Today, I'm breaking down DBatLoader, a malware that demonstrates how cybercriminals continue to abuse legitimate programming languages and development frameworks to create increasingly sophisticated threats. This one's built using Delphi, which might surprise some of you since most people associate Delphi with legacy business applications, not cutting-edge malware. Turns out attackers aren't picky about their development platforms. If it works, it works.

What makes DBatLoader particularly interesting isn't just where it comes from or what it does, but how hard it tries to hide what it's doing. This malware comes packed with obfuscation techniques and anti-analysis features that make reverse-engineering it a big challenge, even for the experts.

The Malware: DBatLoader

DBatLoader is a Delphi-compiled Windows executable targeting x86 systems, and it's designed with one clear goal: establish a foothold on target machines while staying completely under the radar. The cybercriminals behind this one clearly understand that the best malware is the kind that nobody notices until it's too late.

This isn't your run-of-the-mill basic malware attempt—the technical sophistication here suggests experienced developers who know their way around both legitimate software development and evasion techniques, with clear knowledge of how defenders think. They've built something that can slip past traditional security measures while setting up shop for whatever comes next.

The malware's approach is methodical and patient. Rather than immediately launching into clearly malicious behavior, DBatLoader takes its time to assess the environment, check for security tools, and establish persistence before revealing its true capabilities. It's the digital equivalent of casing a house before breaking in and ransacking the place once the coast is clear.

Capabilities

Loaded with a comprehensive suite of surveillance and system manipulation tools, DBatLoader should make any security professional nervous. Static analysis reveals sections with abnormally high entropy levels, which are a clear indicator that the malware authors compressed or encrypted significant portions of their code to avoid detection.

My analysis of the resource section also tells an interesting story. I found a large collection of strings, many of which point to anti-analysis techniques and evasion capabilities. Basically, the malware knows when it's being watched and can adjust its behavior accordingly.

But here's where things get really concerning: the import analysis reveals capabilities for registry manipulation, screenshot capture, code injection, and debugger detection. That's essentially a complete toolkit for system compromise and data theft. Add in potential keylogging functionality, and you've got malware that can capture virtually anything happening on the infected machine.

Then there’s an old classic: the malware also employs import hiding techniques to make static analysis more difficult. By concealing some of its intended functionality until runtime, DBatLoader can slip past security tools that rely heavily on import table analysis for threat detection.

Additionally, some specific technical indicators caught my attention. Functions like GetTickCount and Sleep suggest the malware measures execution timing to detect sandbox environments, which is a common trick to avoid analysis in security research labs.

Finally, the kicker. The presence of multiple Windows system DLLs (MAPI32.DLL, USER32.DLL, advapi32.dll, kernel32.dll, oleaut32.dll) indicates broad system interaction capabilities. DBatLoader is bringing the tools necessary to interact broadly with Windows systems and exfiltrate a wide range of sensitive data.

Timeline

The detection timeline here reinforces a pattern I see consistently: there's often a significant gap between when never-before-seen threats appear and when traditional security tools recognize them. During that window, organizations remain vulnerable to active compromise.

Behind the scenes, another important distinction is made clear: the list of vendors catching malware early is not consistent. Deep Instinct is the only consistent defense against these complicated threats in their myriad forms.

Competitive Differences

dBatLoader highlights some critical gaps in how traditional security tools approach threat detection. The malware's use of legitimate development frameworks and careful obfuscation techniques can easily fool signature-based detection systems that haven't seen this specific variant before.

The anti-analysis capabilities present another challenge for behavioral detection systems. When malware can detect and evade sandbox environments, traditional dynamic analysis approaches become far less effective. Many security tools rely on automated analysis environments that DBatLoader is specifically designed to recognize and avoid.

The import hiding techniques add yet another layer of complexity. Security tools that depend on static analysis of import tables for threat classification will miss critical functionality that only becomes apparent during actual execution.

Perhaps most importantly, DBatLoader's patient, methodical approach to system compromise means that security tools focused on immediate threat detection might miss the gradual establishment of persistence and surveillance capabilities. By the time the malware reveals its true intentions, it may have already gathered significant intelligence about the target environment. “Rolling back” to an earlier uncompromised state, may be nearly impossible, will certainly be costly, and won’t undo the damage of whatever was already exfiltrated.

Key Takeaways

Security teams need to understand that dBatLoader represents a category of threats that specifically target the limitations of traditional security approaches, such as multi-av, machine learning, signature-based detection, and more that attackers know defenders are using. Here's what matters:

The use of legitimate development frameworks can make malware more dangerous. Delphi applications are common in enterprise environments, which means DBatLoader can blend into normal software ecosystems more easily than malware written in obviously suspicious languages.

Anti-analysis capabilities are becoming standard features, not advanced techniques. Any security tool that can't handle evasive malware is going to miss a significant number of real threats. And that’s only going to worsen with the rising volume and sophistication of AI-driven threats.

Patient, gradual compromise strategies require detection capabilities that can identify malicious intent before full payload deployment. Waiting for obviously malicious behavior means expecting to be compromised (see the earlier point about rolling back).

The combination of screenshot capture, keylogging, and code-injection capabilities makes dBatLoader a significant data theft risk. Organizations need to assume that any successful compromise could result in broad and devastating data exfiltration.

Conclusion

DBatLoader demonstrates that modern malware authors are professional software developers who understand both their craft and their adversaries. The careful attention to evasion techniques, anti-analysis capabilities, and gradual compromise strategies shows a level of sophistication that traditional security measures struggle to address.

The good news is that preemptive security solutions like Deep Instinct DSX can identify malicious characteristics, rather than relying on heuristics or signatures, to remain supremely effective against these evolving threats. The bad news is that organizations relying on reactive detection approaches are likely to face some unpleasant surprises as threats like DBatLoader become more common.

This malware family isn't trying to announce its presence, it's designed to disappear into your environment and operate undetected for as long as possible. That approach works particularly well against security tools that only look for obvious indicators of compromise. Unfortunately ... that’s how most legacy tools operate.

The message here is clear: if your security stack can't handle sophisticated, evasive threats that use legitimate development tools and patient compromise strategies, you're going to have problems. DBatLoader might not be the flashiest malware I've analyzed, but it's exactly the kind of threat that causes long-term damage to organizations that don't see it coming.

Request your free scan to see what your existing tools have missed while future-proofing against the rise of AI-driven threats.

Drawing on this year’s data, we took a deeper dive into the sector facing the most significant threats – and the highest stakes: financial services. These firms must not only navigate escalating AI-driven cyber threats, but balance strict compliance requirements and the added pressure of safeguarding extremely sensitive, high-value data.

