https://www.elastic.co/security-labs/tricks-and-treats

Submitted URL:
https://www.elastic.co/security-labs/tricks-and-treats
Report Finished:

The outgoing links identified from the page

Link | Text
https://cloud.elastic.co/registration?cta=cloud-registration&tech=trial&plcmt=navigation&pg=security-labs | Start free trial
https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/ | HarfangLab
https://www.secureworks.com/blog/fake-human-verification-prompt-delivers-infostealers | creative social engineering tactics
https://learn.microsoft.com/en-us/windows/win32/gdiplus/-gdiplus-gdi-start | GdiPlus(GDI+)
https://github.com/elastic/labs-releases/tree/main/tools/ghostpulse | labs-releases repository
https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_GhostPulse.yar | GHOSTPULSE YARA
https://github.com/elastic/labs-releases/tree/main/indicators/ghostpulse | download
https://elastic.co?utm_source=elastic-search-labs&utm_medium=referral&utm_campaign=search-labs&utm_content=footer | Elastic.co
https://twitter.com/elasticseclabs | @elasticseclabs

JavaScript Variables · 48 found

Global JavaScript variables are properties of the page's window object: variables declared outside of any function and therefore accessible from any script running on the page.

Name | Type
onbeforetoggle | object
documentPictureInPicture | object
onscrollend | object
dataLayer | object
webpackChunk_N_E | object
__next_require__ | function
next | object
__NEXT_DATA__ | object
__SSG_MANIFEST_CB | function
__NEXT_P | object

Console log messages · 2 found

Messages logged to the web console

Type | Category | Log
error | other
URL: https://cdn.iubenda.com/cookie_solution/iubenda_cs/1.68.0/core-en.js
Text: [IUBCS|ERROR]: Google Tag Manager initialized before setting the default consent or before embedding the TCF stub.
log | other
Text: Vidyard: Initializing Vidyard Listener

