Off the Beaten Path: Recent Unusual Malware

March 17, 2025, 10:03 a.m.

Description

The article examines three unusual malware samples: a C++/CLI IIS backdoor enabling stealthy remote command execution, a bootkit leveraging the GRUB 2 bootloader to gain early system control and persistence, and a cross-platform post-exploitation framework developed in C++. These cases highlight evolving attacker techniques that prioritize stealth, persistence, and unconventional execution methods to evade detection.

External References

https://otx.alienvault.com/pulse/67d7ee24c094f5f32b058b48
https://unit42.paloaltonetworks.com/unusual-malware/
Tags
backdoor
apt
post-exploitation
bootkit
2025-03-14
iis backdoor
c++/cli
projectgeass
dixie-playing bootkit
grub
2025-03-17

Date

  • Created: March 17, 2025, 9:40 a.m.
  • Published: March 17, 2025, 9:40 a.m.
  • Modified: March 17, 2025, 10:03 a.m.

Indicators

  • cca5df85920dd2bdaaa2abc152383c9a1391a3e1c4217382a9b0fce5a83d6e0b
  • aa2d46665ea230e856689c614edcd9d932d9edad0083bf89c903299d148634a2
  • a28d0550524996ca63f26cb19f4b4d82019a1be24490343e9b916d2750162cda
  • 950243a133db44e93b764e03c8d06b99310686d010b52b67f4effa57f0d72e04
  • 94017628658035206820723763a2a698a4fd7be98fc2c541aad6aa0281ef090e
  • 8571a354b5cdd9ec3735b84fa207e72c7aea1ab82ea2e4ffea1373335b3e88f4
  • 15db49717a9e9c1e26f5b1745870b028e0133d430ec14d52884cec28ccd3c8ab
Download all indicators here!

Attack Patterns

  • T1542.003
  • T1505.003
  • T1574.005
  • T1106
  • T1027