ETW Archives

Winsage

January 29, 2026

Swarmer Tool Evading EDR With a Stealthy Modification on Windows Registry for Persistence

Praetorian Inc. has launched Swarmer, a tool that enables low-privilege attackers to maintain stealthy persistence in the Windows registry while avoiding detection by Endpoint Detection and Response (EDR) systems. Swarmer uses mandatory user profiles and the Offline Registry API to modify the NTUSER hive without triggering standard registry hooks. It operates by creating an NTUSER.MAN file that replaces the NTUSER.DAT hive upon user login, allowing low-privilege users to manipulate registry settings without alerting EDR tools. Swarmer employs functions from Microsoft’s Offline Registry Library, enabling it to perform operations without invoking Reg* API calls, thus evading detection mechanisms. Swarmer's workflow involves exporting the HKCU registry, modifying it, and executing the tool with specific commands to place the modified NTUSER.MAN file into the user profile. It can be used as an executable or a PowerShell module. While it presents a novel method for persistence, Swarmer has limitations, such as being unable to update without admin access and requiring user login to activate. Detection strategies include monitoring for NTUSER.MAN file creation and Offreg.dll usage in non-standard processes.

Tech Optimizer

October 10, 2025

From infostealer to full RAT: dissecting the PureRAT attack chain

An investigation revealed that a Python-based infostealer campaign led to the deployment of PureRAT, a sophisticated remote access trojan (RAT). The campaign began with a phishing email containing a ZIP archive that included a legitimate PDF reader executable and a malicious DLL. The DLL executed a series of payloads, including a Python info-stealer that harvested sensitive data and exfiltrated it via the Telegram API. The attack progressed to a .NET executable, which employed techniques like process hollowing and evasion tactics to load additional payloads. The final payload, Mhgljosy.dll, was identified as PureRAT, which established an encrypted command-and-control (C2) channel and allowed for extensive control over the compromised host. The C2 server was traced to Vietnam, suggesting a connection to the PXA group. The malware's functionality included host fingerprinting, command execution, and potential access to sensitive information and resources. Indicators of compromise included specific file hashes, registry keys, and IP addresses associated with the C2 server.

Winsage

September 26, 2025

LNK Malware Leverages Legit Windows Files to Slip Past Defenses

Threat actors from Israel have reintroduced the use of Windows shortcut (.LNK) files to deliver a Remote Access Trojan (RAT). Victims are lured to download a file named “cyber security.lnk” from a Discord channel, which opens a decoy PDF while executing a PowerShell script in the background. The script uses odbcconf.exe to register and execute a malicious DLL (Moq.dll) and its supporting libraries. The RAT can collect system metrics, capture screenshots, upload files via the Dropbox API, and execute commands from a command-and-control (C2) server. It ensures persistence by modifying a registry key to launch on user login. Mitigation strategies include monitoring the execution of legitimate binaries, enforcing application whitelisting, and educating users about the risks of downloading files from untrusted sources.

Tech Optimizer

September 25, 2025

LNK Malware Leverages Windows Binaries to Evade Security Tools and Run Malicious Code

Cybersecurity researchers have identified a malware campaign utilizing Windows shortcut (.LNK) files distributed via Discord to deploy a Remote Access Trojan (RAT). The malicious file, named “cyber security.lnk,” lures users with a fake job offer PDF while executing PowerShell commands in the background. It displays a decoy document titled “Cyber Security.pdf” to distract victims during the infection process. The malware exploits the legitimate Windows utility odbcconf.exe to execute a malicious DLL named Moq.dll without triggering security alerts. A PowerShell script extracts a ZIP file containing the payload and runs it using the command: odbcconf.exe /a {regsvr "C:UsersPublicNugetmoq.dll"}. This approach bypasses standard security measures by utilizing trusted binaries. Moq.dll employs advanced evasion techniques, including modifying the AmsiScanBuffer function to disable the Anti-Malware Scan Interface (AMSI) and altering the EtwEventWrite function in ntdll.dll to prevent monitoring through event logs. The malware ensures persistence by modifying the Windows registry to run with explorer.exe at user login and communicates with its command and control server at hotchickenfly.info. The RAT can capture screenshots, gather system information, and exfiltrate data via Dropbox’s API, using AES encryption for its communications. This threat was first observed in Israel and highlights the trend of malware authors leveraging legitimate Windows tools to evade detection. Security researchers from K7 Labs have identified the malware and recommend application whitelisting and monitoring of LOLBin usage as countermeasures. Indicators of Compromise (IOCs) include specific hash values associated with the Trojan.

Tech Optimizer

July 7, 2025

XWorm RAT Deploys New Stagers and Loaders to Bypass Defenses

The XWorm Remote Access Trojan (RAT) has evolved its attack strategies by incorporating advanced stagers and loaders to evade detection. It is known for its capabilities, including keylogging, remote desktop access, data exfiltration, and command execution, and is particularly targeted at the software supply chain and gaming sectors. Recent campaigns have paired XWorm with AsyncRAT for initial access before deploying ransomware using the leaked LockBit Black builder. XWorm utilizes various file formats and scripting languages for payload delivery, often through phishing campaigns with deceptive lures like invoices and shipping notifications. It employs obfuscation techniques, including Base64 encoding and AES encryption, and manipulates Windows security features to avoid detection. Persistence mechanisms such as registry run keys and scheduled tasks ensure sustained access. XWorm conducts system reconnaissance, queries for antivirus software, and attempts to disable Microsoft Defender. It can propagate via removable media and execute commands from command-and-control servers. The Splunk Threat Research Team has developed detections for suspicious activities related to XWorm infections. Indicators of compromise include various file hashes for different scripts and loaders associated with XWorm.

Tech Optimizer

November 15, 2024

JPCert Details on Event Tracing Over EventLog for Windows Forensics

EventLogs are essential for Windows operating system forensics but have limitations in identifying suspicious activities, necessitating additional audit logs or tools like Sysmon. Event Tracing for Windows (ETW) is a significant feature that enhances Windows forensics by collecting and managing EventLogs. ETW consists of four components: Providers (which generate events), Consumers (which process events), Sessions (which relay events), and Controllers (which manage sessions). ETW logs a wide range of operating system behaviors, making it valuable for forensic investigators. Notable ETW providers for incident investigation include Microsoft-Windows-Threat-Intelligence, Microsoft-Windows-DNS-Client, Microsoft-Antimalware-AMFilter, Microsoft-Windows-Shell-Core, Microsoft-Windows-Kernel-Process, and Microsoft-Windows-Kernel-File. Some ETW events are saved as files, while others are accessed in real-time from buffers, allowing for the recovery of information even if ETL files are deleted. JPCert has developed an ETW Scanner plugin for Volatility to extract ETW events from memory images, aiding incident response. The LwtNetLog ETW session collects network-related data, helping investigators identify malware communication and other activities. ETW's detailed logging capabilities and tools like the ETW Scanner enhance the ability to detect threats that traditional logging methods may miss.