Researchers at a cybersecurity firm have uncovered a stealthy Windows-based remote access trojan (RAT) that remained active on a compromised machine for weeks thanks to tampered DOS and PE headers that disrupted detection and analysis tools.
These headers, essential to Windows executables, typically allow both legacy system compatibility and proper file execution. By corrupting them, attackers made traditional file inspection tools ineffective, forcing analysts to rely on memory dumps to uncover the malware’s behavior.
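The practical consequence of tampered headers is that a memory dump may hold an executable image whose `MZ` and `PE\0\0` signatures are gone, so signature-based carving never surfaces it. The following added example (not code from the firm or the article) shows one defender-side triage check: it validates the DOS/PE header fields of a candidate image and sweeps a dump for page-aligned images whose headers fail that validation. The sample dump is constructed inline; the heuristic that the DOS stub text survives tampering and sits at its usual offset 0x4E is an assumption of this example, not something the article states.

```python
import struct

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."

def header_issues(blob: bytes) -> list[str]:
    """Check the DOS and PE headers at the start of blob; empty list means intact."""
    if len(blob) < 0x40:
        return ["truncated"]
    issues = []
    if blob[:2] != b"MZ":                      # IMAGE_DOS_HEADER.e_magic
        issues.append("missing-mz")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if not 0x40 <= e_lfanew <= len(blob) - 4:  # must point inside the header window
        issues.append("bad-e_lfanew")
    elif blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        issues.append("missing-pe-signature")
    return issues

def build_sample_image(corrupt: bool = False) -> bytes:
    """Constructed minimal image header: MZ, e_lfanew=0x80, standard stub text, PE signature.
    With corrupt=True the MZ and PE signatures are zeroed, leaving the stub text intact."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x4E:0x4E + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x84, 0x8664, 2)   # COFF: Machine=AMD64, 2 sections
    if corrupt:
        hdr[0:2] = b"\0\0"
        hdr[0x80:0x84] = b"\0\0\0\0"
    return bytes(hdr)

def scan_dump(dump: bytes, align: int = 0x1000) -> list[tuple[int, list[str]]]:
    """Return (offset, issues) for page-aligned images whose headers look tampered.
    Candidates come from an 'MZ' on a page boundary, or from the DOS stub text, which
    is assumed (not stated in the article) to survive and to sit at its usual 0x4E."""
    candidates = {off for off in range(0, len(dump) - 0x40, align) if dump[off:off + 2] == b"MZ"}
    pos = dump.find(DOS_STUB_TEXT)
    while pos != -1:
        base = pos - 0x4E
        if base >= 0 and base % align == 0:
            candidates.add(base)
        pos = dump.find(DOS_STUB_TEXT, pos + 1)
    report = ((b, header_issues(dump[b:b + align])) for b in sorted(candidates))
    return [(b, issues) for b, issues in report if issues]

def build_sample_dump() -> bytes:
    """Constructed dump: zero page, intact image at 0x1000, tampered image at 0x2000."""
    pages = [b"", build_sample_image(), build_sample_image(corrupt=True)]
    return b"".join(p.ljust(0x1000, b"\0") for p in pages)
```

On a real dump, every offset reported by `scan_dump` is a region worth carving out and rebuilding by hand before feeding it to a PE parser, since the parser will otherwise reject it.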
Malware Delivered via PowerShell, Operated Silently Within dllhost.exe
According to the firm’s Incident Response Team, the attacker initially gained access through remote access infrastructure. They then used PsExec to run a PowerShell script, which has not been recovered, that attempted to deploy the malware onto the system.
The malware was found running silently under a legitimate Windows process, dllhost.exe, avoiding suspicion. Although the actual malware file couldn’t be extracted, the firm has obtained both a process-specific and full-system memory dump, enabling offline reverse engineering.
“The malware stayed undetected for weeks until its network activity triggered suspicion,” the firm said.
Contact with C2 Server via Encrypted Channel
Once active, the malware decrypted command-and-control (C2) server details stored in memory and launched a communication thread to connect to rushpapers[.]com. During this process, the main thread entered a dormant state, waiting for instructions via the TLS-encrypted channel.
This technique, the researchers noted, is designed to both avoid raising runtime alerts and complicate dynamic behavior analysis.
Further analysis revealed that this was a full-featured remote access trojan. Its capabilities include:
- Screenshot capture
- System service enumeration and manipulation
- Client-server functionality acting as a reverse proxy for attacker sessions
The malware implements a multi-threaded socket architecture, spawning a new thread for each incoming attacker connection. This design enables real-time interaction and simultaneous control over different system functions.
“By behaving as a remote access server, the compromised system effectively becomes a launchpad for further attacks,” the firm explained.
While this specific incident was neutralized before ransomware could be deployed, the technique highlights a growing threat: stealthy malware embedded in legitimate processes, using corrupted structures to bypass defenses and establish persistent control.
About the author – Ayush Chaurasia is a postgraduate student passionate about cybersecurity, threat hunting, and global affairs. He explores the intersection of technology, psychology, national security, and geopolitics through insightful writing.