HTML

The raw HTML body of the page

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width"><title>Tricks and Treats: GHOSTPULSE’s new pixel-level deception — Elastic Security Labs</title><meta name="description" content="The updated GHOSTPULSE malware has evolved to embed malicious data directly within pixel structures, making it harder to detect and requiring new analysis and detection techniques."><meta property="og:title" content="Tricks and Treats: GHOSTPULSE’s new pixel-level deception — Elastic Security Labs"><meta property="og:description" content="The updated GHOSTPULSE malware has evolved to embed malicious data directly within pixel structures, making it harder to detect and requiring new analysis and detection techniques."><meta property="og:image:alt" content="The updated GHOSTPULSE malware has evolved to embed malicious data directly within pixel structures, making it harder to detect and requiring new analysis and detection techniques."><meta property="og:site_name"><meta property="og:url" content="https://www.elastic.co/security-labs/tricks-and-treats"><meta property="og:type" content="website"><meta name="twitter:card" content="summary_large_image"><meta name="twitter:title" content="Tricks and Treats: GHOSTPULSE’s new pixel-level deception — Elastic Security Labs"><meta name="twitter:description" content="The updated GHOSTPULSE malware has evolved to embed malicious data directly within pixel structures, making it harder to detect and requiring new analysis and detection techniques."><meta name="twitter:image:alt" content="The updated GHOSTPULSE malware has evolved to embed malicious data directly within pixel structures, making it harder to detect and requiring new analysis and detection techniques."><link rel="canonical" href="https://www.elastic.co/security-labs/tricks-and-treats"><link rel="preload" href="/security-labs/logo.svg" as="image" fetchpriority="high"><link rel="preload" as="image" 
imagesrcset="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Ftricks-and-treats.jpg&amp;w=640&amp;q=75 640w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Ftricks-and-treats.jpg&amp;w=750&amp;q=75 750w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Ftricks-and-treats.jpg&amp;w=828&amp;q=75 828w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Ftricks-and-treats.jpg&amp;w=1080&amp;q=75 1080w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Ftricks-and-treats.jpg&amp;w=1200&amp;q=75 1200w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Ftricks-and-treats.jpg&amp;w=1920&amp;q=75 1920w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Ftricks-and-treats.jpg&amp;w=2048&amp;q=75 2048w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Ftricks-and-treats.jpg&amp;w=3840&amp;q=75 3840w" imagesizes="100vw" fetchpriority="high"><meta property="og:image" content="https://www.elastic.co/security-labs/assets/images/tricks-and-treats/tricks-and-treats.jpg?e476a6a103d0d2a3df383ed6f5356b3f"><meta name="twitter:image" content="https://www.elastic.co/security-labs/assets/images/tricks-and-treats/tricks-and-treats.jpg?e476a6a103d0d2a3df383ed6f5356b3f"><meta name="next-head-count" content="19"><script async="" src="https://cs.iubenda.com/cookie-solution/confs/js/67332803.js"></script><script src="https://cdn.iubenda.com/cookie_solution/iubenda_cs/1.68.0/core-en.js" charset="UTF-8"></script><script async="" src="https://www.googletagmanager.com/gtm.js?id=GTM-KNJMG2M"></script><script src="https://play.vidyard.com/embed/v4.js" type="text/javascript" async=""></script><link rel="icon" href="/security-labs/favicon.svg"><link rel="mask-icon" href="/security-labs/favicon.svg" 
color="#1C1E23"><link rel="apple-touch-icon" href="/security-labs/favicon.svg"><meta name="theme-color" content="#1C1E23"><link rel="preload" href="/security-labs/_next/static/media/6d93bde91c0c2823-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"><link rel="preload" href="/security-labs/_next/static/media/a34f9d1faa5f3315-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"><link rel="preload" href="/security-labs/_next/static/media/369c6e283c5acc6e-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"><link rel="preload" href="/security-labs/_next/static/media/92f44bb82993d879-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"><link rel="preload" href="/security-labs/_next/static/media/ee71530a747ff30b-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"><link rel="preload" href="/security-labs/_next/static/media/9fac010bc1f02be0-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"><link rel="preload" href="/security-labs/_next/static/media/cbf5fbad4d73afac-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"><script id="google-tag-manager" data-nscript="beforeInteractive">
          (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
          new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
          j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
          'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
          })(window,document,'script','dataLayer','GTM-KNJMG2M');
          </script><link rel="preload" href="/security-labs/_next/static/css/265ed7605fd03477.css" as="style"><link rel="stylesheet" href="/security-labs/_next/static/css/265ed7605fd03477.css" data-n-g=""><link rel="preload" href="/security-labs/_next/static/css/1007ff9e696f6f88.css" as="style"><link rel="stylesheet" href="/security-labs/_next/static/css/1007ff9e696f6f88.css" data-n-p=""><noscript data-n-css=""></noscript><script defer="" nomodule="" src="/security-labs/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js"></script><script src="/security-labs/_next/static/chunks/webpack-7987c6fda769d510.js" defer=""></script><script src="/security-labs/_next/static/chunks/framework-7a7e500878b44665.js" defer=""></script><script src="/security-labs/_next/static/chunks/main-ebd33a9f1cae5951.js" defer=""></script><script src="/security-labs/_next/static/chunks/pages/_app-cb8664d1d3df2511.js" defer=""></script><script src="/security-labs/_next/static/chunks/fec483df-43ee602fabdfe3a4.js" defer=""></script><script src="/security-labs/_next/static/chunks/877-34f408271ef44c22.js" defer=""></script><script src="/security-labs/_next/static/chunks/511-d08fe0fdd6f8a984.js" defer=""></script><script src="/security-labs/_next/static/chunks/683-a5053c37fe5bd0c9.js" defer=""></script><script src="/security-labs/_next/static/chunks/402-791da5e634930df4.js" defer=""></script><script src="/security-labs/_next/static/chunks/616-0b017b9cfa597392.js" defer=""></script><script src="/security-labs/_next/static/chunks/pages/%5Bslug%5D-3d74e9a05863bcfd.js" defer=""></script><script src="/security-labs/_next/static/dGrrQfBbQkqaleQ_11aBK/_buildManifest.js" defer=""></script><script src="/security-labs/_next/static/dGrrQfBbQkqaleQ_11aBK/_ssgManifest.js" defer=""></script><style type="text/css">.vidyard-player-container .play-button{position:absolute;width:16%;height:auto;border-radius:50%;border:none;cursor:pointer;opacity:.65;filter:alpha(opacity = 65);transition:opacity .2s 
linear;overflow:hidden;font-size:0;padding:0;min-width:20px;top:50%;left:50%;transform:translate(-50%,-50%);-webkit-appearance:initial!important;-moz-appearance:initial!important;appearance:initial!important}.vidyard-player-container .play-button .play-button-size{padding-top:100%;width:100%}.vidyard-player-container .play-button .arrow-size{position:absolute;top:50%;left:50%;width:35%;height:auto;margin:-25% 0 0 -12%;overflow:hidden}.vidyard-player-container .play-button .arrow-size-ratio{padding-top:150%;width:100%}.vidyard-player-container .play-button .arrow{position:absolute;top:50%;left:auto;right:0;bottom:auto;width:0;height:0;margin:-200px 0 -200px -300px;border:200px solid transparent;border-left:300px solid #fff;border-right:none}.vidyard-lightbox-thumbnail:hover .play-button{opacity:1;filter:alpha(opacity = 100);zoom:1}.vidyard-player-container{position:relative;height:100%;text-align:center}.vidyard-player-container img{height:100%}.vidyard-player-container .play-button{display:none}.vidyard-close-container{position:fixed;right:20px;top:20px;height:34px;width:34px;cursor:pointer;z-index:1000}.vidyard-close-container:focus{outline:1px dotted grey}.vidyard-close-x{position:absolute;height:100%;width:100%;color:#fff;font-size:2em;text-align:center;line-height:34px}.vidyard-close-x:hover{color:#ddd}.vidyard-close-x:hover:after,.vidyard-close-x:hover:before{background:#ddd}.vidyard-close-x:after,.vidyard-close-x:before{content:"";position:absolute;background:#fff;display:block;left:50%;top:50%;height:65%;width:2px;transition:all .2s;-ms-high-contrast-adjust:none}.vidyard-close-x:before{transform:translate(-50%,-50%) rotate(45deg);-ms-transform:translate(-50%,-50%) rotate(45deg)}.vidyard-close-x:after{transform:translate(-50%,-50%) rotate(-45deg);-ms-transform:translate(-50%,-50%) 
rotate(-45deg)}.vidyard-close-x.simple-close:after,.vidyard-close-x.simple-close:before{display:none}.vidyard-lightbox-thumbnail{width:100%;height:100%;margin:auto}.vidyard-lightbox-image{height:100%;left:0;position:absolute;top:0;width:100%}.vidyard-lightbox-centering{cursor:pointer;height:0;max-width:100%;overflow:hidden;padding-bottom:56.25%;position:relative}.vidyard-lightbox-content-backer{-webkit-transform:opacity 1s,filter 1s;-ms-transform:opacity 1s,filter 1s;transition:opacity 1s,filter 1s;background-color:#000;height:100%;width:100%;position:absolute}#vidyard-overlay-wrapper,.vidyard-lightbox-content-backer{filter:alpha(opacity = 0);opacity:0;top:0;right:0;bottom:0;left:0}#vidyard-overlay-wrapper{position:relative;box-sizing:border-box;display:none;transition:opacity .5s,filter .5s}#vidyard-overlay{top:0;right:0;bottom:0;left:0;opacity:.9;filter:alpha(opacity = 90);width:100%;height:100%;background-color:#000;z-index:800}#vidyard-content-fixed,#vidyard-overlay{position:fixed;box-sizing:border-box;display:none}#vidyard-content-fixed{opacity:1;z-index:900;text-align:center;top:5%;right:5%;bottom:5%;left:5%;width:90%}#vidyard-popbox{display:inline-block;position:absolute;left:50%;top:50%;-webit-transform:translate(-50%,-50%);-ms-transform:translate(-50%,-50%);transform:translate(-50%,-50%)}#vidyard-popbox-constraint{opacity:0;filter:alpha(opacity = 0);display:block;visibility:hidden}#vidyard-popbox-constraint.landscape{height:90vh}#vidyard-popbox-constraint.portrait{width:90vw}.vidyard-player-container div[class^=vidyard-iframe-]{z-index:1}.vidyard-player-container div[class^=vidyard-div-]{background-repeat:no-repeat;background-position:0 50%;background-size:100%}img.vidyard-player-embed{width:100%}img.vidyard-player-embed.inserted{position:absolute;top:0;left:0;z-index:0;max-width:100%!important}.vidyard-player-container.playlist-open{padding-right:319px;width:auto!important}.vidyard-player-container.playlist-open div[class^=vidyard-div-]{width:calc(100% + 
319px);max-width:calc(100% + 319px)!important;background-size:calc(100% - 319px);background-color:#f5f9ff}.vidyard-player-container.playlist-open div[class^=vidyard-div-] img.vidyard-player-embed{width:calc(100% - 319px)!important}#backlink-icon{height:15px;width:15px;margin-right:6px;transition:.3s}#backlink{align-items:center;border-radius:4px;border:3px solid #ebeeff;display:inline-block;float:left;line-height:18px;margin:8px 0 0;outline:none;padding:1px 8px 1px 5px;position:relative;*zoom:1;font-family:Arial,Helvetica Neue,Helvetica,sans-serif;font-style:normal;font-weight:400;font-size:12px;text-decoration:none}#backlink:after,#backlink:before{content:" ";display:table}#backlink:after{clear:both}#backlink:link,#backlink:visited{background:#ebeeff;border-color:#ebeeff;color:#414dd4}#backlink:hover{background:#bfc2ff;color:#1b1a82;cursor:pointer}#backlink:focus,#backlink:hover{border-color:#bfc2ff}#backlink:active{background:#8f97ff;border-color:#8f97ff;color:#0c084d}#backlink-icon{float:left;height:18px;margin-right:5px;position:relative;width:18px}#backlink-text{float:left}</style><style type="text/css">.vidyard-player-container .play-button{position:absolute;width:16%;height:auto;border-radius:50%;border:none;cursor:pointer;opacity:.65;filter:alpha(opacity = 65);transition:opacity .2s linear;overflow:hidden;font-size:0;padding:0;min-width:20px;top:50%;left:50%;transform:translate(-50%,-50%);-webkit-appearance:initial!important;-moz-appearance:initial!important;appearance:initial!important}.vidyard-player-container .play-button .play-button-size{padding-top:100%;width:100%}.vidyard-player-container .play-button .arrow-size{position:absolute;top:50%;left:50%;width:35%;height:auto;margin:-25% 0 0 -12%;overflow:hidden}.vidyard-player-container .play-button .arrow-size-ratio{padding-top:150%;width:100%}.vidyard-player-container .play-button .arrow{position:absolute;top:50%;left:auto;right:0;bottom:auto;width:0;height:0;margin:-200px 0 -200px -300px;border:200px 
