Snoozegnat.7z -

: A legitimate, digitally signed executable used for "DLL side-loading." By using a trusted binary, the attacker lowers the suspicion level of the initial process start.

: Once awake, it communicates with a hardcoded IP via HTTPS, disguised as standard telemetry traffic. Behavioral Indicators (IoCs) SnoozeGnat.7z

: The legitimate launcher looks for its required library. Because gnat_api.dll is in the same folder, it loads the malicious version instead of the system version. : A legitimate, digitally signed executable used for

Monitor for long-duration "sleep" processes that suddenly initiate external network connections. Because gnat_api

Drop a comment below or reach out to our SOC team for the full YARA rule set.

: An obfuscated configuration file containing Command & Control (C2) server addresses and sleep timers (hence the name "Snooze"). Execution Chain: How it Works