Malware in Event Logs?

Share This Post

Researchers at Kaspersky have uncovered a new-ish attack mechanism that’s very interesting to those of us in the DFIR world. This hasn’t been discussed a lot, and even though the referenced article is extensive, it’s still a bit unclear as to how often this is being used in the wild.

Many of the exploitation activities are common (Cobalt Strike, Remote Access Trojans, Anti-Malware Scan Interface manipulation, etc.) but the really interesting one is that these attackers are utilizing shellcode that’s stashed in Windows Event Logs. Another interesting evasion technique is the removal of the MZ header for executables, which for DFIR folks is a well known indicator that the file you’re looking at is some sort of executable even when it’s not using the .exe file extension.

The article is extensive and fairly technical, if you’re a DFIR person or just interested in the space, it’s a great read.

We’ll be keeping an eye on these techniques to see how attackers use them for shiny new attacks.

Source: https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/



Reach out to our incident response team for help

More To Explore

Information Security News – 6/23/2025

Law Enforcement Takedowns Disrupt Cybercrimes Across the Globe Article Link: https://cyberscoop.com/cybercrime-crackdown-operation-endgame-operation-secure/   Microsoft 365 to Block File Access Via Legacy Auth by Default Article link:

Information Security News – 6/16/2025

Grocery Wholesale Giant United Natural Foods Hit by Cyberattack Article Link: https://www.bleepingcomputer.com/news/security/grocery-wholesale-giant-united-natural-foods-hit-by-cyberattack/ The Worsening Landscape of Educational Cybersecurity Article Link: https://blog.knowbe4.com/the-worsening-landscape-of-educational-cybersecurity Gov. Abbott Signs Texas

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.