Introduction
In Part 1, we examined how this sample operates as a trojanized Adobe executable that stages a modular payload set through a custom .PAK0, .PAK1, and .PAK2 wrapper. Execution begins outside the legitimate host logic, with payload recovery handled through an in-memory loader and runtime API resolution.
That analysis also showed that the payload is modular rather than monolithic. Separate embedded PE files handle orchestration, infection, injection, and networking, while the propagation mechanism modifies trusted executables through resource-update APIs, extending the infection surface beyond the initial host.
The current part focuses on how that architecture is supported by lightweight cryptography, runtime-dependent configuration, and a network design that suppresses static indicators while preserving consistent behavioral signals.
Cryptography and Key Derivation
The wrapper uses an 8-byte repeating XOR key stored directly in .PAK2. This is not strong cryptography. It is operational concealment designed to block casual inspection and force understanding of the wrapper structure before payload recovery.
The value identified in the analysis, B8 18 4B 1C 20 36 DA 80, is sufficient to decrypt the .PAK1 stage for this specimen. Because the key resides within the same file, defenders do not need traffic capture, memory scraping, or external configuration to extract the second stage. Once the wrapper structure is recognized, the payload can be recovered offline.
PsPInjector.dll also uses BCryptGenRandom. This serves a different purpose from the wrapper XOR scheme. The XOR key protects the staged payload, while the random generation inside the infector most likely introduces per-infection variability. The supplied material does not resolve which exact field is randomized, so the observed key should be treated as sample-specific unless reuse is confirmed.
C2 Protocol Design and Network Characteristics
The networking module uses raw TCP sockets and exposes no HTTP or HTTPS layer in the supplied material. The imported operations include:
- socket, connect, send, recv
- bind, WSASend, WSASendTo
These are resolved from WS2_32.dll by ordinal rather than by name, which reduces static visibility and aligns with the broader design of suppressing observable indicators.
No plaintext domains, IP addresses, or preferred ports were recovered. The most likely interpretation is that infrastructure is stored in obfuscated form, assembled at runtime, or delivered by a later stage. The namespace Mystic::Obfuscation::StdBloat appears in the sample but does not correspond to a confirmed external framework and is treated as an internal component label.
This design has two direct implications. Static extraction of infrastructure is intentionally limited, and defenders should avoid over-reliance on recovered domains or IP addresses. The more stable signal is the combination of process context and protocol behavior. Trusted processes such as Adobe or explorer.exe generating outbound raw TCP sessions without normal application-layer framing provide a more reliable detection pivot.
Attribution Considerations
The sample self-identifies as Symbiote, with a core module named Phosphoric. The architecture is consistent with bespoke tooling rather than a disposable loader.
The combination of capabilities includes:
- PE infection and resource-based propagation
- process injection and persistence mechanisms
- privilege manipulation and token handling
- a separate networking module using raw TCP
This reflects deliberate engineering effort rather than commodity deployment.
At the same time, the available evidence is not sufficient for attribution. The current analysis supports family-level naming based on embedded strings and module structure, but it does not support a reliable claim about operator identity, geographic origin, or campaign linkage.
The embedded taunts confirm that reverse engineering was anticipated and incorporated into the design, but they do not materially strengthen attribution.
Detection Opportunities
The supplied static extract does not expose stable packet-level constants or message structures that would support a reliable content signature on the wire. Detection therefore needs to focus on context rather than payload content.
On the network side, defenders should prioritize:
- outbound raw TCP sessions initiated by Adobe Acrobat or Reader processes
- activity from explorer.exe or the WinInitServ service
- connections that do not begin with HTTP methods or TLS negotiation
Where flow analytics are available, repeated raw TCP connections from document-handling processes should be treated as suspicious by default.
On the host, the highest-confidence single pivot is the PE resource modification chain:
- BeginUpdateResourceW
- UpdateResourceW
- EndUpdateResourceW
This directly reflects the propagation mechanism and has limited legitimate use at scale.
Structural hunting is also effective. Executables containing the section triplet .PAK0, .PAK1, and .PAK2, especially when combined with writable or executable non-standard sections, should be treated as high-risk artifacts. This can be paired with hunting for:
- Phosphoric.dll, PsPInjector.dll, PEStub.dll
- CallPhosphoricMain, IF_InfectPE, IF_SpreadInfection, IF_CopyDlls, StubMain
A complementary approach is to search for FNV resolver operands associated with dynamic API resolution, specifically:
- 3B 6E 7D 2C
- F6 CB B6 CE
- FB 34 FA 6D
in combination with the .PAK section structure. This is not a standalone signature, but it provides a practical clustering technique.
Additional behavioral signals include thread-context hijacking into explorer.exe, token manipulation and privilege escalation through DuplicateTokenEx and CreateProcessWithTokenW, and suspicious dllhost.exe executions associated with ICMLuaUtil.
For analysis workflows, minimally instrumented execution with early memory capture is preferable to debugger-first approaches. The sample probes IsDebuggerPresent and NtQuerySystemInformation, and the failure path is not fully resolved. Over-instrumentation may suppress relevant behavior.
On confirmed infection, response should prioritize depth over speed. Memory should be preserved before remediation, accessible shares and removable media should be scanned, and selective cleanup should be treated with caution. The propagation model means that multiple executables may have been modified.
Conclusion
This sample is architecturally significant because it combines a trusted Adobe host, a custom wrapper structure, and a propagation-capable payload within a single execution chain. The malware does not depend on a single dropped file, a single persistence point, or a single network indicator.
The wrapper conceals the payload using a simple XOR scheme, while the infector extends the reach of the implant by modifying additional executables. The networking component delays exposure of infrastructure until runtime, reducing the value of static indicators.
From a defensive perspective, the most reliable signals are those that persist across executions. Wrapper structure, resource modification activity, process injection patterns, and protocol behavior provide stronger detection anchors than static extraction alone.
Annex A: Indicators of Compromise
Annex B: YARA Hunting Rules
The first rule targets the wrapper structure rather than the final payload. It is scoped conservatively around the .PAK0 / .PAK1 / .PAK2 section layout plus recovered module or export markers. The analyst-taunt string is allowed to strengthen a match, but not to satisfy the rule by itself.
The second rule is a clustering aid for loader stubs that preserve the same FNV-resolved API operands. It should be used for hunting related wrappers, not as a stand-alone attribution signature.
.webp)
.webp)