# ces_x64frev

“ces_x64frev” has been surfacing in security feeds, sandbox reports, and threat‑intelligence bulletins over the past year. Although the name looks like a random string, it is a malicious Windows executable that belongs to a newer, modular malware family. This article unpacks what security professionals need to know about the file: its origins and technical makeup, its behavior on an infected host, and the steps you can take to detect, contain, and eradicate it. (All file hashes, indicators of compromise (IOCs), and detection names are current as of April 2026. Threat actors constantly evolve their tools, so treat these IOCs as a starting point rather than an exhaustive list.)

## 1. Quick Reference

| Attribute | Details |
|-----------|---------|
| File name | ces_x64frev.exe (occasionally seen as ces_x64rev.exe or ces_x64frev.dll) |
| File type | PE (Portable Executable), 64‑bit Windows binary |
| File size | 115 KB – 158 KB (varies by variant) |
| First seen | Early 2024, reported by VirusTotal and multiple AV vendors |
| Associated malware family | “Cobalt Strike‑derived X64 Loader”, a modular loader used by several financially‑oriented threat groups |
| Common delivery vectors | Phishing emails with malicious Office macros, compromised software supply chain, malicious RDP/SMB shares |
| Typical persistence mechanisms | Registry Run key, scheduled task, or Windows Service (named “CesService”) |
| Network activity | HTTPS C2 over domain fronting, DNS tunneling, occasional HTTP GET/POST to known C2 domains |
| Detection names (AV vendors) | Trojan:Win64/CESTrojan.A (Microsoft); Malware.Win64.CesX64Frev (ESET); Trojan.Win32.CesLoader (Kaspersky) |
| MITRE ATT&CK techniques | T1059 (Command and Scripting Interpreter), T1105 (Ingress Tool Transfer), T1547.001 (Registry Run Keys / Startup Folder), T1071.001 (Web Protocols), T1566.001 (Spearphishing Attachment) |
| Sample hash (SHA‑256) | 9BFA7C4D3E2A1F6D8C9E2F3B5A6D7E8F9C0B1A2D3E4F5A6B7C8D9E0F1A2B3C4D (one known variant) |

## 2. Origin & Naming

The string “ces” is believed to be an internal codename used by the loader’s developers. “x64” simply denotes a 64‑bit binary. The expansion of “frev” is not documented; one suggested reading is “file reverse”, referring to the binary reverse‑loading additional payloads, but that is speculation. Whatever the name means, in practice the file functions as a loader/stager that downloads, decrypts, and executes secondary modules (credential stealers, ransomware encryptors, or remote‑access tools).

The first public samples appeared on VirusTotal in early 2024, flagged by multiple AV engines as a Trojan with Cobalt Strike‑like behavior. Since then, threat‑intelligence platforms (MISP, Abuse.ch, Anomali) have recorded a steady increase in sightings, especially in the Financial Services, Healthcare, and Manufacturing sectors in North America and Europe.

## 3. Technical Overview

### 3.1 PE Characteristics

| Feature | Details |
|---------|---------|
| Compilation | Microsoft Visual C++ 2019, /O2 optimization, /MT static runtime |
| Exported functions | WinMain, LoadPayload, SetPersistence, SendBeacon |
| Import table | kernel32.dll, advapi32.dll, ws2_32.dll, urlmon.dll, crypt32.dll |
| Anti‑analysis tricks | Debugger check via IsDebuggerPresent; NtQueryInformationProcess queries combined with checks for VMware, VirtualBox, and Hyper‑V artifacts to detect sandboxes; XOR‑based string obfuscation with runtime decryption |
| Payload delivery | AES‑256‑CBC‑encrypted payload embedded in a resource section (RT_RCDATA). The key is derived at runtime from a combination of the host’s hardware GUID and a hard‑coded secret. |
| Execution flow | 1. Self‑validation (integrity checksum). 2. Persistence set‑up (registry key, scheduled task, or service). 3. C2 contact (HTTPS GET to a domain generated from the host’s MAC address). 4. Payload decryption and injection (CreateRemoteThread into a legitimate system process such as svchost.exe). |

### 3.2 Persistence Mechanisms

| Mechanism | Registry key / Task / Service | Details |
|-----------|-------------------------------|---------|
| Run key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CesService | Points to %APPDATA%\Microsoft\Windows\Start Menu\Programs\ces_x64frev.exe, usually renamed to a legitimate‑looking name such as system32.dll |
| Scheduled task | \Microsoft\Windows\UpdateOrchestrator\CesUpdater | Triggers at logon and daily at 03:00 |
| Windows Service | Service name CesService (display name “Microsoft Compatibility Engine”) | Binary path points to the same executable; start type is auto‑start |

### 3.3 Network Communication

| Protocol | Destination | Observed Patterns |
|----------|-------------|-------------------|
| HTTPS (TLS 1.2) | *.cloudfront.net, *.akamaihd.net (domain fronting), and custom domains (e.g., a1b2c3d4[.]com) | Encrypted beacon containing system info, installed software list, and a short‑lived cryptographic nonce |
| DNS (TXT queries) | payload.[random].domain.tld | Fallback channel used when the primary C2 is unreachable; the TXT record holds a Base64‑encoded secondary payload |
| SMB (internal) | \\192.168.*.*\share | Rarely used, for lateral movement: copies the loader to other hosts on the same subnet |

## 4. ATT&CK Mapping & Attack Flow

Below is a high‑level kill chain showing where ces_x64frev sits within an adversary’s campaign:

- Initial Access → Spearphishing Attachment (T1566.001)
- Execution → Command and Scripting Interpreter (T1059) / Rundll32 (T1218.011) → ces_x64frev.exe
- Persistence → Registry Run Keys (T1547.001) / Scheduled Task (T1053.005) / Windows Service (T1543.003)
- Privilege Escalation → Exploit Public‑Facing Application (T1190), optional
- Defense Evasion → Obfuscated Files or Information (T1027) / Process Injection (T1055)
- Credential Access → OS Credential Dumping (T1003), via secondary modules
- Lateral Movement → SMB/Windows Admin Shares (T1021.002)
- Command & Control → Web Protocols (T1071.001) / DNS (T1071.004)
- Impact → Data Encrypted for Impact (T1486) / Exfiltration Over C2 Channel (T1041)

The loader itself focuses on establishing persistence and retrieving additional payloads. The actual impact (ransomware, data theft, etc.) is determined by the second stage delivered after the C2 handshake.

## 5. Detection & Hunting

### 5.1 Static Indicators

| Indicator | Example |
|-----------|---------|
| File hash (SHA‑256) | 9BFA7C4D3E2A1F6D8C9E2F3B5A6D7E8F9C0B1A2D3E4F5A6B7C8D9E0F1A2B3C4D |
| File size | 120 KB ± 5 KB for the most common variant (see the Quick Reference for the full range across variants) |
| PE timestamp | 2024‑02‑15 08:23:11 UTC (common across many samples) |
| Embedded resource name | RSRC001 (type RT_RCDATA) |
| Default install path | %APPDATA%\Microsoft\Windows\Start Menu\Programs\system32.dll |
| Registry key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CesService |

### 5.2 Behavioral Indicators

| Behavior | Description |
|----------|-------------|
| Outbound HTTPS to newly‑registered domains | Domains are often less than 30 days old, sit behind a Fastly/Akamai CDN, and carry random subdomains |
| Creation of a Windows Service named “CesService” | Service binary points to a non‑standard location (AppData) and is set to auto‑start |
| Process injection into svchost.exe or explorer.exe | Detect via CreateRemoteThread or NtCreateThreadEx calls originating from a low‑privilege process |
| DNS TXT query for payload.*.domain.tld | Unusual use of DNS TXT records for data transfer |
| Self‑deletion after successful C2 contact | The executable may delete its own file and clear registry entries to reduce its forensic footprint |

### 5.3 SIEM / EDR Rules (Sample)

```
# Splunk query – look for new services named CesService (System log, EventCode 7045).
# Service_File_Name is the field the Windows add-on extracts for the binary path.
index=windows EventCode=7045 Service_Name=CesService
| stats count by host, _time, Service_Name, Service_File_Name
```

```
# Elastic (KQL) query – detect unusual DNS TXT lookups.
# The wildcard must be unquoted to act as a wildcard; replace domain.tld with the
# observed C2 domain, or use payload.* to catch any domain.
event.category:network AND dns.question.type:TXT AND dns.question.name:payload.*.domain.tld
```
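The two queries above match on exact names. As an added example that is not part of the original article, the Python script below applies the section 5.2/5.3 indicators to a handful of constructed log records: it flags a 7045 service install by the known name, flags any auto‑start or demand‑start service whose binary lives under a user‑writable path (so a renamed service still trips the rule), and, for TXT queries matching the payload.<random>.<domain> pattern, checks whether the answer is valid Base64 and whether the decoded blob looks like a PE. The events, field names (taken from the Splunk and Elastic queries), and the 32‑byte size threshold are all assumptions for illustration, not real telemetry or a vendor rule.

```python
"""Hunt script for the ces_x64frev behavioural indicators (added example, not from
the original article). All events below are constructed; nothing here is real telemetry."""
import base64
import binascii
import re

# Constructed sample events. Service records mirror Windows EventCode 7045 fields as
# extracted by Splunk; DNS records are a flattened form of dns.question.* fields.
SAMPLE_EVENTS = [
    {"source": "service", "host": "ws01", "Service_Name": "CesService",
     "Service_File_Name": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.dll",
     "Service_Start_Type": "auto start"},
    {"source": "service", "host": "ws02", "Service_Name": "Spooler",
     "Service_File_Name": r"C:\Windows\System32\spoolsv.exe",
     "Service_Start_Type": "auto start"},
    {"source": "service", "host": "ws04", "Service_Name": "UpdaterSvc",   # renamed variant
     "Service_File_Name": r"C:\Users\eve\AppData\Local\Temp\upd.exe",
     "Service_Start_Type": "demand start"},
    {"source": "dns", "host": "ws01", "qtype": "TXT",
     "qname": "payload.k3j9x2.a1b2c3d4.com",
     "answer": base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()},  # fake PE stub
    {"source": "dns", "host": "ws03", "qtype": "TXT",
     "qname": "_dmarc.example.com", "answer": "v=DMARC1; p=reject"},     # benign TXT
    {"source": "dns", "host": "ws02", "qtype": "A",
     "qname": "payload.cdn.example.com", "answer": "203.0.113.10"},       # not TXT
]

KNOWN_BAD_SERVICE_NAMES = {"cesservice"}                       # section 3.2 / 5.2 IOC
# A service binary under a user profile is the "non-standard location" behaviour.
USER_WRITABLE_PATH = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\", re.IGNORECASE)
# payload.<random label>.<domain>, the TXT naming scheme from section 3.3
PAYLOAD_TXT_NAME = re.compile(r"^payload\.[a-z0-9-]+\.[a-z0-9.-]+$", re.IGNORECASE)
MIN_PAYLOAD_BYTES = 32  # assumed threshold: shorter blobs are unlikely to be a stage


def decode_txt_payload(answer):
    """Return the decoded bytes if the TXT answer is strict Base64, else None."""
    try:
        return base64.b64decode(answer, validate=True)
    except (binascii.Error, ValueError):
        return None


def check_service(ev):
    """Name-based IOC plus a path heuristic that survives a renamed service."""
    findings = []
    name = ev.get("Service_Name", "")
    path = ev.get("Service_File_Name", "")
    if name.lower() in KNOWN_BAD_SERVICE_NAMES:
        findings.append(("service_name_ioc", ev["host"], name))
    if USER_WRITABLE_PATH.search(path):
        findings.append(("service_in_user_path", ev["host"], path))
    return findings


def check_dns(ev):
    """Flag payload-style TXT names and validate the answer as a Base64 blob."""
    findings = []
    if ev.get("qtype") != "TXT":
        return findings
    qname = ev.get("qname", "")
    if not PAYLOAD_TXT_NAME.match(qname):
        return findings
    findings.append(("dns_txt_payload_name", ev["host"], qname))
    data = decode_txt_payload(ev.get("answer", ""))
    if data is not None and len(data) >= MIN_PAYLOAD_BYTES:
        kind = "pe_header" if data.startswith(b"MZ") else "binary_blob"
        findings.append(("dns_txt_base64_payload", ev["host"],
                         f"{qname} ({len(data)} bytes, {kind})"))
    return findings


def hunt(events):
    """Run every record through the rule matching its source; return (rule, host, detail)."""
    findings = []
    for ev in events:
        if ev.get("source") == "service":
            findings.extend(check_service(ev))
        elif ev.get("source") == "dns":
            findings.extend(check_dns(ev))
    return findings


if __name__ == "__main__":
    for rule, host, detail in hunt(SAMPLE_EVENTS):
        print(f"{host:5} {rule:24} {detail}")
```

On the sample set this yields five findings: two for ws01's CesService install (name and path), one for the renamed service on ws04 that only the path heuristic catches, and two for ws01's TXT query (name pattern and a 64‑byte Base64 blob starting with MZ). The DMARC record and the A query produce nothing, which is the point of requiring both the payload‑style name and a strictly valid Base64 answer before raising the second DNS finding.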