BRUSHWORM and BRUSHLOGGER Malware Targets South Asian Financial Firm

Marcus Rodriguez
March 27, 2026

Key Takeaways

  • A South Asian financial institution fell victim to a sophisticated cyberattack involving two custom malware strains: BRUSHWORM and BRUSHLOGGER.
  • BRUSHWORM, a modular backdoor, facilitated document theft, C2 communication, and USB-based propagation, while BRUSHLOGGER acted as a keylogger.
  • The attack combined data exfiltration, persistent access, and real-time credential harvesting, posing a significant threat to financial sector entities in the region.
  • Researchers from Elastic Security Labs identified developmental flaws in the malware, suggesting the threat actor may be relatively inexperienced and possibly used AI code generation tools.
  • Organizations are advised to implement strict execution policies for unsigned binaries, monitor scheduled tasks, and deploy endpoint detection with USB activity monitoring.

A financial institution in South Asia has recently been targeted in a cyberattack employing two distinct, purpose-built malware tools: BRUSHWORM, a versatile backdoor, and BRUSHLOGGER, a keylogger that masquerades as a legitimate library file. The incident underscores the escalating cyber risks confronting financial organizations throughout the South Asian region, where attackers are increasingly deploying tailored intrusions rather than commodity tooling.


The operation combined file exfiltration, enduring system access, and real-time keystroke capture. This multi-pronged approach reflects the capabilities and strategic intent behind modern campaigns targeting critical financial infrastructure. Further details on the malware's capabilities and the attack's scope were published in a report by Elastic Security Labs.

The two malware components were deployed as distinct binaries, indicating a carefully planned attack sequence. BRUSHWORM, posing as paint.exe, functioned as the primary implant. Its responsibilities included establishing persistence, communicating with a remote command-and-control (C2) server, downloading additional malicious payloads, propagating via removable USB drives, and extracting sensitive documents from compromised systems.

BRUSHLOGGER, on the other hand, disguised itself as libcurl.dll, a widely redistributed third-party library (not a Windows system component), relying on DLL side-loading: a legitimate application that expects libcurl.dll in its own directory loads the planted copy instead of the genuine one. Its single purpose was to covertly record every keystroke entered on the infected machine, logging the title of the active window alongside each capture so that the operator could tell which application or form the keystrokes belonged to. This allowed sensitive information to be collected without any visible indication to the user.

Discovery and Analysis

The campaign came to light when Elastic Security Labs researchers investigated the targeted financial institution's network. At the time of the incident, visibility into the victim environment was limited to SIEM-level telemetry, which significantly hampered a full forensic reconstruction of post-exploitation activity.

Further analysis, including pivoting through VirusTotal, revealed what appeared to be earlier development iterations of the BRUSHWORM backdoor. These versions were uploaded under generic filenames such as V1.exe, V2.exe, and V4.exe. This discovery suggests that the threat actor was actively refining their toolset before launching the final deployment. Despite the targeted nature of the attack, the binaries surprisingly lacked significant code obfuscation, packing, or advanced protective measures. The overall quality of the code was notably poor.

For instance, BRUSHWORM exhibited a clear development flaw: it would write its decrypted configuration to disk in cleartext before creating an encrypted copy and subsequently deleting the original. Beyond betraying a lack of robust development practice, this sequence is useful to responders: a file that is written and then deleted can often still be recovered from unallocated space or volume shadow copies, so the configuration (including C2 details) may be retrievable from a forensic image even when only the encrypted copy remains on the live system. Coupled with the use of free dynamic DNS infrastructure in the test versions and the absence of a kill switch, the researchers concluded with moderate confidence that the malware author has limited experience and may have used AI code-generation tools without thoroughly reviewing the output.

Impact and Propagation

The repercussions of this attack extended far beyond mere data theft. BRUSHWORM was engineered to self-replicate across connected USB drives, employing socially engineered filenames such as Salary Slips.exe, Documents.exe, and Dont Delete.exe. These names were specifically chosen to entice employees within a corporate financial environment into executing them, facilitating the malware’s spread.
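The propagation technique above is easy to hunt for on removable media: executables carrying document-style names, executables named after a sibling folder (a classic USB-worm disguise), double extensions, and PE files hiding under a non-executable extension. The following scanner is an added example written for this page; it is not Elastic's tooling or the malware's own code. The three lure names come from the write-up; the additional lure vocabulary, the sibling-folder heuristic and the directory layout it builds for the demo are the example's own assumptions.

```python
"""Scan a removable-drive root for BRUSHWORM-style lure executables.

Example code added to this page, not Elastic's tooling. The lure names
Salary Slips.exe, Documents.exe and Dont Delete.exe come from the report;
the other keywords and the sibling-folder heuristic are assumptions.
On Windows, call scan_drive(r"E:\\"); the demo builds a throwaway tree.
"""
import os
import tempfile
from dataclasses import dataclass

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Observed lure vocabulary plus assumed generic office-themed words.
LURE_WORDS = ("salary", "slip", "document", "delete", "payroll",
              "invoice", "statement", "report", "important")


@dataclass
class Finding:
    path: str
    reason: str


def _is_pe(path):
    """True if the file starts with the DOS 'MZ' magic of a PE image."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def scan_drive(root):
    """Walk a (removable) drive and return suspicious files with a reason."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        sibling_dirs = {d.lower() for d in dirnames}
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            stem, ext = os.path.splitext(fn)
            ext = ext.lower()
            if ext in EXEC_EXT:
                if stem.lower() in sibling_dirs:
                    # "Documents.exe" next to a folder named "Documents"
                    findings.append(Finding(full, "executable named after a sibling folder"))
                elif os.path.splitext(stem)[1].lower() in DOC_EXT:
                    # "Report.pdf.exe"
                    findings.append(Finding(full, "double extension hides executable"))
                elif any(w in stem.lower() for w in LURE_WORDS):
                    findings.append(Finding(full, "document-themed lure name"))
            elif ext in DOC_EXT and _is_pe(full):
                # Executable content under a harmless-looking extension.
                findings.append(Finding(full, "PE header under a non-executable extension"))
    return findings


def build_sample_drive(root):
    """Create a constructed sample tree; this is NOT a real infected drive."""
    pe_stub = b"MZ" + b"\x00" * 62  # just enough for the MZ magic check
    os.makedirs(os.path.join(root, "Documents"))
    samples = [
        ("Salary Slips.exe", pe_stub), ("Documents.exe", pe_stub),
        ("Dont Delete.exe", pe_stub), ("Report.pdf.exe", pe_stub),
        ("photo.jpg", pe_stub),        # PE disguised as an image
        ("setup.exe", pe_stub),        # ordinary executable, not flagged
        ("notes.txt", b"plain text"),  # benign document
    ]
    for name, data in samples:
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)


def demo():
    """Build the sample tree, scan it, and return (basename, reason) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return sorted((os.path.basename(f.path), f.reason) for f in scan_drive(tmp))


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

The checks are ordered from most to least specific so each file gets one reason; in production the lure-word list is the part to tune per organisation, and a hit on the sibling-folder or hidden-PE rules should be treated as high confidence.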

Concurrently, BRUSHLOGGER silently captured every keystroke, harvesting critical information like login credentials, financial transaction inputs, and internal communications throughout the infection period, posing a severe risk of data breaches and financial fraud.

BRUSHWORM’s Infection Mechanism and Persistence

A key aspect of this attack is BRUSHWORM's methodical approach to embedding itself within a system and ensuring its continued presence. Upon initial execution, the malware creates several hidden directories at hardcoded paths. The primary backdoor binary is stored in C:\ProgramData\Photoes\Pics, while downloaded modules reside in C:\Users\Public\Libraries. The consistent misspelling of "Photoes" is believed to be a genuine oversight by the developer, though it may also have been intended to make the directory blend in with legitimate user media folders.

To achieve persistence across system reboots, BRUSHWORM leverages the COM Task Scheduler interface to register a Windows scheduled task named MSGraphics. This task is configured to execute the backdoor every time a user logs in. Following this, it retrieves a DLL payload from its C2 server, located at resources.dawnnewsisl[.]com/updtdll, via a WinHTTP GET request. This payload is then saved as Recorder.dll and launched through a secondary scheduled task, MSRecorder, using rundll32.exe.

In scenarios where an infected environment lacks internet connectivity, BRUSHWORM falls back to a physical exfiltration method. It copies all stolen files directly to any connected USB drive, so that data can leave an isolated or air-gapped network offline once the drive is carried to a connected machine.
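The persistence chain just described (the MSGraphics and MSRecorder tasks, the staging directories, Recorder.dll launched via rundll32.exe) and the libcurl.dll side-load used by BRUSHLOGGER all leave traces in standard Windows telemetry. The triage script below is an added example written for this page, not Elastic's detection content or the malware's own code. It runs over constructed event records shaped like Security event 4698 (scheduled task created), Sysmon event 1 (process create) and Sysmon event 7 (image load); the hosts, users and paths in those records are invented, and the allowlist of directories where a legitimate libcurl.dll would live is an assumption to tune for your estate.

```python
"""Triage constructed Windows telemetry for the BRUSHWORM persistence chain
and the BRUSHLOGGER libcurl.dll side-load.

Example code added to this page; it is not Elastic's tooling nor the
malware's own code. Event dicts mimic Security 4698, Sysmon 1 and Sysmon 7
field names, but every value below is constructed for the demo.
"""
import re
from dataclasses import dataclass

# Indicators quoted in the write-up above.
SUSPECT_TASK_NAMES = {"msgraphics", "msrecorder"}
STAGING_DIRS = (
    r"c:\programdata\photoes\pics",   # backdoor drop dir ("Photoes" is the malware's spelling)
    r"c:\users\public\libraries",     # downloaded modules such as Recorder.dll
)
SIDELOAD_DLL = "libcurl.dll"          # name BRUSHLOGGER masquerades under
# Assumed allowlist: where a legitimately installed libcurl.dll would normally live.
TRUSTED_DLL_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")

DLL_PATH_RE = re.compile(r'([a-z]:\\[^\s",]+\.dll)')


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def _norm(path):
    return path.replace("/", "\\").lower()


def _in_dir(path, dirs):
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in dirs)


def _mentions_staging(text):
    t = _norm(text)
    return any(d + "\\" in t for d in STAGING_DIRS)


def check_event(ev):
    """Return the Findings one event triggers (empty list if nothing matched)."""
    out = []
    eid = ev["EventID"]
    if eid == 4698:  # Security: a scheduled task was created
        task = ev["TaskName"].strip("\\").lower()
        if task in SUSPECT_TASK_NAMES:
            out.append(Finding("task-name", eid, ev["TaskName"]))
        action = ev.get("Command", "") + " " + ev.get("Arguments", "")
        if _mentions_staging(action):
            out.append(Finding("task-runs-from-staging-dir", eid, action.strip()))
    elif eid == 1:  # Sysmon: process create
        image = _norm(ev["Image"])
        m = DLL_PATH_RE.search(_norm(ev.get("CommandLine", "")))
        if image.endswith("\\rundll32.exe") and m and _in_dir(m.group(1), STAGING_DIRS):
            out.append(Finding("rundll32-loads-staged-dll", eid, m.group(1)))
        if _in_dir(image, STAGING_DIRS):
            out.append(Finding("process-from-staging-dir", eid, image))
    elif eid == 7:  # Sysmon: image (DLL) load
        loaded = _norm(ev["ImageLoaded"])
        if loaded.rsplit("\\", 1)[-1] == SIDELOAD_DLL and not _in_dir(loaded, TRUSTED_DLL_DIRS):
            out.append(Finding("sideload-candidate", eid,
                               f"{loaded} signed={ev.get('Signed', 'unknown')}"))
    return out


def triage(events):
    findings = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


# Constructed sample events; not real telemetry from the incident.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\MSGraphics",
     "Command": r"C:\ProgramData\Photoes\Pics\paint.exe"},
    {"EventID": 4698, "TaskName": "\\MSRecorder",
     "Command": r"C:\Windows\System32\rundll32.exe",
     "Arguments": r"C:\Users\Public\Libraries\Recorder.dll,Start"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\Public\Libraries\Recorder.dll",Start'},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\libcurl.dll", "Signed": "false"},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Command": r"C:\Windows\System32\defrag.exe"},                      # benign
    {"EventID": 7, "Image": r"C:\Program Files\SomeApp\app.exe",
     "ImageLoaded": r"C:\Program Files\SomeApp\libcurl.dll", "Signed": "true"},  # benign
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

Event 4698 is only written when "Audit Other Object Access Events" is enabled; where it is not, the Microsoft-Windows-TaskScheduler/Operational log (event 106, task registered) carries the same task name and can be fed to the same rule. The task-name match is the weakest signal, since an attacker can rename the task; the staging-directory and rundll32 rules survive that change.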

What You Should Do

  • Restrict Unsigned Binaries: Use application control (for example WDAC or AppLocker) to block execution of unsigned binaries on all endpoints, paying particular attention to user-writable locations such as C:\ProgramData and C:\Users\Public.
  • Monitor Scheduled Tasks: Audit the creation of new scheduled tasks (Security event 4698, or event 106 in the TaskScheduler/Operational log) and alert on the names MSGraphics and MSRecorder, on tasks whose action runs from the staging directories above, and on any task that launches rundll32.exe with a DLL outside program or system directories.
  • Deploy EDR with USB Monitoring: Use Endpoint Detection and Response (EDR) with removable-media monitoring to detect and block BRUSHWORM's propagation via USB drives, including the creation of executables with document-style names on newly inserted media.
  • Audit DLL Loading Behavior: Review image-load telemetry for DLL side-loading, such as a libcurl.dll loaded from a user-writable directory or alongside an unexpected host process, as BRUSHLOGGER does.
  • Implement YARA Rules: Deploy the YARA rules published with Elastic Security Labs' report (they are not reproduced here) to identify BRUSHWORM and BRUSHLOGGER across network and endpoint environments.
