DEV Community: THREAT CHAIN

QuasarRAT Sample Detected: 7z2600-x32.exe

THREAT CHAIN — Sun, 10 May 2026 19:15:22 +0000

It's open-source on GitHub. It's also on thousands of infected machines right now, giving attackers full remote control.

A new QuasarRAT sample was identified by threat intelligence feeds on 2026-05-10 18:14:01. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`00e6af4b4e3df4c09673e4492483f3cec7bb27b4565bdd112973fb4952ad897c`
File name	`7z2600-x32.exe`
File type	exe
Size	3.09 MB
Origin (first observed)	VN
First seen	2026-05-10 18:14:01
Family	QuasarRAT
Tags	botnet, c2, exe, QuasarRAT, trojan
VirusTotal detection	58/75 engines flagged malicious

What QuasarRAT Does

QuasarRAT is a malware family observed delivering malicious payloads to Windows systems. Samples in this family typically steal credentials, establish persistence, or enable remote access for attackers.

Seeing this family on your network — or finding a file matching this hash — is a red flag. QuasarRAT samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': 'quasar', 'verdict': 'Malicious activity', 'file_name': '7z2600-x32.exe', 'date': '2026-04-19 07:02:32', 'analysis_url': 'https://app.any.run/tasks/4a244ab1-5983-4e32-b831-fc11499356b6', 'tags': ['quasar']}]
YOROI_YOMI: iSpy Keylogger
vxCube: malware2
Intezer: malicious
CAPE: QuasarRAT
Triage: quasar
Spamhaus_HBL: [{'detection': 'malicious', 'link': 'https://www.spamhaus.org/hbl/'}]
UnpacMe: [{'sha256_hash': '00e6af4b4e3df4c09673e4492483f3cec7bb27b4565bdd112973fb4952ad897c', 'md5_hash': 'cbf264674171a3810c737e31e851abe0', 'sha1_hash': 'abfd48110be614dba6217c534f2babe1c74ce454', 'detections': ['QuasarRAT'], 'link': 'https://www.unpac.me/results/adfb05e4-a907-4c44-9cc8-9fa2e47b9c81/'}]
FileScan-IO: MALICIOUS
Kaspersky: Malware

Indicators of Compromise

If you're hunting for this sample or related QuasarRAT activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: 00e6af4b4e3df4c09673e4492483f3cec7bb27b4565bdd112973fb4952ad897c
Filename pattern: 7z2600-x32.exe
File type: exe
Behavioral tags: botnet, c2, exe, QuasarRAT, trojan
YARA rules matched: BLOWFISH_Constants, CP_Script_Inject_Detector, DetectEncryptedVariants, Detect_PowerShell_Obfuscation, FreddyBearDropper

How to Check If You're Affected

Search your endpoint logs for the SHA-256 00e6af4b4e3df4c09673e4492483f3cec7bb27b4565bdd112973fb4952ad897c. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename 7z2600-x32.exe in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — QuasarRAT typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. QuasarRAT frequently targets these.
Check for secondary payloads. QuasarRAT is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

You can verify any suspicious hash against the ThreatChain database for free — no signup, no API key required. Paste any MD5, SHA-1, or SHA-256 at threatchain.io/lookup and get results across multiple intel sources in seconds.

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

Cobalt Strike Sample Detected: 申请项目同行评议意见反馈信.exe

THREAT CHAIN — Sun, 10 May 2026 11:15:23 +0000

Your security tools might have missed this one. Cobalt Strike is actively targeting networks right now — here's what you need to know before it hits yours.

A new Cobalt Strike sample was identified by threat intelligence feeds on 2026-05-10 05:20:49. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`d46e966d978515b900ae003dc3b56225199de590e62165bb073138935e9b4294`
File name	`申请项目同行评议意见反馈信.exe`
File type	exe
Size	4.60 MB
Origin (first observed)	SG
First seen	2026-05-10 05:20:49
Family	Cobalt Strike
Tags	Cobalt Strike, CobaltStrike, exe
VirusTotal detection	41/75 engines flagged malicious

What Cobalt Strike Does

Cobalt Strike is a legitimate penetration testing tool that has been widely cracked and abused by criminals for post-exploitation, lateral movement, and command-and-control operations. Its presence on a system is a strong indicator of a hands-on attacker.