solid transparent;border-left:300px solid #fff;border-right:none}.vidyard-lightbox-thumbnail:hover .play-button{opacity:1;filter:alpha(opacity = 100);zoom:1}.vidyard-player-container{position:relative;height:100%;text-align:center}.vidyard-player-container img{height:100%}.vidyard-player-container .play-button{display:none}.vidyard-close-container{position:fixed;right:20px;top:20px;height:34px;width:34px;cursor:pointer;z-index:1000}.vidyard-close-container:focus{outline:1px dotted grey}.vidyard-close-x{position:absolute;height:100%;width:100%;color:#fff;font-size:2em;text-align:center;line-height:34px}.vidyard-close-x:hover{color:#ddd}.vidyard-close-x:hover:after,.vidyard-close-x:hover:before{background:#ddd}.vidyard-close-x:after,.vidyard-close-x:before{content:"";position:absolute;background:#fff;display:block;left:50%;top:50%;height:65%;width:2px;transition:all .2s;-ms-high-contrast-adjust:none}.vidyard-close-x:before{transform:translate(-50%,-50%) rotate(45deg);-ms-transform:translate(-50%,-50%) rotate(45deg)}.vidyard-close-x:after{transform:translate(-50%,-50%) rotate(-45deg);-ms-transform:translate(-50%,-50%) rotate(-45deg)}.vidyard-close-x.simple-close:after,.vidyard-close-x.simple-close:before{display:none}.vidyard-lightbox-thumbnail{width:100%;height:100%;margin:auto}.vidyard-lightbox-image{height:100%;left:0;position:absolute;top:0;width:100%}.vidyard-lightbox-centering{cursor:pointer;height:0;max-width:100%;overflow:hidden;padding-bottom:56.25%;position:relative}.vidyard-lightbox-content-backer{-webkit-transform:opacity 1s,filter 1s;-ms-transform:opacity 1s,filter 1s;transition:opacity 1s,filter 1s;background-color:#000;height:100%;width:100%;position:absolute}#vidyard-overlay-wrapper,.vidyard-lightbox-content-backer{filter:alpha(opacity = 0);opacity:0;top:0;right:0;bottom:0;left:0}#vidyard-overlay-wrapper{position:relative;box-sizing:border-box;display:none;transition:opacity .5s,filter 
.5s}#vidyard-overlay{top:0;right:0;bottom:0;left:0;opacity:.9;filter:alpha(opacity = 90);width:100%;height:100%;background-color:#000;z-index:800}#vidyard-content-fixed,#vidyard-overlay{position:fixed;box-sizing:border-box;display:none}#vidyard-content-fixed{opacity:1;z-index:900;text-align:center;top:5%;right:5%;bottom:5%;left:5%;width:90%}#vidyard-popbox{display:inline-block;position:absolute;left:50%;top:50%;-webit-transform:translate(-50%,-50%);-ms-transform:translate(-50%,-50%);transform:translate(-50%,-50%)}#vidyard-popbox-constraint{opacity:0;filter:alpha(opacity = 0);display:block;visibility:hidden}#vidyard-popbox-constraint.landscape{height:90vh}#vidyard-popbox-constraint.portrait{width:90vw}</style><style type="text/css">#iubenda-cs-banner .iub-toggle-checkbox,#iubenda-iframe .iub-toggle-checkbox{flex-shrink:0!important;display:flex!important;align-items:center!important;margin-left:24px!important}#iubenda-cs-banner .iub-toggle-checkbox input,#iubenda-iframe .iub-toggle-checkbox input{-moz-appearance:none!important;appearance:none!important;-webkit-appearance:none!important;padding:0!important;border:0!important;margin:0!important}#iubenda-cs-banner .iub-toggle-checkbox input::-ms-check,#iubenda-iframe .iub-toggle-checkbox input::-ms-check{visibility:hidden}#iubenda-cs-banner .iub-toggle-checkbox input.style1,#iubenda-iframe .iub-toggle-checkbox input.style1{width:64px!important;height:32px!important;border-radius:32px!important;transition:background-position .4s ease,background-color .4s ease!important;background-color:#ccc!important;background-image:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='18' height='18' viewBox='0 0 18 18'%3E%3Cpath fill='%23FFF' fill-rule='evenodd' d='M9 0a9 9 0 1 1 0 18A9 9 0 0 1 9 0zM5.729 5.033a.5.5 0 0 0-.638.058l-.058.07a.5.5 0 0 0 .058.637l3.201 3.201-3.201 3.203a.5.5 0 0 0 .707.707l3.201-3.203 3.203 3.203.07.058a.5.5 0 0 0 .637-.058l.058-.07a.5.5 0 0 0-.058-.637L9.706 8.999l3.203-3.201a.5.5 0 0 
0-.707-.707L8.999 8.292 5.798 5.091z'/%3E%3C/svg%3E")!important;background-repeat:no-repeat!important;background-position:top 4px left 4px!important;background-size:24px 24px!important}#iubenda-cs-banner .iub-toggle-checkbox input.style1:checked,#iubenda-iframe .iub-toggle-checkbox input.style1:checked{background-color:#1cc691!important;background-position:top 4px left 36px!important;background-image:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='18' height='18' viewBox='0 0 18 18'%3E%3Cpath fill='%23FFF' fill-rule='evenodd' d='M9 0a9 9 0 1 1 0 18A9 9 0 0 1 9 0zm4.646 5.646l-6.198 6.2-3.1-3a.5.5 0 1 0-.696.718l3.454 3.342a.5.5 0 0 0 .701-.006l6.547-6.546a.5.5 0 1 0-.708-.708z'/%3E%3C/svg%3E")!important}#iubenda-cs-banner .iub-toggle-checkbox input.style1:checked.sm,#iubenda-iframe .iub-toggle-checkbox input.style1:checked.sm{background-position:top 3px left 27px!important}#iubenda-cs-banner .iub-toggle-checkbox input.style1:checked.half,#iubenda-cs-banner .iub-toggle-checkbox input.style1:checked[value=partial],#iubenda-iframe .iub-toggle-checkbox input.style1:checked.half,#iubenda-iframe .iub-toggle-checkbox input.style1:checked[value=partial]{background-color:#ffd24d!important;background-position:top 4px left 20px!important;background-image:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='18' height='18' viewBox='0 0 18 18'%3E%3Cpath fill='%23FFF' fill-rule='evenodd' d='M9 0a9 9 0 1 1 0 18A9 9 0 0 1 9 0zm4 8.5H5a.5.5 0 0 0 0 1h8a.5.5 0 0 0 0-1z'/%3E%3C/svg%3E")!important}#iubenda-cs-banner .iub-toggle-checkbox input.style1:checked.half.sm,#iubenda-cs-banner .iub-toggle-checkbox input.style1:checked[value=partial].sm,#iubenda-iframe .iub-toggle-checkbox input.style1:checked.half.sm,#iubenda-iframe .iub-toggle-checkbox input.style1:checked[value=partial].sm{background-position:top 3px left 15px!important}#iubenda-cs-banner .iub-toggle-checkbox input.style1.sm,#iubenda-iframe .iub-toggle-checkbox 
-webkit-focus-ring-color!important}.iubenda-tp-alert-btn[data-tp-float][data-tp-anchored],.iubenda-tp-btn[data-tp-float][data-tp-anchored],.iubenda-uspr-btn[data-tp-float][data-tp-anchored]{margin:0 16px!important;border-radius:6px!important}.iubenda-tp-alert-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover]):not([data-tp-label])[data-tp-float=center-left],.iubenda-tp-alert-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover]):not([data-tp-label])[data-tp-float=center-right],.iubenda-tp-alert-btn[data-tp-float][data-tp-anchored][data-tp-hover][data-tp-float=center-left],.iubenda-tp-alert-btn[data-tp-float][data-tp-anchored][data-tp-hover][data-tp-float=center-right],.iubenda-tp-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover]):not([data-tp-label])[data-tp-float=center-left],.iubenda-tp-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover]):not([data-tp-label])[data-tp-float=center-right],.iubenda-tp-btn[data-tp-float][data-tp-anchored][data-tp-hover][data-tp-float=center-left],.iubenda-tp-btn[data-tp-float][data-tp-anchored][data-tp-hover][data-tp-float=center-right],.iubenda-uspr-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover]):not([data-tp-label])[data-tp-float=center-left],.iubenda-uspr-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover]):not([data-tp-label])[data-tp-float=center-right],.iubenda-uspr-btn[data-tp-float][data-tp-anchored][data-tp-hover][data-tp-float=center-left],.iubenda-uspr-btn[data-tp-float][data-tp-anchored][data-tp-hover][data-tp-float=center-right]{margin:0!important;top:75%!important;transform:translateY(-50%)!important}.iubenda-tp-alert-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover]):not([data-tp-label])[data-tp-float=center-left],.iubenda-tp-alert-btn[data-tp-float][data-tp-anchored][data-tp-hover][data-tp-float=center-left],.iubenda-tp-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover]):not([data-tp-label])[data-tp-float=center-left],.iubenda-tp-btn[data-tp-float][data-tp-anchored][data
-tp-hover][data-tp-float=center-left],.iubenda-uspr-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover]):not([data-tp-label])[data-tp-float=center-left],.iubenda-uspr-btn[data-tp-float][data-tp-anchored][data-tp-hover][data-tp-float=center-left]{left:0!important;border-top-left-radius:0!important;border-bottom-left-radius:0!important;border-left:0!important}.iubenda-tp-alert-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover]):not([data-tp-label])[data-tp-float=center-right],.iubenda-tp-alert-btn[data-tp-float][data-tp-anchored][data-tp-hover][data-tp-float=center-right],.iubenda-tp-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover]):not([data-tp-label])[data-tp-float=center-right],.iubenda-tp-btn[data-tp-float][data-tp-anchored][data-tp-hover][data-tp-float=center-right],.iubenda-uspr-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover]):not([data-tp-label])[data-tp-float=center-right],.iubenda-uspr-btn[data-tp-float][data-tp-anchored][data-tp-hover][data-tp-float=center-right]{right:0!important;border-top-right-radius:0!important;border-bottom-right-radius:0!important;border-right:0!important}.iubenda-tp-alert-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover])[data-tp-label][data-tp-float=center-left],.iubenda-tp-alert-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover])[data-tp-label][data-tp-float=center-right],.iubenda-tp-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover])[data-tp-label][data-tp-float=center-left],.iubenda-tp-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover])[data-tp-label][data-tp-float=center-right],.iubenda-uspr-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover])[data-tp-label][data-tp-float=center-left],.iubenda-uspr-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover])[data-tp-label][data-tp-float=center-right]{margin:0!important;top:50%!important;border-bottom-left-radius:0!important;border-bottom-right-radius:0!important;border-bottom:0!important;transform-origin:bottom!important}.iu
benda-tp-alert-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover])[data-tp-label][data-tp-float=center-left],.iubenda-tp-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover])[data-tp-label][data-tp-float=center-left],.iubenda-uspr-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover])[data-tp-label][data-tp-float=center-left]{left:0!important;transform:translateY(-50%) rotate(90deg)!important;transform-origin:left bottom!important}.iubenda-tp-alert-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover])[data-tp-label][data-tp-float=center-right],.iubenda-tp-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover])[data-tp-label][data-tp-float=center-right],.iubenda-uspr-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover])[data-tp-label][data-tp-float=center-right]{right:0!important;transform:translateY(-50%) rotate(-90deg)!important;transform-origin:right bottom!important}.iubenda-tp-alert-btn[data-tp-float][data-tp-float=bottom-left],.iubenda-tp-alert-btn[data-tp-float][data-tp-float=bottom-right],.iubenda-tp-btn[data-tp-float][data-tp-float=bottom-left],.iubenda-tp-btn[data-tp-float][data-tp-float=bottom-right],.iubenda-uspr-btn[data-tp-float][data-tp-float=bottom-left],.iubenda-uspr-btn[data-tp-float][data-tp-float=bottom-right]{bottom:0!important}.iubenda-tp-alert-btn[data-tp-float][data-tp-float=bottom-left][data-tp-anchored],.iubenda-tp-alert-btn[data-tp-float][data-tp-float=bottom-right][data-tp-anchored],.iubenda-tp-btn[data-tp-float][data-tp-float=bottom-left][data-tp-anchored],.iubenda-tp-btn[data-tp-float][data-tp-float=bottom-right][data-tp-anchored],.iubenda-uspr-btn[data-tp-float][data-tp-float=bottom-left][data-tp-anchored],.iubenda-uspr-btn[data-tp-float][data-tp-float=bottom-right][data-tp-anchored]{border-bottom-left-radius:0!important;border-bottom-right-radius:0!important;border-bottom:0!important}.iubenda-tp-alert-btn[data-tp-float][data-tp-float=top-left],.iubenda-tp-alert-btn[data-tp-float][data-tp-float=top-right],.iubenda
-tp-btn[data-tp-float][data-tp-float=top-left],.iubenda-tp-btn[data-tp-float][data-tp-float=top-right],.iubenda-uspr-btn[data-tp-float][data-tp-float=top-left],.iubenda-uspr-btn[data-tp-float][data-tp-float=top-right]{top:0!important}.iubenda-tp-alert-btn[data-tp-float][data-tp-float=top-left][data-tp-anchored],.iubenda-tp-alert-btn[data-tp-float][data-tp-float=top-right][data-tp-anchored],.iubenda-tp-btn[data-tp-float][data-tp-float=top-left][data-tp-anchored],.iubenda-tp-btn[data-tp-float][data-tp-float=top-right][data-tp-anchored],.iubenda-uspr-btn[data-tp-float][data-tp-float=top-left][data-tp-anchored],.iubenda-uspr-btn[data-tp-float][data-tp-float=top-right][data-tp-anchored]{border-top-left-radius:0!important;border-top-right-radius:0!important;border-top:0!important}.iubenda-tp-alert-btn[data-tp-float][data-tp-float=bottom-left],.iubenda-tp-alert-btn[data-tp-float][data-tp-float=top-left],.iubenda-tp-btn[data-tp-float][data-tp-float=bottom-left],.iubenda-tp-btn[data-tp-float][data-tp-float=top-left],.iubenda-uspr-btn[data-tp-float][data-tp-float=bottom-left],.iubenda-uspr-btn[data-tp-float][data-tp-float=top-left]{left:0!important}.iubenda-tp-alert-btn[data-tp-float][data-tp-float=bottom-right],.iubenda-tp-alert-btn[data-tp-float][data-tp-float=top-right],.iubenda-tp-btn[data-tp-float][data-tp-float=bottom-right],.iubenda-tp-btn[data-tp-float][data-tp-float=top-right],.iubenda-uspr-btn[data-tp-float][data-tp-float=bottom-right],.iubenda-uspr-btn[data-tp-float][data-tp-float=top-right]{right:0!important}.iubenda-tp-alert-btn[data-tp-float][data-tp-hover][data-tp-label]:after,.iubenda-tp-btn[data-tp-float][data-tp-hover][data-tp-label]:after,.iubenda-uspr-btn[data-tp-float][data-tp-hover][data-tp-label]:after{max-width:0!important;overflow:hidden!important;display:block!important;padding:0!important;opacity:0!important;transition:max-width .6s ease,padding .6s ease,opacity .6s 
