
The Blister malware campaign is a sophisticated and ongoing cyber threat that employs advanced techniques to evade detection and compromise Windows systems. This analysis aims to provide a detailed examination of its operation and offer insights into how organizations can better defend against it.

Malware overview:

  • Blister is a multi-stage malware campaign known for leveraging valid code-signing certificates issued by Sectigo to "Blist LLC," linked to an email address.
  • It disguises malicious components as legitimate executable files, thereby achieving a remarkably low detection rate.
  • The malware consists of a loader that deploys a Remote Access Trojan (RAT) as its second-stage payload.
  • Blister employs techniques such as directory creation, working directory manipulation, and embedded payload execution to avoid detection.

Upgrade and new threat vector:

  • Blister's most recent version incorporates code-signing certificates validated in August 2021, suggesting continuous development.
  • Threat actors use code-signing certificates to bypass basic static security checks and compromise target systems.
  • The second stage executes the encoded RAT or Cobalt Strike beacon from a benign-looking .dll file that leaves minimal traces, which contributes to its low detection rate on platforms like VirusTotal.

SIEM rules refinement:

  • To enhance SIEM (Security Information and Event Management) rules for detecting Blister-related activity, organizations should focus on monitoring processes such as Rundll32.exe loading suspicious .dll files.
  • SIEM rules should flag directory creation and manipulation within user Temp folders.
  • Anomalous certificate validation dates, particularly those linked to Sectigo and Blist LLC, should trigger alerts.
  • Establishing baselines for normal system behaviour can aid in identifying deviations that may indicate Blister-related activities.
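As an added illustration of the three SIEM conditions above (example code, not part of the original post), the following Python evaluates constructed Sysmon-style process-creation events; the field names Signer, Issuer and CertValidFrom are assumed stand-ins for whatever Authenticode fields your EDR or Sysmon configuration exports.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry). The
# certificate fields Signer/Issuer/CertValidFrom are assumed names.
SAMPLE_EVENTS: list[dict[str, str]] = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\dfsvc\update.dll,Start",
     "CurrentDirectory": r"C:\Users\alice\AppData\Local\Temp\dfsvc",
     "Signer": "Blist LLC", "Issuer": "Sectigo", "CertValidFrom": "2021-08-23"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "CurrentDirectory": r"C:\Windows\System32",
     "Signer": "Microsoft Windows", "Issuer": "Microsoft", "CertValidFrom": "2021-03-01"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "CommandLine": r'"C:\Program Files\Vendor\app.exe"',
     "CurrentDirectory": r"C:\Program Files\Vendor",
     "Signer": "Vendor Inc", "Issuer": "Sectigo", "CertValidFrom": "2020-03-11"},
]

# Per-user Temp folder on a raw Windows path, matched case-insensitively.
TEMP_DIR = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp(\\|$)", re.IGNORECASE)
DLL_ARG = re.compile(r"(\S+\.dll)", re.IGNORECASE)
SIGNER_WATCHLIST = {"blist llc"}  # certificate subject named on this page


def evaluate(event: dict[str, str]) -> list[str]:
    """Return the names of the Blister-oriented rules this event triggers."""
    hits: list[str] = []
    image = event.get("Image", "").lower()
    cwd = event.get("CurrentDirectory", "")
    # Rule 1: rundll32.exe loading a DLL that lives under a user's Temp folder.
    dll = DLL_ARG.search(event.get("CommandLine", ""))
    if image.endswith("\\rundll32.exe") and dll and TEMP_DIR.search(dll.group(1)):
        hits.append("rundll32_dll_from_user_temp")
    # Rule 2: process working out of a sub-directory created under user Temp
    # (the bare Temp folder itself is common and is not flagged).
    m = TEMP_DIR.search(cwd)
    if m and cwd[m.end():].strip("\\"):
        hits.append("working_dir_under_user_temp")
    # Rule 3: Sectigo-issued certificate with a watch-listed subject, or a
    # validity start in August 2021, the period the text calls out.
    if event.get("Issuer", "").lower() == "sectigo" and (
        event.get("Signer", "").lower() in SIGNER_WATCHLIST
        or event.get("CertValidFrom", "").startswith("2021-08")
    ):
        hits.append("suspect_code_signing_cert")
    return hits
```

Run `evaluate` over each event; the first constructed event trips all three rules while the benign rundll32 and vendor-signed events trip none.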

Indicators of Compromise (IOCs):

DLL (SHA256):

  • BE7E259D5992180EADFE3F4F3AB1A5DECC6A394DF60C7170550B3D222FCE5F19

These IOCs may evolve over time, so it's crucial to continuously update and adapt security measures to stay protected against emerging threats.

Preventive measures:

  • Organizations must maintain robust endpoint security solutions that include behaviour-based anomaly detection to catch Blister's evasion techniques.
  • Regularly update and patch systems to minimize vulnerabilities.
  • Monitor certificate usage, especially those issued by reputable CAs like Sectigo, and investigate suspicious or expired certificates.
  • Implement strict access controls and least privilege principles to limit potential attack vectors.
  • Educate employees about social engineering and phishing tactics, as these are common entry points for Blister and similar threats.

Conclusion:

  • The Blister malware campaign demonstrates a high level of sophistication and adaptability in evading detection.
  • Organizations need to remain vigilant, continually update their security measures, and refine SIEM rules to detect and respond to evolving threats.
  • By understanding the technical intricacies of Blister and implementing proactive security measures, organizations can mitigate the risks associated with this malware and safeguard their systems and data.

