Select Page

Cybersecurity researchers have shed more light on a malicious loader that runs as a server and executes received modules in memory, laying bare the structure of an “advanced multi-layered virtual machine” used by the malware to fly under the radar.

Wslink, as the malicious loader is called, was first documented by Slovak cybersecurity company ESET in October 2021, with very few telemetry hits detected in the past two years spanning Central Europe, North America, and the Middle East.

Analysis of the malware samples have yielded little to no clues about the initial compromise vector used, and no code, functionality, or operational similarities have been uncovered to suggest that this is a tool from a previously identified threat actor.

Packed with a file compression utility named NsPack, Wslink makes use of what’s called a process virtual machine (VM), a mechanism to run an application in a platform-independent manner that abstracts the underlying hardware or operating system, as an obfuscation method but with a crucial difference.

 

images from Hacker News