The security firm ESET found a mysterious instance of the Avatar rootkit that uses an API, an SDK, and Yahoo Groups for C&C communication. The malware uses two different infection techniques: the first in the dropper, to bypass detection by HIPS, and the second in the rootkit driver, to allow the malware to survive a system reboot. The malware uses a hidden file system to store the user-mode payload module and additional files; all of this data is encrypted with a custom symmetric cipher.
Source: http://securityaffairs.co/wordpress/14040/cyber-crime/eset-on-ingenious-avatar-rootkit.html