
Cluster bomb malware ‘Unfurling Hemlock’: All you need to know

The researchers claim to have spotted over 50,000 cluster bomb files, all with distinct characteristics linked back to Unfurling Hemlock

Recently, cybersecurity researchers from Outpost24’s KrakenLabs discovered a unique malware campaign that prioritises quantity over quality.

Typically, when hackers compromise a device, they deploy a single piece of malware and try to stay undetected and persistent while achieving their goals.

However, this new campaign, known as Unfurling Hemlock, does the opposite. Once the victim runs the malicious executable, in this case called ‘EXTRACT.EXE’, the device is hit with multiple pieces of malware at once, including infostealers and botnet executables.

Dropping so many samples makes it likely that security products will detect at least some of them; the attackers are betting that a few of the files will nevertheless slip through. The malicious software dropped onto the devices includes Redline (a popular infostealer), RisePro (an upcoming infostealer), Mystic Stealer (infostealing malware-as-a-service), Amadey (a loader), SmokeLoader (another loader), Protection Disabler (a utility that disables Windows Defender and other security features), Enigma Packer (an obfuscation tool), Healer (an anti-security solution), and Performance Checker (a utility that logs the performance of malware execution).
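One defender-side way to catch this pattern, as an added example that is not code from the article or from KrakenLabs: flag any parent process that launches several distinct new executables within a short time window, which is exactly what a "cluster bomb" dropper does. The log lines, file paths and the threshold of four distinct children in 60 seconds are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events "timestamp|parent_image|child_image" (Sysmon-like shape, not real telemetry).
SAMPLE_LOG = r"""
2024-02-10T09:00:00|C:\Users\v\Downloads\EXTRACT.EXE|C:\Users\v\AppData\Local\Temp\stage1.exe
2024-02-10T09:00:05|C:\Users\v\Downloads\EXTRACT.EXE|C:\Users\v\AppData\Local\Temp\stealer_a.exe
2024-02-10T09:00:11|C:\Users\v\Downloads\EXTRACT.EXE|C:\Users\v\AppData\Local\Temp\loader_b.exe
2024-02-10T09:00:19|C:\Users\v\Downloads\EXTRACT.EXE|C:\Users\v\AppData\Local\Temp\disabler.exe
2024-02-10T09:00:27|C:\Users\v\Downloads\EXTRACT.EXE|C:\Users\v\AppData\Local\Temp\stealer_a.exe
2024-02-10T09:01:00|C:\Windows\explorer.exe|C:\Program Files\Browser\browser.exe
2024-02-10T09:03:30|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe
2024-02-10T09:04:00|C:\Windows\System32\svchost.exe|C:\Windows\System32\wbem\WmiPrvSE.exe
2024-02-10T09:04:02|C:\Windows\System32\svchost.exe|C:\Windows\System32\wbem\WmiPrvSE.exe
2024-02-10T09:04:03|C:\Windows\System32\svchost.exe|C:\Windows\System32\wbem\WmiPrvSE.exe
"""


def parse_events(raw):
    """Parse pipe-separated lines into (datetime, parent, child); skip malformed lines."""
    events = []
    for line in raw.splitlines():
        parts = line.strip().split("|")
        if len(parts) == 3:
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return events


def find_cluster_droppers(events, min_distinct=4, window=timedelta(seconds=60)):
    """Return {parent: sorted distinct children} for parents that start at least
    `min_distinct` different child images inside some `window`-long interval.
    Counting distinct images, not raw spawns, keeps repetitive but benign parents
    (svchost.exe -> WmiPrvSE.exe) below the threshold."""
    spawns_by_parent = defaultdict(list)
    for ts, parent, child in events:
        spawns_by_parent[parent].append((ts, child))
    flagged = {}
    for parent, spawns in spawns_by_parent.items():
        spawns.sort()  # chronological, so each spawn anchors one candidate window
        for i, (start, _) in enumerate(spawns):
            in_window = {child for ts, child in spawns[i:] if ts - start <= window}
            if len(in_window) >= min_distinct:
                flagged[parent] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    for parent, children in find_cluster_droppers(parse_events(SAMPLE_LOG)).items():
        print(f"suspected cluster-bomb dropper: {parent} -> {len(children)} distinct payloads")
```

On the constructed log only EXTRACT.EXE trips the rule; explorer.exe (two distinct children minutes apart) and svchost.exe (one child repeated) do not, which is the false-positive behaviour a real deployment would tune against.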

The researchers referred to this as a “malware cluster bomb,” which they first identified in February 2024. They claim to have spotted over 50,000 cluster bomb files, all with distinct characteristics linked back to Unfurling Hemlock.

KrakenLabs cannot say with absolute certainty who the threat actors behind Unfurling Hemlock are, but they are fairly confident that they are of Eastern European origin. Some of the evidence pointing in that direction includes the use of the Russian language in some of the samples, and the use of the Autonomous System 203727, which is related to a hosting service that cybercrime groups in the region typically use.

Fortunately, the malware being distributed through this campaign is well-known, and most reputable antivirus programmes will flag it.
