{
	"id": "b9966b7a-e480-4e31-ab2b-c5b92a708ca8",
	"created_at": "2026-04-06T00:22:15.451144Z",
	"updated_at": "2026-04-10T03:24:16.884054Z",
	"deleted_at": null,
	"sha1_hash": "f81c63619f00a5d2f2f7f337e62d3b981a21e693",
	"title": "Insights from one year of tracking a polymorphic threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 943652,
	"plain_text": "Insights from one year of tracking a polymorphic threat\r\nBy Microsoft Defender Security Research Team\r\nPublished: 2019-11-26 · Archived: 2026-04-05 21:48:38 UTC\r\nA little over a year ago, in October 2018, our polymorphic outbreak monitoring system detected a large surge in reports,\r\nindicating that a large-scale campaign was unfolding. We observed as the new threat attempted to deploy files that\r\nchanged every 20-30 minutes on thousands of devices. We gave the threat the name “Dexphot,” based on certain\r\ncharacteristics of the malware code.\r\nThe Dexphot attack used a variety of sophisticated methods to evade security solutions. Layers of obfuscation,\r\nencryption, and the use of randomized file names hid the installation process. Dexphot then used fileless techniques to\r\nrun malicious code directly in memory, leaving only a few traces that can be used for forensics. It hijacked legitimate\r\nsystem processes to disguise malicious activity. If not stopped, Dexphot ultimately ran a cryptocurrency miner on the\r\ndevice, with monitoring services and scheduled tasks triggering re-infection when defenders attempt to remove the\r\nmalware.\r\nIn the months that followed, we closely tracked the threat and witnessed the attackers upgrade the malware, target new\r\nprocesses, and work around defensive measures:\r\nWhile Microsoft Defender Advanced Threat Protection’s pre-execution detection engines blocked Dexphot in most\r\ncases, behavior-based machine learning models provided protection for cases where the threat slipped through. Given\r\nthe threat’s persistence mechanisms, polymorphism, and use of fileless techniques, behavior-based detection was a\r\ncritical component of the comprehensive protection against this malware and other threats that exhibit similar malicious\r\nbehaviors.\r\nMicrosoft Defender ATP data shows the effectiveness of behavioral blocking and containment capabilities in stopping\r\nthe Dexphot campaign. 
Over time, Dexphot-related malicious behavior reports dropped to a low hum, as the threat lost\r\nsteam.\r\nhttps://www.microsoft.com/security/blog/2019/11/26/insights-from-one-year-of-tracking-a-polymorphic-threat/\r\nPage 1 of 9\n\nOur close monitoring of Dexphot helped us ensure that our customers were protected from the evolving threat. More\r\nimportantly, one year’s worth of intelligence helped us gain insight not only into the goals and motivations of Dexphot’s\r\nauthors, but also into those of cybercriminals in general.\r\nComplex attack chain\r\nThe early stages of a Dexphot infection involve numerous files and processes. During the execution stage, Dexphot\r\nwrites five key files to disk:\r\n1. An installer with two URLs\r\n2. An MSI package file downloaded from one of the URLs\r\n3. A password-protected ZIP archive\r\n4. A loader DLL, which is extracted from the archive\r\n5. An encrypted data file that holds three additional executables that are loaded into system processes via process\r\nhollowing\r\nExcept for the installer, the other processes that run during execution are legitimate system processes. This can make\r\ndetection and remediation more difficult. These legitimate system processes include msiexec.exe (for installing MSI\r\npackages), unzip.exe (for extracting files from the password-protected ZIP archive), rundll32.exe (for loading the loader\r\nDLL), schtasks.exe (for scheduled tasks), and powershell.exe (for forced updates). In later stages, Dexphot targets a few\r\nother system processes for process hollowing: svchost.exe, tracert.exe, and setup.exe.