win.lorem_ipsum

Lorem Ipsum


According to BlueVoyant, Lorem Ipsum is a multi-stage malware family written in PowerShell for its loader components, with later stages transitioning to shellcode and DLL-based payloads. The loader chains multiple PowerShell stages that use AES decryption for embedded payloads, followed by gzip decompression and reflective memory loading, with newer versions employing substitution cipher decoding and XOR-encrypted shellcode stubs. The malware achieves persistence via Windows registry Run keys and evolved to use DLL sideloading, where a legitimate executable sideloads a malicious DLL that decodes embedded ciphertext to launch the core loader. Communication with C2 servers is conducted through JFIF image files where additional data is appended beyond image boundaries, allowing bidirectional exchange disguised as image traffic.

References
2026-05-04 ⋅ BlueVoyant ⋅ Joshua Green, Thomas Elkins
Lorem Ipsum Malware: Trojanized MS Teams Installers Deliver Multi-Stage Loader and Backdoor
Lorem Ipsum

There is no Yara-Signature yet.