Neshta

Neshta is a long-standing Windows file-infector virus, described in the content as active since 2003. Its core behavior is to infect executable files by modifying sections of PE files and loading malicious code, and it establishes persistence by hijacking executable launch behavior through the registry, specifically HKLM\SOFTWARE\Classes\exefile\shell\open\command, with observed values such as %SystemRoot%\svchost.com "%1" %*. In observed intrusions, Neshta was stored as C:\Windows\svchost.com, copied itself as a hidden file, and caused original executables to be copied to temporary locations while ensuring code execution whenever EXE files are opened.

The malware appears in multiple operational contexts as both a standalone file infector and as a delivery/persistence mechanism for other malware. It was repeatedly observed alongside Vice Society ransomware activity, where Trend Micro noted the presence of the Neshta file infector during many detections, although the exact introduction vector was unclear. In a Windows cryptomining intrusion, a self-extracting archive (sqlsupdater.sfx.exe) appeared to include Neshta for persistence, alongside NSSM-managed services and scheduled tasks, supporting deployment of an XMRig-based Monero miner. In SCILabs reporting on the Red Akodon threat actor, Neshta was used in phishing-driven campaigns targeting Colombia, where it infected executables and established execution-on-EXE-launch behavior as part of a broader infection chain involving AsyncRAT, RemcosRAT, QuasarRAT, and XWorm. Picus Security also reported that HardBit 4.0 ransomware distribution relied on Neshta as a dropper mechanism: Neshta extracted, decrypted, and launched the HardBit payload from memory offsets while also modifying registry keys for persistence.

Associated actors and malware ecosystems mentioned in the content include Vice Society, Red Akodon, HardBit 4.0 operators, and MuddyWater, whose toolset listing also included the Neshta virus. Targeting reflected the campaigns in which Neshta was embedded rather than a single intrinsic victimology: manufacturing, education, healthcare, and virtualized environments in Vice Society cases; Colombian users and organizations, especially government/judicial-themed phishing victims, in Red Akodon campaigns; and victims exposed via brute-forced RDP/SMB in HardBit 4.0 operations.

High-confidence indicators and artifacts directly mentioned include the registry persistence path HKLM\SOFTWARE\Classes\exefile\shell\open\command, the persistence value %SystemRoot%\svchost.com "%1" %*, the file path C:\Windows\svchost.com, and the sqlsupdater.sfx.exe archive observed in the cryptomining case. Overall, the content characterizes Neshta as a legacy file-infector repurposed in modern operations for persistence and as a dropper or enabler for ransomware, RAT, and cryptomining payloads.