
DarkMatter


MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique
T1059 Command and Scripting Interpreter (evidence: 1)

In this example, the payload simply executes the whoami command and returns the result through the HTTP response.

Persistence

1 technique
T1505.003 Web Shell (evidence: 1)

During the development of both Java and .NET webshells, I encountered an interesting challenge: how can a webshell communicate with its controller through encrypted HTTP traffic while remaining flexible enough to execute arbitrary payloads?

Stealth

2 techniques
T1564.001 Hidden Files and Directories (evidence: 1)

This type of webshell is widely used... by dynamically loading Java bytecode directly into memory instead of storing it on disk.

T1620 Reflective Code Loading (evidence: 1)

The simplest way to execute arbitrary Java code from JSP is to dynamically load a compiled Java class through a custom ClassLoader.

Command and Control

2 techniques
T1105 Ingress Tool Transfer (evidence: 1)

Once the implant has been injected successfully, subsequent payloads (such as DarkMatter) are encrypted with AES before being sent.

T1573 Encrypted Channel (evidence: 1)

My primary goal was to establish an encrypted communication channel between the client and the implant. To achieve this, I chose AES to encrypt all subsequent communications.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (6)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.