{
	"id": "dafcbe5e-f290-4f96-8e13-f95a9ac6a8db",
	"created_at": "2026-04-06T00:22:31.057744Z",
	"updated_at": "2026-04-10T03:20:22.064124Z",
	"deleted_at": null,
	"sha1_hash": "d9db8c4608f7a2d325d2e2b2827921df6973f91e",
	"title": "Malware Tries to Trump Security Software With POTUS Impeachment",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2012054,
	"plain_text": "Malware Tries to Trump Security Software With POTUS Impeachment\r\nBy Lawrence Abrams\r\nPublished: 2020-01-30 · Archived: 2026-04-05 15:32:47 UTC\r\nThe TrickBot malware has been spotted using text from articles about President Trump's impeachment to bypass the scanning engines of security software.\r\nBefore distributing malware, developers commonly use a crypter to encrypt or obfuscate the malware's code to make it FUD (Fully UnDetectable) by antivirus software.\r\nOne common technique used by crypters is to take harmless text from books or news articles and inject it into the malware in the hope that these strings will be whitelisted by security software.\r\nhttps://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/\r\nPage 1 of 4\r\nThis exact technique was discovered by researchers in the past, allowing them to bypass Cylance's AI-driven scanning engine by adding strings from the Rocket League executable to malware.\r\nThe TrickBot trojan appears to be using a similar bypass, using article text from popular news sites.\r\nTrying to Trump security software\r\nIn two new samples of TrickBot discovered by Head of SentinelLabs Vitali Kremez and security researcher MalwareHunterTeam, the malware developers are injecting text from an article about President Trump's impeachment into the malware.\r\n\"The anti-virus engine bypasses focus on adding and appending known \"goodware\" strings to binaries in order to bypass static machine learning engines as similarly it was discovered and used by Cylance engine model,\" Kremez told BleepingComputer in a conversation. \"Known goodware strings might include news headlines like widely populated Trump impeachment news stories mixed with the actual and pseudo-real applications that become appended to the malicious binaries by the malware crypter builder engine.\"\r\nThe first sample uses text from an impeachment story at Independent.co.uk and adds it as part of the file information for the executable.\r\nTrickBot Sample #1\r\nThe second sample uses text ripped from a CNN article about Trump's impeachment and adds it as custom exif data tags.\r\n\"Ukrainian natural gas company is at\r\nrump has lambasted Schiff for previous inaccurately paraphrasing\r\nRussian propaganda that Ukraine opposed him in 2016,\r\nThursday Schiff went line-by-line through the real thing\r\ninvestigations was Donald Trump\r\nforeign leader to get in touch with\r\niuliani originated at the White House\r\nBurisma board. Impeachment managers\r\nBiden conspiracy theory played against the\r\nRudy Giuliani, about two different investigations\r\nBiden conspiracy theory played against the\"\r\nIt is not 100% clear whether this text allowed it to bypass antivirus engines or whether other changes were responsible, but when first submitted to VirusTotal, sample 1 was detected by only 11/70 security products and sample 2 by only 6/70.\r\n\"This TrickBot crypter and related top cybercrime group invest significant resources in making sure they study and understand anti-virus detection model to be ahead of the game,\" Kremez explained. \"By and large, malware crypters and detections remain to be a \"cat-and-mouse\" game with the TrickBot and other top crimes groups trying to evade anti-virus models and defense and detection trying to catch up.\"\r\nIt also illustrates how attackers use current events in the proliferation of their malware. Another example shown today is a recent Emotet spam campaign pretending to be information about the Coronavirus.\r\nSource: https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/"
	],
	"report_names": [
		"malware-tries-to-trump-security-software-with-potus-impeachment"
	],
	"threat_actors": [],
	"ts_created_at": 1775434951,
	"ts_updated_at": 1775791222,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d9db8c4608f7a2d325d2e2b2827921df6973f91e.pdf",
		"text": "https://archive.orkl.eu/d9db8c4608f7a2d325d2e2b2827921df6973f91e.txt",
		"img": "https://archive.orkl.eu/d9db8c4608f7a2d325d2e2b2827921df6973f91e.jpg"
	}
}