Matryoshka is a sophisticated malware named for the nested Russian matryoshka dolls: its infrastructure consists of multiple layers of nested servers. It infiltrates computer systems through suspicious downloads, emails, or websites, and once inside it can steal personal information, disrupt operations, or hold data hostage for ransom. Its infrastructure has involved an IBM i server running Node.js, possibly with the plug-in called http-server.
The malware was notably used in Operation Overload, also known as Matryoshka and Storm-1679, a Russia-aligned influence campaign aimed at manipulating public opinion and sowing discord. The operation demonstrated the complexity and sophistication of this malware, highlighting its potential for widespread damage and disruption. The malware's ability to nest within various servers allows it to remain hidden, making detection and removal particularly challenging.
On March 29, 2023, the first Matryoshka doll-style cascading attack, against 3CX, a provider of communication software, was identified. The Windows and macOS versions of 3CX's communication software had been trojanized to deliver a C/C++-based data miner named ICONIC Stealer via a downloader, SUDDENICON. This downloader used icon files hosted on GitHub to extract the server containing the stealer, further demonstrating the layered nature of the Matryoshka malware.
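The 3CX paragraph above describes a downloader that pulls its next stage out of ordinary-looking icon files. A defender triaging fetched .ico files can at least check whether a file carries more bytes than its own directory accounts for. The following is an added example written for this page, not code from 3CX, Mandiant, or any project named here; it assumes the hidden data sits after the image data the ICO directory declares (the page does not say where in the icon files the data was embedded), and the sample icons are constructed inline.

```python
import struct

# ICO container layout (the file format itself, not anything attack-specific):
#   header: reserved (2 bytes, must be 0), type (2 bytes, 1 = icon), image count (2 bytes)
#   directory: one 16-byte entry per image, ending in bytesInRes and imageOffset
ICO_HEADER = struct.Struct("<HHH")
ICO_DIR_ENTRY = struct.Struct("<BBBBHHII")  # w, h, colors, reserved, planes, bpp, size, offset


def ico_trailing_bytes(data: bytes) -> int:
    """Return how many bytes follow the last image the ICO directory declares.

    A well-formed icon ends where its last image ends, so any positive
    result means the file carries data no icon viewer would ever render.
    Raises ValueError if the file is not a structurally valid ICO.
    """
    if len(data) < ICO_HEADER.size:
        raise ValueError("too short for an ICO header")
    reserved, kind, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or kind != 1 or count == 0:
        raise ValueError("not an ICO file")
    end = ICO_HEADER.size + count * ICO_DIR_ENTRY.size
    if len(data) < end:
        raise ValueError("truncated ICO directory")
    for i in range(count):
        entry_off = ICO_HEADER.size + i * ICO_DIR_ENTRY.size
        *_, size, image_off = ICO_DIR_ENTRY.unpack_from(data, entry_off)
        if image_off + size > len(data):
            raise ValueError("directory entry points past end of file")
        end = max(end, image_off + size)
    return len(data) - end


def is_suspicious(data: bytes) -> bool:
    """Flag an icon that contains bytes beyond its declared images."""
    return ico_trailing_bytes(data) > 0


def build_ico(images: list[bytes]) -> bytes:
    """Constructed helper for the example: pack raw image blobs into an ICO container."""
    header = ICO_HEADER.pack(0, 1, len(images))
    offset = ICO_HEADER.size + ICO_DIR_ENTRY.size * len(images)
    entries = b""
    body = b""
    for img in images:
        entries += ICO_DIR_ENTRY.pack(16, 16, 0, 0, 1, 32, len(img), offset)
        body += img
        offset += len(img)
    return header + entries + body


# Constructed samples: a clean icon and the same icon with bytes appended.
CLEAN_ICO = build_ico([b"\x89PNG fake image bytes"])
TAMPERED_ICO = CLEAN_ICO + b"appended-data"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICO), ("tampered", TAMPERED_ICO)):
        print(f"{name}: trailing={ico_trailing_bytes(blob)} suspicious={is_suspicious(blob)}")
```

This catches only the appended-data case; data hidden inside the image bitmap itself would need a pixel-level check, and a file that fails to parse should be treated as at least as suspicious as one with trailing bytes.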
Description last updated: 2024-10-23T19:01:53.473Z