Bulwark Malware Exposed: Analysis, IoCs, and Tactical Guidance for Defenders
Executive summary
Bulwark is a commercialized evasion packer and toolkit first observed in 2025. It is sold to operators to hide Windows payloads from endpoint detection platforms by transforming binaries at runtime, unhooking user-mode APIs, and reflectively loading payloads into memory. Bulwark focuses on extending the window between execution and reliable telemetry collection. That window is frequently used to harvest credentials, escalate privileges, and move laterally.
This analysis condenses the operational workflow, core techniques, detection opportunities, and concrete IoCs gathered from the Bulwark whitepaper and public analysis. Use the IoC block for immediate ingestion, and apply the detection and response playbook to hunt, contain, and remediate active infections.
Operator workflow and objectives
Operators use Bulwark in four phases. First they build a packed binary that embeds an operator-chosen payload such as a stealer, loader, or remote access trojan. Next they deliver the packed binary via phishing, trojanised installers, or malvertising. On execution the loader performs environment checks, decrypts staged payloads into private memory regions, and injects or reflectively loads them into a target process. Finally the operator optionally enables persistence modules and configures C2 endpoints while minimizing network noise.
The productized nature of Bulwark means low-skill actors can launch sophisticated campaigns. Defenders must therefore treat Bulwark not as an isolated tool but as an enabler that increases the operational reach of commodity malware.
Core evasion techniques
- Multi-stage packing and in-memory reshaping: Sections are encrypted per build and decrypted into transient buffers, leaving minimal static artifacts on disk.
- Dynamic import resolution: API imports are resolved by hashed names at runtime to defeat static import table analysis.
- User-mode unhooking: Bulwark maps clean copies of system DLLs and restores bytes for sensitive functions to neutralize common EDR hooks.
- AMSI and ETW interference: In-memory patching or redirection reduces script scanning and telemetry fidelity.
- Reflective loading and injection variety: Supports reflective DLL load, process hollowing, thread hijack, and module stomping to avoid Windows loader traces.
- Anti-analysis gating: Time checks, sandbox probes, virtualization checks, and low-interaction IO heuristics prevent execution in analyst environments.
- Stealthy network behavior: Delayed beacons, jitter, and domain fronting options reduce network-based signature detection.
Detection opportunities
Bulwark is designed to hide, but it creates reliable side effects that can be hunted across endpoint and network telemetry. Focus on memory, process lifecycle anomalies, DLL integrity, and uncommon API resolution patterns.
- Memory indicators: Executable regions in process memory with no backing file, repeated RW to RX transitions shortly after process start, and high entropy regions that appear then change protection flags.
- DLL hygiene anomalies: Mapped system DLLs whose section hashes do not match golden images or whose prologues are restored mid-execution.
- API resolution bursts: Unusually high counts of GetProcAddress or LdrGetProcedureAddress calls without corresponding module load activity.
- Injection chains: Parent processes spawning regsvr32, rundll32, msbuild, or other LOLBINs followed by remote thread creation into private memory ranges.
- Telemetry tampering: Writes to amsi.dll or ntdll text sections, or failed ETW provider registrations recorded in security logs.
- Faint network beacons: Queries to newly registered domains, CDNs used as fronting layers, and C2 endpoints showing long idle intervals and variable jitter.
Incident response and containment
- Prioritize live memory capture on suspected hosts because unpacked code often exists only in RAM.
- Collect full EDR telemetry, process dumps, and network captures covering at least 48 hours prior to detection to reconstruct staged unpacking activity.
- Compare system DLL section hashes against golden images to identify unhooking and prologue restoration.
- Quarantine by policy and not only by process termination. Some Bulwark builds reinstall on restart via scheduled tasks or registry autoruns.
- Rotate and revoke credentials for accounts that logged into impacted hosts and assume tokens may be reused. Clear cached tokens and session artifacts.
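The DLL section-hash comparison in the third step above (and the DLL hygiene indicator in the detection list) can be scripted with nothing but the standard library. The following is an added example, not tooling from the page or the Bulwark analysis: it parses the PE section table, hashes each section's raw bytes, and reports sections that differ from a golden copy. It hashes images as laid out on disk; a memory-mapped image must be sliced by RVA instead, and the names `pe_section_hashes`, `build_minimal_pe` and the fixture bytes are assumptions.

```python
import hashlib
import struct

def pe_section_hashes(data: bytes) -> dict:
    """Map section name -> SHA-256 of its raw bytes for a PE image as laid out on disk."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                  # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                         # section table follows the optional header
    hashes = {}
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        raw = data[raw_ptr:raw_ptr + raw_size]
        hashes[name.rstrip(b"\0").decode("ascii", "replace")] = hashlib.sha256(raw).hexdigest()
    return hashes

def sections_differing_from_golden(live: dict, golden: dict) -> list:
    """Section names whose live hash is missing or differs from the golden image."""
    return sorted(name for name, digest in golden.items() if live.get(name) != digest)

def build_minimal_pe(text_bytes: bytes) -> bytes:
    """Constructed test fixture: a non-runnable PE skeleton with one .text section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)   # x64, one section, no optional header
    raw_ptr = e_lfanew + 4 + 20 + 40                             # raw data follows the section table
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text_bytes), 0x1000, len(text_bytes),
                       raw_ptr, 0, 0, 0, 0, 0x60000020)          # CODE | EXECUTE | READ
    return dos + b"PE\0\0" + coff + sect + text_bytes

def demo() -> list:
    """Golden .text versus a copy whose first five prologue bytes were overwritten."""
    golden_text = b"\x4c\x8b\xd1" + b"\x90" * 29              # constructed stub bytes, not a real DLL
    patched_text = b"\xe9\x00\x00\x00\x00" + golden_text[5:]
    golden = pe_section_hashes(build_minimal_pe(golden_text))
    live = pe_section_hashes(build_minimal_pe(patched_text))
    return sections_differing_from_golden(live, golden)       # ['.text']

if __name__ == "__main__":
    print(demo())
```

Any section that differs from the golden image is flagged, whether the deviation is a vendor hook or a prologue restored by an unhooker; the mid-execution change between two snapshots is what matters.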
IoCs
Below are the IoCs extracted from the Bulwark whitepaper that you can ingest directly into SIEM, EDR, DNS sinkholes, and blocklists. All domains and URLs are listed using bracketed dot notation to avoid accidental clicks.
Cryptocurrency wallets (for tracking payments)
- Bitcoin: bc1qhsm7lssgzljvetx276y90wl7r7rw9jctjtsjymg
- Litecoin: LLPrQ4w1MJX56GcvP4bs7twMzbWnXZiAkP
Hunting queries and detection rules
Convert these templates into your platform's query language. Tune thresholds to your environment to reduce false positives.
// Memory: RX regions with no backing file created within 10 minutes of process start
process where mem_region.protection == "RX" and mem_region.backing_file == null and process.start_time >= now() - 10m
// API resolution bursts
event where event.name in ("GetProcAddress","LdrGetProcedureAddress")
| stats count() by process_name, process_sha256
| where count > 30 and process.start_time > ago(10m)
// RW to RX transitions
process where mem_change.from == "RW" and mem_change.to == "RX"
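The three templates above, together with the memory and API-resolution indicators from the detection list, as an added Python example (not from the page) run over constructed telemetry events; the event schema and the `hunt` helper are assumptions. It also shows why the RW-to-RX rule alone is noisy: a file-backed JIT-style transition trips it, but only the in-memory unpacker trips more than one rule.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)                          # "within 10 minutes of process start"
RESOLVERS = {"GetProcAddress", "LdrGetProcedureAddress"}

def _starts(events):
    """pid -> start time, from process_start events (assumed event schema)."""
    return {e["pid"]: datetime.fromisoformat(e["time"]) for e in events if e["type"] == "process_start"}

def _soon_after_start(e, starts):
    return e["pid"] in starts and datetime.fromisoformat(e["time"]) - starts[e["pid"]] <= WINDOW

def rx_without_backing_file(events):
    """Template 1: RX region with no backing file, shortly after process start."""
    starts = _starts(events)
    return sorted({e["pid"] for e in events if e["type"] == "mem_protect" and e["to"] == "RX"
                   and e.get("backing_file") is None and _soon_after_start(e, starts)})

def api_resolution_bursts(events, threshold=30):
    """Template 2: more than `threshold` by-name API resolutions inside the start window."""
    starts = _starts(events)
    counts = Counter(e["pid"] for e in events if e["type"] == "api_resolve"
                     and e["api"] in RESOLVERS and _soon_after_start(e, starts))
    return sorted(pid for pid, n in counts.items() if n > threshold)

def rw_to_rx_transitions(events):
    """Template 3: any RW -> RX protection change (decrypt into a buffer, then execute)."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "mem_protect" and e["from"] == "RW" and e["to"] == "RX"})

def hunt(events):
    """Run all three templates; pids hit by two or more rules go first for live memory capture."""
    hits = {"rx_no_backing": rx_without_backing_file(events),
            "api_burst": api_resolution_bursts(events), "rw_to_rx": rw_to_rx_transitions(events)}
    per_pid = Counter(pid for pids in hits.values() for pid in pids)
    hits["multi_rule"] = sorted(pid for pid, n in per_pid.items() if n >= 2)
    return hits

def constructed_sample():
    """Constructed telemetry, not from the page: pid 4242 unpacks in memory, pid 777 is a file-backed JIT."""
    t0 = datetime(2025, 1, 1, 10, 0, 0)
    at = lambda **d: (t0 + timedelta(**d)).isoformat()
    ev = [{"type": "process_start", "pid": 4242, "time": at()}]
    ev += [{"type": "api_resolve", "pid": 4242, "api": "GetProcAddress", "time": at(seconds=i)}
           for i in range(35)]                           # 35 hashed-name lookups in the first minute
    ev.append({"type": "mem_protect", "pid": 4242, "from": "RW", "to": "RX", "backing_file": None,
               "time": at(minutes=2)})
    ev.append({"type": "mem_protect", "pid": 777, "from": "RW", "to": "RX",
               "backing_file": "C:\\Windows\\System32\\clr.dll", "time": at(minutes=1)})
    return ev
```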
Recommended defensive controls
- Block and quarantine: Ingest the provided hashes and domains into EDR blocklists, DNS sinkholes, and network firewalls. Use short TTL block windows initially and extend based on observed activity.
- Memory-centric telemetry: Enable EDR features that capture memory maps and view RW/RX transitions, and require process dumps for suspicious memory-only execution.
- Protect telemetry: Harden EDR agent protection to prevent process suspension, driver unloading, or tampering. Alert on attempts to modify amsi.dll or ETW registrations.
- Application control: Enforce allow lists for binaries in high-risk groups and constrain LOLBIN usage. Block unsigned installers in critical segments.
- Network controls: Apply egress allow lists on sensitive segments, enforce TLS inspection where lawful, and monitor DNS for newly registered domains matching the patterns above.
- Forensics readiness: Maintain golden images for DLL section hashing, scripted live memory collection procedures, and coordinated playbooks for credential rotation post-detection.
Threat intelligence and sharing
Share confirmed IoCs with your intelligence sharing groups, ISACs, and national CERTs. Use passive DNS and WHOIS enrichment to identify domain registration patterns and hosting providers for takedown coordination.
If you capture a sample that matches the hashes above, preserve the sample with full metadata and share it with trusted partners and the vendor that produced the Bulwark analysis for broader community protection.
Conclusion
Bulwark is a capability multiplier that shifts detection focus from disk signatures to runtime telemetry. The most effective defensive posture combines memory-focused detection, DLL integrity validation, hardened telemetry, application control, and rapid credential hygiene. Use the IoCs above to accelerate containment, but rely primarily on behavioral detection that identifies the operational patterns Bulwark creates.