Neshta is a file infector virus first identified around 2005 and attributed to a Belarusian author. It is written in the Delphi programming language. Its name derives from the Belarusian word "neshta" (something). As a classic file infector, Neshta spreads by modifying legitimate Windows executable (.exe) files so that its own code runs when an infected program is launched, which is why it continues to appear in malware telemetry long after its initial release. It is documented by Fraunhofer FKIE's Malpedia and has been the subject of named-vendor analyses, including write-ups by BlackBerry and Virus Bulletin.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1080 T1547.001 T1041 T1027
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_NESHTA {
meta:
description = "Detects Neshta (file_infector)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "neshta" ascii wide nocase
$s2 = "win32.neshta" ascii wide nocase
$s3 = "neshuta" ascii wide nocase
$s4 = "neshta.a" ascii wide nocase
$s5 = "neshta.b" ascii wide nocase
$s6 = "sality_neshta" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Neshta Activity
id: 05c1fd9015aa309c7b29a3452e91ffeb
status: experimental
description: Detects generic indicators of the neshta malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*neshta*"
- "*win32.neshta*"
- "*neshuta*"
- "*neshta.a*"
- "*neshta.b*"
- "*sality_neshta*"
condition: selection
level: mediumNeshta is a file infector virus, first seen around 2005 and written in the Delphi programming language. It is attributed to a Belarusian author, and its name comes from the Belarusian word "neshta," meaning "something."
As a file infector, Neshta propagates by altering legitimate Windows executable (.exe) files so that the malicious code executes whenever an infected program is run. This parasitic infection of host files is the defining behavior of the file infector class to which Neshta belongs.
Because Neshta infects existing executables rather than relying on a single dropper, infected files can persist and continue to circulate for many years. Security vendors such as BlackBerry have noted that the file infector endures in collected samples long after its original 2005 appearance.
Neshta has a profile in Fraunhofer FKIE's Malpedia, and it has been analyzed in named-vendor publications including a BlackBerry threat spotlight (2019) and a Virus Bulletin article (2014). These sources describe it as a long-running Delphi file infector of Belarusian origin.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/neshta.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.