Hackers Abuse Microsoft Fondue.exe to Side-Load Malicious Code
A newly uncovered attack campaign has brought a rarely scrutinized Windows executable, Fondue.exe, into the spotlight, revealing its exploitation for sophisticated side-loading attacks. Cybersecurity researchers have found that threat actors are actively abusing Fondue.exe, a legitimate Microsoft utility built into the Windows operating system, to side-load a malicious control panel file named APPWIZ.cpl and silently deploy dangerous malware on victim machines.
The technique is deceptively clever because it relies entirely on a trusted system binary, making it far harder for standard security tools to detect.
The attack chain begins with a malicious MSI installer, disguised as a legitimate software application, delivered to targeted users through deceptive websites mimicking real developer tools.
Once the victim runs the installer, it quietly drops several files into a hidden directory on the compromised machine, including both the legitimate Fondue.exe binary and a malicious version of APPWIZ.cpl packed with obfuscation tools.
The attacker’s goal is to make the entire process look like normal system activity from the very start.
Trend Micro said in a report shared with Cyber Security News (CSN) that it has observed this pattern of abusing legitimate Windows binaries as a growing and highly effective tactic among advanced threat groups, allowing attackers to bypass security controls by hiding behind trusted processes.
The specific cluster behind the Fondue.exe campaign, tracked by threat intelligence teams, has been observed using generative AI to accelerate the development of its attack tools, reflecting a troubling evolution in adversary capabilities.
The campaign has primarily targeted government organizations, military personnel, and individuals involved in drone manufacturing and engineering.
Attackers leveraged fake Starlink device registration services and drone pilot training applications as lures to trick victims into running the malicious installers.
These socially engineered decoys are designed to appear completely credible to their intended targets, making them especially dangerous in high-stakes operational environments.
Once inside a system, the malware establishes persistence, communicates with attacker-controlled servers, and positions itself for long-term espionage activity.
The attackers have demonstrated a sophisticated understanding of their targets, crafting convincing fake applications that align closely with the tools and workflows their victims use daily.
Security teams and organizations operating in sensitive sectors are urged to exercise extreme caution when downloading and running software outside of verified, official channels.
How Fondue.exe Is Abused to Side-Load Malicious Code
Fondue.exe is a legitimate Windows system utility officially named the “Features on Demand UX” application, version 10.0.19041.1. Its normal purpose is to enable or disable optional Windows operating system components.
Attackers exploited the fact that when Fondue.exe runs, it looks for APPWIZ.cpl in its local directory before checking the standard Windows system paths.
By placing a malicious copy of APPWIZ.cpl in the same hidden folder as Fondue.exe, the attackers force the trusted binary to load their rogue file instead of the real one.
The malicious APPWIZ.cpl file is packed with UPX compression and further protected using Oreans Code Virtualizer, a tool commonly used to make reverse engineering extremely difficult.

Once loaded into the memory space of Fondue.exe, the rogue control panel file deploys a Sliver post-exploitation framework implant.
Sliver is an open-source adversary simulation tool that gives attackers a powerful foothold on the infected machine, allowing them to issue remote commands and move through compromised networks with ease.
To maintain persistence, the malicious applet creates a scheduled task in Windows Task Scheduler that runs every minute.
The task is named in a format designed to blend in with legitimate Windows update activity, such as MicrosoftEdgeUpdateTaskMachineUA{GUID}, making it easy to overlook during routine system audits.
The implant connects to the attacker’s command-and-control server at curtainbeatdisturbance[.]com and creates a mutex named MediumTurquoiseBeige to avoid running duplicate instances on the same machine.
Multi-Stage Delivery and Espionage Objectives
The malware delivery process is notably multi-staged and carefully layered. The initial MSI installer drops a PowerShell script, a VBS helper file, and a .NET loader, which work together to download and execute the next-stage payload without triggering obvious alerts.
The inner Inno Setup installer, named testexe.exe, is responsible for unpacking the final components into a hidden directory under %PROGRAMDATA%, where both Fondue.exe and the rogue APPWIZ.cpl are quietly placed.
Alongside the Fondue.exe-based attack path, the same threat cluster also deployed a separate JavaScript-based remote access trojan named SoullessRAT against other targets.
SoullessRAT was reportedly written using generative AI, and it supports a broad range of espionage capabilities including remote command execution, file uploads to the attacker’s server, screenshot capture, and harvesting of system information.
The use of AI-generated malware code signals that the barriers to creating capable custom implants are dropping rapidly for threat actors.
Threat intelligence researchers recommend that organizations monitor for unexpected execution of Fondue.exe from non-standard directories, especially outside of C:\Windows\System32.
Deploying endpoint detection that flags DLL and CPL side-loading behavior, combined with alerts for new scheduled tasks using Microsoft Edge or Microsoft Office naming patterns, can help defenders catch this threat early.
Users and administrators should also avoid running software installers obtained from unofficial sources, even when those sources appear visually convincing.
The abuse of legitimate Windows binaries for DLL and CPL side-loading continues to be one of the most effective techniques used by advanced persistent threat actors, and detections should therefore focus on behavioral indicators rather than file-level signatures alone.
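The three behavioral checks recommended above (Fondue.exe running outside the system directories, a control panel applet resolved from the host binary's own folder, and an Edge/Office-styled scheduled task whose action points somewhere unexpected) can be expressed as a small rule set. The following is an added example, not code from Trend Micro or CSN: the events are constructed in a Sysmon-like shape, the field names and the trusted task roots are assumptions, and the only page-specific value used is the staging directory from the IoC table. The CPL rule generalises the APPWIZ.cpl case to any applet loaded from the host process's directory.

```python
"""Detection rules for the Fondue.exe / APPWIZ.cpl side-loading pattern.

Added example, not Trend Micro's or CSN's code. The event dictionaries are
constructed in a Sysmon-like shape; the field names are assumptions, not a
real product schema.
"""
import re
from pathlib import PureWindowsPath

# Where a Windows-signed binary or its control panel applet is expected to live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Roots a genuine Edge/Office updater task action is expected to point into
# (assumption used to cut false positives; tune for the environment).
TRUSTED_TASK_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")
# Task names that imitate Microsoft Edge / Office update activity.
MASQUERADE_TASK = re.compile(r"^\\?Microsoft(Edge|Office)", re.IGNORECASE)

# Staging directory taken from the report's IoC table.
STAGE = r"C:\ProgramData\29167fc2-cdc7-490d-9c70-96bfb9b58225"


def _dir_of(path):
    """Lower-cased parent directory of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def _name_of(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def check_process_create(ev):
    """Fondue.exe started from anywhere but the Windows system directories."""
    if _name_of(ev["image"]) == "fondue.exe" and _dir_of(ev["image"]) not in SYSTEM_DIRS:
        return ("fondue_outside_system32", ev["image"])
    return None


def check_image_load(ev):
    """A .cpl resolved from the host process's own directory, outside the system dirs.

    Generalises the APPWIZ.cpl case: the same search-order abuse works for any
    applet a host binary looks up relative to itself before System32.
    """
    loaded = ev["loaded"]
    if not loaded.lower().endswith(".cpl"):
        return None
    host_dir, cpl_dir = _dir_of(ev["image"]), _dir_of(loaded)
    if host_dir == cpl_dir and cpl_dir not in SYSTEM_DIRS:
        return ("cpl_sideload", f"{ev['image']} -> {loaded}")
    return None


def check_task_create(ev):
    """Edge/Office-looking task whose action points outside the trusted roots."""
    if not MASQUERADE_TASK.match(ev["task_name"]):
        return None
    cmd = ev["command"].strip('"').lower()
    if not cmd.startswith(TRUSTED_TASK_ROOTS):
        return ("task_masquerade", f"{ev['task_name']} -> {ev['command']}")
    return None


CHECKS = {
    "process_create": check_process_create,
    "image_load": check_image_load,
    "task_create": check_task_create,
}


def scan(events):
    """Apply the rule matching each event type; return (rule, detail) hits in order."""
    hits = []
    for ev in events:
        check = CHECKS.get(ev["event"])
        hit = check(ev) if check else None
        if hit:
            hits.append(hit)
    return hits


# Constructed sample telemetry: one benign and one suspicious event per rule.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\fondue.exe"},
    {"event": "process_create", "image": STAGE + r"\Fondue.exe"},
    {"event": "image_load", "image": r"C:\Windows\System32\fondue.exe",
     "loaded": r"C:\Windows\System32\appwiz.cpl"},
    {"event": "image_load", "image": STAGE + r"\Fondue.exe",
     "loaded": STAGE + r"\APPWIZ.cpl"},
    {"event": "task_create",
     "task_name": r"\MicrosoftEdgeUpdateTaskMachineUA{00000000-0000-0000-0000-000000000001}",
     # representative benign updater path, used here as a constructed example
     "command": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
    {"event": "task_create",
     "task_name": r"\MicrosoftEdgeUpdateTaskMachineUA{00000000-0000-0000-0000-000000000002}",
     "command": STAGE + r"\Fondue.exe"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Running the block prints one hit per rule for the three suspicious events and nothing for their benign counterparts. The task rule deliberately keys on where the action points rather than on the name alone, because the Edge updater does legitimately register tasks with this naming scheme.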
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| SHA256 Hash | df1d20e392f7b7c5c408bdda317e0733e5ec27a973e3bf75034c6566343aa67f | Versatile Werewolf MSI installer (StarDebug) |
| SHA256 Hash | 677c5ad47c8feaf6a5c0b084060347bcf48f0ccadcdf951b3d48553f4520feaa | Versatile Werewolf MSI installer (AlphaFly) |
| SHA256 Hash | 82254b86590762b2946c6584db35d3872a5d6b85d30e8c07adb95de2126a4f97 | Malicious PowerShell script |
| SHA256 Hash | a20870bee771efe1ea01761d7978cc7b68b0a3c32c617675464f9c4dbe0a5d66 | Malicious PowerShell script (variant) |
| SHA256 Hash | 88ebed34ab9ff0e16dc32b789fc25295ea570f86244e89cb68803c517597cfdd | Malicious VBS helper file |
| SHA256 Hash | 3d280f5bb4e1eba8c1a65c7d17411286f7b3dbe7db48130f7d5a3be421ffc2ae | C# loader |
| SHA256 Hash | 34db59b663c15cd03cdd92bf24bdff25b756dd51f0540fecaac2a0cab4748... | Inno Setup installer (testexe.exe) |
| Domain | curtainbeatdisturbance[.]com | Sliver implant C2 server |
| Domain | stardebug[.]app | Threat actor malware distribution site |
| Domain | alphafly-drones[.]com | Fake drone application distribution site |
| Domain | newfolder[.]click | SoullessRAT payload delivery domain |
| URL | hxxps://stardebug[.]app/static/files/StarDebug_1.0.1.msi | Malicious MSI download URL |
| URL | hxxps://www.alphafly-drones[.]com/downloads/AlphaFlyInstallV1-2.msi | Malicious MSI download URL |
| File Name | Fondue.exe | Legitimate Windows binary abused for side-loading |
| File Name | appwiz.cpl | Malicious control panel applet (DLL side-load payload) |
| File Name | testexe.exe | Inno Setup installer that unpacks Fondue.exe and malicious CPL |
| File Name | StarDebug_1.0.1.msi | Malicious MSI installer disguised as StarDebug app |
| File Name | AlphaFlyInstallV1-2.msi | Malicious MSI installer disguised as drone simulator |
| Mutex | MediumTurquoiseBeige | Mutex created by the Sliver implant |
| Scheduled Task | MicrosoftEdgeUpdateTaskMachineUA{GUID} | Persistence mechanism created by malicious APPWIZ.cpl |
| Directory | %PROGRAMDATA%\29167fc2-cdc7-490d-9c70-96bfb9b58225 | Hidden directory used to stage Fondue.exe and payload |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
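Indicators are kept defanged at rest and only refanged at the point of use, typically when feeding a matcher inside a SIEM. The following is an added example, not part of the report: it refangs the domains from the table above and matches them against a constructed DNS resolver log whose line format is an assumption. The matcher treats subdomains of a watched domain as hits but does not match a longer name that merely ends with the same characters.

```python
"""Defang/refang helpers and a DNS-log matcher for the IoC table above.

Added example, not from the report. The defanged domains are copied from the
table; the DNS log lines are constructed and their format is an assumption.
"""
import re


def refang(indicator):
    """Restore a defanged indicator (hxxp, [.], (.), [:]) to its matchable form."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def defang(indicator):
    """Defang a live indicator so it cannot be clicked or resolved by accident."""
    s = indicator.strip()
    s = re.sub(r"^http", "hxxp", s, flags=re.IGNORECASE)
    return s.replace(".", "[.]")


# Domains from the IoC table, kept defanged at rest.
DEFANGED_DOMAINS = [
    "curtainbeatdisturbance[.]com",
    "stardebug[.]app",
    "alphafly-drones[.]com",
    "newfolder[.]click",
]

# Constructed DNS resolver log (not real telemetry): "<timestamp> <host> query <type> <qname>".
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z host01 query A www.example.com
2024-01-01T10:00:02Z host02 query A curtainbeatdisturbance.com.
2024-01-01T10:00:03Z host03 query A www.alphafly-drones.com
2024-01-01T10:00:04Z host04 query A notstardebug.app
"""


def match_dns_log(log_text, defanged_domains):
    """Return (host, qname, indicator) for queries hitting a watched domain.

    Matches the exact domain or any subdomain of it; a longer name that merely
    ends with the same characters (notstardebug.app) is not a hit.
    """
    watch = {refang(d).lower() for d in defanged_domains}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        # Strip a trailing root dot so absolute names compare equal to the IoC.
        host, qname = parts[1], parts[-1].lower().rstrip(".")
        for d in watch:
            if qname == d or qname.endswith("." + d):
                hits.append((host, qname, d))
                break
    return hits


if __name__ == "__main__":
    for host, qname, ioc in match_dns_log(SAMPLE_DNS_LOG, DEFANGED_DOMAINS):
        print(f"{host} queried {qname} (matches {defang(ioc)})")
```

The output re-defangs the matched indicator before printing so that reports generated from the matcher remain safe to paste into tickets or email.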