{
	"id": "0876614d-9983-4bb4-8d88-b631c65921ae",
	"created_at": "2026-04-06T00:06:24.771155Z",
	"updated_at": "2026-04-10T03:34:22.512515Z",
	"deleted_at": null,
	"sha1_hash": "ec64ffec265edd4717975288521e13842fb58d10",
	"title": "Process Injection in BugSleep Loader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 402667,
	"plain_text": "Process Injection in BugSleep Loader\r\nArchived: 2026-04-05 21:52:04 UTC\r\nSHA256: 73c677dd3b264e7eb80e26e78ac9df1dba30915b5ce3b1bc1c83db52b9c6b30e\r\nTable of Contents\r\nIntroduction\r\nStrings Decryption\r\nProcess Injection\r\nWalking the PEB\r\nFinding a Running Process to Inject Into\r\nPortable Executable Process Injection\r\nSummary\r\nIntroduction\r\nThe BugSleep backdoor was recently reported on by both Check Point and Sekoia. It has typical backdoor\r\ncapabilities, such as establishing persistence, communicating with the C2 and executing commands, among others.\r\nBugSleep is attributed to the MuddyWater group which indulges in cyber espionage.\r\nThe primary focus of this analysis is on the process injection aspect of the execution flow. The BugSleep loader\r\ninjects shellcode that subsequently loads the BugSleep backdoor. Process injection can be leveraged for both\r\nprivilege escalation (for example, injecting into a privileged process) and/or for defense evasion (for example,\r\nblending in by injecting into a legitimate process).\r\nStrings Decryption\r\nBefore we get into process injection, we’ll take a look at a very simple string encryption algorithm employed by\r\nthe BugSleep loader.\r\nThe decryption algorithm involves subtracting a number (aka key), k, from the ASCII code of each character in\r\nthe encrypted string. The sample leverages multiple values of k, such as 5 and 8, among others. This is\r\nshown below in Fig. 1. This encryption technique is a type of substitution cipher where each unit of the plaintext\r\nis replaced with ciphertext with the help of a key.\r\nhttps://nikhilh-20.github.io/blog/inject_bugsleep/\r\nPage 1 of 6\n\nFig. 1: String Decryption Algorithm\r\nFor the occasional string decryption, it is straightforward to use CyberChef as shown in Fig. 2.\r\nFig. 2: String Decryption using CyberChef\r\nIf you need a Python script, then the below one-liner decode_string function is sufficient.\r\ndef decode_string(encoded_string, k):\r\n    return \"\".join(chr(ord(s) - k) for s in encoded_string)\r\nIn [2]: print(decode_string(\"QtfiQngwfw~F\", 5))\r\nLoadLibraryA\r\nIn [3]: print(decode_string(\"KBdXzwoziuLi|idXiksiomUiviomz\", 8))\r\nC:\\ProgramData\\PackageManager\r\nProcess Injection\r\nAt a high level, process injection is a technique to insert code into the memory region of a process. If the malware\r\ninjects into a newly created process of itself, it is called self-injection. If the malware injects into a foreign\r\nprocess, it is called remote injection. While there are multiple ways to perform process injection (see sub-techniques in MITRE ATT\u0026CK), this blog looks at Portable Executable Injection which the BugSleep loader\r\nimplements.\r\nWalking the PEB\r\nThe BugSleep loader walks the PEB to dynamically load functions, such as CreateRemoteThread and\r\nWriteProcessMemory, among others. These functions are then used to perform process injection. I have\r\npreviously blogged about this obfuscation technique, i.e., walking the PEB, so I will not get into it here.