Connect with us

Hi, what are you looking for?



DoD, DHS Warn of Attacks Involving SLOTHFULMEDIA Malware

The U.S. Department of Defense’s Cyber National Mission Force (CNMF) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) last week published a malware analysis report for what they described as a new malware variant named SLOTHFULMEDIA.

The U.S. Department of Defense’s Cyber National Mission Force (CNMF) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) last week published a malware analysis report for what they described as a new malware variant named SLOTHFULMEDIA.

SLOTHFULMEDIA is described as a dropper that deploys two files when executed, including a RAT designed to allow hackers to control compromised devices, and a component that removes the dropper once the RAT achieves persistence on the targeted computer.

The RAT is capable of running arbitrary commands, terminating processes, taking screenshots, modifying the registry, and making changes to files.

The U.S. government’s malware analysis report includes technical details about how the malware works, indicators of compromise (IoC) and recommendations for securing systems against such threats.

“Users or administrators should flag activity associated with the malware and report the activity to the CISA or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation,” the agencies said.

It’s not uncommon for these types of malware analysis reports made public by U.S. agencies to include information about the threat actor believed to be behind the attacks, including if it’s a nation-state actor. However, the report on SLOTHFULMEDIA doesn’t provide any information on the possible origin of the attackers.

CISA and CNMF say the malware has been used in attacks launched by a sophisticated threat actor against entities in India, Kazakhstan, Kyrgyzstan, Malaysia, Russia, and Ukraine.

Advertisement. Scroll to continue reading.

A sample of the malware was also made available on VirusTotal by the U.S Cyber Command, which regularly posts samples of malware linked to foreign threat actors. A majority of the samples shared by USCYBERCOM have been linked to North Korea, and some have been attributed to Russia and Iran, but this summer it also started sharing Chinese samples.

ESET last week published a report on XDSpy, a previously unknown threat actor that has been active for at least 9 years and which has also targeted Russia and Ukraine, as well as Belarus, Moldova and Russia. This group has mainly targeted government organizations, and its main goal appears to be the theft of sensitive documents.

SecurityWeek has asked ESET if it has found any links between XDSpy and SLOTHFULMEDIA given the timing of the reports and the fact that they both target Russia and Ukraine. However, the cybersecurity firm says SLOTHFULMEDIA is actually related to PowerPool, a threat actor whose activities were detailed by the company back in 2018 after it was spotted exploiting a Windows zero-day vulnerability.

ESET at the time reported seeing attacks against a relatively small number of users located in the US, UK, Germany, Ukraine, Chile, India, Russia, Poland and the Philippines.

Related: U.S. Details North Korean Malware Used in Attacks on Defense Organizations

Related: Iran-Linked Malware Shared by USCYBERCOM First Seen in December 2016

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...