Trojanized Trust: Inside the Symbiote Loader and Its Phosphoric PE Infector (Part 1)

Zenyard Threat Research

Zenyard

•

min read

•

April 9, 2026

Key Judgments

Defenders should pivot away from import-table triage and toward wrapper structure, memory capture, and section-based hunting. The sample hides Phosphoric.dll inside a custom .PAK0 / .PAK1 / .PAK2 wrapper, decrypts it with an in-file 8-byte XOR key, and loads it from memory rather than through the normal Windows loader path.
The payload is modular rather than monolithic. Separate embedded PEs handle orchestration, PE infection, process injection, and networking. Partial detections will not necessarily break the full kill chain, and defenders need independent coverage across each module boundary.
The malware spreads by modifying trusted executables with Windows resource-update APIs and then reusing those hosts as new carriers. This turns ordinary file discovery across endpoints, shared drives, and removable media into an infection surface rather than just an execution surface.
The implant establishes durable execution through a Windows service named WinInitServ, a SYSTEM logon task, privilege escalation through token duplication, and thread-context hijacking into explorer.exe. These behaviors create multiple high-signal host pivots even when C2 infrastructure remains hidden until runtime.
The wrapper uses an 8-byte repeating XOR scheme to protect the staged payload. This is sufficient to defeat casual static inspection, but once the wrapper format is recognized, analysts can decrypt and recover embedded payloads offline without recovering any external key material.

Overview

This sample is a trojanized Adobe Acrobat or Reader executable that has been backdoored with a custom multi-stage loader and a modular payload family that identifies itself as Symbiote, with a core module named Phosphoric .

Zenyard Agent produced this analysis from a structured reverse engineering extract of a PE32 Windows binary, with no prior context or labeling and no human analyst involvement. The recovered metadata confirms a 32-bit Windows target and a payload compile timestamp of 0x6980F54F, corresponding to 2026-02-02 19:04:47 UTC. The original file size and SHA-256 were not preserved in the supplied materials, so this report focuses on structural, behavioral, and module-level indicators.

The wrapper is built around three non-standard PE sections. .PAK0 contains the loader stub and in-memory PE loader. .PAK1 contains an encrypted DLL container. .PAK2 stores the first-stage XOR key material. After decryption, the payload exposes multiple embedded PE files, including Phosphoric.dll, PEStub.dll, a networking module, a process injector, and PsPInjector.dll, which implements the file infection logic.

This architecture matters because a trojanized Adobe binary is a credible entry point on enterprise endpoints, while the infection logic expands the blast radius beyond the initial host by contaminating executables on local disks, shared folders, and potentially removable media. The result is not a disposable loader but a propagation-capable backdoor that uses trusted software as both disguise and transport.

Filename: 2026-03-15_c90add033e312f2b8e5aa3adec11c9b7_akira_cobalt-strike_glassworm_hijackloader_icedid_njrat_satacom_stealc_vidar

Field	Value
Publisher	Zenyard Threat Research
Analysis Generated by	Zenyard Agent
Date	March 21, 2026
Classification	`TLP:WHITE`
Target Platform	Windows x86
Malware Category	PE infector / Loader / Backdoor

Unpacking and Execution Flow

Execution begins in .PAK0 rather than in the legitimate host program logic. The loader walks the Process Environment Block to identify its own loaded image, then locates the .PAK2, .PAK1, and .text sections by name.

API resolution is performed dynamically using FNV-1a hashing. The analysis identifies constants associated with:

lstrcmpA
malloc
memcpy

These are resolved through hashed export lookups rather than static imports.

The section layout itself provides an early triage signal. .PAK1 presents as a high-entropy data region consistent with encrypted or compressed content, while .PAK2 is a large read-only section whose first bytes are used as key material rather than executable logic. This separation of ciphertext and key material is unusual in legitimate software.

