April 28, 2026
Subject: Analysis of Compressed Archive Denim_Reflux_Roving_Dove.7z
Classification: Internal / Technical Forensic Analysis

1. Executive Summary

/logs/ : Automated exfiltration logs detailing system reconnaissance.
/bin/ : Contains executable files identified as [e.g., custom backdoors or loaders].

4. Technical Analysis

4.1 Behavioral Analysis

Attempts to beacon to dove-reflux-api.net via HTTPS on port 443.

The "Denim" component serves as a modular framework, allowing the threat actor to push additional "Reflux" plugins. Key capabilities include:
- Keyboard logging (Keylogging).
- Screen capture and video exfiltration.
- Lateral movement via SMB credential dumping.

5. Conclusion & Recommendations

Run a fleet-wide scan for the SHA-256 hashes identified in Section 2.