Threat Watch

Researchers Uncover How Colibri Malware Stays Persistent on Hacked Systems

Colibri, a malware loader first discovered in August of 2021, has been discovered using a simple but efficient persistence mechanism on infected systems. Colibri has been seen deploying Vidar, a Windows-based information stealer, as part of its latest campaign.

A Colibri infection starts with a malicious Word document that contains a callout to a remote server to download a template and execute a malicious macro via remote template injection. This macro downloads the Colibri loader and executes it on the system, which in turn, leads to downloading and executing the Vidar stealer from the Colibri Command-and-Control server (C2). The persistence mechanism used by Colibri is via a scheduled task. Colibri copies itself into the user’s AppData folder, specifically under “\Local\Microsoft\WindowsApps” and names itself “Get-Variable.exe.” The scheduled task that is created is configured to execute “powershell.exe -windowstyle hidden” when launched. Get-Variable is a valid PowerShell cmdlet that is used to retrieve the value of a variable in the current console, while the WindowsApps directory is the default path in which PowerShell is executed. When the scheduled task is launched and the PowerShell command is executed, the system first looks for the Get-Variable executable in the local path, which in turn executes the Colibri binary instead of looking for the legitimate Get-Variable cmdlet.

Colibri has been advertised for sale on Russian-based underground hacking forums since its initial discovery in August of 2021, which coincides with when the first files related to the malware were uploaded to VirusTotal. Due to this, it is likely that the malicious actors behind Colibri were the first to utilize this specific persistence mechanism.


It is highly recommended to utilize EDR and proper logging mechanisms on all endpoints. Due to these specific malware samples being uploaded to VirusTotal in August of last year, all well-known EDR and AV solutions likely have signatures for these payloads that will help prevent them from being executed on a system. More importantly, logging process activity can greatly increase the chance of being able to detect this type of malicious behavior. An Office documenting calling out to the Internet or spawning PowerShell, abnormal processes creating scheduled tasks, and a binary file called Get-Variable.exe being placed into a user’s AppData folder are all behaviors that can be monitored for and alerted upon. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these detection needs. Finally, maintaining proper email security controls, such as scanning and sandboxing, can help prevent malicious Office documents, which are likely to be sent via phishing emails, from reaching end users’ devices in the first place.

Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique