Pentesting firm DSIRF linked with Subzero malware’s development

Pentesting Cyber Security Firm DSIRF Subzero Malware Knotweed Microsoft

From a recent report posted by Microsoft, the firm claimed that an Austria-based penetration testing company, DSIRF, was linked with selling spyware to clients that targets entities from Europe and Central America.

A threat group called Knotweed was associated with the pentesting firm DSIRF, which has allegedly created and spread the Subzero malware against victims since February 2020. The analysts assessed Knotweed’s attack infrastructure, showing that its website and domains were used for debugging and staging the Subzero malware.


The official website of DSIRF presents services about cybersecurity research, forensic analysis, and data-driven intelligence for clients and partners.


Despite the firm’s security services for its clients, the researchers found that DSIRF is also linked with the development of Knotweed’s Subzero malware. This malware could infiltrate a target’s device, mobile phones, computers, networks, and other internet-connected machines.

Microsoft also had seen more connections between the pentesting firm and the Knotweed threat group, including a common C2 server infrastructure. Knotweed had a history of targeting organisations using the Subzero malware, including banks and consultancy firms from the UK, Austria, and Panama.

Another payload type called Corelump had also been investigated, which could help attack operators evade detection from security tools inside a computer. The attackers also deploy Jumplump, a malware loader that could download and inject the Corelump payload into memory.

Once inside a compromised machine, the Corelump payload would deploy Subzero to begin its activities, such as keylogging, capturing screenshots, running remote shells, and downloading additional plugins from the operators’ C2 server.

According to researchers, the Knotweed campaign focused on abusing zero-day flaws, including CVE-2022-22047, a recently patched Windows vulnerability that aids hackers in escalating access privileges, achieving system-level code execution, and evading sandboxes.

Two other known Windows exploits, CVE-2021-31199 and CVE-2021-31201, have also been abused by Knotweed alongside an Adobe Reader bug tracked as CVE-2021-28550.

Organisations affected by this recently raised issue are advised to patch the abused vulnerabilities. Activating Microsoft Defender on computers is also strongly recommended to help detect compromise indicators.

About the author

Leave a Reply