

The discovery shows that hackers are looking for new and improved methods to compromise Windows machines, and most likely are focusing their attention on WSL in an attempt to evade detection.

The first samples showing that attackers were targeting the WSL environment were discovered in May, and new ones appeared every two to three weeks until August.

How Does the Malware Work?

Lumen’s Black Lotus Labs security experts believe that the payload is either embedded in the malicious files or retrieved from a remote server.

The next step is to inject the payload into a running process using Windows API calls, which isn’t a particularly creative or novel approach.

Only one of the few samples found contained a publicly routable IP address, implying that threat actors are only experimenting with using WSL to install malware on Windows.

The malicious files are packaged as an ELF executable for Debian using PyInstaller and rely mostly on Python 3 to carry out their tasks.

As the negligible detection rate on VirusTotal suggests, most endpoint agents designed for Windows systems don’t have signatures built to analyze ELF files, though they frequently detect non-WSL agents with similar functionality.
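As an added example (not code from Black Lotus Labs or from this article), the following defender-side triage addresses the gap described above: it walks a directory tree on a Windows host, identifies ELF files by their header, and flags those that carry the PyInstaller archive cookie. The cookie match is a heuristic, and the `triage` and `scan` names and the sample bytes are constructed for illustration.

```python
import os
import struct
import sys
from typing import Iterator, Optional

ELF_MAGIC = b"\x7fELF"
# Magic of the PyInstaller CArchive cookie that marks the bundled Python archive.
PYI_COOKIE = b"MEI\x0c\x0b\x0a\x0b\x0e"
MACHINES = {0x03: "x86", 0x3E: "x86-64", 0xB7: "aarch64"}
TYPES = {2: "EXEC", 3: "DYN"}

def triage(data: bytes) -> Optional[dict]:
    """Return ELF header facts and a PyInstaller flag, or None if not a usable ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None  # corrupt e_ident: class or byte order is invalid
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "bits": 32 * ei_class,
        "type": TYPES.get(e_type, hex(e_type)),
        "machine": MACHINES.get(e_machine, hex(e_machine)),
        "pyinstaller": PYI_COOKIE in data,  # heuristic: cookie anywhere in the file
    }

def scan(root: str) -> Iterator[tuple]:
    """Yield (path, facts) for every ELF file under root; unreadable files are skipped."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if fh.read(4) != ELF_MAGIC:
                        continue  # cheap header check before reading the whole file
                    fh.seek(0)
                    facts = triage(fh.read())
            except OSError:
                continue
            if facts:
                yield path, facts

# Constructed sample: a minimal 64-bit little-endian ELF header followed by the cookie.
SAMPLE = (ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
          + struct.pack("<HH", 2, 0x3E) + bytes(44) + PYI_COOKIE)

if __name__ == "__main__":
    for path, facts in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(("PYINSTALLER-ELF " if facts["pyinstaller"] else "ELF ") + path, facts)
```

A hit is only a lead for review: WSL distributions legitimately contain many ELF files, so the PyInstaller flag and the file's location outside an expected distribution root are what make a result worth a closer look.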


Only one antivirus engine on VirusTotal detected one of the malicious Linux files less than a month ago. Refreshing the scan on another sample revealed that it went completely undetected by the scanning service’s engines.

One of the variants, written entirely in Python 3, seems to be the first effort at a WSL loader, as it does not use any Windows API. It is compatible with both Windows and Linux since it uses common Python libraries.

The researchers spotted “Hello Sanya” written in Russian in the code of a test sample. Except for one file, all of the files linked with this sample had local IP addresses; the one public IP was 185.63.90[.]137, which was already unavailable when the researchers attempted to download the payload.

Another version of the “ELF to Windows” loader used PowerShell to inject and run the shellcode.

The researchers think the code could still be a work in progress, despite being in the final stages, based on inconsistencies found when examining numerous samples.

The limited visibility into the public IP address indicates that activity was confined to Ecuador and France between late June and early July.

A threat actor testing the method through a VPN or proxy node appears to be behind the WSL malware loaders.

Author Profile

Dora Tudor

Cyber Security Enthusiast

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.