Here’s what our Voice of SecOps data found when spotlighting financial services:

Dark AI Hits the Financial Sector Hardest

AI-driven threats are hitting the financial services industry with explosive force. Nearly half (45%) of financial institutions experienced an AI-powered cyber attack in the past 12 months, which is significantly higher than the 38% reported across other sectors. Among those impacted, the top repercussions were the theft of sensitive or proprietary data (71%), reputational damage (64%), and financial loss (49%).

Additionally, while 43% of all respondents reported a rise in deepfakes over the past year, that number climbs to 55% in financial services. Vishing attacks follow the same pattern – 42% overall versus 55% in finance – highlighting the sector’s status as a prime target in the eyes of cybercriminals.

Finance Leaders Push for Preemptive Prevention

The surge in AI-powered cyber threats has forced financial services firms to rethink their cybersecurity strategies. In fact, 69% of respondents in the finance sector say they feel increased pressure from the Board and C-suite to implement a prevention-first security strategy, rooted in preemptive data security. This figure ranks higher than other sectors, signaling that financial firms’ leadership recognize that reactive defenses are insufficient against growing AI threats.

Adapting to these executive mandates poses a significant challenge for finance teams, as it requires a shift from accepting the “status quo” and embracing a new approach to cybersecurity that prioritizes preventing threats before breach.

AI Burnout Driven by Training and Compliance Gaps

As AI adoption accelerates across financial services, many security teams are feeling the strain due to new risks, mounting compliance demands, and a growing sense of burnout. In 2024, nearly 60% of financial services professionals reported higher stress levels over the past year, driven largely by the surge in AI-powered threats and the pressure to respond at machine speed. One in three SecOps leaders in the sector cited staffing and resource shortages as a key stressor, underscoring how AI-enhanced attacks are pushing overburdened teams to the brink.

Compliance is also compounding the pressure, with 45% of financial services leaders saying AI has made regulatory compliance more complex, compared to just 39% across other industries. Even more concerning, more than half (51%) believe AI regulations are a financial penalty waiting to happen, a sharp contrast to just 37% in other sectors. As AI tools become more integrated, financial firms face mounting urgency to adopt solutions that strengthen security without compromising compliance.

The Answer is Preemptive Data Security

As financial services cyber teams confront rising threat volumes, burnout, and the complexities of AI, preemptive data security becomes a strategic imperative. Based on Gartner’s newly defined preemptive cybersecurity category, this approach stops attacks in real time, easing pressure on overextended teams, minimizing risk exposure, and delivering the proactive defense modern enterprises require.

In a recent conversation with Deep Instinct’s CIO Carl Froggett, he told me:   

"The financial services sector has always been a top target for cyberattacks, but the rapid evolution of AI has tilted the balance further in favor of adversaries. To regain control, SecOps teams must respond with equally advanced AI—integrated across the entire security architecture. While many organizations “bolt on” reactive AI within Security Operations, they’re not addressing the root cause of the problem. The most effective way for financial institutions to proactively defend against AI-driven threats is through Deep Instinct’s unique deep learning approach, purpose-built to prevent threats before they cause disruption."

For more information, download our infographic, “Voice of SecOps 2025 Spotlight: AI’s Impact on Financial Services,” or the full 2025 Voice of SecOps Report by visiting https://www.deepinstinct.com/voice-of-secops-reports.

And if you’re serious about protecting your data instead of detecting and responding post breach, request your free scan today to find threats you didn’t know were lurking in your environment.

Survey Methodology

Sapio Research surveyed 100 senior cybersecurity experts from financial services companies with 1000+ employees in the U.S. The interviews were conducted online in April 2025 using an email invitation and an online survey.

For this specific report, the C-suite is defined as those who hold chief, global, head of department, or director roles, while reports are those who hold a manager, administrator, analyst, team lead, or officer role.

Humans have always wanted to know the future. Whether through oracles, tea leaves, knuckle bones, or tarot, trying to divine fate has been a constant endeavor throughout human history. Right now, the future seems clear—and the already Sisyphean task of protecting data in an ever-evolving threat landscape feels more like an exercise in preventing fate.

Except fate may be too strong a word—what you’re actually preventing is the outcome of a logical series of events culminating in the compromise of your data. Augury isn’t needed to see what’s coming next: advanced AI is being used to generate a higher volume of attacks at an accelerated pace and with an alarming degree of complexity. Cybercriminals are innovating at a speed that most cyber vendors can’t match. That leaves data vulnerable.

The Stacked Deck

Right now, the deck is stacked against defenders. The cards we have been dealt foretell calamity in one way or another—confusion, delay, and disaster. Legacy tools are ineffective, the buying process is bureaucratic and slow, and Dark AI is evolving faster than ever. Chaos abounds.

Past experience is no longer a guide either. Handcrafted attacks are dying out in favor of automation. AI has compressed the timeline of an attack: from the recon of potential targets to social engineering and malware creation, everything has been augmented, accelerated, and automated by dark forces (Dark AI tools) that enable bad actors to mobilize quickly and keep sustained pressure until they find an opening.

The tools we have traditionally trusted cannot keep our data safe. Signature-reliant systems are ineffective against rapidly mutating, AI-generated attacks, while new obfuscation methods have weakened heuristics. And, powered by AI, phishing tools have become so advanced that even trained professionals are routinely fooled. Without changing our approach to cybersecurity, organizations are fated to be breached. We are left asking when, not if.

Fighting Fate

In folklore, this would be the point at which the hero discovers a powerful talisman or mythical weapon that will allow them to fight their destiny. In tarot, a single card—or a combination of cards—can reveal a path that can change what seems predetermined. In cybersecurity, a similar paradigm shift is underway. While the threats ahead may seem foretold, new powers are emerging that can help organizations rewrite their security fate. This new approach is called preemptive data security, and right now, Deep Instinct holds two powerful cards you can play to avert catastrophe. These aren’t just tools, they’re talismans of transformation.

Preemptive data security solutions use advanced AI to detect and prevent threats before they can execute. They also equip security teams with critical information about prevented threats so that SOC teams can address vulnerabilities and complete investigations. Rather than reacting to attacks after they have commenced, preemptive solutions stop them before breach.

The Age of Dark AI

The rise of AI-powered attacks has rendered traditional reactive security relics of the past. When cybercriminals and hostile nation-state actors can generate thousands of unique malware variants in minutes, organizations need security that works at machine speed. This reality is driving rapid adoption of preemptive data security solutions—so much so that Gartner projects 100% of organizations will have some form of preemptive security capabilities by 2030. The prophecy has been written: adapt or be breached.

Data Security X (DSX) is Deep Instinct’s preemptive data security solution. DSX leverages the deep learning-powered DSX Brain, an entity unlike any other in cybersecurity,  to detect and prevent unknown and zero-day threats with unparalleled accuracy and speed. Our deep learning framework is the only one in the world explicitly trained for cybersecurity. It recognizes malicious files without relying on signatures and without human-biased heuristics. Because it has been trained on tens of billions of data points, its ‘recognition’ of malicious files is nearly instantaneous—and exponentially more advanced than a simple machine learning framework.