ease!important}.iubenda-tp-alert-btn[data-tp-float][data-tp-hover][data-tp-label]:hover:after,.iubenda-tp-btn[data-tp-float][data-tp-hover][data-tp-label]:hover:after,.iubenda-uspr-btn[data-tp-float][data-tp-hover][data-tp-label]:hover:after{max-width:192px!important;padding-left:32px!important;padding-right:10px!important;opacity:1!important}.iubenda-tp-alert-btn:focus,.iubenda-tp-btn:focus,.iubenda-uspr-btn:focus{outline-width:2px!important;outline-style:solid!important;outline-color:#005fcc!important;outline-offset:2px!important}.iubenda-uspr-btn{border:1px solid rgba(0,0,0,.2)!important;box-shadow:0 .25rem 1rem rgba(0,0,0,.1)!important;border-radius:.5rem!important;font-family:sans-serif!important;font-weight:700!important;overflow:hidden!important;display:inline-flex!important;flex-wrap:wrap!important;background:#fff!important;color:#280404!important}.iubenda-uspr-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover]):not([data-tp-label])[data-tp-float=center-left],.iubenda-uspr-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover]):not([data-tp-label])[data-tp-float=center-right]{border-radius:0!important;border-bottom-left-radius:6px!important;border-bottom-right-radius:6px!important;top:auto!important;bottom:32px!important;flex-wrap:nowrap!important}.iubenda-uspr-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover]):not([data-tp-label])[data-tp-float=center-left] *,.iubenda-uspr-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover]):not([data-tp-label])[data-tp-float=center-right] *{white-space:nowrap!important}.iubenda-uspr-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover]):not([data-tp-label])[data-tp-float=center-left]{left:0!important;transform:translateX(46px) rotate(-90deg)!important;transform-origin:left bottom!important}.iubenda-uspr-btn[data-tp-float][data-tp-anchored]:not([data-tp-hover]):not([data-tp-label])[data-tp-float=center-right]{right:0!important;transform:translateX(-46px) rotate(90deg)!important;transform-origin:right 
bottom!important}@media (min-width:480px){.iubenda-uspr-btn[data-tp-float=bottom-right],.iubenda-uspr-btn[data-tp-float=bottom-right] .iubenda-cs-preferences-link,.iubenda-uspr-btn[data-tp-float=top-right],.iubenda-uspr-btn[data-tp-float=top-right] .iubenda-cs-preferences-link{flex-direction:row-reverse!important}}.iubenda-uspr-btn a{padding:.75rem!important;cursor:pointer!important;flex:1 1 auto!important;display:inline-flex!important;align-items:center!important;grid-gap:0.5rem!important}.iubenda-uspr-btn a img{width:2.5rem!important;flex-shrink:0!important}.iubenda-uspr-btn a:hover{background-color:rgba(0,0,0,.025)!important}.iubenda-uspr-btn a:first-of-type{box-shadow:0 0 0 1px rgba(0,0,0,.2)!important}.iub__us-widget{color:#595959;margin:0;padding:.5em;display:flex;justify-content:center;align-items:center;font-family:-apple-system,sans-serif!important;font-size:1rem;font-weight:700}.iub__us-widget.left{justify-content:flex-start}.iub__us-widget.right{justify-content:flex-end}.iub__us-widget__wrapper{background-color:#fff;border:1px solid currentColor;border-radius:5px;overflow:hidden;display:flex}.iub__us-widget__wrapper[data-tp-circle]{border-radius:32px}.iub__us-widget__link{display:flex;justify-content:center;align-items:center;padding:.5em 1em;line-height:1;text-decoration:none;transition:background-color .3s ease;cursor:pointer}.iub__us-widget__link--privacy-choices{border-left:1px solid currentColor}.iub__us-widget__link--privacy-choices::after{content:url("data:image/svg+xml,%3Csvg width='40' height='18' viewBox='0 0 40 18' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Crect x='0.5' y='0.5' width='39' height='17' rx='8.5' fill='white' stroke='%232569F6'/%3E%3Cpath d='M22.5 0H31C35.9706 0 40 4.02944 40 9C40 13.9706 35.9706 18 31 18H18L22.5 0Z' fill='%232569F6'/%3E%3Cpath d='M8 9.5L10.5 12L16.5 6' stroke='%232569F6' stroke-width='1.5' stroke-linecap='round' stroke-linejoin='round'/%3E%3Cpath d='M25.5 6L31.5 12' stroke='white' stroke-width='1.5' 
stroke-linecap='round'/%3E%3Cpath d='M31.5 6L25.5 12' stroke='white' stroke-width='1.5' stroke-linecap='round'/%3E%3C/svg%3E%0A");height:18px;margin-left:.8em}.iub__us-widget__link:hover{background-color:#e4e6e8}@media screen and (max-width:480px){.iub__us-widget{justify-content:start}.iub__us-widget__wrapper{flex-direction:column-reverse}.iub__us-widget__link{justify-content:flex-start}.iub__us-widget__link--privacy-choices{flex-direction:row-reverse;border-left:none;border-bottom:1px solid currentColor;margin-left:0;margin-right:.8em}}</style><style type="text/css">#iubenda-cs-banner .iubenda-cs-content,#iubenda-cs-title,.iub-toggle-checkbox.granular-control-checkbox span { background-color: white!important;color: black!important;font-size: inter!important; }#iubenda-cs-banner .iubenda-cs-close-btn { font-size: inter!important;background-color: white!important; }#iubenda-cs-banner .iubenda-cs-opt-group { color: white!important; }#iubenda-cs-banner .iubenda-cs-opt-group button,.iubenda-alert button.iubenda-button-cancel { background-color: #212121!important;color: white!important; }#iubenda-cs-banner .iubenda-cs-opt-group button.iubenda-cs-accept-btn, #iubenda-cs-banner .iubenda-cs-opt-group button.iubenda-cs-btn-primary, .iubenda-alert button.iubenda-button-confirm { background-color: #0073CE!important;color: white!important; }#iubenda-cs-banner .iubenda-cs-opt-group button.iubenda-cs-reject-btn { background-color: #0073CE!important;color: white!important; }</style><link as="script" rel="prefetch" href="/security-labs/_next/static/chunks/pages/index-de37c19387b24872.js"><link as="script" rel="prefetch" href="/security-labs/_next/static/chunks/pages/author/%5Bslug%5D-13a8d867253831c3.js"><link as="script" rel="prefetch" href="/security-labs/_next/static/chunks/pages/category/%5Bslug%5D-4bd9f3bc8d6da08a.js"></head><body><noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-KNJMG2M" height="0" width="0" 
style="display:none;visibility:hidden"></iframe></noscript><div id="__next"><main class="__variable_0351a5 __variable_1f211e __variable_a5b5f5 flex flex-col min-h-screen"><div class="scroll-percentage-container"><div class="scroll-percentage-bar" style="width:0%"></div></div><nav class="fixed w-full z-40" data-headlessui-state=""><div class="bg-gradient-to-b from-zinc-900 from-20% h-[200%] to-transparent absolute inset-0 z-0 pointer-events-none"></div><div class="container relative z-10"><div class="flex h-16 items-center justify-between"><div class="flex items-center justify-start w-full"><div><a class="hover:opacity-50 transition" href="/security-labs"><img alt="elastic security labs logo" fetchpriority="high" width="200" height="30" decoding="async" data-nimg="1" style="color:transparent" src="/security-labs/logo.svg"></a></div><div class="hidden lg:ml-6 lg:block"><div class="flex space-x-4"><a class="flex lg:inline-flex font-light my-1 py-1 px-2 font-display font-semibold lg:text-sm xl:text-base items-center transition hover:hover-link hover:text-white focus:accessible-link-focus" href="/security-labs/about"><span>About</span></a><div class="relative" data-headlessui-state=""><div><button class="flex lg:inline-flex font-light my-1 py-1 px-2 font-display font-semibold lg:text-sm xl:text-base items-center transition hover:hover-link hover:text-white focus:accessible-link-focus" id="headlessui-menu-button-:R2kpm:" type="button" aria-haspopup="menu" aria-expanded="false" data-headlessui-state="">Topics<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20" fill="currentColor" aria-hidden="true" class="ml-1 -mr-1 h-4 w-4 text-zinc-400 relative top-[1px]"><path fill-rule="evenodd" d="M5.23 7.21a.75.75 0 011.06.02L10 11.168l3.71-3.938a.75.75 0 111.08 1.04l-4.25 4.5a.75.75 0 01-1.08 0l-4.25-4.5a.75.75 0 01.02-1.06z" clip-rule="evenodd"></path></svg></button></div></div><a class="flex lg:inline-flex font-light my-1 py-1 px-2 font-display font-semibold lg:text-sm 
xl:text-base items-center transition hover:hover-link hover:text-white focus:accessible-link-focus" href="/security-labs/category/vulnerability-updates"><span>Vulnerability updates</span></a><a class="flex lg:inline-flex font-light my-1 py-1 px-2 font-display font-semibold lg:text-sm xl:text-base items-center transition hover:hover-link hover:text-white focus:accessible-link-focus" href="/security-labs/category/reports"><span>Reports</span></a><a class="flex lg:inline-flex font-light my-1 py-1 px-2 font-display font-semibold lg:text-sm xl:text-base items-center transition hover:hover-link hover:text-white focus:accessible-link-focus" href="/security-labs/category/tools"><span>Tools</span></a></div></div><div class="hidden lg:ml-auto lg:block"><div class="flex items-center space-x-4"><a class="rounded flex items-center p-4 text-white focus:outline-none focus:ring-0 focus:ring-offset-1 focus:ring-offset-zinc-600 group" href="https://search.elastic.co/?location%5B0%5D=Security%20Labs&amp;referrer=https://www.elastic.co/security-labs/tricks-and-treats"><div class="flex items-center relative font-display"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" aria-hidden="true" class="h-6 w-6"><path stroke-linecap="round" stroke-linejoin="round" d="M21 21l-5.197-5.197m0 0A7.5 7.5 0 105.196 5.196a7.5 7.5 0 0010.607 10.607z"></path></svg></div></a><a class="flex lg:inline-flex font-light my-1 py-1 px-2 font-display font-semibold lg:text-sm xl:text-base items-center transition hover:hover-link hover:text-white focus:accessible-link-focus" href="https://www.elastic.co/security-labs/rss/feed.xml"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20" fill="currentColor" aria-hidden="true" class="h-4 w-4 mr-1"><path d="M3.75 3a.75.75 0 00-.75.75v.5c0 .414.336.75.75.75H4c6.075 0 11 4.925 11 11v.25c0 .414.336.75.75.75h.5a.75.75 0 00.75-.75V16C17 8.82 11.18 3 4 3h-.25z"></path><path d="M3 8.75A.75.75 0 013.75 8H4a8 8 
0 018 8v.25a.75.75 0 01-.75.75h-.5a.75.75 0 01-.75-.75V16a6 6 0 00-6-6h-.25A.75.75 0 013 9.25v-.5zM7 15a2 2 0 11-4 0 2 2 0 014 0z"></path></svg><span class="hidden xl:block">Subscribe</span></a><a class="font-display inline-flex items-center justify-center rounded font-semibold disabled:!select-none disabled:!bg-gray-400 bg-blue-600 text-white hover:bg-blue-500 enabled:hover:text-white/80 transition-colors px-4 py-2 text-sm flex-1 lg:flex-auto" href="https://cloud.elastic.co/registration?cta=cloud-registration&amp;tech=trial&amp;plcmt=navigation&amp;pg=security-labs">Start free trial</a><a class="font-display inline-flex items-center justify-center rounded font-semibold text-white disabled:!select-none disabled:!bg-gray-400 button px-4 py-2 text-sm flex-1 lg:flex-auto" href="https://www.elastic.co/contact">Contact sales</a></div></div></div><div class="-mr-2 flex lg:hidden"><a class="rounded flex items-center p-4 text-white focus:outline-none focus:ring-0 focus:ring-offset-1 focus:ring-offset-zinc-600 group" href="https://search.elastic.co/?location%5B0%5D=Security%20Labs&amp;referrer=https://www.elastic.co/security-labs/tricks-and-treats"><div class="flex items-center relative font-display"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" aria-hidden="true" class="h-6 w-6"><path stroke-linecap="round" stroke-linejoin="round" d="M21 21l-5.197-5.197m0 0A7.5 7.5 0 105.196 5.196a7.5 7.5 0 0010.607 10.607z"></path></svg></div></a><button class="inline-flex items-center justify-center rounded-md p-2 text-gray-400 hover:bg-gray-700 hover:text-white focus:outline-none focus:ring-2 focus:ring-inset focus:ring-white" id="headlessui-disclosure-button-:R59m:" type="button" aria-expanded="false" data-headlessui-state=""><span class="sr-only">Open navigation menu</span><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" aria-hidden="true" class="block h-6 
w-6"><path stroke-linecap="round" stroke-linejoin="round" d="M3.75 6.75h16.5M3.75 12h16.5m-16.5 5.25h16.5"></path></svg></button></div></div></div></nav><main class="mb-20 flex-1 flex flex-col"><div class="h-48 md:h-64" style="will-change: transform; transform: translateY(40.1869px);"><div class="after:absolute after:block after:bg-blue-400 after:blur-3xl after:content-[' '] after:h-96 after:opacity-5 after:right-0 after:rounded-full after:top-20 after:w-1/2 after:z-0 before:absolute before:block before:blur-3xl before:bg-orange-400 before:content-[' '] before:h-96 before:left-0 before:opacity-5 before:rounded-full before:w-1/2 before:z-0 w-full h-full relative"><div class="relative z-10 w-full h-[125%] -top-[25%] bg-no-repeat bg-cover bg-bottom flex items-center justify-center" style="background-image:url(/security-labs/grid.svg)"></div></div></div><article class="px-4"><div class="max-w-7xl mx-auto relative z-10 flex flex-col space-y-4"><div class="eyebrow break-words"><time class="block mb-2 md:mb-0 md:inline-block article-published-date" datetime="2024-10-19T00:00:00.000Z">19 October 2024</time><span class="hidden md:inline-block md:mx-2">•</span><a class="hover:text-blue-400 text-xs md:text-sm whitespace-nowrap author-name" href="/security-labs/author/salim-bitam">Salim Bitam</a></div><h1 class="font-bold leading-tighter text-3xl md:text-5xl"><span>Tricks and Treats: GHOSTPULSE’s new pixel-&nbsp;level&nbsp;deception</span></h1><p class="text-zinc-200 text-base md:text-xl">The updated GHOSTPULSE malware has evolved to embed malicious data directly within pixel structures, making it harder to detect and requiring new analysis and detection techniques.</p><div class="flex items-center mt-4 text-zinc-200 text-sm space-x-4 border-t border-white/25 pt-4"><span class="flex items-center space-x-1"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" aria-hidden="true" class="h-4 w-4 text-zinc-400"><path 
