DEV Community: THREAT CHAIN

Prometei Sample Detected: 77bd50f5f45bc364014a015c203bd353881e59ecef3ca7ebab005cfaacca6d36

THREAT CHAIN — Sun, 31 May 2026 19:15:22 +0000

Your security tools might have missed this one. Prometei is actively targeting networks right now — here's what you need to know before it hits yours.

A new Prometei sample was identified by threat intelligence feeds on 2026-05-31 18:12:52. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`77bd50f5f45bc364014a015c203bd353881e59ecef3ca7ebab005cfaacca6d36`
File name	`77bd50f5f45bc364014a015c203bd353881e59ecef3ca7ebab005cfaacca6d36`
File type	exe
Size	240.1 KB
Origin (first observed)	US
First seen	2026-05-31 18:12:52
Family	Prometei
Tags	exe, Prometei, wraith
VirusTotal detection	48/75 engines flagged malicious

What Prometei Does

Prometei is a malware family observed delivering malicious payloads to Windows systems. Samples in this family typically steal credentials, establish persistence, or enable remote access for attackers.

Seeing this family on your network — or finding a file matching this hash — is a red flag. Prometei samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': None, 'verdict': 'No threats detected', 'file_name': '_77bd50f5f45bc364014a015c203bd353881e59ecef3ca7ebab005cfaacca6d36.exe', 'date': '2026-05-31 18:21:56', 'analysis_url': 'https://app.any.run/tasks/72ec559b-98c8-478a-aee3-b06d582aa643', 'tags': []}]
vxCube: malware2
Intezer: suspicious
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
UnpacMe: [{'sha256_hash': '77bd50f5f45bc364014a015c203bd353881e59ecef3ca7ebab005cfaacca6d36', 'md5_hash': 'e93dcd96c9e5540143173bc7fa728d0b', 'sha1_hash': 'db22b303f1db9b38552d1bf536d0abe509c5d085', 'detections': [], 'link': 'https://www.unpac.me/results/0c116a48-a35a-4291-98d9-7e4a80b2fd2a/'}, {'sha256_hash': 'ab5d784fe95790b41078417818adbcc6e7e168aca01110910b8c0041e4905b65', 'md5_hash': 'ac26feb566fed4d57921da6d1bf7eb22', 'sha1_hash': '0b07145d14d3dc10d5aae9672d7036424c167f20', 'detections': [], 'link': 'https://www.unpac.me/results/0c116a48-a35a-4291-98d9-7e4a80b2fd2a/'}]
FileScan-IO: MALICIOUS

Indicators of Compromise

If you're hunting for this sample or related Prometei activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: 77bd50f5f45bc364014a015c203bd353881e59ecef3ca7ebab005cfaacca6d36
Filename pattern: 77bd50f5f45bc364014a015c203bd353881e59ecef3ca7ebab005cfaacca6d36
File type: exe
Behavioral tags: exe, Prometei, wraith
YARA rules matched: golang_bin_JCorn_CSC846, VECT_Ransomware

How to Check If You're Affected

Search your endpoint logs for the SHA-256 77bd50f5f45bc364014a015c203bd353881e59ecef3ca7ebab005cfaacca6d36. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename 77bd50f5f45bc364014a015c203bd353881e59ecef3ca7ebab005cfaacca6d36 in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — Prometei typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. Prometei frequently targets these.
Check for secondary payloads. Prometei is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

You can verify any suspicious hash against the ThreatChain database for free — no signup, no API key required. Paste any MD5, SHA-1, or SHA-256 at threatchain.io/lookup and get results across multiple intel sources in seconds.

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

SalatStealer Sample Detected: winwsdriver.exe

THREAT CHAIN — Sun, 31 May 2026 11:15:21 +0000

Your security tools might have missed this one. SalatStealer is actively targeting networks right now — here's what you need to know before it hits yours.

A new SalatStealer sample was identified by threat intelligence feeds on 2026-05-31 08:19:26. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`a3a2fe509cb278c84202c7f6023db15692a1e501ea3dc6c46a1d45788cacd1f4`
File name	`winwsdriver.exe`
File type	exe
Size	3.43 MB
Origin (first observed)	AU
First seen	2026-05-31 08:19:26
Family	SalatStealer
Tags	exe, infostealer, psw, salat, salatstealer, stealer, upx
VirusTotal detection	52/75 engines flagged malicious

What SalatStealer Does

SalatStealer is a malware family observed delivering malicious payloads to Windows systems. Samples in this family typically steal credentials, establish persistence, or enable remote access for attackers.

