
Researchers at Fortinet have disclosed the discovery of an unusual piece of malware, identified during the analysis of a compromised system where it had remained operational for several weeks. The threat in question is a 64-bit Windows library featuring deliberately corrupted DOS and PE headers—an obfuscation technique that significantly hampers both automated detection and manual threat analysis. Despite these efforts to frustrate investigation, the team successfully reconstructed the malware’s behavior by replicating the original infection environment within an isolated system.
PE (Portable Executable) files, commonly used in Windows, contain vital structural information—most notably the DOS and PE headers. The DOS header ensures backward compatibility with MS-DOS, allowing the system to recognize the file as executable, while the PE header holds the data required to load and execute the application within a Windows environment. In this instance, both headers were intentionally malformed, making reverse engineering and payload extraction from memory dumps exceedingly difficult.
Although the malware sample itself could not be extracted, Fortinet specialists obtained both a memory dump of the active process and a full RAM dump from the infected device. The malicious code operated under the dllhost.exe process and was launched via a batch file and accompanying PowerShell scripts. The precise method of distribution remains undetermined, as does the full extent of the campaign.
Analysis revealed that upon execution, the malware decrypts the address of its command-and-control server from memory and establishes a connection. During the observed activity, communication was routed through the domain rushpapers[.]com using the TLS protocol. The malware’s primary thread enters a dormant state while a secondary thread manages the network connection and data transmission.
Functionally, the malware acts as a fully-fledged Remote Access Trojan (RAT), endowed with a wide array of capabilities. It can capture screenshots, manipulate system services, and operate in server mode to receive incoming connections from an attacker. To achieve this, the malware employs a multithreaded architecture: each new connection is assigned a dedicated thread, allowing for concurrent interactions with multiple clients and the execution of more complex operations.
According to Fortinet, such an architecture enables the attacker to utilize the compromised system as a robust remote access tool—capable of executing commands, launching further attacks, or maintaining persistent control over the victim’s network.