BRUSHWORM and BRUSHLOGGER uncovered
Essential information
- Published: 27/03/2026 09:45
- Modified: 27/03/2026 09:58
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: brushlogger, brushworm, keylogger
- Tags: 2026-03-27, brushlogger, brushworm, keylogger
- Related entities: 5 indicators, 3 observables, 13 techniques (MITRE), 2 malware, 3 others
Description
A South Asian financial institution was targeted with two custom malware components: BRUSHWORM, a modular backdoor, and BRUSHLOGGER, a keylogger. BRUSHWORM implements anti-analysis checks, an encrypted configuration, persistence through a scheduled task, download of additional payload modules, self-propagation to USB drives (the same mechanism that gives it a route across air gaps), and broad file theft. BRUSHLOGGER is launched by DLL side-loading and records system-wide keystrokes together with the active window context, so captured input can be tied to the application it was typed into. The code's low sophistication and implementation flaws point to an inexperienced author, possibly relying on AI code-generation tools, and several test builds found on VirusTotal show the samples were developed iteratively. Together the two components form a working collection platform: modular loading, USB propagation, broad file theft, air-gap bridging, and persistent keystroke capture.
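Two of the behaviours named above, DLL side-loading and scheduled-task persistence, are the ones most worth hunting for in endpoint telemetry because they leave durable, host-independent traces. The script below is an added example written for this page, not tooling from the report or from AlienVault. It runs two heuristics over constructed event records shaped like Sysmon Event ID 7 (ImageLoad) and Windows Security Event 4698 (scheduled task created), reduced to the fields the checks need: an unsigned DLL with a commonly side-loaded name, or in a user-writable location, loaded from the same directory as its host executable; and a task whose command, or script argument, points into a user-writable path or a non-system drive. The DLL name list, the writable-path hints, and the assumption that the system drive is C: are all illustrative choices; the report does not publish the DLL or task names these samples use.

```python
"""Hunting heuristics for DLL side-loading and scheduled-task persistence.
Added example, not the report's or the vendor's own code. Event records are
constructed and reduced to the fields the checks need."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Locations a standard user cannot write to (assumes the system drive is C:).
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Substrings that mark user- or world-writable locations.
WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\tmp\\")
# DLL names frequently side-loaded by signed host binaries. Generic list assumed
# for illustration; the report does not name the DLL BRUSHLOGGER replaces.
COMMON_SIDELOAD_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll",
                         "msimg32.dll", "cryptbase.dll", "dwmapi.dll"}
ENV_EXPANSIONS = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows",
                  "%programfiles%": "c:\\program files"}
SCRIPT_EXTS = (".vbs", ".js", ".ps1", ".bat", ".cmd", ".hta")


@dataclass
class ImageLoad:          # Sysmon EID 7, reduced
    image: str            # process that performed the load
    image_loaded: str     # DLL path
    signed: bool          # Sysmon "Signed" field


@dataclass
class TaskCreated:        # Security EID 4698, reduced to <Command>/<Arguments>
    task_name: str
    command: str
    arguments: str = ""


def normalize(path: str) -> str:
    """Lower-case and expand the few environment variables seen in task actions."""
    p = path.strip().lower()
    for var, val in ENV_EXPANSIONS.items():
        p = p.replace(var, val)
    return p


def is_user_writable(path: str) -> bool:
    p = normalize(path)
    if any(h in p for h in WRITABLE_HINTS):
        return True
    if p.startswith(SYSTEM_PREFIXES):
        return False
    # Any drive other than the system drive: removable media or mapped share.
    return bool(re.match(r"^[a-z]:\\", p)) and not p.startswith("c:\\")


def side_load_candidate(ev: ImageLoad) -> bool:
    host = PureWindowsPath(normalize(ev.image))
    dll = PureWindowsPath(normalize(ev.image_loaded))
    if host.parent != dll.parent:
        return False      # side-loading relies on the host's own directory winning the search order
    if ev.signed:
        return False      # a validly signed DLL beside its host is the normal case
    return dll.name in COMMON_SIDELOAD_NAMES or is_user_writable(str(dll))


def first_token(command: str) -> str:
    raw = command.strip()
    if raw.startswith('"'):
        return raw[1:raw.find('"', 1)]
    return raw.split()[0] if raw else ""


def suspicious_task(ev: TaskCreated) -> bool:
    if is_user_writable(first_token(ev.command)):
        return True
    # Script hosts launched from a system path but fed a script in a writable location.
    for tok in ev.arguments.replace('"', " ").split():
        if tok.lower().endswith(SCRIPT_EXTS) and is_user_writable(tok):
            return True
    return False


def hunt(loads, tasks):
    findings = []
    for ev in loads:
        if side_load_candidate(ev):
            findings.append(f"sideload: {ev.image} loaded {ev.image_loaded}")
    for ev in tasks:
        if suspicious_task(ev):
            findings.append(f"task: {ev.task_name} -> {ev.command} {ev.arguments}".rstrip())
    return findings


# Constructed sample events (not indicators from the report).
SAMPLE_LOADS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Users\alice\AppData\Roaming\Updater\updater.exe",
              r"C:\Users\alice\AppData\Roaming\Updater\version.dll", False),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\plugin.dll", True),
    ImageLoad(r"E:\Tools\viewer.exe", r"E:\Tools\msimg32.dll", False),
]
SAMPLE_TASKS = [
    TaskCreated(r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"%windir%\system32\defrag.exe"),
    TaskCreated(r"\Updater", r"C:\Users\alice\AppData\Roaming\Updater\updater.exe"),
    TaskCreated(r"\Sync", "wscript.exe", r"C:\ProgramData\sync\sync.vbs"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOADS, SAMPLE_TASKS):
        print(finding)
```

The same-directory test is the important one: a legitimately signed host such as the one BRUSHLOGGER rides on will load system DLLs from System32 in normal operation, and only the copy placed beside the host in a writable directory is worth an analyst's time. Expect noise from software that ships its own copies of these DLLs in Program Files; the signature check removes most of it.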