\r\nMultiple layers of security evasion\r\nBased on Microsoft Defender ATP signals, SoftwareBundler:Win32/ICLoader and its variants are primarily used to drop\r\nand run the Dexphot installer. The installer uses two URLs to download malicious payloads. These are the same two\r\nURLs that Dexphot uses later to establish persistence, update the malware, and re-infect the device.\r\n
The installer downloads an MSI package from one of the two URLs, and then launches msiexec.exe to perform a silent\r\ninstall. This is the first of several instances of Dexphot employing living-off-the-land techniques, the use of legitimate\r\nsystem processes for nefarious purposes.\r\nDexphot’s package often contains an obfuscated batch script. If the package contains this file, the script is the first thing\r\nthat msiexec.exe runs when it begins the installation process. This obfuscated script is designed to check for\r\nantivirus products. Dexphot halts the infection process immediately if an antivirus product is found running.\r\nWhen we first began our research, the batch script only checked for antivirus products from Avast and AVG. Later,\r\nWindows Defender Antivirus was added to the checklist.\r\nIf the process is not halted, Dexphot decompresses the password-protected ZIP archive from the MSI package. The\r\npassword to this archive is within the MSI package. Along with the password, the malware’s authors also include a\r\nclean version of unzip.exe so that they don’t have to rely on the target system having a ZIP utility. The unzip.exe file in\r\nthe package is usually given an innocuous name, such as z.exe or ex.exe, to avoid scrutiny.\r\nThe ZIP archive usually contains three files: the loader DLL, an encrypted data file (usually named bin.dat), and, often,\r\none clean unrelated DLL, which is likely included to mislead detection.\r\nDexphot usually extracts the decompressed files to the target system’s Favorites folder. The files are given new, random\r\nnames, which are generated by concatenating words and numbers based on the time of execution (for example,\r\nC:\\Users\\\u003cuser\u003e\\Favorites\\\\Res.Center.ponse\\\u003cnumbers\u003e). The commands to generate the new names are also\r\nobfuscated, for example:\r\nMsiexec.exe next calls rundll32.exe, specifying the loader DLL (urlmon.7z in the example above) in order to decrypt the\r\ndata file. The decryption process involves ADD and XOR operations, using a key hardcoded in the binary.\r\n
The decrypted data contains three executables. Unlike the files described earlier, these executables are never written to\r\nthe filesystem. Instead, they exist only in memory, and Dexphot runs them by loading them into other system processes\r\nvia process hollowing.\r\nStealthy execution through fileless techniques\r\nProcess hollowing is a technique that can hide malware within a legitimate system process. It replaces the contents of\r\nthe legitimate process with malicious code. Detecting malicious code hidden using this method is not trivial, so process\r\nhollowing has become a prevalent technique used by malware today.\r\nThis method has the additional benefit of being fileless: the code can be run without actually being saved on the file\r\nsystem. Not only is it harder to detect the malicious code while it’s running, it is also harder to find useful forensics after the\r\nprocess has stopped.