Recently, on our Securelist blog, we shared a report (available only in Russian) about a cyberattack against industrial companies involving the PhantomPyramid backdoor. Our analysts are fairly confident the activity is linked to the Head Mare group. The intrusion followed a typical playbook: a phishing email promising confidential details, with an attached password-protected archive containing malware. The password to open the archive was conveniently placed in the body of the message. What made the incident noteworthy was the trick used to conceal the payload — attackers relied on what’s known as the polyglot technique.
What is the polyglot technique?
Within the MITRE ATT&CK framework, polyglot files are described as files that fit more than one format simultaneously, and behave differently depending on which application opens them. This makes them ideal for hiding malware: they can look like harmless documents or images to users and even bypass some simple security checks, while still containing malicious instructions. In certain cases, the code inside can even be written in multiple programming languages at once.
Threat actors experiment with many file type pairings. For example, Unit 42 analyzed an attack where a Microsoft Compiled HTML Help file (.chm) also doubled as an HTML Application (.hta). Other researchers noted cases where a .jpeg image actually contained a PHP archive (.phar). In the PhantomPyramid incident, the dangerous code was concealed inside a .zip archive.
Polyglot file in the PhantomPyramid attack
The sample delivered to victims (linked to the Head Mare group) appeared to be a normal .zip file and could be opened with any archiver. In reality, it was a compiled executable with a small ZIP archive appended to the end. That archive contained a shortcut file with a deceptive double extension: .pdf.lnk. If a user, assuming it was a genuine PDF, clicked it, the shortcut launched a PowerShell script. This script executed the malicious .zip as an executable and simultaneously created a fake PDF in a temporary folder to distract the victim.
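The structural trick described above (a ZIP archive appended to an executable) leaves a detectable inconsistency: ZIP readers locate the archive from its End Of Central Directory record at the end of the file, while the executable loader only looks at the MZ/PE header at the start. The following added example, written for this post and not code from Kaspersky or from the analysed sample, checks a file for both signatures and for risky double extensions among the archive members. The polyglot it analyses is constructed in memory from a fake MZ header, padding bytes, and a small ZIP containing a placeholder `.pdf.lnk` entry; the function names `find_eocd`, `zip_prefix_length`, `analyze` and `build_sample_polyglot`, and the `RISKY_EXT` list, are this example's own choices.

```python
import io
import struct
import zipfile

MZ_MAGIC = b"MZ"          # DOS/PE executable header
EOCD_SIG = b"PK\x05\x06"  # ZIP End Of Central Directory signature
EOCD_MIN_LEN = 22
MAX_COMMENT = 0xFFFF
# Extensions that should not hide behind a document-looking name (assumed list)
RISKY_EXT = {"lnk", "exe", "scr", "hta", "js", "vbs", "bat", "cmd", "ps1"}


def find_eocd(data: bytes):
    """Return the offset of the last EOCD record, or None.
    The EOCD sits at the end of the archive, followed only by an optional
    comment of at most 65535 bytes, so scanning the tail is enough."""
    tail_start = max(0, len(data) - (EOCD_MIN_LEN + MAX_COMMENT))
    idx = data.rfind(EOCD_SIG, tail_start)
    if idx == -1 or idx + EOCD_MIN_LEN > len(data):
        return None
    return idx


def zip_prefix_length(data: bytes):
    """Bytes of foreign data in front of the ZIP archive (0 for a plain ZIP),
    or None when no usable EOCD record exists."""
    eocd = find_eocd(data)
    if eocd is None:
        return None
    # Fields after the 4-byte signature: disk no., CD disk no., entries on this
    # disk, total entries, CD size, CD offset (relative to archive start), comment length
    _, _, _, _, cd_size, cd_offset, _ = struct.unpack(
        "<HHHHIIH", data[eocd + 4:eocd + EOCD_MIN_LEN])
    actual_cd = eocd - cd_size      # where the central directory really is in the file
    prefix = actual_cd - cd_offset  # the recorded offset assumes the archive starts at byte 0
    return prefix if prefix >= 0 else None


def analyze(data: bytes) -> dict:
    """Flag an executable that is also a valid ZIP, plus risky double extensions inside it."""
    is_executable = data.startswith(MZ_MAGIC)
    prefix = zip_prefix_length(data)
    members, findings = [], []
    if prefix is not None:
        # zipfile tolerates prepended data (the self-extracting-archive case)
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
        if is_executable:
            findings.append(f"PE/ZIP polyglot: {prefix} bytes of executable precede the archive")
        for name in members:
            parts = name.rsplit("/", 1)[-1].lower().split(".")
            if len(parts) >= 3 and parts[-1] in RISKY_EXT:
                findings.append(f"double extension: {name}")
    return {"is_executable": is_executable, "zip_prefix": prefix,
            "members": members, "findings": findings}


def build_sample_polyglot() -> bytes:
    """Constructed test input: a fake MZ header plus padding with a small ZIP appended.
    Neither a real executable nor a real shortcut; the .lnk member holds placeholder bytes."""
    fake_exe = MZ_MAGIC + b"\x90" * 1000
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Confidential_Report.pdf.lnk", b"placeholder shortcut bytes")
    return fake_exe + buf.getvalue()


if __name__ == "__main__":
    for finding in analyze(build_sample_polyglot())["findings"]:
        print(finding)
```

The prefix calculation is the key check: for a genuine archive the central directory offset recorded in the EOCD matches where the directory actually sits in the file, so the prefix is zero; for the appended-archive layout the difference equals the size of the executable in front. A mail gateway or sandbox can apply the same test to any attachment whose name ends in `.zip` and treat a non-zero prefix combined with an MZ header as a polyglot, regardless of the password protection on the archive members.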
How to stay safe
To minimize the risk of such attacks, every internet-facing workstation should be protected with reliable endpoint security. Since email remains the main entry point for social engineering and malware delivery, deploying dedicated email security at the corporate mail gateway is also strongly advised.
Finally, staying informed about the latest attacker tactics, techniques, and procedures is critical. For that, we recommend making use of threat intelligence feeds and reports available through our Threat Intelligence services.