
In a covert campaign targeting the UK Ministry of Defence, a sophisticated malware dubbed DAMASCENED PEACOCK has been unearthed by the UK’s National Cyber Security Centre (NCSC). This staged downloader—small in size, yet formidable in function—demonstrates the continued evolution of state-aligned cyber espionage toolkits.
According to the NCSC’s findings, DAMASCENED PEACOCK is a “lightweight, staged downloader targeting Windows,” primarily delivered through spear-phishing campaigns. These campaigns, observed in late 2024, targeted the UK Ministry of Defence (MOD), showcasing the malware’s potential for high-profile attacks. The initial spear-phishing attempts used journalistic themes and later shifted to financial lures, demonstrating the attackers’ adaptability.
The infection unfolded in three stages:
- Initial Dropper (Signed Executable): A Rust-based, code-signed .exe disguised as a PDF file downloads and opens a decoy PDF while silently launching the second stage.
- DAMASCENED PEACOCK (The Downloader): This 32-bit DLL executes in memory, downloads the final stage, and installs it using a COM Hijack.
- Final Payload: Delivered to and executed from %LOCALAPPDATA%\KeyStore\KeyProv.dll by hijacking explorer.exe.
The report highlights that “DAMASCENED PEACOCK is the second of 3 stages and is responsible for downloading the final stage and executing it via a COM Hijack”. This staged methodology adds complexity to the attack, making it harder to detect and analyze.
DAMASCENED PEACOCK incorporates several “Defence Evasion techniques” to stay under the radar. One of the key methods is “XOR based string obfuscation,” which conceals critical information like Win32 API function names, the command and control (C2) domain, and registry keys. This obfuscation makes static analysis more challenging, as the malware’s code doesn’t readily reveal its purpose.
Furthermore, the malware employs “dynamic resolution of Win32 APIs”. Instead of directly calling API functions by name, it dynamically resolves them at runtime, making it difficult for security tools to identify which functions are being used. The report notes that “the malware’s functionality is concise; a portable executable file is downloaded from the configured C2 domain and written to disk…” before being loaded via a COM Hijack.
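The two evasion techniques above (XOR string obfuscation and runtime API resolution) leave a characteristic trace for an analyst: the obfuscated string table must still contain the API names the loader resolves. The following is an added example, not code from the NCSC report or the malware itself, showing how an analyst recovers a single-byte XOR key by searching the decoded output for expected API names and then lists the strings it protects. The key value, the byte blob and the placeholder C2 host are all constructed for the example; the real sample's key and strings are not on this page.

```python
"""Crib-driven recovery of single-byte XOR string obfuscation (added example)."""
from typing import Optional

# API names an analyst would expect a downloader that resolves Win32 APIs at
# runtime to carry in its obfuscated string table.
CRIBS = (b"LoadLibraryA", b"GetProcAddress", b"WinHttpOpen", b"WinHttpSendRequest")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def recover_key(blob: bytes, cribs=CRIBS) -> Optional[int]:
    """Try all 256 single-byte keys; return the first whose output contains a crib."""
    for key in range(256):
        plain = xor_bytes(blob, key)
        if any(crib in plain for crib in cribs):
            return key
    return None


def extract_strings(blob: bytes, key: int, min_len: int = 6) -> list:
    """Decode the blob and return the printable NUL-terminated strings it holds."""
    plain = xor_bytes(blob, key)
    found = []
    for chunk in plain.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= b < 0x7F for b in chunk):
            found.append(chunk.decode("ascii"))
    return found


# Constructed sample, not data from the NCSC report: three NUL-terminated
# strings (two API names and a placeholder C2 host) XORed with key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"LoadLibraryA\x00WinHttpOpen\x00c2.example.invalid\x00"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB)
    print(f"key=0x{key:02x} strings={extract_strings(SAMPLE_BLOB, key)}")
```

The crib list is the defender's advantage: whatever key the author picks, a loader that uses WinHTTP and resolves imports at runtime has to decode those names, so a handful of known API strings is enough to brute-force a single-byte key and pull out the C2 domain and registry keys stored alongside them. Multi-byte keys need a longer crib and a sliding comparison, but the idea is the same.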
To maintain persistence on an infected system, DAMASCENED PEACOCK uses a COM Hijack, replacing a registry entry loaded by explorer.exe. Interestingly, “the analysed sample was for 32-bit (x86) Windows,” but it can download a 64-bit onward stage, showing its adaptability. Adding another layer of complexity, “DAMASCENED PEACOCK executes within the process space of the first stage downloader, which is code signed”. The NCSC report indicates that “multiple campaigns in 2024… all used code signed first stages,” suggesting the attackers have consistent access to code signing certificates.
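A COM hijack of the kind described here is visible in the registry: a per-user CLSID entry whose InprocServer32 default value points at a DLL in a user-writable directory, which explorer.exe will load in preference to the machine-wide object. The following is an added triage example, not code from the NCSC report, that scans a `.reg` export for that pattern. It assumes the hijack lives under `HKEY_CURRENT_USER\Software\Classes\CLSID\{...}\InprocServer32` (the usual form of this technique; the report does not name the exact key), and the GUIDs and the second "legitimate" entry in the sample are constructed. The only page-derived value is the `KeyStore\KeyProv.dll` path.

```python
"""Flag per-user CLSID InprocServer32 entries pointing into the user profile (added example)."""
import re
from dataclasses import dataclass

# Key line of a .reg export for a per-user COM server registration (assumed hijack location).
KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER|HKCU)\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$",
    re.IGNORECASE,
)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')  # the (Default) value holds the DLL path
USER_WRITABLE = (
    "%localappdata%", "%appdata%", "%temp%",
    "\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\",
)


@dataclass
class Finding:
    clsid: str
    path: str


def unescape_reg_string(s: str) -> str:
    """Undo the backslash escaping a .reg export applies to string values."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def find_suspicious_inproc(reg_text: str) -> list:
    """Return every HKCU CLSID InprocServer32 whose DLL lives in a user-writable location."""
    findings = []
    current_clsid = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_clsid = m.group(2)
            continue
        if line.startswith("["):          # any other key ends the interesting section
            current_clsid = None
            continue
        if current_clsid is None:
            continue
        v = DEFAULT_VALUE_RE.match(line)
        if not v:
            continue
        path = unescape_reg_string(v.group(1))
        if any(tok in path.lower() for tok in USER_WRITABLE):
            findings.append(Finding(current_clsid, path))
    return findings


# Constructed .reg export (GUIDs and user name invented): one hijack-style entry
# under the user profile and one benign entry under Program Files.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\analyst\\AppData\\Local\\KeyStore\\KeyProv.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-aaaaaaaaaaaa}\InprocServer32]
@="C:\\Program Files\\Vendor\\legit.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for f in find_suspicious_inproc(SAMPLE_REG):
        print(f"possible COM hijack: {f.clsid} -> {f.path}")
```

On a live host the same check is `reg export HKCU\Software\Classes\CLSID hkcu-clsid.reg` followed by this scan; a per-user InprocServer32 under AppData is rare in a normal profile, so each hit deserves a look at the DLL's signature and at whether the same CLSID also exists under HKLM.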
DAMASCENED PEACOCK communicates with its C2 server over HTTP on port 8080, utilizing the WinHTTP APIs. The report provides a detailed example of a beacon, showing the structure of the HTTP POST request.
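Two facts on this page combine into a narrow network detection: the final stage runs inside explorer.exe, and the beacon is HTTP on port 8080. The following is an added example, not code from the NCSC report, that runs that rule over Sysmon-style network-connection (Event ID 3) records: an outbound connection to port 8080 from explorer.exe, or from a binary living in a user-writable directory such as Downloads, is flagged, and repeated hits to one host are counted so beaconing stands out. The records, image paths and the 203.0.113.10 address are constructed for the example.

```python
"""Flag outbound port-8080 connections from explorer.exe or user-profile binaries (added example)."""
import json
from collections import Counter

WATCH_PORT = 8080  # C2 port named in the NCSC report
USER_DIRS = ("\\appdata\\", "\\downloads\\", "\\temp\\")  # user-writable launch locations


def is_suspicious(event: dict) -> bool:
    """True for an initiated connection to WATCH_PORT from explorer.exe or a user-profile image."""
    if event.get("EventID") != 3 or not event.get("Initiated", False):
        return False
    if event.get("DestinationPort") != WATCH_PORT:
        return False
    image = event.get("Image", "").lower()
    return image.endswith("\\explorer.exe") or any(d in image for d in USER_DIRS)


def scan(json_lines) -> list:
    """Return (Image, DestinationIp) for every suspicious event in a JSON-lines feed."""
    hits = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if is_suspicious(ev):
            hits.append((ev["Image"], ev["DestinationIp"]))
    return hits


def beacon_counts(hits) -> Counter:
    """Count repeats per (Image, DestinationIp); repeated hits to one host look like beaconing."""
    return Counter(hits)


# Constructed Sysmon-style Event ID 3 records (JSON lines), not real telemetry.
# 203.0.113.10 is a documentation (TEST-NET-3) address standing in for a C2 host.
SAMPLE_EVENTS = r"""
{"EventID": 3, "Image": "C:\\Windows\\explorer.exe", "Initiated": true, "DestinationIp": "203.0.113.10", "DestinationPort": 8080}
{"EventID": 3, "Image": "C:\\Program Files\\Chrome\\chrome.exe", "Initiated": true, "DestinationIp": "198.51.100.7", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Windows\\explorer.exe", "Initiated": true, "DestinationIp": "203.0.113.10", "DestinationPort": 8080}
{"EventID": 3, "Image": "C:\\Program Files\\DevTools\\proxy.exe", "Initiated": true, "DestinationIp": "10.0.0.5", "DestinationPort": 8080}
{"EventID": 3, "Image": "C:\\Users\\analyst\\Downloads\\Report.pdf.exe", "Initiated": true, "DestinationIp": "203.0.113.10", "DestinationPort": 8080}
"""

if __name__ == "__main__":
    for (image, dest), n in beacon_counts(scan(SAMPLE_EVENTS.splitlines())).items():
        print(f"{n}x {image} -> {dest}:{WATCH_PORT}")
```

The developer proxy on port 8080 in the sample is deliberately not flagged: the rule keys on who is talking, not only on the port, because explorer.exe has no business originating HTTP to an external host on 8080, whereas a tooling process might. Pairing the hit with the registry check for a per-user COM server closes the loop between the network symptom and the persistence mechanism.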
The DAMASCENED PEACOCK campaign is a textbook example of layered intrusion techniques paired with strong obfuscation and staging methods. Its use of legitimate certificates and COM hijacking highlights the blurring line between conventional malware and nation-state-level tooling.
As the NCSC warns, “the actor has a repeatable method of procurement for code signing certificates,” indicating persistent threat activity and resource access.