{
	"id": "5f21041e-faeb-4605-8ec2-af3a55cd14df",
	"created_at": "2026-04-06T00:21:01.740928Z",
	"updated_at": "2026-04-10T03:21:43.805062Z",
	"deleted_at": null,
	"sha1_hash": "95220bd6ade543147f0438b447b2879faac71768",
	"title": "Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 2)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 805356,
	"plain_text": "Technical Analysis of Code-Signed “Blister” Malware Campaign\r\n(Part 2)\r\nPublished: 2025-08-21 · Archived: 2026-04-05 17:08:41 UTC\r\nBlister is code-signed malware that drops a malicious DLL file on the victim’s system, which is then executed by the loader via rundll32.exe, resulting in the deployment of a RAT/C2 beacon that allows unauthorized access to the target system over the internet. Blister malware campaigns have been active since 15 September 2021.\r\nPart 1 of CloudSEK’s analysis provides a detailed understanding of how the loader functions. Part 2 delves into the details of this campaign’s second stage, which is the .dll payload, and its internal working.\r\nDissecting the Malicious DLL – Blister Malware\r\nAs discussed in Part 1, the Blister dropper drops the malicious .dll file in the user’s Temp directory, inside a newly created folder. This malicious .dll then carries out the second stage of the campaign, in which a RAT/agent is deployed on the system to gain unauthorized access and steal data.\r\nThe Blister dropper calls the function LaunchColorCpl, which is one of the functions exported by the .dll, via rundll32.exe.\r\nFunctions exported by the malicious DLL\r\nAnti-Analysis\r\nThe staging code is heavily obfuscated and uses spaghetti-code-like logic to hinder analysis. All calls to Windows APIs are obscured and dynamically resolved.\r\nThe first thing the staging code does is put the malware to sleep by calling the Sleep Windows API. This is a typical strategy used by malicious code to bypass security sandboxes and the dynamic testing of security products.\r\nhttps://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-2/\r\nPage 1 of 4\n\nStackframe before the malware calls the Sleep Windows API\r\nThe hex value “927C0” is passed to kernel32.759F9010, i.e. the Sleep function. This value (0x927C0) translates to 600000 in decimal. Since the Sleep API takes its argument in milliseconds (ms), 600000 ms corresponds to 10 minutes.\r\nWhen the malware resumes from sleep, it fetches the final payload from the resource section of the PE file.\r\nSnippet of the protected payload stored in the memory\r\nIn memory, the protected payload is decoded. The presence of a DOS header in the payload bytes confirms that the payload is in PE format and not shellcode.\r\nDecrypted payload stored in the memory\r\nAn interesting observation from this analysis is the addition of the MZ byte after the decryption process. In the above image, the initial byte is not MZ; rather, the MZ byte is added at the beginning of the payload separately afterwards. This behavior is primarily for operational security.\r\nAddition of the MZ byte after the decryption process\r\nProcess Hollowing\r\nIn general, process hollowing allows an attacker to replace the content of a legitimate process with malicious code before it is executed, by carving out the code logic within the target process.\r\nAfter decrypting the final payload, the malware prepares for execution. This is done by creating a new process to host the extracted code and then performing process hollowing to execute the payload in the remote process. The staging code retrieves the rundll32.exe location from the compromised system.\r\nRetrieval of the location of rundll32.exe\r\nA new rundll32.exe process is created via the CreateProcessInternalW API in the suspended state.\r\nCreation of the new rundll32.exe process\r\nThe malware uses the following Win32 APIs for process hollowing:\r\nZwUnmapViewOfSection\r\nZwReadVirtualMemory\r\nZwWriteVirtualMemory\r\nZwGetContextThread\r\nZwSetContextThread\r\nNtResumeThread\r\nZwWriteVirtualMemory is used to write the malicious code into the target process. To make the thread of the new process point to the newly written code, the attacker alters the entry point of the current thread via ZwGetContextThread and ZwSetContextThread. These functions perform processor housekeeping on the data structure that stores the current context of the running thread; process hollowing takes advantage of them to make the process thread run the attacker’s code.\r\nConclusion\r\nGiven that threat actors are actively using valid code-signing certificates on Windows systems to avoid detection by antivirus software, it is essential for network and endpoint security products to be updated with the malware’s latest Indicators of Compromise (IoCs). The latest IoCs for the Blister malware are enumerated in Part 1 of the technical analysis.\r\nSource: https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-2/"
	],
	"report_names": [
		"technical-analysis-of-code-signed-blister-malware-campaign-part-2"
	],
	"threat_actors": [],
	"ts_created_at": 1775434861,
	"ts_updated_at": 1775791303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/95220bd6ade543147f0438b447b2879faac71768.pdf",
		"text": "https://archive.orkl.eu/95220bd6ade543147f0438b447b2879faac71768.txt",
		"img": "https://archive.orkl.eu/95220bd6ade543147f0438b447b2879faac71768.jpg"
	}
}