SplatCloak
⚠️ Overview
SplatCloak is a modular information-stealing malware family first documented in April 2025 by Proofpoint researchers, who attribute it to the Russian-speaking threat group TA583. It is categorized as a stealer and downloader and has also been observed deploying secondary payloads such as ransomware.
🔧 Technical Capabilities
SplatCloak propagates through spear-phishing emails carrying malicious Excel attachments that, according to the source, exploit CVE-2024-26604 in Microsoft Excel to run a macro-based dropper. Its command-and-control traffic is HTTP/HTTPS to dynamic DNS domains, with the message bodies encrypted using AES-256. Persistence is established by dropping a copy into the user's Startup folder, creating a scheduled task that launches it, and adding a Run value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include API unhooking to defeat user-mode hooks placed by security products, process hollowing (MITRE ATT&CK T1055.012) to run inside a legitimate process image such as svchost.exe, and storing the core payload in encrypted resource sections so that it is only decrypted in memory. It also performs sandbox and virtual-machine checks, for example looking for VMware or VirtualBox drivers, before running its main routine.
📜 History & Notable Incidents
First seen in late 2024, SplatCloak was initially observed targeting defense contractors in Eastern Europe, but by early 2025 it expanded to financial firms in North America. A major campaign in March 2025 compromised a regional bank in Texas, leading to the exfiltration of over 1.2 million customer records before being detected by CrowdStrike Falcon sensor alerts. No law enforcement actions have been publicly reported as of June 2025, but the group behind it, TA583, is under active investigation by the FBI and Europol.
🔍 Detection Indicators
Known file hashes given by the source are SHA256 4f5e8c2a1b0d3f7e9a6b8c0d2e4f6a8b0c2d4e6f8a0b2c4d6e8f0a2c4d6e8 (dropper) and MD5 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d (payload). Note that the SHA256 value as printed is 61 hexadecimal characters rather than 64, so it is not a valid SHA-256 digest and would match nothing if loaded into a blocklist; obtain the correct value from the original publisher before deploying it. Behavioral indicators include creation of a mutex named "SplatMutex_2025" and the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) SplatCloak/1.0" in C2 communications. Network IOCs include DNS queries to *.splatcloak-c2[.]top and HTTPS requests to https://update[.]splatcloak[.]net/checkin. The persistence value is named "SplatUpdater" under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
☠️ Risk & Impact
Primary damage includes theft of stored credentials, browser cookies, and cryptocurrency wallets, with data exfiltration to remote servers. In the March 2025 bank incident, the attackers demanded a $4.5 million ransom after encrypting backups, though the bank refused and restored from offline backups at a cost of $800,000. Affected sectors are heavily concentrated in finance, defense, and technology, with over 200 organizations compromised globally as of mid‑2025.
🛡️ Mitigation
Recommended defenses include blocking macros in Office documents that carry the Mark of the Web (the default behaviour in current Office builds), applying Microsoft's patch for CVE-2024-26604, deploying YARA rules that match the mutex and User-Agent strings listed above, and enabling the CrowdStrike Falcon OverWatch endpoint detection rules cited by the source (rule IDs FL-2025-0456 and FL-2025-0457).
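The indicators under Detection Indicators and the string-matching rules recommended above can be exercised against exported telemetry before they are committed to a detection platform. The script below is an added example written for this page, not tooling from Proofpoint, CrowdStrike or Boteraser. The indicator values are the ones the page publishes (refanged); the log line formats, IP addresses, SID, file paths, timestamps and every sample line are constructed for illustration. It also sanity-checks the published hashes by length, which is how the malformed SHA256 value would be caught before it silently matched nothing in a blocklist.

```python
"""Hunt exported telemetry for the SplatCloak indicators listed on this page.

Added example for this page; not tooling from Proofpoint, CrowdStrike or
Boteraser.  Indicator values are the ones the page publishes (refanged);
the log line formats, addresses, SID, file paths and timestamps below are
constructed for illustration and are not real telemetry.
"""
import re

# Indicators as published on the page.
IOC_MUTEX = "SplatMutex_2025"
IOC_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) SplatCloak/1.0"
IOC_DNS_SUFFIX = "splatcloak-c2.top"                       # page: *.splatcloak-c2[.]top
IOC_CHECKIN_URL = "https://update.splatcloak.net/checkin"  # page: update[.]splatcloak[.]net
# Hive prefix deliberately omitted: the page writes HKCU, but Sysmon and most
# EDRs record the same key under HKU\<SID>\..., so match on the key path only.
IOC_RUN_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run\SplatUpdater"

# Hashes exactly as printed on the page.
PAGE_SHA256 = "4f5e8c2a1b0d3f7e9a6b8c0d2e4f6a8b0c2d4e6f8a0b2c4d6e8f0a2c4d6e8"
PAGE_MD5 = "9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d"

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_algorithm(digest):
    """Return the algorithm a hex digest's length implies, or None when the
    string is not a well-formed digest (wrong length or non-hex characters)."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest):
        return None
    return HASH_LENGTHS.get(len(digest))


def usable_hashes():
    """The page's hashes that are well-formed enough to deploy."""
    return [h for h in (PAGE_SHA256, PAGE_MD5) if hash_algorithm(h)]


def dns_name_matches(qname, suffix):
    """True for the suffix itself or any subdomain of it.  A bare endswith()
    would also accept look-alikes such as notsplatcloak-c2.top."""
    qname = qname.lower().rstrip(".")
    return qname == suffix or qname.endswith("." + suffix)


def match_line(line):
    """Return the names of every page indicator present in one log line."""
    hits = []
    if IOC_USER_AGENT in line:
        hits.append("user_agent")
    if IOC_CHECKIN_URL in line:
        hits.append("checkin_url")
    m = re.search(r"\bqname=(\S+)", line)
    if m and dns_name_matches(m.group(1), IOC_DNS_SUFFIX):
        hits.append("c2_dns")
    if IOC_RUN_PATH in line:
        hits.append("run_key")
    # Mutexes appear in handle listings (e.g. from a memory image), not in Sysmon.
    if re.search(r"\bMutant\b.*\b" + re.escape(IOC_MUTEX) + r"\b", line):
        hits.append("mutex")
    return hits


def hunt(lines):
    """Map 1-based line numbers to the indicators found on that line."""
    findings = {}
    for number, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            findings[number] = hits
    return findings


# Constructed sample telemetry: proxy, DNS, Sysmon-style registry event and a
# handle listing.  Line 3 is a look-alike domain and line 6 a benign request.
SAMPLE_LOGS = [
    '2025-06-01T09:12:03Z proxy src=10.0.4.21 method=GET '
    'url=https://update.splatcloak.net/checkin '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) SplatCloak/1.0" status=200',
    "2025-06-01T09:12:01Z dns src=10.0.4.21 qname=beacon.splatcloak-c2.top type=A",
    "2025-06-01T09:11:58Z dns src=10.0.4.22 qname=notsplatcloak-c2.top type=A",
    r"2025-06-01T09:11:40Z sysmon EventID=13 Image=C:\Users\jdoe\AppData\Roaming\svc.exe "
    r"TargetObject=HKU\S-1-5-21-1004336348-1177238915-682003330-1001"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\SplatUpdater "
    r"Details=C:\Users\jdoe\AppData\Roaming\svc.exe",
    r"0x9c4  Mutant  \BaseNamedObjects\SplatMutex_2025",
    '2025-06-01T09:10:00Z proxy src=10.0.4.23 method=GET url=https://www.example.com/ '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" status=200',
]

if __name__ == "__main__":
    for number, hits in hunt(SAMPLE_LOGS).items():
        print(f"line {number}: {', '.join(hits)}")
    print("deployable hashes:", usable_hashes())
```

Two design points matter when turning these strings into production rules. The DNS match must be anchored on the label boundary (`"." + suffix`), otherwise a registered look-alike such as notsplatcloak-c2[.]top produces a false positive. The registry match omits the hive prefix because the page's HKCU path is how the key is written from the user's perspective, while Sysmon and most EDR telemetry record the same key under the user's SID in HKU; a rule keyed on the literal HKCU string would miss it.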
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.