Customer support queues for Web3 platforms are facing a highly sophisticated, multi-stage malware campaign disguised as routine user inquiries. Attackers posed as frustrated users needing transaction help, sharing links that appeared to be innocent screenshots. Instead of a standard image, these links initiated a complex infection chain designed to compromise workstations and establish persistent backdoor access.
Security researchers have tracked the tooling and infrastructure and, with moderate confidence, attributed the activity to APT-Q-27, a financially motivated group also known as GoldenEyeDog. Active since at least 2022, this Chinese-nexus group has a documented history of targeting the global cryptocurrency and gambling sectors.
Upon successful execution, the initial loader performs anti-debugging and sandbox-evasion checks before establishing network communication. All strings in the loader are protected by a custom runtime encryption scheme, preventing plaintext URLs or file paths from being stored on disk. The malware retrieves a payload manifest from an AWS S3 dead drop. It downloads a six-file package into a hidden staging directory.
This directory path deliberately impersonates the Windows Update cache to evade casual security monitoring, and the hidden folder name consistently carries a distinctive @27 tag. The attackers then use a classic DLL sideloading technique to execute their payload. The staging directory includes a legitimately signed executable from the YY platform, named updat.exe. Because this legitimate binary imports vcruntime140.dll and msvcp140.dll by name, the Windows DLL search order checks the application's own directory first and inadvertently loads the malicious copies of those two DLLs that the attacker dropped alongside it.
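The two on-disk indicators described above (a hidden folder whose name carries the @27 tag, and the two runtime DLLs sitting next to an executable outside a system directory) are straightforward to hunt for. The following Python script is an added example, not code from the article or from the researchers it cites: it walks a directory tree and reports both conditions. The directory layout it builds is constructed for the demonstration; the article does not disclose the real staging path, so the folder name used here is a placeholder.

```python
import os
import shutil
import tempfile

# Names the article associates with the staging directory: the YY-signed
# updat.exe and the two runtime DLLs that get sideloaded beside it.
SIDELOAD_DLLS = {"vcruntime140.dll", "msvcp140.dll"}
STAGING_TAG = "@27"

# Locations (relative to the scanned root, Windows-style) where these runtime
# DLLs legitimately live. An executable paired with a local copy of them
# anywhere else deserves a closer look.
TRUSTED_DIRS = ("windows\\system32", "windows\\syswow64", "windows\\winsxs")


def scan_tree(root):
    """Walk `root` and return a list of (directory, reason) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        name = os.path.basename(dirpath)
        lowered = {f.lower() for f in filenames}

        # Indicator 1: the @27 tag in the folder name.
        if STAGING_TAG in name:
            findings.append((dirpath, "folder name carries the @27 staging tag"))

        # Indicator 2: an .exe beside vcruntime140.dll / msvcp140.dll outside
        # the directories where those DLLs normally reside.
        rel = os.path.relpath(dirpath, root).replace("/", "\\").lower()
        if any(rel.startswith(t) for t in TRUSTED_DIRS):
            continue
        exes = sorted(f for f in lowered if f.endswith(".exe"))
        dlls = sorted(SIDELOAD_DLLS & lowered)
        if exes and dlls:
            findings.append(
                (dirpath, "executable %s sits beside %s outside a system directory" % (exes, dlls))
            )
    return findings


def build_constructed_tree(root):
    """Lay out a constructed tree: a benign system dir, a benign app dir and
    one staging dir shaped like the article's description. Placeholder names."""
    layout = {
        "Windows/System32": ["notepad.exe", "vcruntime140.dll", "msvcp140.dll"],
        "Program Files/BenignApp": ["benign.exe", "readme.txt"],
        "ProgramData/WUCache@27": ["updat.exe", "vcruntime140.dll", "msvcp140.dll"],
    }
    for rel_dir, files in layout.items():
        d = os.path.join(root, *rel_dir.split("/"))
        os.makedirs(d, exist_ok=True)
        for f in files:
            with open(os.path.join(d, f), "wb") as fh:
                fh.write(b"\x00")  # content is irrelevant; only names matter here


def demo():
    """Build the constructed tree in a temp dir, scan it, clean up, return findings."""
    root = tempfile.mkdtemp()
    try:
        build_constructed_tree(root)
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(path, "->", reason)
```

On the constructed tree the scan flags only the placeholder staging directory, twice (once for the tag, once for the DLL pairing), and stays silent on System32, where the same DLL names are expected. On a real workstation, point `scan_tree` at the system drive and follow up on any hit by checking the Authenticode signature of the flagged DLLs.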
This sideloading process ensures the execution occurs within the context of a trusted application, successfully bypassing standard signature verification checks. The infrastructure analysis of the final backdoor reveals hardcoded communication with 37 distinct command-and-control servers. All outbound traffic routes over TCP port 15628, utilizing a custom 16-byte rolling XOR cipher to encrypt network communications.
Several of these IP addresses reside on autonomous systems previously linked to APT-Q-27 infrastructure and use geolocation obfuscation to mask their true origins. Network defenders should monitor for unexpected outbound connections over port 15628 and for the simultaneous zeroing of UAC registry keys. System administrators in the Web3 space should ensure file extensions are visible on all workstations so that disguised executables are easy to identify.
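Two of the network-side points above lend themselves to a small, runnable illustration: flagging outbound TCP connections to port 15628 in a connection log, and showing why a 16-byte repeating XOR cipher offers little protection once any 16 bytes of plaintext are known. The script below is an added example, not code from the article or from the researchers it cites. It assumes the "rolling XOR" is a plain repeating-key XOR (byte i XORed with key[i % 16]); the article does not spell out the exact scheme, so that form is an assumption. The key, the beacon content and the log lines are all constructed for the demonstration.

```python
from itertools import cycle

C2_PORT = 15628   # port the article says all backdoor traffic uses
KEY_LEN = 16      # article: 16-byte rolling XOR

# Constructed key and beacon plaintext; neither comes from the real malware.
KEY = bytes.fromhex("a35c19e74b02d86f91c42e7a0db563f8")
BEACON = b'{"id":"WS-0412","host":"support-ws-12","ver":"1.4"}'

# Constructed Zeek conn.log-style lines (tab-separated: ts, uid, orig_h,
# orig_p, resp_h, resp_p, proto). Documentation IP ranges, not real traffic.
CONN_LOG = (
    "1718000001.120\tCabc1\t10.0.5.23\t51022\t203.0.113.10\t443\ttcp\n"
    "1718000002.431\tCabc2\t10.0.5.23\t51023\t203.0.113.77\t15628\ttcp\n"
    "1718000003.002\tCabc3\t10.0.5.41\t60110\t198.51.100.9\t80\ttcp\n"
    "1718000004.777\tCabc4\t10.0.5.23\t51030\t203.0.113.77\t15628\ttcp\n"
    "1718000005.100\tCabc5\t10.0.5.88\t40010\t198.51.100.200\t15628\ttcp\n"
    "1718000006.300\tCabc6\t10.0.5.88\t40011\t198.51.100.200\t15628\tudp\n"
)


def xor_rolling(data, key):
    """Repeating-key XOR (assumed cipher form). Symmetric: encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext, known_prefix, key_len=KEY_LEN):
    """Known-plaintext recovery. If the first key_len bytes of plaintext are
    known (for example a fixed beacon header observed in a sandbox run),
    XORing them with the ciphertext yields the entire repeating key."""
    if len(known_prefix) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least %d bytes of known plaintext and ciphertext" % key_len)
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def looks_like_text(data):
    """Cheap plausibility check on a decryption attempt: all printable ASCII."""
    return all(0x20 <= b <= 0x7E for b in data)


def find_c2_candidates(log_text, port=C2_PORT):
    """Map each internal host to the sorted list of peers it reached over TCP on `port`."""
    hits = {}
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        _ts, _uid, orig_h, _orig_p, resp_h, resp_p, proto = fields[:7]
        if proto == "tcp" and int(resp_p) == port:
            hits.setdefault(orig_h, set()).add(resp_h)
    return {h: sorted(peers) for h, peers in hits.items()}


def demo():
    """Encrypt the constructed beacon, recover the key from a 16-byte crib,
    decrypt, and run the port-15628 sweep over the constructed log."""
    ciphertext = xor_rolling(BEACON, KEY)
    recovered = recover_key(ciphertext, BEACON[:KEY_LEN])
    plaintext = xor_rolling(ciphertext, recovered)
    return recovered, plaintext, looks_like_text(plaintext), find_c2_candidates(CONN_LOG)


if __name__ == "__main__":
    key, pt, plausible, hits = demo()
    print("recovered key:", key.hex(), "matches:", key == KEY)
    print("decrypted:", pt.decode(), "plausible:", plausible)
    for host, peers in hits.items():
        print("%s -> %s over tcp/%d" % (host, ", ".join(peers), C2_PORT))
```

The log sweep keys on protocol as well as port so that an unrelated UDP flow on 15628 does not pollute the results; in production, feed it the real conn.log and treat every hit as a host to isolate and image. The key-recovery half is the reason defenders can expect to read captured traffic once a memory dump or sandbox run exposes even a single beacon: with a repeating 16-byte key, every message shares the same keystream.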