The key unpacking step is straightforward. The loader reads the first eight bytes of .PAK2, obtains the value 0x80DA36201C4B18B8, and applies it as a repeating XOR key across .PAK1. The decrypted output is a PE payload identified as Phosphoric.dll, which is then mapped into memory by a custom routine described as load_pe_image. This avoids both the normal Windows loader path and a conventional static import table.

A simplified abstraction of the wrapper behavior is:

image = find_self_via_peb();
pak1  = find_section(image, ".PAK1");
pak2  = find_section(image, ".PAK2");

key64 = *(uint64_t*)pak2.base;   // 0x80DA36201C4B18B8

buf = malloc(pak1.size);
for (i = 0; i < pak1.size; i++) {
    buf[i] = pak1.base[i] ^ ((uint8_t*)&key64)[i % 8];
}

payload = load_pe_image(buf);
resolve_imports_by_fnv1a(payload);
call_export(payload, "CallPhosphoricMain");

The legitimate Adobe .text section is present in the wrapped file, but the available material does not establish whether execution returns to the host application after staging the malware. If execution resumes, user-visible behavior is minimized. If not, the wrapper becomes more observable and dependent on one-time execution.

The FNV-1a constants become useful when combined into a detection pattern. A practical approach is to search for at least two of the little-endian DWORD values 3B 6E 7D 2C, F6 CB B6 CE, and FB 34 FA 6D in the same PE that also contains .PAK0, .PAK1, or .PAK2.

Infection, Injection, and Persistence Chain

The decrypted payload is a container for multiple embedded PE files with distinct roles. Phosphoric.dll exposes CallPhosphoricMain and acts as the orchestrator. PEStub.dll functions as a reusable PE loader component. Additional modules handle networking, process injection, and file infection.

The infection path is explicit. The malware enumerates logical drives, walks the file system, identifies PE executables, and modifies them using BeginUpdateResourceW, UpdateResourceW, and EndUpdateResourceW. This is the propagation mechanism rather than a secondary feature.

The analysis also shows the use of BCryptGenRandom inside the infector, although the exact randomized element is not resolved. This introduces uncertainty for detection, as per-infection variation may affect wrapper or payload characteristics.

The injector module targets explorer.exe. It enumerates threads, suspends a target thread, modifies thread context, allocates executable memory, and resumes execution. This provides a process-context pivot into a trusted Windows process.

Persistence is implemented through multiple mechanisms. The sample installs a service named WinInitServ, creates a scheduled task with a SYSTEM logon trigger, acquires SeDebugPrivilege, and performs token manipulation through DuplicateTokenEx and CreateProcessWithTokenW. The UAC bypass uses the CMSTPLUA COM class and the ICMLuaUtil interface.

Anti-Analysis Techniques

The sample uses several anti-analysis techniques that are functional rather than decorative. The most important is full runtime API resolution through FNV-1a hashing, which removes readable imports and forces analysis toward memory inspection.

The malware also encrypts staged payloads and avoids storing C2 details in plaintext. This is sufficient to defeat simple string extraction and many automated triage pipelines.

Environment checks are performed using NtQuerySystemInformation and IsDebuggerPresent. The available material confirms the presence of these checks but does not fully resolve how execution changes under detection conditions.

The embedded strings are not technically significant on their own, but they confirm intent. Messages such as "I'm Symbiote~ nice to meet you analyst! >.<" align with the broader design of camouflage within legitimate binaries, propagation through infection, and resistance to superficial analysis.

Conclusion

This sample combines a trusted Adobe host, a custom section-based wrapper, and a modular payload architecture within a single execution chain. The result is a loader that is both covert and capable of propagation through modification of legitimate executables.

The use of .PAK-based staging, runtime decryption, and modular payload separation reduces the effectiveness of static analysis and shifts focus toward wrapper structure, memory inspection, and behavioral signals.

Part 2 examines how this design extends into cryptographic routines, network behavior, and detection strategies.

