SnoozeGnat.7z


Information theft and persistent backdoor access.

What’s Inside?

: A legitimate, digitally signed executable used for "DLL side-loading." By using a trusted binary, the attacker lowers the suspicion level of the initial process start.

: The malicious payload. This is the heart of the SnoozeGnat operation. When the launcher runs, it automatically calls this DLL, which contains the encrypted malware logic.

: Addition of a key in HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to the extracted folder.

: Unusual POST requests to /api/v2/update on non-standard domains.
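A triage sketch for the two indicators above, added here as an example and not taken from the original write-up: it flags POST requests to /api/v2/update on hosts outside an allow-list, and Run values whose command points into a user-writable extraction directory. The proxy log layout (timestamp, client, method, URL), the allow-list, the directory list and all sample values are assumptions constructed for illustration; the registry text follows the layout printed by `reg query`.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts your organisation expects to serve an /api/v2/update endpoint.
KNOWN_UPDATE_HOSTS = {"updates.example.com"}
# Assumption: user-writable locations where an archive is typically extracted.
EXTRACT_DIRS = ("\\downloads\\", "\\desktop\\", "\\appdata\\local\\temp\\")

def flag_update_posts(proxy_lines, known_hosts=KNOWN_UPDATE_HOSTS):
    """Return (client, host) pairs that POSTed to /api/v2/update on an unknown host."""
    hits = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines
        _ts, client, method, url = parts[:4]
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        if (method.upper() == "POST" and u.path.rstrip("/") == "/api/v2/update"
                and host not in known_hosts):
            hits.append((client, host))
    return hits

# One value line of `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
RUN_VALUE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}REG_(?:EXPAND_)?SZ\s{4}(?P<data>.*)$")

def flag_run_values(reg_query_output, dirs=EXTRACT_DIRS):
    """Return (name, data) for Run values whose command points into an extraction dir."""
    hits = []
    for line in reg_query_output.splitlines():
        m = RUN_VALUE.match(line)
        if m and any(d in m.group("data").lower() for d in dirs):
            hits.append((m.group("name"), m.group("data")))
    return hits

# Constructed sample data (hosts, users and file names are placeholders).
SAMPLE_PROXY = [
    "2024-01-01T10:00:00Z 10.0.0.5 POST https://updates.example.com/api/v2/update",
    "2024-01-01T12:41:07Z 10.0.0.9 POST http://cdn-sync.invalid/api/v2/update",
    "2024-01-01T12:41:09Z 10.0.0.9 GET http://cdn-sync.invalid/api/v2/update",
]
SAMPLE_REG = (
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    OneDrive    REG_SZ    \"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background\n"
    "    Updater    REG_SZ    C:\\Users\\alice\\Downloads\\extracted\\launcher.exe\n"
)

if __name__ == "__main__":
    print(flag_update_posts(SAMPLE_PROXY))
    print(flag_run_values(SAMPLE_REG))
```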

: To avoid behavioral analysis (sandboxing), the malware enters a long sleep state. It uses high-resolution timers to wait for several minutes—or even hours—before making its first network call.

: An obfuscated configuration file containing Command & Control (C2) server addresses and sleep timers (hence the name "Snooze").

Execution Chain: How it Works
