Hello and welcome to the Thursday, February 5th, 2026 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu credit certificate program in penetration testing and ethical hacking.

When you're dealing with incident like you find an infected system, the problem, probably the hardest thing in instant response is always figuring out if you found everything that's wrong with the system.

And let's have a little example here that Xavier posted about today.

Initially this looked, well, like an info stealer that is injected into Chrome

in order to steal data.

So nothing really all that fancy.

And this is where someone may have stopped investigating,

but not so Xavier.

Xavier dove deeper into the script

and found that at the end,

it actually then downloads another image.

Now, this image is at first sight, a legitimate image.

It looks like sort of one of those wallpapers for fans of MSI motherboards, I guess.

But it does have additional code added at the end.

And that then installs, well, more malware.

So after the initial malware runs and keeps running, it then installs X-Worm as the

additional payload. The other reason why this sometimes happens is just in case antivirus would catch

the first part. Well, maybe the second makes it through, so that's also one reason. Why an attacker

may do that? In this case, I think it's probably more that they will try to get more out of the system.

And adding a couple lines to the existing script was sort of an easy way to expand the capabilities of their malware.

...