The persistent Adwind, a cross-platform malware-as-a-service offering, is back. Many of the Zombie Trojan's phishing emails in this latest upsurge used subject lines and social-engineering lures built around finance-related business documents.

Tampa Bay, Fla. cybersecurity firm KnowBe4 spotted the resurgence in mid-October. Adwind, which has been around since 2012, uses lures such as invoices, purchase orders, payment instructions, contracts, and requests for quotations to deliver its malware.

KnowBe4 CEO Stu Sjouwerman noted in a blog post, "Almost two years ago we took note of two different write-ups on the Adwind (aka AlienSpy) remote access trojan (RAT), one by McAfee and the other by Fidelis Security." He added that those pieces caught the company's attention because one particular Adwind variant, JSocket, had popped up on its own radar following the release of the Phish Alert Button, which lets KnowBe4 customers' employees report suspected phishing emails directly from Outlook.

Sjouwerman explained that JSocket uses advanced features that allow it to shut down and defeat anti-malware applications. JSocket disables most antivirus software on a box, leaving external malicious actors with complete control of a machine inside the network.

"This phishing campaign is particularly alarming since it indicates that one or more malicious actors is actively deploying malware designed to support a sustained presence inside corporate networks," Sjouwerman said. He added that those malicious actors still enjoy a wealth of opportunities to exploit, inasmuch as Java remains a popular tool inside business organizations even two decades after its original release and after years of mounting reports of security problems stemming from its continued use.

"Although JSocket and other Adwind variants never really disappeared over the intervening two years, we were nonetheless surprised to see what appeared to be a significant resurgence in Adwind-infested phishing emails starting early to mid-October of this year," Sjouwerman said.

Intrigued, the company took a closer look and found that the Adwind remote access trojan remained a potent, dangerous foe that is continuously developed as a commercial offering. KnowBe4 reported that the Adwind variants encountered two years ago ranged from 120 kb to 200 kb in size. The most recent batch of Adwind .JARs ranges from 500-600 kb in size, with most coming in around 550 kb.
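As an added defender-side example (not KnowBe4's or the article's code), the following Python triages an inbound message along the lines the article's observations suggest: a .jar attachment that is a genuine Java archive, sized in the bands KnowBe4 reported, arriving under a finance-document subject. The lure keyword list, the byte-size reading of "kb", and the sample JAR are constructed assumptions for this example.

```python
"""Attachment triage for Adwind-style JAR phishes (added example, not KnowBe4's code).
A message is flagged when it carries a genuine Java archive (ZIP with a manifest)
and the subject uses a finance-document lure. The JAR size bands are the figures
the article reports; the lure list and sample message are constructed here."""
import io
import zipfile

FINANCE_LURES = ("invoice", "purchase order", "payment", "contract", "quotation")
SIZE_BANDS = {"recent": (500_000, 600_000),   # latest batch: 500-600 kb
              "older": (120_000, 200_000)}    # variants seen two years earlier

def is_java_archive(data: bytes) -> bool:
    """A JAR is a ZIP with META-INF/MANIFEST.MF; the extension alone proves nothing."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        return False

def size_band(size: int):
    return next((b for b, (lo, hi) in SIZE_BANDS.items() if lo <= size <= hi), None)

def lure_terms(subject: str) -> list:
    s = subject.lower()
    return [t for t in FINANCE_LURES if t in s]

def triage(subject: str, attachments: dict) -> dict:
    """Return {'suspicious': bool, 'flags': [reasons]} for one message."""
    flags = []
    for name, data in attachments.items():
        if not name.lower().endswith(".jar"):
            continue
        if not is_java_archive(data):
            flags.append(f"{name}: .jar extension but not a Java archive")
            continue
        note = f"{name}: Java archive, {len(data)} bytes"
        band = size_band(len(data))
        flags.append(note + (f" (in {band} Adwind size band)" if band else ""))
    lures = lure_terms(subject)
    if flags and lures:
        flags.append("finance lure in subject: " + ", ".join(lures))
    return {"suspicious": bool(flags), "flags": flags}

def sample_jar(padding: int) -> bytes:
    """Constructed sample: a minimal JAR padded to a chosen size (no real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("pad.bin", b"\0" * padding)
    return buf.getvalue()
```

Any flagged message is a candidate for quarantine and analyst review; the size band is a hint, not a verdict, since benign JARs fall in the same ranges.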

Adwind also retained a daunting collection of advanced functionality, including:

  • Sandbox detection.
  • Detection, disabling and killing of various antivirus and security tools.
  • TLS-protected command-and-control.
  • Anti-reverse engineering/debugging protection.

It also contained a wide array of data-gathering features:

  • Collection of system information (e.g. IP address, OS version, RAM, Java version, computer name, etc.).
  • Upload and execute additional malware.
  • Capture webcam and microphone without user notification.
  • Remote desktop to watch user activity.
  • File manager to allow access to files in the context of the current user.
  • Browser password theft.
  • Keylogging to capture passwords otherwise obscured from viewing.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. He is also writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997 and of history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).