Annex A: Indicators of Compromise

Indicator Type	Value	Description
Malware family strings	`Symbiote`, `Phosphoric`	Self-identified family and core payload naming recovered from embedded strings
Service name	`WinInitServ`	Service-based persistence used by the implant
Non-standard PE sections	`.PAK0`, `.PAK1`, `.PAK2`	Custom wrapper layout used to stage and decrypt the payload
Embedded DLL names	`Phosphoric.dll`, `PsPInjector.dll`, `PEStub.dll`	Recovered internal module names
Exported functions	`CallPhosphoricMain`, `IF_InfectPE`, `IF_SpreadInfection`, `IF_CopyDlls`, `StubMain`	High-confidence pivots for memory or corpus hunting
COM CLSIDs	`{3E5FC7F9-9A51-4367-9063-A120244FBEC7}`, `{6EDD6D74-C007-4E75-B76A-E5740995E24C}`	Observed COM elevation pair used in the UAC bypass chain
Infection behavior	`BeginUpdateResourceW` → `UpdateResourceW` → `EndUpdateResourceW`	Resource-based executable infection chain
Injection target	`explorer.exe`	Target process for thread-context hijacking
Wrapper XOR key	`B8 18 4B 1C 20 36 DA 80`	First-stage decryption key recovered from .PAK2 for this sample
Compile timestamp	`0x6980F54F` (2026-02-02 19:04:47 UTC)	Payload PE timestamp; analytically useful but not inherently trustworthy
Obfuscation namespace	`Mystic::Obfuscation::StdBloat`	Unresolved internal namespace tied to the networking component

Annex B: YARA Hunting Rules

The first rule targets the wrapper structure rather than the final payload. It is scoped conservatively around the .PAK0 / .PAK1 / .PAK2 section layout plus recovered module or export markers. The analyst-taunt string is allowed to strengthen a match, but not to satisfy the rule by itself.

rule Zenyard_Symbiote_PAK_Wrapper
{
    meta:
        description = "Detects the Symbiote/Phosphoric wrapper structure and embedded module markers"
        author = "Zenyard Agent"
        date = "2026-03-21"
        sample_sha256 = "unavailable_from_supplied_analysis_materials"

    strings:
        $sec1 = ".PAK0" ascii
        $sec2 = ".PAK1" ascii
        $sec3 = ".PAK2" ascii
        $dll1 = "Phosphoric.dll" ascii wide
        $dll2 = "PsPInjector.dll" ascii wide
        $dll3 = "PEStub.dll" ascii wide
        $exp1 = "CallPhosphoricMain" ascii
        $svc1 = "WinInitServ" ascii wide
        $taunt1 = "nice to meet you analyst! >.<" ascii wide

    condition:
        uint16(0) == 0x5A4D and
        3 of ($sec*) and
        (
            2 of ($dll*, $exp1, $svc1) or
            ($taunt1 and 1 of ($dll*, $exp1, $svc1))
        )
}

The second rule is a clustering aid for loader stubs that preserve the same FNV-resolved API operands. It should be used for hunting related wrappers, not as a stand-alone attribution signature.

rule Zenyard_Symbiote_Loader_FNV_Cluster
{
    meta:
        description = "Hunts for Symbiote-like loader stubs using PAK section names and FNV resolver operands"
        author = "Zenyard Agent"
        date = "2026-03-21"

    strings:
        $sec1 = ".PAK0" ascii
        $sec2 = ".PAK1" ascii
        $sec3 = ".PAK2" ascii
        $h1 = { 3B 6E 7D 2C }  // 0x2c7d6e3b
        $h2 = { F6 CB B6 CE }  // 0xceb6cbf6
        $h3 = { FB 34 FA 6D }  // 0x6dfa34fb

    condition:
        uint16(0) == 0x5A4D and
        3 of ($sec*) and
        2 of ($h*)
}

Join Our Newsletter

By subscribing to our newsletter, you consent to the collection and use of your information as described in this Privacy Policy.