Unfurling Hemlock Threat group uses cluster bomb campaigns
A threat actor dubbed Unfurling Hemlock has been observed distributing hundreds of thousands of malware samples in a campaign lasting several months. The malware is distributed using a cluster bomb technique where each sample contains multiple stages of nested executable files each containing additional malware payloads. The distributed malware includes stealers like Redline RisePro and Mystic Stealer as well as loaders like Amadey and SmokeLoader. The campaign appears financially motivated and targets victims globally with no specific industry focus. The actor is suspected to be Eastern European based on language artifacts and hosting infrastructure.