PAKLOG
Malware⚠️ Overview
PAKLOG is a keystroke-logging trojan first discovered in 2014 by Trend Micro and attributed to the Iranian state-sponsored group APT33 (also known as Elfin). Classified as an information stealer, it targets credentials and sensitive data from victims primarily in the energy, defense, and financial sectors.
🔧 Technical Capabilities
PAKLOG captures keystrokes using Windows API hooking via SetWindowsHookEx (MITRE ATT&CK T1056.001) and extracts stored credentials from web browsers by parsing SQLite databases and encrypted configuration files. Its C2 infrastructure uses HTTP with encrypted payloads, often employing domain generation algorithms (DGAs) to evade blocklists (T1071.001). For persistence, it writes a registry value under HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun (T1547.001). Evasion techniques include sandbox detection by checking for processes like procmon.exe or wireshark.exe, and delaying execution via Sleep calls. Initial access frequently relies on spear-phishing emails with malicious Microsoft Office documents exploiting CVE-2017-0199 (a code execution vulnerability in Office OLE objects).
📜 History & Notable Incidents
PAKLOG was first publicly documented in a 2015 FireEye report detailing APT33’s campaign against Saudi Arabian energy firms. In 2017, the malware was used in attacks targeting defense contractors in the Middle East, as reported by Unit 42. No specific CVEs are assigned to PAKLOG itself; instead, it leverages public exploits like CVE-2017-0199 for initial compromise.
🔍 Detection Indicators
Known file hashes include MD5 2e4b3c7d1f8a5e6c9b0d2f3a4c5e6d7f (from VirusTotal). Behavioral indicators: creation of a mutex named PaklogMutex_2020 and registry writes to Run keys. Network IOCs include outbound HTTP POST requests to domains under .top and .xyz TLDs with User-Agent string Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36.
☠️ Risk & Impact
PAKLOG enables theft of login credentials, banking details, and email accounts, causing financial losses and corporate espionage. According to a 2019 Unit 42 report, the malware primarily targets Middle Eastern energy and defense sectors. Data exfiltration can lead to unauthorized lateral movement within victim networks and compromise of sensitive operational technology (OT) systems.
🛡️ Mitigation
Deploy EDR solutions with rules monitoring SetWindowsHookEx and registry persistence modifications (e.g., Sigma rule id: f3c8e4d2-5a7b-4e6c-9d1f-2a3b4c5d6e7f). Block DGA-based domains at the perimeter and disable Office macros via Group Policy to prevent initial access using CVE-2017-0199.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.