Detecting the Undetectable: Threat Hunting in Appliance Environments
Sagi Tzadik, Shahar Dorfman
fwd:cloudsec North America 2025 · Day 1 · Track 1 - Crystal
Sagi Tzadik and Shahar Dorfman, security researchers at **Wiz**, present a methodology for hunting sophisticated malware in cloud-hosted **virtual appliance environments**. Virtual appliances, such as the products of Ivanti, Palo Alto Networks (PAN-OS), Fortinet, Aviatrix, and Zscaler, are notoriously difficult to monitor: they restrict root access, prevent agent installation, and operate as black boxes. The researchers use cloud **snapshot APIs** to create forensic images of appliance volumes without needing access inside the guest, then build file prevalence histograms across multiple deployments of the same appliance to identify anomalies. By focusing on the **"long tail"** of files that appear on fewer than 5% of monitored instances, they discovered previously undetected malware, including web shells and Sliver implants, and traced the activity to what appears to be a **state-sponsored threat actor** operating across multiple appliance exploitation campaigns.
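The prevalence step of the method above, as an added example that is not code from the talk or from Wiz. It assumes each volume snapshot has already been mounted read-only and walked into a list of (path, sha256) records; the appliance paths, instance ids, and the two planted anomalies are all constructed for illustration. Files are keyed on path and content hash together (an assumption about how the histogram is built), so a stock binary replaced by different bytes on one instance surfaces in the long tail instead of hiding behind a path that every instance has.

```python
# Added example: long-tail file-prevalence hunting across appliance snapshots.
# Not code from the talk or from Wiz; it assumes each appliance volume snapshot
# has already been mounted read-only and walked into (path, sha256) records.
# All inventories below are constructed for illustration.
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileKey:
    """A file is identified by path AND content hash, so a trojaned stock
    binary (same path, different bytes) is counted separately from the
    legitimate one rather than hidden behind its path."""
    path: str
    sha256: str


def content_hash(label: str) -> str:
    # Constructed stand-in: a real inventory hashes the file bytes read from
    # the mounted snapshot; here the label just yields a distinct, stable digest.
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed baseline: the stock appliance image every instance should carry.
BASELINE = {
    "/bin/busybox": content_hash("busybox-1.36"),
    "/opt/appliance/www/index.php": content_hash("index-v7"),
    "/opt/appliance/bin/agent": content_hash("agent-v7"),
    "/etc/appliance/version": content_hash("7.0.3"),
}


def build_inventories(n_instances=25):
    """Constructed inventories: n identical instances plus two anomalies,
    a dropped web shell on i-0003 and a stock binary replaced on i-0017."""
    inventories = {
        f"i-{idx:04d}": {FileKey(p, h) for p, h in BASELINE.items()}
        for idx in range(n_instances)
    }
    inventories["i-0003"].add(
        FileKey("/opt/appliance/www/help.php", content_hash("webshell")))
    stock_agent = FileKey("/opt/appliance/bin/agent",
                          BASELINE["/opt/appliance/bin/agent"])
    inventories["i-0017"].discard(stock_agent)
    inventories["i-0017"].add(
        FileKey("/opt/appliance/bin/agent", content_hash("implant")))
    return inventories


def prevalence(inventories):
    """Histogram: for each (path, hash) the fraction of instances carrying it,
    plus the instance ids, so a hit can be traced back to its snapshot."""
    seen_on = defaultdict(set)
    for instance_id, files in inventories.items():
        for key in files:
            seen_on[key].add(instance_id)
    total = len(inventories)
    return {key: (len(ids) / total, sorted(ids)) for key, ids in seen_on.items()}


def min_instances_for(max_fraction):
    """Smallest fleet size at which a file present on a single instance falls
    strictly below the threshold (1/n < max_fraction); for 5% that is 21."""
    return math.floor(1 / max_fraction) + 1


def long_tail(inventories, max_fraction=0.05):
    """Files whose prevalence is strictly below max_fraction."""
    if len(inventories) < min_instances_for(max_fraction):
        raise ValueError(
            f"need at least {min_instances_for(max_fraction)} instances for a "
            f"{max_fraction:.0%} threshold to isolate single-instance files")
    return {key: hit for key, hit in prevalence(inventories).items()
            if hit[0] < max_fraction}


if __name__ == "__main__":
    hits = sorted(long_tail(build_inventories()).items(),
                  key=lambda kv: kv[0].path)
    for key, (fraction, ids) in hits:
        print(f"{fraction:6.1%}  {key.path}  {key.sha256[:12]}  on {ids}")
```

The `min_instances_for` guard is the practical caveat of a fixed 5% cut-off: with fewer than 21 snapshots of the same appliance a file dropped on exactly one instance sits at 1/n >= 5% and never enters the tail, so a small fleet needs either more snapshots or a higher threshold. Pairing path with hash also keeps the legitimate stock binary at 24/25 while the replaced copy on one instance lands at 1/25.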
AI review
Solid threat hunting methodology with real results: four zero-day malware samples, Sliver implants in the wild, and a state-sponsored actor attribution across multiple appliance campaigns. The snapshot-based file prevalence approach is clever, practical, and fills a genuine gap in appliance security. Would have been a 5 if they'd gone deeper on the malware analysis and actor TTPs.