A sophisticated cyber threat campaign is targeting Web3 customer support staff, employing fake screenshot lures to install persistent backdoors on unsuspecting employees’ machines. The stealthy operation, attributed to APT-Q-27, leverages social engineering within live chat interactions to bypass traditional security measures and infiltrate organizations, according to recent analysis.
The threat group, also recognized as GoldenEyeDog, has a history of targeting the gambling and cryptocurrency sectors. This latest strategy marks a significant shift from their previous methods, moving from broad attacks via trojanized software or watering hole sites to a more focused approach that infiltrates the direct line of communication between customers and support agents. ZeroShadow researchers identified the campaign after partners at 1inch reported suspicious activity in their support queue, characterized by repetitive requests from various accounts and rotating IP addresses, all utilizing the same disguised shortlink.
Web3 Support Staff Targeted by Multi-Stage Malware Campaign
The attack chain begins when a threat actor, posing as a confused customer, sends a shortlink within a live chat window. This link is cleverly disguised to appear as a benign screenshot, often hosted on a platform like Google Drive to enhance its credibility. Upon clicking the link, victims are prompted to download a file that, due to default Windows settings hiding file extensions, appears to be an image. However, the file is actually an executable disguised using the obscure .pif format. When opened, it displays a visual deception—a broken web page—while the malicious payload is silently installed in the background.
This initial lure file is designed to fetch a manifest file from an AWS S3 bucket. This manifest acts as a dynamic table of contents, containing a list of URLs that can be updated remotely, allowing the attackers to easily rotate their infrastructure without altering the malware itself. This agility is a key aspect of the campaign’s effectiveness, making it harder for security teams to blacklist malicious infrastructure.
DLL Sideloading and Stealthy Execution
The core of the malware delivery mechanism relies on a technique known as DLL sideloading. The downloaded package includes a legitimate, digitally signed executable from the YY platform, named ‘updat.exe’. Alongside this legitimate file, attackers place malicious copies of two standard Windows runtime dynamic-link libraries (DLLs): ‘vcruntime140.dll’ and ‘msvcp140.dll’. Windows, when loading dependencies for an application, first checks the application’s working directory before searching system folders. Consequently, when ‘updat.exe’ is launched from the staging directory, it loads the malicious DLLs instead of the legitimate ones.
The attacker-controlled ‘crashreport.dll’ then reads an encrypted file named ‘yyext.log’. This encrypted data is decrypted and executed entirely in memory as shellcode. This in-memory execution is a crucial stealth technique that helps bypass security solutions designed to detect malicious files written to disk. The shellcode’s final payload is a backdoor implant, approximately 340KB in size, which is also decompressed and loaded into memory, leaving no direct file artifact to be found by standard forensic analysis.
Persistence and Evasion Tactics
To ensure the backdoor remains persistent across reboots, the loader creates a registry startup key named “SystemUpdats,” a deliberate misspelling of the legitimate “SystemUpdate” service. Furthermore, the malware achieves a significant level of privilege escalation and evasion by silently disabling User Account Control (UAC) across three separate registry keys. This action, which typically prompts a user for confirmation, is performed without any visible notification to the victim, removing a critical layer of Windows security protection.
The staging directory used by the malware mimics the Windows Update cache path, and each installation contains a hardcoded ‘@27’ tag in its name, providing a reliable detection signature for security teams. The final implant communicates with a network of 37 hardcoded command-and-control (C2) servers over TCP port 15628, registering itself as a Windows service named “Windows Eventn,” another deliberate misspelling to blend in with legitimate system services.
System administrators are advised to enable visible file extensions on all workstations, a simple measure that would immediately expose the true nature of the lure files. Security teams should focus on blocking outbound connections on TCP port 15628 and adding the identified C2 IP addresses to network blocklists. Active infections can be identified by monitoring for the ‘SystemUpdats’ registry value and staging directories containing the ‘@27’ suffix. Additionally, detection rules should be configured to alert on the simultaneous disablement of all three UAC registry keys, as no legitimate software performs such an action.
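The host checks above, collected into one hunt script as an added example (this is not code from ZeroShadow or the report). It assumes the autorun value sits under the standard Run keys, that the three UAC values are EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop (the report does not name them), and the search roots listed; the sideloading check also covers the updat.exe/vcruntime140.dll/msvcp140.dll pairing described earlier.

```powershell
# Added hunt script for the indicators in this report; not from ZeroShadow or the article.
# Assumptions: Run value under the standard Run keys; the "three UAC keys" are EnableLUA,
# ConsentPromptBehaviorAdmin and PromptOnSecureDesktop; search roots are a guess.
$findings = @()

# Persistence: the misspelled 'SystemUpdats' autorun value
foreach ($k in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $v = Get-ItemProperty -Path $k -Name 'SystemUpdats' -ErrorAction SilentlyContinue
    if ($v) { $findings += "Autorun 'SystemUpdats' in ${k}: $($v.SystemUpdats)" }
}

# Staging directories carrying the hardcoded '@27' tag, and the sideloading pair inside them:
# a legitimately signed updat.exe next to runtime DLLs that are NOT Microsoft-signed
$roots = "$env:SystemRoot\SoftwareDistribution", $env:ProgramData, $env:LOCALAPPDATA, $env:TEMP
foreach ($r in $roots) {
    Get-ChildItem -Path $r -Directory -Recurse -Filter '*@27*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += "Staging directory: $($_.FullName)"
        if (-not (Test-Path (Join-Path $_.FullName 'updat.exe'))) { return }
        foreach ($dll in 'vcruntime140.dll', 'msvcp140.dll') {
            $p = Join-Path $_.FullName $dll
            if (-not (Test-Path $p)) { continue }
            $sig = Get-AuthenticodeSignature -FilePath $p
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $findings += "Sideload candidate: non-Microsoft $dll beside updat.exe in $($_.FullName)"
            }
        }
    }
}

# UAC: all three values zeroed at once, which no legitimate installer does
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($uac.EnableLUA -eq 0 -and $uac.ConsentPromptBehaviorAdmin -eq 0 -and $uac.PromptOnSecureDesktop -eq 0) {
    $findings += 'UAC fully disabled: EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop all 0'
}

# Service registered under the misspelled name 'Windows Eventn'
Get-Service | Where-Object { $_.Name -eq 'Windows Eventn' -or $_.DisplayName -eq 'Windows Eventn' } |
    ForEach-Object { $findings += "Service '$($_.Name)' state $($_.Status)" }

# Live C2 traffic: any connection to the implant's TCP port 15628
Get-NetTCPConnection -RemotePort 15628 -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "TCP to $($_.RemoteAddress):15628 from PID $($_.OwningProcess)" }

if ($findings) { $findings } else { 'No APT-Q-27 indicators found on this host.' }
```

Run it elevated so the HKLM and service queries are not truncated; the C2 IP list itself is not on this page, so the port check stands in for an address blocklist.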
The ongoing evolution of these attack vectors highlights the need for continuous vigilance and adaptation within the cybersecurity community. As threat actors refine their methods, organizations must remain proactive in bolstering their defenses and educating their employees on the latest social engineering tactics to protect against these increasingly sophisticated threats.