In this article, we will cover the following points:

• analysis of LotusLite 2026 (May) and links to previous versions
• affectionate messages from the malware author

Under the Hood - The new series where We share stories from our daily life as a malware hunter 🔎

We’re kicking things off with a recent implant featuring “BelievemeIamMustang-Panda” and “Hi,Mustang_Panda” hardcoded in its .data section! A C2 over forms.microsoft.com:443 that deliberately bypasses all TLS validation. That’s unusual, and that means it’s interesting!

Read more...

Key takeaways

• Analysis of ~90 PixyNetLoader samples and grouping them into 4 sub-families using code similarities sharing
• Enabling unified detection through a single YARA rule
• Exposing the latest steganography mechanisms used in the 2026 March-April versions
• Provinding PNG payload extraction script, IOCs, detection guidance and samples list

In this article, we will examine the evolutions of the APT28 PixyNetLoader code family, and how, by analyzing approximately 90 samples and studying the shared code between them, we can identify 4 major different sub-families that we will briefly detail, and produce a single YARA rule to match all of these codes.

Read more...

The sample analyzed in this article was not identified through EDR alerts or pre-existing YARA rules. It emerged during a threat hunting campaign conducted by our CTI teams, triggered by several telemetry anomalies: a PE64 DLL submitted from China, claiming to be a legitimate Microsoft binary without respecting their standard PDB path schema, lacking a digital signature, and exhibiting significant malicious characteristics.

What makes this sample particularly interesting is the tension between its three technical identities: the low detection rate of the backdoor, the magic header used and the PDB path, which links it to DaemonicLogistics, a Chinese espionage actor documented by ESET in January 2025. Far from being a mere classification artifact, this dual signal is technically explained, and that is precisely what this article documents.

Read more...

As we step into the New Year, the team at ExaTrack wanted to look back at the insights we’ve shared over the past few months. To read them each week follow us on Linkedin ;)

In our daily work, conducting large-scale forensic collections across thousands of endpoints and analyzing complex malware on our Exalyze platform, we encounter patterns that go beyond simple IOCs. We believe that an attacker is, by definition, an anomaly on a system. To help you start the year with a stronger defensive posture, here is a compilation of our last 12 Threat Hunting tips, uniformized and all translated into English. Whether you are investigating Windows, Linux, or Active Directory, these “gold nuggets” are designed to help you find the needle in the haystack.

Read more...

During a joint incident response with Login Sécurité on an APT attack, we faced an attacker that was especially good at hiding their traces on compromised systems, making our investigation a bit more difficult than usual.

To alleviate any risk of us missing something, we decided to perform a Threat Hunting on all computers to identify any potential traces linking to this specific APT and to check if another attacker was present.

Read more...

Exalyze.io is a malware analysis platform we developped to help us as well as our fellow malware analysts and reversers during their hunting! Our goal is also to speed-up and streamline the firsts step of a sample analysis.

In this post we will showcase some of its features by analyzing a new strain of malware we dubbed Sentel Agent.

Read more...

During an incident response for one of our clients, we stumbled upon a server compromised by the now relatively documented ¹²³⁴ perfctl malware.

While it’s not uncommon to find documented threats during incident responses, we discovered that the attacker used new initial access and persistence methods. In this blogpost we will share the newly uncovered knowledge about the threat actor Tools Tactics and Procedures.

Read more...

In the last years, the Local RPC (LRPC) & ALPC have been the subject of scrutiny by some Windows internal enthusiasts and vulnerability researchers.

In this article, we will go a step further to explore what can be done about LocalServer DCOM objects, how to instantiate them and directly connect to their interfaces without using the COM proxy clients normally rely on!

This will give us an excuse to explore some COM internals, understand part of the combase DLL & write more fun python code !

Read more...

We recently discovered an novel undetected implant family targeting Linux servers, which we dubbed Mélofée.

We linked with high confidence this malware to chinese state sponsored APT groups, in particular the notorious Winnti group.

In this blogpost we will first analyze the capabilities offered by this malware family, which include a kernel mode rootkit, and then deep dive in an infrastructure pivot maze to discover related adversary toolsets.

Read more...

We recently found a new passive backdoor targeting Linux and Solaris servers, wich can use TCP, UDP or ICMP packets as it’s triggers.

In this article we will dive into BPF in order to assess it’s capabilities :D

Read more...