Mallory
Malware · Ransomware · Used by 2 actors

ConfuserEx

ConfuserEx is an open-source .NET obfuscator/protector, not a malware family in its own right, but it is repeatedly observed protecting malicious .NET payloads and loaders. Across the reporting behind this page it is used to flatten control flow, apply anti-tamper protection, rename symbols, hide method references behind proxy calls, and encode constants in .NET assemblies, all of which hinder decompilation in tools such as dnSpy. It appears in multiple intrusion chains and malware families: the PureCrypter/PureLogs loaders of the SERPENTINE#CLOUD campaign, DarkCloud Stealer delivery chains, SectopRAT, HawkEye Reborn, HiddenCrypt/Hidden Tear-derived ransomware, and the first-stage .NET implants used in campaigns against Ukraine and Poland that reporting links, with some overlap, to UAC-0057/UNC1151.

Behaviors reported for ConfuserEx-protected malware in the source material include 3DES-CBC decryption of embedded resources, GZip decompression of the decrypted data, in-memory execution through Assembly.Load(byte[]) and reflection, process hollowing (RunPE) into RegAsm.exe, host profiling, credential and cryptocurrency-wallet theft, plugin staging from C2, ransomware payload execution, and local privilege escalation with a ConfuserEx-obfuscated BADPOTATO exploit, which APT41 used for named-pipe impersonation to obtain NT AUTHORITY\SYSTEM.

Targeting described in the content covers Ukraine and Poland government- or public-sector-themed lures, financial-themed phishing, and broader commodity malware delivery.

Because ConfuserEx is itself a legitimate tool, its presence is a triage signal rather than a verdict; the high-confidence indicators are the protected samples. SHA-256 hashes mentioned directly alongside ConfuserEx-protected samples:
dcd22d338a0bc4cf615d126b84dfcda149a34cf18bc43b85f16142dfb019e608
0ab09a4787ea9cb259cadd3f811a56f7bd0058287634bbaf0388b2cd40464505
b1c6659ee4ee35540f5ed043b611ac88a7fce9dc2f564168e7d47c43683163f6
cdf87d68885caa3e94713ded9dd5e51c39b7bc7ef9bf7d63a4ff5ab917a96b36
046d0e83c1e6dcaf526127b81b962042e495f5ae3a748f3a9452be62f905acf8
ba978eee90be06b1ce303bbee33c680c2779fbbc5b90c83f0674d6989564a70a
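The decrypt, gunzip, Assembly.Load chain and the obfuscation features described above suggest a first-pass static triage. What follows is an added example written for this page, not tooling from any of the cited reports: a standard-library Python script that checks a candidate file for the CLR metadata signature, for ConfuserEx's default watermark strings (the ConfusedByAttribute its watermark protection injects, which operators often leave in), for high-entropy regions that may hold an encrypted resource, and for embedded gzip members that decompress to another .NET PE, hashing each so the result can be pivoted against SHA-256 indicators. The sample bytes are constructed inline and are not a real sample; the window size and entropy threshold are assumptions to tune per case, and the 3DES step is not emulated, since its key and IV must be recovered from the loader first.

```python
"""Static first-pass triage for a suspected ConfuserEx-protected .NET loader.

Added example, standard library only; not code from the reports behind this
page. Checks: is it a .NET PE, were ConfuserEx watermark strings left in, are
there high-entropy blobs (encrypted resources), and do any gzip members
decompress to another .NET PE (the decrypt -> gunzip -> Assembly.Load chain).
"""
import gzip
import hashlib
import math
import re
import zlib

# ConfuserEx's watermark protection injects a ConfusedByAttribute whose
# constructor argument names the version; many operators leave it in place.
# Searched in both ASCII (#Strings heap) and UTF-16LE (#US heap) forms.
MARKERS = ("ConfusedByAttribute", "ConfuserEx v")
WINDOW = 1024            # entropy window size (assumption; tune per sample)
ENTROPY_THRESHOLD = 7.2  # bits/byte; compressed or encrypted data sits near 8


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_dotnet_pe(data: bytes) -> bool:
    """MZ header plus the 'BSJB' CLR metadata signature, a cheap proxy for
    walking the PE headers to the CLR header."""
    return data[:2] == b"MZ" and b"BSJB" in data


def find_markers(data: bytes) -> dict:
    """Offsets of ConfuserEx watermark strings, keyed by marker."""
    hits = {}
    for marker in MARKERS:
        for enc, needle in (("ascii", marker.encode()),
                            ("utf16", marker.encode("utf-16-le"))):
            for m in re.finditer(re.escape(needle), data):
                hits.setdefault(marker, []).append((enc, m.start()))
    return hits


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_windows(data: bytes) -> list:
    """(offset, entropy) for fixed windows that look encrypted or compressed:
    candidate locations of the embedded payload resource."""
    out = []
    for off in range(0, len(data) - WINDOW + 1, WINDOW):
        h = shannon_entropy(data[off:off + WINDOW])
        if h > ENTROPY_THRESHOLD:
            out.append((off, round(h, 2)))
    return out


def carve_gzip_members(data: bytes) -> list:
    """Decompress every complete gzip member in the file. A raw decompressobj
    is used instead of gzip.decompress so that trailing non-gzip bytes after
    a member do not raise."""
    found = []
    for m in re.finditer(b"\x1f\x8b\x08", data):
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
        try:
            inner = d.decompress(data[m.start():])
        except zlib.error:
            continue
        if d.eof:  # only complete members count; false positives fail here
            found.append({"offset": m.start(), "size": len(inner),
                          "sha256": sha256_hex(inner),
                          "is_dotnet_pe": is_dotnet_pe(inner)})
    return found


def triage(data: bytes) -> dict:
    return {"is_dotnet_pe": is_dotnet_pe(data),
            "markers": find_markers(data),
            "high_entropy_windows": high_entropy_windows(data),
            "gzip_members": carve_gzip_members(data)}


def build_sample() -> tuple:
    """Constructed stand-in for a protected loader (not a real sample): a
    minimal MZ/BSJB shell, the watermark strings, a deterministic pseudo-random
    blob standing in for an encrypted resource, and a gzip-wrapped inner PE."""
    inner = b"MZ" + b"\x90" * 62 + b"BSJB" + b"inner stage (constructed)".ljust(200, b"\x00")
    blob, seed = b"", b"constructed"
    while len(blob) < 4096:  # sha256 chain: high entropy, reproducible
        seed = hashlib.sha256(seed).digest()
        blob += seed
    outer = (b"MZ" + b"\x00" * 126 + b"BSJB"
             + b"ConfusedByAttribute\x00"
             + "ConfuserEx v1.0.0".encode("utf-16-le") + b"\x00" * 64
             + blob + gzip.compress(inner, mtime=0) + b"\x00" * 16)
    return outer, inner


if __name__ == "__main__":
    sample, _ = build_sample()
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

Absence of the watermark proves nothing: the attribute is trivially removable and modified builds omit it, whereas renamed symbols, a module static constructor that decrypts constants at startup, and proxy-call stubs survive. Treat marker hits and high-entropy windows as pointers to where decryption begins, not as attribution; the hash of a carved inner stage is what you pivot on.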


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.

FrostyNeighbor

The dropped DLL, which we will later refer to as the first stage implant, is written in C# and obfuscated using ConfuserEx.

via harfanglab insidethelabharfanglab.io
UNC1151

The dropped DLL, which we will later refer to as the first stage implant, is written in C# and obfuscated using ConfuserEx.

via harfanglab insidethelabharfanglab.io
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

T1588.002 Obtain Capabilities: Tool (evidence: 2)

The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.

Stealth (ATT&CK tactic: Defense Evasion)

3 techniques
T1027 Obfuscated Files or Information (evidence: 6)
Tactic: Stealth

The downloaded file is obfuscated through GZIP compression and header manipulation... This executable is MoonPeak malware, heavily obfuscated using ConfuserEx ... encrypts strings and code to defeat static analysis.

T1027.002 Software Packing (evidence: 3)
Tactic: Stealth

MITRE ATT&CK Mapping: Tactic: Defense Evasion; Technique: Software Packing; ID: T1027.002; Notes: ConfuserEx + SmartAssembly dual packing

T1027.005 Indicator Removal from Tools (evidence: 1)
Tactic: Stealth

String Protection : C2 host, port, mutex, installation path, and other configuration strings are encrypted ... The C2 host/port cannot be extracted statically
