21 May 2025
Malicious JAR uses trailing slash in class filenames to thwart static analysis and unzipping
A sample of the Akemi malware family has been flying under the radar of most AVs on VirusTotal for a week now (1/67).
The malware is delivered via a Java Archive (which is essentially a Zip file) where the obfuscation and protection layer uses a very interesting technique to avoid analysis:
Filenames within the archive use a trailing “/” to fool unzipping and analysis tools into believing that the files are folders. The infostealer itself is obfuscated and protected via radon in addition to qProtect, which is the likely source of the trailing slash evasion technique. It abuses GitHub as a C2 and exfiltrates stolen data, such as browser cookies, via Discord webhooks.
In a nutshell:
🔍 1/67 AV detections on VT, eight crowdsourced rules without classification
📦 Java archive includes files pretending to be directories to avoid extraction and static analysis
🌐 Pulls encoded data from GitHub via web request
🧠 GitHub repositories are quite active and exist since mid to late 2024
🎯 Monitors keyboard and mouse input, takes screenshots
📤 Exfiltrates data via Discord webhook
Sample SHA256:
f69b6e971b994893435c57c549a6c0bdfb188f2f0339f993251ce8be2a469175
See why we think this is malicious in plain language.
See the whole path of the sample’s execution
Map the malicious activities on the MITRE ATT&CK Framework
Explore detailed information on the IP addresses, URLs and DNS, including function logs and PCAP Streams
Download the IOCs and artifacts to have a clear picture of the threat.
Download the files that the malware downloads, drops or modifies.
Explore how you can use these insights