Seeing this family on your network — or finding a file matching this hash — is a red flag. Cobalt Strike samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': None, 'verdict': 'No threats detected', 'file_name': 'exe', 'date': '2026-05-10 05:23:10', 'analysis_url': 'https://app.any.run/tasks/d144e18c-3cd1-42f5-8f2b-ec9ef7fbfb14', 'tags': ['rust']}]
YOROI_YOMI: Malicious File
vxCube: malware2
Intezer: malicious
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
UnpacMe: [{'sha256_hash': 'd46e966d978515b900ae003dc3b56225199de590e62165bb073138935e9b4294', 'md5_hash': '078b3ab17372d9f6568dae2be29393e1', 'sha1_hash': '0539bac46f6aeaa1910a54a24acde9f5e5a1ca5a', 'detections': [], 'link': 'https://www.unpac.me/results/2bdf51dc-e3a5-4aa9-859d-f4e37e18cbca/'}]
FileScan-IO: MALICIOUS
Kaspersky: Malware

Indicators of Compromise

If you're hunting for this sample or related Cobalt Strike activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: d46e966d978515b900ae003dc3b56225199de590e62165bb073138935e9b4294
Filename pattern: 申请项目同行评议意见反馈信.exe
File type: exe
Behavioral tags: Cobalt Strike, CobaltStrike, exe
YARA rules matched: DebuggerCheck_API, DebuggerCheck_QueryInfo, golang_bin_JCorn_CSC846, MD5_Constants, pe_detect_tls_callbacks

How to Check If You're Affected

Search your endpoint logs for the SHA-256 d46e966d978515b900ae003dc3b56225199de590e62165bb073138935e9b4294. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename 申请项目同行评议意见反馈信.exe in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — Cobalt Strike typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. Cobalt Strike frequently targets these.
Check for secondary payloads. Cobalt Strike is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

Vidar Sample Detected: file

THREAT CHAIN — Sat, 09 May 2026 11:15:24 +0000

That 'free software' download just exfiltrated every password, cookie, and autofill entry on your machine in under 5 seconds.

A new Vidar sample was identified by threat intelligence feeds on 2026-05-09 01:31:07. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`3339def7f554fc59bbf2658e323167188d579e379502f2c508c04bf3656a9e6e`
File name	`file`
File type	exe
Size	213.5 KB
Origin (first observed)	US
First seen	2026-05-09 01:31:07
Family	Vidar
Tags	d52f85, dropped-by-Amadey, exe, upx, Vidar
VirusTotal detection	51/75 engines flagged malicious

What Vidar Does

Vidar is an information stealer derived from the Arkei family. It targets crypto wallets, 2FA backups, browser passwords, and session cookies — and it's often dropped by malvertising campaigns targeting users searching for popular software downloads.

Seeing this family on your network — or finding a file matching this hash — is a red flag. Vidar samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': 'vidar', 'verdict': 'Malicious activity', 'file_name': 'exe', 'date': '2026-05-09 01:31:56', 'analysis_url': 'https://app.any.run/tasks/c12661d9-4c1e-4ca5-ac9b-732afbae9555', 'tags': ['vidar', 'stealer', 'upx']}]
YOROI_YOMI: Malicious File
vxCube: malware2
Intezer: suspicious
Triage: vidar
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
UnpacMe: [{'sha256_hash': '3339def7f554fc59bbf2658e323167188d579e379502f2c508c04bf3656a9e6e', 'md5_hash': '9929dd9b673b7531cffcf3da5324c8ae', 'sha1_hash': '28eda4d556e488009d6e9125d4eb3c0f60c1a553', 'detections': [], 'link': 'https://www.unpac.me/results/3343d26b-3e7c-4602-b054-d9e34b70889f/'}, {'sha256_hash': '3fa483f53405ca08a41ac9c0eae2d484b46001ea7df71c987dad848f3963e639', 'md5_hash': '4b73124cd33bafc506d102a316a63643', 'sha1_hash': 'b24c19e20a4f055da39294652560004169765a8c', 'detections': [], 'link': 'https://www.unpac.me/results/3343d26b-3e7c-4602-b054-d9e34b70889f/'}]
FileScan-IO: MALICIOUS
Kaspersky: Malware

Indicators of Compromise

If you're hunting for this sample or related Vidar activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: 3339def7f554fc59bbf2658e323167188d579e379502f2c508c04bf3656a9e6e
Filename pattern: file
File type: exe
Behavioral tags: d52f85, dropped-by-Amadey, exe, upx, Vidar
YARA rules matched: CP_Script_Inject_Detector, DebuggerCheck_API, DebuggerCheckQueryInfo, DebuggerCheckRemoteAPI, DebuggerHiding_Active

How to Check If You're Affected

Search your endpoint logs for the SHA-256 3339def7f554fc59bbf2658e323167188d579e379502f2c508c04bf3656a9e6e. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename file in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — Vidar typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. Vidar frequently targets these.
Check for secondary payloads. Vidar is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

AsyncRAT Sample Detected: Telegram (1).exe

THREAT CHAIN — Fri, 08 May 2026 19:15:14 +0000

Open-source. Free. And in the hands of thousands of attackers who use it to watch your every move through your own webcam.

