Blister is a loader that drops payloads and has evolved to support targeted deployments, environmental keying, and obfuscated first-stage loading, with a shift from Cobalt Strike to Mythic agents. The article catalogs 137 unpacked Blister samples over about two years, notes obfuscation of the loader, and introduces Mythic-based payloads and related tooling to help analysts study Blister and its Mythic agent. #Blister #CobaltStrike #Mythic #MythicPacker #SocGholish #EvilCorp
Keypoints
- Blister is a loader that embeds and drops payloads, with 137 unpacked samples analyzed and a focus on 64-bit samples.
- There is a clear shift from Cobalt Strike beacons to Mythic agents as Blister’s payloads, including a Mythic-based agent dubbed BlisterMythic and a packer called MythicPacker.
- Environmental keying via an optional domain hash became part of Blister in 2022, enabling targeted deployment by matching a machine’s DNS domain against a configured hash.
- Obfuscation of the first-stage loader increased in 2023, making detection harder and requiring new YARA scripts and analysis methods.
- Persistence remains common (about 70 of 97 samples), implemented as a Startup-folder copy via DllHost.exe, which points to a specific infection lifecycle.
- Domain fronting and domain-based C2 configuration are used to conceal beacons, with some C2 domains hosted on fastly.net while pointing to legitimate domains (e.g., reddit.com, wikihow.com).
MITRE Techniques
- [T1055] Process Injection – The loader is injected into a legitimate executable for execution. Quote: “the loader that is injected into the legitimate executable.”
- [T1027] Obfuscated/Compressed Files and Information – The first-stage loader was obfuscated to hinder detection. Quote: “loader obfuscated in the same manner, with bogus instructions and excessive jump instructions.”
- [T1547.001] Boot or Logon Autostart Execution – Persistence via copying to the Startup folder. Quote: “to copy rundll32.exe and itself to the Startup folder.”
- [T1071.001] Web Protocols – C2 communications via web protocols and domain-fronting techniques. Quote: “domain fronting, which is a technique that allows malicious actors to hide the true destination of their network traffic.”
- [T1140] Deobfuscate/Decode Files or Information – The Mythic agent’s configuration is decrypted and processed in memory. Quote: “The decryption function uses RC4, but the S-Box is already initialized.”
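The T1140 point above describes an RC4 routine whose S-box is already initialized in the binary, so an analyst who lifts that 256-byte table does not need the key at all. The following is an added example (not code from the Blister article or its tooling) showing the RC4 PRGA run directly over a pre-initialized S-box; the key, S-box and config blob are constructed here for illustration.

```python
# Added example (not code from the Blister article or its tooling): RC4 decryption
# that starts from an S-box already laid out in memory, as the summary describes
# for the Mythic agent's config decryption. The key and S-box below are
# CONSTRUCTED for illustration; in real analysis the 256-byte S-box would be
# lifted straight from the sample or a memory dump instead of being derived.

def rc4_ksa(key: bytes) -> list[int]:
    """Standard RC4 key scheduling; used here only to build a sample S-box."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def rc4_prga_xor(sbox: list[int], data: bytes) -> bytes:
    """RC4 PRGA over a pre-initialized S-box (KSA skipped).
    The table is copied so the caller's extracted S-box is not mutated,
    and validated so a mis-extracted table fails loudly."""
    if len(sbox) != 256 or sorted(sbox) != list(range(256)):
        raise ValueError("S-box must be a permutation of 0..255")
    s = list(sbox)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def recover_config(sbox: list[int], blob: bytes) -> bytes:
    """Decrypt an embedded config blob using only the extracted S-box."""
    return rc4_prga_xor(sbox, blob)

# Constructed sample data: a throwaway key, the S-box it yields (standing in for
# the table lifted from a sample) and a fake config blob encrypted with it.
SAMPLE_KEY = b"constructed-key"
SAMPLE_SBOX = rc4_ksa(SAMPLE_KEY)
SAMPLE_CONFIG = b'{"c2":"example.invalid","sleep":30}'
SAMPLE_CIPHERTEXT = rc4_prga_xor(SAMPLE_SBOX, SAMPLE_CONFIG)  # RC4 is symmetric

if __name__ == "__main__":
    print(recover_config(SAMPLE_SBOX, SAMPLE_CIPHERTEXT).decode())
```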
Indicators of Compromise
- [Domain] Blister C2 domains – albertonne.com, astradamus.com
- [Domain] CDN-fronted C2 domains – backend.int.global.prod.fastly.net, python.docs.global.prod.fastly.net
- [IP Address] C2/infrastructure hosts – 37.1.215.57, 92.118.112.100
- [URI] C2 endpoints – /safebrowsing/d4alBmGBO/HafYg4QZaRhMBwuLAjVmSPc, /Collect/union/QXMY8BHNIPH7
- [SHA256] Blister sample hashes – 0a73a9ee3650821352d9c4b46814de8f73fde659cae6b82a11168468becb68d1, 0bbf1a3a8dd436fda213bc126b1ad0b8704d47fd8f14c75754694fd47a99526c
- [Domain] Mythic agent domains used in BlisterMythic – 139-177-202-78.ip.linodeusercontent.com, 23-92-30-58.ip.linodeusercontent.com