惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google DeepMind News
Google DeepMind News
T
The Blog of Author Tim Ferriss
MongoDB | Blog
MongoDB | Blog
B
Blog RSS Feed
N
News and Events Feed by Topic
GbyAI
GbyAI
I
InfoQ
P
Privacy & Cybersecurity Law Blog
AWS News Blog
AWS News Blog
Cisco Talos Blog
Cisco Talos Blog
C
Check Point Blog
Recent Announcements
Recent Announcements
D
Darknet – Hacking Tools, Hacker News & Cyber Security
D
Docker
P
Proofpoint News Feed
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Scott Helme
Scott Helme
C
CERT Recently Published Vulnerability Notes
Apple Machine Learning Research
Apple Machine Learning Research
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
N
News and Events Feed by Topic
C
CXSECURITY Database RSS Feed - CXSecurity.com
Microsoft Security Blog
Microsoft Security Blog
L
LangChain Blog
W
WeLiveSecurity
S
Securelist
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
www.infosecurity-magazine.com
www.infosecurity-magazine.com
K
Kaspersky official blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Schneier on Security
Schneier on Security
Stack Overflow Blog
Stack Overflow Blog
S
Security Affairs
NISL@THU
NISL@THU
O
OpenAI News
Vercel News
Vercel News
C
Cyber Attacks, Cyber Crime and Cyber Security
Y
Y Combinator Blog
T
Tor Project blog
G
GRAHAM CLULEY
T
Tailwind CSS Blog
博客园 - Franky
Webroot Blog
Webroot Blog
Simon Willison's Weblog
Simon Willison's Weblog
Martin Fowler
Martin Fowler
WordPress大学
WordPress大学
V2EX - 技术
V2EX - 技术
H
Help Net Security
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
F
Full Disclosure

Comments for Hackread – Cybersecurity News, Data Breaches, AI and More

Study Reveals TikTok, Alibaba, Temu Collect Extensive User Data in US Study Reveals TikTok, Alibaba, Temu Collect Extensive User Data in US Pandora Cyber Attack Exposes Customer Data Via Third-Party Vendor Pandora Cyber Attack Exposes Customer Data Via Third-Party Vendor BADBOX 2.0 Found Preinstalled on Android IoT Devices Worldwide Ex US Soldier Cameron Wagenius Guilty in Telecom Hacking and Extortion FBI Warns of Health Insurance Scam Stealing Personal and Medical Data FBI Seizes Major Sites Sharing Unreleased and Pirated Video Games FBI Warns of Health Insurance Scam Stealing Personal and Medical Data Firefox Tests AI-Powered Perplexity Search Engine Directly in Browser New Malware Spotted Corrupts Its Own Headers to Block Analysis New Malware Spotted Corrupts Its Own Headers to Block Analysis Firefox Tests AI-Powered Perplexity Search Engine Directly in Browser Firefox Tests AI-Powered Perplexity Search Engine Directly in Browser
New Malware Spotted Corrupts Its Own Headers to Block Analysis
Waqas · 2025-05-29 · via Comments for Hackread – Cybersecurity News, Data Breaches, AI and More

The FortiGuard Incident Response Team has released a detailed investigation into a newly discovered malware that managed to quietly operate on a compromised Windows machine for several weeks. What makes this malware different from others is its deliberate corruption of its own DOS and PE headers, a method designed to obstruct forensic analysis and reconstruction efforts by security researchers.

Despite this challenge, Fortinet’s team successfully obtained a memory dump of the live malware process, housed in a dllhost.exe process (PID 8200), along with a complete 33GB memory dump of the compromised system.

By carefully replicating the compromised environment, Fortinet’s researchers were able to bring the dumped malware back to life in a controlled setting, allowing them to observe its operations and communication patterns.

Bringing Corrupted Malware Back Online

Without its DOS and PE headers, the malware could not be simply loaded and executed like a normal Windows binary. The research team had to manually identify the malware’s entry point, allocate memory, and resolve API addresses that differed between the compromised system and the test environment. Through repeated debugging, address relocation, and parameter adjustments, they were finally able to emulate the malware’s behaviour in a lab setting.

New Malware Spooted Corrupts Its Own Headers to Block Analysis
The image shows the DOS and PE headers have been corrupted, which makes it challenging to fully reconstruct the executable from memory (Credit: FortiGuard)

According to Fortinet’s blog post shared with Hackread.com ahead of its publishing on Thursday, once operational, the malware revealed its communication with a command-and-control (C2) server at rushpaperscom over port 443, using TLS encryption.

Fortinet analysts traced the malware’s use of Windows API functions like SealMessage() and DecryptMessage() to handle encrypted traffic. They also identified an additional layer of custom encryption that wrapped specific data packets before applying TLS, further complicating traffic inspection.

What the Malware Can Do

Fortinet’s analysis confirms that the malware operates as a Remote Access Trojan (RAT), providing the attacker with several powerful features:

  • Screen capture: The malware takes periodic screenshots, compresses them as JPEGs, and sends them to the C2 server along with the titles of active windows.
  • Remote server functionality: The malware sets up a listening TCP port, allowing attackers to connect directly and issue commands or deploy additional attacks.
  • System service control: By interfacing with the Windows Service Control Manager, the malware can enumerate, manipulate, and potentially disrupt critical system services on the infected machine.

How the Attack Works

The initial infection relied on batch scripts and PowerShell to launch the malware, embedding it into a Windows process. Once running, the malware fetched the C2 server’s domain information from encrypted memory, established a secure connection, and began exfiltrating system details.

New Malware Spooted Corrupts Its Own Headers to Block Analysis
Full memory dump of the compromised machine. The image shows detailed file information for the “fullout” dump, used to recreate a local test environment for malware analysis. (Credit: FortiGuard)

During traffic analysis, Fortinet captured decrypted WebSocket requests and responses, uncovering how the malware collects and reports system information, including OS version and architecture.

Interestingly, the malware’s encryption scheme uses a randomly generated key for XOR-based scrambling of packet data before it is handed off for TLS encryption. This extra layer adds protection against simple network-based detection, forcing researchers to rely on endpoint inspection or memory-level analysis to catch malicious activity.