Frequently Asked Questions

Threat Intelligence & KNOTWEED Attack Details

What is KNOTWEED and who operates it?

KNOTWEED is an Austria-based private-sector offensive actor (PSOA) operated by DSIRF. DSIRF claims to provide advanced due diligence, risk analysis, and red teaming services to multinational corporations in technology, retail, energy, and financial sectors.

What malware is associated with KNOTWEED attacks?

KNOTWEED attacks are associated with the Subzero malware, which is deployed using various methods including exploit chains and malicious Excel documents. Subzero consists of multiple components, including Jumplump (persistent loader) and Corelump (main malware).

How does the Subzero malware operate?

Subzero is deployed through exploit chains or malicious Excel files. The attack involves a downloader shellcode that retrieves a JPEG image with encrypted data, which is then decrypted and loaded into memory as the Corelump malware. Corelump operates in memory, evading detection, and provides capabilities such as keylogging, screenshot capture, file exfiltration, remote shell access, and running arbitrary plugins.

What exploits were used in KNOTWEED's attack chain?

KNOTWEED used a chain of exploits including CVE-2021-31199, CVE-2021-31201 (Windows privilege escalation), and CVE-2021-28550 (Adobe Reader). An additional exploit, CVE-2021-36948, targeted the Windows Update Medic Service to load arbitrary signed DLLs.

How does KNOTWEED achieve persistence on infected systems?

KNOTWEED achieves persistence by dropping trojanized DLLs (Jumplump) into the C:\Windows\System32\spool\drivers\color directory and modifying COM registry keys to point to these DLLs. This technique is known as COM hijacking.

What detection recommendations are provided for KNOTWEED attacks?

Detection recommendations include monitoring for writes of PE files to C:\Windows\System32\spool\drivers\color, changes to COM registry keys, PowerShell scripts executed from internet locations, and modifications of commonly abused registry keys. Monitoring the five specific CLSIDs used by Jumplump is also advised.

What are the capabilities of the Corelump malware?

Corelump provides keylogging, screenshot capture, file exfiltration, remote shell access, and the ability to run arbitrary plugins downloaded from KNOTWEED's command-and-control server. It operates exclusively in memory to evade detection.

What utility tools are used by KNOTWEED?

KNOTWEED uses bespoke utility tools such as Mex and PassLib. Mex is a command-line tool with several red teaming or security plugins, some of which are copied from public sources like GitHub.

How does KNOTWEED use malicious Excel documents in its attacks?

KNOTWEED uses Excel files masquerading as legitimate documents, containing obfuscated macros and benign comments to evade detection. These macros use Excel 4.0 functions to load shellcode, which then downloads and executes the Corelump malware.

What infrastructure is associated with KNOTWEED's operations?

KNOTWEED's infrastructure includes domains and IP addresses hosted by providers like Digital Ocean and Choopa. Domains such as acrobatrelay[.]com, demo3[.]dsirf[.]eu, debugmex[.]dsirflabs[.]eu, and szstaging[.]dsirflabs[.]eu have been linked to their operations.

How does Jumplump contribute to KNOTWEED's persistence?

Jumplump is a trojanized DLL dropped to disk that loads Corelump into memory from the JPEG file in the %TEMP% directory. It also modifies COM registry keys for persistence and attempts to download Corelump again if not present.

What are the main stages of the KNOTWEED attack chain?

The main stages include initial access via exploit chains or malicious documents, deployment of downloader shellcode, retrieval and decryption of the Corelump payload, in-memory execution, and persistence via COM hijacking and trojanized DLLs.

What are the recommended monitoring actions for defenders?

Defenders should monitor for PE file writes to C:\Windows\System32\spool\drivers\color, changes to specific COM registry keys, suspicious PowerShell activity, and modifications to default system CLSID values as indicators of KNOTWEED activity.

How does KNOTWEED evade detection?

KNOTWEED uses heavy obfuscation in its shellcode and loader, operates Corelump exclusively in memory, and modifies legitimate DLLs and registry keys to avoid traditional detection methods.

What is the significance of the JPEG file in KNOTWEED's attack?

The JPEG file is used to conceal the encrypted loader and Corelump payload. The downloader shellcode retrieves this image, extracts and decrypts the payload, and loads it into memory, making detection more difficult.

What are the main post-compromise actions of KNOTWEED?

Post-compromise actions include keylogging, screenshot capture, file exfiltration, remote shell access, and running additional plugins. The malware also modifies system files and registry keys for persistence and evasion.

How can organizations use Cymulate to validate defenses against threats like KNOTWEED?

Cymulate's Exposure Management Platform enables organizations to simulate real-world attack scenarios, including those similar to KNOTWEED, to validate detection and response capabilities, identify exploitable exposures, and prioritize remediation efforts. Features like Exposure Validation, Attack Path Discovery, and Automated Mitigation help organizations proactively defend against advanced threats.

What resources are available for learning more about exposure management and threat validation?

Cymulate offers a range of resources, including whitepapers, guides, solution briefs, data sheets, and reports. Notable examples include the 'Exposure Management Platform and CTEM Whitepaper', 'Continuous Threat Exposure Management Solution Brief', and the 'Threat Exposure Validation Impact Report 2025'. Visit the Cymulate Resource Hub for more information.

Features & Capabilities

What are the key features of Cymulate's Exposure Management Platform?

Cymulate's platform offers continuous threat validation, unified breach and attack simulation (BAS), continuous automated red teaming (CART), exposure analytics, AI-powered optimization, complete kill chain coverage, attack path discovery, cloud validation, and an extensive threat library with daily updates.

Does Cymulate integrate with other security technologies?

Yes, Cymulate integrates with a wide range of security technologies, including EDR and anti-malware solutions (e.g., CrowdStrike Falcon, Cisco Secure Endpoint, BlackBerry Cylance PROTECT), SIEM (CrowdStrike Falcon LogScale), cloud security (AWS GuardDuty, Check Point CloudGuard), network security (Akamai Guardicore), and vulnerability management (CrowdStrike Falcon Spotlight). For a full list, visit the Cymulate integrations page.

How does Cymulate help organizations prioritize exposures?

Cymulate ranks vulnerabilities based on exploitability, business context, and threat intelligence, enabling organizations to focus remediation efforts on the most critical exposures. This evidence-based prioritization improves operational efficiency and reduces risk.

What is Cymulate's 'Threat (IoC) updates' feature?

The 'Threat (IoC) updates' feature provides recommended Indicators of Compromise (IoCs) that can be exported via the UI or API in plain text or STIX format. This helps control owners quickly build defenses against new threats and improve threat resilience.

How often is Cymulate's threat library updated?

Cymulate's threat library is updated daily, ensuring that organizations can validate their defenses against the latest attack techniques and emerging threats.

What technical documentation is available for Cymulate?

Cymulate provides whitepapers, guides, solution briefs, data sheets, and industry reports covering topics such as exposure management, CTEM, detection engineering, and vulnerability management. Access these resources at the Cymulate Resource Hub.

How does Cymulate support cloud and hybrid environments?

Cymulate provides dedicated validation features for hybrid and cloud environments, enabling organizations to assess and optimize their cloud security controls and address new attack surfaces introduced by cloud adoption.

What is Cymulate's approach to detection engineering?

Cymulate enables organizations to build, validate, and optimize threat detections at scale, providing tools for SIEM, EDR, and XDR validation to improve mean time to detect and respond to threats.

How easy is it to implement Cymulate?

Cymulate is known for its quick and straightforward implementation. It operates in agentless mode, requiring no additional hardware or complex configuration. Customers can start running simulations almost immediately, and comprehensive support is available throughout onboarding.

Pricing & Plans

What is Cymulate's pricing model?

Cymulate operates on a subscription-based pricing model tailored to each organization's needs. Pricing depends on the selected package, number of assets, and scenarios for testing. For a personalized quote, schedule a demo with the Cymulate team.

Security, Compliance & Trust

What security and compliance certifications does Cymulate have?

Cymulate is certified for SOC2 Type II, ISO 27001:2013 (Information Security Management), ISO 27701 (Privacy Information Management), ISO 27017 (Cloud Services Security), and CSA STAR Level 1. These certifications demonstrate Cymulate's commitment to security, privacy, and cloud compliance. Learn more.

How does Cymulate ensure data security and privacy?

Cymulate employs strong physical security, encryption for data in transit (TLS 1.2+) and at rest (AES-256), and hosts services in secure AWS data centers. The platform follows a strict Secure Development Lifecycle (SDLC), conducts continuous vulnerability scanning, and undergoes annual third-party penetration tests. A dedicated privacy and security team, including a DPO and CISO, oversees compliance and GDPR adherence.

Is Cymulate GDPR compliant?

Yes, Cymulate adopts a holistic approach to GDPR, incorporating data protection by design and maintaining a dedicated privacy and security team. The company ensures compliance with GDPR requirements for all customers.

Use Cases & Success Stories

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams across industries such as media, transportation, financial services, and retail. Organizations of all sizes, from small teams to enterprises with over 10,000 employees, can benefit from Cymulate's platform.

What business impact can customers expect from Cymulate?

Customers have reported an 81% reduction in cyber risk within four months, a 60% increase in team efficiency, 40X faster threat validation, a 30% improvement in threat prevention, and a 52% reduction in critical exposures. These outcomes are supported by case studies such as Hertz Israel and Nemours Children's Health. Read the Hertz Israel case study.

Are there customer testimonials about Cymulate's ease of use?

Yes, customers consistently praise Cymulate for its intuitive and user-friendly platform. For example, Raphael Ferreira, Cybersecurity Manager, stated, "Cymulate is easy to implement and use—all you need to do is click a few buttons, and you receive a lot of practical insights into how you can improve your security posture." Read more testimonials.

What are some real-world use cases for Cymulate?

Use cases include reducing cyber risk (Hertz Israel), increasing visibility (Nemours Children's Health), automating vulnerability prioritization (financial services organization), optimizing SecOps (credit union), consolidating security tools (IT services organization), automating compliance (sustainable energy company), and providing clear metrics for investment justification (UK bank). See all case studies.

Competition & Comparison

How does Cymulate compare to AttackIQ?

AttackIQ provides automated security validation but lacks Cymulate's innovation, threat coverage, and ease of use. Cymulate offers a more comprehensive threat scenario library and advanced AI-powered features. Read more.

How does Cymulate compare to Mandiant Security Validation?

Mandiant is one of the original BAS platforms but has seen less innovation in recent years. Cymulate continually innovates with AI and automation and has expanded into exposure management as a grid leader. Read more.

How does Cymulate compare to Pentera?

Pentera focuses on attack path validation but lacks the depth of Cymulate's full exposure validation platform, which covers the entire kill chain and includes cloud control validation. Read more.

How does Cymulate compare to Picus Security?

Picus offers BAS with an on-prem option but does not provide Cymulate's comprehensive exposure validation, full kill chain coverage, or cloud control validation. Read more.

How does Cymulate compare to SafeBreach?

SafeBreach offers breach and attack simulation but lacks Cymulate's innovation, precision, and automation. Cymulate provides a full CTEM solution, comprehensive exposure validation, and advanced automation. Read more.

How does Cymulate compare to Scythe?

Scythe is built for advanced red teams to build custom attack campaigns but lacks Cymulate's ease of use, continuous validation, and actionable remediation guidance. Cymulate offers automated, no-code workflows, daily threat updates, and specific mitigation guidance. Read more.

Company Information & Vision

When was Cymulate founded?

Cymulate was founded in 2016 and has since grown to serve over 1,000 customers in 50 countries, with offices in eight locations worldwide. Learn more.

What is Cymulate's mission and vision?

Cymulate's mission is to revolutionize cybersecurity by fostering a proactive approach to managing security threats. The company aims to empower organizations to effectively manage their security posture and improve resilience against threats through continuous validation and innovation. Read more.


Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits

July 31, 2022

KNOTWEED is an Austria-based PSOA named DSIRF.
The DSIRF website says they provide services "to multinational corporations in the technology, retail, energy and financial sectors" and that they have "a set of highly sophisticated techniques in gathering and analyzing information." They publicly offer several services including "an enhanced due diligence and risk analysis process through providing a deep understanding of individuals and entities" and "highly sophisticated Red Teams to challenge your company's most critical assets."

MSTIC found KNOTWEED's Subzero malware deployed in a variety of ways.
In the succeeding sections, the different stages of Subzero are referred to by their Microsoft Defender detection names: Jumplump for the persistent loader and Corelump for the main malware.

Previously, MSRC received a report of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) being used in conjunction with an Adobe Reader exploit (CVE-2021-28550), all of which were patched in June 2021.
MSTIC was able to confirm the use of these in an exploit chain used to deploy Subzero.

Analysts were later able to link the deployment of Subzero to a fourth exploit, one related to a Windows privilege escalation vulnerability in the Windows Update Medic Service (CVE-2021-36948), which allowed an attacker to force the service to load an arbitrary signed DLL.
The malicious DLL used in the attacks was signed by 'DSIRF GmbH'.

In addition to the exploit chains, another method of access that led to the deployment of Subzero was an Excel file masquerading as a real estate document.
The file contained a malicious macro that was obfuscated with large chunks of benign comments from the Kama Sutra, string obfuscation, and use of Excel 4.0 macros.

After de-obfuscating strings at runtime, the VBA macro uses the ExecuteExcel4Macro function to call native Win32 functions to load shellcode into memory allocated using VirtualAlloc.
Each opcode is individually copied into a newly allocated buffer using memset before CreateThread is called to execute the shellcode.

The downloader shellcode is the initial shellcode executed from either the exploit chains or malicious Excel documents.

The shellcode's purpose is to retrieve the Corelump second-stage malware from the actor's command-and-control (C2) server.
The downloader shellcode downloads a JPEG image that contains extra encrypted data appended to the end of the file (past the 0xFF 0xD9 marker that signifies the end of a JPEG file).
The JPEG is then written to the user's %TEMP% directory.

The downloader shellcode searches for a 16-byte marker immediately following the end of JPEG.
After finding the marker, the downloader shellcode RC4 decrypts the loader shellcode using the next 16 bytes as the RC4 key.

Finally, the loader shellcode RC4 decrypts the Corelump malware using a second RC4 key and manually loads it into memory.
Corelump is the main payload and resides exclusively in memory to evade detection.
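
The carving and first-stage decryption described above, as an added example in Python (this is not code from the Microsoft report or from KNOTWEED's own tooling). It walks the JPEG segment structure to find the real EOI marker, so that the EOI of an embedded EXIF thumbnail or an FF D9 that happens to occur in the appended ciphertext does not end the scan early; it then checks for the 16-byte marker, takes the following 16 bytes as the RC4 key, and RC4-decrypts the loader stage. The marker value, the key and the payload bytes are constructed for the demonstration, since the report does not give the real marker; the second RC4 stage that unpacks Corelump from the loader is not modelled.

```python
"""Carve the Subzero-style trailer from a downloaded JPEG and decrypt the loader stage.

Added example, not code from the Microsoft report or from KNOTWEED's tooling.
Layout as described in the report: JPEG data up to the EOI marker (FF D9), then a
16-byte marker, then 16 bytes used as the RC4 key, then the RC4-encrypted loader.
The marker, key and payload bytes below are constructed; the real marker value is
not given in the report.
"""
from typing import Optional, Tuple

MARKER_LEN = 16
KEY_LEN = 16


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_jpeg_end(blob: bytes) -> int:
    """Walk the JPEG segment structure and return the offset just past EOI.

    Walking segments instead of searching for FF D9 avoids stopping at the EOI of
    an embedded EXIF thumbnail (inside an APP1 segment) and avoids matching an
    FF D9 that happens to occur in the appended ciphertext.
    """
    if blob[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker")
    pos, n = 2, len(blob)
    while pos + 2 <= n:
        if blob[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = blob[pos + 1]
        pos += 2
        if marker == 0xFF:                    # fill byte before a marker
            pos -= 1
            continue
        if marker == 0xD9:                    # EOI: image data ends here
            return pos
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            continue                          # standalone markers carry no length
        if pos + 2 > n:
            break
        pos += int.from_bytes(blob[pos:pos + 2], "big")   # length field includes itself
        if marker == 0xDA:                    # SOS: skip entropy-coded data
            while pos + 1 < n:
                nxt = blob[pos + 1]
                if blob[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                     # a real marker (not stuffing, not RSTn)
                pos += 1
    raise ValueError("no EOI marker found")


def carve_subzero_trailer(blob: bytes, marker: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (rc4_key, decrypted_loader) when the trailer is present, else None.

    None covers a plain JPEG, a truncated download and a marker mismatch, so the
    caller can run this over every JPEG in %TEMP% without special-casing.
    """
    try:
        end = parse_jpeg_end(blob)
    except ValueError:
        return None
    trailer = blob[end:]
    if len(trailer) <= MARKER_LEN + KEY_LEN or trailer[:MARKER_LEN] != marker:
        return None
    key = trailer[MARKER_LEN:MARKER_LEN + KEY_LEN]
    return key, rc4(key, trailer[MARKER_LEN + KEY_LEN:])


# Constructed sample: a minimal JPEG skeleton (SOI, APP0, SOS, a little entropy data
# with byte stuffing and an RST marker, EOI) followed by a Subzero-style trailer.
MINIMAL_JPEG = (
    b"\xff\xd8"
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    b"\x12\xff\x00\x34\xff\xd0\x56"
    b"\xff\xd9"
)
DEMO_MARKER = b"SZ-MARKER-DEMO!!"            # 16 bytes, assumed; the real value is unknown
DEMO_KEY = bytes(range(0x10, 0x20))          # 16-byte demo key
DEMO_LOADER = b"\x55\x48\x89\xe5" + b"loader stage placeholder"   # constructed, not real shellcode
SAMPLE_DOWNLOAD = MINIMAL_JPEG + DEMO_MARKER + DEMO_KEY + rc4(DEMO_KEY, DEMO_LOADER)

if __name__ == "__main__":
    result = carve_subzero_trailer(SAMPLE_DOWNLOAD, DEMO_MARKER)
    assert result is not None
    key, loader = result
    print(f"image ends at {parse_jpeg_end(SAMPLE_DOWNLOAD)}, key={key.hex()}, loader={loader!r}")
```

On a real sample the marker has to come from analysis of the downloader shellcode; once it is known, the same function can be pointed at every JPEG in a user's %TEMP% directory, and a non-None result is itself a high-confidence indicator before the loader is even looked at.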

It contains a variety of capabilities including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from KNOTWEED's C2 server.

As part of installation, Corelump makes copies of legitimate Windows DLLs and overwrites sections of them with malicious code.

As part of this process, Corelump also modifies the fields in the PE header to accommodate the nefarious changes, such as adding new exported functions, disabling Control Flow Guard, and modifying the image file checksum with a computed value from CheckSumMappedFile.

These trojanized binaries (Jumplump) are dropped to disk in C:\Windows\System32\spool\drivers\color, and COM registry keys are modified for persistence (see the Behaviors section for more information on COM hijacking).

Jumplump is responsible for loading Corelump into memory from the JPEG file in the %TEMP% directory.

If Corelump is not present, Jumplump attempts to download it again from the C2 server.
Both Jumplump and the downloader shellcode are heavily obfuscated to make analysis difficult, with most instructions being followed by a jmp to another instruction/jmp combination, giving a convoluted control flow throughout the program.

KNOTWEED was also observed using the bespoke utility tools Mex and PassLib.

These tools are developed by KNOTWEED and bear capabilities that are derived from publicly available sources.
Mex, for example, is a command-line tool containing several red teaming or security plugins copied from GitHub.

Pivoting off a known command-and-control domain identified by MSTIC, acrobatrelay[.]com, RiskIQ expanded the view of KNOTWEED's attack infrastructure.
Leveraging unique patterns in the use of SSL certificates and other network fingerprints specific to the group and associated with that domain, RiskIQ identified a host of additional IP addresses under the control of KNOTWEED.
This infrastructure, largely hosted by Digital Ocean and Choopa, has been actively serving malware since at least February of 2020 and continues through the time of this writing.

RiskIQ next utilized passive DNS data to determine which domains those IPs resolved to at the time they were malicious.
This process yielded several domains with direct links to DSIRF, including demo3[.]dsirf[.]eu (the company's own website), and several subdomains that appear to have been used for malware development, including debugmex[.]dsirflabs[.]eu (likely a server used for debugging malware with the bespoke utility tool Mex) and szstaging[.]dsirflabs[.]eu (likely a server used to stage Subzero malware).

Corelump drops the Jumplump loader DLLs to C:\Windows\System32\spool\drivers\color.
This is a common directory used by malware as well as some legitimate programs, so writes of PE files to the folder should be monitored.

Jumplump uses COM hijacking for persistence, modifying COM registry keys to point to the Jumplump DLL in C:\Windows\System32\spool\drivers\color.
Modifications of default system CLSID values should be monitored to detect this technique (e.g., HKLM\SOFTWARE\Classes\CLSID\{GUID}\InProcServer32 Default value).
The five CLSIDs used by Jumplump are listed below with their original clean values on Windows 11:

{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea} = "%SystemRoot%\System32\ApplicationFrame.dll"
{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} = "%SystemRoot%\system32\propsys.dll"
{4590f811-1d3a-11d0-891f-00aa004b2e24} = "%SystemRoot%\system32\wbem\wbemprox.dll"
{4de225bf-cf59-4cfc-85f7-68b90f185355} = "%SystemRoot%\system32\wbem\wmiprvsd.dll"
{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} = "%SystemRoot%\System32\Actioncenter.dll"
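
One way to check those five CLSIDs for tampering, as an added example in Python (not code from the Microsoft report or from Cymulate). The comparison uses the clean values listed above, normalizes REG_SZ against REG_EXPAND_SZ spellings, and flags both a mismatch and any InProcServer32 default that points into spool\drivers\color. It also reads HKCU\Software\Classes, because a per-user CLSID registration there takes precedence over the HKLM entry for non-elevated processes, which an HKLM-only query would miss. Reading the live registry uses the standard-library winreg module and therefore only works on Windows; the sample values, including the hijacked DLL name, are constructed.

```python
"""Flag tampered InProcServer32 defaults for the five CLSIDs Jumplump hijacks.

Added example, not code from the Microsoft report or from Cymulate.  The CLSIDs
and clean Windows 11 values are the ones listed in the report; SAMPLE_OBSERVED
is constructed to show one hijacked entry.  Reading the live registry uses the
standard-library winreg module and therefore only works on Windows; the
comparison logic itself runs anywhere.
"""
from typing import Dict, List, Tuple

CLEAN_INPROCSERVER32 = {
    "{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}": r"%SystemRoot%\System32\ApplicationFrame.dll",
    "{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}": r"%SystemRoot%\system32\propsys.dll",
    "{4590f811-1d3a-11d0-891f-00aa004b2e24}": r"%SystemRoot%\system32\wbem\wbemprox.dll",
    "{4de225bf-cf59-4cfc-85f7-68b90f185355}": r"%SystemRoot%\system32\wbem\wmiprvsd.dll",
    "{f56f6fdd-aa9d-4618-a949-c1b91af43b1a}": r"%SystemRoot%\System32\Actioncenter.dll",
}
DROP_DIR = r"\system32\spool\drivers\color"   # Jumplump drop directory named in the report

Finding = Tuple[str, str, str]                 # (clsid, observed value, reason)


def normalize(path: str) -> str:
    """Lower-case and expand %SystemRoot% so REG_SZ and REG_EXPAND_SZ spellings compare equal."""
    p = path.strip().strip('"').lower()
    return p.replace("%systemroot%", r"c:\windows")   # assumes the default install drive


def check_clsids(observed: Dict[str, str], per_user: bool = False) -> List[Finding]:
    """Compare observed InProcServer32 defaults against the clean values.

    Signals, in order of severity: a system CLSID registered per-user at all
    (HKCU\Software\Classes overrides HKLM for non-elevated processes), a value
    pointing into the Jumplump drop directory, or any other deviation from the
    known-good DLL path.  Absent keys are skipped: the CLSID may simply not be
    registered on that SKU.
    """
    obs = {k.lower(): v for k, v in observed.items()}
    findings: List[Finding] = []
    for clsid, clean in CLEAN_INPROCSERVER32.items():
        value = obs.get(clsid)
        if value is None:
            continue
        norm = normalize(value)
        if per_user:
            findings.append((clsid, value, "system CLSID registered under HKCU, overriding the HKLM entry"))
        elif DROP_DIR in norm:
            findings.append((clsid, value, "InProcServer32 points into the Jumplump drop directory"))
        elif norm != normalize(clean):
            findings.append((clsid, value, f"InProcServer32 differs from clean value {clean}"))
    return findings


def read_live(hive: str = "HKLM") -> Dict[str, str]:
    """Read the five defaults from the live registry (Windows only).

    Run once with hive="HKLM" and once with hive="HKCU", passing per_user=True
    for the HKCU result, since any hit there is suspicious on its own.
    """
    import winreg  # standard library on Windows; ImportError on other platforms
    root = winreg.HKEY_CURRENT_USER if hive == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    out: Dict[str, str] = {}
    for clsid in CLEAN_INPROCSERVER32:
        subkey = "SOFTWARE\\Classes\\CLSID\\" + clsid + "\\InProcServer32"
        try:
            with winreg.OpenKey(root, subkey) as key:
                out[clsid] = winreg.QueryValueEx(key, "")[0]   # "" selects the (Default) value
        except OSError:
            pass                                               # key not present in this hive
    return out


# Constructed sample of what an HKLM query returns on a host where one entry was hijacked.
# The hijacked DLL name is made up; the report names the directory, not the file.
SAMPLE_OBSERVED = {
    "{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}": r"C:\Windows\System32\ApplicationFrame.dll",
    "{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}": r"%SystemRoot%\system32\propsys.dll",
    "{4590f811-1d3a-11d0-891f-00aa004b2e24}": r"C:\Windows\System32\spool\drivers\color\wbemprox.dll",
    "{4de225bf-cf59-4cfc-85f7-68b90f185355}": r"%SystemRoot%\system32\wbem\wmiprvsd.dll",
    "{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}": r"%SystemRoot%\System32\Actioncenter.dll",
}

if __name__ == "__main__":
    try:
        hits = check_clsids(read_live("HKLM")) + check_clsids(read_live("HKCU"), per_user=True)
    except ImportError:
        hits = check_clsids(SAMPLE_OBSERVED)      # not on Windows: demonstrate on the sample
    for clsid, value, reason in hits:
        print(f"{clsid} -> {value}: {reason}")
```

The clean values are specific to Windows 11 as stated above; on another build, record the baseline from a known-good host first, because a path that differs only by build is a false positive, whereas anything under spool\drivers\color is not.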
Many of the post-compromise actions can be detected based on their command lines.
Customers should monitor for possible malicious activity such as PowerShell executing scripts from internet locations, modification of commonly abused registry keys