\r\nFinding a Running Process to Inject Into\r\nEarlier, I mentioned that one of the objectives of process injection is defense evasion. The BugSleep loader tries to\r\nachieve this by injecting into a legitimate running process. Fig. 3 shows that the loader picks, in order, from the\r\nfollowing running processes to inject into:\r\n1. msedge.exe: Microsoft Edge browser\r\n2. opera.exe: Opera browser\r\n3. chrome.exe: Google Chrome browser\r\n4. anydesk.exe: AnyDesk remote desktop\r\n5. Onedrive.exe: Microsoft OneDrive\r\n6. powershell.exe: PowerShell\r\n7. svchost.exe: Service Host\r\nFig. 3: Finding Running Processes to Inject Into\r\nProcess injection can be risky. If the injected code is poorly written (for example, if it does not handle exceptions),\r\nor if the injected code interferes with critical memory regions (PEB, executable sections, stack, etc.) of the target\r\nprocess, then there is a risk of crashing the target process. Besides stopping the malware execution flow from\r\nmoving on to the next stage, process crashes will also result in Windows events being generated. Such events may\r\nbe interpreted by security solutions, such as EDRs, as an indicator of compromise or attack.\r\nThe order of processes to inject into suggests that the threat actor deprioritized processes whose crash may have\r\nsystem-wide consequences or seem very abnormal. For example, if injection into msedge.exe goes wrong then\r\nonly the Microsoft Edge browser will crash. However, svchost.exe is responsible for running important\r\nWindows services and is generally stable. If faulty injection occurs, a svchost.exe process crash will look\r\nespecially abnormal to EDRs or may even result in more severe consequences for system stability.\r\nFig. 4 shows the decompiled code used to find a running process with a given substring (see procname variable)\r\nin its file name. When such a process is found, a handle to it is opened (via OpenProcess) and read-write\r\nmemory is allocated in it (via VirtualAllocEx).\r\nFig. 4: Decrypt Shellcode and Inject\r\nA given process cannot simply access any other process on the system. It can only access other processes from the\r\nsame user unless it has SeDebugPrivilege enabled. This privilege is assigned disabled (default action) to all\r\nAdministrator-owned processes and they have to explicitly enable it, if required. Other user-owned processes do\r\nnot have this privilege assigned (but it can be given through Group Policy). The BugSleep loader does not enable\r\nSeDebugPrivilege, but it still attempts to access the memory of svchost.exe, a privileged process, which\r\nresults in an Access Denied error as expected.\r\nFig. 5: svchost.exe Access Denied\r\nPortable Executable Process Injection\r\nAssuming that the BugSleep loader was able to allocate memory in the target process, it performs the following\r\noperations:\r\n1. Decrypt the shellcode in the same manner as the previously described string decryption algorithm.\r\n2. Write it into the allocated memory in the target process (via WriteProcessMemory) and mark it as\r\nexecutable (via VirtualProtectEx).\r\n3. Create a thread in the target process (via CreateRemoteThread) with the previously injected shellcode as\r\nthe start address.\r\nFig. 6: Decrypt Shellcode and Inject\r\nWindows APIs like WriteProcessMemory and CreateRemoteThread internally call NtWriteVirtualMemory and\r\nNtCreateThreadEx respectively from ntdll.dll. These functions are generally hooked by EDRs, i.e., calls to\r\nthese functions will be inspected and blocked, if appropriate.\r\nSummary\r\nIn this blog, we looked at the BugSleep loader which has a trivial execution flow to load the next stage. It\r\nimplements a simple string decryption algorithm, finds a relevant running process to inject into, and then uses\r\nhigh-level Windows APIs to perform portable executable process injection.\r\nSource: https://nikhilh-20.github.io/blog/inject_bugsleep/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://nikhilh-20.github.io/blog/inject_bugsleep/"
	],
	"report_names": [
		"inject_bugsleep"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433984,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec64ffec265edd4717975288521e13842fb58d10.pdf",
		"text": "https://archive.orkl.eu/ec64ffec265edd4717975288521e13842fb58d10.txt",
		"img": "https://archive.orkl.eu/ec64ffec265edd4717975288521e13842fb58d10.jpg"
	}
}