
Malware cluster bomb leveraged by novel Unfurling Hemlock threat operation


Newly identified threat operation Unfurling Hemlock has deployed more than 50,000 malware cluster bombs as part of attacks delivering a plethora of malicious payloads since at least February 2023, more than half of which were targeted at U.S.-based systems, according to BleepingComputer.

Intrusions by Unfurling Hemlock, which is believed to be of Eastern European origin, begin with malicious emails carrying a 'WEXTRACT.EXE' file. When executed, it unpacks malware stored within nested compressed cabinet files across four to seven stages, an analysis from Outpost24's KrakenLabs cyber threat intelligence team revealed. Payloads distributed by the cluster bomb files include the Amadey and SmokeLoader loaders, the Redline and RisePro information-stealing malware, and Mystic Stealer, as well as the Enigma Packer for malware obfuscation, a performance checker, system information gathering tools, and the protection disabler and Healer.exe utilities, which deactivate security features such as Windows Defender on affected devices. Combating such a threat requires scanning downloaded files with up-to-date anti-virus tools, the researchers said.
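The multi-stage unpacking described above relies on cabinet (CAB) archives nested inside one another. The following scanner is an added example written for this article, not code from Outpost24, KrakenLabs or the reported campaign: it parses the documented 36-byte CFHEADER layout (the "MSCF" signature, cbCabinet, coffFiles, cFolders and cFiles fields), applies sanity checks so a stray "MSCF" string is not mistaken for a header, and recursively searches each cabinet body for further valid headers to estimate nesting depth. Two assumptions are worth stating: the heuristic only sees inner cabinets that are stored without compression (compressed inner stages would have to be extracted first), and the sample cabinets it builds are constructed stand-ins with a valid header and folder stub, not real extractable CAB files.

```python
"""Heuristic nested-CAB depth scanner (added example; assumptions noted inline).

Parses Microsoft CFHEADER records and counts how deeply valid cabinets are
nested inside one another. Deeply nested cabinets are a useful triage signal
for multi-stage droppers; a single cabinet is ordinary.
"""
import struct
from dataclasses import dataclass
from typing import Optional

CAB_MAGIC = b"MSCF"
# CFHEADER fixed part, little-endian, 36 bytes:
# signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER_FMT = "<4sIIIIIBBHHHHH"
CFHEADER_SIZE = struct.calcsize(CFHEADER_FMT)  # 36


@dataclass
class CabHeader:
    offset: int
    cb_cabinet: int   # declared total cabinet size
    coff_files: int   # offset of the first CFFILE entry
    c_folders: int
    c_files: int


def parse_header(buf: bytes, offset: int) -> Optional[CabHeader]:
    """Return a CabHeader if a plausible CFHEADER starts at offset, else None."""
    if offset + CFHEADER_SIZE > len(buf):
        return None
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, _flags, _set_id, _i_cab) = struct.unpack_from(CFHEADER_FMT, buf, offset)
    if sig != CAB_MAGIC:
        return None
    # Sanity checks: the declared size must fit in the buffer, the file table
    # must lie inside the cabinet, the version must be the documented 1.3, and
    # there must be at least one folder and one file.
    if cb_cabinet < CFHEADER_SIZE or offset + cb_cabinet > len(buf):
        return None
    if not (CFHEADER_SIZE <= coff_files < cb_cabinet):
        return None
    if (ver_major, ver_minor) != (1, 3) or c_folders == 0 or c_files == 0:
        return None
    return CabHeader(offset, cb_cabinet, coff_files, c_folders, c_files)


def nesting_depth(buf: bytes, offset: int = 0, depth: int = 0) -> int:
    """Depth of the deepest chain of cabinets visible in plaintext at buf[offset:].

    Assumption: inner cabinets are stored uncompressed, so their headers are
    visible without extracting the outer cabinet first.
    """
    hdr = parse_header(buf, offset)
    if hdr is None:
        return depth
    deepest = depth + 1
    body_end = offset + hdr.cb_cabinet
    body = buf[:body_end]  # an inner cabinet must fit inside its parent
    pos = body.find(CAB_MAGIC, offset + CFHEADER_SIZE)
    while pos != -1:
        inner = parse_header(body, pos)
        if inner is not None:
            deepest = max(deepest, nesting_depth(body, pos, depth + 1))
            pos = body.find(CAB_MAGIC, pos + inner.cb_cabinet)
        else:
            pos = body.find(CAB_MAGIC, pos + 1)  # false positive, keep scanning
    return deepest


def assess(buf: bytes, max_expected_depth: int = 1) -> dict:
    """Triage verdict: flag anything nested deeper than a single cabinet."""
    depth = nesting_depth(buf)
    return {"depth": depth, "is_cab": depth > 0,
            "suspicious": depth > max_expected_depth}


def build_cabinet(payload: bytes) -> bytes:
    """Constructed test input: a valid CFHEADER, an 8-byte CFFOLDER stub with
    typeCompress=0 (stored), then the payload. Sufficient for header parsing;
    it is not a real extractable cabinet (no CFFILE/CFDATA records)."""
    folder = struct.pack("<IHH", CFHEADER_SIZE + 8, 1, 0)
    cb_cabinet = CFHEADER_SIZE + len(folder) + len(payload)
    header = struct.pack(CFHEADER_FMT, CAB_MAGIC, 0, cb_cabinet, 0,
                         CFHEADER_SIZE + len(folder), 0, 3, 1, 1, 1, 0, 0, 0)
    return header + folder + payload


def nest(payload: bytes, stages: int) -> bytes:
    """Wrap payload in `stages` constructed cabinets, innermost first."""
    blob = payload
    for _ in range(stages):
        blob = build_cabinet(blob)
    return blob


if __name__ == "__main__":
    for label, sample in [("plain payload", b"payload"),
                          ("single cabinet", build_cabinet(b"payload")),
                          ("five-stage nest", nest(b"payload", 5))]:
        print(label, assess(sample))
```

A real triage pipeline would pair this with actual extraction (so compressed inner stages are exposed) and with the article's own mitigation, an up-to-date anti-virus scan of the unpacked contents; the header checks here simply keep a stray "MSCF" string inside ordinary data from being counted as a cabinet.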
