Kalambur Backdoor Curl TOR SOCKS Proxy Execution

    Date: 02/18/2025

    Severity: Medium

    Summary

    "Kalambur Backdoor Curl TOR SOCKS Proxy Execution" describes a technique used by the Kalambur backdoor malware: it launches "curl.exe" to reach its remote servers through a SOCKS proxy into the TOR network. The command line typically carries a SOCKS scheme (socks5h://, socks5://, or socks4a://) together with a ".onion" destination, the address form used for anonymized TOR services. Such activity is indicative of malicious action, since the malware relies on TOR and SOCKS proxying to hide its communication and evade detection.

    Indicators of Compromise (IOC) List

    Image:
        '\curl.exe'

    CommandLine (SOCKS proxy scheme, any of):
        'socks5h://'
        'socks5://'
        'socks4a://'

    CommandLine (destination):
        '.onion'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (resourcename in ("Windows Security") AND eventtype = "4688") AND image like "\curl.exe" AND (commandline like "socks5h://" or commandline like "socks5://" or commandline like "socks4a://") AND commandline like ".onion"

    Detection Query 2

    (technologygroup = "EDR") AND image like "\curl.exe" AND (commandline like "socks5h://" or commandline like "socks5://" or commandline like "socks4a://") AND commandline like ".onion"
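    The two queries express the same three conditions: the image is curl.exe, the command line contains one of the three SOCKS schemes, and the command line contains ".onion". The following Python is an added example, not part of the Gurucul article or the referenced Sigma rule; it re-implements those conditions as a filter over constructed process-creation records so the logic can be checked offline. The record field names (resourcename, eventtype, technologygroup, image, commandline) mirror the queries, the sample events and their .onion hostnames are constructed placeholders, and case-insensitive matching is an assumption chosen to mirror Sigma's default string matching.

```python
"""Added example: offline re-implementation of the Kalambur curl/TOR/SOCKS detection.

Not code from the Gurucul article or from SigmaHQ. Field names follow the TDIR
queries; all events below are constructed for illustration.
"""
from typing import Dict, Iterable, List

# Match values taken from the article's IOC list.
SOCKS_SCHEMES = ("socks5h://", "socks5://", "socks4a://")
ONION_SUFFIX = ".onion"
CURL_IMAGE_SUFFIX = "\\curl.exe"


def matches_kalambur_curl_tor(image: str, commandline: str) -> bool:
    """Return True when a process-creation record satisfies all three conditions:
    curl.exe image, a SOCKS proxy scheme in the command line, and a .onion host.
    Comparison is lower-cased (assumption: mirrors Sigma's case-insensitive contains)."""
    img = image.lower()
    cmd = commandline.lower()
    if not img.endswith(CURL_IMAGE_SUFFIX):
        return False
    if not any(scheme in cmd for scheme in SOCKS_SCHEMES):
        return False
    return ONION_SUFFIX in cmd


def is_process_creation(event: Dict[str, str]) -> bool:
    """Source filter from the queries: Windows Security 4688 or an EDR record."""
    if event.get("resourcename") == "Windows Security":
        return event.get("eventtype") == "4688"
    return event.get("technologygroup") == "EDR"


def find_matches(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the source filter and the content filter; return the matching records."""
    return [
        ev for ev in events
        if is_process_creation(ev)
        and matches_kalambur_curl_tor(ev.get("image", ""), ev.get("commandline", ""))
    ]


# Constructed sample records (hostnames are placeholders, not real services).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # expected hit: curl + socks5h + .onion
        "resourcename": "Windows Security", "eventtype": "4688",
        "image": r"C:\Windows\System32\curl.exe",
        "commandline": "curl.exe --proxy socks5h://127.0.0.1:9050 http://placeholderabc123.onion/",
    },
    {   # not a hit: SOCKS proxy but a clearnet destination (legitimate proxied curl)
        "resourcename": "Windows Security", "eventtype": "4688",
        "image": r"C:\Windows\System32\curl.exe",
        "commandline": "curl.exe --proxy socks5://proxy.corp.example:1080 https://updates.example.com/",
    },
    {   # not a hit: .onion in the command line but the image is not curl.exe
        "resourcename": "Windows Security", "eventtype": "4688",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "commandline": "powershell.exe -c Write-Output socks5h://127.0.0.1:9050 placeholder.onion",
    },
    {   # expected hit via the EDR source, mixed case to exercise case-insensitivity
        "technologygroup": "EDR",
        "image": r"C:\Tools\CURL.EXE",
        "commandline": "CURL.EXE -x SOCKS4A://127.0.0.1:9050 http://PLACEHOLDERXYZ.ONION/",
    },
    {   # not a hit: wrong event type for the Windows Security source
        "resourcename": "Windows Security", "eventtype": "4624",
        "image": r"C:\Windows\System32\curl.exe",
        "commandline": "curl.exe --proxy socks5h://127.0.0.1:9050 http://placeholderabc123.onion/",
    },
]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT Kalambur curl/TOR/SOCKS:", hit["image"], "|", hit["commandline"])
```

The second sample record shows the caveat a triage analyst should keep in mind: a SOCKS scheme on its own is common in legitimate proxied curl usage, so the ".onion" condition is what carries the signal in this rule, and both conditions must hold before an alert fires.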

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2025/Malware/proc_creation_win_malware_kalambur_curl_socks_tor.yml


    Tags: Sigma, Malware, Backdoor, Kalambur, TOR