\r\nTo initiate process hollowing, the loader DLL targets two legitimate system processes, for example svchost.exe or\r\nnslookup.exe, and spawns them in a suspended state. The loader DLL replaces the contents of these processes with the\r\nfirst and second decrypted executables. These executables are monitoring services for maintaining Dexphot’s\r\ncomponents. The now-malicious processes are released from suspension and run.\r\nNext, the loader DLL targets the setup.exe file in SysWoW64. It removes setup.exe’s contents and replaces them with\r\nthe third decrypted executable, a cryptocurrency miner. Although Dexphot always uses a cryptocurrency miner of some\r\nkind, it’s not always the same miner. It used different programs like XMRig and JCE Miner over the course of our\r\nresearch.\r\n
Persistence through regularly scheduled malware updates\r\nThe two monitoring services simultaneously check the status of all three malicious processes. Having dual monitoring\r\nservices provides redundancy in case one of the monitoring processes is halted. If any of the processes are terminated,\r\nthe monitors immediately identify the situation, terminate all remaining malicious processes, and re-infect the device.\r\nThis forced update/re-infection process is started by a PowerShell command similar to the one below:\r\nThe monitoring components also detect freshly launched cmd.exe processes and terminate them promptly. As a final\r\nfail-safe, Dexphot uses schtasks.exe to create scheduled tasks, with the command below.\r\nThis persistence technique is interesting, because it employs two distinct MITRE ATT\u0026CK techniques: Scheduled Task\r\nand Signed Binary Proxy Execution.\r\nThe scheduled tasks call msiexec.exe as a proxy to run the malicious code, much like how msiexec.exe was used during\r\ninstallation. Using msiexec.exe, a legitimate system process, can make it harder to trace the source of malicious activity.\r\nFurthermore, the tasks allow Dexphot to conveniently update the payload from the web every time the tasks run. They\r\nautomatically update all of Dexphot’s components, both upon system reboot and every 90 or 110 minutes while\r\nthe system is running.\r\n
Dexphot also generates the names for the tasks at runtime, which means a simple block list of hardcoded task names\r\nwill not be effective in preventing them from running. The names are usually in a GUID format, although after we\r\nreleased our first round of Dexphot-blocking protections, the threat authors began to use random strings.\r\nThe threat authors have one more evasion technique for these scheduled tasks: some Dexphot variants copy msiexec.exe\r\nto an arbitrary location and give it a random name, such as %AppData%\\\u003crandom\u003e.exe. This makes the system process\r\nrunning malicious code a literal moving target.\r\nPolymorphism\r\nDexphot exhibits multiple layers of polymorphism across the binaries it distributes. For example, the MSI package used\r\nin the campaign contains different files, as shown in the table below. The MSI packages generally include a clean\r\nversion of unzip.exe, a password-protected ZIP file, and a batch file that checks for currently installed antivirus\r\nproducts. However, the batch file is not always present, and the names of the ZIP files and loader DLLs, as well as the\r\npassword for extracting the ZIP file, all change from one package to the next.\r\nIn addition, the contents of each loader DLL differ from package to package, as does the encrypted data included in\r\nthe ZIP file. This leads to the generation of a different ZIP archive and, in turn, a unique MSI package, each time the\r\nattacker bundles the files together. Because of these carefully designed layers of polymorphism, a traditional file-based\r\ndetection approach wouldn’t be effective against Dexphot.\r\n