stroke-linecap="round" stroke-linejoin="round" d="M12 6v6h4.5m4.5 0a9 9 0 11-18 0 9 9 0 0118 0z"></path></svg><span>13 min read</span></span><span class="flex items-center space-x-1"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" aria-hidden="true" class="h-4 w-4 text-zinc-400"><path stroke-linecap="round" stroke-linejoin="round" d="M9.568 3H5.25A2.25 2.25 0 003 5.25v4.318c0 .597.237 1.17.659 1.591l9.581 9.581c.699.699 1.78.872 2.607.33a18.095 18.095 0 005.223-5.223c.542-.827.369-1.908-.33-2.607L11.16 3.66A2.25 2.25 0 009.568 3z"></path><path stroke-linecap="round" stroke-linejoin="round" d="M6 6h.008v.008H6V6z"></path></svg><span><a class="hover:text-blue-400 whitespace-nowrap" href="/security-labs/category/malware-analysis">Malware analysis</a></span></span></div></div><div class="max-w-7xl mx-auto"><div class="bg-zinc-900 border border-zinc-800 drop-shadow-lg p-5 sm:p-8 md:p-10 rounded-3xl mt-5 md:mt-10"><div class="relative w-full rounded-lg overflow-hidden aspect-video"><img alt="Tricks and Treats: GHOSTPULSE’s new pixel-level deception" fetchpriority="high" decoding="async" data-nimg="fill" class="object-cover absolute h-full w-full" style="position:absolute;height:100%;width:100%;left:0;top:0;right:0;bottom:0;color:transparent" sizes="100vw" srcset="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Ftricks-and-treats.jpg&amp;w=640&amp;q=75 640w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Ftricks-and-treats.jpg&amp;w=750&amp;q=75 750w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Ftricks-and-treats.jpg&amp;w=828&amp;q=75 828w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Ftricks-and-treats.jpg&amp;w=1080&amp;q=75 1080w, 
/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Ftricks-and-treats.jpg&amp;w=1200&amp;q=75 1200w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Ftricks-and-treats.jpg&amp;w=1920&amp;q=75 1920w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Ftricks-and-treats.jpg&amp;w=2048&amp;q=75 2048w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Ftricks-and-treats.jpg&amp;w=3840&amp;q=75 3840w" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Ftricks-and-treats.jpg&amp;w=3840&amp;q=75"><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div></div></div><div class="lg:max-w-7xl mx-auto relative mt-12 lg:grid lg:grid-cols-4 lg:gap-8 items-start"><div class="flex justify-center lg:col-span-3"><div class="prose lg:prose-lg prose-invert w-full article-content"><div><h2 class="font-bold text-2xl md:text-4xl relative"><span id="update" class="absolute -top-32"></span>Update</h2>
<p>This research covers an update to stage 2 of GHOSTPULSE, <a href="https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks#stage-2">originally disclosed</a> by Elastic Security Labs in October 2023.</p>
<h2 class="font-bold text-2xl md:text-4xl relative"><span id="key-takeaways" class="absolute -top-32"></span>Key takeaways</h2>
<ol>
<li>GHOSTPULSE has shifted from using the IDAT chunk of PNG files to embedding its encrypted configuration and payload within the pixel structure.</li>
<li>Recent campaigns involve tricking victims with creative social engineering techniques, such as CAPTCHA validations that trigger malicious commands through Windows keyboard shortcuts.</li>
<li>Elastic Security has enhanced its YARA rules and updated the configuration extractor tool to detect and analyze both the old and new versions of GHOSTPULSE.</li>
</ol>
<h2 class="font-bold text-2xl md:text-4xl relative"><span id="preamble" class="absolute -top-32"></span>Preamble</h2>
<p>The GHOSTPULSE malware family (also known as HIJACKLOADER or IDATLOADER) has continuously evolved since its discovery in 2023, evading detection with increasingly sophisticated techniques.</p>
<p>In its earlier iterations, GHOSTPULSE abused the IDAT chunk of PNG files to hide malicious payloads, as detailed in a <a href="https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks">previous article from Elastic Security Labs</a>. However, recent analysis has uncovered a significant change in its algorithm. Instead of extracting the payload from the IDAT chunk, the latest version of GHOSTPULSE now parses the pixels of the image to retrieve its configuration and payload. This new approach involves embedding malicious data directly within the pixel structure.</p>
<p>In this research publication, we’ll explore this new pixel-based algorithm, compare it with the previous IDAT chunk technique, and provide updated detection rules.</p>
<h2 class="font-bold text-2xl md:text-4xl relative"><span id="introduction" class="absolute -top-32"></span>Introduction</h2>
<p>Recently, we've observed several campaigns involving LUMMA STEALER using GHOSTPULSE as its loader, a topic also explored by <a href="https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/">HarfangLab</a>. These campaigns stand out due to their <a href="https://www.secureworks.com/blog/fake-human-verification-prompt-delivers-infostealers">creative social engineering tactics</a>. Victims are shown what looks like a CAPTCHA validation, but instead of the usual challenge the website instructs them to press a series of Windows keyboard shortcuts. These shortcuts run a command that malicious JavaScript on the page has already copied to the clipboard. The command executes a PowerShell script, which starts the infection chain by downloading and executing a GHOSTPULSE payload.</p>
<p><figure style="display: flex; flex-direction: column; align-items: center;"><img alt="Social engineering lure website" loading="lazy" width="779" height="782" decoding="async" data-nimg="1" class="cursor-zoom-in" srcset="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Fimage1.png&amp;w=828&amp;q=90 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Fimage1.png&amp;w=1920&amp;q=90 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Fimage1.png&amp;w=1920&amp;q=90" style="color: transparent; object-fit: contain; position: relative;"><figcaption style="color: lightgray; font-style: italic;">Social engineering lure website</figcaption></figure></p>
<p>Previous versions of GHOSTPULSE were delivered as part of a multi-file package. This package typically contained a benign executable, an infected DLL loaded by the executable, and a PNG file storing the encrypted configuration.</p>
<p>However, in the latest version, GHOSTPULSE has streamlined its deployment. Now, the entire package consists of a single file—a benign but compromised executable that includes the PNG file within its resources section.</p>
<p><figure style="display: flex; flex-direction: column; align-items: center;"><img alt="Large embedded PNG file in the resources section" loading="lazy" width="1999" height="934" decoding="async" data-nimg="1" class="cursor-zoom-in" srcset="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Fimage2.png&amp;w=2048&amp;q=90 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Fimage2.png&amp;w=3840&amp;q=90 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Fimage2.png&amp;w=3840&amp;q=90" style="color: transparent; object-fit: contain; position: relative;"><figcaption style="color: lightgray; font-style: italic;">Large embedded PNG file in the resources section</figcaption></figure></p>
<h2 class="font-bold text-2xl md:text-4xl relative"><span id="technical-analysis" class="absolute -top-32"></span>Technical analysis</h2>
<p>The updated second stage of the malware retains much of its previous structure, including using the same hashing algorithm for resolving Windows API names. However, the most significant change is in how the malware now locates its configuration, which holds both the payload and critical instructions for its deployment.</p>
<p>The following is a screenshot showing the pseudocode of both implementations:</p>
<p><figure style="display: flex; flex-direction: column; align-items: center;"><img alt="Pseudocode comparison between old and new algorithm" loading="lazy" width="1999" height="1088" decoding="async" data-nimg="1" class="cursor-zoom-in" srcset="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Fimage4.png&amp;w=2048&amp;q=90 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Fimage4.png&amp;w=3840&amp;q=90 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Fimage4.png&amp;w=3840&amp;q=90" style="color: transparent; object-fit: contain; position: relative;"><figcaption style="color: lightgray; font-style: italic;">Pseudocode comparison between old and new algorithm</figcaption></figure></p>
<p>In earlier versions, GHOSTPULSE would parse a PNG file for an encrypted data blob, which was divided into chunks and stored sequentially. The malware’s parsing process was straightforward: it would search for a specific marker within the file—in this case, the IDAT string. Once found, the malware would check for a 4-byte tag that followed the string. The encrypted chunk would be extracted if this tag matched the expected value. This process continued for each subsequent occurrence of the IDAT string until the full encrypted payload was collected.</p>
<p>In the new version, the encrypted configuration is stored in the pixels of the image. The malware constructs a byte array by extracting each pixel's <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">RED</code>, <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">GREEN</code>, and <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">BLUE</code> (RGB) values sequentially using standard Windows APIs from the <a href="https://learn.microsoft.com/en-us/windows/win32/gdiplus/-gdiplus-gdi-start">GdiPlus(GDI+)</a> library. Once the byte array is built, the malware searches for the start of a structure that contains the encrypted GHOSTPULSE configuration, including the XOR key needed for decryption. It does this by looping through the byte array in 16-byte blocks. For each block, the first 4 bytes represent a CRC32 hash, and the next 12 bytes are the data to be hashed. The malware computes the CRC32 of the 12 bytes and checks if it matches the hash. If a match is found, it extracts the offset of the encrypted GHOSTPULSE configuration, its size, and the 4-byte XOR key, and then XOR decrypts it.</p>
<p>The following diagram provides a visual breakdown of this process:</p>
<p><figure style="display: flex; flex-direction: column; align-items: center;"><img alt="" loading="lazy" width="1999" height="467" decoding="async" data-nimg="1" class="cursor-zoom-in" srcset="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Fimage5.png&amp;w=2048&amp;q=90 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Fimage5.png&amp;w=3840&amp;q=90 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Fimage5.png&amp;w=3840&amp;q=90" style="color: transparent; object-fit: contain; position: relative;"></figure></p>
<h2 class="font-bold text-2xl md:text-4xl relative"><span id="updated-configuration-extractor" class="absolute -top-32"></span>Updated configuration extractor</h2>
<p>Based on these findings, we have updated our configuration extractor to support both versions of GHOSTPULSE. This tool takes a PNG file as input and outputs the embedded payload. You can find the updated tool in our <a href="https://github.com/elastic/labs-releases/tree/main/tools/ghostpulse">labs-releases repository</a>.</p>
<p><figure style="display: flex; flex-direction: column; align-items: center;"><img alt="" loading="lazy" width="1999" height="301" decoding="async" data-nimg="1" class="cursor-zoom-in" srcset="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Fimage3.png&amp;w=2048&amp;q=90 1x, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Fimage3.png&amp;w=3840&amp;q=90 2x" src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Ftricks-and-treats%2Fimage3.png&amp;w=3840&amp;q=90" style="color: transparent; object-fit: contain; position: relative;"></figure></p>
<h2 class="font-bold text-2xl md:text-4xl relative"><span id="detecting-ghostpulse-with-yara" class="absolute -top-32"></span>Detecting GHOSTPULSE with YARA</h2>
<p>The original <a href="https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_GhostPulse.yar">GHOSTPULSE YARA</a> rule still prevents the final stage of an infection and is built into Elastic Defend. The updated sample can be detected using the following YARA rules, which will be included with Elastic Defend in a future release.</p>
<p>Elastic Security has updated the GHOSTPULSE YARA rules to identify this activity:</p>
<pre><code>rule Windows_Trojan_GHOSTPULSE_1 {
    // Byte-pattern rule for the updated GHOSTPULSE sample discussed in this
    // article. It carries two code sequences and matches on either one.
    // The string names suggest one sequence per loader stage; presumably
    // $stage_1 and $stage_2 map to the first and second stage - confirm
    // against the sample.
    meta:
        author = "Elastic Security"
        creation_date = "2024-10-15"
        last_modified = "2024-10-15"
        os = "Windows"
        // NOTE(review): both patterns below appear to be REX-prefixed
        // (64-bit) instruction encodings (48/49/44/42/41 lead bytes), so
        // "x86" reads as the architecture family rather than 32-bit only.
        arch = "x86"
        category_type = "Trojan"
        family = "GHOSTPULSE"
        threat_name = "Windows.Trojan.GHOSTPULSE"
        license = "Elastic License v2"

