Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques
July 16, 2025, 7:45 p.m.
Description
In late 2024, a new variant of the SLOW#TEMPEST malware campaign was discovered that employs sophisticated obfuscation techniques. The malware is distributed as an ISO file containing several files, including a malicious loader DLL and a second DLL with the payload embedded in it. The loader is executed through DLL side-loading and applies advanced anti-analysis measures, notably Control Flow Graph (CFG) obfuscation with dynamically computed jumps and obfuscated function calls. Because the real control flow is only known at run time, these techniques make both static and dynamic analysis difficult and hinder the creation of effective detection rules. The article details how the code was de-obfuscated using emulation and patching, revealing the malware's core functionality, including an anti-sandbox check based on the amount of installed system memory.
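The emulate-and-patch approach mentioned above, as an added, constructed example that is not code from the write-up or from the SLOW#TEMPEST analysis: a computed-jump block (`lea`/`add`/`xor` feeding `jmp rax`) is emulated until the register value is known, then overwritten with a direct `jmp rel32` plus NOP padding so a disassembler can follow it. The sample bytes, the load address `IMAGE_BASE`, and the restriction to `rax` short-form encodings are assumptions made here to keep the decoder small; against a real binary one would drive a full emulator such as Unicorn and a real decoder with the same loop.

```python
"""
Resolve a dynamically computed jump by emulating the arithmetic that feeds
it, then patch the block into a direct jump so static tools can follow it.
Constructed example: the bytes below are made up, and only the rax
short-form encodings are decoded (an assumption, not a property of the malware).
"""
import struct

MASK64 = (1 << 64) - 1
IMAGE_BASE = 0x140001000  # assumed load address of the constructed blob


def _s32(b: bytes) -> int:
    """Little-endian signed 32-bit immediate or displacement."""
    return struct.unpack("<i", b)[0]


def decode(code: bytes, off: int):
    """Decode one instruction of the small subset; returns (mnemonic, imm, length)."""
    b = code[off:]
    if b[:3] == b"\x48\x8d\x05":            # lea rax, [rip+disp32]
        return ("lea_rip", _s32(b[3:7]), 7)
    if b[:3] == b"\x48\xc7\xc0":            # mov rax, imm32 (sign-extended)
        return ("mov", _s32(b[3:7]), 7)
    if b[:2] == b"\x48\x05":                # add rax, imm32 (sign-extended)
        return ("add", _s32(b[2:6]), 6)
    if b[:2] == b"\x48\x2d":                # sub rax, imm32
        return ("sub", _s32(b[2:6]), 6)
    if b[:2] == b"\x48\x35":                # xor rax, imm32
        return ("xor", _s32(b[2:6]), 6)
    if b[:2] == b"\xff\xe0":                # jmp rax
        return ("jmp_rax", None, 2)
    raise ValueError(f"unsupported opcode at +{off:#x}: {b[:3].hex()}")


def resolve_dynamic_jump(code: bytes, base: int, start: int, max_insns: int = 32):
    """Emulate rax from `start` until `jmp rax`; return (target, block_length)."""
    rax, off = 0, start
    for _ in range(max_insns):
        mnem, imm, length = decode(code, off)
        next_rip = base + off + length          # rip-relative operands use the next rip
        if mnem == "lea_rip":
            rax = (next_rip + imm) & MASK64
        elif mnem == "mov":
            rax = imm & MASK64
        elif mnem == "add":
            rax = (rax + imm) & MASK64
        elif mnem == "sub":
            rax = (rax - imm) & MASK64
        elif mnem == "xor":
            rax = (rax ^ (imm & MASK64)) & MASK64
        elif mnem == "jmp_rax":
            return rax, off + length - start
        off += length
    raise RuntimeError("no jmp rax within instruction budget")


def patch_to_direct_jump(code: bytes, base: int, start: int) -> bytes:
    """Replace the computed-jump block with `jmp rel32` followed by NOP padding."""
    target, length = resolve_dynamic_jump(code, base, start)
    rel32 = target - (base + start + 5)         # rel32 is relative to the end of the 5-byte jmp
    if not -0x80000000 <= rel32 < 0x80000000:
        raise ValueError("target out of rel32 range")
    if length < 5:
        raise ValueError("block too short to hold a 5-byte jmp")
    patch = b"\xe9" + struct.pack("<i", rel32) + b"\x90" * (length - 5)
    return code[:start] + patch + code[start + length:]


# Constructed sample: the opaque arithmetic evaluates to IMAGE_BASE + 0x40,
# where the real continuation (a lone `ret`) lives behind int3 filler.
SAMPLE = bytes.fromhex(
    "488d0500010000"    # lea rax, [rip+0x100]   -> rax = base+7+0x100
    "480500feffff"      # add rax, -0x200
    "4835471f0000"      # xor rax, 0x1f47
    "ffe0"              # jmp rax
) + b"\xcc" * (0x40 - 21) + b"\xc3"

if __name__ == "__main__":
    target, n = resolve_dynamic_jump(SAMPLE, IMAGE_BASE, 0)
    print(f"jmp rax resolves to {target:#x} (block is {n} bytes)")
    print("patched block:", patch_to_direct_jump(SAMPLE, IMAGE_BASE, 0)[:n].hex())
```

The loop is the whole trick: no taint or symbolic reasoning is needed because the jump target depends only on constants, so concrete emulation of the few instructions before `jmp rax` yields it directly. The patched bytes keep the original block size, so every other address in the image stays valid and a disassembler or a YARA rule written against the cleaned image sees ordinary direct control flow.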
Tags
Date
- Created: July 16, 2025, 4:10 p.m.
- Published: July 16, 2025, 4:10 p.m.
- Modified: July 16, 2025, 7:45 p.m.