Fortinet Spots Windows Trojan That Hides Behind Damaged File Headers

Damaged Headers Help Malware Slip Past Defenses

Fortinet’s incident-response specialists have come across a Windows program that bends the rules of how executable files are supposed to look, and that twist lets it avoid quick detection. Instead of carrying normal Disk Operating System (DOS) and Portable Executable (PE) headers—the short chunks of data that tell Windows, “I’m an app, here’s how to load me”—the file’s headers are scrambled. Antivirus scanners rely heavily on those headers for fast checks, so corrupting them gives the attacker a head start.
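To make concrete which header fields those fast checks depend on, here is an added triage example (not Fortinet’s tooling or anything from the report) that validates the DOS signature, the PE signature and the optional-header magic of an image and reports what is scrambled; the sample images it checks are constructed header-only byte strings, not real binaries.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

DOS_MAGIC = b"MZ"          # e_magic, first two bytes of every normal executable
PE_SIGNATURE = b"PE\0\0"   # NT signature located at offset e_lfanew
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B  # optional-header magic: 32- vs 64-bit

@dataclass
class HeaderCheck:
    dos_ok: bool
    pe_ok: bool
    bitness: Optional[int]          # 32, 64, or None if the magic is unreadable
    notes: List[str] = field(default_factory=list)

def check_pe_headers(data: bytes) -> HeaderCheck:
    """Run the cheap header checks a scanner performs on a file or dumped image."""
    result = HeaderCheck(dos_ok=data[:2] == DOS_MAGIC, pe_ok=False, bitness=None)
    if not result.dos_ok:
        result.notes.append("DOS header: 'MZ' signature missing")
    if len(data) < 0x40:
        result.notes.append("image too short to hold a DOS header")
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # need signature (4) + COFF file header (20) + optional-header magic (2)
    if e_lfanew + 26 > len(data):
        result.notes.append(f"e_lfanew 0x{e_lfanew:x} points outside the image")
        return result
    result.pe_ok = data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE
    if not result.pe_ok:
        result.notes.append("PE signature missing at e_lfanew")
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    result.bitness = {PE32_MAGIC: 32, PE32PLUS_MAGIC: 64}.get(magic)
    if result.bitness is None:
        result.notes.append(f"unknown optional-header magic 0x{magic:x}")
    return result

def build_sample(corrupt: bool = False) -> bytes:
    """Constructed header-only 64-bit image (not a real binary): only the fields read above."""
    e_lfanew = 0x80
    img = bytearray(e_lfanew + 26)
    img[:2] = DOS_MAGIC
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
    struct.pack_into("<H", img, e_lfanew + 24, PE32PLUS_MAGIC)
    if corrupt:  # mimic the scrambled DOS and PE signatures described above
        img[:2] = b"\x00\x00"
        img[e_lfanew:e_lfanew + 4] = b"\xff\xff\xff\xff"
    return bytes(img)
```

Run against a memory-dumped image, a result with both signatures missing but a readable PE32+ magic is the pattern worth escalating: the loader-relevant fields a signature scanner trusts are gone while the rest of the image is still structurally coherent.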

Weeks of Undetected Activity Before Discovery

The Windows Trojan was first spotted only after it had already lived on one victim machine for several weeks. During that time the intruder ran a small batch script and some PowerShell commands that quietly launched the malware in the background, hiding it inside a legitimate-sounding Windows process called dllhost.exe. Fortinet’s team could not pull the file directly from disk—the broken headers made that nearly impossible—but a full memory dump captured the code that was running in RAM, giving investigators the clues they needed.

Re-Creating the Crime Scene in the Lab

To see exactly what the program did, the researchers built a test system that matched the victim’s environment and replayed the memory snapshot over and over, fixing one crash after another until the file finally ran. That patient approach paid off: the analysts proved the binary is a 64-bit remote-access Trojan (RAT) designed for hands-on control of a compromised computer. Even with the headers mangled, the rest of the file was intact enough to execute once the proper conditions were recreated.

Contact Made Through Encrypted Tunnels

As soon as the RAT starts, it pulls an encrypted string from memory, decrypts it and reveals its command-and-control address: rushpapers[.]com. A new worker thread then opens a connection to that server over Transport Layer Security (TLS), giving the attacker an encrypted channel that blends in with everyday web traffic. The main thread of the malware simply goes to sleep and waits while the communication thread handles all future orders.

Multi-Threaded Design Enables Many Sessions

The program is built with a multi-threaded socket framework. Each time an outside “client”—in reality the attacker—connects, the Trojan spins up another thread dedicated to that session. That design means the same compromised computer can juggle several attacker sessions at once, allowing different tasks or even multiple operators to work in parallel without stepping on each other’s toes.

Capabilities Go Beyond Simple Spying

Once the backdoor is open, the RAT can snap screen captures, list and change Windows services, and even flip roles to become a server that sits and waits for fresh attacker connections. Those features let a malicious actor move laterally inside a network, install more tools, or run commands as though sitting at the keyboard. Because everything funnels through an encrypted link, defenders watching network traffic see only harmless-looking TLS packets.

Distribution Still a Mystery, but Precautions Are Clear

Fortinet has not yet figured out how the Trojan spreads or how many organizations have been hit. What is clear is that attackers keep refining header-tampering tricks to stay ahead of scanners. Security teams can lower the risk by turning on memory-based threat hunting, blocking outbound traffic to unknown domains, and keeping PowerShell logging enabled so unusual script activity cannot hide for weeks again. As Fortinet’s researchers note, the key lesson is simple: when malware breaks the usual file format rules, defenders have to look past the file itself and pay closer attention to what actually runs in memory.