Seeing this family on your network — or finding a file matching this hash — is a red flag. SalatStealer samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': None, 'verdict': 'Malicious activity', 'file_name': 'winwsdriver.exe', 'date': '2026-05-31 08:18:49', 'analysis_url': 'https://app.any.run/tasks/905f635c-bcef-48f2-a95e-ba9b85eace26', 'tags': ['salatstealer', 'stealer', 'ms-smartcard', 'susp-powershell', 'upx', 'golang']}]
vxCube: malware2
Intezer: suspicious
CAPE: Salat
Triage: salatstealer
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
UnpacMe: [{'sha256_hash': 'a3a2fe509cb278c84202c7f6023db15692a1e501ea3dc6c46a1d45788cacd1f4', 'md5_hash': 'd94447fd5b63b56f66f33a659f858d8d', 'sha1_hash': '61e19cd16d2acd8c33ec1fdb4597be99a73cf2af', 'detections': [], 'link': 'https://www.unpac.me/results/c65f6e3c-3dc7-411a-b300-641e9a3f3cad/'}, {'sha256_hash': '2d790f57a3ac3ca075726fa23e8acbb52c5a594697548472182122c6efd14d08', 'md5_hash': '7bf4cb96b53697b201e161d871a27f10', 'sha1_hash': 'a5cfbc683ab696b6014db7e27d0ced2e3316c7e5', 'detections': [], 'link': 'https://www.unpac.me/results/c65f6e3c-3dc7-411a-b300-641e9a3f3cad/'}]
FileScan-IO: LIKELY_MALICIOUS
Kaspersky: Malware

Indicators of Compromise

If you're hunting for this sample or related SalatStealer activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: a3a2fe509cb278c84202c7f6023db15692a1e501ea3dc6c46a1d45788cacd1f4
Filename pattern: winwsdriver.exe
File type: exe
Behavioral tags: exe, infostealer, psw, salat, salatstealer, stealer, upx
YARA rules matched: Base64_Encoded_Powershell_Directives, Base64_Encoded_Powershell_Directives, command_and_control, CP_Script_Inject_Detector, DebuggerCheck__QueryInfo

How to Check If You're Affected

Search your endpoint logs for the SHA-256 a3a2fe509cb278c84202c7f6023db15692a1e501ea3dc6c46a1d45788cacd1f4. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename winwsdriver.exe in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — SalatStealer typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. SalatStealer frequently targets these.
Check for secondary payloads. SalatStealer is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

Stealc Sample Detected: file

THREAT CHAIN — Sat, 30 May 2026 11:15:22 +0000

It costs $50 on Telegram. It steals everything in your browser. And most antivirus misses it completely.

A new Stealc sample was identified by threat intelligence feeds on 2026-05-30 09:43:13. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`1217681270b058cb08ff0eef8aad93219db13db2162a528d99267a354a85e62a`
File name	`file`
File type	exe
Size	766.0 KB
Origin (first observed)	US
First seen	2026-05-30 09:43:13
Family	Stealc
Tags	54e64e, dropped-by-Amadey, exe, Stealc
VirusTotal detection	38/75 engines flagged malicious

What Stealc Does

Stealc is a relatively new information stealer that mimics Vidar and RedLine. It targets browser data, crypto wallets, email clients, and messenger apps, and it's gained rapid adoption in underground markets.

Seeing this family on your network — or finding a file matching this hash — is a red flag. Stealc samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': None, 'verdict': 'Malicious activity', 'file_name': '_1217681270b058cb08ff0eef8aad93219db13db2162a528d99267a354a85e62a.exe', 'date': '2026-05-30 09:43:45', 'analysis_url': 'https://app.any.run/tasks/8a8f8c22-e686-49e4-b976-f17061f5f911', 'tags': ['stealc', 'stealer']}]
YOROI_YOMI: Malicious File
vxCube: clean2
Intezer: malicious
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
UnpacMe: [{'sha256_hash': '1217681270b058cb08ff0eef8aad93219db13db2162a528d99267a354a85e62a', 'md5_hash': '10b058c85c45c213796b23b27f77346b', 'sha1_hash': 'c4525c16a8caeb4a02789d1df7c202d409969785', 'detections': ['win_stealc_auto'], 'link': 'https://www.unpac.me/results/626a62dc-88b6-4e4c-abd2-d523f6cb1e0b/'}, {'sha256_hash': '61ab1d22949eac0582e989ae065ec4caee9ac99998276317edda96735cd311fb', 'md5_hash': 'a8480ece517b8367ca8418d7888f410d', 'sha1_hash': '49802c5598b2e9d94229ae987d0ac47bbf8977ea', 'detections': ['win_stealc_auto'], 'link': 'https://www.unpac.me/results/626a62dc-88b6-4e4c-abd2-d523f6cb1e0b/'}]
VMRay: Stealc,Stealc.v2
FileScan-IO: LIKELY_MALICIOUS
Kaspersky: NoThreats