A new AsyncRAT sample was identified by threat intelligence feeds on 2026-05-08 17:59:02. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`103bf7cda93749567f7e16e48cd205fd059fdda7f7396a781c6e4a096a3b47d7`
File name	`Telegram (1).exe`
File type	exe
Size	112.0 KB
Origin (first observed)	VN
First seen	2026-05-08 17:59:02
Family	AsyncRAT
Tags	AsyncRAT, c2, dcrat, exe, rat, windows
VirusTotal detection	53/75 engines flagged malicious

What AsyncRAT Does

AsyncRAT is an open-source remote access trojan that criminals have endlessly modified and reused. It provides persistent remote control, credential theft, and the ability to deploy additional payloads. Because the source code is public, defenders see constant variants that evade signature-based detection.

Seeing this family on your network — or finding a file matching this hash — is a red flag. AsyncRAT samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': 'asyncrat', 'verdict': 'Malicious activity', 'file_name': '_103bf7cda93749567f7e16e48cd205fd059fdda7f7396a781c6e4a096a3b47d7.exe', 'date': '2026-05-08 18:00:36', 'analysis_url': 'https://app.any.run/tasks/b7e29424-a134-4d5d-87da-640a0660b5ce', 'tags': ['auto-reg', 'asyncrat', 'rat']}]
CERT-PL_MWDB: asyncrat
vxCube: malware2
Intezer: malicious
Triage: asyncrat
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
UnpacMe: [{'sha256_hash': '103bf7cda93749567f7e16e48cd205fd059fdda7f7396a781c6e4a096a3b47d7', 'md5_hash': 'b669f2d36b0b71f614751ed3c4486c0b', 'sha1_hash': 'd93d360643cd95ca8b2f2bbcf61b2fec5dc208f0', 'detections': ['win_asyncrat_w0', 'AsyncRAT'], 'link': 'https://www.unpac.me/results/2ea0565e-83d4-4435-aafc-783f730cef69/'}]
FileScan-IO: MALICIOUS
Kaspersky: NotCategorized

Indicators of Compromise

If you're hunting for this sample or related AsyncRAT activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: 103bf7cda93749567f7e16e48cd205fd059fdda7f7396a781c6e4a096a3b47d7
Filename pattern: Telegram (1).exe
File type: exe
Behavioral tags: AsyncRAT, c2, dcrat, exe, rat, windows
YARA rules matched: AsyncRat, asyncrat, AsyncRAT_057B, asyncrat_kingrat, DebuggerCheck__RemoteAPI

How to Check If You're Affected

Search your endpoint logs for the SHA-256 103bf7cda93749567f7e16e48cd205fd059fdda7f7396a781c6e4a096a3b47d7. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename Telegram (1).exe in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — AsyncRAT typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. AsyncRAT frequently targets these.
Check for secondary payloads. AsyncRAT is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

RemcosRAT Sample Detected: DHL Shipment Details.xls

THREAT CHAIN — Fri, 08 May 2026 11:15:24 +0000

For $58 on a hacking forum, anyone can buy full remote control of your computer. Camera, keyboard, files — everything.

A new RemcosRAT sample was identified by threat intelligence feeds on 2026-05-08 09:56:04. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`25c3bd326e331a73559179092b5d981361dbc693dea7ee098dd4e279f56e084e`
File name	`DHL Shipment Details.xls`
File type	xls
Size	284.0 KB
Origin (first observed)	SE
First seen	2026-05-08 09:56:04
Family	RemcosRAT
Tags	DHL, RemcosRAT, xls
VirusTotal detection	14/75 engines flagged malicious

What RemcosRAT Does

RemcosRAT is a malware family observed delivering malicious payloads to Windows systems. Samples in this family typically steal credentials, establish persistence, or enable remote access for attackers.

Seeing this family on your network — or finding a file matching this hash — is a red flag. RemcosRAT samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': None, 'verdict': 'No threats detected', 'file_name': '_25c3bd326e331a73559179092b5d981361dbc693dea7ee098dd4e279f56e084e.xls', 'date': '2026-05-08 10:00:43', 'analysis_url': 'https://app.any.run/tasks/98f7db21-35fa-41d2-aaef-a1c053f42bf6', 'tags': ['ole-embedded']}]
CERT-PL_MWDB: remcos
YOROI_YOMI: Malicious File
vxCube: malware2
InQuest: SUSPICIOUS
DocGuard: Malicious
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
FileScan-IO: MALICIOUS
Kaspersky: Malware

Indicators of Compromise

If you're hunting for this sample or related RemcosRAT activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: 25c3bd326e331a73559179092b5d981361dbc693dea7ee098dd4e279f56e084e
Filename pattern: DHL Shipment Details.xls
File type: xls
Behavioral tags: DHL, RemcosRAT, xls
YARA rules matched: FreddyBearDropper, informational_win_ole_exist, informational_win_ole_protected, XLS_STRINGS

How to Check If You're Affected

Search your endpoint logs for the SHA-256 25c3bd326e331a73559179092b5d981361dbc693dea7ee098dd4e279f56e084e. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename DHL Shipment Details.xls in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — RemcosRAT typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. RemcosRAT frequently targets these.
Check for secondary payloads. RemcosRAT is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

Amadey Sample Detected: file

THREAT CHAIN — Thu, 07 May 2026 19:15:27 +0000

It doesn't steal your data — it opens the door for everything else. Ransomware, stealers, miners. This loader delivers them all.

