC 89 5D EC 50 6A 04 8D 45 F0 50 8D 45 EC 50 6A FF FF D7}\r\n        $a2 = {75 F7 39 4D FC 0F 85 F3 00 00 00 64 A1 30 00 00 00 53 57 89 75}\r\n    condition:\r\n        any of them\r\n}\r\nDefensive recommendations\r\nElastic Endpoint Alerts\r\nElastic Endpoint Security provides deep coverage for this threat by stopping the in-memory thread execution and preventing malicious behaviors.\r\nMemory Threat Detection Alert: Shellcode Injection\r\nMalicious Behavior Detection Alert: Execution via Renamed Signed Binary Proxy\r\nHunting queries\r\nThese queries can be used in Kibana's Security -\u003e Timelines -\u003e Create new timeline -\u003e Correlation query editor. While these queries will identify this intrusion set, they can also identify other events of note that, once investigated, could lead to other malicious activities.\r\nProxy Execution via Renamed Rundll32\r\nHunt for renamed instances of rundll32.exe:\r\nprocess where event.action == \"start\" and\r\n  process.name != null and\r\n  (process.pe.original_file_name == \"RUNDLL32.EXE\" and not process.name : \"RUNDLL32.EXE\")\r\nMasquerading as WerFault\r\nHunt for potential rogue instances of WerFault.exe (Windows Error Reporting) in an attempt to masquerade as a legitimate system process that is often excluded from behavior-based detection as a known frequent false positive:\r\nprocess where event.action == \"start\" and\r\n  process.executable :\r\n    (\"?:\\\\Windows\\\\Syswow64\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\WerFault.exe\") and\r\n  /* legit WerFault will have more than one argument in process.command_line */\r\n  process.args_count == 1\r\nEvasion via Masquerading as WerFault and Renamed Rundll32\r\nPersistence via Registry Run Keys / Startup Folder\r\nMalware creates a new run key for persistence:\r\nregistry where registry.data.strings != null and\r\n  registry.path : (\r\n    /* Machine Hive */\r\n    \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\r\n    \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\r\n    \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\r\n    /* Users Hive */\r\n    \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\r\n    \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\r\n    \"HKEY_USERS\\\\*\\\\Software\\\\Micro\r\n  )\r\nPersistence via Run key\r\nSuspicious Startup Shell Folder Modification\r\nModify the default Startup value in the registry via COM (dllhost.exe) and then write a shortcut file for persistence in the newly modified Startup folder:\r\nsequence by host.id with maxspan=1m\r\n  [registry where\r\n    /* Modify User default Startup Folder */\r\n    registry.path : (\r\n      \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\r\n      \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\r\n      \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\r\n      \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\r\n    ) ]\r\n  /* Write File to Modified Startup Folder */\r\n  [file where event.type : (\"creation\", \"change\") and file.path : \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\S\r\nPersistence via Modified Startup\r\nElastic Detection Engine Rules\r\nThe following existing public detection rules can also be used to detect some of the employed techniques:\r\nPotential Windows Error Manager Masquerading\r\nWindows Defender Exclusions Added via PowerShell\r\nStartup or Run Key Registry Modification\r\nShortcut File Written or Modified for Persistence\r\nSuspicious Startup Shell Folder Modification\r\nMITRE ATT\u0026CK\r\nT1218.011 - Signed Binary Proxy Execution: Rundll32\r\nT1055 - Process Injection\r\nT1547.001 - Registry Run Keys / Startup Folder\r\nT1036 - Masquerading\r\nSummary\r\nThe BLISTER loader has several tricks which have allowed it to fly under the radar of the security community for months. These include leveraging valid code signing certificates, infecting legitimate libraries to fool machine learning models, and executing payloads in-memory. However, the depth of protection offered with Elastic Security meant we were still able to identify and stop in-the-wild attacks.\r\nExisting Elastic Security users can access these capabilities within the product. If you’re new to Elastic Security, take a look at our Quick Start guides (bite-sized training videos to get you started quickly) or our free fundamentals training courses. You can always get started with a free 14-day trial of Elastic Cloud.\r\nIndicators\r\nIndicator\r\nF3503970C2B5D57687EC9E31BB232A76B624C838\r\nmoduleloader.s3.eu-west-2.amazonaws[.]com\r\ndiscountshadesdirect[.]com\r\nbimelectrical[.]com\r\nclippershipintl[.]com\r\n188.68.221[.]203\r\n93.115.18[.]248\r\n52.95.148[.]162\r\n84.38.183[.]174\r\n80.249.145[.]212\r\n185.170.213[.]186\r\ned6910fd51d6373065a2f1d3580ad645f443bf0badc398aa77185324b0284db8\r\ncb949ebe87c55c0ba6cf0525161e2e6670c1ae186ab83ce46047446e9753a9\r\ndf8142e5cf897af65972041024ebe74c7915df0e18c6364c5fb9b2943426ed1a\r\n2d049f7658a8dccd930f7010b32ed1bc9a5cc0f8109b511ca2a77a210430136\r\nafb77617a4ca637614c429440c78da438e190dd1ca24dc78483aa731d80832c2\r\n516cac58a6bfec5b9c214b6bba0b724961148199d32fb42c01b12ac31f6a60\r\nLauncher V7.3.13.exe\r\nGuiFramwork.exe\r\nffxivsetup.exe\r\nPredictor V8.21 - Copy.exe\r\nPredictor Release v5.9.rar\r\nPredictorGUI.exe\r\nReadhelper.exe\r\ndxpo8umrz\r\nHolorui.dll\r\nColorui.dll\r\nPasade.dll\r\nAxsssig.dll\r\nHelper.CC.dll\r\nHeav.dll\r\nPasadeis.dll\r\nTermmgr.dll\r\nTermService.dll\r\nrdpencom.dll\r\nlibcef.dll\r\ntnt.dll\r\nSource: https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign"
	],
	"report_names": [
		"elastic-security-uncovers-blister-malware-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775439123,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9272094f83a1d45a789785bb9dcc817546ff7d26.pdf",
		"text": "https://archive.orkl.eu/9272094f83a1d45a789785bb9dcc817546ff7d26.txt",
		"img": "https://archive.orkl.eu/9272094f83a1d45a789785bb9dcc817546ff7d26.jpg"
	}
}