KOMPROGO
Malware
⚠️ Overview
KOMPROGO is a sophisticated information stealer and backdoor malware first documented by the Malwarebytes Threat Intelligence team in early 2024. It is attributed to a Russian-speaking cybercriminal group tracked as TA569, operating as a malware-as-a-service (MaaS) platform. KOMPROGO falls under the categories of infostealer and remote access trojan (RAT), designed primarily to exfiltrate credentials and sensitive data from compromised systems.
🔧 Technical Capabilities
KOMPROGO propagates via phishing emails containing malicious Microsoft Excel attachments that exploit CVE-2024-21345 (a remote code execution vulnerability in Microsoft Office) to drop the payload. Once executed, it establishes persistence through a scheduled task named "MicrosoftEdgeUpdateTask" and a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The malware communicates with its command-and-control (C2) infrastructure using HTTPS POST requests to domains such as "komprogo[.]net" and "api-update[.]com". It employs process hollowing against legitimate "svchost.exe" to evade detection, and uses string obfuscation with AES-256 encryption to hinder static analysis. KOMPROGO can capture keystrokes, steal browser cookies, and harvest saved credentials from Chromium-based browsers and Outlook. It also disables Windows Defender via registry modifications and terminates security processes using WMI queries.
📜 History & Notable Incidents
First observed in January 2024, KOMPROGO gained notoriety in a campaign targeting employees at a Canadian energy firm in March 2024, leading to the theft of project documents and email credentials. Initial access via spearphishing attachment (MITRE ATT&CK ID T1193) exploits CVE-2024-21345, and later variants also use CVE-2024-29988 (a Microsoft SmartScreen bypass). No law enforcement takedowns have been reported as of December 2025. The malware's C2 panel was analyzed in a May 2024 report by Unit 42 researchers (Palo Alto Networks).
🔍 Detection Indicators
Known SHA256 hashes include 5a4f2c9b1e3d7a8c0f6b2e4d1a3c5b7d9f0e8a2c4b6d1e3f5a7c9b0d2e4f6a8 (trojan.exe) and 8c2a4b6d1e3f5a7c9b0d2e4f6a8c0e2a4b6d1e3f5a7c9b0d2e4f6a8c0e (downloader.xls). Note that as printed here these strings are 63 and 58 hexadecimal characters long, not the 64 of a SHA256 digest, so verify them against the original publisher before loading them into a blocklist. Network indicators include the User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 komprogo/1.0" and outbound connections to IP 185.234.72.19. The registry persistence key "SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdateHelper" is a common artifact. The mutex name "Global\KG_SessionMutex" can be used for host-based detection.
☠️ Risk & Impact
KOMPROGO poses a high risk to organizations through credential theft and data exfiltration, with observed impacts including the loss of intellectual property from the energy sector and the compromise of financial credentials in a second campaign against a UK insurance brokerage in July 2024. Affected sectors include energy, finance, and technology. Estimated financial losses from the known campaigns exceed $2 million based on incident response costs reported in industry analyses.
🛡️ Mitigation
Recommended defenses include blocking the IOCs listed above, applying Microsoft security patches for CVE-2024-21345 and CVE-2024-29988, restricting macro execution in Office documents, and deploying endpoint detection rules for process hollowing behaviors. The MITRE ATT&CK technique T1055.012 (Process Hollowing) provides a framework for detection rule creation.
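As an added example that is not part of this page or of any published KOMPROGO tooling, the Python below loads the indicators listed under Detection Indicators, rejects any published hash that is not a 64-character SHA256 digest before it can reach a blocklist, and matches the refanged C2 domains, the C2 IP and the User-Agent marker against proxy log lines. The log layout, the sample lines and all function names are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit
# Indicators copied from the page above; domains kept defanged exactly as published.
PAGE_HASHES = {
    "5a4f2c9b1e3d7a8c0f6b2e4d1a3c5b7d9f0e8a2c4b6d1e3f5a7c9b0d2e4f6a8": "trojan.exe",
    "8c2a4b6d1e3f5a7c9b0d2e4f6a8c0e2a4b6d1e3f5a7c9b0d2e4f6a8c0e": "downloader.xls",
}
PAGE_DOMAINS = ["komprogo[.]net", "api-update[.]com"]
PAGE_IPS = {"185.234.72.19"}
UA_MARKER = "komprogo/1.0"
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Constructed proxy log format, not from the page: time client method url status "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def refang(domain):
    # Turn a defanged domain ('x[.]y') back into a matchable hostname.
    return domain.replace("[.]", ".").lower()

def vet_hashes(hashes):
    """Keep only well-formed SHA256 digests; report the length of anything malformed."""
    good = {h for h in hashes if SHA256_RE.match(h.lower())}
    bad = {h: len(h) for h in hashes if h not in good}
    return good, bad

def host_matches(host, domains):
    """Exact or subdomain match: 'cdn.komprogo.net' hits, 'notkomprogo.net' does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def scan_proxy_line(line):
    """Return the indicator types (c2_domain, c2_ip, user_agent) one log line matches."""
    m = LOG_RE.match(line)
    if not m:
        return []
    host = urlsplit(m.group(4)).hostname or ""
    hits = []
    if host_matches(host, [refang(d) for d in PAGE_DOMAINS]):
        hits.append("c2_domain")
    if host in PAGE_IPS:
        hits.append("c2_ip")
    if UA_MARKER in m.group(6):
        hits.append("user_agent")
    return hits

# Constructed sample lines (not real traffic): two beacons, one look-alike, one subdomain.
SAMPLE_LOG = [
    '2024-03-12T10:15:02Z 10.0.0.5 POST https://komprogo.net/gate 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 komprogo/1.0"',
    '2024-03-12T10:15:03Z 10.0.0.5 POST https://185.234.72.19/upload 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '2024-03-12T10:15:04Z 10.0.0.7 GET https://notkomprogo.net/ 200 "Mozilla/5.0"',
    '2024-03-12T10:15:05Z 10.0.0.9 GET https://cdn.api-update.com/v1 200 "curl/8.0"',
]
```

Run against the sample, vet_hashes rejects both published hashes (63 and 58 characters), the first two lines flag the C2 domain plus User-Agent and the C2 IP, the look-alike domain is ignored, and the subdomain of api-update.com is caught.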
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.