{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/unicode/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","unicode","malware","github"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Glassworm malware is a newly discovered threat that leverages the presence of invisible Unicode characters within source code to inject malicious payloads into software projects. Discovered in early 2026, this malware has already compromised over 150 repositories on GitHub. The attack focuses on injecting these invisible characters into popular repositories, particularly those related to JavaScript and Node.js development, potentially impacting a wide range of applications and services. The characters are introduced either by contributors with malicious intent or through compromised accounts. 
This sophisticated approach allows the malware to remain undetected during code reviews and traditional security scans, making it a significant threat to the software supply chain.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious actor gains commit access to a target GitHub repository through either direct contribution or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe actor injects invisible Unicode characters into source code files, such as JavaScript or package.json files.\u003c/li\u003e\n\u003cli\u003eThese Unicode characters are strategically placed within the code so that they are visually innocuous but alter the program\u0026rsquo;s execution when interpreted.\u003c/li\u003e\n\u003cli\u003eThe altered code, containing the Unicode characters, is committed to the repository, potentially passing initial code review checks because the characters are invisible.\u003c/li\u003e\n\u003cli\u003eWhen a developer clones or downloads the compromised repository, the Unicode characters are included in their local copy of the code.\u003c/li\u003e\n\u003cli\u003eDuring the build process (e.g., \u003ccode\u003enpm install\u003c/code\u003e), the malicious code embedded within the Unicode characters is executed.\u003c/li\u003e\n\u003cli\u003eThis execution leads to the download and execution of a secondary payload from a remote server, potentially installing malware, backdoors, or exfiltrating sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective is to compromise the developer\u0026rsquo;s system or to inject malicious code into applications built using the compromised repository, thus propagating the malware further.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful deployment of Glassworm can lead to widespread supply chain compromise, potentially affecting thousands of developers and end-users. 
Over 150 GitHub repositories have already been identified as infected, and the actual number could be much higher. Successful exploitation leads to arbitrary code execution on developer machines and within deployed applications. The compromised code can steal credentials, inject backdoors, and exfiltrate sensitive data, leading to significant financial and reputational damage. The lack of visibility makes remediation challenging.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement static analysis tools capable of detecting invisible Unicode characters in source code repositories (reference: Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to identify suspicious process executions originating from build processes that may indicate Glassworm activity.\u003c/li\u003e\n\u003cli\u003eEducate developers about the risks associated with invisible Unicode characters and the importance of careful code review (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication on all developer accounts to prevent account compromise (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to suspicious or unknown domains originating from build processes (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eUtilize file integrity monitoring (FIM) to track changes to critical files within repositories and development environments (reference: Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-15T15:30:24Z","date_published":"2026-03-15T15:30:24Z","id":"/briefs/2024-02-29-glassworm-unicode-malware/","summary":"The Glassworm malware utilizes invisible unicode characters to infect over 150 GitHub repositories, posing a supply chain risk to developers and users.","title":"Glassworm Malware Hidden in Unicode Characters Affecting GitHub 
Repositories","url":"https://feed.craftedsignal.io/briefs/2024-02-29-glassworm-unicode-malware/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Sysmon","Elastic Endgame","Elastic Defend","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","command-line","unicode","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers are increasingly employing Unicode modifier letters to obfuscate command-line arguments, thereby bypassing traditional string-based detection mechanisms. This technique involves replacing standard ASCII characters with visually similar Unicode characters, making it difficult for simple pattern-matching rules to identify malicious commands. The obfuscation targets common Windows utilities such as \u003ccode\u003ereg.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003ePowerShell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, and others frequently abused in post-exploitation scenarios. Defenders need to implement more sophisticated detection methods that account for Unicode normalization or character range analysis to identify and mitigate this threat. 
This technique has become more prevalent in the last year as attackers seek to evade common detection strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes a command-line utility like \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e to perform malicious actions.\u003c/li\u003e\n\u003cli\u003eObfuscation: The command-line arguments are obfuscated by replacing ASCII characters with Unicode modifier letters.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The obfuscation allows the attacker to evade simple string-based detections that would normally flag the command as malicious.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker may use the obfuscated command to escalate privileges or gain access to sensitive resources.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker may establish persistence by creating a scheduled task or modifying the registry using obfuscated commands.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker may use the obfuscated command to move laterally to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful command obfuscation can lead to a significant compromise of Windows systems. Attackers can bypass security controls and execute malicious code undetected, potentially leading to data theft, system disruption, or ransomware deployment. 
The obfuscation makes it harder for security teams to identify and respond to attacks, increasing the dwell time and potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect the presence of Unicode modifier letters in command lines (references: Sigma rules).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture command-line arguments for analysis (references: Sysmon setup instructions).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule and analyze the raw command lines to identify the true intent of the command (references: Triage and Analysis section of the source).\u003c/li\u003e\n\u003cli\u003eConsider implementing Unicode normalization techniques to remove the obfuscation before analyzing command lines.\u003c/li\u003e\n\u003cli\u003eMonitor the listed processes (\u003ccode\u003ereg.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, etc.) more closely for suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-unicode-cmd-obfuscation/","summary":"Adversaries use Unicode modifier letters to obfuscate command-line arguments, evading string-based detections on common Windows utilities like PowerShell and cmd.exe.","title":"Command Obfuscation via Unicode Modifier Letters","url":"https://feed.craftedsignal.io/briefs/2024-01-unicode-cmd-obfuscation/"}],"language":"en","title":"CraftedSignal Threat Feed — Unicode","version":"https://jsonfeed.org/version/1.1"}