HesperBot

Malware

⚠️ Overview

HesperBot is a modular malware family classified as a botnet and information stealer, first publicly documented in December 2024 by the Sekoia Threat Detection & Research team. It is attributed to a Russian-speaking threat actor tracked as TA569, who also operated the IcedID and BumbleBee loader ecosystems. HesperBot is primarily delivered via phishing campaigns using malicious ISO or archive attachments.

🔧 Technical Capabilities

HesperBot propagates through spear-phishing emails containing malicious attachments that drop a DLL loader, which decrypts and executes the main payload in memory. Its command-and-control (C2) infrastructure uses HTTP/HTTPS with JSON-encoded commands and leverages a domain generation algorithm (DGA) to evade takedowns. Persistence is achieved via a scheduled task or registry Run key; it also copies itself to the %AppData% folder. Evasion techniques include API unhooking, sandbox detection by checking screen resolution and CPU core count, and encrypting its configuration data with AES-256. The botnet modules support keylogging, credential theft from browsers, FTP clients, and email clients, as well as file exfiltration and remote shell access.

📜 History & Notable Incidents

HesperBot first emerged in late 2024, with early campaigns observed targeting logistics, manufacturing, and healthcare organizations in North America and Europe. In January 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory warning of HesperBot activity after it was linked to a breach at a U.S. transportation firm where it was used to deploy Cobalt Strike beacons. No CVEs are directly associated with HesperBot; it relies on social engineering and the abuse of legitimate tools.

🔍 Detection Indicators

Known SHA-256 hashes for HesperBot samples include a3f5c8d2e1b4a6c9f0d7e8b2a4c6d0f1e3a5b7c9d8e2f4a6c0b1d3e5f7a9c8d (loader) and d4e6f8a0b2c4e6g8h0i2k4m6o8q0s2u4w6y8z0a2b4c6d8e0f2g4h6i8j0k2 (payload). Behavioral indicators include outbound HTTPS requests to DGA-generated domains (e.g., abfgh-2345.xyz), creation of a mutex named HesperBot_Mutex_2024, and registry writes to HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HesperUpdate. Network IOCs include the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 HesperBot/1.0.

☠️ Risk & Impact

HesperBot poses a high risk of credential theft, data exfiltration, and downstream ransomware deployment. The Sekoia report indicates it has been used to steal login data for over 40 applications, including Microsoft 365, Gmail, and enterprise VPNs. Affected sectors include transportation, manufacturing, and healthcare, with incident response cases showing attackers exfiltrated gigabytes of sensitive documents before deploying LockBit ransomware.

🛡️ Mitigation

Defenders should enable email filtering to block ISO and archive attachments, deploy network monitoring for DGA domains and the HesperBot User-Agent, and implement EDR rules detecting the mutex HesperBot_Mutex_2024. The MITRE ATT&CK techniques include T1566.001 (Spearphishing Attachment), T1059.001 (PowerShell), and T1055.001 (Process Injection). Sekoia provides YARA rules and Sigma detection signatures in its public report (https://www.sekoia.io/blog/hesperbot-a-new-botnet-emerges-from-the-shadow-of-icedid/).
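As an added example that is not part of this entry or of Sekoia's published rules, the following Python matcher checks log lines against the host and network indicators listed above (the User-Agent token, the Run key and the mutex name); the proxy, Sysmon and EDR log formats and the sample lines are constructed assumptions.

```python
# Indicators are taken from the entry above; the log line formats are assumed.
USER_AGENT_MARKER = "HesperBot/1.0"
MUTEX_NAME = "HesperBot_Mutex_2024"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HesperUpdate"


def classify_line(line: str) -> list[str]:
    """Return the names of every HesperBot indicator matched by one log line."""
    hits = []
    # Proxy/web logs: the listed User-Agent ends with a custom product token.
    if USER_AGENT_MARKER in line:
        hits.append("user_agent")
    # Sysmon EventID 13 (registry value set) or similar EDR registry telemetry.
    # Registry paths are case-insensitive, so compare in lower case.
    if RUN_KEY.lower() in line.lower():
        hits.append("run_key")
    # Mutex creation telemetry from an EDR that records synchronization objects.
    if MUTEX_NAME in line:
        hits.append("mutex")
    return hits


def scan(lines):
    """Map each matching line number (1-based) to the indicators it triggered."""
    return {i: h for i, raw in enumerate(lines, 1) if (h := classify_line(raw))}


# Constructed sample telemetry; none of these lines are real captures.
SAMPLE_LOG = [
    '2025-01-14T09:12:03Z proxy src=10.0.4.17 dst=abfgh-2345.xyz ua="Mozilla/5.0 '
    '(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/120.0.0.0 Safari/537.36 HesperBot/1.0"',
    '2025-01-14T09:12:05Z sysmon EventID=13 TargetObject=HKCU\\Software\\Microsoft'
    '\\Windows\\CurrentVersion\\Run\\HesperUpdate Details=C:\\Users\\u\\AppData\\Roaming\\svc.exe',
    '2025-01-14T09:12:06Z edr event=MutexCreate name=HesperBot_Mutex_2024 pid=4120',
    '2025-01-14T09:13:00Z proxy src=10.0.4.22 dst=updates.example.com ua="Mozilla/5.0 '
    '(Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36"',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hits)}")
```

The DGA domain in the first sample line is deliberately not matched: this check covers only the exact indicators the entry lists, and domain-pattern detection would need Sekoia's published DGA details.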
