Threat Hunting Content: Uncover Bladabindi Backdoor

The Bladabindi backdoor has been known since at least 2013. Its authors monitor cybersecurity trends and improve the backdoor to prevent its detection: they recompile, refresh, and rehash it, so IOC-based detection content is almost useless. In 2018, the Bladabindi backdoor became fileless and was used as a secondary payload delivered by njRAT / Njw0rm malware. The backdoor infects USB drives to spread across the attacked organizations. Adversaries use Bladabindi to steal sensitive data, download and execute additional tools, and collect credentials; it is also used as a backdoor and keylogger.


Ariel Millahuel created the Threat Hunting Sigma rule based on recent findings to spot characteristics of this malware and released it on Threat Detection Marketplace.


Ariel is one of the most active contributors to the Developer Program and leads the top 10 content authors this month. In April, he published 50+ Sigma rules to detect APT groups' activity and various malware used in recent attacks.



Threat Detection is supported for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint



Tactics: Execution, Defense Evasion 

Techniques: Command-Line Interface (T1059), Disabling Security Tools (T1089), Modify Registry (T1112)
