Pisloader

Malware Profile Updated 3 months ago
Pisloader is a malware family identified and named by Palo Alto Networks. It is delivered over HTTP as an executable file named lsm.exe; once that file is written to disk and executed, it launches the Pisloader payload, which then begins infecting the system. Palo Alto Networks has created a Pisloader AutoFocus tag to track the activity of this malware.

Pisloader employs several unusual techniques, including DNS as its command-and-control (C2) protocol, return-oriented programming, and other anti-analysis tactics, which make it particularly challenging to detect and analyze. The malware also expects specific aspects of the DNS responses to be set in a particular way; otherwise, Pisloader ignores the DNS reply. This further complicates efforts to mitigate its effects.

Further investigation has revealed similarities between Pisloader and a known HTTPBrowser sample. This overlap in metadata adds credibility to the theory that Pisloader is likely a variant of the HTTPBrowser malware family. Ongoing monitoring and analysis of Pisloader remain crucial for developing effective countermeasures against this evolving threat.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track between vendors, so the following are possible overlapping names or profiles that may also be worth reviewing.
No overlapping profiles to display
Miscellaneous Associations
Other elements of context that could aid in identifying relevance
Malware
DNS
Payload
Beacon
Associated Malware
ID / Type / Votes / Profile Description
HTTPBrowser / Unspecified / 1 / HTTPBrowser is a potent form of malware, or malicious software, used to exploit and damage computer systems. It has been deployed by groups such as BRONZE UNION and Wekby to execute tools like PlugX and HTTPBrowser itself, making it difficult for network defenders to detect. The malware can infiltra
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Pisloader malware was read from the document corpus below. This display is limited to 20 results.
Source / Created At / Title
MITRE / a year ago / New Wekby Attacks Use DNS Requests As Command and Control Mechanism