    strings:
        // The two four-byte wildcards each follow an 8B 05 opcode, leaving
        // the 32-bit displacement of those loads unconstrained so the match
        // does not depend on where the referenced data is placed.
        $stage_1 = { 49 63 D0 42 8B 0C 0A 41 03 CA 89 0C 1A 8B 05 ?? ?? ?? ?? 44 03 C0 8B 05 ?? ?? ?? ?? 44 3B C0 }
        // Fully fixed sequence: no wildcards, including the stack offsets
        // (D8 00 00 00, 78, 44), so a rebuild that shifts the stack layout
        // would no longer match this string.
        $stage_2 = { 48 89 01 48 8B 84 24 D8 00 00 00 48 8B 4C 24 78 8B 49 0C 89 08 C7 44 24 44 00 00 00 00 }

    condition:
        // Fires when either sequence is present. There is no file-type,
        // size or offset constraint, so the rule applies equally to files
        // and to scanned memory regions; test it against a known-clean
        // corpus before using it for automated blocking.
        any of them
}

rule Windows_Trojan_GHOSTPULSE_2 {
    // Second byte-pattern rule for the GHOSTPULSE family, built on a single
    // code sequence. The article does not say which stage it targets.
    meta:
        author = "Elastic Security"
        creation_date = "2024-10-10"
        last_modified = "2024-10-10"
        os = "Windows"
        // NOTE(review): the pattern starts with 48 83 EC 18, a REX-prefixed
        // (64-bit) encoding, so "x86" reads as the architecture family here.
        arch = "x86"
        category_type = "Trojan"
        family = "GHOSTPULSE"
        threat_name = "Windows.Trojan.GHOSTPULSE"
        license = "Elastic License v2"

    strings:
        // Read as x86-64 code, this looks like a loop that counts 16-bit
        // characters up to a zero terminator (0F B7 04 41 / 85 C0 / EB E6),
        // followed by a comparison of the last character with 0x5C, the
        // backslash (83 F8 5C). The sequence has no wildcards, so it is tied
        // to this exact compiler output - TODO confirm coverage on newer
        // builds.
        $a1 = { 48 83 EC 18 C7 04 24 00 00 00 00 8B 04 24 48 8B 4C 24 20 0F B7 04 41 85 C0 74 0A 8B 04 24 FF C0 89 04 24 EB E6 C7 44 24 08 00 00 00 00 8B 04 24 FF C8 8B C0 48 8B 4C 24 20 0F B7 04 41 83 F8 5C }

