Fake Screenshots Infect Web3 Support Staff with Multi-Stage Malware
Key Takeaways
- A sophisticated multi-stage malware campaign, attributed to APT-Q-27 (also known as GoldenEyeDog), is actively targeting Web3 customer support personnel.
- Attackers leverage social engineering, posing as customers and delivering malicious files disguised as screenshot links through live chat.
- The malware establishes a persistent backdoor, disables User Account Control (UAC), and employs DLL sideloading and memory-only execution to evade detection.
- Organizations in the Web3, gambling, and cryptocurrency sectors are particularly at risk and should implement specific defensive measures.
APT-Q-27 Deploys Multi-Stage Malware Against Web3 Support Staff
A persistent threat group, identified as APT-Q-27 and also known as GoldenEyeDog, is currently executing a cunning campaign against customer support teams within the Web3 ecosystem. This operation involves attackers posing as ordinary users in live chat interactions to distribute malicious links disguised as screenshots. Clicking these links initiates a silent, multi-stage malware installation, leading to a persistent backdoor on victim systems, as detailed in a recent analysis.
The GoldenEyeDog group has a documented history of operations dating back to at least 2022, with a notable focus on the gambling and cryptocurrency industries. While previous campaigns from this actor typically relied on trojanized software or compromised “watering hole” websites to ensnare victims, this new approach marks a significant strategic evolution. Instead of passively waiting for targets to encounter their malicious infrastructure, APT-Q-27 is now actively engaging with support queues, presenting themselves as confused customers requiring assistance with transactions.
The campaign came to light after ZeroShadow analysts detected unusual patterns in support requests flagged by their partner, 1inch. These alerts pointed to multiple help requests originating from distinct accounts and rotating IP addresses, all exhibiting a consistent modus operandi: a shortlink designed to appear as a legitimate screenshot. ZeroShadow’s subsequent investigation involved meticulous tracking of the malware’s tooling, mapping its command-and-control infrastructure, and ultimately attributing the activity to APT-Q-27 with moderate confidence, according to their report published on their blog.
The Infection Chain: From Fake Screenshot to Persistent Backdoor
The attack initiates when a victim receives a seemingly innocuous link in a chat window, which purports to lead to a Google-hosted image. However, clicking this link downloads a file with a deceptive name, designed to resemble a photograph. On Windows systems, where file extensions are often hidden by default, this file appears as an ordinary image, further enhancing the deception.
The downloaded file utilizes the .pif format, an obscure executable type that most users would not recognize as a potential threat. Upon execution, the file displays what appears to be a broken webpage, while the malware silently installs itself in the background. The final implant then establishes communication with 37 hardcoded command-and-control (C2) servers over TCP port 15628. For persistence, it registers itself as a Windows service named “Windows Eventn,” a deliberate misspelling intended to blend in with legitimate system services. Crucially, the malware also silently disables User Account Control (UAC) across three separate registry keys, effectively removing a critical layer of Windows security without any user prompt.
Inside the Attack: DLL Sideloading and Staged Delivery
The initial lure file’s execution triggers a request to an Amazon AWS S3 bucket for a manifest file. This manifest, which is remotely updatable, contains a list of URLs pointing to the subsequent components of the malware. This modular design grants the attackers the flexibility to frequently rotate their infrastructure without needing to alter the core malware itself.
The downloaded package includes a legitimate, digitally signed executable from the YY platform, named updat.exe. Alongside this genuine binary are malicious versions of two standard Windows runtime files: vcruntime140.dll and msvcp140.dll. Windows operating systems prioritize loading dynamic-link libraries (DLLs) from the application’s current working directory before searching system folders. Therefore, when updat.exe is launched from the staging directory, it inadvertently loads the attacker-controlled DLLs instead of the authentic ones. This technique, known as DLL sideloading, allows the signed binary to execute normally while simultaneously loading and running the attacker’s malicious code.
The malicious DLL, specifically crashreport.dll, then reads an encrypted file named yyext.log. It decrypts this file in memory and executes the resulting shellcode without writing any temporary files to disk. This in-memory execution is a tactic designed to bypass memory scanning tools that typically detect injected executables. The shellcode proceeds to decompress the final backdoor implant, approximately 340KB in size, entirely within process memory, leaving no discernible file artifacts behind.
To ensure persistence across system reboots, the loader creates a registry startup key named “SystemUpdats,” another intentional misspelling designed to mimic the legitimate “SystemUpdate” entry. The staging directory itself is crafted to resemble a Windows Update cache path. Each installation consistently includes a hardcoded @27 tag within the directory name, providing a unique and reliable signature for detection.
What You Should Do
- Enable Visible File Extensions: Configure all Windows workstations to display full file extensions. This simple step would immediately expose files like “image.pif” as executables rather than images.
- Block Malicious IP Addresses and Ports: Block all outbound connections on TCP port 15628 and add the 37 identified C2 IP addresses to network blocklists and firewall rules.
- Monitor for Registry and File System Anomalies: Implement monitoring for the “SystemUpdats” registry value and for any staging directories containing the @27 suffix. These are strong indicators of an active infection.
- Alert on UAC Disablement: Create detection rules that alert on the simultaneous disablement of all three UAC registry keys, as this behavior is highly indicative of malicious activity and is not performed by legitimate software.
- Conduct Employee Training: Reinforce cybersecurity awareness training, specifically focusing on social engineering tactics, malicious links, and the dangers of opening unexpected attachments or files, even if they appear to be from trusted sources or platforms.
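As an added example (not code from the article or from ZeroShadow), the following Python applies the detections recommended above, together with a check for the runtime-DLL sideloading described earlier, to a handful of constructed Sysmon-style events. Assumptions: the three UAC values are EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop (the article does not name them), and the staging path, IP address and event layout are constructed for illustration.

```python
# Added example, not from the article: detection logic for the indicators it lists,
# run over constructed Sysmon-style events. ASSUMPTION: the "three UAC registry
# keys" are EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop under
# Policies\System; the article does not name them.
from collections import defaultdict

UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
C2_PORT = 15628                      # hardcoded C2 port named in the article
SIDELOAD_DLLS = {"vcruntime140.dll", "msvcp140.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def detect(events):
    """Return (rule, pid, detail) tuples for every matching indicator."""
    alerts = []
    uac_zeroed = defaultdict(set)    # pid -> UAC values that process set to 0
    for ev in events:
        pid, kind, target = ev["pid"], ev["type"], ev.get("target", "")
        name = target.rsplit("\\", 1)[-1]
        if kind == "registry_set":
            if target.lower().startswith(UAC_KEY.lower()) and name in UAC_VALUES and ev["data"] == "0":
                uac_zeroed[pid].add(name)
                # alert only once a single process has zeroed all three values
                if uac_zeroed[pid] == UAC_VALUES:
                    alerts.append(("uac_disabled", pid, sorted(uac_zeroed[pid])))
            elif "\\run\\" in target.lower() and name.lower() == "systemupdats":
                alerts.append(("run_key_systemupdats", pid, ev["data"]))
        elif kind == "file_create" and "@27" in target:
            alerts.append(("staging_dir_@27", pid, target))
        elif kind == "network_connect" and ev["dst_port"] == C2_PORT:
            alerts.append(("c2_port_15628", pid, ev["dst_ip"]))
        elif (kind == "image_load" and name.lower() in SIDELOAD_DLLS
              and not target.lower().startswith(SYSTEM_DIRS)):
            # a runtime DLL loaded from outside the system folders: sideloading signal
            alerts.append(("runtime_dll_sideload", pid, target))
    return alerts


STAGE = r"C:\Users\bob\AppData\Local\WindowsUpdateCache@27"   # constructed path
SAMPLE_EVENTS = [                                             # constructed telemetry
    {"type": "image_load", "pid": 4120, "target": STAGE + r"\vcruntime140.dll"},
    {"type": "registry_set", "pid": 4120, "target": UAC_KEY + r"\EnableLUA", "data": "0"},
    {"type": "registry_set", "pid": 4120, "target": UAC_KEY + r"\ConsentPromptBehaviorAdmin", "data": "0"},
    {"type": "registry_set", "pid": 4120, "target": UAC_KEY + r"\PromptOnSecureDesktop", "data": "0"},
    {"type": "registry_set", "pid": 4120, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdats", "data": STAGE + r"\updat.exe"},
    {"type": "file_create", "pid": 4120, "target": STAGE + r"\yyext.log"},
    {"type": "network_connect", "pid": 4120, "dst_ip": "203.0.113.10", "dst_port": 15628},
    {"type": "image_load", "pid": 880, "target": r"C:\Windows\System32\vcruntime140.dll"},  # benign
    {"type": "registry_set", "pid": 880, "target": UAC_KEY + r"\EnableLUA", "data": "1"},      # benign
]
```

Running `detect(SAMPLE_EVENTS)` yields five alerts, all for process 4120; the benign System32 load and the EnableLUA=1 write from process 880 produce none.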
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.