New malware: Akemi uses trailing slash in class filenames to thwart static analysis and unzipping

21 May 2025

Malicious JAR uses trailing slash in class filenames to thwart static analysis and unzipping

A sample of the Akemi malware family has been flying under the radar of most AVs on VirusTotal for a week now (1/67).

The malware is delivered via a Java Archive (which is essentially a Zip file) where the obfuscation and protection layer uses a very interesting technique to avoid analysis:

Filenames within the archive use a trailing “/” to fool unzipping and analysis tools into believing that the files are folders. The infostealer itself is obfuscated and protected via radon in addition to qProtect, which is the likely source of the trailing slash evasion technique. It abuses GitHub as a C2 and exfiltrates stolen data, such as browser cookies, via Discord webhooks.

1 / 67 detections on VirusTotal
on May 25th 2025

In a nutshell:

🔍 1/67 AV detections on VT, eight crowdsourced rules without classification

📦 Java archive includes files pretending to be directories to avoid extraction and static analysis

🌐 Pulls encoded data from GitHub via web request

🧠 GitHub repositories are quite active and exist since mid to late 2024

🎯 Monitors keyboard and mouse input, takes screenshots

📤 Exfiltrates data via Discord webhook

Dive deeper into the report

Sample SHA256:

f69b6e971b994893435c57c549a6c0bdfb188f2f0339f993251ce8be2a469175

Threat identifiers

See why we think this is malicious in plain language.

See the whole path of the sample’s execution

MITRE ATT&CK Matrix

Map the malicious activities on the MITRE ATT&CK Framework

Network connections

Explore detailed information on the IP addresses, URLs and DNS, including function logs and PCAP Streams

Pre-filtered IOCs

Download the IOCs and artifacts to have a clear picture of the threat.

Download the files that the malware downloads, drops or modifies.

Explore how you can use these insights

Incident
Response

Threat Intelligence
Generation