Trojan:Win32/Occamy is a highly sophisticated, often fileless trojan framework engineered to evade detection and deliver severe secondary payloads like ransomware and information stealers.
Understanding Occamy
To an end-user, an Occamy infection presents no visible symptoms until the secondary payload executes. For threat intelligence analysts, Occamy represents a modern, evasive loader. It relies heavily on 'Living off the Land' (LotL) techniques, utilizing built-in Windows administrative tools (like PowerShell, WMI, and MSHTA) to download and execute its code entirely in memory, leaving a minimal footprint on the hard drive.
Execution and Evasion Strategies
Occamy is frequently distributed via weaponized Microsoft Office documents containing malicious VBA macros. Upon opening, the macro spawns a hidden PowerShell process that connects to a Command and Control (C2) server. It uses AES encryption and heavy obfuscation to hide its network traffic. The trojan employs Process Hollowing, injecting its malicious payload into legitimate system processes like svchost.exe or explorer.exe to bypass behavioral detection. Persistence is often achieved through WMI event subscriptions or hidden scheduled tasks rather than traditional Registry keys.
Indicators of Compromise & Impact
The impact of Occamy is a complete compromise of the endpoint, often leading to ransomware deployment or lateral movement. Incident responders should monitor for anomalous child processes spawning from Microsoft Office applications (e.g., winword.exe spawning powershell.exe). Hunt for encoded PowerShell commands (-enc) executing from the command line. Memory forensics is crucial to extract the decrypted Occamy payload from the hollowed system processes.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
| Technique | Name | Tactic |
|---|---|---|
T1059.001 | Command and Scripting Interpreter: PowerShell | Execution |
T1055.012 | Process Injection: Process Hollowing | Defense Evasion |
T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | Persistence |
T1105 | Ingress Tool Transfer | Command and Control |
T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | Defense Evasion |
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_OCCAMY {
meta:
description = "Detects Occamy (trojan_generic)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "occamy" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Occamy Activity
id: bc25e2c138328789db30787d67c223e6
status: experimental
description: Detects generic indicators of the occamy malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*occamy*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/occamy.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.