COVID-19 is by far the most popular topic exploited by cybercriminals in phishing and malspam campaigns. Recently, attackers have found a new and effective way to convince the user to open a malicious attachment. Researchers at IBM X-Force discovered a malicious campaign that used emails pretended to be messages from the U.S. Department of Labor. Adversaries abused the Family and Medical Leave Act theme, which gives employees the right to medical leave benefits, to convince users to install malware on their systems. At the end of April, cybercriminals spread infamous TrickBot malware through this campaign. It turned out so well for them that some other group decided to repeat their success and started to use similar emails to distribute Kpot info stealer.

Kpot info stealer is a commodity malware family that is used in attacks for 2+ years. The malware got its name from a string publicly present on the Admin-Panel. It can exfiltrate account information and other sensitive data from web browsers, instant messengers, Email, VPN, RDP, FTP, cryptocurrency, and gaming software. 

Exclusive rule by Osman Demir detects the installation of Kpot malware and its communications with C&C servers:

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint


Tactics: Initial Acess

Techniques: Spearphishing Attachment (T1193)

More rules to detect this threat:

KPOT behavior (Sysmon detection) by Ariel Millahuel –
Powershell Downloader (KPOT Malware) by Emir Erdogan –

View all rules by Osman Demir on TDM: specify the author on the Filters panel, or use Lucene search query option for search ( Demir).

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts