Skip to content
July 18, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Weekly Recap
Light/Dark Button
  • Home
  • News
  • Malware
  • The first ransomware SynAck use Process Doppelgänging code injection technology
  • Malware

The first ransomware SynAck use Process Doppelgänging code injection technology

Do Son May 9, 2018 3 minutes read
Add Daily CyberSecurity as a preferred source on Google

At the Black Hat 2017 Security Conference held in London, the UK on December 7, 2017, two researchers from network security company enSilo, Tal Liberman and Eugene Kogan, described to us a new type of code injection technology. They will It is named “Process Doppelgänging”.

Process Doppelgänging is described as being able to work on almost all Windows operating systems, from Windows Vista to the latest Windows. In addition, because the use of Process Doppelgänging’s malicious software code will not be saved to the local hard disk (known as “fileless attack“), this makes the vast majority of popular security products and forensic tools currently on the market cannot detect this malicious software.

Researchers stated that they have tested Process Doppelgänging injection technology for various security products, including Windows Defender, Kaspersky Labs, ESET NOD32, Symantec, Trend Micro, Avast, McAfee, AVG, Panda, and even some advanced forensics tools (such as Internal memory card tool Volatility). The result is shocking, and none of these security products and forensics tools can detect malware that uses the technology.

Kaspersky Lab released a report on Monday that they discovered the first ransomware using this code injection technology, SynAck, last month. It should be noted that SynAck is not a new ransomware that has only recently emerged. The earliest time it was discovered dates back to September 2017, but recently discovered samples are using Process Doppelgänging technology.

There is no doubt that SynAck’s use of Process Doppelgänging technology is aimed at trying to bypass the detection of security products. This technology uses the NTFS mechanism of the Windows operating system to start malicious processes from transaction files so that these processes appear to be legitimate processes.

In general, to complicate the work of a malware analyst, malware developers often use custom PE packages to protect the original code of malware executable files. However, SynAck’s developers did not seem to do so, and they did not package the ransomware executable. However, they added a lot of obfuscated code to SynAck’s source code, which made it extremely difficult to analyze SynAck.

Before encrypting a file, SynAck retrieves all running processes and services and checks the hash of its name against a list of two hard-coded hash values (hundreds of combinations). If a match is found, it will try to terminate these processes or stop the service.

SynAck attempts to terminate programs related to virtual machines, office applications, script interpreters, database applications, backup systems, and game applications. Researchers believe that SynAc’s purpose is to grant itself access to valuable files used by these processes.

Like other ransomware, SynAck also collects basic information about the infected host, such as computer and usernames, operating system version information, etc., and then encrypts the target file using a randomly generated 256-bit AES key. After the file is encrypted, it will be appended with a random production extension.

In addition, SynAck also clears the system-stored event log and can add custom text to the Windows login screen by modifying the LegalNoticeCaption and LegalNoticeText keys in the registry. Therefore, Windows will display messages from cybercriminals before users log in to their accounts.

 

Kaspersky concluded that they are currently monitoring several SynAck ransomware attacks in the United States, Kuwait, Germany, and Iran. This convinced them that the ransomware was specifically tailored to specific goals.

Related coverage

  • North Korean APT37’s “ToyBox Story”: Stealthy Attacks Unveiled
  • North Korea’s Cyber Shadow War: Unmasking RustBucket and KandyKorn
  • Stealthy REMCOS Backdoor Delivered by LNK Files: Bypasses Antivirus with Multi-Stage PowerShell Attack
  • ESET Discovers Kamran Spyware Targeting Hunza News Readers
  • CatDDoS-Related Gangs Ramp Up Attacks Exploiting Over 80 Vulnerabilities
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: ransomware SynAck

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-6875CVSS 9.5
    ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability...
    Admin intel📅 Updated: Jul 18, 2026
  • CVE-2026-39808CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-25089CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-58644CVSS 9.8
    Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2023-4346CVSS 7.5
    KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to...
    CISA KEV📅 Added to KEV: Jul 15, 2026
  • CVE-2026-53362
    In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-46242CVSS 7.8
    In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-56155CVSS 7.8
    Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate...
    CISA KEV📅 Added to KEV: Jul 14, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-16117CVSS 10.0
    Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the...
  • CVE-2026-47865CVSS 9.8
    VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user...
  • CVE-2026-55518CVSS 9.6
    Avo is a framework to create admin panels for Ruby on Rails...
  • CVE-2026-54159CVSS 10.0
    PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0...
  • CVE-2026-48062CVSS 9.8
    CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in...
  • CVE-2026-13446CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password...
  • CVE-2026-8859CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to...
  • CVE-2026-8635CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges...
  • CVE-2026-8505CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook...
  • CVE-2026-8476CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.