<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Unicode — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/unicode/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 15 Mar 2026 15:30:24 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/unicode/feed.xml" rel="self" type="application/rss+xml"/><item><title>Glassworm Malware Hidden in Unicode Characters Affecting GitHub Repositories</title><link>https://feed.craftedsignal.io/briefs/2024-02-29-glassworm-unicode-malware/</link><pubDate>Sun, 15 Mar 2026 15:30:24 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-02-29-glassworm-unicode-malware/</guid><description>The Glassworm malware utilizes invisible Unicode characters to infect over 150 GitHub repositories, posing a supply chain risk to developers and users.</description><content:encoded><![CDATA[<p>The Glassworm malware is a newly discovered threat that leverages invisible Unicode characters within source code to inject malicious payloads into software projects. Discovered in early 2026, this malware has already compromised over 150 repositories on GitHub. The attack focuses on injecting these invisible characters into popular repositories, particularly those related to JavaScript and Node.js development, potentially impacting a wide range of applications and services. The characters are delivered either by contributors acting with malicious intent or by compromised accounts that inject them.
This sophisticated approach allows the malware to remain undetected during code reviews and traditional security scans, making it a significant threat to the software supply chain.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A malicious actor gains commit access to a target GitHub repository through either direct contribution or compromised credentials.</li>
<li>The actor injects invisible Unicode characters into source code files, such as JavaScript or package.json files.</li>
<li>These Unicode characters are placed within the code so that they are visually innocuous but alter the program&rsquo;s execution when interpreted.</li>
<li>The altered code, containing the Unicode characters, is committed to the repository, potentially passing initial code review checks due to the characters&rsquo; invisibility.</li>
<li>When a developer clones or downloads the compromised repository, the Unicode characters are included in their local copy of the code.</li>
<li>During the build process (e.g., <code>npm install</code>), the malicious code embedded within the Unicode characters is executed.</li>
<li>This execution leads to the download and execution of a secondary payload from a remote server, potentially installing malware, backdoors, or exfiltrating sensitive data.</li>
<li>The final objective is to compromise the developer&rsquo;s system or to inject malicious code into applications built using the compromised repository, thus propagating the malware further.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful deployment of Glassworm can lead to widespread supply chain compromise, potentially affecting thousands of developers and end-users. Over 150 GitHub repositories have already been identified as infected, and the actual number could be much higher. Successful exploitation leads to arbitrary code execution on developer machines and within deployed applications. The compromised code can steal credentials, inject backdoors, and exfiltrate sensitive data, leading to significant financial and reputational damage. The lack of visibility makes remediation challenging.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement static analysis tools capable of detecting invisible Unicode characters in source code repositories (reference: Overview).</li>
<li>Deploy the Sigma rules provided below to identify suspicious process executions originating from build processes that may indicate Glassworm activity.</li>
<li>Educate developers about the risks associated with invisible Unicode characters and the importance of careful code review (reference: Attack Chain).</li>
<li>Implement multi-factor authentication on all developer accounts to prevent account compromise (reference: Attack Chain).</li>
<li>Monitor network traffic for connections to suspicious or unknown domains originating from build processes (reference: Attack Chain).</li>
<li>Utilize file integrity monitoring (FIM) to track changes to critical files within repositories and development environments (reference: Attack Chain).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>supply-chain</category><category>unicode</category><category>malware</category><category>github</category></item><item><title>Command Obfuscation via Unicode Modifier Letters</title><link>https://feed.craftedsignal.io/briefs/2024-01-unicode-cmd-obfuscation/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-unicode-cmd-obfuscation/</guid><description>Adversaries use Unicode modifier letters to obfuscate command-line arguments, evading string-based detections on common Windows utilities like PowerShell and cmd.exe.</description><content:encoded><![CDATA[<p>Attackers are increasingly employing Unicode modifier letters to obfuscate command-line arguments, thereby bypassing traditional string-based detection mechanisms. This technique involves replacing standard ASCII characters with visually similar Unicode characters, making it difficult for simple pattern-matching rules to identify malicious commands. The obfuscation targets common Windows utilities such as <code>reg.exe</code>, <code>net.exe</code>, <code>certutil.exe</code>, <code>PowerShell.exe</code>, <code>cmd.exe</code>, and others frequently abused in post-exploitation scenarios. Defenders need to implement more sophisticated detection methods that account for Unicode normalization or character range analysis to identify and mitigate this threat. This technique has become more prevalent in the last year as attackers seek to evade common detection strategies.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.</li>
<li>Execution: The attacker executes a command-line utility like <code>cmd.exe</code> or <code>powershell.exe</code> to perform malicious actions.</li>
<li>Obfuscation: The command-line arguments are obfuscated by replacing ASCII characters with Unicode modifier letters.</li>
<li>Defense Evasion: The obfuscation allows the attacker to evade simple string-based detections that would normally flag the command as malicious.</li>
<li>Privilege Escalation: The attacker may use the obfuscated command to escalate privileges or gain access to sensitive resources.</li>
<li>Persistence: The attacker may establish persistence by creating a scheduled task or modifying the registry using obfuscated commands.</li>
<li>Lateral Movement: The attacker may use the obfuscated command to move laterally to other systems on the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful command obfuscation can lead to a significant compromise of Windows systems. Attackers can bypass security controls and execute malicious code undetected, potentially leading to data theft, system disruption, or ransomware deployment. The obfuscation makes it harder for security teams to identify and respond to attacks, increasing the dwell time and potential damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule provided below to detect the presence of Unicode modifier letters in command lines (references: Sigma rules).</li>
<li>Enable Sysmon process creation logging to capture command-line arguments for analysis (references: Sysmon setup instructions).</li>
<li>Investigate any alerts triggered by the Sigma rule and analyze the raw command lines to identify the true intent of the command (references: Triage and Analysis section of the source).</li>
<li>Consider implementing Unicode normalization techniques to remove the obfuscation before analyzing command lines.</li>
<li>Monitor the listed processes (<code>reg.exe</code>, <code>net.exe</code>, <code>certutil.exe</code>, etc.) more closely for suspicious activity.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>defense-evasion</category><category>command-line</category><category>unicode</category><category>obfuscation</category></item></channel></rss>