A sophisticated cyber threat is currently targeting users by distributing a malicious installer disguised as a legitimate Telegram download. This campaign leverages a deceptive website, telegrgam[.]com, which closely mimics the official Telegram domain. Unsuspecting users attempting to download the popular messaging application are instead presented with a Windows installer, tsetup-x64.6.exe, that silently deploys a multi-stage loader with advanced in-memory execution capabilities.
K7 Security Labs researchers identified this campaign through routine web monitoring. The fake website and its associated malware are designed to bypass traditional security measures, making it a significant concern for individuals seeking to download software from seemingly trusted sources. The multi-stage nature of the payload and its execution directly in memory are key features that distinguish this threat from simpler malware distribution methods.
Unmasking the In-Memory Loader Mechanism
The infection chain begins when a user executes the downloaded file, tsetup-x64.6.exe. The installer immediately launches a command prompt to check for a process named 0tray.exe, which serves as an indicator of a prior infection. This reconnaissance step ensures that the malware doesn’t re-infect a system already compromised.
Following this check, the installer deploys an obfuscated PowerShell command. Once decoded, this command instructs Windows Defender to exclude all disk partitions from real-time scanning. This effectively disables the primary built-in security feature of Windows, creating a permissive environment for the subsequent stages of the attack. This Defender bypass is crucial for the malware’s ability to operate undetected.
With security defenses weakened, the installer proceeds to drop several files into the C:\Users directory. This location is chosen strategically to mimic a legitimate software installation path, aiming to avoid suspicion from manual system audits. Additionally, a registry entry is created under HKCU\Microsoft UserSource to serve as an infection marker, preventing repeated installations on the same machine.
To further enhance its deception, the installer also silently deploys a genuine Telegram executable. This ensures that the user experiences what appears to be a successful and legitimate installation of the messaging application, diverting attention from the malicious activities occurring in the background. The presence of the genuine application masks the true nature of the downloaded file.
The core of the in-memory loader mechanism lies in the execution of a Dynamic Link Library (DLL) file, AutoRecoverDat.dll. This DLL is launched using rundll32.exe, a legitimate Windows utility, with the DllRegisterServer function as its entry point. Inside the DLL, encoded binary data is read from a file named GPUCache.xml. This data is then used to reconstruct a full Portable Executable (PE) file directly in the system’s memory. This technique, known as reflective loading, allows the malware to execute without ever being written to the disk, making it exceptionally difficult for traditional antivirus software to detect.
The reconstructed payload operates silently within the rundll32.exe process, effectively blending with normal Windows system activity. Once loaded into memory, it establishes a connection to a command-and-control (C2) server. Researchers have identified the C2 server operating at 27[.]50[.]59[.]77 on port 18852, linked to the domain jiijua[.]com. Through this connection, attackers can issue commands, deliver updated malicious payloads, and maintain persistent access to the infected system indefinitely.
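As an added example (not from the K7 report), the following Python classifier runs the three host-side behaviours described above over constructed process-creation events: the PowerShell Defender exclusion (decoded from -EncodedCommand before matching), rundll32 loading a DLL from under C:\Users via DllRegisterServer, and the cmd.exe check for the 0tray.exe marker. The Add-MpPreference cmdlet, the drop path under C:\Users\victim, and every sample command line are assumptions; the report does not give them.

```python
import base64
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    image: str         # path of the created process
    command_line: str  # its full command line

def decode_powershell(command_line: str) -> str:
    """Decode a -EncodedCommand blob (base64 of UTF-16LE) so rules see plaintext."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", command_line, re.I)
    if not m:
        return command_line
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return command_line

def classify(ev: ProcEvent) -> list[str]:
    """Return the names of the campaign behaviours this process event matches."""
    hits = []
    image = ev.image.lower().rsplit("\\", 1)[-1]
    cmd = decode_powershell(ev.command_line)
    # 1. PowerShell excluding a whole drive root from Defender real-time scanning.
    #    Add-MpPreference is an assumed cmdlet; the report does not name the one used.
    if image in ("powershell.exe", "pwsh.exe") and re.search(
            r"add-mppreference.*-exclusionpath\s+['\"]?[a-z]:\\", cmd, re.I | re.S):
        hits.append("defender-drive-exclusion")
    # 2. rundll32 executing a DLL from under C:\Users through DllRegisterServer.
    if image == "rundll32.exe" and re.search(r"\\users\\.+\.dll\W*dllregisterserver", cmd, re.I):
        hits.append("rundll32-userprofile-dllregisterserver")
    # 3. cmd.exe probing for the 0tray.exe infection marker.
    if image == "cmd.exe" and re.search(r"0tray\.exe", cmd, re.I):
        hits.append("marker-process-check")
    return hits

# Constructed sample events (not taken from the report); the encoded blob is built here.
_EXCLUDE = "Add-MpPreference -ExclusionPath 'C:\\','D:\\'"
_ENCODED = base64.b64encode(_EXCLUDE.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -NoProfile -EncodedCommand {_ENCODED}"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\victim\AutoRecoverDat.dll",DllRegisterServer'),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"cmd.exe /c tasklist | findstr /i 0tray.exe"),
]
```

The third sample is a benign rundll32 invocation from System32 and produces no hit, which is the baseline the user-profile rule is meant to separate from.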
K7 Security Labs also noted the existence of additional typosquatted domains associated with this campaign, including www.telefgram[.]com and www.tejlegram[.]com. The use of multiple fake domains suggests a coordinated effort by the attackers to cover various potential search queries and maximize their reach. This strategy highlights the resourceful nature of these threat actors in exploiting user errors.
The implications of such a campaign are significant, underscoring the risks associated with downloading software from unofficial sources. The sophisticated in-memory execution method employed by this malware allows attackers to evade detection by most traditional security solutions, which primarily rely on file-based scanning. This advanced technique poses a persistent threat to users who may inadvertently fall victim through simple visually deceptive tactics. Staying vigilant about download sources and confirming URLs is paramount in mitigating such risks. Further analysis may reveal the specific types of payloads being delivered via the C2 server, potentially indicating further malicious intent beyond initial system compromise.