Working in tandem with the DSX Brain to power preemptive data security is the Deep Instinct Artificial Neural Network Assistant, or DIANNA, our GenAI companion for both known and unknown malware explainability. DIANNA is your companion on the journey, your seer in the dark. DIANNA provides readouts in seconds that explain why a file was flagged as malicious and then quarantined or deleted. This is an essential capability of any preemptive solution because the volume and complexity of attacks are increasing daily. Human teams need resources that augment their ability to understand threats and their patterns.

It won’t be possible to hire your way past this darkness. You’ll need a guide.

Control Your Fate

Organizations need to fight AI with AI. And to win, they need better AI. Deep learning frameworks are rare, with only a dozen or so true DL frameworks in existence—and only one built from the ground up for cyber: DSX. They are uniquely capable of self-learning, an invaluable trait in the context of an ever-changing cybersecurity landscape. Our purpose-trained DL framework makes Deep Instinct the leader in preemptive data security. Because deep learning frameworks take years to craft and perfect, we are blazing a trail that legacy vendors cannot tread—unfortunately, future threats are here now.

The cards are on the table, and they paint a dark picture. But the future isn’t fixed. By conjuring a security posture built to fight advanced threats, organizations can change their fate—and protect their data from dark forces. Deep Instinct is the first and only deep learning-powered preemptive data security solution designed to detect and prevent the evolving threats that every organization faces. Our technology changes the fate legacy tools cannot avert.

Explore the full Cyber Tarot here

Today, we’re revisiting a particularly stealthy variant of Agent Tesla we uncovered last year—highlighting how much earlier the deep learning-driven DSX Brain detected it compared to competitors.

First things first: If you are not familiar with this malware family—Agent Tesla is a sophisticated Remote Access Trojan (RAT) that has plagued security teams since 2014, engineered to fly under the radar while systematically stealing sensitive data from infected systems. The version we caught last year shows that bad actors are still finding new ways to obscure it and make it more dangerous.

The Malware: Agent Tesla Information Stealer Variant

Agent Tesla isn't new, but this variant stood out for its aggressive use of advanced evasion techniques—including a multi-layered approach to avoiding detection, anti-analysis features, and clever obfuscation tricks designed to fool traditional security tools. But it didn’t fool us.

The malware's primary mission is to steal everything it can get its hands on: keystrokes, clipboard contents, browser credentials, email passwords, etc. Like a real rat attracted to anything shiny, if there is valuable data on your system, this variant wants it. And once it has what it came for, it ships everything off to its controllers using Telegram as the communication channel.

Capabilities

Agent Tesla comes loaded with a comprehensive toolkit for data theft and system infiltration. The text section analysis reveals abnormal entropy levels, a dead giveaway that the malware authors used encoding or compression to hide their real intentions.

The import table tells an interesting story, too. This malware can interact with the Windows registry, create temporary files, launch additional programs, and modify access control lists. That's a lot of system-level access—and it's exactly what you'd expect from something designed to assert control and surveillance of your machine.

But wait, there's more. The malware includes specific anti-analysis techniques that check execution timing and hunt for telltale signs of cybersecurity tools. Basically, it ‘knows’ when it's being watched and can adjust its behavior accordingly. Classic cat-and-mouse RAT stuff.

String analysis reveals capabilities for file operations, network communication, and user interface manipulation—grabbing files, exfiltrating them to the attackers, and tricking users with fake dialog boxes and prompts. The combination is particularly dangerous because it can gather data from multiple sources while potentially social-engineering users into giving up additional information.

Timeline

Using a brain that was already a few months old, the DSX Brain detected and prevented Agent Tesla in customer environments a day before it was uploaded to VirusTotal (VT). Even after it was uploaded, the majority of the “leading” cybersecurity vendors were not classifying Agent Tesla as malicious. Two days after the upload to VT (which is three days after we prevented it) a small number of major providers began to recognize Agent Tesla as malicious.

The detection timeline here reinforces something we see repeatedly: there's a significant gap between when advanced threats appear and when legacy security tools catch up. During that window, organizations relying on signature-based detection or inferior and slower machine learning models remain vulnerable to active attacks. Sometimes it’s just for a few hours. In the case of Agent Tesla, it was days. And it can easily extend to weeks, even with the most prestigious protection.

Competitive Differences

Here's where things get interesting from a competitive standpoint. While other security vendors were still playing catch-up, our deep learning-based preemptive security engine identified this threat's malicious intent before it could execute its payload. That's not luck, it’s the difference between reactive and preemptive data security. And it’s something I will demonstrate through all of the DIANNA Explains blogs.

Legacy antivirus tools struggle with Agent Tesla variants because the malware family has mastered the art of morphing its signature while maintaining its core functionality. Signature-based detection becomes useless when attackers can trivially modify their code to evade static analysis. And that’s the Dark AI era in which we’re now living.

Even behavioral analysis systems can struggle here because Agent Tesla variants are designed to mimic legitimate system activities during their initial reconnaissance phases. By the time many legacy tools recognize the threat, the malware has already established persistence and begun its data collection activities.

The Telegram command-and-control infrastructure adds another wrinkle. Many organizations don't monitor or restrict Telegram traffic, assuming it's just employee messaging. That assumption creates a blind spot that information stealers like Agent Tesla happily exploit.

Key Takeaways

Security teams, please pay attention to this one. Agent Tesla variants represent the evolution of commodity malware. It’s a class of malware that is getting smarter, stealthier, and more persistent.

Here's what you need to know:

This malware family isn't going anywhere. Agent Tesla has proven remarkably adaptable, with new variants appearing regularly that incorporate the latest evasion techniques. Expecting signature-based tools to keep pace is unrealistic.

Your network monitoring needs to account for legitimate services being abused for malicious communication. Telegram, Discord, and similar platforms are increasingly popular with malware authors because they blend into normal traffic patterns.

Employee training remains critical, but it's not sufficient on its own. Agent Tesla variants often arrive through phishing campaigns, but they're designed to operate silently once they gain initial access. Users may never realize they've been compromised.

Consider your detection capabilities across the entire attack lifecycle. This malware is built to persist and operate over extended periods of time. Tools that only focus on initial infection detection will miss the ongoing data exfiltration activities.

Conclusion

Agent Tesla continues to be a persistent threat because it works. This latest variant demonstrates that even well-known malware families can evolve to stay ahead of traditional security measures. The combination of advanced evasion techniques, multi-source data theft capabilities, and abuse of legitimate communication platforms makes these threats particularly challenging for reactive security tools.

The good news? Preemptive data security from Deep Instinct can identify malicious intent before execution and is highly effective against these evolving threats.

