Unfurling Hemlock targets systems with “malware cluster bombs”

A threat actor dubbed Unfurling Hemlock is infecting systems with as many as ten pieces of malware at the same time. The researchers that uncovered the activity describe the technique as a “malware cluster bomb” that allows the threat actor to use one piece of malware that spreads additional ones on the compromised machine.

Discovered by Outpost24’s KrakenLabs, the activity dates back to at least February 2023. The researchers say they have seen over 50,000 “cluster bomb” files that share unique characteristics linking them to Unfurling Hemlock.

Attacks begin with a file named WEXTRACT.EXE that arrives via a malicious email or malware loader. The file contains nested compressed cabinet files, with each level containing a malware sample and another compressed file. When each compressed file is unpacked, another threat is dropped onto the victim’s computer.

Once the final stage is reached, the dropped malware samples are executed in reverse order of extraction, with the most recently dropped threat executed first.

Some of the threats dropped on victims’ machines included information stealers, botnets, and backdoors, such as Redline, Mystic Stealer, RisePro, Amadey, and SmokeLoader.
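The nested-cabinet layout described above is a structural trait a defender can measure. The following Python script is an added example, not code from the Outpost24 report: it walks a file for Microsoft Cabinet headers (the `MSCF` CFHEADER), validates the header's declared size, and recurses into each cabinet's body to report how deeply cabinets are nested. The sample cabinets are constructed header-only stubs built by the hypothetical `make_cab` helper, not real archives.

```python
import struct

CAB_MAGIC = b"MSCF"
CFHEADER_LEN = 36  # fixed CFHEADER size without optional reserve fields


def parse_cfheader(buf, off):
    """Return (cb_cabinet, c_folders, c_files) for a plausible CFHEADER at off, else None.

    The 'MSCF' bytes alone are not proof of a cabinet; the declared size
    (cbCabinet at offset 8) must fit inside the buffer to count as a hit.
    """
    if buf[off:off + 4] != CAB_MAGIC or off + CFHEADER_LEN > len(buf):
        return None
    (cb,) = struct.unpack_from("<I", buf, off + 8)
    c_folders, c_files = struct.unpack_from("<HH", buf, off + 26)
    if cb < CFHEADER_LEN or off + cb > len(buf):
        return None
    return cb, c_folders, c_files


def find_cabinets(buf, depth=1, max_depth=16):
    """Recursively list (depth, absolute_offset, size) for every nested cabinet."""
    results = []
    off = buf.find(CAB_MAGIC)
    while off != -1:
        hdr = parse_cfheader(buf, off)
        if hdr is None:
            off = buf.find(CAB_MAGIC, off + 1)  # false positive, keep scanning
            continue
        cb = hdr[0]
        results.append((depth, off, cb))
        if depth < max_depth:  # bound recursion against decompression-bomb style inputs
            body = buf[off + CFHEADER_LEN:off + cb]
            for d, o, s in find_cabinets(body, depth + 1, max_depth):
                results.append((d, off + CFHEADER_LEN + o, s))
        off = buf.find(CAB_MAGIC, off + cb)  # skip past this cabinet's body
    return results


def nesting_depth(buf):
    """Maximum cabinet nesting depth; 0 when no valid cabinet is present."""
    return max((d for d, _, _ in find_cabinets(buf)), default=0)


def make_cab(payload):
    """Constructed sample: wrap payload in a syntactically valid CFHEADER (not a real archive)."""
    cb = CFHEADER_LEN + len(payload)
    fields = (0, cb, 0, CFHEADER_LEN, 0, 3, 1, 1, 1, 0, 0x1234, 0)
    return CAB_MAGIC + struct.pack("<IIIIIBBHHHHH", *fields) + payload
```

Run against a real sample, a depth well above one is the kind of anomaly worth surfacing in a mail gateway or sandbox triage rule, since ordinary self-extracting installers rarely nest cabinets several levels deep.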

The researchers say that over half of all Unfurling Hemlock attacks targeted systems in the U.S., while relatively high-volume activity was also seen in Germany, Russia, Turkey, India, and Canada.

KrakenLabs believes with “a reasonable degree of certainty” that Unfurling Hemlock is based in an Eastern European country.