Malware in Event Logs?

Share This Post

Researchers at Kaspersky have uncovered a new-ish attack mechanism that’s very interesting to those of us in the DFIR world. This hasn’t been discussed a lot, and even though the referenced article is extensive, it’s still a bit unclear as to how often this is being used in the wild.

Many of the exploitation activities are common (Cobalt Strike, Remote Access Trojans, Anti-Malware Scan Interface manipulation, etc.) but the really interesting one is that these attackers are utilizing shellcode that’s stashed in Windows Event Logs. Another interesting evasion technique is the removal of the MZ header for executables, which for DFIR folks is a well known indicator that the file you’re looking at is some sort of executable even when it’s not using the .exe file extension.

The article is extensive and fairly technical, if you’re a DFIR person or just interested in the space, it’s a great read.

We’ll be keeping an eye on these techniques to see how attackers use them for shiny new attacks.

Source: https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/



Reach out to our incident response team for help

More To Explore

Information Security News – 07/06/26

SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation Article Link: https://thehackernews.com/2026/07/sharepoint-rce-cve-2026-45659-added-to.html ‘Djinn’ Stealer Targets Cloud, AI Credentials Article Link: https://www.darkreading.com/cyberattacks-data-breaches/djinn-stealer-targets-cloud-ai-credentials ChocoPoC Malware Targets

Information Security News – 6/29/26

SimpleHelp Bug Lets Hackers Create Rogue Remote Support Accounts Article Link: https://www.bleepingcomputer.com/news/security/simplehelp-bug-lets-hackers-create-rogue-remote-support-accounts/ New macOS ClickFix Attack Silently Mounts DMGs to Push Infostealer Article Link: https://www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer/

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.