(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))

Have a SUGGESTED PIVOT (from last newsletter) like this:

What specific new evasion techniques, such as fileless malware execution, living-off-the-land binaries (LOLBins), or advanced certificate abuse methods, has Dark Partners adopted following the revocation of their stolen code signing certificates, and how can detection strategies be enhanced using targeted YARA rules and behavioral analytics to identify these evolving tactics?

Does it take a chunks out of your day? Would you like help with the research?

This baseline report was thoughtfully researched and took 10 minutes.. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.

We just did the initial grunt work..

Are you ready to level up your skillset? Get Started Here!

Did this help you? Forward it to a friend!

TL;DR

Key Points

1. • Newly developed YARA rules target PSLoramyra’s unique obfuscation, fileless execution, and persistence mechanisms, including HEX-encoded payloads, environment-variable-based XOR, stealth script flags, and process injection into RegSvcs.exe.
   • Integrate these rules into EDR, SIEM, and SOAR platforms for early, accurate detection and rapid response.
2. • Enhanced behavioral analytics and memory forensics (e.g., Volatility) are critical for identifying in-memory payloads, stealth execution, and injected code, especially as PSLoramyra evades traditional file-based detection.
   • Operationalize memory scanning and behavioral rules in incident response and threat hunting workflows.
3. • Cross-platform adaptations are necessary as fileless malware techniques migrate to Linux and macOS, leveraging analogous process injection (ptrace, DYLD_INSERT_LIBRARIES) and persistence (cron jobs).
   • Expand detection frameworks and analyst training to cover non-Windows environments.

Executive Summary

PSLoramyra represents a sophisticated fileless malware loader employing advanced obfuscation and stealth techniques to evade detection and maintain persistence. The latest detection strategies center on a suite of YARA rules designed to identify HEX-encoded payload fragments (notably with %&% delimiters), special character removal, environment-variable-based XOR encoding, stealth script execution flags, and process injection targeting RegSvcs.exe. These rules are intended for integration with EDR, SIEM, and SOAR platforms, enabling automated alerting and response.

Behavioral analytics and memory forensics are emphasized as essential for uncovering PSLoramyra’s in-memory artifacts and stealthy execution patterns. Tools like Volatility and Rekall are recommended for scanning memory for obfuscated payloads and injected code, while behavioral rules should monitor for stealth script flags and suspicious scheduled task creation.

The threat landscape is evolving, with evidence suggesting that PSLoramyra-like tactics are likely to appear on Linux and macOS, utilizing platform-specific injection and persistence methods. Detection frameworks must adapt by monitoring for analogous behaviors (e.g., ptrace, DYLD_INSERT_LIBRARIES, cron jobs) and leveraging cross-platform memory forensics.

Short-term forecasts predict a significant increase in PSLoramyra detection rates following the deployment of these rules and analytics, but adversaries are expected to rapidly iterate obfuscation techniques. Long-term, fileless malware will likely become more cross-platform and AI-assisted, necessitating continuous innovation in detection and response. Security teams should prioritize operationalizing these detection strategies, expanding cross-platform coverage, and tuning rules to balance detection efficacy with manageable false positive rates.

6 YARA Rules and Detection Strategies for PSLoramyra Fileless Malware Loader

YARA Rules

1. HEX-Encoded Payload Fragments with %&% Delimiters

rule PSLoramyra_HexEncodedPayloadFragments
{
    meta:
        description = "Detects HEX-encoded payload fragments separated by %&% delimiter used by PSLoramyra"
        author = "GTI Analyst"
        date = "2025-07-14"
        reference = "https://any.run/cybersecurity-blog/psloramyra-malware-technical-analysis/"

    strings:
        $delimiter = "%&%" ascii nocase
        $hex_pattern = /(?:[0-9a-fA-F]{2}){10,}/
    condition:
        $delimiter and $hex_pattern
}

2. Obfuscation via Removal of Special Characters (e.g., #)

rule PSLoramyra_SpecialCharRemoval
{
    meta:
        description = "Detects script obfuscation by removal of special characters such as #"
        author = "GTI Analyst"
        date = "2025-07-14"
        reference = "https://www.secureblink.com/threat-research/rev-c2-more-eggs-lite-and-ps-loramyra-insights-into-advanced-fileless-malware"

    strings:
        $pattern1 = /[a-zA-Z0-9]{5,}[^#]{0,3}[a-zA-Z0-9]{5,}/ ascii nocase
        $pattern2 = /remove.*#.*character/ ascii nocase
    condition:
        $pattern1 and $pattern2
}

3. Environment-Variable-Based XOR Encoding (e.g., %computername%)

(Hit the Subscribe button to see more!)