
New Botnet and LSASS Exploit Listed for Sale on the Dark Web


A threat actor operating on dark web forums has launched a sophisticated botnet marketed as “white software” designed to bypass antivirus (AV) detection, alongside a new LSASS (Local Security Authority Subsystem Service) exploitation tool capable of extracting NTLMv1 passwords from Windows systems.

The dual offerings—advertised as evasion-focused utilities—signal a concerning escalation in cybercriminal innovation, particularly in credential harvesting and network persistence tactics.

Cybersecurity analysts warn these tools could enable large-scale credential theft campaigns and botnet-driven attacks on corporate networks, compounding risks for organizations reliant on legacy authentication protocols.

Technical Architecture of the “White Software” Botnet

According to the post from ThreatMon, the botnet employs a multi-layered evasion strategy, beginning with command execution via Windows Command Prompt (CMD) to avoid triggering behavioral analysis engines in endpoint protection systems.

Its operators claim the malware uses Google search redirects to mask command-and-control (C2) server communications, a technique that routes traffic through legitimate search engine domains to blend with routine user activity.

This method complicates network-based detection mechanisms that rely on anomalous domain patterns.

Further, the botnet’s payload delivery system operates in stages: initial infection occurs through malicious downloads disguised as benign software updates, followed by secondary payloads retrieved from decentralized storage platforms.

Analysts speculate that blockchain-based storage or torrent networks are used to host the malicious binaries, though the seller has not disclosed specifics.

The modular design allows operators to dynamically update functionalities, including distributed denial-of-service (DDoS) capabilities and ransomware deployment modules.

LSASS Exploit Tool: Mimikatz-Like Functionality with Enhanced Stealth

Parallel to the botnet, the threat actor is auctioning an LSASS exploitation tool that extracts NTLMv1 password hashes from Windows memory—a technique reminiscent of the open-source tool Mimikatz but with refinements to evade modern endpoint detection and response (EDR) systems.

Unlike traditional LSASS dumpers, this tool executes commands via hidden CMD instances, avoiding process creation events that typically alert security teams.

The exploit targets LSASS’s handling of NTLMv1, an outdated authentication protocol still enabled in many enterprise environments for backward compatibility.

Successful extraction of NTLMv1 hashes enables “pass-the-hash” attacks, where attackers impersonate users without decrypting passwords.

The seller claims compatibility with Windows 7 through Windows 11, though independent verification remains pending.

Implications for Enterprise Security

The convergence of an AV-evading botnet and a stealth LSASS exploit creates a potent threat vector. Attackers could deploy the botnet to establish initial access, then use the LSASS tool to escalate privileges and move laterally across networks.

Notably, NTLMv1’s vulnerabilities are well-documented; Microsoft has advocated for disabling it in favor of NTLMv2 or Kerberos since 2016. However, many organizations retain NTLMv1 for legacy applications, leaving them exposed.

Security researchers highlight similarities to the Emotet botnet’s evolution, which transitioned from banking malware to a modular threat delivery platform.

“This botnet’s use of Google redirects shows threat actors are investing in ‘living off the legitimate’ tactics,” said Clara Mendez, a threat intelligence analyst at SentinelOne.

“Combined with LSASS-based credential theft, attackers could bypass multi-factor authentication (MFA) in certain configurations.”

Mitigation Strategies and Industry Response

Enterprises are advised to:

  1. Disable NTLMv1: Enforce NTLMv2 or Kerberos via Group Policy and audit registry keys (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LMCompatibilityLevel).
  2. Monitor LSASS Activity: Deploy EDR solutions with behavioral analytics to detect unusual memory access patterns.
  3. Block Suspicious Redirects: Use web proxies to flag Google search parameters associated with known malicious campaigns.
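As an added example (not code from the article or from ThreatMon), the following PowerShell snippet carries out the first two checks above on a single host: it reads the LMCompatibilityLevel value that governs NTLMv1 use and then hunts the Security log for recent NTLMv1 logons. The level meanings and the 4624 event fields are standard Windows ones; the 5000-event window and the elevated session are assumptions.

```powershell
# Added example, not code from the article. Assumes an elevated PowerShell
# session on the Windows host being audited.
$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'LMCompatibilityLevel'

# Documented meanings of LMCompatibilityLevel. Levels 0-2 still send LM/NTLMv1
# responses; only level 5 also refuses incoming LM and NTLM authentication.
$levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

# 1. Read the current level. An absent value means the OS default (3) applies.
$item = Get-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Output "$valueName is not set explicitly; the OS default (3) applies."
    $level = 3
} else {
    $level = [int]$item.$valueName
    Write-Output ("{0} = {1} ({2})" -f $valueName, $level, $levels[$level])
}
if ($level -lt 5) {
    Write-Warning 'Host still accepts LM/NTLMv1; enforce level 5 via Group Policy once legacy apps are confirmed to negotiate NTLMv2 or Kerberos.'
    # Equivalent local change after testing:
    # Set-ItemProperty -Path $lsaPath -Name $valueName -Value 5 -Type DWord
}

# 2. Hunt for recent NTLMv1 logons. Event 4624 carries the LM package name
# ("NTLM V1" or "NTLM V2") for NTLM authentications; the 5000-event sample
# is an arbitrary window for a quick check.
$ntlmv1 = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $pkg  = ($data | Where-Object { $_.Name -eq 'LmPackageName' }).'#text'
        if ($pkg -eq 'NTLM V1') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
                Workstation = ($data | Where-Object { $_.Name -eq 'WorkstationName' }).'#text'
                SourceIp    = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
            }
        }
    }
if ($ntlmv1) {
    Write-Warning ("{0} NTLMv1 logon(s) found; these sources are the legacy dependencies to fix before enforcing level 5." -f @($ntlmv1).Count)
    $ntlmv1 | Format-Table -AutoSize
} else {
    Write-Output 'No NTLMv1 logons in the sampled 4624 events.'
}
```

Run it on domain controllers first, since they see NTLM authentications from across the domain and will surface the widest set of legacy clients.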

Microsoft has not yet issued a formal advisory but recommends enabling Credential Guard for Windows 10/11 systems to isolate LSASS processes in virtualized containers.

Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) is analyzing samples of the tools to update its Known Exploited Vulnerabilities catalog.

The dark web’s latest offerings underscore cybercriminals’ growing emphasis on evasion and credential access.

While the botnet’s full impact remains uncertain, its integration with LSASS exploitation tools suggests a targeted approach toward enterprises with hybrid AD (Active Directory) environments.

Organizations must prioritize phasing out legacy protocols and adopt behavioral threat detection to counter these advanced persistent threats (APTs).

As Mendez notes, “In 2024, attackers aren’t just breaking defenses—they’re slipping through the cracks everyone ignored.”
