Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

WhiteShadow downloader leverages Microsoft SQL to retrieve multiple malware

Researchers at Proofpoint have spotted a piece of downloader, dubbed WhiteShadow, that leverages Microsoft SQL queries to pull and deliver malicious payloads.  In August, malware researchers at Proofpoint spotted a new downloader which is being used to deliver a variety of malware via Microsoft SQL queries. The experts detected new Microsoft Office macros, which collectively […]

whiteshadow

Researchers at Proofpoint have spotted a piece of downloader, dubbed WhiteShadow, that leverages Microsoft SQL queries to pull and deliver malicious payloads. 

In August, malware researchers at Proofpoint spotted a new downloader which is being used to deliver a variety of malware via Microsoft SQL queries. The experts detected new Microsoft Office macros, which collectively act as a staged downloader, and tracked it as WhiteShadow.

Initially the downloader was involved in a small campaign aimed at distributing the Crimson RAT, over the time researchers observed the implementation of detection evasion techniques.

“In August 2019, the macros that make up WhiteShadow appeared in English-language cleartext. The only observed obfuscation technique was in the simple case altering of strings such as “Full_fILE” or “rUN_pATH.” In early September, we observed slight misspellings of certain variables such as “ShellAppzz.Namespace(Unzz).” Mid-September brought another change in macro code using reversed strings such as “StrReverse(“piz.Updates\stnemucoD\”)”.” reads the analysis published by Proofpoint.

“The most recently observed versions of the WhiteShadow macros contain long randomized text strings such as “skjfhskfhksfhksfhksjfh1223sfsdf.eDrAerTerAererer”.”

Experts believe that WhiteShadow is one component of a malware delivery service that includes a rented instance of Microsoft SQL Server to host various payloads retrieved by the downloader. Experts observed the downloader in campaigns spreading Crimson RAT, Agent Tesla, AZORult, and multiple keyloggers.

The macros observed in the campaigns, once enables, execute SQL queries to retrieve the malicious code, stored as ASCII-encoded strings, from Microsoft SQL Server databases controlled by threat actors. 

The result of the query is written to disk as a PKZip archive of a Windows executable. 

WhiteShadow uses a SQLOLEDB connector to connect to a remote Microsoft SQL Server instance, execute a query, and save the results to a file in the form of a zipped executable. The SQLOLEDB connector is an installable database connector from Microsoft but is included by default in many (if not all) installations of Microsoft Office.” continues the report.

“Once extracted by the macro, the executable is run on the system to start installing malware, which is determined by the actor based on the script configuration stored in the malicious Microsoft Office attachments.”

whiteshadow

Proofpoint warns that the Microsoft SQL technique is still a rarity in the threat landscape, but threat actors could increasingly adopt it in future campaigns. 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – WhiteShadow, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]