New Malware Spotted Corrupts Its Own Headers to Block Analysis
Waqas · 2025-05-29 · via Comments for Hackread – Cybersecurity News, Data Breaches, AI and More

The FortiGuard Incident Response Team has released a detailed investigation into a newly discovered malware that managed to quietly operate on a compromised Windows machine for several weeks. What makes this malware different from others is its deliberate corruption of its own DOS and PE headers, a method designed to obstruct forensic analysis and reconstruction efforts by security researchers.

Despite this challenge, Fortinet’s team successfully obtained a memory dump of the live malware process, housed in a dllhost.exe process (PID 8200), along with a complete 33GB memory dump of the compromised system.

By carefully replicating the compromised environment, Fortinet’s researchers were able to bring the dumped malware back to life in a controlled setting, allowing them to observe its operations and communication patterns.

Bringing Corrupted Malware Back Online

Without its DOS and PE headers, the malware could not be simply loaded and executed like a normal Windows binary. The research team had to manually identify the malware’s entry point, allocate memory, and resolve API addresses that differed between the compromised system and the test environment. Through repeated debugging, address relocation, and parameter adjustments, they were finally able to emulate the malware’s behaviour in a lab setting.

[Image: The DOS and PE headers have been corrupted, which makes it challenging to fully reconstruct the executable from memory (Credit: FortiGuard)]
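As an added illustration (not Fortinet's or Hackread's code), the kind of header check a memory-forensics or endpoint tool runs over a process's mapped image: it validates the DOS header, the PE signature and the optional-header magic, reports every defect it finds, and only for a clean image returns AddressOfEntryPoint for comparison with where the process is really executing. The sample image is constructed inline, so a region whose headers have been wiped as described above is flagged rather than silently failing to parse.

```python
import struct

# Magic values and layout from the PE/COFF format (constants, not from the report).
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
OPT_MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}
COFF_HEADER_SIZE = 20
ENTRY_POINT_OFFSET = 16  # AddressOfEntryPoint within the optional header


def check_pe_headers(image: bytes) -> dict:
    """Validate DOS header, PE signature and optional-header magic of a mapped
    image; report every defect and, when clean, the AddressOfEntryPoint."""
    problems, entry = [], None
    if len(image) < 0x40:
        return {"valid": False, "problems": ["shorter than a DOS header"], "entry_point": None}
    if image[:2] != DOS_MAGIC:
        problems.append("DOS header: e_magic is not 'MZ'")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    # e_lfanew must land inside the buffer with room for signature, COFF header and magic.
    if e_lfanew == 0 or e_lfanew + 4 + COFF_HEADER_SIZE + 2 > len(image):
        problems.append(f"DOS header: e_lfanew 0x{e_lfanew:x} points outside the image")
        return {"valid": False, "problems": problems, "entry_point": None}
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        problems.append("PE signature missing at e_lfanew")
    else:
        opt = e_lfanew + 4 + COFF_HEADER_SIZE
        magic = struct.unpack_from("<H", image, opt)[0]
        if magic not in OPT_MAGICS:
            problems.append(f"optional header: unknown magic 0x{magic:x}")
        elif opt + ENTRY_POINT_OFFSET + 4 <= len(image):
            entry = struct.unpack_from("<I", image, opt + ENTRY_POINT_OFFSET)[0]
    return {"valid": not problems, "problems": problems, "entry_point": entry}


def build_sample_image(entry_point: int = 0x1000, corrupt: bool = False) -> bytes:
    """Constructed sample (not a real binary): DOS header followed by minimal PE32+
    headers. corrupt=True zeroes DOS header and PE signature, as the report describes."""
    dos = bytearray(0x40)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header starts right after
    # COFF: Machine (x64), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    # Optional: Magic, linker major/minor, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint; remainder zero-padded to 240 bytes
    opt = struct.pack("<HBBIIII", 0x20B, 14, 0, 0x200, 0x200, 0, entry_point)
    image = bytes(dos) + PE_SIGNATURE + coff + opt.ljust(240, b"\0")
    if corrupt:
        image = b"\0" * 0x44 + image[0x44:]
    return image
```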

According to Fortinet’s blog post shared with Hackread.com ahead of its publishing on Thursday, once operational, the malware revealed its communication with a command-and-control (C2) server at rushpaperscom over port 443, using TLS encryption.

Fortinet analysts traced the malware’s use of Windows API functions like SealMessage() and DecryptMessage() to handle encrypted traffic. They also identified an additional layer of custom encryption that wrapped specific data packets before applying TLS, further complicating traffic inspection.

What the Malware Can Do

Fortinet’s analysis confirms that the malware operates as a Remote Access Trojan (RAT), providing the attacker with several powerful features:

  • Screen capture: The malware takes periodic screenshots, compresses them as JPEGs, and sends them to the C2 server along with the titles of active windows.
  • Remote server functionality: The malware sets up a listening TCP port, allowing attackers to connect directly and issue commands or deploy additional attacks.
  • System service control: By interfacing with the Windows Service Control Manager, the malware can enumerate, manipulate, and potentially disrupt critical system services on the infected machine.

How the Attack Works

The initial infection relied on batch scripts and PowerShell to launch the malware, embedding it into a Windows process. Once running, the malware fetched the C2 server’s domain information from encrypted memory, established a secure connection, and began exfiltrating system details.

[Image: Full memory dump of the compromised machine, showing detailed file information for the “fullout” dump used to recreate a local test environment for malware analysis (Credit: FortiGuard)]

During traffic analysis, Fortinet captured decrypted WebSocket requests and responses, uncovering how the malware collects and reports system information, including OS version and architecture.

Interestingly, the malware’s encryption scheme uses a randomly generated key for XOR-based scrambling of packet data before it is handed off for TLS encryption. This extra layer adds protection against simple network-based detection, forcing researchers to rely on endpoint inspection or memory-level analysis to catch malicious activity.