Trojan:Win32/Seheq!rfn

The Windows variant of Seheq arrives contains logic for process manipulation, network communication, and cryptography. Initial access is achieved through two primary methods: exploitation of unpatched vulnerabilities, such as those in internet-facing services, and sophisticated social engineering campaigns. In documented enterprise cases, threat actors have used server-side exploits to gain an initial foothold, after which they deploy web shells to execute commands and move laterally. Beyond server-side exploits, Seheq is frequently distributed through highly targeted phishing emails that use HTML attachments with browser-in-the-browser interfaces to spoof legitimate login or download sites, luring victims into downloading a compressed archive containing the malicious executable or an XLL file. 

Additional delivery methods include loaders that leverage search engine optimization poisoning to redirect users to fraudulent software update prompts. Once the binary runs, it masks its presence through process manipulation. The malware drops a legitimate console application named rgb9rast.exe into the user temporary directory, launches it in a suspended state, hollows out its memory space, and replaces it with the malicious ransomware code. This makes the activity appear to originate from a trusted signed application. Simultaneously, Seheq injects code into a command process to launch secondary commands stealthily. To prevent multiple instances from conflicting, Seheq creates a mutex named knight_0_0_1 and quits if the mutex already exists.

Defense evasion begins immediately. Seheq uses specialized utilities that exploit vulnerable drivers to deactivate endpoint protection software. It targets processes commonly associated with security agents and backup services, terminating them before encryption starts. To block system recovery, the malware runs commands through the Windows Management Instrumentation command-line utility to delete volume shadow copies, removing the builtin Windows recovery option. It also terminates database services and office productivity applications to unlock files held by active processes.

For persistence and lateral movement, threat actors manipulate Active Directory Group Policy Objects. After gaining administrative access to a domain controller, they create malicious GPOs that distribute the Seheq binary to every domain-joined device, often using deceptive policy names and configuring scheduled tasks to execute the ransomware simultaneously across the organization. For lateral movement, threat actors use legitimate remote access tools and command-and-control (C2) frameworks to navigate networks manually, identify highvalue targets such as file servers and domain controllers, and exfiltrate sensitive data before triggering the final payload.

Indicators of compromise are highly specific and should be embedded in detection strategies. 

File system artifacts include the legitimate console application rgb9rast.exe in the user temporary directory, binary files with random capital letter names in the application data folder. Those contain encrypted shellcode often extracted from remote PNG images, an eight character random alphanumeric file in the user temporary directory used as part of the multistage payload delivery, a text-based launch log created when logging is activated, and ransom notes named README.TXT or similar dropped in every encrypted folder. Registry modifications add persistence through new entries in the current version run key and the image file execution options key, and they modify Microsoft Defender policy values to deactivate real-time scanning. Network indicators include communication with a primary C2 server used for sending system information and receiving encryption keys, a remote server hosting a PNG image that contains encrypted shellcode, an early variant C2  address associated with initial versions of the malware family, and internal scanning that checks for addresses beginning with reserved private ranges to target local network resources. 

The encryption routine combines Curve25519 elliptic curve cryptography for key exchange with ChaCha20 or AES256 for file encryption. A notable feature is intermittent encryption: the malware can be configured to encrypt only portions of a file, for example encrypting 1 megabyte and then skipping 3 megabytes before continuing. This approach corrupts most file types while significantly reducing the time needed to lock large drives. Seheq excludes system directories and files with extensions such as .exe, .dll, .sys, and .msi to keep the host bootable, but it specifically targets high-value data including database formats, office documents, compressed archives and backup files, and virtual machine disks.