A new Amadey sample was identified by threat intelligence feeds on 2026-05-07 17:01:34. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`527c99c63beca1735ed785e3907aa7c88a467453a4a55f808400e8e402e6cbe3`
File name	`file`
File type	exe
Size	510.0 KB
Origin (first observed)	US
First seen	2026-05-07 17:01:34
Family	Amadey
Tags	Amadey, d52f85, dropped-by-Amadey, exe, upx
VirusTotal detection	24/75 engines flagged malicious

What Amadey Does

Amadey is a malware family observed delivering malicious payloads to Windows systems. Samples in this family typically steal credentials, establish persistence, or enable remote access for attackers.

Seeing this family on your network — or finding a file matching this hash — is a red flag. Amadey samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': 'vidar', 'verdict': 'Malicious activity', 'file_name': '_527c99c63beca1735ed785e3907aa7c88a467453a4a55f808400e8e402e6cbe3.exe', 'date': '2026-05-07 17:03:09', 'analysis_url': 'https://app.any.run/tasks/95566d15-b71f-4349-9305-5e261df0f070', 'tags': ['stealer', 'stealc', 'vidar', 'upx', 'amadey', 'botnet', 'loader']}]
vxCube: clean2
Intezer: suspicious
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
UnpacMe: [{'sha256_hash': '527c99c63beca1735ed785e3907aa7c88a467453a4a55f808400e8e402e6cbe3', 'md5_hash': 'ca856cc447d9176973ed01fb3cd8bbe9', 'sha1_hash': '107d0b261a92d98dc75d0b6bdd2a58293936ab1f', 'detections': [], 'link': 'https://www.unpac.me/results/d347ce89-e9e0-4fcb-8cef-99a852679ba7/'}, {'sha256_hash': 'f4e29cc8122b6bc3bd14910eae33c15b60059a4ba6145eebdb59090649e07fb0', 'md5_hash': '6560523a5f58a5ec460399be504365bb', 'sha1_hash': 'a78993894b694dc64b235fcd416071efbe4c8a1e', 'detections': [], 'link': 'https://www.unpac.me/results/d347ce89-e9e0-4fcb-8cef-99a852679ba7/'}]
VMRay: Amadey,Vidar
FileScan-IO: LIKELY_MALICIOUS
Kaspersky: NoThreats

Indicators of Compromise

If you're hunting for this sample or related Amadey activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: 527c99c63beca1735ed785e3907aa7c88a467453a4a55f808400e8e402e6cbe3
Filename pattern: file
File type: exe
Behavioral tags: Amadey, d52f85, dropped-by-Amadey, exe, upx
YARA rules matched: CP_Script_Inject_Detector, DebuggerCheck_QueryInfo, DebuggerCheckQueryInfo, DebuggerHidingThread, DebuggerHiding_Thread

How to Check If You're Affected

Search your endpoint logs for the SHA-256 527c99c63beca1735ed785e3907aa7c88a467453a4a55f808400e8e402e6cbe3. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename file in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — Amadey typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. Amadey frequently targets these.
Check for secondary payloads. Amadey is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

NanoCore Sample Detected: ee88.exe

THREAT CHAIN — Thu, 07 May 2026 11:15:25 +0000

An attacker is reading your keystrokes, watching your screen, and downloading your files. The RAT that infected you cost $25.

A new NanoCore sample was identified by threat intelligence feeds on 2026-05-07 10:00:06. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`884f2bd859993831630eaabc84cce99724c18c400f8be768d04c346ba9561474`
File name	`ee88.exe`
File type	exe
Size	203.0 KB
Origin (first observed)	NL
First seen	2026-05-07 10:00:06
Family	NanoCore
Tags	exe, NanoCore, RAT
VirusTotal detection	58/74 engines flagged malicious

What NanoCore Does

NanoCore is a malware family observed delivering malicious payloads to Windows systems. Samples in this family typically steal credentials, establish persistence, or enable remote access for attackers.

