New Malware Abuses Azure Functions to Host Command and Control Infrastructure

A malicious ISO image named Servicenow-BNM-Verify.iso was uploaded to VirusTotal from Malaysia with almost no detections.

The image contains four files—two openly visible and two hidden. The visible files include a Windows shortcut, servicenow-bnm-verify.lnk, which launches PanGpHip.exe, a legitimate Palo Alto Networks binary.

Hidden in the same ISO are libeay32.dll, a genuine OpenSSL library, and libwaapi.dll, a malicious DLL side-loaded by the Palo Alto executable.

servicenow-bnm-verify.lnk reveals key forensic metadata: the author’s machine (desktop-rbg1pik), username (john.GIB), and link creation timestamp of August 25, 2025, indicating the actor’s development environment, as per a report by Researcher.

Although the shortcut’s target path points to an “excluded” directory that does not exist on victim machines, the LNK file gracefully falls back to its own directory, ensuring PanGpHip.exe executes whenever the ISO is mounted.

DLL Side-Loading and Payload Injection

The core of the attack lies in libwaapi.dll. This library exports only one code-bearing function, wa_api_setup, which first hides the console window by invoking Windows GUI APIs.

It then checks for a mutex named 47c32025. If the mutex is absent, wa_api_setup calls a function we’ve renamed fn_payload_injection, which carries out in-memory payload injection.

That function computes the SHA-256 hash of the string “rdfY*&689uuaijs,” using the result as an RC4 key.

It deobfuscates the string “chakra.dll,” loads the legitimate Windows DLL from C:\Windows\System32, locates its first executable section, makes it writable, zeros its contents, and base64-decodes a hidden payload stored in the DLL’s .data section.

After decrypting the data with RC4, it validates the payload’s integrity against a hard-coded SHA-256 value. If the check passes, memory permissions are restored and execution transfers into the injected payload.

The injected shellcode unpacks an embedded DLL via RtlDecompressBuffer using the LZNT1 algorithm with maximum compression.

The resulting DLL bears a fabricated timestamp of May 5, 1984, and implements its malicious behavior in its DllUnload export.

Initial analysis indicates module unhooking to evade detection. This final payload enters a loop that sends victim data to logsapi.azurewebsites[.]net/api/logs, hosting Azure Functions as its command and control backend.

By abusing Azure Functions, the threat actor leverages a scalable, serverless environment with event-driven triggers and bindings.

The malware sends an XML-formatted payload containing system metadata—architecture, uptime, OS build, computer and user names, running process, and other details.

This information is encrypted before transit but can be captured in its pre-encryption form, revealing the actor’s intent to profile compromised hosts precisely.

A similar DLL, sharing the same imphash, appeared on VirusTotal from Singapore on September 5, 2025, indicating a campaign spanning multiple regions.

Ongoing deobfuscation aims to reveal additional payload capabilities. A follow-up analysis will explore persistence mechanisms and any lateral movement routines discovered within this sophisticated Azure Functions-backed infrastructure.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!