This new threat infects devices with a dozen malware at once

But this new campaign, dubbed Unfurling Hemlock, does the exact opposite, making it stand out in the world of cybercrime. The researchers are saying that once the victim triggers the malware executable - in this case called ‘EXTRACT.EXE’ - they receive a handful of different malware, infostealers, and botnet executables.

Malware cluster bomb

The chances of the malware being picked up by cybersecurity solutions is high, but the researchers believe the attackers are hoping at least some of the payloads will survive the purge. Among the things dropped on the devices are Redline (popular infostealer), RisePro (an upcoming infostealer), Mystic Stealer (infostealing malware-as-a-service), Amadey (loader), SmokeLoader (another loader), Protection Disabler (a utility that disables Windows Defender and other security features), Enigma Packer (obfuscation tool), Healer (anti-security solution), and Performance Checker (a utility that checks and logs the performance of malware execution).

This “malware cluster bomb” was first spotted in February 2024, the researchers said, claiming to have seen more than 50,000 cluster bomb files, all with unique characteristics that link them back to Unfurling Hemlock. 

KrakenLabs could not say with absolute certainty who the threat actors behind Unfurling Hemlock are, but they are fairly confident they are of Eastern European origin. Some of the evidence pointing in that direction is the use of Russian language in some of the samples, and the use of the Autonomous System 203727, related to a hosting service cybercrime groups in the region usually use. 

Luckily enough, the malware being pushed through this campaign is well-known and most reputable antivirus programs will flag it.

Via BleepingComputer

More from TechRadar Pro

• New malware threats are rising faster than ever — and all kinds of businesses are at risk
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now