In a recent discovery by Fortinet’s FortiGuard Incident Response Team, cybersecurity researchers have uncovered a stealthy Remote Access Trojan (RAT) that managed to evade detection for weeks by leveraging corrupted DOS and PE headers in its malicious payload.
The DOS (MS-DOS) header and the PE (Portable Executable) header are the two structures at the start of every Windows executable. The DOS header, which begins with the "MZ" signature, exists for backward compatibility with MS-DOS and carries the e_lfanew field (at offset 0x3C) that points to the PE header; the PE header holds the metadata the Windows loader needs to map and run the file, such as the target machine, the section table, the entry point and the import directory. Once the code is running in memory it rarely needs its own headers, so they can be overwritten without stopping the program. The damaged image, however, no longer parses in standard PE tools, defeats signature scanners that key on a valid header, and makes a memory dump far harder to reconstruct. Tampering with these headers is a rare but effective evasion and anti-analysis technique.
“We identified malware that had been silently active on a compromised system for several weeks,” said Fortinet researchers Xiaopeng Zhang and John Simmons, as reported by The Hacker News. “The threat actor utilized PowerShell scripts and batch files to execute the malicious code within a legitimate Windows process.”
Although Fortinet was unable to directly retrieve the malware file, the team successfully obtained a memory dump of the active malware process and a complete system memory image. The incident, associated with early-stage ransomware activity, was contained before any encryption or damage could occur.
The attack originated through compromised remote access infrastructure, followed by malware deployment attempts using PsExec and a PowerShell script that was not recovered. The malware ran inside a dllhost.exe process as a 64-bit PE image whose headers had been purposefully corrupted to hinder reverse engineering and static analysis.
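To make the header tampering described above concrete, here is an added example (not code from Fortinet or from the article) that validates the DOS and PE headers of a dumped image and, when the MZ stub has been wiped, hunts for surviving NT headers by their "PE\0\0" signature and a plausible FILE_HEADER. The sample images it checks are constructed minimal headers built in the script itself, not the real malware; the stomping function merely zeroes the first 0x40 bytes to simulate the effect.

```python
"""Validate PE headers in a dumped region and hunt for stomped images.

Added example for this article; the sample bytes below are constructed,
not taken from the Fortinet sample. Offsets follow the PE format
(DOS header 0x40 bytes, e_lfanew at 0x3C, FILE_HEADER 20 bytes).
"""
import struct

PAGE_SIZE = 0x1000
KNOWN_MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def check_pe_headers(buf, base=0):
    """Return a list of findings for the image at buf[base:]; empty means clean."""
    findings = []
    if len(buf) - base < 0x40:
        return ["too short for a DOS header"]
    e_magic = buf[base:base + 2]
    if e_magic != b"MZ":
        findings.append("DOS header: e_magic is %r, expected b'MZ'" % e_magic)
    e_lfanew = struct.unpack_from("<I", buf, base + 0x3C)[0]
    # NT headers must sit after the DOS header and leave room for FILE_HEADER.
    if e_lfanew < 0x40 or e_lfanew + 24 > len(buf) - base:
        findings.append("DOS header: e_lfanew 0x%x out of range" % e_lfanew)
        return findings
    nt = base + e_lfanew
    if buf[nt:nt + 4] != b"PE\0\0":
        findings.append("PE header: bad signature at 0x%x" % e_lfanew)
        return findings
    machine, nsect, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", buf, nt + 4)
    if machine not in KNOWN_MACHINES:
        findings.append("FILE_HEADER: unknown Machine 0x%04x" % machine)
    if not 1 <= nsect <= 96:
        findings.append("FILE_HEADER: implausible NumberOfSections %d" % nsect)
    if opt_size < 2 or nt + 26 > len(buf):
        findings.append("FILE_HEADER: SizeOfOptionalHeader %d too small" % opt_size)
        return findings
    opt_magic = struct.unpack_from("<H", buf, nt + 24)[0]
    if opt_magic not in OPT_MAGIC:
        findings.append("OPTIONAL_HEADER: bad Magic 0x%04x" % opt_magic)
    return findings


def find_nt_headers(buf):
    """Locate 'PE\\0\\0' signatures followed by a plausible FILE_HEADER and
    optional-header Magic. Recovers images whose MZ stub was zeroed but whose
    NT headers survive. Returns (offset, machine name, PE32/PE32+) tuples."""
    hits = []
    pos = buf.find(b"PE\0\0")
    while pos != -1:
        if pos + 26 <= len(buf):
            machine, nsect = struct.unpack_from("<HH", buf, pos + 4)
            opt_size = struct.unpack_from("<H", buf, pos + 20)[0]
            magic = struct.unpack_from("<H", buf, pos + 24)[0]
            if (machine in KNOWN_MACHINES and 1 <= nsect <= 96
                    and opt_size in (0xE0, 0xF0) and magic in OPT_MAGIC):
                hits.append((pos, KNOWN_MACHINES[machine], OPT_MAGIC[magic]))
        pos = buf.find(b"PE\0\0", pos + 1)
    return hits


def triage(buf):
    """One-line verdict for a dumped region, for the analyst's worklist."""
    findings = check_pe_headers(buf)
    if not findings:
        return "intact PE headers"
    hits = find_nt_headers(buf)
    if hits:
        return "DOS header corrupted, NT headers at 0x%x (%s %s)" % hits[0]
    return "no usable PE headers: %s" % "; ".join(findings)


def build_sample_image(e_lfanew=0x80):
    """Constructed minimal 64-bit image: MZ stub, 'PE\\0\\0', FILE_HEADER and the
    first bytes of a PE32+ OPTIONAL_HEADER, padded to one page. Sample data only."""
    img = bytearray(e_lfanew)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    stub = b"This program cannot be run in DOS mode.\r\n$"
    img[0x40:0x40 + len(stub)] = stub
    img += b"PE\0\0"
    # Machine=x64, 3 sections, timestamp, no symbols, PE32+ optional header size
    img += struct.pack("<HHIIIHH", 0x8664, 3, 0x5F000000, 0, 0, 0xF0, 0x22)
    img += struct.pack("<H", 0x20B) + bytes(0xF0 - 2)
    img += bytes(PAGE_SIZE - len(img))
    return bytes(img)


def stomp_dos_header(img):
    """Simulate header stomping: zero the MZ stub and e_lfanew (first 0x40 bytes)."""
    return bytes(0x40) + img[0x40:]


if __name__ == "__main__":
    clean = build_sample_image()
    for label, region in (("clean", clean), ("stomped", stomp_dos_header(clean)),
                          ("zeroed page", bytes(PAGE_SIZE))):
        print("%-12s %s" % (label, triage(region)))
```

Run it against a page-aligned region carved from a process dump (for example the dllhost.exe image base) to get the same verdicts; a region that reports "no usable PE headers" but still has executable code is the case where the NT headers were wiped too, and reconstruction has to fall back to the code itself.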
Despite these obstacles, Fortinet reconstructed the attack environment in a secure lab setting, enabling them to reverse-engineer the dumped malware. Once executed, the RAT decrypts its command-and-control (C2) domain from memory and establishes a TLS connection to its server, rushpapers[.]com.
“The malware initiates a new communication thread and puts the main thread into a sleep state until the communication completes,” explained the researchers.
This newly identified Windows RAT is equipped with advanced remote surveillance and control capabilities, including:
- Screenshot capturing
- System service enumeration and manipulation
- Multi-threaded socket-based communication
- Server-mode operation to accept attacker ‘client’ connections
By enabling multiple concurrent sessions, the malware transforms the infected host into a fully functional remote-access system, allowing threat actors to perform persistent surveillance, lateral movement, and further exploitation.
This case underscores the growing sophistication of Windows malware and highlights the critical need for proactive threat hunting and memory-based detection strategies in modern cybersecurity frameworks.