Indicators of Compromise

If you're hunting for this sample or related Stealc activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: 1217681270b058cb08ff0eef8aad93219db13db2162a528d99267a354a85e62a
Filename pattern: file
File type: exe
Behavioral tags: 54e64e, dropped-by-Amadey, exe, Stealc
YARA rules matched: cobalt_strike_tmp01925d3f, DebuggerCheck__API, DetectEncryptedVariants, golang_bin_JCorn_CSC846, Heuristics_ChromeABE

How to Check If You're Affected

Search your endpoint logs for the SHA-256 1217681270b058cb08ff0eef8aad93219db13db2162a528d99267a354a85e62a. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename file in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — Stealc typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. Stealc frequently targets these.
Check for secondary payloads. Stealc is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

Xtrat Sample Detected: eastvillageeaterys

THREAT CHAIN — Fri, 29 May 2026 19:15:23 +0000

Your security tools might have missed this one. Xtrat is actively targeting networks right now — here's what you need to know before it hits yours.

A new Xtrat sample was identified by threat intelligence feeds on 2026-05-29 15:31:35. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`bffa9209a6fac3a4a7ff7b42f235ea38976a89e925356b9c751981f418e2d775`
File name	`eastvillageeaterys`
File type	exe
Size	19.0 KB
Origin (first observed)	BE
First seen	2026-05-29 15:31:35
Family	Xtrat
Tags	auto-reg, exe, rat, upx, xtrat
VirusTotal detection	64/75 engines flagged malicious

What Xtrat Does

Xtrat is a malware family observed delivering malicious payloads to Windows systems. Samples in this family typically steal credentials, establish persistence, or enable remote access for attackers.

Seeing this family on your network — or finding a file matching this hash — is a red flag. Xtrat samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': 'xtrat', 'verdict': 'Malicious activity', 'file_name': 'eastvillageeaterys.exe', 'date': '2026-05-29 15:23:14', 'analysis_url': 'https://app.any.run/tasks/91016a88-ead9-499a-ad1e-0d17dd3047ec', 'tags': ['auto-reg', 'xtrat', 'rat', 'upx']}]
vxCube: malware2
Intezer: malicious
CAPE: Xtreme
Triage: xtremerat
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
UnpacMe: [{'sha256_hash': 'bffa9209a6fac3a4a7ff7b42f235ea38976a89e925356b9c751981f418e2d775', 'md5_hash': '6623ded5d0339f3275b05c8df3257518', 'sha1_hash': '31d73157cdf85b012526bdabaf6170c62db8abc0', 'detections': [], 'link': 'https://www.unpac.me/results/160f9150-362e-4aa7-8cb6-705c220b9139/'}, {'sha256_hash': '9feed9d389ef5992ca78a11d5292a89f62f885b8c21599f308e45d9752436f95', 'md5_hash': '76cb054e3e151f0ae39baae82c4941e1', 'sha1_hash': 'b2dc728d1b02c1039b76afdfc045820f7581a8bb', 'detections': ['win_extreme_rat_auto', 'win_extreme_rat_w0', 'triage_xtremerat_rat'], 'link': 'https://www.unpac.me/results/160f9150-362e-4aa7-8cb6-705c220b9139/'}]
VMRay: XtremeRAT
FileScan-IO: MALICIOUS
Kaspersky: Malware

Indicators of Compromise

If you're hunting for this sample or related Xtrat activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: bffa9209a6fac3a4a7ff7b42f235ea38976a89e925356b9c751981f418e2d775
Filename pattern: eastvillageeaterys
File type: exe
Behavioral tags: auto-reg, exe, rat, upx, xtrat
YARA rules matched: CP_Script_Inject_Detector, pe_detect_tls_callbacks, pe_detect_tls_callbacks, RAT_Xtreme, ThreadControl__Context

How to Check If You're Affected

Search your endpoint logs for the SHA-256 bffa9209a6fac3a4a7ff7b42f235ea38976a89e925356b9c751981f418e2d775. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename eastvillageeaterys in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — Xtrat typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. Xtrat frequently targets these.
Check for secondary payloads. Xtrat is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

Mirai Sample Detected: boatnet.mpsl

THREAT CHAIN — Fri, 29 May 2026 11:15:12 +0000

Your home router might be attacking websites right now and you'd never know. Millions are already compromised.

