{
  "name": "BRUSHWORM and BRUSHLOGGER uncovered",
  "slug": "brushworm-and-brushlogger-uncovered",
  "description": "A South Asian financial institution was targeted with two custom malware components: BRUSHWORM, a modular backdoor, and BRUSHLOGGER, a keylogger. BRUSHWORM features anti-analysis checks, encrypted configuration, scheduled task persistence, modular payload downloading, USB worm propagation, and extensive file theft. BRUSHLOGGER runs via DLL side-loading and captures system-wide keystrokes with window context tracking. The malware's low sophistication and implementation flaws suggest an inexperienced author, possibly using AI code-generation tools. Multiple test versions were discovered on VirusTotal, indicating iterative development. The malware components combine to create a functional collection platform with modular loading, USB propagation, broad file theft, air-gap bridging, and persistent keystroke capture.",
  "published": "2026-03-27T08:45:50.675000+00:00",
  "created_at": "2026-03-27T09:58:37.523000+00:00",
  "modified_at": "2026-03-27T08:58:37+00:00",
  "created_at_opencti": "2026-03-27T09:58:37.523000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "brushlogger",
    "brushworm",
    "keylogger"
  ],
  "tags": [
    "2026-03-27",
    "brushlogger",
    "brushworm",
    "keylogger"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "54165c8f-8ba6-4eb8-9617-8537c29cd6c5",
        "name": "Windows_Trojan_BrushLogger_304ee146"
      },
      {
        "id": "cf73629b-e7cc-4027-81cc-70d14b111b8d",
        "name": "Windows_Trojan_BrushWorm_7c2098ef"
      },
      {
        "id": "8e6dbe8a-2917-4b77-a89a-a0a6e18eb4e0",
        "name": "http://resources.dawnnewsisl.com/updtdll"
      },
      {
        "id": "fb967b5d-fcca-426f-a823-9b49d7ba3dfa",
        "name": "4f1ea5ed6035e7c951e688bd9c2ec47a1e184a81e9ae783d4a0979501a1985cf"
      },
      {
        "id": "81f4ff4d-0f69-46f1-8b52-03ce855401c4",
        "name": "89891aa3867c1a57512d77e8e248d4a35dd32e99dcda0344a633be402df4a9a7"
      }
    ],
    "attack_patterns": [
      {
        "id": "8c79f5d6-60f2-4b5c-9b44-3e00ce9294d0",
        "name": "T1074.001"
      },
      {
        "id": "0cad3bc9-06c8-4bb1-b85b-cdcb64605ead",
        "name": "T1025"
      },
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "99a1fb98-1a01-485b-b90a-a9f362f41a84",
        "name": "T1091"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "8ed8c69f-39b7-445c-8efb-6d3470064374",
        "name": "T1010"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      },
      {
        "id": "436e795b-553f-444e-b837-65818d8f539f",
        "name": "T1119"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      }
    ],
    "malware": [
      {
        "id": "1318f508-df7a-461d-8599-3ab77178fc52",
        "name": "BRUSHWORM",
        "slug": "brushworm"
      },
      {
        "id": "a81127ef-15db-4ec9-b7ed-fd74b4330bae",
        "name": "BRUSHLOGGER",
        "slug": "brushlogger"
      }
    ],
    "observables": [
      {
        "id": "d288635d-90a3-4b9a-919c-dafc18001113",
        "name": "http://resources.dawnnewsisl.com/updtdll"
      },
      {
        "id": "",
        "name": "4f1ea5ed6035e7c951e688bd9c2ec47a1e184a81e9ae783d4a0979501a1985cf"
      },
      {
        "id": "",
        "name": "89891aa3867c1a57512d77e8e248d4a35dd32e99dcda0344a633be402df4a9a7"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Windows_Trojan_BrushLogger_304ee146"
      },
      {
        "id": "",
        "name": "Windows_Trojan_BrushWorm_7c2098ef"
      }
    ]
  },
  "external_refs": [
    {
      "id": "0839da95-c744-49a4-be05-aed58eec49cb",
      "standard_id": "external-reference--6a3cd9d6-ef11-563a-9a21-d2e44d45d2e6",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.elastic.co/security-labs/brushworm-targets-financial-services",
      "hash": null,
      "external_id": null,
      "created": "2026-03-27T09:58:35.125Z",
      "modified": "2026-03-27T09:58:35.125Z",
      "createdById": null
    },
    {
      "id": "564d9cce-ccc4-4b30-b7b7-7a92313a5172",
      "standard_id": "external-reference--f080d7f8-1727-570c-bc3a-523ed70ab64a",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/69c643be1c9656febe1f3cc6",
      "hash": null,
      "external_id": "69c643be1c9656febe1f3cc6",
      "created": "2026-03-27T09:58:35.101Z",
      "modified": "2026-03-27T09:58:35.101Z",
      "createdById": null
    }
  ]
}