SnoozeGnat.7z

File name: SnoozeGnat.7z
Compression type: LZMA2
Initial discovery: April 2026

Overview

SnoozeGnat.7z is a compressed archive in 7-Zip (LZMA2) format. Archives of this kind are commonly used to slip past basic email filters, which struggle to inspect nested or password-protected compression.

What the archive contains

- A legitimate, digitally signed executable used for DLL side-loading. Starting from a trusted binary lowers the suspicion attached to the initial process launch.
- An obfuscated configuration file containing Command & Control (C2) server addresses and sleep timers (hence the name "Snooze").

Execution Chain: How it Works

To evade behavioral analysis in a sandbox, the malware enters a long sleep state. It uses high-resolution timers to wait several minutes, or even hours, before making its first network call. A sandbox with a short analysis window therefore never observes any network activity from the sample.

Indicators of Compromise

- Creation of temporary .tmp files in the %AppData% directory that match the size of your system's ntdll.dll. Because the size of ntdll.dll differs between Windows builds, compare against the ntdll.dll on the host being examined rather than a fixed value.
- Unusual POST requests to /api/v2/update on non-standard domains.

Conclusion & Mitigation

Implement detection that flags DLL side-loading from non-standard paths.
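The following script is an added example, not code from the original post or from any vendor tooling. It runs the indicators and the mitigation above as hunting rules over constructed endpoint telemetry. The event schema, field names, the sample events, the ntdll.dll size, the list of commonly side-loaded DLL names and the allowlisted update host are all assumptions made for the demonstration.

```python
"""Hunt constructed endpoint telemetry for the SnoozeGnat indicators.

Added example, not from the original post. Event schema, sample events,
NTDLL_SIZE, KNOWN_SYSTEM_DLLS and TRUSTED_UPDATE_HOSTS are assumptions.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumption: on a real host, read this from the actual
# %SystemRoot%\System32\ntdll.dll, since the size varies per Windows build.
NTDLL_SIZE = 2_086_584
APPDATA_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\")
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed: DLL names frequently abused for side-loading (tune to your estate).
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll"}
TRUSTED_UPDATE_HOSTS = {"update.example-vendor.com"}  # assumed allowlist
MIN_SLEEP_BEFORE_NETWORK = timedelta(minutes=5)


def check_tmp_file(ev):
    """IoC: .tmp file created under %AppData% sized exactly like ntdll.dll."""
    path = ev["path"].lower()
    in_appdata = any(m in path for m in APPDATA_MARKERS)
    return in_appdata and path.endswith(".tmp") and ev["size"] == NTDLL_SIZE


def check_sideload(ev):
    """Mitigation: a system-DLL name loaded by a signed process from a
    non-standard path (outside System32/SysWOW64) is a side-loading signal."""
    dll = ev["image_loaded"].lower()
    name = PureWindowsPath(dll).name
    from_system_dir = dll.startswith(SYSTEM_DLL_DIRS)
    return bool(ev.get("signed_process", False)) and name in KNOWN_SYSTEM_DLLS and not from_system_dir


def check_c2_post(ev):
    """IoC: POST to /api/v2/update on a host outside the allowlist."""
    return (ev["method"] == "POST" and ev["path"] == "/api/v2/update"
            and ev["host"].lower() not in TRUSTED_UPDATE_HOSTS)


def check_delayed_beacon(start_ev, net_ev):
    """Execution chain: long silence between process start and first network call."""
    return net_ev["ts"] - start_ev["ts"] >= MIN_SLEEP_BEFORE_NETWORK


def hunt(events):
    """Apply every rule to a chronological event list; returns (rule, pid) hits."""
    hits, starts, first_net = [], {}, {}
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "process_start":
            starts[pid] = ev
        elif kind == "file_create" and check_tmp_file(ev):
            hits.append(("ntdll_sized_tmp", pid))
        elif kind == "image_load" and check_sideload(ev):
            hits.append(("dll_sideload", pid))
        elif kind == "http":
            if check_c2_post(ev):
                hits.append(("c2_update_post", pid))
            if pid not in first_net:  # only the first network call matters
                first_net[pid] = ev
                if pid in starts and check_delayed_beacon(starts[pid], ev):
                    hits.append(("delayed_first_beacon", pid))
    return hits


T0 = datetime(2026, 4, 1, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed telemetry, not real captures
    {"type": "process_start", "pid": 4242, "ts": T0, "signed_process": True,
     "image": r"C:\Users\alice\AppData\Local\Temp\Updater\vendorupdater.exe"},
    {"type": "image_load", "pid": 4242, "ts": T0 + timedelta(seconds=1), "signed_process": True,
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\Updater\version.dll"},
    {"type": "file_create", "pid": 4242, "ts": T0 + timedelta(seconds=2),
     "path": r"C:\Users\alice\AppData\Roaming\~df3a1b.tmp", "size": NTDLL_SIZE},
    {"type": "http", "pid": 4242, "ts": T0 + timedelta(hours=2, minutes=13),
     "method": "POST", "host": "cdn-metrics.example.net", "path": "/api/v2/update"},
    # Benign noise: a real updater loading from System32 and posting to its vendor at once.
    {"type": "process_start", "pid": 5150, "ts": T0, "signed_process": True,
     "image": r"C:\Program Files\Vendor\upd.exe"},
    {"type": "image_load", "pid": 5150, "ts": T0, "signed_process": True,
     "image_loaded": r"C:\Windows\System32\version.dll"},
    {"type": "http", "pid": 5150, "ts": T0 + timedelta(seconds=3),
     "method": "POST", "host": "update.example-vendor.com", "path": "/api/v2/update"},
]

if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Run against the constructed events, pid 4242 trips all four rules while the benign updater (pid 5150) trips none; in production, feed it Sysmon or EDR events mapped onto the same fields and replace NTDLL_SIZE with the size read from the host's own ntdll.dll.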
Drop a comment below or reach out to our SOC team for the full YARA rule set.