Seeing this family on your network — or finding a file matching this hash — is a red flag. NanoCore samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': 'nanocore', 'verdict': 'Malicious activity', 'file_name': 'ee88.exe', 'date': '2026-05-06 13:40:52', 'analysis_url': 'https://app.any.run/tasks/e4a0c959-655a-4597-8c1c-7e37dda6fd62', 'tags': ['auto-reg', 'auto-sch-xml', 'nanocore', 'rat', 'remote']}]
CERT-PL_MWDB: nanocore
YOROI_YOMI: Malicious File
vxCube: malware2
Intezer: malicious
CAPE: NanoCore
Triage: nanocore
Spamhaus_HBL: [{'detection': 'malicious', 'link': 'https://www.spamhaus.org/hbl/'}]
UnpacMe: [{'sha256_hash': '884f2bd859993831630eaabc84cce99724c18c400f8be768d04c346ba9561474', 'md5_hash': 'e4895511882e8067988b625910c093f5', 'sha1_hash': '07a15262a12702f36c23c4ca812318e13a138277', 'detections': ['win_nanocore_w0', 'triage_nanocore_rat'], 'link': 'https://www.unpac.me/results/a2085ccc-4e22-4300-81b3-5591ad0fa216/'}, {'sha256_hash': '61e9d5c0727665e9ef3f328141397be47c65ed11ab621c644b5bbf1d67138403', 'md5_hash': 'bdc8945f1d799c845408522e372d1dbd', 'sha1_hash': '874b7c3c97cc5b13b9dd172fec5a54bc1f258005', 'detections': ['triage_nanocore_rat'], 'link': 'https://www.unpac.me/results/a2085ccc-4e22-4300-81b3-5591ad0fa216/'}, {'sha256_hash': '01e3b18bd63981decb384f558f0321346c3334bb6e6f97c31c6c95c4ab2fe354', 'md5_hash': '9c8242440c47a4f1ce2e47df3c3ddd28', 'sha1_hash': '874f3caf663265f7dd18fb565d91b7d915031251', 'detections': ['triage_nanocore_rat'], 'link': 'https://www.unpac.me/results/a2085ccc-4e22-4300-81b3-5591ad0fa216/'}, {'sha256_hash': 'f9b8c3f31375e9a1ec105f930f751869a804110d29d6b38e7298622eb74b2bec', 'md5_hash': '42006852619847f368bc4062849cd6dc', 'sha1_hash': 'ba6edc3a5aba8eac15b6a30e1407cdae80b2481d', 'detections': [], 'link': 'https://www.unpac.me/results/a2085ccc-4e22-4300-81b3-5591ad0fa216/'}]
VMRay: NanoCore

Indicators of Compromise

If you're hunting for this sample or related NanoCore activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: 884f2bd859993831630eaabc84cce99724c18c400f8be768d04c346ba9561474
Filename pattern: ee88.exe
File type: exe
Behavioral tags: exe, NanoCore, RAT
YARA rules matched: ach_NanoCore, malware_Nanocore_strings, MALWARE_Win_NanoCore, Nanocore, nanocore_rat

How to Check If You're Affected

Search your endpoint logs for the SHA-256 884f2bd859993831630eaabc84cce99724c18c400f8be768d04c346ba9561474. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename ee88.exe in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — NanoCore typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. NanoCore frequently targets these.
Check for secondary payloads. NanoCore is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

Formbook Sample Detected: Purchase Order 350088.exe

THREAT CHAIN — Wed, 06 May 2026 11:15:25 +0000

Someone on your team opened an Excel file 10 minutes ago. Their browser passwords, email credentials, and keystrokes are already being sent to a server in Eastern Europe.

A new Formbook sample was identified by threat intelligence feeds on 2026-05-06 09:07:33. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`ead0a612c58e858cabd1248aca1ee32fa8d5e5a290bda6771bdc53e500140b12`
File name	`Purchase Order 350088.exe`
File type	exe
Size	1.12 MB
Origin (first observed)	DE
First seen	2026-05-06 09:07:33
Family	Formbook
Tags	exe, Formbook
VirusTotal detection	29/74 engines flagged malicious

What Formbook Does

Formbook is a credential-stealing trojan that hooks browser APIs to capture passwords, form submissions, and clipboard contents. It's been active since 2016 and continues to evolve, with recent campaigns using fake invoice and purchase order lures.

