win.voldemort

Voldemort


Voldemort is a backdoor discovered by Proofpoint in August 2024. It is distributed via phishing e-mails and makes use of creative techniques such as using Windows saved-search files as an obfuscation step in the infection chain and Google Sheets as its command-and-control (C2) channel. While its broad targeting resembles cybercrime (ecrime) activity, Proofpoint notes that the capabilities of the malware point towards espionage/APT activity.

References
2025-07-16 — Proofpoint — Mark Kelly, Proofpoint Threat Research Team
Phish and Chips: China-Aligned Espionage Actors Ramp Up Taiwan Semiconductor Industry Targeting
Cobalt Strike Voldemort UNK_DropPitch UNK_FistBump UNK_SparkyCarp
2024-10-22 — Twitter (@threatinsight) — Threat Insight
Twitter Thread attributing Voldemort to TA415 (APT41, BrassTyphoon)
Voldemort
2024-08-29 — Proofpoint — Pim Trouerbach, Selena Larson, Tommy Madjar
The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers “Voldemort”
Voldemort
Yara Rules
[TLP:WHITE] win_voldemort_auto (20260504 | Detects win.voldemort.)
rule win_voldemort_auto {

    // Auto-generated code-sequence rule for the win.voldemort backdoor.
    // All byte sequences below are x86-64 instruction runs (REX prefixes 41/45/48/49/4c/4d);
    // the per-byte annotations give the 64-bit decoding of each opcode so that
    // analysts can sanity-check a hit against the disassembly.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.voldemort."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.voldemort"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Epilogue/prologue pair: store a result, jump out, then a standard
        // Win64 prologue (save rbx, push rdi, 0x20-byte shadow space).
        $sequence_0 = { 48894308 e9???????? 48895c2408 57 4883ec20 488b11 488bf9 }
            // n = 7, score = 300
            //   48894308             | mov                 qword ptr [rbx + 8], rax
            //   e9????????           | jmp                 rel32 (target wildcarded)
            //   48895c2408           | mov                 qword ptr [rsp + 8], rbx
            //   57                   | push                rdi
            //   4883ec20             | sub                 rsp, 0x20
            //   488b11               | mov                 rdx, qword ptr [rcx]
            //   488bf9               | mov                 rdi, rcx

        // Function return followed by the start of a 16-bit (wide-char) walker.
        $sequence_1 = { 5b c3 4c8bda 4c8bd1 450fb702 4d8d5202 }
            // n = 6, score = 300
            //   5b                   | pop                 rbx
            //   c3                   | ret
            //   4c8bda               | mov                 r11, rdx
            //   4c8bd1               | mov                 r10, rcx
            //   450fb702             | movzx               r8d, word ptr [r10]
            //   4d8d5202             | lea                 r10, [r10 + 2]

        // Callee-saved register restore + return, then a frame-pointer-style
        // prologue that saves rbx relative to the incoming rsp (r11).
        $sequence_2 = { 415e 415d 415c 5f c3 4c8bdc 49895b18 }
            // n = 7, score = 300
            //   415e                 | pop                 r14
            //   415d                 | pop                 r13
            //   415c                 | pop                 r12
            //   5f                   | pop                 rdi
            //   c3                   | ret
            //   4c8bdc               | mov                 r11, rsp
            //   49895b18             | mov                 qword ptr [r11 + 0x18], rbx

        // Loop back-edge, then a "return true" epilogue.
        $sequence_3 = { 7597 41b001 488b5c2408 418ac0 c3 488bc4 }
            // n = 6, score = 300
            //   7597                 | jne                 short (rel8 = -0x69)
            //   41b001               | mov                 r8b, 1
            //   488b5c2408           | mov                 rbx, qword ptr [rsp + 8]
            //   418ac0               | mov                 al, r8b
            //   c3                   | ret
            //   488bc4               | mov                 rax, rsp

        // NUL-terminate a buffer via r15, return true, then next function prologue.
        $sequence_4 = { 41c60700 b001 e9???????? 48895c2410 55 56 }
            // n = 6, score = 300
            //   41c60700             | mov                 byte ptr [r15], 0
            //   b001                 | mov                 al, 1
            //   e9????????           | jmp                 rel32 (target wildcarded)
            //   48895c2410           | mov                 qword ptr [rsp + 0x10], rbx
            //   55                   | push                rbp
            //   56                   | push                rsi

        // Superset of $sequence_0 with the preceding pointer addition.
        $sequence_5 = { 4803c1 48894308 e9???????? 48895c2408 57 4883ec20 }
            // n = 6, score = 300
            //   4803c1               | add                 rax, rcx
            //   48894308             | mov                 qword ptr [rbx + 8], rax
            //   e9????????           | jmp                 rel32 (target wildcarded)
            //   48895c2408           | mov                 qword ptr [rsp + 8], rbx
            //   57                   | push                rdi
            //   4883ec20             | sub                 rsp, 0x20

        // Prefix of $sequence_4 (same bytes, one instruction shorter).
        $sequence_6 = { 41c60700 b001 e9???????? 48895c2410 55 }
            // n = 5, score = 300
            //   41c60700             | mov                 byte ptr [r15], 0
            //   b001                 | mov                 al, 1
            //   e9????????           | jmp                 rel32 (target wildcarded)
            //   48895c2410           | mov                 qword ptr [rsp + 0x10], rbx
            //   55                   | push                rbp

        // Overlaps the tail of $sequence_3 and continues into the next prologue.
        $sequence_7 = { 488b5c2408 418ac0 c3 488bc4 48895808 }
            // n = 5, score = 300
            //   488b5c2408           | mov                 rbx, qword ptr [rsp + 8]
            //   418ac0               | mov                 al, r8b
            //   c3                   | ret
            //   488bc4               | mov                 rax, rsp
            //   48895808             | mov                 qword ptr [rax + 8], rbx

        // Overlaps the tail of $sequence_2; prologue reserves a 0x40-byte frame.
        $sequence_8 = { 415c 5f c3 4c8bdc 49895b18 57 4883ec40 }
            // n = 7, score = 300
            //   415c                 | pop                 r12
            //   5f                   | pop                 rdi
            //   c3                   | ret
            //   4c8bdc               | mov                 r11, rsp
            //   49895b18             | mov                 qword ptr [r11 + 0x18], rbx
            //   57                   | push                rdi
            //   4883ec40             | sub                 rsp, 0x40

        // Overlaps $sequence_1 with the preceding stack-frame release.
        $sequence_9 = { 4883c420 5b c3 4c8bda 4c8bd1 450fb702 }
            // n = 6, score = 300
            //   4883c420             | add                 rsp, 0x20
            //   5b                   | pop                 rbx
            //   c3                   | ret
            //   4c8bda               | mov                 r11, rdx
            //   4c8bd1               | mov                 r10, rcx
            //   450fb702             | movzx               r8d, word ptr [r10]

    condition:
        // 7 of the 10 sequences must be present and the scanned object must be
        // smaller than 577536 bytes (~564 KiB). Several sequences overlap
        // ($sequence_0/$sequence_5, $sequence_4/$sequence_6, $sequence_3/$sequence_7,
        // $sequence_2/$sequence_8, $sequence_1/$sequence_9), so the effective number
        // of independent code locations required is lower than 7.
        // NOTE(review): `filesize` is only meaningful for file scans — confirm the
        // intended behaviour when applying this rule to process memory.
        7 of them and filesize < 577536
}