Jellyfish Loader: Stealthy .NET Malware Raises Cybersecurity Concerns

Recently, researchers at Cyble Research and Intelligence Labs (CRIL) uncovered a new threat in the form of a .NET-based shellcode loader dubbed “Jellyfish Loader.” CRIL indicates that this malicious tool could potentially be linked to the notorious state-sponsored hacking group responsible for the 2018 Olympic Destroyer attack, which caused widespread disruption during the Winter Olympics in Pyeongchang.

The Jellyfish Loader was discovered within a ZIP file initially uploaded from Poland. This file contained a Windows shortcut (.lnk) masquerading as a PDF document. When executed, the .lnk file opens a clean PDF while simultaneously downloading and executing the Jellyfish Loader. Notably, the loader’s code is devoid of obfuscation, showcasing a clear structure designed to manage secure communication through SSL certificate validation.

Junk Data Embedded in the Shortcut LNK File | Image: CRIL

Jellyfish is a .NET-based shellcode loader designed to infiltrate systems stealthily and to download and execute harmful code. What makes it particularly alarming is its close resemblance in tactics, techniques, and procedures (TTPs) to the Olympic Destroyer malware, a sophisticated cyber weapon wielded by the Russian-linked hacking collective known as Hades.

The most notable similarity lies in the use of the domain “connectivity-check[.]com,” which was previously identified as a key component in the Olympic Destroyer’s infrastructure. While definitive attribution remains elusive, this connection raises the specter of a resurgent threat from a highly skilled and dangerous adversary.

Jellyfish’s technical sophistication further amplifies concerns. It incorporates advanced features like dependency embedding using tools like Fody and Costura, secure communication channels through SSL certificate validation, and asynchronous execution for enhanced stealth. Additionally, the malware’s ability to gather system information from infected machines suggests a potential for highly targeted attacks.
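To make the indicators described above usable by defenders, the following is an added triage example (not CRIL's tooling or anything from the report) that flags shortcut files masquerading as documents or padded with junk data, and DNS log lines that resolve the domain named in the report. The size threshold, the log format and the sample bytes are constructed assumptions.

```python
"""Triage heuristics for the PDF-lookalike LNK lure and the C2 domain (added example)."""
import re

# Assumption: a legitimate shortcut is a few KB; a LNK padded with junk data is far larger.
MAX_BENIGN_LNK_BYTES = 64 * 1024
# A Shell Link file starts with HeaderSize = 0x0000004C (little-endian).
LNK_HEADER_MAGIC = b"\x4c\x00\x00\x00"
# Domain from the report (printed defanged in the article text).
SUSPECT_DOMAINS = {"connectivity-check.com"}


def triage_lnk(path: str, data: bytes) -> list:
    """Return a list of reasons a .lnk file deserves analyst attention (empty if none)."""
    reasons = []
    lower = path.lower()
    if not lower.endswith(".lnk"):
        return reasons  # only shortcut files are in scope
    if not data.startswith(LNK_HEADER_MAGIC):
        reasons.append("missing Shell Link header")
    if re.search(r"\.(pdf|docx?|xlsx?)\.lnk$", lower):
        reasons.append("double extension masquerading as a document")
    if len(data) > MAX_BENIGN_LNK_BYTES:
        reasons.append(f"oversized shortcut ({len(data)} bytes), possible embedded junk data")
    return reasons


def flag_dns_lines(lines: list) -> list:
    """Return the DNS log lines that query a domain from the report."""
    return [ln for ln in lines if any(d in ln.lower() for d in SUSPECT_DOMAINS)]


# Constructed sample input: a valid header followed by 128 KiB of filler bytes.
SAMPLE_LNK = LNK_HEADER_MAGIC + b"\x00" * 20 + b"J" * (128 * 1024)
# Constructed DNS log lines in an assumed key=value format.
SAMPLE_DNS = [
    "2024-07-10T10:01:02Z host=ws01 query=connectivity-check.com type=A",
    "2024-07-10T10:01:03Z host=ws01 query=update.example.org type=A",
]

if __name__ == "__main__":
    for reason in triage_lnk("report.pdf.lnk", SAMPLE_LNK):
        print("LNK:", reason)
    for hit in flag_dns_lines(SAMPLE_DNS):
        print("DNS:", hit)
```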

The discovery of Jellyfish serves as a stark reminder that the cyber threat landscape is constantly evolving and becoming increasingly complex. The potential involvement of a state-sponsored actor underscores the escalating stakes in the ongoing cyberwarfare, with critical infrastructure and sensitive data increasingly at risk.

As organizations continue to face advanced threats, it is crucial to remain vigilant, enhance security measures, and foster collaborative efforts to identify and mitigate emerging risks effectively.