Fake Screenshot Lures Target Web3 Support Staff with Multi-Stage Malware Attack

A campaign attributed to APT-Q-27 (GoldenEyeDog), a Chinese group targeting Web3, is leveraging deceptive fake screenshot links delivered through support chat workflows to deploy a multi-stage, memory-resident Farfli backdoor.

The attack starts with an attacker posing as a customer support user sharing a seemingly innocuous screenshot link in a live chat. The link features a Google-like URL and a filename resembling a photo. On Windows systems, the default setting hides file extensions, making a .pif program appear harmless.

Opening the link triggers a fake error image or opens in Paint, masking the background execution of a .NET downloader. This first-stage malware, signed with a legitimate but abused EV certificate, communicates with an AWS S3 “dead drop” manifest listing URLs for the second stage. It creates a hidden staging directory under AppData mimicking Windows Update with a distinctive “@27” tag, pulling down DLLs, executables, and other files.

Persistence is established via a registry Run key pointing to a fake “SystemUpdats” value. The heavily obfuscated .NET loaders (e.g., Feedback.exe, photo2025060268jpg.exe) use runtime decryption and anti-analysis techniques, including stack inspection. They can also fall back to downloading legitimate Microsoft VC++ redistributables.

The staged chain leverages the legitimate YY platform binary (updat.exe) for DLL sideloading. Malicious replacements for vcruntime140.dll and msvcp140.dll are loaded, which then execute shellcode from an encrypted log file (yyext.log). This shellcode decompresses a UPX-packed PE into memory, unpacking the final Farfli backdoor DLL – a fully in-memory implant with no file presence.

The memory-resident Farfli backdoor maintains 37 hard-coded C2 servers over TCP port 15628 using rolling XOR encryption. It employs stealth techniques: checking for admin privileges, suppressing UAC prompts, registering as a Windows service (“Windows Eventn”), and using watchdog loops.

Attribution overlaps with previous APT-Q-27 activity through tooling, infrastructure (Chinese EV certs, YY binaries), and behaviors (C2 patterns, staging tags). The campaign represents a shift from SEO watering holes to direct attacks on Web3 support channels, exploiting high-trust, high-speed workflows.

Detections include monitoring for AppData Windows Update mimics with “@27”, the “SystemUpdats” registry key, the “Windows Eventn” service, and changed UAC settings. Memory hunting for the specific XOR key and the delimiter ” |#$| ” can identify active implants. Blocking outbound TCP port 15628 to C2 ranges is advised.

Defense requires hardening support environments: enforcing visible file extensions, sandboxing file handling, and robust phishing training. Web3 firms should treat support systems as high-value assets with strict EDR, least-privilege access, and dedicated monitoring.

Indicators of Compromise (IOCs) include specific filenames and SHA-256 hashes for the malicious loaders, sideload DLLs, and the final Farfli backdoor DLL.

Related Articles

Back to top button