Seeing this family on your network — or finding a file matching this hash — is a red flag. Formbook samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': None, 'verdict': 'Malicious activity', 'file_name': 'PurchaseOrder350088.exe', 'date': '2026-05-06 09:11:02', 'analysis_url': 'https://app.any.run/tasks/b31b2eeb-564b-451d-938b-9fb2eed8ce46', 'tags': ['auto-reg']}]
YOROI_YOMI: Malicious File
vxCube: malware2
Intezer: suspicious
CAPE: Formbook
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
UnpacMe: [{'sha256_hash': 'ead0a612c58e858cabd1248aca1ee32fa8d5e5a290bda6771bdc53e500140b12', 'md5_hash': '3c3d4e6dd0c27c1e623c198f7ecf2163', 'sha1_hash': '4397efc638c80dd6ab2ea8430793a4b7a047c402', 'detections': [], 'link': 'https://www.unpac.me/results/822dba64-8ee1-46d1-84a8-92d0ec8e347f/'}]
VMRay: FormBook
FileScan-IO: MALICIOUS
Kaspersky: Malware

Indicators of Compromise

If you're hunting for this sample or related Formbook activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: ead0a612c58e858cabd1248aca1ee32fa8d5e5a290bda6771bdc53e500140b12
Filename pattern: Purchase Order 350088.exe
File type: exe
Behavioral tags: exe, Formbook
YARA rules matched: CP_Script_Inject_Detector, DebuggerCheck_GlobalFlags, DebuggerCheckQueryInfo, DebuggerHidingActive, DebuggerHiding_Thread

How to Check If You're Affected

Search your endpoint logs for the SHA-256 ead0a612c58e858cabd1248aca1ee32fa8d5e5a290bda6771bdc53e500140b12. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename Purchase Order 350088.exe in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — Formbook typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. Formbook frequently targets these.
Check for secondary payloads. Formbook is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

Mirai Sample Detected: luxzz.mpsl

THREAT CHAIN — Tue, 05 May 2026 19:15:13 +0000

Your home router might be attacking websites right now and you'd never know. Millions are already compromised.

A new Mirai sample was identified by threat intelligence feeds on 2026-05-05 17:45:50. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`1a8d5043cc77d05834d1b64b4a86d8db66ba5a79a23c6778d8f6b1c8b8de46f1`
File name	`luxzz.mpsl`
File type	elf
Size	50.2 KB
Origin (first observed)	DE
First seen	2026-05-05 17:45:50
Family	Mirai
Tags	elf, Mirai, upx
VirusTotal detection	30/74 engines flagged malicious

What Mirai Does

Mirai is a family of IoT botnets that spread by brute-forcing default credentials on routers, cameras, and other embedded devices. Infected devices are typically used to launch DDoS attacks or as proxies for other criminal activity.

Seeing this family on your network — or finding a file matching this hash — is a red flag. Mirai samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

vxCube: malware2
Intezer: unknown
Triage: mirai
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
FileScan-IO: LIKELY_MALICIOUS
Kaspersky: Malware

Indicators of Compromise

If you're hunting for this sample or related Mirai activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: 1a8d5043cc77d05834d1b64b4a86d8db66ba5a79a23c6778d8f6b1c8b8de46f1
Filename pattern: luxzz.mpsl
File type: elf
Behavioral tags: elf, Mirai, upx
YARA rules matched: linux_generic_ipv6_catcher, SUSP_ELF_LNX_UPX_Compressed_File, TH_Generic_MassHunt_Linux_Malware_2026_CYFARE, upx_packed_elf_v1

How to Check If You're Affected

Search your endpoint logs for the SHA-256 1a8d5043cc77d05834d1b64b4a86d8db66ba5a79a23c6778d8f6b1c8b8de46f1. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename luxzz.mpsl in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — Mirai typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. Mirai frequently targets these.
Check for secondary payloads. Mirai is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

PhantomStealer Sample Detected: PO 283974863 -R0-S - 0908273.exe

THREAT CHAIN — Tue, 05 May 2026 11:15:21 +0000

Your security tools might have missed this one. PhantomStealer is actively targeting networks right now — here's what you need to know before it hits yours.

A new PhantomStealer sample was identified by threat intelligence feeds on 2026-05-05 09:45:15. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`790945e17a51691483455a11af2efcbe15f2b473b65b151f50287623d1468516`
File name	`PO 283974863 -R0-S - 0908273.exe`
File type	exe
Size	1.46 MB
Origin (first observed)	CH
First seen	2026-05-05 09:45:15
Family	PhantomStealer
Tags	exe, PhantomStealer
VirusTotal detection	30/74 engines flagged malicious

What PhantomStealer Does

PhantomStealer is a malware family observed delivering malicious payloads to Windows systems. Samples in this family typically steal credentials, establish persistence, or enable remote access for attackers.