MSI package ID | Unzip.exe name | ZIP file name | Batch file name | Password for ZIP file | Loader DLL file name | Encrypted data name\r\n(The unzip.exe, ZIP file, and batch file are the MSI package contents; the loader DLL and encrypted data file are the contents of the encrypted ZIP. A dash marks a package with no batch file.)\r\nMSI-1 | ex.exe | webUI.r0_ | f.bat | kjfhwehjkf | IECache.dll | bin.dat\r\nMSI-2 | ex.exe | analog.tv | f.bat | ZvDagW | kernel32.bin | bin.dat\r\nMSI-3 | z.exe | yandex.zip | f.bat | jeremy | SetupUi.dll | bin.dat\r\nMSI-4 | unzip.exe | ERDNT.LOC.zip | - | iso100 | ERDNT.LOC | data.bin\r\nMSI-5 | pck.exe | mse.zip | - | kika | _steam.dll | bin.dat\r\nMSI-6 | z.exe | msi.zip | - | arima | ic64.dll | bin.dat\r\nMSI-7 | z.exe | mse.zip | f.bat | kika | _steam.dll | bin.dat\r\nMSI-8 | z.exe | mse.zip | - | kika | _steam.dll | bin.dat\r\nMSI-9 | z.exe | yandex.zip | f.bat | jeremy | SetupUi.dll | bin.dat\r\nMSI-10 | hf.exe | update.dat | f.bat | namr | x32Frame.dll | data.bin\r\nMSI-11 | z.exe | yandex.zip | f.bat | jeremy | SetupUi.dll | bin.dat\r\nMSI-12 | unzip.exe | PkgMgr.iso.zip | - | pack | PkgMgr.iso | data.bin\r\nMSI-13 | ex.exe | analog.tv | f.bat | kjfhwefkjwehjkf | urlmon.7z | bin.dat\r\nMSI-14 | ex.exe | icon.ico | f.bat | ZDADW | default.ocx | bin.dat\r\nMSI-15 | hf.exe | update.dat | - | namr | AvastFileRep.dll | data.bin\r\nMSI-16 | pck.exe | mse.zip | f.bat | kika | _steam.dll | bin.dat\r\nMSI-17 | z.exe | mse.zip | f.bat | joft | win2k.wim | bin.dat\r\nMSI-18 | ex.exe | plugin.cx | f.bat | ZDW | _setup.ini | bin.dat\r\nMSI-19 | hf.exe | update.dat | - | namr | AvastFileRep.dll | data.bin\r\nMSI-20 | ex.exe | installers.msu | f.bat | 000cehjkf | MSE.Engine.dll | bin.dat\r\nMSI-21 | z.exe | msi.zip | f.bat | arima | ic64.dll | bin.dat\r\nMSI-22 | z.exe | archive00.x | f.bat | 00Jmsjeh20 | chrome_watcher.dll | bin.dat\r\n
A multitude of payload hosts\r\nBesides tracking the files and processes that Dexphot uses to execute an attack, we have also been monitoring the\r\ndomains used to host malicious payloads. The URLs used for hosting all follow a similar pattern. The domain address\r\nusually ends in a .info or .net TLD, while the file name for the actual payload consists of random characters, similar to\r\nthe randomness previously seen being used to generate file names and scheduled tasks. Some examples from our\r\nresearch are shown in the table below.\r\nScheduled task name | Download URL\r\nhboavboja | https://supe********709.info/xoslqzu.pdi\r\n{C0B15B19-AB02-0A10-259B-1789B8BD78D6} | https://fa*****r.com/jz5jmdouv4js.uoe\r\nytiazuceqeif | https://supe********709.info/spkfuvjwadou.bbo\r\nbeoxlwayou | https://rb*****.info/xgvylniu.feo\r\n{F1B4C720-5A8B-8E97-8949-696A113E8BA5} | https://emp*******winc.com/f85kr64p1s5k.naj\r\ngxcxhbvlkie | https://gu*****me.net/ssitocdfsiu.pef\r\n{BE7FFC87-6635-429F-9F2D-CD3FD0E6DA51} | https://sy*****.info/pasuuy/xqeilinooyesejou.oew\r\n{0575F553-1277-FB0F-AF67-EB649EE04B39} | https://sumb*******on.info/gbzycb.kiz\r\ngposiiobhkwz | https://gu*****me.net/uyuvmueie.hui\r\n{EAABDEAC-2258-1340-6375-5D5C1B7CEA7F} | https://refr*******r711.info/3WIfUntot.1Mb\r\nzsayuuec | https://gu*****me.net/dexaeuioiexpyva.dil\r\nnjibqhcq | https://supe********709.info/aodoweuvmnamugu.fux\r\n{22D36F35-F5C2-29D3-1CF1-C51AC19564A4} | https://pr*****.info/ppaorpbafeualuwfx/hix.ayk\r\nqeubpmnu | https://gu*****me.net/ddssaizauuaxvt.cup\r\nadeuuelv | https://supe********709.info/tpneevqlqziee.okn\r\n{0B44027E-7514-5EC6-CE79-26EB87434AEF} | https://sy*****.info/huauroxaxhlvyyhp/xho.eqx\r\n{5A29AFD9-63FD-9F5E-F249-5EC1F2238023} | https://refr*******r711rb.info/s28ZXoDH4.78y\r\n{C5C1D86D-44BB-8EAA-5CDC-26B37F92E411} | https://fa*****r.com/rbvelfbflyvf.rws\r\n
