The Mimic Octopus: Weaponizing File Corruption and Recoverability to Bypass Antivirus and Email Filtering
This paper investigates a novel tactic in phishing operations where threat actors intentionally corrupt document and archive files, such as DOCX, DOCM, PDF, and ZIP, to evade antivirus (AV) and email filtering systems. These files, though malformed, are recoverable by native tools like Microsoft Word, Adobe Reader, and WinRAR. As a result, malicious payloads can still execute after delivery. Building on prior findings by Any.Run (Any.Run, 2024), this study expands the corruption methodology to include multiple structural modifications and evaluates their impact on AV detection via VirusTotal and behavior in the Any.Run sandbox. A custom corruption suite and a detection tool were developed to automate the corruption process and its detection, and to analyze results across formats.
sans-The-Mimic-Octopus-justin-gazick (PDF, 8.51MB)
3 Sep 2025

Related Content
Post-Exploitation: C2 Framework Effectiveness Against Advanced Audit Logging
Research Paper: This research paper examines the effectiveness of a sample of open-source Command-and-Control (C2) frameworks in evading advanced audit logging during post-exploitation.
- 20 Mar 2026
Enhancing Security Operations with Google Threat Intelligence
Research Paper: This product review examines how Google Threat Intelligence's extensive data sources, real-time insights, and investigative capabilities can elevate SecOps workflows and strengthen an organization's defensive posture.
- 24 Nov 2025
- Dave Shackleford
Interrogators: Attack Surface Mapping in an Agentic World
Research Paper: This research introduces the concept of AI agent interrogators and the open-source project Agent Interrogator, an opaque-box interrogation framework designed to map the attack surface of agentic systems.
- 23 Oct 2025
From Crash to Compromise: Unlocking the Potential of Windows Crash Dumps in Offensive Security
Research Paper: This research explores how offensive security practitioners can incorporate crash dump analysis into their workflows to extract sensitive data such as plaintext credentials, encryption keys, and files from memory.
- 9 May 2025
- SANS Institute
CloudFront Real-Time Logs Rate Sampling and Detection
Research Paper: As businesses aim to optimize their AWS CloudFront expenses, some disable CloudFront Real-Time logs....
- 29 Jan 2024
The Evolution of the Digital Predator: Using AI to Evade Security Controls
Research Paper: Since the advent of the computer, there has been a never-ending game of cat and mouse between those...
- 20 Dec 2023
- Foster Nethercott
Who Needs a Pentest: Validating the Configuration of an EDR Solution Using the MITRE ATT&CK Framework
Research Paper: Is that EDR suite fully configured, and providing the expected protection? Do we have a scalable way...
- 7 Nov 2023
Tearing up Smart Contract Botnets
Research Paper: The distributed resiliency of smart contracts on private blockchains is enticing to bot herders as a...
- 22 Oct 2018
Clickbait: Owning SSL via Heartbleed, POODLE, and Superfish
Research Paper: In the twilight of SSL's effectiveness as a method of secure communication, demonstration of...
- 23 Dec 2015
- SANS Institute