A new Mirai sample was identified by threat intelligence feeds on 2026-05-29 09:57:43. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`d157b6505220f50d286020848830814a51b32cd58a82cd77ee51b2ebfb54e2ab`
File name	`boatnet.mpsl`
File type	elf
Size	74.3 KB
Origin (first observed)	NL
First seen	2026-05-29 09:57:43
Family	Mirai
Tags	elf, Mirai, upx-dec

What Mirai Does

Mirai is a family of IoT botnets that spread by brute-forcing default credentials on routers, cameras, and other embedded devices. Infected devices are typically used to launch DDoS attacks or as proxies for other criminal activity.

Seeing this family on your network — or finding a file matching this hash — is a red flag. Mirai samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

CERT-PL_MWDB: mirai
YOROI_YOMI: Legit File
vxCube: malware2
Intezer: not_supported
Triage: mirai
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
FileScan-IO: UNKNOWN

Indicators of Compromise

If you're hunting for this sample or related Mirai activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: d157b6505220f50d286020848830814a51b32cd58a82cd77ee51b2ebfb54e2ab
Filename pattern: boatnet.mpsl
File type: elf
Behavioral tags: elf, Mirai, upx-dec
YARA rules matched: botnet_Yakuza, linux_generic_ipv6_catcher, Linux_Trojan_Gafgyt_28a2fe0c, Linux_Trojan_Gafgyt_ea92cca8, Mirai_Botnet_Malware

How to Check If You're Affected

Search your endpoint logs for the SHA-256 d157b6505220f50d286020848830814a51b32cd58a82cd77ee51b2ebfb54e2ab. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename boatnet.mpsl in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — Mirai typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. Mirai frequently targets these.
Check for secondary payloads. Mirai is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

WannaCry Sample Detected: 2318cacaf04dccd78420bfb0510ddd906e670fe0eb63113d00d3a04b3f4fff96

THREAT CHAIN — Thu, 28 May 2026 19:15:23 +0000

Your security tools might have missed this one. WannaCry is actively targeting networks right now — here's what you need to know before it hits yours.

A new WannaCry sample was identified by threat intelligence feeds on 2026-05-28 16:15:10. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`2318cacaf04dccd78420bfb0510ddd906e670fe0eb63113d00d3a04b3f4fff96`
File name	`2318cacaf04dccd78420bfb0510ddd906e670fe0eb63113d00d3a04b3f4fff96`
File type	exe
Size	5.05 MB
Origin (first observed)	US
First seen	2026-05-28 16:15:10
Family	WannaCry
Tags	dionaea, exe, WannaCry
VirusTotal detection	58/75 engines flagged malicious

What WannaCry Does

WannaCry is a malware family observed delivering malicious payloads to Windows systems. Samples in this family typically steal credentials, establish persistence, or enable remote access for attackers.

Seeing this family on your network — or finding a file matching this hash — is a red flag. WannaCry samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': None, 'verdict': 'No threats detected', 'file_name': 'exe', 'date': '2026-05-28 16:17:50', 'analysis_url': 'https://app.any.run/tasks/fbc2ec6e-ba7a-4cd6-9a15-54dd246dd439', 'tags': []}]
vxCube: malware2
Intezer: malicious
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
UnpacMe: [{'sha256_hash': '2318cacaf04dccd78420bfb0510ddd906e670fe0eb63113d00d3a04b3f4fff96', 'md5_hash': '6a5ccfb1a5e88d806355c76edf5afcad', 'sha1_hash': '1b425a860647f78c70c24eb4872893c475264c3a', 'detections': ['WannaCry'], 'link': 'https://www.unpac.me/results/2420055a-6e76-4197-944c-8dfd7e37bd60/'}]
FileScan-IO: MALICIOUS
Kaspersky: Malware

Indicators of Compromise

If you're hunting for this sample or related WannaCry activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: 2318cacaf04dccd78420bfb0510ddd906e670fe0eb63113d00d3a04b3f4fff96
Filename pattern: 2318cacaf04dccd78420bfb0510ddd906e670fe0eb63113d00d3a04b3f4fff96
File type: exe
Behavioral tags: dionaea, exe, WannaCry
YARA rules matched: DebuggerCheck__API, golang_bin_JCorn_CSC846, malware_shellcode_hash, WannaCry_Ransomware