    condition:
        // With one string defined, "all of them" is equivalent to requiring
        // $a1. No file-type, size or offset constraint is applied, so the
        // rule applies to files and memory regions alike; validate on clean
        // data before relying on it for blocking.
        all of them
}</code></pre>
<h2 class="font-bold text-2xl md:text-4xl relative"><span id="conclusion" class="absolute -top-32"></span>Conclusion</h2>
<p>In summary, the GHOSTPULSE malware family has evolved since its release in 2023, with this recent update marking one of the most significant changes.</p>
<p>As attackers continue to innovate, defenders must adapt by utilizing updated tools and techniques to mitigate these threats effectively. We are excited to share our newly developed configuration extractor tool, designed to analyze the older and newer versions of GHOSTPULSE. This tool empowers researchers and cybersecurity professionals by providing enhanced capabilities for understanding and combating these evolving threats. As the landscape of cyber threats changes, collaboration and innovation remain essential for effective protection.</p>
<h2 class="font-bold text-2xl md:text-4xl relative"><span id="observations" class="absolute -top-32"></span>Observations</h2>
<p>All observables are also available for <a href="https://github.com/elastic/labs-releases/tree/main/indicators/ghostpulse">download</a> in both ECS and STIX format.</p>
<p>The following observables were discussed in this research.</p>
<div class="table-container"><table style="width:100%;table-layout:fixed;word-wrap:break-word"><thead><tr><th>Observable</th><th>Type</th><th>Name</th><th>Reference</th></tr></thead><tbody><tr><td><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">57ebf79c384366162cb0f13de0de4fc1300ebb733584e2d8887505f22f877077</code></td><td>SHA-256</td><td><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">Setup.exe</code></td><td>GHOSTPULSE sample</td></tr><tr><td><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">b54d9db283e6c958697bfc4f97a5dd0ba585bc1d05267569264a2d700f0799ae</code></td><td>SHA-256</td><td><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">Setup_light.exe</code></td><td>GHOSTPULSE sample</td></tr><tr><td><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">winrar01.b-cdn[.]net</code></td><td>domain-name</td><td></td><td>Infrastructure hosting GHOSTPULSE sample</td></tr><tr><td><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">reinforcenh[.]shop</code></td><td>domain-name</td><td></td><td>LUMMASTEALER C2</td></tr><tr><td><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">stogeneratmns[.]shop</code></td><td>domain-name</td><td></td><td>LUMMASTEALER C2</td></tr><tr><td><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">fragnantbui[.]shop</code></td><td>domain-name</td><td></td><td>LUMMASTEALER C2</td></tr><tr><td><code class="px-1.5 
py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">drawzhotdog[.]shop</code></td><td>domain-name</td><td></td><td>LUMMASTEALER C2</td></tr><tr><td><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">vozmeatillu[.]shop</code></td><td>domain-name</td><td></td><td>LUMMASTEALER C2</td></tr><tr><td><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">offensivedzvju[.]shop</code></td><td>domain-name</td><td></td><td>LUMMASTEALER C2</td></tr><tr><td><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">ghostreedmnu[.]shop</code></td><td>domain-name</td><td></td><td>LUMMASTEALER C2</td></tr><tr><td><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">gutterydhowi[.]shop</code></td><td>domain-name</td><td></td><td>LUMMASTEALER C2</td></tr><tr><td><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">riderratttinow[.]shop</code></td><td>domain-name</td><td></td><td>LUMMASTEALER C2</td></tr></tbody></table></div></div></div></div></div></article></main><footer class="mt-auto text-xs md:text-sm"><div class="container py-6 flex flex-col md:flex-row gap-2 md:gap-0 justify-between items-center"><div class="flex flex-col space-y-1 text-zinc-300"><p>© <!-- -->2024<!-- -->. Elasticsearch B.V. 
All Rights Reserved.</p></div></div></footer></main></div><script id="__NEXT_DATA__" type="application/json">{"props":{"pageProps":{"article":{"title":"Tricks and Treats: GHOSTPULSE’s new pixel-level deception","slug":"tricks-and-treats","date":"2024-10-19","description":"The updated GHOSTPULSE malware has evolved to embed malicious data directly within pixel structures, making it harder to detect and requiring new analysis and detection techniques.","image":"tricks-and-treats.jpg","tags":["ghostpulse","lummastealer","ref8207"],"body":{"raw":"\n## Update\n\nThis research covers an update to stage 2 of GHOSTPULSE, [originally disclosed](https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks#stage-2) by Elastic Security Labs in October 2023.\n\n## Key takeaways\n\n1. GHOSTPULSE has shifted from using the IDAT chunk of PNG files to embedding its encrypted configuration and payload within the pixel structure.\n1. Recent campaigns involve tricking victims with creative social engineering techniques, such as CAPTCHA validations that trigger malicious commands through Windows keyboard shortcuts.\n1. Elastic Security has enhanced its YARA rules and updated the configuration extractor tool to detect and analyze both the old and new versions of GHOSTPULSE.\n\n## Preamble\n\nThe GHOSTPULSE malware family (also known as HIJACKLOADER or IDATLOADER) has continuously evolved since its discovery in 2023, evading detection with increasingly developed techniques.\n\nIn its earlier iterations, GHOSTPULSE abused the IDAT chunk of PNG files to hide malicious payloads, as detailed in a [previous article from Elastic Security Labs](https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks). However, recent analysis has uncovered a significant change in its algorithm. 
Instead of extracting the payload from the IDAT chunk, the latest version of GHOSTPULSE now parses the pixels of the image to retrieve its configuration and payload. This new approach involves embedding malicious data directly within the pixel structure.\n\nIn this research publication, we’ll explore this new pixel-based algorithm and compare it with the previous IDAT chunk technique with updated detection rules.\n\n## Introduction\n\nRecently, we've observed several campaigns involving LUMMA STEALER using GHOSTPULSE as its loader, a topic also explored by [HarfangLab](https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/). These campaigns stand out due to their [creative social engineering tactics](https://www.secureworks.com/blog/fake-human-verification-prompt-delivers-infostealers). Victims are tricked into validating a CAPTCHA, but the website instructs them to execute a series of Windows keyboard shortcuts instead of the usual process. These shortcuts trigger a command copied to the clipboard by malicious JavaScript. This leads to a PowerShell script being executed, initiating the infection chain by downloading and executing a GHOSTPULSE payload.\n\n![Social engineer lure website](/assets/images/tricks-and-treats/image1.png \"Lure website\")\n\nIn previous versions of GHOSTPULSE, it was delivered as part of a multi-file package. This package typically contained a benign executable, an infected DLL loaded by the executable, and a PNG file storing the encrypted configuration.\n\nHowever, in the latest version, GHOSTPULSE has streamlined its deployment. 
Now, the entire package consists of a single file—a benign but compromised executable that includes the PNG file within its resources section.\n\n![Large embedded PNG file in the resources section](/assets/images/tricks-and-treats/image2.png \"Large embedded PNG file in the resources section\")\n\n## Technical analysis\n\nThe updated second stage of the malware retains much of its previous structure, including using the same hashing algorithm for resolving Windows API names. However, the most significant change is in how the malware now locates its configuration, which holds both the payload and critical instructions for its deployment.\n\nThe following is a screenshot showing the pseudocode of both implementations:\n\n![Pseudocode code comparison between old and new algorithm](/assets/images/tricks-and-treats/image4.png \"Pseudocode code comparison between old and new algorithm\")\n\nIn earlier versions, GHOSTPULSE would parse a PNG file for an encrypted data blob, which was divided into chunks and stored sequentially. The malware’s parsing process was straightforward: it would search for a specific marker within the file—in this case, the IDAT string. Once found, the malware would check for a 4-byte tag that followed the string. The encrypted chunk would be extracted if this tag matched the expected value. This process continues for every occurrence of the IDAT string that comes after until the full encrypted payload is collected.\n\nIn the new version, the encrypted configuration is stored in the pixels of the image. The malware constructs a byte array by extracting each pixel's `RED`, `GREEN`, and `BLUE` (RGB) values sequentially using standard Windows APIs from the [GdiPlus(GDI+)](https://learn.microsoft.com/en-us/windows/win32/gdiplus/-gdiplus-gdi-start) library. Once the byte array is built, the malware searches for the start of a structure that contains the encrypted GHOSTPULSE configuration, including the XOR key needed for decryption. 
It does this by looping through the byte array in 16-byte blocks. For each block, the first 4 bytes represent a CRC32 hash, and the next 12 bytes are the data to be hashed. The malware computes the CRC32 of the 12 bytes and checks if it matches the hash. If a match is found, it extracts the offset of the encrypted GHOSTPULSE configuration, its size, and the 4-byte XOR key, and then XOR decrypts it.\n\nThe following diagram provides a visual breakdown of this process:\n\n![](/assets/images/tricks-and-treats/image5.png)\n\n## Updated configuration extractor\n\nBased on these findings, we have updated our configuration extractor to support both versions of GHOSTPULSE. This tool takes a PNG file as input and outputs the embedded payload. You can find the updated tool in our [labs-releases repository](https://github.com/elastic/labs-releases/tree/main/tools/ghostpulse).\n\n![](/assets/images/tricks-and-treats/image3.png)\n\n## Detecting GHOSTPULSE with YARA\n\nThe original [GHOSTPULSE YARA](https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_GhostPulse.yar) rule still prevents the final stage of an infection and is built into Elastic Defend. The updated sample can be detected using the following YARA rules and will be included with Elastic Defend in a future release.\n\nElastic Security has updated the GHOSTPULSE YARA rules to identify this activity:\n\n```\nrule Windows_Trojan_GHOSTPULSE_1 {\n    meta:\n        author = \"Elastic Security\"\n        creation_date = \"2024-10-15\"\n        last_modified = \"2024-10-15\"\n        os = \"Windows\"\n        arch = \"x86\"\n        category_type = \"Trojan\"\n        family = \"GHOSTPULSE\"\n        threat_name = \"Windows.Trojan.GHOSTPULSE\"\n        license = \"Elastic License v2\"\n\n    strings:\n        $stage_1 = { 49 63 D0 42 8B 0C 0A 41 03 CA 89 0C 1A 8B 05 ?? ?? ?? ?? 44 03 C0 8B 05 ?? ?? ?? ?? 
44 3B C0 }\n        $stage_2 = { 48 89 01 48 8B 84 24 D8 00 00 00 48 8B 4C 24 78 8B 49 0C 89 08 C7 44 24 44 00 00 00 00 }\n\n    condition:\n        any of them\n}\n\nrule Windows_Trojan_GHOSTPULSE_2 {\n    meta:\n        author = \"Elastic Security\"\n        creation_date = \"2024-10-10\"\n        last_modified = \"2024-10-10\"\n        os = \"Windows\"\n        arch = \"x86\"\n        category_type = \"Trojan\"\n        family = \"GHOSTPULSE\"\n        threat_name = \"Windows.Trojan.GHOSTPULSE\"\n        license = \"Elastic License v2\"\n\n    strings:\n        $a1 = { 48 83 EC 18 C7 04 24 00 00 00 00 8B 04 24 48 8B 4C 24 20 0F B7 04 41 85 C0 74 0A 8B 04 24 FF C0 89 04 24 EB E6 C7 44 24 08 00 00 00 00 8B 04 24 FF C8 8B C0 48 8B 4C 24 20 0F B7 04 41 83 F8 5C }\n\n    condition:\n        all of them\n}\n```\n\n## Conclusion\n\nIn summary, the GHOSTPULSE malware family has evolved since its release in 2023, with this recent update marking one of the most significant changes.\n\nAs attackers continue to innovate, defenders must adapt by utilizing updated tools and techniques to mitigate these threats effectively. We are excited to share our newly developed configuration extractor tool, designed to analyze the older and newer versions of GHOSTPULSE. This tool empowers researchers and cybersecurity professionals by providing enhanced capabilities for understanding and combating these evolving threats. 
As the landscape of cyber threats changes, collaboration, and innovation remain essential for effective protection.\n\n## Observations\n\nAll observables are also available for [download](https://github.com/elastic/labs-releases/tree/main/indicators/ghostpulse) in both ECS and STIX format.\n\nThe following observables were discussed in this research.\n\n| Observable                                                       | Type        | Name            | Reference                                |\n|------------------------------------------------------------------|-------------|-----------------|------------------------------------------|\n| `57ebf79c384366162cb0f13de0de4fc1300ebb733584e2d8887505f22f877077` | SHA-256     | `Setup.exe`       | GHOSTPULSE sample                        |\n| `b54d9db283e6c958697bfc4f97a5dd0ba585bc1d05267569264a2d700f0799ae` | SHA-256     | `Setup_light.exe` | GHOSTPULSE sample                        |\n| `winrar01.b-cdn[.]net`                                            | domain-name |                 | Infrastructure hosting GHOSTPULSE sample |\n| `reinforcenh[.]shop`                                               | domain-name |                 | LUMMASTEALER C2                          |\n| `stogeneratmns[.]shop`                                             | domain-name |                 | LUMMASTEALER C2                          |\n| `fragnantbui[.]shop`                                               | domain-name |                 | LUMMASTEALER C2                          |\n| `drawzhotdog[.]shop`                                               | domain-name |                 | LUMMASTEALER C2                          |\n| `vozmeatillu[.]shop`                                               | domain-name |                 | LUMMASTEALER C2                          |\n| `offensivedzvju[.]shop`                                            | domain-name |                 | LUMMASTEALER C2                          |\n| `ghostreedmnu[.]shop`     
                                         | domain-name |                 | LUMMASTEALER C2                          |\n| `gutterydhowi[.]shop`                                              | domain-name |                 | LUMMASTEALER C2                          |\n| `riderratttinow[.]shop`                                            | domain-name |                 | LUMMASTEALER C2                          |","code":"var Component=(()=\u003e{var h=Object.create;var r=Object.defineProperty;var u=Object.getOwnPropertyDescriptor;var p=Object.getOwnPropertyNames;var g=Object.getPrototypeOf,m=Object.prototype.hasOwnProperty;var f=(i,e)=\u003e()=\u003e(e||i((e={exports:{}}).exports,e),e.exports),b=(i,e)=\u003e{for(var n in e)r(i,n,{get:e[n],enumerable:!0})},d=(i,e,n,s)=\u003e{if(e\u0026\u0026typeof e==\"object\"||typeof e==\"function\")for(let a of p(e))!m.call(i,a)\u0026\u0026a!==n\u0026\u0026r(i,a,{get:()=\u003ee[a],enumerable:!(s=u(e,a))||s.enumerable});return i};var w=(i,e,n)=\u003e(n=i!=null?h(g(i)):{},d(e||!i||!i.__esModule?r(n,\"default\",{value:i,enumerable:!0}):n,i)),y=i=\u003ed(r({},\"__esModule\",{value:!0}),i);var c=f((A,o)=\u003e{o.exports=_jsx_runtime});var E={};b(E,{default:()=\u003eT,frontmatter:()=\u003eS});var t=w(c()),S={title:\"Tricks and Treats: GHOSTPULSE\\u2019s new pixel-level deception\",slug:\"tricks-and-treats\",date:\"2024-10-19\",description:\"The updated GHOSTPULSE malware has evolved to embed malicious data directly within pixel structures, making it harder to detect and requiring new analysis and detection techniques.\",author:[{slug:\"salim-bitam\"}],image:\"tricks-and-treats.jpg\",category:[{slug:\"malware-analysis\"}],tags:[\"ghostpulse\",\"lummastealer\",\"ref8207\"]};function l(i){let 
e=Object.assign({h2:\"h2\",p:\"p\",a:\"a\",ol:\"ol\",li:\"li\",img:\"img\",code:\"code\",pre:\"pre\",div:\"div\",table:\"table\",thead:\"thead\",tr:\"tr\",th:\"th\",tbody:\"tbody\",td:\"td\"},i.components);return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(e.h2,{id:\"update\",children:\"Update\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"This research covers an update to stage 2 of GHOSTPULSE, \",(0,t.jsx)(e.a,{href:\"https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks#stage-2\",rel:\"nofollow\",children:\"originally disclosed\"}),\" by Elastic Security Labs in October 2023.\"]}),`\n`,(0,t.jsx)(e.h2,{id:\"key-takeaways\",children:\"Key takeaways\"}),`\n`,(0,t.jsxs)(e.ol,{children:[`\n`,(0,t.jsx)(e.li,{children:\"GHOSTPULSE has shifted from using the IDAT chunk of PNG files to embedding its encrypted configuration and payload within the pixel structure.\"}),`\n`,(0,t.jsx)(e.li,{children:\"Recent campaigns involve tricking victims with creative social engineering techniques, such as CAPTCHA validations that trigger malicious commands through Windows keyboard shortcuts.\"}),`\n`,(0,t.jsx)(e.li,{children:\"Elastic Security has enhanced its YARA rules and updated the configuration extractor tool to detect and analyze both the old and new versions of GHOSTPULSE.\"}),`\n`]}),`\n`,(0,t.jsx)(e.h2,{id:\"preamble\",children:\"Preamble\"}),`\n`,(0,t.jsx)(e.p,{children:\"The GHOSTPULSE malware family (also known as HIJACKLOADER or IDATLOADER) has continuously evolved since its discovery in 2023, evading detection with increasingly developed techniques.\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"In its earlier iterations, GHOSTPULSE abused the IDAT chunk of PNG files to hide malicious payloads, as detailed in a \",(0,t.jsx)(e.a,{href:\"https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks\",rel:\"nofollow\",children:\"previous article from Elastic Security Labs\"}),\". 
