Fake Screenshots Infect Web3 Support Staff with Multi-Stage Malware

By Jennifer Sherman, March 26, 2026

Key Takeaways

  • A sophisticated multi-stage malware campaign, attributed to APT-Q-27 (also known as GoldenEyeDog), is actively targeting Web3 customer support personnel.
  • Attackers leverage social engineering, posing as customers and delivering malicious files disguised as screenshot links through live chat.
  • The malware establishes a persistent backdoor, disables User Account Control (UAC), and employs DLL sideloading and memory-only execution to evade detection.
  • Organizations in the Web3, gambling, and cryptocurrency sectors are particularly at risk and should implement specific defensive measures.

APT-Q-27 Deploys Multi-Stage Malware Against Web3 Support Staff

A persistent threat group tracked as APT-Q-27, also known as GoldenEyeDog, is running a campaign against customer support teams in the Web3 ecosystem. The attackers pose as ordinary users in live chat and hand over malicious links disguised as screenshots. Clicking one starts a silent, multi-stage malware installation that ends in a persistent backdoor on the victim's system, as detailed in a recent ZeroShadow analysis.

The GoldenEyeDog group has a documented history of operations dating back to at least 2022, with a notable focus on the gambling and cryptocurrency industries. While previous campaigns from this actor typically relied on trojanized software or compromised “watering hole” websites to ensnare victims, this new approach marks a significant strategic evolution. Instead of passively waiting for targets to encounter their malicious infrastructure, APT-Q-27 is now actively engaging with support queues, presenting themselves as confused customers requiring assistance with transactions.

The campaign came to light after ZeroShadow analysts detected unusual patterns in support requests flagged by their partner, 1inch. The alerts pointed to multiple help requests from distinct accounts and rotating IP addresses, all following the same modus operandi: a shortlink designed to look like a legitimate screenshot. ZeroShadow's investigation tracked the malware's tooling, mapped its command-and-control infrastructure and attributed the activity to APT-Q-27 with moderate confidence, according to the report published on the ZeroShadow blog.

The Infection Chain: From Fake Screenshot to Persistent Backdoor

The attack begins when the victim receives a seemingly innocuous link in the chat window that purports to lead to a Google-hosted image. Clicking it instead downloads a file whose name is crafted to look like a photograph. Because Windows hides the file's real extension, it appears as an ordinary image.

The downloaded file is a .pif (Program Information File), a legacy executable format that most users would not recognize as a threat. Explorer never displays the .pif extension, regardless of the "hide extensions for known file types" setting, because the piffile file class carries the NeverShowExt flag; the file therefore looks like an image even on workstations configured to show extensions. When run, it displays what looks like a broken web page while the malware installs itself in the background. The final implant communicates with 37 hardcoded command-and-control (C2) servers over TCP port 15628. For persistence it registers a Windows service named "Windows Eventn", a deliberate misspelling meant to blend in with legitimate services. The malware also silently disables User Account Control (UAC) by changing three registry settings, removing a layer of Windows protection without any prompt to the user.

Inside the Attack: DLL Sideloading and Staged Delivery

Running the lure file triggers a request to an Amazon S3 bucket for a manifest file. The manifest, which the attackers can update remotely, lists the URLs of the subsequent malware components. This modular design lets the attackers rotate infrastructure frequently without touching the core malware, which also means that any blocklist built from a single sample goes stale quickly.

The downloaded package includes a legitimate, digitally signed executable from the YY platform, named updat.exe. Alongside this genuine binary are malicious versions of two standard Visual C++ runtime files: vcruntime140.dll and msvcp140.dll. When a program loads a DLL by bare name, Windows probes the directory the application was loaded from before the system directories (and, with SafeDllSearchMode enabled, which has been the default since Windows XP SP2, well before the current working directory). Neither runtime DLL is on the KnownDLLs list, which is the only mechanism that would force a load from System32 regardless of location. So when updat.exe is launched from the staging directory, it loads the attacker-controlled DLLs sitting next to it instead of the authentic ones. This technique, known as DLL sideloading, lets the signed binary run normally while executing the attacker's code inside a trusted process.
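
To make the search order concrete, the following added example (not code from the ZeroShadow report or from this article) simulates the loader's directory probing in Python against a constructed file listing. The staging path and the KnownDLLs subset are assumptions; the order itself is Microsoft's documented default with SafeDllSearchMode enabled. The sideload_candidates helper goes a step further than the text and lists every directory where an executable sits next to one of the two runtime DLLs, which is the starting point for a hunt across endpoints.

```python
"""Windows DLL search-order simulation (added example; not from the
ZeroShadow report). It shows why a CRT DLL dropped beside a signed
executable wins over the genuine copy in System32, and why KnownDLLs
cannot be hijacked this way. All paths are constructed; the staging
directory name merely follows the pattern the article describes."""
from __future__ import annotations

SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"
# Hypothetical staging directory: a fake update-cache path carrying the @27
# tag the article mentions. The real path is not given in the article.
STAGING = r"C:\Users\victim\AppData\Local\WindowsUpdate@27"

# Constructed file system: the dropped package plus the genuine runtimes.
SAMPLE_FS = {
    STAGING + r"\updat.exe",
    STAGING + r"\vcruntime140.dll",
    STAGING + r"\msvcp140.dll",
    SYSTEM32 + r"\vcruntime140.dll",
    SYSTEM32 + r"\msvcp140.dll",
    SYSTEM32 + r"\kernel32.dll",
}

# A few names from HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
# (subset, assumed). The loader maps these from System32 no matter where the EXE lives.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}

# The two Visual C++ runtime DLLs abused in this campaign.
RUNTIME_DLLS = {"vcruntime140.dll", "msvcp140.dll"}


def search_order(app_dir: str, cwd: str, safe_search: bool = True) -> list[str]:
    """Directories probed by LoadLibrary for a bare DLL name, in order.

    With SafeDllSearchMode on (the default) the current working directory is
    probed only after the Windows directories; with it off, the CWD moves to
    second place. Either way the application's own directory comes first,
    which is what sideloading relies on."""
    windows_dirs = [SYSTEM32, WINDIR + r"\System", WINDIR]
    if safe_search:
        return [app_dir, *windows_dirs, cwd]
    return [app_dir, cwd, *windows_dirs]


def resolve_dll(name: str, app_dir: str, cwd: str, fs: set[str] = SAMPLE_FS,
                safe_search: bool = True, path_dirs: tuple[str, ...] = ()) -> str | None:
    """Return the path the loader would pick for `name`, or None if absent."""
    if name.lower() in KNOWN_DLLS:
        return SYSTEM32 + "\\" + name
    present = {p.lower() for p in fs}
    for directory in search_order(app_dir, cwd, safe_search) + list(path_dirs):
        candidate = directory + "\\" + name
        if candidate.lower() in present:
            return candidate
    return None


def sideload_candidates(fs: set[str] = SAMPLE_FS) -> list[tuple[str, list[str], list[str]]]:
    """Hunt helper: directories outside System32 holding an EXE next to a CRT DLL.

    Returns (directory, exes, runtime_dlls) tuples; each is worth checking the
    DLL's signature and hash against the System32 copy."""
    by_dir: dict[str, set[str]] = {}
    for path in fs:
        directory, _, filename = path.rpartition("\\")
        by_dir.setdefault(directory.lower(), set()).add(filename.lower())
    hits = []
    for directory, files in sorted(by_dir.items()):
        if directory == SYSTEM32.lower():
            continue
        exes = sorted(f for f in files if f.endswith(".exe"))
        dlls = sorted(files & RUNTIME_DLLS)
        if exes and dlls:
            hits.append((directory, exes, dlls))
    return hits


if __name__ == "__main__":
    # updat.exe launched from the staging directory: both runtimes resolve
    # there even when the current working directory is System32.
    for dll in sorted(RUNTIME_DLLS):
        print(dll, "->", resolve_dll(dll, STAGING, SYSTEM32))
    print("kernel32.dll ->", resolve_dll("kernel32.dll", STAGING, STAGING))
    for directory, exes, dlls in sideload_candidates():
        print("review:", directory, exes, dlls)
```

The KnownDLLs branch is the practical caveat: a sideloading lure needs a DLL that the target binary imports by name and that is not on that list, which is why the CRT DLLs are a favourite.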

The malicious DLL component, crashreport.dll, then reads an encrypted file named yyext.log, decrypts it in memory and executes the resulting shellcode without writing any temporary file to disk. Because the decrypted stage exists only in process memory, file-based antivirus scanning and disk forensics have nothing to examine; only memory scanning or behavioural telemetry can catch it at this point. The shellcode then decompresses the final backdoor implant, roughly 340 KB, entirely within process memory, leaving no file artifact of the implant itself.

To survive reboots, the loader also creates a registry Run entry named "SystemUpdats", another intentional misspelling meant to pass as a system update entry. The staging directory itself is crafted to resemble a Windows Update cache path. Every installation observed carries a hardcoded @27 tag in the directory name, which gives defenders a reliable signature for detection.

What You Should Do

  • Show File Extensions, but Do Not Rely on It: Configure all Windows workstations to display extensions. Note that Explorer still hides .pif (as it does .lnk and .url) because the piffile class carries the NeverShowExt flag, so "image.pif" keeps looking like an image. Remove that value or, better, block .pif files at the download and attachment layer and deny their execution with application control; no legitimate customer sends a .pif.
  • Block the C2 Port and Addresses: Deny outbound TCP 15628 at the egress firewall and add the 37 published C2 addresses to network blocklists. Because the S3-hosted manifest lets the attackers rotate infrastructure at will, treat these indicators as a snapshot and pair them with the host-based detections below.
  • Monitor for Registry and File System Anomalies: Alert on creation of the "SystemUpdats" Run value, on a service named "Windows Eventn", and on any directory whose name contains the @27 tag. These are strong indicators of an active infection.
  • Alert on UAC Disablement: Detect the three UAC settings being zeroed within a short window. Legitimate administration can change UAC, but it does so through Group Policy or a documented change, not from a freshly dropped binary in a user-writable directory; correlate the writing process with the change record before closing the alert.
  • Train Staff: Support agents in particular should treat anything a "customer" sends through chat as untrusted, open screenshots only through the support platform's own attachment preview rather than following shortlinks, and escalate any unexpected download. Reinforce general awareness of social engineering, malicious links and unexpected files, even when they appear to come from trusted sources or platforms.
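
The following added example (not from the article or the ZeroShadow report) implements the host and network checks from the list above as Python rules over constructed Sysmon-style events. Assumed: the three UAC settings are the standard policy values EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop (the article does not name them), the Sysmon field names for Event IDs 13, 11 and 3, and the staging path and user SID, which are placeholders.

```python
"""Detection rules for the indicators described in the article, run over
constructed Sysmon-style events (added example; the events are made up and
are not from the ZeroShadow report). Assumptions: Sysmon Event ID 13
(RegistryEvent SetValue), 11 (FileCreate) and 3 (NetworkConnect) field
names; the three UAC settings are taken to be EnableLUA,
ConsentPromptBehaviorAdmin and PromptOnSecureDesktop."""
from __future__ import annotations
from datetime import datetime, timedelta

UAC_POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
UAC_WINDOW = timedelta(seconds=60)   # all three must be zeroed within this span
C2_PORT = 15628
STAGING_TAG = "@27"

# Hypothetical paths and SID following the article's description.
STAGING_DIR = r"C:\Users\victim\AppData\Local\WindowsUpdate@27"
UPDAT = STAGING_DIR + r"\updat.exe"
HKU_RUN = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run"
ONEDRIVE = r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"

SAMPLE_EVENTS = [  # constructed; benign noise first, then the infection
    {"EventID": 13, "UtcTime": "2026-03-26 09:00:00.000", "Image": ONEDRIVE,
     "TargetObject": HKU_RUN + r"\OneDrive", "Details": ONEDRIVE + " /background"},
    {"EventID": 13, "UtcTime": "2026-03-26 09:30:00.000", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": UAC_POLICY_KEY + r"\EnableLUA", "Details": "DWORD (0x00000001)"},  # policy refresh, not 0
    {"EventID": 3, "UtcTime": "2026-03-26 09:59:00.000", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 11, "UtcTime": "2026-03-26 10:00:20.000", "Image": UPDAT,
     "TargetFilename": STAGING_DIR + r"\yyext.log"},
    {"EventID": 13, "UtcTime": "2026-03-26 10:00:21.000", "Image": UPDAT,
     "TargetObject": HKU_RUN + r"\SystemUpdats", "Details": UPDAT},
    {"EventID": 13, "UtcTime": "2026-03-26 10:00:22.000", "Image": UPDAT,
     "TargetObject": UAC_POLICY_KEY + r"\EnableLUA", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "UtcTime": "2026-03-26 10:00:22.100", "Image": UPDAT,
     "TargetObject": UAC_POLICY_KEY + r"\ConsentPromptBehaviorAdmin", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "UtcTime": "2026-03-26 10:00:22.200", "Image": UPDAT,
     "TargetObject": UAC_POLICY_KEY + r"\PromptOnSecureDesktop", "Details": "DWORD (0x00000000)"},
    {"EventID": 3, "UtcTime": "2026-03-26 10:00:25.000", "Image": UPDAT,
     "Initiated": "true", "DestinationIp": "198.51.100.7", "DestinationPort": 15628},
]


def _ts(event: dict) -> datetime:
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def uac_disabled(events: list[dict]) -> list[tuple[str, datetime]]:
    """Fire when all three UAC values are set to 0 within UAC_WINDOW, in any order.

    A single zeroed value, or a value set to anything but 0, never fires, so a
    deliberate administrative change to one setting stays quiet."""
    seen: dict[str, datetime] = {}
    hits = []
    for event in sorted(events, key=_ts):
        if event.get("EventID") != 13:
            continue
        key, _, value = event["TargetObject"].rpartition("\\")
        if key.lower() != UAC_POLICY_KEY.lower() or value not in UAC_VALUES:
            continue
        if event["Details"].lower() != "dword (0x00000000)":
            continue
        now = _ts(event)
        seen = {v: t for v, t in seen.items() if now - t <= UAC_WINDOW}  # drop stale entries
        seen[value] = now
        if set(seen) == UAC_VALUES:
            hits.append((event["Image"], now))
            seen = {}
    return hits


def persistence_artifacts(events: list[dict]) -> list[tuple[str, str]]:
    """The misspelled Run value and any path carrying the @27 staging tag."""
    hits = set()
    for event in events:
        target = event.get("TargetObject", "")
        if event.get("EventID") == 13 and target.lower().endswith(r"\currentversion\run\systemupdats"):
            hits.add(("run_key", target))
        for field in ("TargetFilename", "Image"):
            path = event.get(field, "")
            if STAGING_TAG in path:
                hits.add(("staging_dir", path))
    return sorted(hits)


def c2_beacons(events: list[dict]) -> list[tuple[str, str]]:
    """Outbound connections to the campaign's C2 port."""
    return [(e["Image"], e["DestinationIp"]) for e in events
            if e.get("EventID") == 3 and e.get("Initiated") == "true"
            and int(e["DestinationPort"]) == C2_PORT]


def detect(events: list[dict]) -> list[tuple[str, str]]:
    findings = [("uac_disabled", image) for image, _ in uac_disabled(events)]
    findings += persistence_artifacts(events)
    findings += [("c2_port", f"{image} -> {ip}:{C2_PORT}") for image, ip in c2_beacons(events)]
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:13} {detail}")
```

The UAC rule is the one worth tuning: it keys on all three values being zeroed inside one window rather than on any single write, so a policy refresh that re-enables UAC or an administrator toggling one setting does not fire, while the implant's burst of three writes from the same dropped binary does.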


Tags: Attack, Exploit, Malware, Security, Threat
