Unfurling Hemlock is a malware campaign, attributed to a likely Eastern European threat actor, that uses nested cabinet files to drop multiple malware samples at once, effectively acting like a malware “cluster bomb.” KrakenLabs/WETP researchers documented tens of thousands of WEXTRACT-based distribution samples delivering loaders (Amadey, SmokeLoader) and stealers (Mystic Stealer, Redline, RisePro) to victims worldwide. #UnfurlingHemlock #WEXTRACT #CabinetFiles #MysticStealer #Redline #Amadey #SmokeLoader
Keypoints
- The campaign distributes via cabinet (CAB) files named “WEXTRACT.EXE … .MUI,” with nesting up to seven levels and a tree-like execution order.
- The actor, named “Unfurling Hemlock,” appears to be an Eastern European group using multiple distribution channels and loaders to maximize reach.
- Malware dropped includes stealers (Redline, Mystic Stealer, RisePro) and loaders (Amadey, SmokeLoader), often with tools to defeat defenses.
- Distribution often starts with email-based delivery, supplemented by external sites and loaders, suggesting a pay-for-infection ecosystem.
- Defenses are routinely bypassed: utilities such as Healer disable Windows Defender and other protections, while the Enigma packer obfuscates the payloads themselves.
- Indicators show extensive use of C2 infrastructure and data exfiltration, with credentials and system information collected by various components.
- KrakenLabs expects this “cluster bomb” approach to influence future campaigns and notes similar activity seen in CrackedCantil by ANY.RUN researchers.
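The nested-cabinet layout described in the keypoints is easiest to reason about as a tree. As an added example (not code from the Outpost24/KrakenLabs report, and not derived from any real sample), the Python below carves MSCF cabinets out of a larger blob such as a WEXTRACT-style self-extracting stub, parses the cabinet directory, descends into any cabinet found inside another cabinet, and reports the nesting depth so it can be compared with the up-to-seven levels reported for this campaign. The file names (loader.exe, stage2.cab, stealer_a.exe, stealer_b.exe) and the fake stub are constructed test data; the reader handles only uncompressed CAB folders, so a real sample with MSZIP or LZX folders would need a full CAB extractor first.

```python
"""
Walk a nested-cabinet "cluster bomb" layout and report its tree.

Added example, not code from the Outpost24/KrakenLabs report. Contains a
minimal CAB (MSCF) reader for uncompressed folders (typeCompress = 0), a tiny
writer used only to construct test data, a carver that pulls MSCF cabinets out
of a larger blob (e.g. a WEXTRACT-style SFX stub), and a recursive walker.
Compressed folders (MSZIP/LZX) are rejected rather than decoded.
"""
import struct

CFHEADER = "<4sIIIIIBBHHHHH"  # sig, res1, cbCabinet, res2, coffFiles, res3, vMinor, vMajor, cFolders, cFiles, flags, setID, iCabinet
CFFOLDER = "<IHH"             # coffCabStart, cCFData, typeCompress
CFFILE = "<IIHHHH"            # cbFile, uoffFolderStart, iFolder, date, time, attribs, then NUL-terminated name
CFDATA = "<IHH"               # csum, cbData, cbUncomp, then cbData bytes
RESERVE_PRESENT = 0x0004      # CFHEADER.flags bit: reserved-size fields follow the header


def build_cab(files):
    """Build a single-folder, uncompressed CAB from {name: bytes}. Test-data helper only."""
    data = b"".join(files.values())
    entries, off = b"", 0
    for name, body in files.items():
        entries += struct.pack(CFFILE, len(body), off, 0, 0, 0, 0x20) + name.encode() + b"\0"
        off += len(body)
    coff_files = struct.calcsize(CFHEADER) + struct.calcsize(CFFOLDER)
    coff_data = coff_files + len(entries)
    block = struct.pack(CFDATA, 0, len(data), len(data)) + data  # csum 0: this toy reader does not verify it
    total = coff_data + len(block)
    header = struct.pack(CFHEADER, b"MSCF", 0, total, 0, coff_files, 0, 3, 1, 1, len(files), 0, 0, 0)
    return header + struct.pack(CFFOLDER, coff_data, 1, 0) + entries + block


def read_cab(blob):
    """Parse CFHEADER/CFFOLDER/CFFILE and return {name: bytes}; uncompressed folders only."""
    sig, _, _, _, coff_files, _, _, _, n_folders, n_files, flags, _, _ = struct.unpack_from(CFHEADER, blob, 0)
    if sig != b"MSCF":
        raise ValueError("not a cabinet")
    pos = struct.calcsize(CFHEADER)
    folder_res = data_res = 0
    if flags & RESERVE_PRESENT:  # optional per-header/folder/data reserved areas
        header_res, folder_res, data_res = struct.unpack_from("<HBB", blob, pos)
        pos += 4 + header_res
    folders = []
    for _ in range(n_folders):
        folders.append(struct.unpack_from(CFFOLDER, blob, pos))
        pos += struct.calcsize(CFFOLDER) + folder_res
    folder_bytes = []
    for coff, n_blocks, ctype in folders:
        if (ctype & 0x000F) != 0:
            raise NotImplementedError(f"compression type {ctype & 0xF} not handled by this toy reader")
        out, p = b"", coff
        for _ in range(n_blocks):  # concatenate the folder's CFDATA blocks
            _csum, cb_data, _cb_uncomp = struct.unpack_from(CFDATA, blob, p)
            p += struct.calcsize(CFDATA) + data_res
            out += blob[p:p + cb_data]
            p += cb_data
        folder_bytes.append(out)
    files, pos = {}, coff_files
    for _ in range(n_files):
        cb_file, uoff, ifolder, _, _, _ = struct.unpack_from(CFFILE, blob, pos)
        pos += struct.calcsize(CFFILE)
        end = blob.index(b"\0", pos)
        files[blob[pos:end].decode("latin-1")] = folder_bytes[ifolder][uoff:uoff + cb_file]
        pos = end + 1
    return files


def carve_cabinets(blob):
    """Return every MSCF cabinet embedded in blob whose cbCabinet fits, outermost first."""
    found, i = [], blob.find(b"MSCF")
    while i != -1:
        if i + struct.calcsize(CFHEADER) <= len(blob):
            cb = struct.unpack_from("<I", blob, i + 8)[0]  # cbCabinet
            if struct.calcsize(CFHEADER) <= cb <= len(blob) - i:
                found.append(blob[i:i + cb])
        i = blob.find(b"MSCF", i + 1)
    return found


def walk(blob, name="<root>", depth=0):
    """Depth-first list of (depth, name, size, is_cab); cabinets nested inside cabinets are descended into."""
    tree = [(depth, name, len(blob), True)]
    for child_name, child in read_cab(blob).items():
        if child[:4] == b"MSCF":
            tree.extend(walk(child, child_name, depth + 1))
        else:
            tree.append((depth + 1, child_name, len(child), False))
    return tree


def max_depth(tree):
    """Deepest nesting level in a walk() tree (0 = outermost cabinet)."""
    return max(d for d, _, _, _ in tree)


# Constructed sample: a fake SFX stub wrapping an outer CAB that holds a loader
# plus an inner CAB with two stealer-like payloads (all names invented).
FAKE_PE = b"MZ" + b"\0" * 62
INNER = build_cab({"stealer_a.exe": FAKE_PE + b"A", "stealer_b.exe": FAKE_PE + b"B"})
OUTER = build_cab({"loader.exe": FAKE_PE + b"L", "stage2.cab": INNER})
STUB = b"MZ fake WEXTRACT stub" + b"\0" * 40 + OUTER + b"\0" * 8

if __name__ == "__main__":
    for d, n, size, is_cab in walk(carve_cabinets(STUB)[0]):
        print("  " * d + ("[CAB] " if is_cab else "") + f"{n} ({size} bytes)")
```

Run stand-alone it prints the indented tree for the constructed stub. On a real sample, carve the cabinet from the SFX, extract it with a full CAB tool if its folders are compressed, and feed each extracted child back through the same walk to recover the level-by-level drop order.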
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Distribution samples were detected being sent via email to different companies (‘most of the first stages were detected being sent via email to different companies…’).
- [T1105] Ingress Tool Transfer – Initial distribution samples and components were downloaded from external hosts (e.g., ‘The distribution sample is downloaded from hxxp://185.46.46.146/none/vah50.exe’).
- [T1027.002] Obfuscated/Compressed Files and Information (Software Packing) – Use of cabinet files and Enigma packer to obfuscate payloads (‘cabinet files… allow the automatic execution of its contents once extracted’).
- [T1562.001] Impair Defenses – Utilities to disable Windows Defender and other protections were included (‘to disable Windows Defender and other protection systems’).
- [T1047] Windows Management Instrumentation – Native Windows utilities such as wmiadap.exe and wmiprvse.exe were invoked to gather victim data (‘to collect statistical information about victims…’).
- [T1071.001] Web Protocols – C2 communications over web protocols via multiple URLs/hosts used by various samples (‘The C2 is hxxp://77.91.124.1/theme/index.php…’).
- [T1041] Exfiltration Over C2 Channel – Stolen data exfiltrated to C2 endpoints (e.g., ‘sends the stolen information to tcp[:]//77.91.124.86:19084’).
Indicators of Compromise
- [URL] Distribution/download URLs – examples: hxxp://185.46.46.146/none/vah50.exe, hxxp://globalsystemperu.com/forms/gate4.exe, and other related sites
- [IP] Command and control / distribution IPs – examples: 176.113.115.145:4125, 176.123.7.190:32927
- [Domain] Hosting domains used for downloads – examples: host-file-host6.com, host-file-host8.com
- [Hash] Sample/file hashes – examples: 229e859dda6cc0bc99a395824f4524693bdd0292b4b9c55d06b4fa38279b3ea2, 5697652d0fd5b4a05ac00f6ec028fd3dc3e34ed7b112c4b8c6048eae72a8d326
- [File name] Executable names involved – examples: WEXTRACT.EXE, healer.exe
- [URL] Additional C2/loader URLs – examples: hxxp://77.91.124.1/theme/index.php, hxxp://77.91.68.29/fks/
Read more: https://outpost24.com/blog/unfurling-hemlock-cluster-bomb-campaign/