Elastic Security Labs has issued an urgent advisory detailing a sophisticated cyber campaign dubbed BRUSHWORM, which deploys the BRUSHLOGGER malware to infiltrate financial services organizations worldwide.
First detected in late 2025, this threat actor targets high-value sectors such as banking, payment processors, and cryptocurrency exchanges, aiming to exfiltrate sensitive data, including transaction logs, credentials, and API keys.
The campaign begins with spear-phishing emails masquerading as legitimate financial advisories or vendor updates. Attachments, often disguised as Excel macros or PDF invoices, exploit vulnerabilities in Microsoft Office (CVE-2023-29324 and CVE-2024-21412) to drop an initial loader.
This stage-one payload, written in Golang, uses living-off-the-land binaries (LOLBins) such as certutil.exe and rundll32.exe for persistence and evasion.
Telemetry from Elastic’s endpoint detection reveals obfuscated PowerShell scripts that disable Windows Defender via registry modifications: Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1. Once a foothold is established, BRUSHWORM escalates privileges using a custom kernel-mode rootkit.
This driver, signed with a stolen EV certificate from a defunct Chinese CA, hooks into the NT kernel’s SSDT (System Service Dispatch Table) to intercept syscalls like NtReadFile and NtWriteFile.
Researchers at Elastic reverse-engineered the rootkit, uncovering anti-analysis tricks such as direct kernel object manipulation (DKOM) to hide processes from tools like Process Explorer.
The rootkit’s primary function is to inject BRUSHLOGGER, a modular info-stealer, into legitimate processes such as svchost.exe or lsass.exe. BRUSHLOGGER, a Rust-based implant, excels in stealthy data harvesting tailored to financial environments.
It enumerates browser databases (Chrome’s WebData and Login Data SQLite files containing saved credentials), then targets enterprise apps such as SAP GUI and Bloomberg Terminal. Keylogging captures multi-factor authentication (MFA) prompts, while screenshot modules trigger on specific windows (e.g., those matching “VisaNet” or “SWIFT”).
Exfiltration occurs via DNS tunneling, encoding payloads in TXT records for subdomains under actor-controlled domains such as brushworm[.]net. Elastic’s analysis shows C2 communication via WebSockets over port 443, mimicking HTTPS traffic to evade NGAV solutions.
Indicators of compromise (IOCs) include the mutex Global\\BRUSHWORM{8F-2A-4E}, YARA signatures for the loader (rule BRUSHWORM_Loader { strings: $s1 = "brushworm_init" ascii; … }), and hashes like SHA256: a1b2c3d4e5f67890… (full list in Elastic’s report).
Network beacons hit IPs in the 103.151.12.0/24 range, geolocated to Southeast Asia. Attribution points to a Chinese-speaking APT group, possibly linked to Mustang Panda or Earth Krahang, based on linguistic artifacts in phishing lures (“紧急财务审计通知”) and reused tooling from prior campaigns like ZIP19.
Elastic correlates this with attacks on Southeast Asian banks in Q4 2025, during which $12 million in crypto was drained after a compromise. Financial networks face acute risks due to flat architectures and legacy systems.
BRUSHWORM exploits unpatched Remote Desktop Services (BlueKeep, CVE-2019-0708) for lateral movement, chaining to Active Directory credential dumping via Mimikatz-like modules embedded in BRUSHLOGGER. Mitigation demands layered defenses.
Organizations should enforce LAPS (Local Administrator Password Solution), enable ASR rules to block LOLBins, and deploy behavioral analytics to detect anomalous DNS queries. Elastic recommends EDR with kernel-level visibility, such as their own Elastic Security solution, which detected 85% of BRUSHWORM beacons in simulations.
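The DNS-tunneling exfiltration described above (hex- or base64-style payload chunks smuggled in the leftmost label of TXT queries) is exactly the pattern the recommended behavioral analytics look for. The following detector is an added example, not code from Elastic’s report or its product: it runs over a constructed DNS query log and flags (client, domain) pairs that repeatedly issue TXT queries with long, high-entropy leading labels. The log format, the client addresses and the encoded labels are assumptions; only the actor domain comes from the advisory.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (timestamp client qtype qname); not Elastic telemetry.
# The actor domain is the one named in the advisory; every other value is made up.
SAMPLE_DNS_LOG = """\
2025-11-02T09:14:01Z 10.20.4.17 TXT k3q9v2x7m4z8p1w6r0t5yj.x1.brushworm.net
2025-11-02T09:14:02Z 10.20.4.17 TXT a8f3d1c9e0b7h2g6i5j4kl.x1.brushworm.net
2025-11-02T09:14:03Z 10.20.4.17 TXT zq1wsx2edc3rfv4tgb5yhn.x1.brushworm.net
2025-11-02T09:14:05Z 10.20.4.17 TXT mnb7vcx6zlk5jhg4fds3ap.x1.brushworm.net
2025-11-02T09:14:07Z 10.20.4.22 TXT k3q9v2x7m4z8p1w6r0t5yj.cdn.example.net
2025-11-02T09:14:09Z 10.20.4.22 A www.example.com
2025-11-02T09:14:10Z 10.20.4.22 TXT _dmarc.example.com
2025-11-02T09:14:12Z 10.20.4.31 AAAA mail.example.org
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payload chunks score high, words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def base_domain(qname: str) -> str:
    """Crude registrable-domain extraction (last two labels); a real tool would use the PSL."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def detect_dns_tunneling(log_text, min_txt=3, min_label_len=16, min_entropy=3.0):
    """Return sorted (client, base_domain, count) triples for clients that issued at least
    min_txt TXT queries whose leftmost label is both long and high-entropy."""
    suspicious = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qtype, qname = m.groups()
        if qtype != "TXT":
            continue
        first_label = qname.split(".")[0]
        if len(first_label) >= min_label_len and shannon_entropy(first_label) >= min_entropy:
            suspicious[(client, base_domain(qname))] += 1
    return sorted((c, d, n) for (c, d), n in suspicious.items() if n >= min_txt)

if __name__ == "__main__":
    print(detect_dns_tunneling(SAMPLE_DNS_LOG))
```

The single high-entropy TXT query to cdn.example.net stays below min_txt and is not reported, which keeps one-off lookups (DKIM, ACME challenges) out of the alert queue; tune the thresholds against your own resolver logs before deploying.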
Patching Office and turning off VBA macros via GPO remain critical. “This is a wake-up call for financial CISOs,” said Elastic Security Labs lead researcher Vedika Oswal. “BRUSHWORM’s evasion tactics bypass traditional signatures; we need AI-driven anomaly detection now.”
According to Elastic, “As BRUSHWORM evolves, expect variants targeting DeFi platforms. Financial entities: scan for IOCs immediately and simulate attacks via red-team exercises. Full technical breakdown at Elastic Security Labs