win.octowave (Back to overview)

Octowave Loader


Octowave Loader is a malware loader used to run other families of malware. It typically consists of an MSI or Inno Setup installer for a legitimate piece of software that has been trojanised to include several malicious DLLs, which ultimately load and run malicious code that is often stored within a WAV file also delivered to the endpoint. In the wild it has been seen delivered through fake software installers and ClickFix / Fake Captcha campaigns. Malware families deployed by it often include information stealers, NetSupport RAT, and potentially bots such as Danabot.

References
2024-08-08 Huntress Labs Jai Minton
X
Octowave Loader
Yara Rules
[TLP:WHITE] win_octowave_w0 (20250411 | Detects resources embedded within Octowave Loader MSI installers)
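rule win_octowave_w0 {

    meta:
        author = "Jai Minton (@CyberRaiju) - HuntressLabs"
        date = "2025-03-28"
        version = "1"
        description = "Detects resources embedded within Octowave Loader MSI installers"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        yt_reference = "https://www.youtube.com/watch?v=NiNIbkiuExU"
        reference = "https://x.com/CyberRaiju/status/1893450184224362946?t=u0X6ST2Qgnrf-ujjphGOSg&s=19"
        hash1 = "05b025b8475c0acbc9a5d2cd13c15088a2fb452aa514d0636f145e1c4c93e6ee"
        hash2 = "500462c4fb6e4d0545f04d63ef981d9611b578948e5cfd61d840ff8e2f206587"
        hash3 = "5ee9e74605b0c26b39b111a89139d95423e54f7a54decf60c7552f45b8b60407"
        hash4 = "76efc8c64654d8f2318cc513c0aaf0da612423b1715e867b4622712ba0b3926f"
        hash5 = "c3e2af892b813f3dcba4d0970489652d6f195b7985dc98f08eaddca7727786f0"
        hash6 = "d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6"
        hash7 = "e93969a57ef2a7aee13a159cbf2015e2c8219d9153078e257b743d5cd90f05cb"
        hash8 = "45984ae78d18332ecb33fe3371e5eb556c0db86f1d3ba8a835b72cd61a7eeecf"
        // NOTE(review): this id is the same value used by win_octowave_w1. Rule ids are
        // meant to be unique per rule; one of the two should be regenerated.
        id = "56685a0a-523d-4060-a008-aa28542cb85c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.octowave"
        malpedia_rule_date = "20250411"
        malpedia_hash = ""
        malpedia_version = "20250411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Windows Installer action names run together as they appear in the MSI
        // sequence tables, followed by a launch-condition expression. This is the
        // most specific string in the rule.
        $string1 = "LaunchConditionsValidateProductIDProcessComponentsUnpublishFeaturesRemoveFilesRegisterUserRegisterProductInstalled OR PhysicalMemory >= 2048" ascii

        // Extensions of the resources bundled in the installer (cabinet, the WAV
        // carrying the payload, the sideloaded DLLs). Each is only four bytes and is
        // common in benign MSIs, so they only narrow the match together with
        // $string1 and the container check in the condition. All must be present.
        $string2 = ".cab" ascii
        $string3 = ".wav" ascii
        $string4 = ".dll" ascii

        // Extensions of optional supporting files; any one is sufficient.
        $supporting1 = ".raw" ascii
        $supporting2 = ".db" ascii
        $supporting3 = ".pak" ascii
        $supporting4 = ".bin" ascii
        $supporting5 = ".bak" ascii
        $supporting6 = ".dat" ascii

    condition:
        // uint32(0) is read little-endian, so 0xe011cfd0 matches the byte sequence
        // D0 CF 11 E0 - the OLE2 compound-file signature used by MSI packages.
        // It is checked first as the cheapest gate, before string scanning matters.
        (uint32(0) == 0xe011cfd0) and
        filesize < 200000KB and
        all of ($string*) and
        1 of ($supporting*)
}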
[TLP:WHITE] win_octowave_w1 (20250411 | Detects supporting file used by Octowave Loader containing hardcoded values)
rule win_octowave_w1 {

    meta:
        author = "Jai Minton (@CyberRaiju) - HuntressLabs"
        date = "2025-03-28"
        version = "1"
        description = "Detects supporting file used by Octowave Loader containing hardcoded values"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        yt_reference = "https://www.youtube.com/watch?v=NiNIbkiuExU"
        reference = "https://x.com/CyberRaiju/status/1893450184224362946?t=u0X6ST2Qgnrf-ujjphGOSg&s=19"
        hash1 = "C4CBAA7E4521FA0ED9CC634C5E2BACBF41F46842CA4526B7904D98843A7E9DB9" 
        hash2 = "F5CFB2E634539D5DC7FFE202FFDC422EF7457100401BA1FBC21DD05558719865" 
        hash3 = "56F1967F7177C166386D864807CDF03D5BBD3F118A285CE67EA226D02E5CF58C" 
        hash4 = "11EE5AD8A81AE85E5B7DDF93ADF6EDD20DE8460C755BF0426DFCBC7F658D7E85" 
        hash5 = "D218B65493E4D9D85CBC2F7B608F4F7E501708014BC04AF27D33D995AA54A703" 
        hash6 = "0C112F9DFE27211B357C74F358D9C144EA10CC0D92D6420B8742B72A65562C5A" 
        // NOTE(review): this id is the same value used by win_octowave_w0. Rule ids are
        // meant to be unique per rule; one of the two should be regenerated.
        id = "56685a0a-523d-4060-a008-aa28542cb85c" 
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.octowave"
        malpedia_rule_date = "20250411"
        malpedia_hash = ""
        malpedia_version = "20250411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        
    strings: 

        // Hardcoded byte run from the supporting file. The bytes 31 30 31 32 35 34 36
        // 36 39 38 in the middle are ASCII "1012546698", an identifier whose meaning
        // is unknown; the surrounding bytes anchor it in place.
        $unique_key = {1D 1C 1F 1E 01 01 03 02 05 04 07 06 09 D4 0E 0A 0D 0C 0F 0E 31 30 31 32 35 34 36 36 39 38 DC 3F 3D 3C 3E}
        // Both ASCII strings read as consecutive characters with each pair swapped
        // ("@A BC DE ..." -> "A@CB ED ..."), which looks like 16-bit byte-swapped
        // data - inferred from the text only, not confirmed against a sample.
        // No modifiers, so these match as plain ASCII only (no wide variant).
        $unique_string = "MLONqpsrutwvyx"
        // $unique_string is a suffix of this string, so any match of $unique_string2
        // already implies $unique_string; "all of them" therefore reduces to
        // $unique_key and $unique_string2. Kept for per-string match reporting.
        $unique_string2 = "A@CBEDGFIHKJMLONqpsrutwvyx"

    condition:
        // uint16(0) is read little-endian, so 0x5a4d is the byte pair 4D 5A ("MZ");
        // the inequality excludes DOS/PE executables, as the supporting file is a
        // non-executable data file. Cheap check placed before the string scan.
        (uint16(0) != 0x5a4d) and filesize < 10000KB and all of them
}