Deadglyph

Description

(ESET) Deadglyph’s loading chain consists of multiple components, as illustrated in Figure 3. The initial component is a registry shellcode loader, which loads shellcode from the registry. This extracted shellcode, in turn, loads the native x64 part of the backdoor – the Executor. The Executor subsequently loads the .NET part of the backdoor – the Orchestrator. Notably, the only component on system’s disk as a file is the initial component, which is in the form of a Dynamic Link Library (DLL). The remaining components are encrypted and stored within a binary registry value.

Names

Name
Deadglyph

Type

Backdoor

Information

https://www.welivesecurity.com/en/eset-research/stealth-falcon-preying-middle-eastern-skies-deadglyph/

Other Information

Uuid

5bb497f8-66c2-4b65-9783-c28f685cfca5

Last Card Change

2023-10-12

Threat Intelligence Garden

Explorer

Deadglyph

Deadglyph

Description

Names

Category

Type

Information

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks