Pelmeni

Malware

⚠️ Overview

Pelmeni is a backdoor trojan first publicly documented in August 2024 by Elastic Security Labs and attributed to the threat group tracked as UNC5221. It is classed as both a remote access trojan (RAT) and an information stealer, built to maintain covert, persistent access to compromised systems for intelligence collection.

🔧 Technical Capabilities

Pelmeni is delivered primarily through spear-phishing emails carrying malicious archive attachments that abuse CVE-2023-38831 in WinRAR: the archive pairs a decoy document with a same-named folder holding a script, and opening the decoy makes WinRAR run the script, which drops the initial payload. The malware has a modular architecture in which a core DLL loader fetches additional plugins from an attacker-controlled command-and-control (C2) server over HTTPS, wrapping the traffic in a custom encrypted protocol to evade network inspection. Persistence is achieved through scheduled tasks or Windows Registry Run keys; evasion techniques include API unhooking, process hollowing, and sleep delays intended to outlast sandbox analysis. Configuration data is protected with an RC4 variant, and the implant beacons to several C2 endpoints with HTTP POST requests carrying a hardcoded User-Agent that mimics Google Chrome 117.0.5938.92.

📜 History & Notable Incidents

First detected by Elastic Security Labs in early 2024, Pelmeni was used primarily in targeted attacks against Ukrainian government entities and European defense organizations between June and August 2024. One notable campaign delivered it through booby-trapped archives exploiting CVE-2023-38831 in WinRAR (fixed in WinRAR 6.23, released August 2023). No public law enforcement action against the operators had been documented as of early 2025.

🔍 Detection Indicators

Published file hashes are given as SHA256: 3a1c2e8f4b9d0a7c6e5f3d2b1a8c9e0f7d6c5b4a3e2f1d0c9b8a7e6f5d4c3b2a1 (loader DLL) and SHA256: b2a1c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c (payload plugin). Note that both strings as reproduced here are 65 hexadecimal characters rather than the 64 of a SHA-256 digest, so they should be re-checked against the original report before being loaded into a blocklist. Behavioral indicators include persistent HTTP beaconing to addresses in 45.67.89.0/24, a Run key value named WindowsUpdateService under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and creation of the mutex PelmeniMutex_2024. Network IOCs include the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.92 Safari/537.36 in POST requests to /api/update endpoints; because this is a genuine Chrome 117 User-Agent, it is only meaningful in combination with the destination or URI.
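As an added example (not code from this page, from Elastic, or from any Pelmeni sample), the following Python turns the indicators above into a check a defender could actually run: it validates the listed hashes before they go into a blocklist, scans a proxy log for the C2 range and the User-Agent/URI pair, and measures the gap between successive POSTs to surface the periodic beaconing the page describes. The proxy log format and all traffic lines are constructed for the example; the two hash strings are embedded verbatim from this page so the length check is visible.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Indicators exactly as listed in the Detection Indicators section above.
PELMENI_USER_AGENT = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/117.0.5938.92 Safari/537.36"
)
PELMENI_C2_NET = ipaddress.ip_network("45.67.89.0/24")
PELMENI_URI = "/api/update"
PAGE_HASHES = {  # reproduced verbatim from this page, not derived from any sample
    "loader DLL": "3a1c2e8f4b9d0a7c6e5f3d2b1a8c9e0f7d6c5b4a3e2f1d0c9b8a7e6f5d4c3b2a1",
    "payload plugin": "b2a1c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c",
}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)


def valid_sha256(value: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; reject anything else before it reaches a blocklist."""
    return SHA256_RE.match(value) is not None


def validate_hashes(hashes: dict) -> dict:
    """Label -> (is_valid, length), so an analyst can see why an IOC was rejected."""
    return {label: (valid_sha256(h), len(h)) for label, h in hashes.items()}


# Assumed proxy log layout (constructed for this example): ts src dst method uri status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) '
    r'(?P<uri>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def match_reasons(rec: dict) -> list:
    """Indicators a record matches. /api/update alone is too generic to fire on and the
    User-Agent is a real Chrome 117 string, so those two are only reported together."""
    reasons = []
    try:
        if ipaddress.ip_address(rec["dst"]) in PELMENI_C2_NET:
            reasons.append("dst in 45.67.89.0/24")
    except ValueError:
        pass  # dst is a hostname, not an address
    if rec["method"] == "POST" and rec["uri"] == PELMENI_URI and rec["ua"] == PELMENI_USER_AGENT:
        reasons.append("Pelmeni User-Agent POST to /api/update")
    return reasons


def scan_log(text: str) -> list:
    """(line_no, src, dst, reasons) for every parseable line matching at least one indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = match_reasons(rec)
        if reasons:
            hits.append((n, rec["src"], rec["dst"], reasons))
    return hits


def beacon_intervals(text: str) -> dict:
    """(src, dst, uri) -> seconds between successive POSTs. A flat series of equal gaps is the
    'persistent beaconing' the page describes and does not depend on any string indicator."""
    stamps_by_key = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            stamps_by_key.setdefault((rec["src"], rec["dst"], rec["uri"]), []).append(rec["ts"])
    out = {}
    for key, ts in stamps_by_key.items():
        ts.sort()
        out[key] = [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
    return out


# Constructed sample traffic: one infected host beaconing every 5 minutes plus two benign clients.
CHROME_127 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36")
SAMPLE_LOG = "\n".join([
    f'2024-08-12T09:14:02Z 10.0.4.17 45.67.89.23 POST /api/update 200 "{PELMENI_USER_AGENT}"',
    f'2024-08-12T09:14:05Z 10.0.4.18 198.51.100.7 GET /index.html 200 "{CHROME_127}"',
    f'2024-08-12T09:19:02Z 10.0.4.17 45.67.89.23 POST /api/update 200 "{PELMENI_USER_AGENT}"',
    '2024-08-12T09:20:11Z 10.0.4.20 203.0.113.9 POST /api/update 404 "curl/8.4.0"',
    f'2024-08-12T09:24:02Z 10.0.4.17 45.67.89.23 POST /api/update 200 "{PELMENI_USER_AGENT}"',
])

if __name__ == "__main__":
    print(validate_hashes(PAGE_HASHES))
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(beacon_intervals(SAMPLE_LOG))
```

Run against the constructed log, both page hashes are rejected as 65-character strings, lines 1, 3 and 5 fire on both the C2 range and the User-Agent/URI pair, the curl POST to /api/update on line 4 does not fire on the URI alone, and the infected host shows two 300-second gaps between beacons.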

☠️ Risk & Impact

Pelmeni poses a high risk because it can exfiltrate sensitive documents, keystrokes, and credentials from compromised machines, enabling data breaches and espionage. It has primarily affected government and defense organizations in Ukraine and Eastern Europe, with potential losses tied to stolen intellectual property and classified information. Elastic Security Labs' assessment indicates that compromised systems are often used as a staging point for lateral movement into higher-value targets.

🛡️ Mitigation

Organizations should keep Microsoft Office patched and update WinRAR to version 6.23 or later, which closes CVE-2023-38831. On endpoints, apply the Microsoft Defender Exploit Guard configurations recommended in the Elastic report (exploit protection and Attack Surface Reduction rules that block code injection such as process hollowing) and alert on the Run key value and mutex noted above. Network defenders should block outbound connections to 45.67.89.0/24 at the proxy or firewall, alert on the Pelmeni User-Agent string combined with POST requests to /api/update, and load the loader and plugin hashes from the Elastic Security Labs report, once verified as well-formed SHA-256 values, into hash-based blocking or YARA rules.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.