Elastic Security Labs uncovers BRUSHWORM and BRUSHLOGGER
ID: da7f2e74-7f90-58e3-ab34-f8fbd091899b
STIX ID: report--da7f2e74-7f90-58e3-ab34-f8fbd091899b
Feed Name: Elastic Security Labs
**Executive summary:** Elastic Security Labs identified two custom malware components used against a South Asian financial institution: BRUSHWORM (a modular backdoor with scheduled‑task persistence, WinHTTP C2/payload download, USB propagation, and broad file theft with staging and hash tracking) and BRUSHLOGGER (a DLL side‑loading keylogger that captures window context and XOR‑encoded logs); the report provides behavioral details, YARA rules, IoCs, and evidence of iterative development and active C2 infrastructure.
