TESDAT
Description
(Trend Micro) The newer loader we later found is called TESDAT. It always loads a payload file with a “.dat” extension (like “mns.dat”). Instead of using common APIs like CreateThread to execute the decoded shellcode, it always calls an API called “SwitchToFiber,” which we think is an attempt to avoid detection. Our analysis showed two variants for TESDAT loaders. It can be either an EXE file or a DLL file with an export function called “Init.”
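A hunting rule for the import-table and export pattern the description above lays out, added here as an editor's example; it is not a Trend Micro rule and not part of this card. It flags PE files that wire up the Win32 fiber APIs (a thread must call ConvertThreadToFiber before CreateFiber and SwitchToFiber can run a payload on it) and, when the file is a DLL, additionally requires the Init export. The rule name, the meta fields, the size cap and the plain-string fallback for API names resolved at run time are the editor's assumptions; the page gives no hashes, paths or details of the ".dat" encoding, so none are encoded here.

```yara
import "pe"

rule Hunt_Win_FiberShellcodeLoader_TESDAT_pattern
{
    meta:
        author      = "editor's added example, not Trend Micro's rule"
        description = "PE that wires up Win32 fibers to run a payload and, if a DLL, exports Init (loader pattern described for TESDAT)"
        reference   = "card text: SwitchToFiber instead of CreateThread; EXE or DLL exporting Init"

    strings:
        // Fallback for samples that resolve the APIs at run time with
        // GetProcAddress instead of importing them (assumption: the API
        // name strings are still present somewhere in the binary).
        $fiber_switch  = "SwitchToFiber" ascii
        $fiber_create  = "CreateFiber" ascii
        $fiber_convert = "ConvertThreadToFiber" ascii
        // Sidecar payload extension named in the description; weak on its
        // own, so it is only required in the fallback branch.
        $dat_ext       = ".dat" ascii wide

    condition:
        uint16(0) == 0x5A4D and
        filesize < 10MB and
        (
            // Static imports of the fiber trio from kernel32
            (
                pe.imports("kernel32.dll", "SwitchToFiber") and
                pe.imports("kernel32.dll", "CreateFiber") and
                (pe.imports("kernel32.dll", "ConvertThreadToFiber") or
                 pe.imports("kernel32.dll", "ConvertThreadToFiberEx"))
            )
            or
            // ... or all three names present as plain strings plus the .dat marker
            (all of ($fiber_*) and $dat_ext)
        )
        and
        (
            // DLL variant must expose the Init export; the EXE variant has
            // no export requirement, so non-DLLs pass this clause.
            not (pe.characteristics & pe.DLL) or pe.exports("Init")
        )
}
```

Run it over a sample directory with `yara -r tesdat_fiber_loader.yar <dir>`. The fiber path matters for detection because the decoded shellcode runs on the thread that is already executing the loader: no new thread object is created, so user-mode hooks on CreateThread and thread-creation telemetry never see the hand-off, which is consistent with the evasion motive the report suggests. Fibers are also used by legitimate software (coroutine and scheduler libraries, some game engines), so treat a hit as a triage lead to be paired with the loader's other habit from the report, a sidecar ".dat" file read and decoded at run time, rather than as a standalone alert.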
Names
Name |
---|
TESDAT |
Category
Malware
Type
- Loader
Information
Other Information
Uuid
6eeb5092-faf7-494c-ab70-73d5451acaf8
Last Card Change
2025-06-27