Seeing this family on your network — or finding a file matching this hash — is a red flag. PhantomStealer samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': None, 'verdict': 'Malicious activity', 'file_name': 'exe', 'date': '2026-05-05 09:46:56', 'analysis_url': 'https://app.any.run/tasks/5dd132d8-7f38-4c18-a2d4-5853a62b501e', 'tags': ['auto-reg', 'stealer', 'phantom', 'evasion']}]
vxCube: malware2
Intezer: suspicious
Triage: phantom_stealer
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
UnpacMe: [{'sha256_hash': '790945e17a51691483455a11af2efcbe15f2b473b65b151f50287623d1468516', 'md5_hash': 'e1faeb1fac915fb6c11273d220e7b11f', 'sha1_hash': '5ad3f0d0d8e0276dad0b1cc64aee36774db5543f', 'detections': [], 'link': 'https://www.unpac.me/results/63119f9d-581b-4166-bf5c-965285d9d7f2/'}, {'sha256_hash': '811859dcfc426727c9aaba5c18a50e81d14239cc66356535f51231af21a2fc4b', 'md5_hash': '85a88d1e4cd3423cd1127eb23baad1fa', 'sha1_hash': '080362d496998d60cb2ea0fcde11ffcb7f408db2', 'detections': [], 'link': 'https://www.unpac.me/results/63119f9d-581b-4166-bf5c-965285d9d7f2/'}, {'sha256_hash': '50b044fdf6ef68f9c4651f2058b889e7199ed9882342e5fbcb65c0372fc3498b', 'md5_hash': 'e741b14e6d5b9cb132b29d72e45deba1', 'sha1_hash': '4cd3be0545d2cd03bc177e017ebc29b544cc4d2e', 'detections': [], 'link': 'https://www.unpac.me/results/63119f9d-581b-4166-bf5c-965285d9d7f2/'}, {'sha256_hash': 'e10168e38bb5641a19bf4e5986d3ffc91aaefa1afe8cb781d14ce7e1b9090fd8', 'md5_hash': '07957d2377f93fd60bf885babf36295e', 'sha1_hash': 'daa46928a7a8542f59a3b4fb5558689a09f6ad3a', 'detections': ['phantom_stealer'], 'link': 'https://www.unpac.me/results/63119f9d-581b-4166-bf5c-965285d9d7f2/'}]
VMRay: PhantomStealer
FileScan-IO: LIKELY_MALICIOUS
Kaspersky: Malware

Indicators of Compromise

If you're hunting for this sample or related PhantomStealer activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: 790945e17a51691483455a11af2efcbe15f2b473b65b151f50287623d1468516
Filename pattern: PO 283974863 -R0-S - 0908273.exe
File type: exe
Behavioral tags: exe, PhantomStealer
YARA rules matched: NET, NETexecutableMicrosoft, pe_imphash, Skystars_Malware_Imphash

How to Check If You're Affected

Search your endpoint logs for the SHA-256 790945e17a51691483455a11af2efcbe15f2b473b65b151f50287623d1468516. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename PO 283974863 -R0-S - 0908273.exe in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — PhantomStealer typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. PhantomStealer frequently targets these.
Check for secondary payloads. PhantomStealer is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

XoriumStealer Sample Detected: file

THREAT CHAIN — Mon, 04 May 2026 19:15:23 +0000

Your security tools might have missed this one. XoriumStealer is actively targeting networks right now — here's what you need to know before it hits yours.

A new XoriumStealer sample was identified by threat intelligence feeds on 2026-05-04 17:46:19. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`5c799922f4e11ec30bbb60e39868b9d1892a681ff553c1da8df4bd0405e7374e`
File name	`file`
File type	exe
Size	99.5 KB
Origin (first observed)	US
First seen	2026-05-04 17:46:19
Family	XoriumStealer
Tags	dropped-by-GCleaner, exe, G, US.file, XoriumStealer
VirusTotal detection	17/74 engines flagged malicious

What XoriumStealer Does

XoriumStealer is a malware family observed delivering malicious payloads to Windows systems. Samples in this family typically steal credentials, establish persistence, or enable remote access for attackers.

Seeing this family on your network — or finding a file matching this hash — is a red flag. XoriumStealer samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': 'connectwise', 'verdict': 'Malicious activity', 'file_name': '_5c799922f4e11ec30bbb60e39868b9d1892a681ff553c1da8df4bd0405e7374e.exe', 'date': '2026-05-04 17:48:01', 'analysis_url': 'https://app.any.run/tasks/a68d45fb-bb22-4140-b4d7-f134c930dcde', 'tags': ['github', 'screenconnect', 'remote', 'loader', 'rmm-tool', 'uac', 'tool', 'auto-sch', 'connectwise', 'pulsar', 'rat', 'stealer']}]
vxCube: malware2
Intezer: unknown
Triage: xorium_stealer
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
UnpacMe: [{'sha256_hash': '5c799922f4e11ec30bbb60e39868b9d1892a681ff553c1da8df4bd0405e7374e', 'md5_hash': 'bdbe6fe4acf7401e4f5807dda77a58e9', 'sha1_hash': '752f4292e6ab01836034ce7f80df53cf7bc12d64', 'detections': [], 'link': 'https://www.unpac.me/results/ae360181-323c-4943-86f4-8d0791fb4f93/'}]
VMRay: ScreenConnect,QuasarRAT,ReflectiveLoader,XoriumStealer
FileScan-IO: LIKELY_MALICIOUS
Kaspersky: NotCategorized

