Multi-Malware ‘Cluster Bomb’ Campaign Drops Widespread Cyber Havoc

A financially motivated East European threat actor, dubbed “Unfurling Hemlock,” is distributing malware using a unique approach that involves compressing multiple files into a single Microsoft Cabinet (CAB) file. This file can contain up to 10 different types of malware, including information stealers and loaders.

The attacker has distributed hundreds of thousands of these CAB files on systems belonging to over 50,000 users worldwide since at least February 2023. The majority of the infected systems appear to be based in the US (50.8%).

The malware used includes known tools such as Mystic Stealer, Rise Pro, and Redline, as well as loaders like SmokeLoader and Amadey. The attacker is also using other groups to help distribute its own cluster bombs.

The approach maximizes the damage from a single infection: one initial file can steal information, load further malware, and earn the attacker a payout for distributing another group's malware, either all at once or in combination.

This tactic is hard for defenders to handle: it aids defense evasion and makes malware eradication harder both to achieve and to confirm.