Many of the URLs listed were in use for an extended period. However, the MSI packages hosted at each URL are\r\nfrequently changed or updated. In addition, every few days more domains are generated to host more payloads. After a\r\nfew months of monitoring, we were able to identify around 200 unique Dexphot domains.\r\nConclusion: Dynamic, comprehensive protection against increasingly complex everyday threats\r\nDexphot is not the type of attack that generates mainstream media attention; it’s one of the countless malware\r\ncampaigns that are active at any given time. Its goal is a very common one in cybercriminal circles — to install a coin\r\nminer that silently steals computer resources and generates revenue for the attackers — yet Dexphot exemplifies the\r\nlevel of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly\r\nunder the radar for the prospect of profit.\r\nTo combat threats, several next-generation protection engines in Microsoft Defender Advanced Threat Protection’s\r\nantivirus component detect and stop malicious techniques at multiple points along the attack chain. For Dexphot,\r\nmachine learning-based detections in the cloud recognize and block the DLLs loaded by rundll32.exe, stopping the\r\nattack chain in its early stages. Memory scans detect and terminate the loading of malicious code hidden by process\r\nhollowing — including the monitoring processes that attempt to update the malware code and re-infect the machine via\r\nPowerShell commands.\r\nBehavioral blocking and containment capabilities are especially effective in defeating Dexphot’s fileless techniques,\r\ndetection evasion, and persistence mechanisms, including the periodic and boot-time attempts to update the malware via\r\nscheduled tasks. As mentioned, given the complexity of the attack chain and of Dexphot’s persistence methods, we\r\nreleased a remediation solution that prevents re-infection by removing artifacts.\r\n
The detection, blocking, and remediation of Dexphot on endpoints are exposed in Microsoft Defender Security Center,\r\nwhere Microsoft Defender ATP’s rich capabilities like endpoint detection and response, automated investigation and\r\nremediation, and others enable security operations teams to investigate and remediate attacks in enterprise\r\nenvironments. With these capabilities, Microsoft Defender ATP provides comprehensive protection against Dexphot and\r\nthe countless other complex and evolving threats that we face every day.\r\nSample indicators of compromise (IoCs)\r\nInstaller (SHA-256):\r\n72acaf9ff8a43c68416884a3fff3b23e749b4bb8fb39e16f9976643360ed391f\r\nMSI files (SHA-256):\r\n22beffb61cbdc2e0c3eefaf068b498b63a193b239500dab25d03790c467379e3\r\n65eac7f9b67ff69cefed288f563b4d77917c94c410c6c6c4e4390db66305ca2a\r\nba9467e0d63ba65bf10650a3c8d36cd292b3f846983032a44a835e5966bc7e88\r\nLoader DLLs (SHA-256):\r\n537d7fe3b426827e40bbdd1d127ddb59effe1e9b3c160804df8922f92e0b366e\r\n504cc403e0b83233f8d20c0c86b0611facc040b868964b4afbda3214a2c8e1c5\r\naa5c56fe01af091f07c56ac7cbd240948ea6482b6146e0d3848d450977dff152\r\nHazel Kim\r\nMicrosoft Defender ATP Research Team\r\nSource: https://www.microsoft.com/security/blog/2019/11/26/insights-from-one-year-of-tracking-a-polymorphic-threat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2019/11/26/insights-from-one-year-of-tracking-a-polymorphic-threat/"
	],
	"report_names": [
		"insights-from-one-year-of-tracking-a-polymorphic-threat"
	],
	"threat_actors": [
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434935,
	"ts_updated_at": 1775791456,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f81c63619f00a5d2f2f7f337e62d3b981a21e693.pdf",
		"text": "https://archive.orkl.eu/f81c63619f00a5d2f2f7f337e62d3b981a21e693.txt",
		"img": "https://archive.orkl.eu/f81c63619f00a5d2f2f7f337e62d3b981a21e693.jpg"
	}
}