{
	"id": "8e279539-367a-4ca3-a133-0bc650f45a54",
	"created_at": "2026-04-06T00:22:18.711533Z",
	"updated_at": "2026-04-10T03:20:50.118343Z",
	"deleted_at": null,
	"sha1_hash": "bb83dc9b93ba25b3166832c05ee05185f739a95d",
	"title": "Sakula Malware Analysis: INOCNATION Campaign Obfuscation | Report | Fidelis Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34882,
	"plain_text": "Sakula Malware Analysis: INOCNATION Campaign Obfuscation |\r\nReport | Fidelis Security\r\nPublished: 2022-10-04 · Archived: 2026-04-05 15:06:26 UTC\r\nLast month, CrowdStrike published a blog on malware campaigns attributed to Sakula. We took a look at the\r\nmalware specifically in the INOCNATION campaign to analyze what was new and different about the techniques\r\nused by the threat actor. It appears the entity behind this campaign took steps to make reverse engineering more\r\ndifficult and chose the use of Cisco’s AnyConnect Client as a lure to trick victims into installing the malware.\r\nThe RAT delivered by this campaign was not particularly interesting and had all the features you would expect in\r\nsuch a tool. The use of the obfuscation techniques was novel and this advisory discusses those in detail, along with\r\nhow we detected them.\r\nKey Findings:\r\nTwo passes with different XOR keys used to obfuscate components and strings in the malware\r\nTrusted software used as a decoy for initial installation\r\nA mangled MZ header used to deceive security products\r\nString stacking obfuscation with Unicode strings\r\nMultiple layers of obfuscation for command and control traffic\r\nBuilt-in uninstall functionality.\r\nMD5 Hashes used in this analysis:\r\nFidelis Security’s products detect the activity documented in this paper and additional technical indicators are\r\npublished in the appendices of this paper and to the Fidelis Security github at https://github.com/fideliscyber.\r\nWe want to thank our fellow security researchers at CrowdStrike for sharing hashes of the malware samples\r\nanalyzed in this report.\r\nSource: https://fidelissecurity.com/resource/report/fidelis-threat-advisory-1020-dissecting-the-malware-involved-in-the-inocnation-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://fidelissecurity.com/resource/report/fidelis-threat-advisory-1020-dissecting-the-malware-involved-in-the-inocnation-campaign/"
	],
	"report_names": [
		"fidelis-threat-advisory-1020-dissecting-the-malware-involved-in-the-inocnation-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434938,
	"ts_updated_at": 1775791250,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb83dc9b93ba25b3166832c05ee05185f739a95d.pdf",
		"text": "https://archive.orkl.eu/bb83dc9b93ba25b3166832c05ee05185f739a95d.txt",
		"img": "https://archive.orkl.eu/bb83dc9b93ba25b3166832c05ee05185f739a95d.jpg"
	}
}