Kaspersky Warns of Fileless Malware Hidden in Windows Event Logs

Threat hunters at Kaspersky are publicly documenting a malicious campaign that abuses Windows event logs to store fileless last stage Trojans and keep them hidden in the file system.

In a research report published Wednesday, Kaspersky said the first phase of the campaign started around September 2021, with the threat actor luring victims into downloading a digitally-signed Cobalt Strike module.

The use of event logs for malware stashing is a technique that Kaspersky’s security researchers say they have not seen before in live malware attacks.

The researchers have not attributed the attacks to a known threat actor, but say that the group stands out because it patches Windows native API functions associated with event tracing and the Antimalware Scan Interface (AMSI) to ensure the infection remains stealthy.

In fact, the attackers are clearly invested in avoiding detection: they use domains with names that mimic legitimate ones, use virtual private servers for hosting, and employ a variety of anti-detection decryptors – observed compilers range from Microsoft’s cl.exe to a recent version of Go.

According to Kaspersky, the attackers also sign some of the malicious files with digital certificates that appear to be issued by the threat actor themselves. In terms of tooling, the group was seen employing Cobalt Strike, NetSPI (part of SilentBreak’s framework), various custom modules, and additional third-party code.

The threat actor’s anti-detection portfolio includes binaries built with MSVC, GCC under MinGW, and Go compiler 1.17.2; whitelisted launchers; digital certificates; Go droppers that patch logging-related API functions; and the storage of the last stage malware in the binary part of event log records, broken down into 8 KB blocks.
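One way a defender could hunt for the pattern described above, as an added example that is not part of the article or Kaspersky’s report: event records whose binary data arrives as a run of exactly 8 KB, high-entropy blocks from the same source. The record list, the provider names and the thresholds are constructed for the illustration.

```python
import math
import random
from collections import defaultdict

CHUNK = 8 * 1024  # block size reported for the event-log stash


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for encrypted/compressed data, ~4.5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_payload_carriers(records, min_chunks=3, min_entropy=7.0):
    """Flag providers whose records look like a chunked binary payload.

    records: iterable of (record_id, provider, binary_data) tuples.
    All blocks but the last must be exactly CHUNK bytes, there must be
    at least min_chunks of them, and the reassembled bytes must be
    high-entropy. Returns {provider: reassembled_bytes} for review.
    """
    by_provider = defaultdict(list)
    for rec_id, provider, blob in records:
        if blob and len(blob) <= CHUNK:
            by_provider[provider].append((rec_id, blob))
    flagged = {}
    for provider, chunks in by_provider.items():
        chunks.sort()  # record order = payload order
        if len(chunks) < min_chunks:
            continue
        if not all(len(b) == CHUNK for _, b in chunks[:-1]):
            continue
        joined = b"".join(b for _, b in chunks)
        if shannon_entropy(joined) >= min_entropy:
            flagged[provider] = joined
    return flagged


# Constructed sample: deterministic pseudo-random bytes stand in for an
# encrypted stage; the provider names are placeholders, not real ones.
_rng = random.Random(7)
_stage = bytes(_rng.getrandbits(8) for _ in range(2 * CHUNK + 100))
SAMPLE_RECORDS = [
    (1001, "ConstructedSource", _stage[:CHUNK]),
    (1002, "ConstructedSource", _stage[CHUNK:2 * CHUNK]),
    (1003, "ConstructedSource", _stage[2 * CHUNK:]),
] + [(2000 + i, "BenignService", b"service started ok %d" % i) for i in range(4)]
```

Running `find_payload_carriers(SAMPLE_RECORDS)` returns only the constructed provider, with the three blocks reassembled to their original length; the benign text records fall out on both the block-size and entropy checks.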

Furthermore, Kaspersky discovered that the function names in the main package have been obfuscated.

The last stage Trojans communicate with the command and control (C&C) server either using HTTP with RC4 encryption, or by employing unencrypted communication with named pipes.

“The latter way is technically able to communicate with any network visible external host, but under Windows named pipes are built upon the SMB protocol, which would barely open for external networks. So these modules most probably serve for lateral movement,” Kaspersky says.

Upon execution, the HTTP Trojan fingerprints the infected system and sends the data to the server if an initial ping to the server is successful.

The malware supports commands to fingerprint the system, execute received commands, download and save payloads, list processes, inject code into target processes, sleep for a specified period of time, and terminate the session with the C&C.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