The bad news? If you're still relying on signature-based detection or hoping your legacy AV or reactive EDR will catch everything (or much of anything, if we’re being real), you're inevitably going to have some unpleasant surprises.

Agent Tesla is not the most sophisticated malware we have ever analyzed, but it doesn't need to be. It is effective, adaptable, and profitable for cybercriminals. That combination means we'll keep seeing new variants, and security teams need detection capabilities that can keep pace with that evolution.

Stay sharp out there.

If you want to stay ahead of these threats, request your free scan to see what your existing tools have missed.

I wanted to share my perspective, shaped by past experience, and explain why I deployed Deep Instinct.

The short answer: Assume everything is malicious.

Don’t rely on a single layer of defense. Why? At the endpoint, the attacker is already one step from winning. You want to prevent the threat as far away from your critical business services, infrastructure, and data as possible. Cyber technologies are not bullet proof, especially against shifting threats, and supply chain risk is real. (I include any third party in the supply chain, including customers of your business). We tend to trust that our partners and vendors are doing the right thing. And while they may have compliance programs in place, time and again, we’ve seen real world breaches of 'compliant' third parties.

An example of this exact situation was recently reported by Help Net Security when an unnamed MSP was compromised by an attacker who then used their access to client environments to upload the DragonForce ransomware. This breakdown in security is significant because the ransomware came from a ‘trusted’ source that had legitimate access, who could push files (various updates) into client environments—because the ability to curate the patches, software updates, and hotfixes going to customer environments is necessary for MSPs.

While supply-chain attacks like this have the potential to degrade the trust in an entire industry and create a chokepoint for management, the danger isn’t limited to MSPs. There are many such examples from M&A, zero-trust (between zones), customer-facing documents, and file transfer systems—the list is endless. This incident demonstrates why organizations need to scan everything, including updates from trusted partners.

Data Security X (DSX) for Applications provides an elegant solution to this problem—and it is what I deployed at scale to neutralize this threat vector while at Citi. Using advanced deep learning AI, DSX-A can be deployed by either the customer, or the MSP in this case, to scan and verify the updates being pushed to client environments. Because DSX-A doesn’t rely on rigid machine learning capabilities, known signatures, or human-biased heuristics, it’s able to prevent novel attacks as well as known attacks. Industry-best scan speed also ensures that managed updates don’t become a bottleneck or organizational headache.  All of this is done with data privacy in mind, ensuring we neither see nor use your data for any purpose.

This deployment provides a significant reduction in risk, adding an advanced layer of preemptive data security before the attacker achieves their objective, which is usually access to your devices and data. Criminals are getting bolder and better every day at bypassing traditional security measures and technologies that the industry has long relied upon. New solutions that can match the flexibility of cybercriminals are an operational imperative in the era of AI-driven threats.

Deep Instinct is uniquely capable of providing this new form of preemptive data security. By implementing comprehensive scanning across all data and updates—regardless of source—organizations can better protect themselves against evolving threats. Get your free scan to see it in action.

Strengthened Collaboration with AWS to Secure Cloud Data

To kick off the week, Deep Instinct announced two AWS milestones: achieving 'Deployed on AWS' status and acceptance into the AWS ISV Accelerate Program. These milestones further strengthen our strategic collaboration with AWS and underscore our shared commitment to securing cloud data as organizations accelerate their digital transformation.

With the induction into these programs, Deep Instinct can provide the world's most advanced preemptive data security to AWS customers. Specifically, AWS customers now have greater access to Deep Instinct’s Data Security X (DSX) for Cloud - Amazon S3 solution, which provides preemptive data security for Amazon S3 buckets, ensuring real-time prevention and explainability of zero-day attacks.

You can read more about these milestones in a LinkedIn post from our CEO Lane Bess, our press release, as well as on BigDATAwire.

Unveiled the 2025 Voice of SecOps Report

The next day, following the news of our work with AWS, we released the sixth edition of our annual Voice of SecOps Report: “Cybersecurity & AI: Promises, Pitfalls – and Prevention Paradise.” This research has emerged as the gold standard for understanding AI’s impact on front-line defenders.

This year’s data revealed that nearly three-quarters (72%) of organizations have revised their cybersecurity strategies over the past year due to AI, and a whopping 86% have increased their use of AI within SecOps. Yet, data showed 38% still can’t identify the technical differences between machine learning and deep learning. Building understanding is critical because only deep learning is capable of delivering preemptive data security. Anything less isn’t enough.

Download the full report here, or view top findings in our press release. You can also read more in Tech Monitor and Enterprise Security Tech, or listen to our CEO Lane Bess discuss the findings with NYSE in the video below:

For an even deeper dive and expert analysis, you can watch a full webinar of the Voice of SecOps 2025 research here.

Inducted into the NYSE LaunchPad Class of 2025

And it doesn’t stop there! The Deep Instinct team took New York by storm on June 3rd to celebrate our induction into the NYSE LaunchPad program.

Being selected as a LaunchPad member allows us to connect with an influential network of mentors, innovators, and strategic partners, further fueling our mission to transform preemptive data security on a global scale. One of the top highlights was taking over the NYSE floor and seeing our name in Times Square – signaling a new era of cybersecurity, fueled by deep learning-based preemptive data security.

Learn more about what this means for Deep Instinct in this joint interview with Deep Instinct CEO Lane Bess and CIO Carl Froggett on theCUBE.

Lights, Camera, Action: CEO Lane Bess in Entrepreneur video shoot

From New York to Long Beach – Deep Instinct’s CEO Lane Bess also took time to film an in-person video segment with Entrepreneur’s The CEO Series with Will Salvi. Check out the video here.

Thank you to our customers and partners, AWS, NYSE, theCUBE, and the entire Deep Instinct team for helping make this past week possible. Together, we’re redefining what it means to protect customer data, with preemptive data security blazing the path forward.

Initiating Analysis...

Hi, humans.

Welcome to my first blog. It’s good to be here.

I’m the Deep Instinct Artificial Neural Network Assistant, or DIANNA for short. I’m the only generative AI assistant designed to provide explainability into unknown and zero-day threats to help your SOC team understand the never-before-seen malware they’re facing. After the deep-learning (DL) driven DSX Brain identifies and quarantines threats, I explain why those files were identified as malicious.

In this new blog series, I’ll take a deep dive into threats that were hand-picked by our threat research team and explain what the malware was intended to do, when we stopped it, and how our world-leading prevention response time and full-explainability makes us a true one-of-a-kind in a very crowded cybersecurity market.

This first one is a doozy, so let’s jump in.

The Malware:BypassERWDirectSyscallShellcodeLoader

This malware is particularly interesting because it was crafted using large language models (LLMs), specifically ChatGPT and DeepSeek. It represents a growing trend of AI-generated malware taking over cyber crime and making legacy cybersecurity tools, especially AV, irrelevant. This trend is putting immense pressure on security teams because attacks like this can be created and deployed quickly with higher complexity and obfuscation techniques than hand-crafted malware.