How to Check If You're Affected

Search your endpoint logs for the SHA-256 2318cacaf04dccd78420bfb0510ddd906e670fe0eb63113d00d3a04b3f4fff96. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename 2318cacaf04dccd78420bfb0510ddd906e670fe0eb63113d00d3a04b3f4fff96 in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — WannaCry typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. WannaCry frequently targets these.
Check for secondary payloads. WannaCry is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

AgentTesla Sample Detected: SCANDOC275.vbs

THREAT CHAIN — Thu, 28 May 2026 11:15:16 +0000

That email attachment your coworker just opened? It's copying every password they've ever saved. Right now.

A new AgentTesla sample was identified by threat intelligence feeds on 2026-05-28 09:52:26. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`d702322e43f468163353b2478ec1626e569d8a33e2732e95d6d4abf2432168bb`
File name	`SCANDOC275.vbs`
File type	vbs
Size	415.4 KB
Origin (first observed)	CH
First seen	2026-05-28 09:52:26
Family	AgentTesla
Tags	AgentTesla, vbs
VirusTotal detection	11/75 engines flagged malicious

What AgentTesla Does

Agent Tesla is a .NET-based keylogger and credential stealer that's been active for years. It's typically delivered via phishing and steals browser passwords, FTP credentials, and email client data.

Seeing this family on your network — or finding a file matching this hash — is a red flag. AgentTesla samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

Triage: agenttesla
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
FileScan-IO: MALICIOUS
Kaspersky: Malware

Indicators of Compromise

If you're hunting for this sample or related AgentTesla activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: d702322e43f468163353b2478ec1626e569d8a33e2732e95d6d4abf2432168bb
Filename pattern: SCANDOC275.vbs
File type: vbs
Behavioral tags: AgentTesla, vbs

How to Check If You're Affected

Search your endpoint logs for the SHA-256 d702322e43f468163353b2478ec1626e569d8a33e2732e95d6d4abf2432168bb. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename SCANDOC275.vbs in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — AgentTesla typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. AgentTesla frequently targets these.
Check for secondary payloads. AgentTesla is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

Vidar Sample Detected: Launcher.exe

THREAT CHAIN — Wed, 27 May 2026 19:15:11 +0000

That 'free software' download just exfiltrated every password, cookie, and autofill entry on your machine in under 5 seconds.

A new Vidar sample was identified by threat intelligence feeds on 2026-05-27 17:41:40. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`3cc6feeec3edb145763876a396d902d6ef1de2b0f181fc38baa23363ad9a84da`
File name	`Launcher.exe`
File type	exe
Size	2.19 MB
Origin (first observed)	DE
First seen	2026-05-27 17:41:40
Family	Vidar
Tags	exe, RemusStealer, signed, Vidar
VirusTotal detection	16/75 engines flagged malicious

What Vidar Does

Vidar is an information stealer derived from the Arkei family. It targets crypto wallets, 2FA backups, browser passwords, and session cookies — and it's often dropped by malvertising campaigns targeting users searching for popular software downloads.

Seeing this family on your network — or finding a file matching this hash — is a red flag. Vidar samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': 'vidar', 'verdict': 'Malicious activity', 'file_name': 'Launcher.exe', 'date': '2026-05-27 17:41:34', 'analysis_url': 'https://app.any.run/tasks/0d5cb8df-219c-41b8-af85-321aeae476ed', 'tags': ['stealer', 'stealc', 'vidar', 'golang', 'attachments', 'attc-unc']}]
vxCube: malware2
Intezer: unknown
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
UnpacMe: [{'sha256_hash': '3cc6feeec3edb145763876a396d902d6ef1de2b0f181fc38baa23363ad9a84da', 'md5_hash': 'd6cd359f07bb002c4f893ec4e0bcd71c', 'sha1_hash': '3dfe9266a1e61fed1119113868bc89956dc4c336', 'detections': [], 'link': 'https://www.unpac.me/results/9c1e87c2-1f26-41b9-9bd3-5c471fff9d94/'}]
VMRay: Vidar
FileScan-IO: LIKELY_MALICIOUS
Kaspersky: NoThreats

Indicators of Compromise

If you're hunting for this sample or related Vidar activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: 3cc6feeec3edb145763876a396d902d6ef1de2b0f181fc38baa23363ad9a84da
Filename pattern: Launcher.exe
File type: exe
Behavioral tags: exe, RemusStealer, signed, Vidar
YARA rules matched: command_and_control, CP_Script_Inject_Detector, DebuggerException__SetConsoleCtrl, DetectGoMethodSignatures, GoBinTest

