Keypoints
- Initial access occurred via infected installers bundled with pirated software downloaded from topsoft[.]space (torrent delivery).
- The malicious payload was composed of many AutoIt scripts packed/obfuscated with Themida and included modules to install RMS and the XMRig miner.
- Persistence was achieved through multiple scheduled tasks and registry modifications; malicious files were hidden by setting the System and Hidden attributes (‘SuperHidden’, which Explorer hides by default even when ‘show hidden files’ is enabled) on folders under C:\ProgramData (e.g., C:\ProgramData\ReaItekHD).
- The malware disabled or modified security controls (Windows Defender exclusions/disablement, removal of some AV services) and altered file/folder permissions to hinder detection and remediation.
- Data collection included system/process/user enumeration and archiving of Telegram’s tdata folder using 7z; exfiltration used a Telegram bot as the C2 channel.
- Additional capabilities included deploying the RDP Wrapper installer, creating a hidden local account, clipboard wallet hijacking (fetching replacement wallet IDs from taskmgr[.]xyz / rundll[.]xyz), and downloading/executing payloads from FTP when applicable.
- Investigators recovered the Telegram bot token and traced operator activity (nicknames splokk / cdjsend) via forum posts and code overlap in AutoIt forums.
MITRE Techniques
- [T1189] Drive-by Compromise – Malware distributed via infected installers bundled with torrent downloads. Note that no browser exploit was involved: the victim fetched the torrent from topsoft[.]space and ran the bundled installer, so the execution step is the User Execution entry below. (‘the torrent file is downloaded from the website topsoft[.]space’)
- [T1204.002] User Execution: Malicious File – Execution required the victim to run the downloaded installation file. (‘the user just installed a program downloaded from a torrent site’)
- [T1053.005] Scheduled Task/Job: Scheduled Task – Multiple scheduled tasks were created to run malicious binaries every minute or at logon. (‘Task Microsoft\Windows\WindowsBackup\BackUpFiles: executes … every minute’)
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Registry modifications supported persistence and account hiding. The quoted key is not a Run key but the Winlogon SpecialAccounts\UserList value, which hides the attacker’s local account from the logon screen. (‘software\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist\john’ was set to 0)
- [T1562.001] Impair Defenses: Disable or Modify Tools – The malware added Defender exclusions, altered Defender settings, and removed AV services. (‘Adding exceptions in Windows Defender’ and ‘Removing services related to Malwarebytes’)
- [T1027.002] Obfuscated Files or Information: Software Packing – Components were obfuscated and packed using Themida. (‘mostly compiled AutoIt scripts additionally obfuscated with the Themida packer’)
- [T1219] Remote Access Software – RMS client was installed to provide remote control as a backup channel. (‘Installing the RMS client: C:\ProgramData\windows tasks service\winserv.exe’)
- [T1560.001] Archive Collected Data: Archive via Utility – Telegram tdata was archived using 7z prior to exfiltration. (‘7z.exe a “C:\ProgramData\Setup\[USERNAME]_[COMPUTERNAME].7z” “C:\Users\[USERNAME]\AppData\Roaming\Telegram Desktop\tdata\*”’)
- [T1567] Exfiltration Over Web Service – Stolen data and collected info were sent to a Telegram bot acting as C2. (‘The malware sent the collected information to a Telegram bot, which acted as the C2 server.’)
- [T1083] File and Directory Discovery – The malware enumerated files and directories (including Telegram data). (‘The malware collected information about files and directories on a compromised host’)
- [T1057] Process Discovery – The malware gathered information about running processes to inform actions. (‘The malware gathered information about the victim’s computer’)
- [T1033] System Owner/User Discovery – The malware checked usernames/computer names and used them in environment checks. (‘Checking the environment. The malware terminates itself if the username matches…’)
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – Environment checks (usernames, machine names, OS version, presence of specific files) were used to avoid analysis/sandboxes. (‘The malware terminates itself if any of the following conditions are true: … Windows XP’)
- [T1070.004] Indicator Removal on Host: File Deletion – A cleanup batch (delete.bat) was executed to remove traces after installation. (‘Creating and executing the script C:\ProgramData\install\delete.bat to clean up the malware’s traces.’)
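Added example, not code from the report or from the campaign’s tooling: a small Python detector that turns the techniques listed above into rules and runs them over constructed Sysmon-style events (EventID 1 process creation command lines, EventID 13 registry value sets). The event lines, the path C:\ProgramData\install\7z.exe, the user name ‘alice’, host name ‘PC1’ and service name ‘MBAMService’ are assumptions for illustration; the technique IDs for hidden files/users and local account creation (T1564.001, T1564.002, T1136.001) are my mapping, not the page’s.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style events, NOT taken from the report: (EventID, payload).
# EventID 1 = process creation (CommandLine), EventID 13 = registry value set ("TargetObject = Details").
# Paths, the user "alice", the host "PC1" and the service "MBAMService" are assumptions.
SAMPLE_EVENTS = [
    (1, r'C:\Windows\System32\cmd.exe /c attrib +s +h "C:\ProgramData\ReaItekHD"'),
    (1, r'schtasks /create /tn "Microsoft\Windows\WindowsBackup\BackUpFiles" /tr "C:\ProgramData\ReaItekHD\taskhost.exe" /sc minute /mo 1 /f'),
    (1, r'powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\ReaItekHD"'),
    (13, r'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = DWORD (0x00000000)'),
    (1, r'net user john P@ssw0rd /add'),
    (1, r'sc delete MBAMService'),
    (1, r'"C:\ProgramData\install\7z.exe" a "C:\ProgramData\Setup\alice_PC1.7z" "C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\*"'),
    (1, r'C:\ProgramData\rdpwinst.exe -i'),
    (1, r'C:\Windows\System32\svchost.exe -k netsvcs'),  # benign
    (1, r'schtasks /create /tn "Adobe Acrobat Update Task" /tr "C:\Program Files\Adobe\Update.exe" /sc daily'),  # benign
]

# (rule name, MITRE technique, Sysmon EventID the rule applies to, pattern over the payload)
RULES = [
    # attrib +s +h on a ProgramData path = the "SuperHidden" trick used on the attacker folders
    ("superhidden_attrib_programdata", "T1564.001", 1,
     re.compile(r"\battrib\b(?=.*\+s)(?=.*\+h).*programdata", re.I)),
    # task pointing into ProgramData that fires every minute or at logon
    ("schtask_minute_or_logon_programdata", "T1053.005", 1,
     re.compile(r'schtasks(?=.*/create)(?=.*/tr\s+"?c:\\programdata)(?=.*/sc\s+(minute|onlogon))', re.I)),
    ("defender_exclusion_added", "T1562.001", 1,
     re.compile(r"add-mppreference.*-exclusion(path|process|extension)", re.I)),
    # SpecialAccounts\UserList\<name> = 0 hides <name> from the logon screen
    ("logon_account_hidden", "T1564.002", 13,
     re.compile(r"winlogon\\specialaccounts\\userlist\\\S+\s*=\s*dword\s*\(0x0+\)", re.I)),
    ("local_account_created", "T1136.001", 1,
     re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("av_service_deleted", "T1562.001", 1,
     re.compile(r"\bsc(\.exe)?\s+delete\s+(mbam|malwarebytes)", re.I)),
    ("telegram_tdata_archived", "T1560.001", 1,
     re.compile(r'7z(\.exe)?"?\s+a\s+.*telegram desktop\\tdata', re.I)),
    ("rdp_wrapper_installed", "T1219", 1,
     re.compile(r"rdpwinst(\.exe)?\s+-i\b", re.I)),
]


@dataclass(frozen=True)
class Hit:
    rule: str
    technique: str
    event_id: int
    payload: str


def scan_events(events):
    """Apply every rule whose EventID matches; return one Hit per (rule, event) match."""
    hits = []
    for event_id, payload in events:
        for name, technique, wanted_id, pattern in RULES:
            if event_id == wanted_id and pattern.search(payload):
                hits.append(Hit(name, technique, event_id, payload))
    return hits


def summarize(hits):
    """Count hits per rule. A host tripping several distinct rules within a short window is
    far more interesting than any single one; triage on the breadth, not a lone match."""
    counts = {}
    for h in hits:
        counts[h.rule] = counts.get(h.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan_events(SAMPLE_EVENTS):
        print(f"[{h.technique}] {h.rule}: {h.payload}")
    print(summarize(scan_events(SAMPLE_EVENTS)))
```

The two benign lines (a normal svchost launch and a daily vendor update task under Program Files) are there to show the rules key on the combination of path, schedule and attribute flags rather than on the tool name alone; a plain `schtasks /create` or `attrib +h` by itself is too common to alert on.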
Indicators of Compromise
- [Domain] distribution / C2 / update infrastructure – topsoft[.]space, taskmgr[.]xyz, rundll[.]xyz, unsecapp[.]xyz (and 6 more domains)
- [IP / FTP] download server with credentials – 193.32.188[.]10 (FTP access used with login ‘alex’ / password ‘easypassword’)
- [File paths / filenames] installed binaries and installers – C:\ProgramData\ReaItekHD\taskhost.exe, C:\ProgramData\windows tasks service\winserv.exe, C:\ProgramData\rdpwinst.exe (RDP Wrapper installer), and other files like scupdate.exe
- [Executables / tools] bundled components and exploits – XMRig (miner), Eternalblue-2.2.0.exe and Doublepulsar-1.3.1.exe (extracted from scaner.dat), and Themida-packed AutoIt scripts
- [Archive / data exfiltration targets] Telegram data and C2 token usage – archived Telegram Desktop tdata (e.g., C:\ProgramData\Setup\[USERNAME]_[COMPUTERNAME].7z) and use of a Telegram bot token to receive stolen data
The following technical summary focuses on the infection and post-exploitation procedures used by the campaign.
The initial vector was a malicious installer bundled with pirated software distributed via a torrent from topsoft[.]space; the installer deployed multiple AutoIt-based components obfuscated with Themida. On execution the payload performed environment/sandbox checks (usernames, machine names, OS version, presence of specific desktop files) and then prepared the system by setting the System and Hidden (‘SuperHidden’) attributes on attacker-controlled folders (e.g., C:\ProgramData\WindowsTask, C:\ProgramData\ReaItekHD, C:\ProgramData\Setup), which Explorer hides by default even when ‘show hidden files’ is enabled. Persistence was established using several scheduled tasks (e.g., Microsoft\Windows\WindowsBackup\BackUpFiles, CheckUP, GlobalData) and registry modifications (including hiding the local ‘john’ account from the logon screen through the Winlogon SpecialAccounts\UserList key). The malware also attempted to create a local administrative user, installed an RMS client (C:\ProgramData\windows tasks service\winserv.exe), and executed an RDP Wrapper installer (rdpwinst.exe) to enable remote access.
To evade and disable host defenses the malware added Windows Defender exclusions, modified Defender-related registry keys, removed AV-related services (e.g., Malwarebytes), changed firewall rules to permit attacker binaries, and altered file/folder permissions for many AV and system paths so that defenders could not easily inspect or remove the files. It archived Telegram session data (tdata) using 7z and exfiltrated the collected information to a Telegram bot acting as C2. Other active functionalities included deploying XMRig for cryptomining, continuously polling the clipboard and replacing a copied wallet address with an attacker-controlled one fetched from taskmgr[.]xyz or rundll[.]xyz whenever the server responded ‘ONLINE’, and retrieving additional payloads from FTP (193.32.188[.]10), where an encrypted executable (decrypted with an RC2 key embedded in the script) could be downloaded and executed. Investigators also recovered the Telegram bot token from samples, enumerated the bot’s messages to identify the operator, and correlated AutoIt forum posts and code fragments to link the actor (splokk / cdjsend) to the malicious code.
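The clipboard wallet hijacking described above, as an added example that is neither the campaign’s code nor code from the original report: a Python model of the clipper’s substitution rule (swap only when the operator’s server says ‘ONLINE’ and only when the clipboard holds a recognised wallet address) next to a detector that spots such a swap in a history of clipboard snapshots. The wallet addresses, timestamps and the replacement-wallet dictionary are constructed for illustration; the real module fetched its replacement IDs over HTTP from taskmgr[.]xyz / rundll[.]xyz, which a plain dictionary stands in for here.

```python
import re
from datetime import datetime, timedelta

# Loose public address formats (prefix + charset + length). Enough to tell coins apart
# for a swap check; not a substitute for checksum validation. More coins slot in here.
WALLET_PATTERNS = {
    "BTC": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_wallet(text: str):
    """Return the coin whose address format `text` matches, or None for ordinary text."""
    text = text.strip()
    for coin, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


# --- Attacker side: the clipper's decision on each clipboard poll (model, no clipboard access) ---
def clipper_substitute(clipboard_text: str, replacement_wallets: dict, server_status: str) -> str:
    """Swap the copied address for the operator's address of the same coin, but only while the
    operator's server answers 'ONLINE'; anything else (or unknown text) passes through unchanged."""
    if server_status != "ONLINE":
        return clipboard_text
    coin = classify_wallet(clipboard_text)
    if coin is None or coin not in replacement_wallets:
        return clipboard_text
    return replacement_wallets[coin]


# --- Defender side: spot the swap from a chronological list of (timestamp, clipboard_text) ---
def detect_clipper(snapshots, window=timedelta(seconds=5)):
    """Flag consecutive snapshots where a wallet address of coin X became a *different* address
    of the same coin within `window`. Users rarely copy two distinct addresses of one coin a few
    seconds apart; a clipper does exactly that, right after the user copies."""
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        coin_before, coin_after = classify_wallet(before), classify_wallet(after)
        if (coin_before is not None and coin_before == coin_after
                and before.strip() != after.strip() and t1 - t0 <= window):
            alerts.append({"coin": coin_before, "original": before.strip(),
                           "replacement": after.strip(), "seconds": (t1 - t0).total_seconds()})
    return alerts


# Constructed sample data (assumptions, not from the report).
USER_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
ATTACKER_BTC = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
USER_ETH = "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"
ATTACKER_ETH = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
REPLACEMENT_WALLETS = {"BTC": ATTACKER_BTC, "ETH": ATTACKER_ETH}

T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_SNAPSHOTS = [
    (T0, USER_BTC),
    (T0 + timedelta(milliseconds=500), ATTACKER_BTC),   # swapped half a second after the copy
    (T0 + timedelta(seconds=60), "meeting notes for tomorrow"),
    (T0 + timedelta(seconds=90), USER_ETH),
    (T0 + timedelta(seconds=91), ATTACKER_ETH),         # same pattern for ETH
    (T0 + timedelta(seconds=200), USER_BTC),
    (T0 + timedelta(seconds=260), ATTACKER_BTC),        # a full minute later: a second user copy, not flagged
]

if __name__ == "__main__":
    print("ONLINE :", clipper_substitute(USER_BTC, REPLACEMENT_WALLETS, "ONLINE"))
    print("OFFLINE:", clipper_substitute(USER_BTC, REPLACEMENT_WALLETS, "OFFLINE"))
    for alert in detect_clipper(SAMPLE_SNAPSHOTS):
        print(alert)
```

The detector keys on coin type rather than exact address, so it also catches a swap from a legacy ‘1…’ Bitcoin address to a bech32 ‘bc1…’ one, which is what the constructed first pair shows; the 5-second window is a tuning knob, and the ‘ONLINE’ gate on the attacker side is why a clipper may look dormant in a sandbox whose egress is blocked.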