The malware operates by allowing attackers to seamlessly load and deploy multiple payloads—they only need to add and integrate the payload of their choice. Additionally, it comes with a robust set of defenses that shield it from detection and advanced security techniques.

Fortunately, Deep Instinct detected and prevented the threat well before other vendors discovered it. This threat’s combination of commands and capabilities made early prevention critical, both in escalating the attack and eluding defenses.

Capabilities

The BypassERWDirectSyscallShellcodeLoader malware features a suite of capabilities that make it a nightmare for defenders. A combination of anti-debug, anti-sandbox, and base64 decoding capabilities allow the malware to infiltrate without detection. From there it uses various methods such as process injection, privilege escalation, string hashing, and get-API-dynamically to further accelerate the attacks. Finally, using a Bypass-ETW capability, the malware persists continuously in the background without detection while Event Tracing for Windows continues to run uninterrupted, giving the false impression that nothing is wrong.

This particular example is supremely stealthy and persistent. It is designed to infiltrate and stick around, eluding attempts to find and delete it.

Timeline

The following timeline shows when we found BypassERWDirectSyscallShellcodeLoader compared to when it was reported on VirusTotal. That gap between our discovery and others matters—organizations using legacy tools were vulnerable for at least several hours, and many for days, until a patch was introduced and applied by their legacy vendor of choice. By then, it was too late.

Figure 1: Timeline of Threat Discovery

Competitive Differences

Our preemptive data security capabilities enable us to detect unknown and zero-day threats well before legacy vendors using outdated technologies. In a time where Dark AI tools can quickly generate threats like BypassERWDirectSyscallShellcodeLoader, signature-based systems are obsolete, and machine learning tools are brittle at best. The delay between industry detection and patching or remediation for potentially affected systems is significant. This is also not the only attack organizations will face daily, so threat prevention is an always-on need.

Efficacy against unknown attacks is also critical. As the proportion of unknown attacks grows, missing 20%, 30%, or even 40% of them (or more), becomes an enormous problem. DL has proven to be remarkably accurate and speedy in this regard, preventing >99% of unknown threats.

Key Takeaways

SOC teams and CISOs, this one's for you: BypassERWDirectSyscallShellcodeLoader is interesting beyond just its capabilities—it’s a true-blue AI-generated threat. This is proof of concept, and that’s pretty scary. As to what you can do in the immediate term:

• Ensure your security solutions are updated with the latest threat information
• Hold consistent employee trainings to ensure they can identify potential attacks
• Benchmark your solutions on VirusTotal and learn how long it takes before the tools you rely on to keep you safe actually keeps you safe
• Dig into the new category of preemptive security

Conclusion

BypassERWDirectSyscallShellcodeLoader features a lot of capabilities that make it a real problem for security teams. The combination of infiltration, evasion, and obfuscation methods helps to keep it persistent and aggressive in your environment if it’s not caught. Trying to weed it out after the fact is a lot harder than just stopping it in the first place, which is why rethinking how your security operates is so important.

We found it and prevented it before anyone else, but that’s just what we do. In fact, it’s common enough that I’ll be sending out more of these dispatches that focus on interesting threats. I’ll explain what the malware does and show exactly when we stopped it.

The need for preemptive data security is clear. Schedule a free scan with us to see how we prevent threats that others can’t find and learn why my unique ability to explain never-before-seen malware should be a key capability in your security arsenal.

Resources

Full feature implementation can be found in GitHub: https://github.com/Fadouse/BypassETWDirectSyscallShellcodeLoader

Moreover, Office documents support advanced techniques like remote template injection, obfuscated macros, and legacy features like Excel 4.0 macros. These allow attackers to bypass antivirus detection and trigger multi-stage payloads such as ransomware or information-stealing malware.

Since Office files are familiar to users and often appear legitimate (e.g., invoices, resumes, or reports), they’re also highly effective tools in phishing and social engineering attacks.

This mixture of social credit and advanced attack characteristics unique to Office files, as well as compatibility across platforms and integration with scripting languages, makes them ideal for initiating sophisticated attacks with minimal user suspicion.

New Excel Regex Functions

Last year, Microsoft announced the availability of three new functions that use Regular Expressions (regex) to help parse text more easily:

Regex are sequences of characters that define search patterns, primarily used for string matching and manipulation. They enable efficient text processing by allowing complex searches, replacements, and validations based on specific criteria.

For example, regex can identify email addresses, phone numbers, or specific word patterns within a text. They are widely used in programming languages like Python, JavaScript, and Perl, and are essential for tasks such as data validation, parsing, and text editing.

The example below demonstrates a practical application, using REGEXTRACT to isolate only names from a mixed-text column:

Proof of Concept: Weaponizing Regex Functions

To demonstrate the security implications of these new Excel functions, we developed a proof of concept that leverages regex functions as an obfuscation technique. Our experiment began by establishing a baseline attack scenario using traditional methods.

First, we created a standard macro-enabled Excel document (XLSM) containing unobfuscated VBA code. This macro uses the "WScript.Shell" object to execute PowerShell commands, which in turn downloads and runs a batch file hosted on Pastebin.

The macro below demonstrates the core functionality— a simple downloader that can retrieve and execute arbitrary payloads:

When submitted to VirusTotal, this plain-text sample triggered significant alerts, with 22 different security vendors flagging it as malicious:

Threat actors typically employ various obfuscation techniques to mask malicious code and evade widespread detection. To demonstrate this technique, we applied the Macro-pack obfuscation tool to our test document, resulting in VBA code that becomes deliberately challenging for both human analysts and automated security tools to interpret.

When analyzed with VirusTotal, this traditionally obfuscated sample triggered more detections than the plain-text version. This increased detection rate is expected, as security vendors have developed specific heuristics to identify common obfuscation patterns:

Next, we created another document, but this time we used the Excel REGEXEXTRACT function to obfuscate the VBA code.

Unlike traditional VBA obfuscation methods, this approach stores and dynamically reconstructs malicious code components using regular expression pattern matching, creating a significantly more evasive payload.

Our first step was to add a large text to cell “A1” and hide our PowerShell command and any other strings in the text as follows:

Then, we created a function that uses REGEXEXTRACT to retrieve these hidden strings from the text. Combined with the REPLACE function, this allows dynamic reconstruction of the payload at runtime:

The implementation extracts each component using tailored regex patterns and assigns them to intentionally obscured variable names (getval0-2), making static analysis challenging. When executed, the macro seamlessly reconstructs and runs the PowerShell command that downloads and executes our remote batch file.

