The BLISTER malware [2] [3] [4], a well-known loader [2], is currently being used in conjunction with SocGholish in multiple campaigns. It serves as a second-stage loader for distributing Cobalt Strike and LockBit ransomware [2] [3]. BLISTER is integrated into a legitimate VLC Media Player library to bypass security software and infiltrate victim networks [2].


This updated version of BLISTER includes a keying feature [3], which allows for precise targeting of victim networks and reduces exposure in VM/sandbox environments [3]. Initially discovered in December 2021 [1] [3] [4], BLISTER has since been utilized to distribute Cobalt Strike and BitRAT payloads on compromised systems [3]. The authors of BLISTER consistently employ techniques to evade detection and complicate analysis [3], ensuring its effectiveness as an active loader capable of deploying various types of malware while maintaining a low profile [3]. BLISTER is actively maintained and used to load various types of malware [1] [4], including clipbankers [4], information stealers [4], trojans [4], ransomware [1] [2] [3] [4], and shellcode [4].


The presence of BLISTER malware alongside SocGholish in multiple campaigns poses significant risks to victim networks. Its integration into a legitimate VLC Media Player library allows it to bypass security software, making it difficult to detect and mitigate. The keying feature of the updated version enhances its ability to target specific networks, further increasing its potential impact. To effectively combat BLISTER and its associated threats, organizations should implement robust security measures, including regular software updates and comprehensive threat detection systems. Additionally, ongoing research and analysis are crucial to staying ahead of the evolving techniques employed by the authors of BLISTER.