BadPaw: The Regex Tool That Wasn't
A five-layer .NET trojan downloader hides behind a fake regex utility -- and defeats every sandbox we threw at it
Every sandbox we ran BadPaw through came back clean. CAPE: no detection. ANY.RUN: no threats. Triage: 3 out of 10. For a sample flagged by 43 of 76 AV engines, that is a remarkable evasion record -- and it tells you everything about what this malware prioritizes.
BadPaw is a .NET Framework 4.6 trojan downloader that disguises itself as "RegularExpressionExplorer," a Windows Forms regex testing utility complete with a functional GUI facade. Open it and you get a real regex tool. Behind it, five distinct protection layers ensure the actual payload never executes in anything resembling a sandbox.
A Matryoshka of Evasion
Most .NET malware relies on a single packer. BadPaw stacks five independent defense layers, each targeting a different class of analyst:
Layer 1: .NET Reactor -- Commercial obfuscation mangles all method and field names into GUID-like strings (m_807ef3e38f8143a88070fc1445bd3f47). A SuppressIldasm attribute blocks the standard .NET disassembler outright.
Layer 2: Anti-Debug -- A Debugger.IsAttached check fires early, with a reference to clrjit.dll suggesting JIT hook detection as a secondary measure.
Layer 3: Anti-Tamper -- SHA1 integrity verification of the assembly itself. Patch a single byte and you get " is tampered." Fifteen embedded SHA256 constants provide section-level verification, making surgical modifications nearly impossible without understanding the full integrity chain.
Layer 4: Sandbox Detection -- The Sand class implements IsSandBox() for environment fingerprinting, CheckSleep() for timing-based detection (real machines have real sleep; emulated sleep is instant), and a Windows EventLog reader that checks for sandbox-indicator events. System uptime analysis rounds it out -- fresh VMs have short uptimes.
Layer 5: API String Splitting -- Win32 API names are split across the .NET #US heap: "Virtual " + "Alloc", "Write " + "Process " + "Memory", "kernel " + "32.dll". These are reassembled at runtime via Marshal.GetDelegateForFunctionPointer. Static string scanners see nothing.
This layered approach is why every automated sandbox failed. The malware checks the environment, detects the sandbox, and simply never activates its malicious behavior.
The Task-Based C2
BadPaw's ApiClient class implements a structured command-and-control protocol with three core methods:
- GetTaskRequest() -- poll the C2 for pending commands
- GetUrlRequest() -- fetch URL content as directed by the C2
- SendResultRequest() -- exfiltrate task results
Authentication uses a token and a victim serial number derived from MurmurHash of hardware identifiers. Transport is HTTPS with custom User-Agent headers and a TLS certificate callback that likely accepts anything. The encryption stack is AES for payload encryption, RSA for key exchange, and MD5 for hashing.
No C2 traffic was observed in any sandbox run, so the actual domains remain unknown. The malware's anti-analysis was effective enough to prevent extraction of any network indicators through dynamic analysis.
Fingerprinting via WMI
Before phoning home, BadPaw builds a comprehensive victim profile through seven WMI queries via the SOS class:
- MAC address
- Disk serial number
- Motherboard serial
- BIOS information
- Computer system details
- OS identity string
- Process ID
The combined output feeds into a MurmurHash function that generates a unique victim identifier. This is not just reconnaissance -- it is deterministic fingerprinting that lets the C2 track victims across sessions without cookies or persistent files.
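As an added defender-side example (not BadPaw's code and not part of the original analysis), the Python below correlates WMI query telemetry per process and flags any process whose queries cover all four hardware-identity classes within a short window, which is the behavioral footprint this fingerprinting leaves. The record format, the WMI class names assumed for each identifier, the 30-second window and the sample log are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed WMI classes behind the four hardware-identity queries, mapped to short tags.
FINGERPRINT_CLASSES = {"Win32_NetworkAdapterConfiguration": "MAC", "Win32_DiskDrive": "DiskSerial",
                       "Win32_BaseBoard": "MotherBoard", "Win32_BIOS": "BIOS"}
WINDOW = timedelta(seconds=30)  # what counts as a "short window"; tune to your telemetry
LINE_RE = re.compile(r"^(\S+) pid=(\d+) image=(.+?) wmi=(.*)$")  # assumed record layout

# Constructed sample telemetry: pid 4120 fingerprints in 3 s, pid 2210 (inventory agent) touches
# one class, pid 3333 hits all four but spread over minutes, which a 30 s window must not join.
SAMPLE_LOG = """\
2026-03-01T10:00:00 pid=4120 image=C:\\Users\\a\\RegularExpressionExplorer.exe wmi=SELECT MACAddress FROM Win32_NetworkAdapterConfiguration
2026-03-01T10:00:01 pid=4120 image=C:\\Users\\a\\RegularExpressionExplorer.exe wmi=SELECT SerialNumber FROM Win32_DiskDrive
2026-03-01T10:00:01 pid=2210 image=C:\\Program Files\\Inventory\\agent.exe wmi=SELECT * FROM Win32_BIOS
2026-03-01T10:00:02 pid=4120 image=C:\\Users\\a\\RegularExpressionExplorer.exe wmi=SELECT SerialNumber FROM Win32_BaseBoard
2026-03-01T10:00:03 pid=4120 image=C:\\Users\\a\\RegularExpressionExplorer.exe wmi=SELECT * FROM Win32_BIOS
2026-03-01T10:00:10 pid=3333 image=C:\\Tools\\slow.exe wmi=SELECT MACAddress FROM Win32_NetworkAdapterConfiguration
2026-03-01T10:02:00 pid=3333 image=C:\\Tools\\slow.exe wmi=SELECT SerialNumber FROM Win32_DiskDrive
2026-03-01T10:04:00 pid=3333 image=C:\\Tools\\slow.exe wmi=SELECT SerialNumber FROM Win32_BaseBoard
2026-03-01T10:06:00 pid=3333 image=C:\\Tools\\slow.exe wmi=SELECT * FROM Win32_BIOS
"""

def parse_line(line):
    """Parse one record into (time, pid, image, wmi_class); None if the line does not match."""
    if not (m := LINE_RE.match(line)):
        return None
    ts, pid, image, query = m.groups()
    cls = re.search(r"\bFROM\s+(\w+)", query, re.IGNORECASE)
    return datetime.fromisoformat(ts), pid, image, cls.group(1) if cls else None

def find_fingerprinting(lines, window=WINDOW):
    """Return [(pid, image, first_query_time)] for each process (reported once) whose most
    recent queries cover all four fingerprint classes within `window` of each other."""
    recent = defaultdict(dict)  # pid -> {tag: time of that tag's latest query}
    alerted, alerts = set(), []
    for ts, pid, image, cls in filter(None, map(parse_line, lines)):
        tag = FINGERPRINT_CLASSES.get(cls)
        if tag is None or pid in alerted:
            continue
        hits = recent[pid]
        hits[tag] = ts
        for stale in [t for t, seen in hits.items() if ts - seen > window]:
            del hits[stale]  # forget queries that fell out of the window
        if len(hits) == len(FINGERPRINT_CLASSES):
            alerted.add(pid)
            alerts.append((pid, image, min(hits.values())))
    return alerts
```

Running find_fingerprinting(SAMPLE_LOG.splitlines()) reports only pid 4120; widening the window to an hour also picks up the slow process, which is the trade-off to weigh against inventory agents that legitimately query the same classes.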
Process Injection Chain
The split API strings reveal a textbook injection sequence: FindResourceA locates an embedded payload, OpenProcess obtains a handle to the target, VirtualAlloc reserves memory, WriteProcessMemory writes the payload, and VirtualProtect flips the page to executable. Additional evidence of DynamicMethod + ILGenerator usage and DeflateStream decompression suggests the injected payload is compressed and dynamically generated.
Defender Reconnaissance
Before any malicious activity, BadPaw queries the registry for the state of Windows Defender:
HKLM\SOFTWARE\Microsoft\AMSI
HKLM\SOFTWARE\Microsoft\Windows Defender\DisableAntiVirus
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\PassiveMode
HKLM\SYSTEM\Setup\SystemSetupInProgress
If Defender is active, BadPaw likely alters its execution path. The SystemSetupInProgress check adds another sandbox detection vector -- fresh Windows installations during setup have this flag set.
Campaign Context
BadPaw is an emerging family with minimal public reporting. Only one sample exists on MalwareBazaar as of our analysis. ReversingLabs first saw it on February 12, 2026 -- a full month before the MalwareBazaar submission -- meaning it operated in relative obscurity for weeks. The PE compilation timestamp is falsified to 2039, an anti-forensics measure. MalwareBazaar origin metadata points to Russia.
Asian AV vendors (CAT-QuickHeal, Antiy-AVL, Alibaba Cloud) track this as "Etset," suggesting independent discovery through different telemetry channels.
Key IOCs
Primary Sample:
SHA256: 6cad470e10c09151b5d337a082a088cfe25d697ef295e02759e1e68e8b3bbbcb
MD5: d68871fb7a4dd5c6bde1e4b7986e9222
SHA1: a378db27df2dfed4172dfccd18bbb580a4b5cec1
Assembly Identifiers:
GUID: 8ff3932a-81fb-428f-ab54-af1bd43df2f6
MVID: 1dd26053-a755-4735-9ee9-b678fbdb8e7b
Known Filenames: RegularExpressionExplorer.exe, HelperForLibraries.exe, 15n21.exe
Detection Guidance
- YARA/Sigma: Hunt for .NET assemblies with the SuppressIldasm attribute, assembly name "RegularExpressionExplorer," and split Win32 API strings in the #US heap.
- Behavioral: Alert on processes performing combined WMI queries for MAC + DiskSerial + MotherBoard + BIOS within a short window. This fingerprinting pattern is distinctive.
- Endpoint: Search for scheduled tasks created by CreateOrUpdateTask() and the known process names above.
- Network: Monitor for HTTPS connections with custom User-Agent headers from .NET Framework 4.6 processes that also load bcrypt.dll, crypt32.dll, and SensApi.dll.
- Registry: Alert on processes checking both HKLM\SOFTWARE\Microsoft\AMSI and multiple Defender policy keys in sequence.
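As an added example (not the analysts' tooling), the Python below is a hunting heuristic for the split-string layer described under Layer 5 and in the YARA/Sigma bullet: it pulls printable UTF-16LE runs from a byte blob, as #US heap entries produce, and reports chains of adjacent fragments that reassemble into watched API names once the padding spaces are removed. It scans raw bytes rather than walking the .NET metadata tables, so the us_entry helper, the constructed heap sample and the watchlist are assumptions; on a real assembly, feed it the #US heap bytes from a metadata parser.

```python
import re

# Win32 names the analysis reports being split across the #US heap, plus the other
# injection-chain APIs it names; treat this as a starter watchlist, not an exhaustive one.
WATCHLIST = {"VirtualAlloc", "WriteProcessMemory", "VirtualProtect", "OpenProcess",
             "FindResourceA", "kernel32.dll"}
MAX_PARTS = 4  # longest chain of adjacent fragments to try joining

# Printable UTF-16LE runs of 3+ chars, like `strings -el`. Each #US entry yields one run,
# because its length prefix and trailing flag byte act as non-printable separators.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){3,}")

def us_entry(s: str) -> bytes:
    """Encode one #US heap entry (ECMA-335 II.24.2.4): 1-byte length, UTF-16LE chars, flag byte.
    Single-byte length form only, i.e. strings shorter than 64 chars; enough for this sample."""
    data = s.encode("utf-16-le")
    return bytes([len(data) + 1]) + data + b"\x00"

# Constructed stand-in for a #US heap: leading null entry, then the fragments from the analysis
# mixed with benign GUI strings and one unsplit API name that a plain string scan already catches.
SAMPLE_US = b"\x00" + b"".join(us_entry(s) for s in [
    "Regex", "Virtual ", "Alloc", "Write ", "Process ", "Memory",
    "kernel ", "32.dll", "Enter a pattern", "CreateFileW"])

def extract_utf16_strings(blob: bytes):
    """Return the printable UTF-16LE runs in `blob`, preserving heap order."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]

def find_split_apis(strings, watchlist=WATCHLIST, max_parts=MAX_PARTS):
    """Report adjacent fragments (2..max_parts) whose space-stripped concatenation is a watched
    name. Returns [(api_name, [fragments])]; single whole strings are deliberately not reported,
    since the point is to surface names a plain string scan misses."""
    hits = []
    for i in range(len(strings)):
        for n in range(2, max_parts + 1):
            parts = strings[i:i + n]
            if len(parts) < n:
                break
            joined = "".join(p.replace(" ", "") for p in parts)
            if joined in watchlist:
                hits.append((joined, parts))
                break
    return hits

if __name__ == "__main__":
    for api, parts in find_split_apis(extract_utf16_strings(SAMPLE_US)):
        print(f"{api!r} reassembled from {parts}")
```

Because fragments in a real heap need not be adjacent, a miss from this scan is not evidence of absence; a hit on several watched names is a strong trigger for manual review with a proper .NET decompiler.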
The fact that BadPaw defeated three major sandboxes while being detected by 43 AV engines tells a specific story: the operators invested in anti-analysis over anti-detection. They expect the malware to reach endpoints where behavioral analysis matters more than signatures -- and they built accordingly.