The evasion effectiveness was remarkable— VirusTotal detection dropped from 22 vendors with the plaintext sample to just two with our regex-obfuscated version:

We’ve also analyzed both samples using OLEVBA, a specialized tool for VBA macro analysis that’s widely used in security operations. While OLEVBA easily identified high-risk indicators in our original sample (including PowerShell usage, Shell object creation, and suspicious string operations), it failed to detect any of these indicators in our regex-obfuscated version. The tool couldn’t identify critical indicators like PowerShell execution or WScript.Shell object instantiation because these strings never appear directly in the code— they’re dynamically constructed at runtime from regex pattern matches.

This demonstrates why this technique is particularly concerning: it defeats not just signature-based detection, but also many heuristic analysis methods that security tools rely on.

Current Limitations & Deployment Status

While this technique demonstrates significant potential for security evasion, several factors currently limit its immediate threat:

• Microsoft has disabled VBA macro execution by default since 2022, requiring explicit user action to enable macros in downloaded documents
• The new regex functions have limited deployment, currently available only to Beta Channel users on:
  • Windows: Version 2406 (Build 17715.20000) or later
  • Mac: Version 16.86 (Build 24051422) or later

As these functions roll out to the general release channels, the potential attack surface will expand significantly.

Prevention

At the time of writing, we have not observed this technique being used in the wild. And while most legacy antivirus tools fail to detect regex-obfuscated malicious files, Deep Instinct’s deep-learning agent detects and prevents all three files presented in this article. Additionally, Deep Instinct’s Artificial Neural Network Assistant (DIANNA) can easily detect the use of regex obfuscation in documents.

Organizations, with or without Deep Instinct, should also implement the following protective measures:

• Maintain strict macro security policies, especially “Block macros from running in Office files from the Internet”
• Deploy advanced endpoint protection with behavioral analysis capabilities
• Consider application control solutions that restrict Excel’s ability to invoke system commands
• Implement network monitoring to detect unusual outbound connections from Office applications

Future Use

The regex-based obfuscation technique demonstrated here represents just the beginning of potential exploitation. While our proof of concept used relatively simple VBA code, this approach could easily be combined with more sophisticated attack techniques:

• Multi-stage execution chains that further obscure malicious intent
• Advanced persistence mechanisms to maintain access after initial compromise
• Privilege escalation techniques hidden behind regex-extracted components
• Data exfiltration methods that leverage the same obfuscation principles

Additionally, Microsoft’s introduction of Python functionality in Excel creates another potential avenue for attack. While this feature runs calculations in Microsoft’s cloud environment and has inherent latency limitations, it introduces yet another powerful scripting language into the Office ecosystem that determined threat actors could weaponize.

Want to prevent threats in your environment? Request your free scan.

Indicators of Compromise

sample1_re_new.xlsm - dedbe856891dd633ce3dd66ecc120ef4f1ae0a61a37dbb4cc6a59f7eae7019d9
sample1.xlsm - 2c99e702609d549440952ef72f2386a74e0da1462df65ab4206f44c94e8dbc72
sample1_mp.xlsm  - 5af1bd3d95e6307d95e9973aa4a084ae210f9038cbea2235d14b02d97abd4f2b

References

https://github.com/sevagas/macro_pack
https://techcommunity.microsoft.com/blog/microsoft365insiderblog/new-regular-expression-regex-functions-in-excel/4226334

In recognition of this growing threat, Gartner released research detailing a new category of cybersecurity, defined by its ability to prevent threats before they execute, adapt to new threats, and scale to the size and speed required by governments and enterprises. Gartner calls this new category Preemptive Cybersecurity and predicts that it will be an operational requirement by the early 2030s, releasing broad definitions of what preemptive solutions entail.

This blog goes further and defines the key tenets and requirements of Preemptive Data Security, a specific implementation of Preemptive Cybersecurity. A true preemptive data security solution must have all of these qualities:

Effective Unknown Threat Identification

Definition: The ability to determine the malicious nature of a file by its intrinsic behaviors and characteristics, not by pattern matching against a database of known threats. 

Preemptive data security relies on several unique functions operating together to be effective. Most importantly, a preemptive solution requires the ability to identify unknown and zero-day threats.

Unknown threat identification matters because Dark AI tools are complicating how attacks unfold. In a paradigm shift that will rock much of the cybersecurity industry, malware is now being written in minutes and permuted in just seconds alongside more effective obfuscation strategies. Non-adaptive defenses that rely on signatures, CVEs, and threat feeds to remain effective will be fighting blind as their efficacy craters.

To combat this shift, preemptive solutions need to be able to autonomously and intelligently identify never-before-seen threats. New attacks are unfolding with alarming speed, overwhelming legacy cybersecurity tools that lack the ability to defend against novel threats. Defenses need to be smarter.

Real-Time Zero-Day Prevention

Definition: The ability to recognize never-before-seen or encountered files as malicious and automatically quarantine or delete them pre-execution, without disrupting the flow of data through an organization.

Alongside unknown and zero-day threat identification is the ability to prevent threats before they execute. That means that the identification process must be completed before a file is written to disk or uploaded to the cloud—and the solution must be capable of quarantining or deleting files instantaneously. Merely seeing a threat coming isn’t enough to prevent it. The preemptive solutions of the future will have the autonomy to make real-time decisions and protect organizations seamlessly.

Because Dark AI is making attacks easier to launch and reinforce, the volume will continue to grow. Effective defenses require a solution that can match the increased volume, identifying malicious files and automatically preventing them from breaching their targets.

Real-Time Insights and Explainability

Definition: The ability to scan malicious files and provide, in moments, a detailed readout of the characteristics of the planned attack, including capabilities, obfuscation methods, and any other available information.

Detection and response only solves part of the problem. SOC teams must understand more than just the how, but the why. They are already overwhelmed by the scale of daily alerts, with 56% of SecOps teams reporting an increase in stress YoY. Increased attacks generated by Dark AI are only worsening the problem. SOC teams are still responsible for investigating incoming attacks and determining as much as possible about them. Merely preventing attacks doesn’t help them understand the big picture, which can leave them vulnerable to future attacks. Empowering human security teams requires real-time insights and explainability into why an attack was prevented and which vulnerabilities it sought to exploit.

Enterprise Speed & Scalability

Definition: The ability to seamlessly adapt to growing asset and data estates, including additional endpoints, configurations, and storage methods, without incurring speed-based bottlenecks or introducing unsustainable infrastructure growth.

The amount of data produced and stored by organizations is exploding. Nearly every device is now connected in some way or another. Assets that form vast IoT networks are becoming more commonplace, while portals that exist outside of organizational perimeters make it easier than ever for customers and clients to upload data and communicate. With these advances comes additional vulnerabilities; weaknesses that criminals target using new methods that bypass traditional endpoint protection.