Indicators of Compromise

If you're hunting for this sample or related XoriumStealer activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: 5c799922f4e11ec30bbb60e39868b9d1892a681ff553c1da8df4bd0405e7374e
Filename pattern: file
File type: exe
Behavioral tags: dropped-by-GCleaner, exe, G, US.file, XoriumStealer
YARA rules matched: detect_powershell, Detect_PowerShell_Obfuscation, NETexecutableMicrosoft, pe_imphash, Skystars_Malware_Imphash

How to Check If You're Affected

Search your endpoint logs for the SHA-256 5c799922f4e11ec30bbb60e39868b9d1892a681ff553c1da8df4bd0405e7374e. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename file in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — XoriumStealer typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. XoriumStealer frequently targets these.
Check for secondary payloads. XoriumStealer is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.

GuLoader Sample Detected: Purchase Order.exe

THREAT CHAIN — Mon, 04 May 2026 11:15:25 +0000

Your security tools might have missed this one. GuLoader is actively targeting networks right now — here's what you need to know before it hits yours.

A new GuLoader sample was identified by threat intelligence feeds on 2026-05-04 08:39:59. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.

The Sample at a Glance

Field	Value
SHA-256	`8f4a618be0b59f1156fb4b17347182412e54fc962360aab89e6e8b2e86f6605a`
File name	`Purchase Order.exe`
File type	exe
Size	773.3 KB
Origin (first observed)	DE
First seen	2026-05-04 08:39:59
Family	GuLoader
Tags	exe, exe-in-archive, GuLoader, spamtrap
VirusTotal detection	26/74 engines flagged malicious

What GuLoader Does

GuLoader is a malware family observed delivering malicious payloads to Windows systems. Samples in this family typically steal credentials, establish persistence, or enable remote access for attackers.

Seeing this family on your network — or finding a file matching this hash — is a red flag. GuLoader samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.

Detection Landscape

Multiple security vendors have weighed in on this specific sample:

ANY.RUN: [{'malware_family': 'remcos', 'verdict': 'Malicious activity', 'file_name': 'exe', 'date': '2026-05-04 08:42:21', 'analysis_url': 'https://app.any.run/tasks/f76d591d-0c99-4a9b-8c4f-601d0b054a3b', 'tags': ['rat', 'remcos', 'auto-reg', 'remote', 'stealer']}]
vxCube: clean2
Intezer: unknown
CAPE: Guloader
Triage: remcos
Spamhaus_HBL: [{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}]
UnpacMe: [{'sha256_hash': '8f4a618be0b59f1156fb4b17347182412e54fc962360aab89e6e8b2e86f6605a', 'md5_hash': '7d36e3d651081068f10b68870a46ce91', 'sha1_hash': '948acc5852f6a437bbba030e0c970756d340974b', 'detections': [], 'link': 'https://www.unpac.me/results/28aee1a5-25fc-4d63-96a5-13d2103350f7/'}, {'sha256_hash': '8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c', 'md5_hash': '9b38a1b07a0ebc5c7e59e63346ecc2db', 'sha1_hash': '97332a2ffcf12a3e3f27e7c05213b5d7faa13735', 'detections': [], 'link': 'https://www.unpac.me/results/28aee1a5-25fc-4d63-96a5-13d2103350f7/'}]
VMRay: GuLoader
FileScan-IO: MALICIOUS
Kaspersky: Malware

Indicators of Compromise

If you're hunting for this sample or related GuLoader activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:

SHA-256 hash: 8f4a618be0b59f1156fb4b17347182412e54fc962360aab89e6e8b2e86f6605a
Filename pattern: Purchase Order.exe
File type: exe
Behavioral tags: exe, exe-in-archive, GuLoader, spamtrap
YARA rules matched: Detect_NSIS_Nullsoft_Installer, VECT_Ransomware

How to Check If You're Affected

Search your endpoint logs for the SHA-256 8f4a618be0b59f1156fb4b17347182412e54fc962360aab89e6e8b2e86f6605a. Most EDR platforms support historical hash searches across all monitored hosts.
Check for the filename Purchase Order.exe in recently downloaded files, email attachments, and installer bundles.
Look for outbound connections to uncommon TLDs or newly registered domains — GuLoader typically beacons to command-and-control infrastructure shortly after execution.
Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.

What to Do If You Find It

If you find evidence of this sample or related activity on your systems:

Isolate the affected host from the network immediately to prevent lateral movement.
Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. GuLoader frequently targets these.
Check for secondary payloads. GuLoader is often a stepping stone for additional malware including ransomware or banking trojans.
Report the incident to your security team. For larger organizations, consider notifying your regional CERT.

Free Threat Lookups

For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.