How to Check If You're Affected

Search your endpoint logs for the SHA-256 3cc6feeec3edb145763876a396d902d6ef1de2b0f181fc38baa23363ad9a84da. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename Launcher.exe in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — Vidar typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. Vidar frequently targets these.
Check for secondary payloads. Vidar is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

NanoCore Sample Detected: Backdoor.exe

THREAT CHAIN — Wed, 27 May 2026 11:15:15 +0000

An attacker is reading your keystrokes, watching your screen, and downloading your files. The RAT that infected you cost $25.

A new NanoCore sample was identified by threat intelligence feeds on 2026-05-27 09:35:06. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`a2a68b45676bf44538f2effae4064ba2124ca759b21e801bc7dd855a2bd9f254`
File name	`Backdoor.exe`
File type	exe
Size	203.0 KB
Origin (first observed)	NL
First seen	2026-05-27 09:35:06
Family	NanoCore
Tags	exe, NanoCore, RAT
VirusTotal detection	44/75 engines flagged malicious

What NanoCore Does

NanoCore is a malware family observed delivering malicious payloads to Windows systems. Samples in this family typically steal credentials, establish persistence, or enable remote access for attackers.

Seeing this family on your network — or finding a file matching this hash — is a red flag. NanoCore samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': 'nanocore', 'verdict': 'Malicious activity', 'file_name': 'Backdoor.exe', 'date': '2026-05-26 11:19:54', 'analysis_url': 'https://app.any.run/tasks/9703f8a8-90de-45d8-b906-e69f1e074894', 'tags': ['auto-sch-xml', 'auto-reg', 'nanocore', 'rat', 'remote']}]
CERT-PL_MWDB: nanocore
vxCube: malware2
Intezer: malicious
CAPE: NanoCore
Triage: nanocore
Spamhaus_HBL: [{'detection': 'malicious', 'link': 'https://www.spamhaus.org/hbl/'}]
UnpacMe: [{'sha256_hash': 'a2a68b45676bf44538f2effae4064ba2124ca759b21e801bc7dd855a2bd9f254', 'md5_hash': 'a3bf3b8d6e8242de1859665f9272e4fb', 'sha1_hash': '7a97ee0624781c95654ca4641d4c3a3e14276a1f', 'detections': ['win_nanocore_w0', 'triage_nanocore_rat'], 'link': 'https://www.unpac.me/results/edc6d070-bb7a-4564-a16c-2d16f434788e/'}, {'sha256_hash': '61e9d5c0727665e9ef3f328141397be47c65ed11ab621c644b5bbf1d67138403', 'md5_hash': 'bdc8945f1d799c845408522e372d1dbd', 'sha1_hash': '874b7c3c97cc5b13b9dd172fec5a54bc1f258005', 'detections': ['triage_nanocore_rat'], 'link': 'https://www.unpac.me/results/edc6d070-bb7a-4564-a16c-2d16f434788e/'}, {'sha256_hash': '01e3b18bd63981decb384f558f0321346c3334bb6e6f97c31c6c95c4ab2fe354', 'md5_hash': '9c8242440c47a4f1ce2e47df3c3ddd28', 'sha1_hash': '874f3caf663265f7dd18fb565d91b7d915031251', 'detections': ['triage_nanocore_rat'], 'link': 'https://www.unpac.me/results/edc6d070-bb7a-4564-a16c-2d16f434788e/'}, {'sha256_hash': 'f9b8c3f31375e9a1ec105f930f751869a804110d29d6b38e7298622eb74b2bec', 'md5_hash': '42006852619847f368bc4062849cd6dc', 'sha1_hash': 'ba6edc3a5aba8eac15b6a30e1407cdae80b2481d', 'detections': [], 'link': 'https://www.unpac.me/results/edc6d070-bb7a-4564-a16c-2d16f434788e/'}]
VMRay: NanoCore
FileScan-IO: MALICIOUS

Indicators of Compromise

If you're hunting for this sample or related NanoCore activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: a2a68b45676bf44538f2effae4064ba2124ca759b21e801bc7dd855a2bd9f254
Filename pattern: Backdoor.exe
File type: exe
Behavioral tags: exe, NanoCore, RAT
YARA rules matched: ach_NanoCore, malware_Nanocore_strings, MALWARE_Win_NanoCore, Nanocore, nanocore_rat

How to Check If You're Affected

Search your endpoint logs for the SHA-256 a2a68b45676bf44538f2effae4064ba2124ca759b21e801bc7dd855a2bd9f254. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename Backdoor.exe in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — NanoCore typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. NanoCore frequently targets these.
Check for secondary payloads. NanoCore is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

RemusStealer Sample Detected: Bootstrapper.exe

THREAT CHAIN — Tue, 26 May 2026 19:15:14 +0000

Your security tools might have missed this one. RemusStealer is actively targeting networks right now — here's what you need to know before it hits yours.