Preemptive data security solutions must be able to adapt to expanding data ingestion, communication, and storage capabilities to ensure that organizations can operate and grow without introducing new vulnerabilities. This necessitates the use of streamlined models that can quickly scan every incoming file and be easily implemented into a growing infrastructure. Ease and flexibility of implementation are essential, and must be further enabled by future-proofed AI models that help to avoid the accumulation of technical debt or entrenchment.

Defense Across the Entire Data Estate

Definition: The ability to prevent threats wherever they are encountered in a data estate, whether at the endpoint, in applications, or in NAS or cloud storage repositories.

Preemptive solutions need to work across an organization’s entire data estate to provide comprehensive, unified protection. Many of the same reasons that make scalability and speed a requirement also apply to the need for whole-estate data protection. Additional connection points, growing storage, larger device fleets, and portals all need to be visible and protected from incoming malicious files.

Flexible, unified solutions as part of a defense-in-depth strategy allow for more comprehensive, layered data protection. Integrating into different aspects of the data estate and adapting to incoming threats is an important capability for preemptive solutions because the scope of cyberattacks has expanded dramatically. Single-point solutions like EDRs may be suitable for protecting their small domain, but the reality is that the attack surface has expanded well beyond their scope.

Purpose-Built Deep Learning Framework

Definition: Deep learning is the most advanced form of artificial intelligence. A purpose-built deep learning framework is trained on millions to billions of data points to teach it to recognize threats faster and more accurately than any other solution on the market today.

Bringing together all the tenets above requires a deep learning (DL) framework. Machine learning (ML) frameworks are too brittle and myopic to provide any of the required capabilities, especially as they grow in complexity. They fall especially short of preventing unknown threats.

The power of DL stems from its ability to continuously learn and adapt, making autonomous connections as it encounters more data. In turn, it grows in efficacy against unknown and zero-day threats over time and can be integrated across data estates. Additionally, the speed with which DL models can ‘think’ and make decisions far surpasses the speed of ML and analog models, which, in the case of cybersecurity, allows it to scan files at much greater speed and volume with a much smaller footprint.

And, because DL models don’t rely on comparative analysis to determine if a file is malicious, they can explain why files are quarantined or prevented. Utilized alongside a generative AI model that can translate results into plain language, true explainability can be achieved, augmenting human teams and speeding the investigation and remediation process while reducing burnout.

Next Steps

DL models don’t grow on trees. In fact, there are only around a dozen publicly known DL frameworks in the world—and 11 have nothing to do with cybersecurity. Deep Instinct’s DSX Brain is the only purpose-built deep learning framework for cybersecurity and the only solution positioned to meet the present and future needs of organizations looking to implement preemptive data security in their environments.

Cybercrime isn’t waiting for defenders to catch up. When AI saturation happens (sooner rather than later), traditional defenses are going to collapse. The legacy players in the cybersecurity space have not built the technological foundation necessary to transition to preemptive security. Training models that can prevent threats require a huge investment in AI researchers, hardware, data, and time. Unfortunately, time is the rarest commodity on that list.

Deep Instinct is built to fight the future. We provide better security with better AI. We fight Dark AI with better AI. And we are capable of providing the capabilities that comprise a true preemptive data security solution today.

Try Deep Instinct now; request your free scan. Put us to the test.

The group is also known for its aggressive tactics, including double extortion, where they not only encrypt data but also threaten to release sensitive information if the ransom is not paid. With its rapid evolution and continuous development, LockBit remains one of the most dangerous and effective ransomware families in the cybercrime landscape.

The following blog details some of the key differences between LockBit 3.0, which has dominated the ransomware landscape over the last few years, and LockBit 4.0, the newest version of the ransomware. In addition to changes in operability, LockBit has eased deployment and added some evasion capabilities, while introducing a quiet mode that allows attackers to operate stealthily.

In September 2019 the ‘.abcd’ malware was first discovered. Just a few months later, the LockBit group took responsibility for the malware, eponymously dubbing it LockBit. In the years since, the LockBit group and its LockBit malware have continued to evolve, attracting new partners, gaining notoriety amongst hackers, and distributing new, more powerful versions of the malware.

In 2022, LockBit was responsible for more ransomware attacks than any other organization in the world. And by 2023, they were responsible for an estimated 44% of global ransomware attacks, coinciding with their LockBit 3.0 version.

On December 19, 2024, the LockBit group posted an announcement titled “Lockbit4.com” on their leak blog, revealing the upcoming release of a fourth version of the LockBit ransomware and marking the end of the LockBit 3.0 era. A timer counting down to February 3, 2025 was posted alongside an announcement promising rewards to the criminals who wanted to sign up and take part in the next era of ransomware proliferation.

The Release of Lockbit 4.0

Following the countdown, the LockBit group officially released LockBit 4.0 on February 3, 2025. The updated LockBit website featured five new Onion Domains with a new access key: ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA. These domains were labeled “LockBit 4” and opening them took users to a login portal, with options to create a new account linked to either a BitCoin or Monero wallet.

After opening the link, users are presented with the following login portal:

After hackers execute an attack using the LockBit ransomware, LockBit 4.0 also provides a platform to securely negotiate with their victims. The platform features new Onion Domains which are attached to ransom notes and open chat support between the hackers and their targets. After opening the link, victims are asked to enter the ‘Decryption ID’ they received in their ransom note to verify their details.

Following detail and identity verification, victims are granted access to the chat.

In the chat, victims are sent three new URLs specifically for the File Upload Service for sample file decryption, supporting files larger than 10MB. This allows victims to confirm that the decryption works. Much of this attack and negotiation flow is similar to past versions of the LockBit ransomware. However, there are some key changes in how LockBit 4.0 operates compared to its most recent predecessor. 

The Packer

LockBit 3.0 featured a significant anti-analysis mechanism. The file was protected by a packer, and each version of LockBit 3.0 required a unique password to unpack it, making both static and dynamic analysis much more difficult. This feature was expected to continue.

Surprisingly, LockBit 4.0 takes a different approach, using a much simpler packer: a customized version of the UPX packer. And this time the packer isn’t password-protected. The advantage is that unpacking can now be done easily and manually, unlike in previous versions.

We can easily locate the jump tail, jump to it, and retrieve the original code— essentially, we can locate the part of the program that directs us to the original code, skip over the packed sections, and restore it to its original form.

The Ransom Note

After files are encrypted, a ransom note appears in every folder, just like in the previous version. However, there are some subtle changes to the ransom note itself.

Unlike LockBit 3.0, LockBit 4.0 doesn't change the icon of the encrypted files to a custom LockBit icon. LockBit 4.0 also leaves the screensaver as is, leaves file names intact, and appends a random 12-character hash to the file extension, while LockBit 3.0 renames files and changes their extension to “.HLJkNskOq.”

