NullMixer Polymorphic Malware Variant Infects 8K Targets in Just a Month

The NullMixer loader has compromised thousands of endpoints in the US, France, and Italy, stealing data and selling it to Dark Web data dealers, all without setting off alarm bells.

Dark Reading Staff, Dark Reading

March 28, 2023


A new version of the NullMixer dropper includes polymorphic loaders from malware-as-a-service (MaaS) and pay-per-install (PPI) providers on Dark Web markets, and it's being used to target organizations in North America, as well as Italy and France.

The malware, a known threat, typically installs a suite of downloaders, banking Trojans, stealers, and spyware on victims' systems, all in one go. The new additions make the threat even more dangerous, according to a detailed NullMixer analysis this week from Security Affairs, because it can adapt to the specific environment it infects.

The analysis also explains how threat actors have been using search engine optimization (SEO) poisoning and malicious video tutorials to con IT staff into installing the new malware. In just one month, the newly enhanced NullMixer malware has established initial access into more than 8,000 endpoints, stealing data to sell it to brokers in underground markets.

Most victims are running Windows 10 Professional and Enterprise operating systems, the NullMixer report said, adding that the malware also seems to have successfully infected Windows Embedded IoT environments.

"The NullMixer package is including new polymorphic loaders by third parties MaaS and PPI service providers in the underground markets, and also pieces of controversial, potentially North-Korean linked PseudoManuscript code," the researchers explained about the latest NullMixer malware strain. "Our insights into a recent NullMixer malware operation revealed Italy and France are the favorite European countries from the opportunistic attackers' perspective."