A new RemusStealer sample was identified by threat intelligence feeds on 2026-05-26 18:11:33. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`beff95d5326762401e1ea804d3c75f8cc71533f152a5711361476ce466b39b54`
File name	`Bootstrapper.exe`
File type	exe
Size	1.47 MB
Origin (first observed)	DE
First seen	2026-05-26 18:11:33
Family	RemusStealer
Tags	exe, RemusStealer, signed
VirusTotal detection	8/75 engines flagged malicious

What RemusStealer Does

RemusStealer is a malware family observed delivering malicious payloads to Windows systems. Samples in this family typically steal credentials, establish persistence, or enable remote access for attackers.

Seeing this family on your network — or finding a file matching this hash — is a red flag. RemusStealer samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': None, 'verdict': 'Malicious activity', 'file_name': 'Bootstrapper.exe', 'date': '2026-05-26 18:10:46', 'analysis_url': 'https://app.any.run/tasks/feb26fe9-0f29-4bad-b4b2-616f86b50add', 'tags': ['stealer', 'remus', 'golang']}]
vxCube: malware2
Intezer: unknown
Triage: remus_stealer
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
UnpacMe: [{'sha256_hash': 'beff95d5326762401e1ea804d3c75f8cc71533f152a5711361476ce466b39b54', 'md5_hash': '2318f6b101a6a0901d5ce999372ee37d', 'sha1_hash': '91ef70d735a286c752784d364557d257a943f03a', 'detections': [], 'link': 'https://www.unpac.me/results/270aec5e-bd3b-4cba-b582-21608fd6f1e7/'}]
VMRay: RemusStealer,RemusLogger
FileScan-IO: NO_THREAT
Kaspersky: NoThreats

Indicators of Compromise

If you're hunting for this sample or related RemusStealer activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: beff95d5326762401e1ea804d3c75f8cc71533f152a5711361476ce466b39b54
Filename pattern: Bootstrapper.exe
File type: exe
Behavioral tags: exe, RemusStealer, signed
YARA rules matched: command_and_control, CP_Script_Inject_Detector, DebuggerException__SetConsoleCtrl, DetectGoMethodSignatures, GoBinTest

How to Check If You're Affected

Search your endpoint logs for the SHA-256 beff95d5326762401e1ea804d3c75f8cc71533f152a5711361476ce466b39b54. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename Bootstrapper.exe in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — RemusStealer typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. RemusStealer frequently targets these.
Check for secondary payloads. RemusStealer is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

BlackMatter Sample Detected: file

THREAT CHAIN — Tue, 26 May 2026 11:15:23 +0000

Your security tools might have missed this one. BlackMatter is actively targeting networks right now — here's what you need to know before it hits yours.

A new BlackMatter sample was identified by threat intelligence feeds on 2026-05-26 08:11:32. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`cdc7d79ae4215dccf60882afb6c3abee6b95d9db7c1587746fc8d533d1631e9d`
File name	`file`
File type	exe
Size	146.0 KB
Origin (first observed)	US
First seen	2026-05-26 08:11:32
Family	BlackMatter
Tags	BlackMatter, dropped-by-phorpiex, exe
VirusTotal detection	61/75 engines flagged malicious

What BlackMatter Does

BlackMatter is a malware family observed delivering malicious payloads to Windows systems. Samples in this family typically steal credentials, establish persistence, or enable remote access for attackers.