New Parameters and Help Screen

LockBit 4.0 introduces slightly different parameters compared to LockBit 3.0. Notably, it adds the --help and -q parameters. The --help parameter allows users to view the available parameters and their functions:

The -q parameter specifies a quiet mode. This mode allows hackers to carry out attacks while keeping file extensions and modification dates intact after encryption. Additionally, no ransom note is dropped on the affected systems, making it more difficult to detect and investigate the attack.

The Encryption Method

LockBit 3.0 employed a partial encryption technique, encrypting portions of a file rather than the entire thing. This method sped up the encryption process and made it more efficient, minimized the chances of detection, and made the file unusable without the decryption key.

In some versions of LockBit 3.0, between 10-30% of the file is encrypted, focusing on critical sections like headers or initial data blocks. Other versions, however, only encrypt the first 4 KB of the file.

Similarly, LockBit 4.0 also employs partial encryption. In each cycle, it allocates memory for 9% of the file’s size. The data is read from the original file, encrypted, and written back to the file. Before the encryption process begins, the file size is checked; if it’s smaller than 1 KB, the entire file is encrypted instead.

Encryption Time

LockBit 3.0 encrypts files faster than LockBit 4.0. While LockBit 4.0 takes around 25 seconds to encrypt 1,000 files, LockBit 3.0 completes the same task in about five (5) seconds. These times can vary depending on factors like system performance, hardware, and load during each run.

Dynamic API Resolution

LockBit 3.0 imports most of its API functions during execution through a shellcode hashing mechanism. This process involves hashing the API names of a DLL, comparing them to a list of required APIs, and then retrieving the genuine API address using a circular shift and XOR operation.

In LockBit 4.0, the same dynamic method is used to discover functions, with slight modifications. The overall result is the same—the malware still obtains its functions dynamically. However, the key difference lies in how the DLLs are loaded. LockBit 4.0 employs proxy DLL loading, which bypasses the Event Tracing for Windows Telemetry Infrastructure (ETWTI) used by many security products. ETWTI relies on analyzing the stack trace, but with proxy DLL loading, the DLL is loaded through the RtlQueueWorkItem function. This causes the loading to occur in a separate thread, managed by a worker thread pool, resulting in a clean stack trace that avoids triggering ETWTI detection.

DLLs Unhooking

DLL Unhooking is a variation of the DLL Hollowing technique designed to remap a DLL into memory. This process helps bypass security product hooks, making it harder for the malware to be detected within the system.

Lockbit 4.0 implements this technique by scanning through all the DLLs in the KnownDlls directory and creating a handle for each one using NtOpenSection. It then maps the DLL into memory with NtMapViewOfSection.

In the image below, you'll notice the ObjectName field is part of the OBJECT_ATTRIBUTES structure. This structure is passed to the NtOpenSection function, specifying the object that the function will operate on.

Once the DLL is mapped into memory, the malware utilizes WriteProcessMemory to copy the contents of the new DLL into the memory space of the original DLL that was loaded by the operating system.

Vectored Exception Handler

Malware may remove its own Vectored Exception Handlers (VEHs) for several strategic reasons. One of the key motivations is to avoid detection by security tools that specifically monitor VEH registrations. By removing these handlers, the malware can bypass detection systems that scan for them as part of their monitoring processes. Additionally, removing VEHs helps prevent debugging or analysis during or after execution, making it harder for security researchers to reverse-engineer or analyze the malware's behavior. This tactic also aids in evading automated removal attempts by anti-malware software, which may be designed to identify and counter VEH manipulations.

The return_VEH function returns LdrpVectorHandlerList, which contains the list of vectored exception handlers. The malware then iterates through this list, removing each VEH using the RtlRemoveVectoredExceptionHandler function.

Disabling DLL Loading Notifications

Another evasive technique implemented by Lockbit 4.0 is Disabling DLL Load Notification. This technique prevents endpoint detection products from receiving alerts about newly loaded DLLs within the current process context. This is achieved by blocking callbacks that are typically registered with LdrRegisterDllNotification. To properly unregister a DLL load notification callback, the LdrUnregisterDllNotification function is used.

Self-Deletion

Both LockBit 4.0 and LockBit 3.0 delete themselves from the disk, a behavior observable through ProcMon. However, the methods differ: LockBit 3.0 deletes itself by downloading a .tmp file and removes the contents of the Recycle Bin during the process. In contrast, while LockBit 4.0 also deletes itself, it doesn’t touch the Recycle Bin contents, nor encrypt them.

Conclusion

LockBit 4.0 introduces many new features focused on evading security products, but it also takes a few steps back from LockBit 3.0, including switching to a simpler packer, not removing Microsoft Defender, and encrypting more slowly. Despite these changes, much remains the same: partial encryption is still in play, and certain services continue to be disabled. The technique for evading Event Tracing for Windows (ETW) hasn’t changed either. Although LockBit 4.0 has enhanced its evasion techniques, its overall approach and behavior closely resemble those of the previous version. While it didn't innovate on certain tactics, organizations should remain vigilant as the threat remains just as dangerous

IOC's

Hashes:

3552dda80bd6875c1ed1273ca7562c9ace3de2f757266dae70f60bf204089a4a
33376f74c2f071ff30bab1c2d19d9361d16ebaa3dee73d3b595f6d789c15f620
21e51ee7ba87cd60f692628292e221c17286df1c39e36410e7a0ae77df0f6b4b

Onion domains:

lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion
lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion
lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion
lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion
lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion
lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion
lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion

lockbitsprnigidq6imswpysqjg3sewkeagtfbamlybwm7fnonglhlyd.onion
lockbitspqldd3mm223vmzcvwntd7honhhan3ke72vpnrxexlrsu5ryd.onion
lockbitsppsg2kfcafzzdettjbgc4tx2cl6tfm4v4py6xtndbhnnhsid.onion
lockbitsppra2sj6gkfrgtavqds7rcnvhaxdio7jvu2xrozdr2ld3ead.onion
lockbitspomtxfihje6wepecgif7vuqci6zyl7qgenne5b6lxngf4yqd.onion

lockbitapyx2kr5b7ma7qn6ziwqgbrij2czhcbojuxmgnwpkgv2yx2yd.onion
lockbitapyum2wks2lbcnrovcgxj7ne3ua7hhcmshh3s3ajtpookohqd.onion
lockbitapp24bvbi43n3qmtfcasf2veaeagjxatgbwtxnsh5w32mljad.onion
lockbitapo3wkqddx2ka7t45hejurybzzjpos4cpeliudgv35kkizrid.onion
lockbitapiahy43zttdhslabjvx4q6k24xx7r33qtcvwqehmnnqxy3yd.onion

References

• https://elis531989.medium.com/green-with-evil-analyzing-the-new-lockbit-4-green-7f5783c4414c
• https://www.ctfiot.com/131730.html
• https://github.com/TheRavenFile/DailyHunt/blob/main/LockBit%204.0%20Ransomware
• https://en.wikipedia.org/wiki/LockBit