Researchers at Outpost24’s KrakenLabs have identified a new malware campaign, dubbed Unfurling Hemlock, that inverts the usual playbook by taking a “quantity over quality” approach: instead of relying on one carefully hidden implant, it floods the victim with many payloads at once.

In a typical intrusion, attackers deploy a single, stealthy piece of malware and try to keep it undetected for as long as possible. Unfurling Hemlock breaks this mold. Once the victim runs an executable named ‘EXTRACT.EXE’, the campaign unleashes a barrage of malware variants, infostealers, and botnet executables onto the infected system.

This strategy, described as a “malware cluster bomb,” increases the likelihood that at least some of the deployed payloads will evade detection and remain operational. The arsenal includes well-known threats such as the Redline and RisePro infostealers, the Mystic Stealer malware-as-a-service, the Amadey and SmokeLoader loaders, and supporting utilities: Protection Disabler, Enigma Packer for obfuscation, Healer as an anti-security tool, and Performance Checker for monitoring whether the deployed malware is running. The practical consequence for responders is that a host hit by this campaign is rarely carrying just one infection; removing the first component that an alert surfaces does not mean the machine is clean.
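As an added illustration, not part of the original article or of KrakenLabs’ research, the Python script below shows one heuristic a detection engineer could use to surface the behaviour described above: a single parent process launching many distinct executables within a short window. It runs over constructed process-creation events rather than real telemetry; the file names, process IDs, directory, threshold and window are assumptions chosen for illustration, not indicators from the campaign.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (not real telemetry). Each line is:
# "<ISO timestamp> <pid> <ppid> <image path>". Paths, pids and file names are
# illustrative assumptions, not indicators from the Unfurling Hemlock report.
SAMPLE_EVENTS = [
    # Explorer (pid 600) launches the dropper and, five minutes later, a browser.
    "2024-02-10T12:00:00 1000 600 C:\\Users\\u\\Downloads\\EXTRACT.EXE",
    "2024-02-10T12:05:00 1100 600 C:\\Program Files\\Browser\\browser.exe",
    # The dropper (pid 1000) bursts six distinct executables out of %TEMP% in 19 s.
    "2024-02-10T12:00:03 1001 1000 C:\\Users\\u\\AppData\\Local\\Temp\\a1.exe",
    "2024-02-10T12:00:05 1002 1000 C:\\Users\\u\\AppData\\Local\\Temp\\b2.exe",
    "2024-02-10T12:00:08 1003 1000 C:\\Users\\u\\AppData\\Local\\Temp\\c3.exe",
    "2024-02-10T12:00:10 1004 1000 C:\\Users\\u\\AppData\\Local\\Temp\\d4.exe",
    "2024-02-10T12:00:15 1005 1000 C:\\Users\\u\\AppData\\Local\\Temp\\e5.exe",
    "2024-02-10T12:00:19 1006 1000 C:\\Users\\u\\AppData\\Local\\Temp\\f6.exe",
    # A build tool (pid 2000) re-invokes the same compiler six times: many
    # children but only one distinct image, so it must not trip the rule.
    "2024-02-10T12:00:01 2001 2000 C:\\tools\\cl.exe",
    "2024-02-10T12:00:02 2002 2000 C:\\tools\\cl.exe",
    "2024-02-10T12:00:03 2003 2000 C:\\tools\\cl.exe",
    "2024-02-10T12:00:04 2004 2000 C:\\tools\\cl.exe",
    "2024-02-10T12:00:05 2005 2000 C:\\tools\\cl.exe",
    "2024-02-10T12:00:06 2006 2000 C:\\tools\\cl.exe",
]


def parse_event(line):
    """Split one event line into a dict; maxsplit keeps spaces in the image path."""
    ts, pid, ppid, image = line.split(maxsplit=3)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "ppid": int(ppid), "image": image}


def find_cluster_parents(lines, min_distinct=5, window_seconds=60):
    """Return {ppid: sorted distinct child images} for every parent that
    launched at least `min_distinct` different executables within
    `window_seconds`. Distinct images are counted (case-insensitively) rather
    than raw child count, so a parent that repeatedly runs one program is
    ignored. Threshold and window are illustrative defaults, not tuned values."""
    window = timedelta(seconds=window_seconds)
    events = sorted((parse_event(ln) for ln in lines), key=lambda e: e["ts"])
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ppid"]].append(ev)

    hits = {}
    for ppid, children in by_parent.items():
        # Children are already in time order; slide a window over them.
        for i, first in enumerate(children):
            seen = set()
            for child in children[i:]:
                if child["ts"] - first["ts"] > window:
                    break
                seen.add(child["image"].lower())
            if len(seen) >= min_distinct:
                hits[ppid] = sorted(seen)
                break
    return hits


def describe_hits(lines, **kwargs):
    """Resolve each flagged ppid to its own image path when it appears in the log."""
    images = {e["pid"]: e["image"] for e in map(parse_event, lines)}
    return {images.get(ppid, "<unknown pid %d>" % ppid): kids
            for ppid, kids in find_cluster_parents(lines, **kwargs).items()}


if __name__ == "__main__":
    for parent, kids in describe_hits(SAMPLE_EVENTS).items():
        print("%s launched %d distinct executables:" % (parent, len(kids)))
        for k in kids:
            print("   ", k)
```

In a real deployment the input would be Sysmon event ID 1 or EDR process-creation records rather than hand-written lines, and the rule would be tuned against installers, build systems and update agents, which are the usual benign sources of many-children bursts. Keying on distinct image names rather than child count is what keeps the compiler example above quiet while still catching a dropper that writes and runs a different payload each time.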

First observed in February 2024, the Unfurling Hemlock campaign has already produced over 50,000 unique cluster bomb files, each distinct yet linked to the same operation. While the identity of the threat actors remains unconfirmed, KrakenLabs reports strong indicators of an Eastern European origin: Russian-language strings in the samples, and infrastructure in Autonomous System 203727 (AS203727), which is commonly used by hosting services favoured by cybercrime groups in the region.

Because these malware components are well known, reputable antivirus products detect most of them, which blunts the campaign’s potency. The caveat is built into the approach, though: per-sample detection is exactly what a barrage is designed to overwhelm, since only one of many payloads needs to slip through for the attacker to retain a foothold. The campaign is a reminder that cybercrime tactics keep evolving, and that sheer volume can be used to outlast defenses tuned to catch individual, high-quality threats.