However, recent analysis has uncovered a significant change in its algorithm. Instead of extracting the payload from the IDAT chunk, the latest version of GHOSTPULSE now parses the pixels of the image to retrieve its configuration and payload. This new approach involves embedding malicious data directly within the pixel structure.\"]}),`\n`,(0,t.jsx)(e.p,{children:\"In this research publication, we\\u2019ll explore this new pixel-based algorithm and compare it with the previous IDAT chunk technique with updated detection rules.\"}),`\n`,(0,t.jsx)(e.h2,{id:\"introduction\",children:\"Introduction\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"Recently, we've observed several campaigns involving LUMMA STEALER using GHOSTPULSE as its loader, a topic also explored by \",(0,t.jsx)(e.a,{href:\"https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/\",rel:\"nofollow\",children:\"HarfangLab\"}),\". These campaigns stand out due to their \",(0,t.jsx)(e.a,{href:\"https://www.secureworks.com/blog/fake-human-verification-prompt-delivers-infostealers\",rel:\"nofollow\",children:\"creative social engineering tactics\"}),\". Victims are tricked into validating a CAPTCHA, but the website instructs them to execute a series of Windows keyboard shortcuts instead of the usual process. These shortcuts trigger a command copied to the clipboard by malicious JavaScript. This leads to a PowerShell script being executed, initiating the infection chain by downloading and executing a GHOSTPULSE payload.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/tricks-and-treats/image1.png\",alt:\"Social engineer lure website\",title:\"Lure website\",width:\"779\",height:\"782\"})}),`\n`,(0,t.jsx)(e.p,{children:\"In previous versions of GHOSTPULSE, it was delivered as part of a multi-file package. 
This package typically contained a benign executable, an infected DLL loaded by the executable, and a PNG file storing the encrypted configuration.\"}),`\n`,(0,t.jsx)(e.p,{children:\"However, in the latest version, GHOSTPULSE has streamlined its deployment. Now, the entire package consists of a single file\\u2014a benign but compromised executable that includes the PNG file within its resources section.\"}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/tricks-and-treats/image2.png\",alt:\"Large embedded PNG file in the resources section\",title:\"Large embedded PNG file in the resources section\",width:\"1999\",height:\"934\"})}),`\n`,(0,t.jsx)(e.h2,{id:\"technical-analysis\",children:\"Technical analysis\"}),`\n`,(0,t.jsx)(e.p,{children:\"The updated second stage of the malware retains much of its previous structure, including using the same hashing algorithm for resolving Windows API names. However, the most significant change is in how the malware now locates its configuration, which holds both the payload and critical instructions for its deployment.\"}),`\n`,(0,t.jsx)(e.p,{children:\"The following is a screenshot showing the pseudocode of both implementations:\"}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/tricks-and-treats/image4.png\",alt:\"Pseudocode code comparison between old and new algorithm\",title:\"Pseudocode code comparison between old and new algorithm\",width:\"1999\",height:\"1088\"})}),`\n`,(0,t.jsx)(e.p,{children:\"In earlier versions, GHOSTPULSE would parse a PNG file for an encrypted data blob, which was divided into chunks and stored sequentially. The malware\\u2019s parsing process was straightforward: it would search for a specific marker within the file\\u2014in this case, the IDAT string. Once found, the malware would check for a 4-byte tag that followed the string. The encrypted chunk would be extracted if this tag matched the expected value. 
This process continues for every occurrence of the IDAT string that comes after until the full encrypted payload is collected.\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"In the new version, the encrypted configuration is stored in the pixels of the image. The malware constructs a byte array by extracting each pixel's \",(0,t.jsx)(e.code,{children:\"RED\"}),\", \",(0,t.jsx)(e.code,{children:\"GREEN\"}),\", and \",(0,t.jsx)(e.code,{children:\"BLUE\"}),\" (RGB) values sequentially using standard Windows APIs from the \",(0,t.jsx)(e.a,{href:\"https://learn.microsoft.com/en-us/windows/win32/gdiplus/-gdiplus-gdi-start\",rel:\"nofollow\",children:\"GdiPlus(GDI+)\"}),\" library. Once the byte array is built, the malware searches for the start of a structure that contains the encrypted GHOSTPULSE configuration, including the XOR key needed for decryption. It does this by looping through the byte array in 16-byte blocks. For each block, the first 4 bytes represent a CRC32 hash, and the next 12 bytes are the data to be hashed. The malware computes the CRC32 of the 12 bytes and checks if it matches the hash. If a match is found, it extracts the offset of the encrypted GHOSTPULSE configuration, its size, and the 4-byte XOR key, and then XOR decrypts it.\"]}),`\n`,(0,t.jsx)(e.p,{children:\"The following diagram provides a visual breakdown of this process:\"}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/tricks-and-treats/image5.png\",alt:\"\",width:\"1999\",height:\"467\"})}),`\n`,(0,t.jsx)(e.h2,{id:\"updated-configuration-extractor\",children:\"Updated configuration extractor\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"Based on these findings, we have updated our configuration extractor to support both versions of GHOSTPULSE. This tool takes a PNG file as input and outputs the embedded payload. 
You can find the updated tool in our \",(0,t.jsx)(e.a,{href:\"https://github.com/elastic/labs-releases/tree/main/tools/ghostpulse\",rel:\"nofollow\",children:\"labs-releases repository\"}),\".\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/tricks-and-treats/image3.png\",alt:\"\",width:\"1999\",height:\"301\"})}),`\n`,(0,t.jsx)(e.h2,{id:\"detecting-ghostpulse-with-yara\",children:\"Detecting GHOSTPULSE with YARA\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"The original \",(0,t.jsx)(e.a,{href:\"https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_GhostPulse.yar\",rel:\"nofollow\",children:\"GHOSTPULSE YARA\"}),\" rule still prevents the final stage of an infection and is built into Elastic Defend. The updated sample can be detected using the following YARA rules and will be included with Elastic Defend in a future release.\"]}),`\n`,(0,t.jsx)(e.p,{children:\"Elastic Security has updated the GHOSTPULSE YARA rules to identify this activity:\"}),`\n`,(0,t.jsx)(e.pre,{children:(0,t.jsx)(e.code,{children:`rule Windows_Trojan_GHOSTPULSE_1 {\n    meta:\n        author = \"Elastic Security\"\n        creation_date = \"2024-10-15\"\n        last_modified = \"2024-10-15\"\n        os = \"Windows\"\n        arch = \"x86\"\n        category_type = \"Trojan\"\n        family = \"GHOSTPULSE\"\n        threat_name = \"Windows.Trojan.GHOSTPULSE\"\n        license = \"Elastic License v2\"\n\n    strings:\n        $stage_1 = { 49 63 D0 42 8B 0C 0A 41 03 CA 89 0C 1A 8B 05 ?? ?? ?? ?? 44 03 C0 8B 05 ?? ?? ?? ?? 
44 3B C0 }\n        $stage_2 = { 48 89 01 48 8B 84 24 D8 00 00 00 48 8B 4C 24 78 8B 49 0C 89 08 C7 44 24 44 00 00 00 00 }\n\n    condition:\n        any of them\n}\n\nrule Windows_Trojan_GHOSTPULSE_2 {\n    meta:\n        author = \"Elastic Security\"\n        creation_date = \"2024-10-10\"\n        last_modified = \"2024-10-10\"\n        os = \"Windows\"\n        arch = \"x86\"\n        category_type = \"Trojan\"\n        family = \"GHOSTPULSE\"\n        threat_name = \"Windows.Trojan.GHOSTPULSE\"\n        license = \"Elastic License v2\"\n\n    strings:\n        $a1 = { 48 83 EC 18 C7 04 24 00 00 00 00 8B 04 24 48 8B 4C 24 20 0F B7 04 41 85 C0 74 0A 8B 04 24 FF C0 89 04 24 EB E6 C7 44 24 08 00 00 00 00 8B 04 24 FF C8 8B C0 48 8B 4C 24 20 0F B7 04 41 83 F8 5C }\n\n    condition:\n        all of them\n}\n`})}),`\n`,(0,t.jsx)(e.h2,{id:\"conclusion\",children:\"Conclusion\"}),`\n`,(0,t.jsx)(e.p,{children:\"In summary, the GHOSTPULSE malware family has evolved since its release in 2023, with this recent update marking one of the most significant changes.\"}),`\n`,(0,t.jsx)(e.p,{children:\"As attackers continue to innovate, defenders must adapt by utilizing updated tools and techniques to mitigate these threats effectively. We are excited to share our newly developed configuration extractor tool, designed to analyze the older and newer versions of GHOSTPULSE. This tool empowers researchers and cybersecurity professionals by providing enhanced capabilities for understanding and combating these evolving threats. 
As the landscape of cyber threats changes, collaboration, and innovation remain essential for effective protection.\"}),`\n`,(0,t.jsx)(e.h2,{id:\"observations\",children:\"Observations\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"All observables are also available for \",(0,t.jsx)(e.a,{href:\"https://github.com/elastic/labs-releases/tree/main/indicators/ghostpulse\",rel:\"nofollow\",children:\"download\"}),\" in both ECS and STIX format.\"]}),`\n`,(0,t.jsx)(e.p,{children:\"The following observables were discussed in this research.\"}),`\n`,(0,t.jsx)(e.div,{className:\"table-container\",children:(0,t.jsxs)(e.table,{children:[(0,t.jsx)(e.thead,{children:(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.th,{children:\"Observable\"}),(0,t.jsx)(e.th,{children:\"Type\"}),(0,t.jsx)(e.th,{children:\"Name\"}),(0,t.jsx)(e.th,{children:\"Reference\"})]})}),(0,t.jsxs)(e.tbody,{children:[(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:(0,t.jsx)(e.code,{children:\"57ebf79c384366162cb0f13de0de4fc1300ebb733584e2d8887505f22f877077\"})}),(0,t.jsx)(e.td,{children:\"SHA-256\"}),(0,t.jsx)(e.td,{children:(0,t.jsx)(e.code,{children:\"Setup.exe\"})}),(0,t.jsx)(e.td,{children:\"GHOSTPULSE sample\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:(0,t.jsx)(e.code,{children:\"b54d9db283e6c958697bfc4f97a5dd0ba585bc1d05267569264a2d700f0799ae\"})}),(0,t.jsx)(e.td,{children:\"SHA-256\"}),(0,t.jsx)(e.td,{children:(0,t.jsx)(e.code,{children:\"Setup_light.exe\"})}),(0,t.jsx)(e.td,{children:\"GHOSTPULSE sample\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:(0,t.jsx)(e.code,{children:\"winrar01.b-cdn[.]net\"})}),(0,t.jsx)(e.td,{children:\"domain-name\"}),(0,t.jsx)(e.td,{}),(0,t.jsx)(e.td,{children:\"Infrastructure hosting GHOSTPULSE sample\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:(0,t.jsx)(e.code,{children:\"reinforcenh[.]shop\"})}),(0,t.jsx)(e.td,{children:\"domain-name\"}),(0,t.jsx)(e.td,{}),(0,t.jsx)(e.td,{children:\"LUMMASTEALER 
C2\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:(0,t.jsx)(e.code,{children:\"stogeneratmns[.]shop\"})}),(0,t.jsx)(e.td,{children:\"domain-name\"}),(0,t.jsx)(e.td,{}),(0,t.jsx)(e.td,{children:\"LUMMASTEALER C2\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:(0,t.jsx)(e.code,{children:\"fragnantbui[.]shop\"})}),(0,t.jsx)(e.td,{children:\"domain-name\"}),(0,t.jsx)(e.td,{}),(0,t.jsx)(e.td,{children:\"LUMMASTEALER C2\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:(0,t.jsx)(e.code,{children:\"drawzhotdog[.]shop\"})}),(0,t.jsx)(e.td,{children:\"domain-name\"}),(0,t.jsx)(e.td,{}),(0,t.jsx)(e.td,{children:\"LUMMASTEALER C2\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:(0,t.jsx)(e.code,{children:\"vozmeatillu[.]shop\"})}),(0,t.jsx)(e.td,{children:\"domain-name\"}),(0,t.jsx)(e.td,{}),(0,t.jsx)(e.td,{children:\"LUMMASTEALER C2\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:(0,t.jsx)(e.code,{children:\"offensivedzvju[.]shop\"})}),(0,t.jsx)(e.td,{children:\"domain-name\"}),(0,t.jsx)(e.td,{}),(0,t.jsx)(e.td,{children:\"LUMMASTEALER C2\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:(0,t.jsx)(e.code,{children:\"ghostreedmnu[.]shop\"})}),(0,t.jsx)(e.td,{children:\"domain-name\"}),(0,t.jsx)(e.td,{}),(0,t.jsx)(e.td,{children:\"LUMMASTEALER C2\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:(0,t.jsx)(e.code,{children:\"gutterydhowi[.]shop\"})}),(0,t.jsx)(e.td,{children:\"domain-name\"}),(0,t.jsx)(e.td,{}),(0,t.jsx)(e.td,{children:\"LUMMASTEALER C2\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:(0,t.jsx)(e.code,{children:\"riderratttinow[.]shop\"})}),(0,t.jsx)(e.td,{children:\"domain-name\"}),(0,t.jsx)(e.td,{}),(0,t.jsx)(e.td,{children:\"LUMMASTEALER C2\"})]})]})]})})]})}function v(i={}){let{wrapper:e}=i.components||{};return e?(0,t.jsx)(e,Object.assign({},i,{children:(0,t.jsx)(l,i)})):l(i)}var T=v;return y(E);})();\n;return 
Component;"},"_id":"articles/tricks-and-treats.mdx","_raw":{"sourceFilePath":"articles/tricks-and-treats.mdx","sourceFileName":"tricks-and-treats.mdx","sourceFileDir":"articles","contentType":"mdx","flattenedPath":"articles/tricks-and-treats"},"type":"Article","imageUrl":"/assets/images/tricks-and-treats/tricks-and-treats.jpg","readingTime":"13 min read","series":"","url":"/tricks-and-treats","headings":[{"level":2,"title":"Update","href":"#update"},{"level":2,"title":"Key takeaways","href":"#key-takeaways"},{"level":2,"title":"Preamble","href":"#preamble"},{"level":2,"title":"Introduction","href":"#introduction"},{"level":2,"title":"Technical analysis","href":"#technical-analysis"},{"level":2,"title":"Updated configuration extractor","href":"#updated-configuration-extractor"},{"level":2,"title":"Detecting GHOSTPULSE with YARA","href":"#detecting-ghostpulse-with-yara"},{"level":2,"title":"Conclusion","href":"#conclusion"},{"level":2,"title":"Observations","href":"#observations"}],"author":[{"title":"Salim Bitam","slug":"salim-bitam","description":"Elastic","body":{"raw":"","code":"var Component=(()=\u003e{var l=Object.create;var i=Object.defineProperty;var x=Object.getOwnPropertyDescriptor;var f=Object.getOwnPropertyNames;var _=Object.getPrototypeOf,d=Object.prototype.hasOwnProperty;var g=(t,n)=\u003e()=\u003e(n||t((n={exports:{}}).exports,n),n.exports),j=(t,n)=\u003e{for(var e in n)i(t,e,{get:n[e],enumerable:!0})},s=(t,n,e,o)=\u003e{if(n\u0026\u0026typeof n==\"object\"||typeof n==\"function\")for(let a of f(n))!d.call(t,a)\u0026\u0026a!==e\u0026\u0026i(t,a,{get:()=\u003en[a],enumerable:!(o=x(n,a))||o.enumerable});return t};var p=(t,n,e)=\u003e(e=t!=null?l(_(t)):{},s(n||!t||!t.__esModule?i(e,\"default\",{value:t,enumerable:!0}):e,t)),M=t=\u003es(i({},\"__esModule\",{value:!0}),t);var c=g((h,m)=\u003e{m.exports=_jsx_runtime});var F={};j(F,{default:()=\u003eD,frontmatter:()=\u003eb});var r=p(c()),b={title:\"Salim 
Bitam\",description:\"Elastic\",slug:\"salim-bitam\"};function u(t){return(0,r.jsx)(r.Fragment,{})}function C(t={}){let{wrapper:n}=t.components||{};return n?(0,r.jsx)(n,Object.assign({},t,{children:(0,r.jsx)(u,t)})):u(t)}var D=C;return M(F);})();\n;return Component;"},"_id":"authors/salim-bitam.mdx","_raw":{"sourceFilePath":"authors/salim-bitam.mdx","sourceFileName":"salim-bitam.mdx","sourceFileDir":"authors","contentType":"mdx","flattenedPath":"authors/salim-bitam"},"type":"Author","imageUrl":"","url":"/authors/salim-bitam"}],"category":[{"title":"Malware analysis","slug":"malware-analysis","body":{"raw":"","code":"var Component=(()=\u003e{var u=Object.create;var s=Object.defineProperty;var x=Object.getOwnPropertyDescriptor;var f=Object.getOwnPropertyNames;var _=Object.getPrototypeOf,g=Object.prototype.hasOwnProperty;var j=(t,n)=\u003e()=\u003e(n||t((n={exports:{}}).exports,n),n.exports),M=(t,n)=\u003e{for(var e in n)s(t,e,{get:n[e],enumerable:!0})},i=(t,n,e,o)=\u003e{if(n\u0026\u0026typeof n==\"object\"||typeof n==\"function\")for(let r of f(n))!g.call(t,r)\u0026\u0026r!==e\u0026\u0026s(t,r,{get:()=\u003en[r],enumerable:!(o=x(n,r))||o.enumerable});return t};var d=(t,n,e)=\u003e(e=t!=null?u(_(t)):{},i(n||!t||!t.__esModule?s(e,\"default\",{value:t,enumerable:!0}):e,t)),p=t=\u003ei(s({},\"__esModule\",{value:!0}),t);var l=j((X,c)=\u003e{c.exports=_jsx_runtime});var D={};M(D,{default:()=\u003eC,frontmatter:()=\u003ew});var a=d(l()),w={title:\"Malware analysis\",slug:\"malware-analysis\"};function m(t){return(0,a.jsx)(a.Fragment,{})}function y(t={}){let{wrapper:n}=t.components||{};return n?(0,a.jsx)(n,Object.assign({},t,{children:(0,a.jsx)(m,t)})):m(t)}var C=y;return p(D);})();\n;return 
Component;"},"_id":"categories/malware-analysis.mdx","_raw":{"sourceFilePath":"categories/malware-analysis.mdx","sourceFileName":"malware-analysis.mdx","sourceFileDir":"categories","contentType":"mdx","flattenedPath":"categories/malware-analysis"},"type":"Category","url":"/categories/malware-analysis"}]},"seriesArticles":null},"__N_SSG":true},"page":"/[slug]","query":{"slug":"tricks-and-treats"},"buildId":"dGrrQfBbQkqaleQ_11aBK","assetPrefix":"/security-labs","isFallback":false,"gsp":true,"scriptLoader":[]}</script></body></html>