2 July 2024

Unfurling Hemlock threat actor deploys up to 10 malware files simultaneously

A financially motivated Eastern European threat actor dubbed “Unfurling Hemlock” has been deploying up to 10 unique malware files simultaneously on systems belonging to individuals in the US, Germany, Russia, and multiple other countries.

According to researchers at Outpost24, the attackers have been using compressed Microsoft Cabinet (CAB) files nested within other CAB files, sometimes as many as seven levels deep, to distribute a variety of information stealers and malware loaders on victim systems.

The campaign, which began in February 2023, has led to the distribution of hundreds of thousands of malware files, impacting approximately 50,000 users worldwide.

The malware deployed by Unfurling Hemlock includes notorious information stealers such as Mystic Stealer, RisePro, and RedLine, along with loaders such as SmokeLoader and Amadey.

The attackers' strategy involves using these nested CAB files to maximize the spread and impact of their malicious payloads, creating a malware “cluster bomb.”

Outpost24 uncovered the campaign while investigating reports from other researchers who noted similar attacks last year involving the deployment of numerous malware samples on compromised systems.

The distribution technique centres on a sample known as “WEXTRACT.EXE.MUI,” a 32-bit PE file that drops two files upon execution: one is a malware sample or a utility that aids the infection, the other is a file of the same kind as its parent, which continues the cycle. In some observed cases this nesting repeats up to seven times.

The actor does not appear to have a specific target, instead aiming to spread as much malware as possible to a broad range of victims. The stages are built on a legitimate Windows component, the wextract.exe self-extracting cabinet stub, which unpacks its embedded CAB and can run a command once extraction finishes, so the dropped contents execute automatically without any custom unpacking code.

Execution proceeds by extracting each nested cabinet in turn until the innermost stage, which contains no further cabinet. The resulting “tree” of dropped files is then executed in reverse order: the most recently dropped payload runs first, and execution works back to the initial sample.
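As an added illustration (not Outpost24's tooling and not code from the campaign), the following Python models the unpack-then-execute behaviour described above: it carves an MSCF cabinet out of a stand-in self-extractor blob, parses the uncompressed cabinet layout, recurses into members that are themselves self-extractors, and returns the payload paths innermost-first. The cabinets, the `stealer_N.bin` names and the `MZ`-prefixed stub are constructed fixtures; real stages are compressed (MSZIP/LZX) and would need a full CAB decompressor such as cabextract or 7-Zip before this walk could be applied.

```python
"""Walk a nest of Microsoft Cabinet (CAB) files and list payloads in the
order a WEXTRACT-style chain would run them (innermost first).

Added example; only the uncompressed CAB layout (typeCompress == 0) is
parsed, which is enough to follow the nesting.  All sample data below is
constructed, not taken from any real sample.
"""
import struct

MSCF = b"MSCF"
CFHEADER = "<4sIIIIIBBHHHHH"   # 36 bytes: sig, res, cbCabinet, res, coffFiles, res, ...
CFFOLDER = "<IHH"              # coffCabStart, cCFData, typeCompress
CFFILE = "<IIHHHH"             # cbFile, uoffFolderStart, iFolder, date, time, attribs (+ name)
CFDATA = "<IHH"                # csum, cbData, cbUncomp (+ ab[cbData])


def build_cab(files):
    """Test fixture: single-folder, uncompressed cabinet from {name: bytes}."""
    data = b"".join(files.values())
    assert len(data) <= 0x8000, "fixture uses a single CFDATA block"
    cffiles, off = b"", 0
    for name, content in files.items():
        cffiles += struct.pack(CFFILE, len(content), off, 0, 0, 0, 0x20) + name.encode() + b"\0"
        off += len(content)
    coff_files = 36 + 8
    coff_data = coff_files + len(cffiles)
    cfdata = struct.pack(CFDATA, 0, len(data), len(data)) + data   # csum 0 = not checked
    total = coff_data + len(cfdata)
    header = struct.pack(CFHEADER, MSCF, 0, total, 0, coff_files, 0, 3, 1, 1, len(files), 0, 0, 0)
    return header + struct.pack(CFFOLDER, coff_data, 1, 0) + cffiles + cfdata


def carve_cab(blob):
    """Return the first embedded cabinet in blob, or None.

    A wextract.exe-style self-extractor carries its cabinet as a resource;
    scanning for the MSCF magic and trusting cbCabinet finds it without
    parsing the PE (assumption: the cabinet is stored as-is)."""
    i = blob.find(MSCF)
    while i != -1:
        if i + 36 <= len(blob):
            cb = struct.unpack_from("<I", blob, i + 8)[0]
            if 36 < cb <= len(blob) - i:
                return blob[i:i + cb]
        i = blob.find(MSCF, i + 1)
    return None


def parse_cab(blob):
    """Return {name: bytes} for an uncompressed cabinet."""
    sig, _, _, _, coff_files, _, _, _, n_folders, n_files, flags, _, _ = struct.unpack_from(CFHEADER, blob, 0)
    if sig != MSCF:
        raise ValueError("not a cabinet")
    if flags & 0x4:
        raise ValueError("cabinets with reserve fields are not handled here")
    folders, pos = [], 36
    for _ in range(n_folders):
        coff_data, n_blocks, ctype = struct.unpack_from(CFFOLDER, blob, pos)
        if ctype & 0xF:
            raise ValueError("compressed folder; only typeCompress=0 is handled")
        chunks, p = [], coff_data
        for _ in range(n_blocks):
            _csum, cb_data, _cb_uncomp = struct.unpack_from(CFDATA, blob, p)
            chunks.append(blob[p + 8:p + 8 + cb_data])
            p += 8 + cb_data
        folders.append(b"".join(chunks))
        pos += 8
    out, pos = {}, coff_files
    for _ in range(n_files):
        cb_file, uoff, ifolder, _, _, _ = struct.unpack_from(CFFILE, blob, pos)
        end = blob.index(b"\0", pos + 16)
        out[blob[pos + 16:end].decode("latin-1")] = folders[ifolder][uoff:uoff + cb_file]
        pos = end + 1
    return out


def unfurl(blob, depth=0, path="root"):
    """Extract every stage; return (depth, path, payload) in drop order.
    Members that are themselves self-extractors are descended into, not listed."""
    cab = carve_cab(blob)
    if cab is None:
        raise ValueError("blob carries no cabinet")
    nodes = []
    for name, content in parse_cab(cab).items():      # CFFILE order = drop order
        here = f"{path}/{name}"
        if carve_cab(content) is not None:
            nodes.extend(unfurl(content, depth + 1, here))
        else:
            nodes.append((depth, here, content))
    return nodes


def execution_order(blob):
    """Payload paths in run order: the last-dropped file first, back to the root."""
    return [path for _, path, _ in reversed(unfurl(blob))]


STUB = b"MZ" + bytes(62)   # constructed stand-in for the wextract.exe PE stub


def build_sample_chain(levels=3):
    """Constructed fixture: stage k drops stealer_k.bin plus the next stage."""
    stage = STUB + build_cab({f"stealer_{levels - 1}.bin": b"PAYLOAD-%d" % (levels - 1)})
    for k in range(levels - 2, -1, -1):
        stage = STUB + build_cab({f"stealer_{k}.bin": b"PAYLOAD-%d" % k,
                                  "WEXTRACT.EXE.MUI": stage})
    return stage


if __name__ == "__main__":
    for p in execution_order(build_sample_chain(7)):
        print(p)
```

Run stand-alone, the script prints the seven constructed stealer payloads from the deepest stage outwards, mirroring the reverse-order execution the researchers describe.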

The analysis suggests that Unfurling Hemlock is operating not just independently but also in collaboration with other threat groups. Some of the malware and loaders are being distributed on behalf of these groups, while Unfurling Hemlock simultaneously leverages other operators to help spread their own malware cluster bombs.

Judging by malware samples uploaded to VirusTotal, over half of the infected systems (50.8%) are in the United States, followed by Germany (7.8%), Russia (6.3%), and Turkey (6.3%).
