Malware cluster bomb leveraged by novel Unfurling Hemlock threat operation

June 28, 2024



Newly identified threat operation Unfurling Hemlock has deployed more than 50,000 malware cluster bombs as part of attacks delivering a plethora of malicious payloads since at least February 2023, more than half of which were targeted at U.S.-based systems, according to BleepingComputer.

Intrusions by Unfurling Hemlock, which is believed to be of Eastern European origin, commence with malicious emails carrying the ‘WEXTRACT.EXE’ file; when executed, it unpacks malware stored within nested compressed cabinet files across four to seven stages, an analysis from Outpost24’s KrakenLabs cyber threat intelligence team revealed. Payloads distributed by the cluster bomb files include the Amadey and SmokeLoader loaders, the Redline and RisePro information-stealing malware, and Mystic Stealer, as well as the Enigma Packer for malware obfuscation, a performance checker, system information gathering tools, and the protection disabler and Healer.exe utilities for deactivating impacted devices’ security features, including Windows Defender. Combating such a threat requires the use of updated anti-virus scanners for downloaded files, said researchers.
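The multi-stage nesting described above is something a defender can look for directly in downloaded files: a cabinet archive (the Microsoft CAB format, magic bytes `MSCF`) wrapped inside another cabinet, several layers deep. The following Python is an added example, not code from the article or from Outpost24; it parses the fixed part of the CAB file header (`CFHEADER`, whose `cbCabinet` field gives the archive size) to locate every embedded cabinet in a byte blob, works out how deeply they nest by containment, and flags blobs at or beyond a depth threshold. The threshold of four is an assumption taken from the four-to-seven-stage range quoted above, and the sample input is constructed inline rather than taken from a real sample.

```python
import struct
from dataclasses import dataclass

# Fixed part of the CAB CFHEADER structure (36 bytes, little-endian):
# signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CAB_MAGIC = b"MSCF"
CFHEADER_FMT = "<4sIIIIIBBHHHHH"
CFHEADER_SIZE = struct.calcsize(CFHEADER_FMT)  # 36

# Assumed heuristic threshold: the article reports four to seven stages.
SUSPICIOUS_DEPTH = 4


@dataclass
class CabSpan:
    """One cabinet archive located inside a larger blob."""
    offset: int
    size: int
    files: int

    @property
    def end(self) -> int:
        return self.offset + self.size


def find_cab_spans(blob: bytes) -> list:
    """Locate every plausible CAB header in blob and return its byte span.

    A header is accepted only if cbCabinet is at least the header size and
    the declared archive fits inside the blob; stray 'MSCF' strings with a
    nonsensical size are ignored.
    """
    spans = []
    pos = blob.find(CAB_MAGIC)
    while pos != -1:
        if pos + CFHEADER_SIZE <= len(blob):
            fields = struct.unpack_from(CFHEADER_FMT, blob, pos)
            cb_cabinet, c_files = fields[2], fields[9]
            if CFHEADER_SIZE <= cb_cabinet and pos + cb_cabinet <= len(blob):
                spans.append(CabSpan(pos, cb_cabinet, c_files))
        pos = blob.find(CAB_MAGIC, pos + 1)
    return spans


def nesting_depth(spans: list) -> int:
    """Deepest nesting level: 1 + number of spans fully containing a span."""
    depth = 0
    for s in spans:
        containers = sum(
            1 for o in spans
            if o is not s and o.offset <= s.offset and s.end <= o.end
        )
        depth = max(depth, 1 + containers)
    return depth


def assess(blob: bytes) -> dict:
    """Summarise nested-cabinet structure of a downloaded file's bytes."""
    spans = find_cab_spans(blob)
    depth = nesting_depth(spans)
    return {
        "cabinets": len(spans),
        "depth": depth,
        "suspicious": depth >= SUSPICIOUS_DEPTH,
    }


def build_cab(payload: bytes, n_files: int = 1) -> bytes:
    """Constructed test helper: a minimal CAB header wrapped around payload."""
    header = struct.pack(
        CFHEADER_FMT, CAB_MAGIC, 0, CFHEADER_SIZE + len(payload), 0,
        CFHEADER_SIZE, 0, 3, 1, 1, n_files, 0, 0, 0,
    )
    return header + payload


def build_nested(levels: int) -> bytes:
    """Constructed sample: `levels` cabinets nested one inside the next."""
    blob = b"constructed innermost payload"
    for _ in range(levels):
        blob = build_cab(blob)
    return blob


if __name__ == "__main__":
    print("five-stage sample:", assess(build_nested(5)))
    print("single cabinet:  ", assess(build_nested(1)))
    print("stray magic:     ", assess(b"MSCF" + b"\x00" * 60))
```

Run on a real download, the same `assess` function would be given the file's bytes; in practice it belongs beside, not instead of, the updated anti-virus scanning the researchers recommend, since it only measures structure and says nothing about what the innermost payload does.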