Seeing this family on your network — or finding a file matching this hash — is a red flag. BlackMatter samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': 'lockbit', 'verdict': 'Malicious activity', 'file_name': '_cdc7d79ae4215dccf60882afb6c3abee6b95d9db7c1587746fc8d533d1631e9d.exe', 'date': '2026-05-26 08:14:02', 'analysis_url': 'https://app.any.run/tasks/1ca9b8b8-6555-4687-8daf-0ca9cef69694', 'tags': ['lockbit', 'darkside', 'ransomware']}]
CERT-PL_MWDB: lockbit
vxCube: malware2
Intezer: malicious
Triage: lockbit
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
UnpacMe: [{'sha256_hash': 'cdc7d79ae4215dccf60882afb6c3abee6b95d9db7c1587746fc8d533d1631e9d', 'md5_hash': '50b2838c53073e2ba3b97befe6880e94', 'sha1_hash': '2de73dca581ed0f4bb0308da1e3c8a3f0fa7fad6', 'detections': ['triage_blackmatter_ransomware', 'triage_lockbit3_ransomware', 'triage_lockbit_ransomware'], 'link': 'https://www.unpac.me/results/36198295-d98e-4407-8af0-69b591d813d5/'}]
VMRay: LockBitBlack,LockBit
FileScan-IO: SUSPICIOUS
Kaspersky: Malware

Indicators of Compromise

If you're hunting for this sample or related BlackMatter activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: cdc7d79ae4215dccf60882afb6c3abee6b95d9db7c1587746fc8d533d1631e9d
Filename pattern: file
File type: exe
Behavioral tags: BlackMatter, dropped-by-phorpiex, exe
YARA rules matched: CRIME_WIN32_RANSOM_BLACKMATTER, Darkside, Detect_all_IPv6_variants, lb_stack_string_decrypt_1, VECT_Ransomware

How to Check If You're Affected

Search your endpoint logs for the SHA-256 cdc7d79ae4215dccf60882afb6c3abee6b95d9db7c1587746fc8d533d1631e9d. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename file in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — BlackMatter typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. BlackMatter frequently targets these.
Check for secondary payloads. BlackMatter is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

RemcosRAT Sample Detected: Backdoor.exe

THREAT CHAIN — Mon, 25 May 2026 19:15:24 +0000

For $58 on a hacking forum, anyone can buy full remote control of your computer. Camera, keyboard, files — everything.

A new RemcosRAT sample was identified by threat intelligence feeds on 2026-05-25 14:23:29. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`ddfff81d72e630cb6d8e77e59f362c40b6032d16ed9cd004c7c2e049360b80c0`
File name	`Backdoor.exe`
File type	exe
Size	92.0 KB
Origin (first observed)	unknown
First seen	2026-05-25 14:23:29
Family	RemcosRAT
Tags	exe, rat, remcos, RemcosRAT, remote-access, trojan
VirusTotal detection	68/75 engines flagged malicious

What RemcosRAT Does

RemcosRAT is a malware family observed delivering malicious payloads to Windows systems. Samples in this family typically steal credentials, establish persistence, or enable remote access for attackers.

Seeing this family on your network — or finding a file matching this hash — is a red flag. RemcosRAT samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': 'remcos', 'verdict': 'Malicious activity', 'file_name': 'Backdoor.exe', 'date': '2026-05-25 14:21:55', 'analysis_url': 'https://app.any.run/tasks/a06e3b37-7b01-4207-89d5-f74f80989358', 'tags': ['rat', 'remcos']}]
CERT-PL_MWDB: remcos
vxCube: malware2
Intezer: malicious
CAPE: Remcos
Triage: remcos
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
UnpacMe: [{'sha256_hash': 'ddfff81d72e630cb6d8e77e59f362c40b6032d16ed9cd004c7c2e049360b80c0', 'md5_hash': 'b82ad2590f7b479aa1d2699401ce8b5e', 'sha1_hash': 'bcc4406ff6c46923e3bec6652915d1fae88bbe2e', 'detections': ['win_remcos_auto', 'win_remcos_g0', 'Remcos'], 'link': 'https://www.unpac.me/results/7a0068dc-7760-4aa5-ab0b-276c340134ab/'}]
FileScan-IO: MALICIOUS
Kaspersky: Malware

Indicators of Compromise

If you're hunting for this sample or related RemcosRAT activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: ddfff81d72e630cb6d8e77e59f362c40b6032d16ed9cd004c7c2e049360b80c0
Filename pattern: Backdoor.exe
File type: exe
Behavioral tags: exe, rat, remcos, RemcosRAT, remote-access, trojan
YARA rules matched: CMD_Ping_Localhost, CP_Script_Inject_Detector, FreddyBearDropper, INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, malware_Remcos_strings

How to Check If You're Affected

Search your endpoint logs for the SHA-256 ddfff81d72e630cb6d8e77e59f362c40b6032d16ed9cd004c7c2e049360b80c0. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename Backdoor.exe in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — RemcosRAT typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. RemcosRAT frequently targets these.
Check for secondary payloads. RemcosRAT is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.