Occamy

Category: trojan_generic · Aliases: None known · Sample count (EMBER 2018): 589 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Trojan:Win32/Occamy is a highly sophisticated, often fileless trojan framework engineered to evade detection and deliver severe secondary payloads like ransomware and information stealers.

Understanding Occamy
To an end-user, an Occamy infection presents no visible symptoms until the secondary payload executes. For threat intelligence analysts, Occamy represents a modern, evasive loader. It relies heavily on 'Living off the Land' (LotL) techniques, utilizing built-in Windows administrative tools (like PowerShell, WMI, and MSHTA) to download and execute its code entirely in memory, leaving a minimal footprint on the hard drive.

Execution and Evasion Strategies
Occamy is frequently distributed via weaponized Microsoft Office documents containing malicious VBA macros. Upon opening, the macro spawns a hidden PowerShell process that connects to a Command and Control (C2) server. It uses AES encryption and heavy obfuscation to hide its network traffic. The trojan employs Process Hollowing, injecting its malicious payload into legitimate system processes like svchost.exe or explorer.exe to bypass behavioral detection. Persistence is often achieved through WMI event subscriptions or hidden scheduled tasks rather than traditional Registry keys.

Indicators of Compromise & Impact
The impact of Occamy is a complete compromise of the endpoint, often leading to ransomware deployment or lateral movement. Incident responders should monitor for anomalous child processes spawning from Microsoft Office applications (e.g., winword.exe spawning powershell.exe). Hunt for encoded PowerShell commands (-enc) executing from the command line. Memory forensics is crucial to extract the decrypted Occamy payload from the hollowed system processes.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1059.001Command and Scripting Interpreter: PowerShellExecution
T1055.012Process Injection: Process HollowingDefense Evasion
T1546.003Event Triggered Execution: Windows Management Instrumentation Event SubscriptionPersistence
T1105Ingress Tool TransferCommand and Control
T1027.005Obfuscated Files or Information: Indicator Removal from ToolsDefense Evasion

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_OCCAMY {
    meta:
        description = "Detects Occamy (trojan_generic)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "occamy" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Occamy Activity
id: bc25e2c138328789db30787d67c223e6
status: experimental
description: Detects generic indicators of the occamy malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*occamy*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Immediately isolate the endpoint from the network to sever the C2 connection and prevent the download of secondary ransomware.
  2. Capture a full forensic memory dump; because Occamy often operates filelessly, crucial evidence exists only in RAM.
  3. Analyze PowerShell Script Block Logging (Event ID 4104) to decode the heavily obfuscated commands executed by the trojan.
  4. Rebuild the operating system entirely, as fileless persistence mechanisms (like WMI subscriptions) are notoriously difficult to fully eradicate.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not rely solely on traditional antivirus scans; fileless threats like Occamy are designed to bypass static, disk-based signatures.
  2. Avoid rebooting the machine during triage; rebooting clears the RAM and destroys the injected payloads needed for analysis.

References & External Analysis

Related Families (Category: trojan_generic)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/occamy.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.