惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Stack Overflow Blog
Stack Overflow Blog
WordPress大学
WordPress大学
小众软件
小众软件
量子位
雷峰网
雷峰网
酷 壳 – CoolShell
酷 壳 – CoolShell
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Jina AI
Jina AI
T
Threat Research - Cisco Blogs
博客园_首页
The Hacker News
The Hacker News
C
Cyber Attacks, Cyber Crime and Cyber Security
有赞技术团队
有赞技术团队
宝玉的分享
宝玉的分享
Security Latest
Security Latest
博客园 - 叶小钗
The Last Watchdog
The Last Watchdog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
IT之家
IT之家
腾讯CDC
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
L
Lohrmann on Cybersecurity
V
V2EX
P
Proofpoint News Feed
I
Intezer
云风的 BLOG
云风的 BLOG
Spread Privacy
Spread Privacy
罗磊的独立博客
H
Help Net Security
T
Tor Project blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
S
Schneier on Security
Blog — PlanetScale
Blog — PlanetScale
L
LINUX DO - 热门话题
D
DataBreaches.Net
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
W
WeLiveSecurity
N
News and Events Feed by Topic
TaoSecurity Blog
TaoSecurity Blog
Simon Willison's Weblog
Simon Willison's Weblog
Latest news
Latest news
P
Proofpoint News Feed
NISL@THU
NISL@THU
Y
Y Combinator Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - Franky
Hugging Face - Blog
Hugging Face - Blog
P
Palo Alto Networks Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
S
Security @ Cisco Blogs

Comments for Hackread – Cybersecurity News, Data Breaches, AI and More

Study Reveals TikTok, Alibaba, Temu Collect Extensive User Data in US Study Reveals TikTok, Alibaba, Temu Collect Extensive User Data in US Pandora Cyber Attack Exposes Customer Data Via Third-Party Vendor Pandora Cyber Attack Exposes Customer Data Via Third-Party Vendor BADBOX 2.0 Found Preinstalled on Android IoT Devices Worldwide Ex US Soldier Cameron Wagenius Guilty in Telecom Hacking and Extortion FBI Warns of Health Insurance Scam Stealing Personal and Medical Data FBI Seizes Major Sites Sharing Unreleased and Pirated Video Games FBI Warns of Health Insurance Scam Stealing Personal and Medical Data Firefox Tests AI-Powered Perplexity Search Engine Directly in Browser New Malware Spotted Corrupts Its Own Headers to Block Analysis New Malware Spotted Corrupts Its Own Headers to Block Analysis Firefox Tests AI-Powered Perplexity Search Engine Directly in Browser Firefox Tests AI-Powered Perplexity Search Engine Directly in Browser
New Malware Spotted Corrupts Its Own Headers to Block Analysis
Waqas · 2025-05-29 · via Comments for Hackread – Cybersecurity News, Data Breaches, AI and More

The FortiGuard Incident Response Team has released a detailed investigation into a newly discovered malware that managed to quietly operate on a compromised Windows machine for several weeks. What makes this malware different from others is its deliberate corruption of its own DOS and PE headers, a method designed to obstruct forensic analysis and reconstruction efforts by security researchers.

Despite this challenge, Fortinet’s team successfully obtained a memory dump of the live malware process, housed in a dllhost.exe process (PID 8200), along with a complete 33GB memory dump of the compromised system.

By carefully replicating the compromised environment, Fortinet’s researchers were able to bring the dumped malware back to life in a controlled setting, allowing them to observe its operations and communication patterns.

Bringing Corrupted Malware Back Online

Without its DOS and PE headers, the malware could not be simply loaded and executed like a normal Windows binary. The research team had to manually identify the malware’s entry point, allocate memory, and resolve API addresses that differed between the compromised system and the test environment. Through repeated debugging, address relocation, and parameter adjustments, they were finally able to emulate the malware’s behaviour in a lab setting.

New Malware Spooted Corrupts Its Own Headers to Block Analysis
The image shows the DOS and PE headers have been corrupted, which makes it challenging to fully reconstruct the executable from memory (Credit: FortiGuard)

According to Fortinet’s blog post shared with Hackread.com ahead of its publishing on Thursday, once operational, the malware revealed its communication with a command-and-control (C2) server at rushpaperscom over port 443, using TLS encryption.

Fortinet analysts traced the malware’s use of Windows API functions like SealMessage() and DecryptMessage() to handle encrypted traffic. They also identified an additional layer of custom encryption that wrapped specific data packets before applying TLS, further complicating traffic inspection.

What the Malware Can Do

Fortinet’s analysis confirms that the malware operates as a Remote Access Trojan (RAT), providing the attacker with several powerful features:

  • Screen capture: The malware takes periodic screenshots, compresses them as JPEGs, and sends them to the C2 server along with the titles of active windows.
  • Remote server functionality: The malware sets up a listening TCP port, allowing attackers to connect directly and issue commands or deploy additional attacks.
  • System service control: By interfacing with the Windows Service Control Manager, the malware can enumerate, manipulate, and potentially disrupt critical system services on the infected machine.

How the Attack Works

The initial infection relied on batch scripts and PowerShell to launch the malware, embedding it into a Windows process. Once running, the malware fetched the C2 server’s domain information from encrypted memory, established a secure connection, and began exfiltrating system details.

New Malware Spooted Corrupts Its Own Headers to Block Analysis
Full memory dump of the compromised machine. The image shows detailed file information for the “fullout” dump, used to recreate a local test environment for malware analysis. (Credit: FortiGuard)

During traffic analysis, Fortinet captured decrypted WebSocket requests and responses, uncovering how the malware collects and reports system information, including OS version and architecture.

Interestingly, the malware’s encryption scheme uses a randomly generated key for XOR-based scrambling of packet data before it is handed off for TLS encryption. This extra layer adds protection against simple network-based detection, forcing researchers to rely on endpoint inspection or memory-level analysis to catch malicious activity.