Neshta

Category: file_infector · Aliases: win32.neshta, neshuta, neshta.a, neshta.b, sality_neshta · Sample count (EMBER 2018): 443 · Enrichment: curated_sourced · Updated: 2026-06-11

Overview

Neshta is a file infector virus first identified around 2005 and attributed to a Belarusian author. It is written in the Delphi programming language. Its name derives from the Belarusian word "neshta" (something). As a classic file infector, Neshta spreads by modifying legitimate Windows executable (.exe) files so that its own code runs when an infected program is launched, which is why it continues to appear in malware telemetry long after its initial release. It is documented by Fraunhofer FKIE's Malpedia and has been the subject of named-vendor analyses, including write-ups by BlackBerry and Virus Bulletin.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1080 T1547.001 T1041 T1027

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_NESHTA {
    meta:
        description = "Detects Neshta (file_infector)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "neshta" ascii wide nocase
        $s2 = "win32.neshta" ascii wide nocase
        $s3 = "neshuta" ascii wide nocase
        $s4 = "neshta.a" ascii wide nocase
        $s5 = "neshta.b" ascii wide nocase
        $s6 = "sality_neshta" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Neshta Activity
id: 05c1fd9015aa309c7b29a3452e91ffeb
status: experimental
description: Detects generic indicators of the neshta malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*neshta*"
            - "*win32.neshta*"
            - "*neshuta*"
            - "*neshta.a*"
            - "*neshta.b*"
            - "*sality_neshta*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is Neshta?

Neshta is a file infector virus, first seen around 2005 and written in the Delphi programming language. It is attributed to a Belarusian author, and its name comes from the Belarusian word "neshta," meaning "something."

How does Neshta spread?

As a file infector, Neshta propagates by altering legitimate Windows executable (.exe) files so that the malicious code executes whenever an infected program is run. This parasitic infection of host files is the defining behavior of the file infector class to which Neshta belongs.

Why does Neshta still appear in malware datasets today?

Because Neshta infects existing executables rather than relying on a single dropper, infected files can persist and continue to circulate for many years. Security vendors such as BlackBerry have noted that the file infector endures in collected samples long after its original 2005 appearance.

What sources document Neshta?

Neshta has a profile in Fraunhofer FKIE's Malpedia, and it has been analyzed in named-vendor publications including a BlackBerry threat spotlight (2019) and a Virus Bulletin article (2014). These sources describe it as a long-running Delphi file infector of Belarusian origin.

Related Families (Category: file_infector)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/neshta.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.