New malware: Akemi uses trailing slash in class filenames to thwart static analysis and unzipping
21 May 2025
Malicious JAR uses trailing slash in class filenames to thwart static analysis and unzipping
A sample of the Akemi malware family has been flying under the radar of most AVs on VirusTotal for a week now (1/67).
The malware is delivered via a Java Archive (which is essentially a Zip file) where the obfuscation and protection layer uses a very interesting technique to avoid analysis:
Filenames within the archive use a trailing “/” to fool unzipping and analysis tools into believing that the files are folders. The infostealer itself is obfuscated and protected via radon in addition to qProtect, which is the likely source of the trailing slash evasion technique. It abuses GitHub as a C2 and exfiltrates stolen data, such as browser cookies, via Discord webhooks.
1 / 67 detections on VirusTotal on May 25th 2025
In a nutshell:
🔍 1/67 AV detections on VT, eight crowdsourced rules without classification
📦 Java archive includes files pretending to be directories to avoid extraction and static analysis
🌐 Pulls encoded data from GitHub via web request
🧠 GitHub repositories are quite active and have existed since mid to late 2024
🎯 Monitors keyboard and mouse input, takes screenshots
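To make the trailing-slash trick concrete from the defender's side, here is an added example (not VMRay's tooling and not code from the sample) that reads a JAR's central directory and flags entries whose names end in "/" yet carry data. A genuine directory entry stores nothing: its uncompressed size and CRC are both zero, so any trailing-slash entry with a payload deserves a second look regardless of how an unzip tool renders it. The archive it scans is constructed inline; the entry names and the placeholder class bytes are assumptions for illustration.

```python
"""Flag ZIP/JAR entries that claim to be directories (trailing "/") but carry data.

Added example for this write-up. It is not VMRay's tooling and not the Akemi
sample itself; the archive below is constructed here for illustration.
"""
import io
import zipfile
from dataclasses import dataclass

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every Java class file starts with these bytes


@dataclass
class Finding:
    name: str
    file_size: int
    compress_size: int
    crc: int
    looks_like_class: bool


def find_fake_directories(jar_bytes: bytes) -> list[Finding]:
    """Return entries whose name ends with '/' yet store a payload.

    Decisions are made from the central directory (uncompressed size and CRC),
    not from how an extractor happens to interpret the name. The empty-deflate
    quirk (an empty DEFLATE stream still occupies two bytes) is why
    compress_size is reported but not used as the trigger.
    """
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith("/"):
                continue  # ordinary file entry, nothing to check here
            if info.file_size == 0 and info.CRC == 0:
                continue  # real directory entry: no data behind it
            with zf.open(info) as fh:  # peek at the payload hidden behind the "/"
                head = fh.read(4)
            findings.append(Finding(info.filename, info.file_size,
                                    info.compress_size, info.CRC,
                                    head == CLASS_MAGIC))
    return findings


def build_sample_jar() -> bytes:
    """Constructed sample: a normal JAR layout plus one entry disguised as a folder.

    Entry names and bytes are placeholders, not the malware's real contents."""
    fake_bytecode = CLASS_MAGIC + b"\x00\x00\x00\x34"  # magic + Java 8 version, then filler
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Genuine directory entry, written STORED with no data (size 0, CRC 0).
        dir_info = zipfile.ZipInfo("META-INF/")
        dir_info.compress_type = zipfile.ZIP_STORED
        dir_info.external_attr = (0o40755 << 16) | 0x10  # unix dir mode + MS-DOS dir flag
        zf.writestr(dir_info, b"")
        zf.writestr("META-INF/MANIFEST.MF",
                    b"Manifest-Version: 1.0\nMain-Class: app.Main\n")
        zf.writestr("app/Main.class", fake_bytecode + b"\x00" * 16)
        # The trick: a class file whose name ends in "/" so tools treat it as a folder.
        zf.writestr("app/Loader.class/", fake_bytecode + b"\x01" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_fake_directories(build_sample_jar()):
        print(f"{f.name}: {f.file_size} bytes, CRC {f.crc:08x}, "
              f"class magic: {f.looks_like_class}")
```

Running the script lists only `app/Loader.class/`; the real `META-INF/` directory entry passes because it has no size and no CRC. The same check works on any archive read from disk, and it complements rather than replaces the usual JAR heuristics (manifest inspection, string and URL extraction), since it only tells you that an entry is lying about what it is.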