The article provides a comprehensive technical analysis of the Windows-based Blitz malware, detailing its distribution via backdoored game cheats, its two-stage architecture consisting of a downloader and bot payload, and its abuse of the Hugging Face platform for command and control (C2) infrastructure. It also discusses the malware operator’s social media activities, the infection distribution, and the eventual apparent abandonment of Blitz by its developer. #BlitzMalware #HuggingFace #sw1zzx
Key points
- Blitz malware is a two-stage Windows-based malware composed of a downloader and a bot payload that performs keylogging, screenshot capturing, file operations, and denial-of-service attacks.
- The latest Blitz malware versions (released in early 2025) were distributed through backdoored game cheats for the game Standoff 2 via Telegram channels operated by a Russian-speaking actor known as sw1zzx.
- Blitz abuses Hugging Face Spaces, a platform for AI applications, to host its C2 infrastructure and payload files, including both the bot and an XMRig Monero cryptocurrency miner.
- The malware employs anti-sandbox and anti-virtualization techniques to evade analysis, including CPU timing checks, environment checks for processors, screen resolution, device drivers, and registry keys.
- The Blitz bot communicates with its C2 using a REST API built with FastAPI, registers victim system information, and supports commands such as keydump, screenshot, directory changes, DDoS, and arbitrary command execution.
- By late April 2025, Blitz had infected at least 289 systems across 26 countries, with the highest concentration in Russia, Ukraine, Belarus, and Kazakhstan.
- The malware operator announced leaving the project in May 2025 and released a cleaner tool to help users remove Blitz infections from their systems.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Blitz uses PowerShell one-liners to download the next malware stage. (‘PowerShell one-liner to download the next malware stage’)
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Blitz creates persistence by adding entries under the Windows registry keys HKCU\Environment and HKCU\Software\Microsoft\Windows\CurrentVersion\Run. (‘logon script entry in the Windows registry for persistence… HKCU\Environment named UserInitMprLogonScript’)
- [T1060] Registry Run Keys / Startup Folder – Additional persistence is achieved with the registry value EdgeUpdater under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. (‘creates an additional Windows registry entry at HKCU\Software\Microsoft\Windows\CurrentVersion\Run named EdgeUpdater’)
- [T1105] Ingress Tool Transfer – Malware stages and C2 commands are downloaded from URLs hosted on Hugging Face Spaces and pastebin. (‘Blitz downloader retrieves the bot payload from a Hugging Face Space’)
- [T1071.001] Application Layer Protocol: Web Protocols – Blitz bot communicates with its C2 using HTTP REST API endpoints built on FastAPI over HTTPS. (‘Blitz bot sends the collected victim data with an HTTP POST request to… hf[.]space’)
- [T1036] Masquerading – Blitz malware masquerades as cracked game cheats to disguise infection vectors. (‘The backdoored game cheats were distributed as cracked versions of commercial cheats’)
- [T1057] Process Discovery – Blitz downloader checks for the RuntimeBroker.exe process to inject the bot payload. (‘Blitz downloader checks whether the Windows application RuntimeBroker.exe is running so it can inject the downloaded Blitz bot payload’)
- [T1056] Input Capture – Blitz bot implements keylogging functionality to capture keystrokes on infected systems. (‘Blitz bot performs keylogging and constantly writes the logged keystrokes…’)
- [T1113] Screen Capture – Blitz bot takes screenshots and stores/uploads them to the C2. (‘screenshot command creates and uploads PNG screenshots’)
- [T1499] Endpoint Denial of Service – Blitz bot can carry out denial-of-service attacks using the ‘strss’ command. (‘Do an HTTP GET request for a specified URL for a specific number of times (DDoS)’)
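As an added detection example (not code from the Unit 42 write-up), the following Python scans registry value-set events for the two Blitz persistence locations listed above: the UserInitMprLogonScript value under HKCU\Environment and the EdgeUpdater value under the HKCU Run key. The event lines, their field layout and the RuntimeBroker.exe writer are constructed for the example; real Sysmon Event ID 13 records log per-user hives as HKU\<SID>\..., which the normaliser folds to HKCU.

```python
import re
from dataclasses import dataclass

# Persistence locations named for Blitz on this page (lower-case, HKCU form).
BLITZ_PERSISTENCE = {
    r"hkcu\environment\userinitmprlogonscript":
        "T1547.001 logon script value UserInitMprLogonScript",
    r"hkcu\software\microsoft\windows\currentversion\run\edgeupdater":
        "T1547.001 Run key value EdgeUpdater",
}

@dataclass
class RegEvent:
    image: str          # process that wrote the value
    target_object: str  # full registry path of the value
    details: str        # data written

def normalise_key(target: str) -> str:
    """Fold HKU\\<user SID>\\... and HKEY_CURRENT_USER\\... to HKCU\\... and
    lower-case the path so the lookup is case-insensitive."""
    t = target.strip()
    t = re.sub(r"^HKU\\S-1-5-21-[\d-]+\\", r"HKCU\\", t, flags=re.IGNORECASE)
    t = re.sub(r"^HKEY_CURRENT_USER\\", r"HKCU\\", t, flags=re.IGNORECASE)
    return t.lower()

def parse_event(line: str) -> RegEvent:
    """Parse a constructed 'Field=value | Field=value' record (assumed format)."""
    fields = dict(part.split("=", 1) for part in line.split(" | "))
    return RegEvent(fields["Image"], fields["TargetObject"], fields.get("Details", ""))

def find_blitz_persistence(lines):
    """Return (technique label, writing process, data) for each matching event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        label = BLITZ_PERSISTENCE.get(normalise_key(ev.target_object))
        if label:
            hits.append((label, ev.image, ev.details))
    return hits

SID = "S-1-5-21-1111-2222-3333-1001"  # constructed user SID
SAMPLE_EVENTS = [  # constructed records; only the first two should match
    f"Image=C:\\Windows\\System32\\RuntimeBroker.exe | TargetObject=HKU\\{SID}\\Environment\\UserInitMprLogonScript | Details=<script path placeholder>",
    f"Image=C:\\Windows\\System32\\RuntimeBroker.exe | TargetObject=HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\EdgeUpdater | Details=<payload path placeholder>",
    f"Image=C:\\Program Files\\Microsoft\\Edge\\msedge.exe | TargetObject=HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive | Details=<benign entry>",
]

if __name__ == "__main__":
    for hit in find_blitz_persistence(SAMPLE_EVENTS):
        print(hit)
```

The UserInitMprLogonScript value is rarely set by legitimate software, so a match there is a stronger signal than a Run-key entry, which needs the EdgeUpdater name and writer process to be taken together.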
Indicators of Compromise
- [SHA256 Hashes] Backdoored NerestPC game cheats – 14467edd617486a1a42c6dab287ec4ae21409a5dc8eb46d77b853427b67d16d6, 1bd55796ec712a98cf30fac404b29fcb2cdaa355cb596edcc12d8fbd918b4138, and more.
- [SHA256 Hashes] Backdoored Elysium game cheats – 056fb07672dac83ef61c0b8b5bdc5e9f1776fc1d9c18ef6c3806e8fb545af78c, 1697daef685ce47578e44e2d19fa8e01c755de7fa297716b89e764ea046db1a0, and more.
- [SHA256 Hashes] First-stage downloaders (ieapfltr.dll) – 0e80fe5636336b70b1775e94aaa219e6aa27fcf700f90f8a5dd73a22c898d646, cacc1f36b3817e8b48fabbb4b4bd9d2f1949585c2f5170e3d2d04211861ef2ac, and more.
- [SHA256 Hashes] Blitz bot payloads – ae2f4c49f73f6d88b193a46cd22551bb31183ae6ee79d84be010d6acf9f2ee57, 88e2d0d59a9751e4ce5223951f5a75b1731b1ee82d18705aba83ba4bd7e8e5c1.
- [SHA256 Hashes] XMRig cryptocurrency miner – 47ce55095e1f1f97307782dc4903934f66beec3476a45d85e33e48d63e1f2e15.
- [Mutex Names] mutexes used by Blitz – 7611646b02ffd5de6cb3f41d0721f2ba, 9bdcf5f16cb8331241b2997ef88d2a67.
- [Domains] Hugging Face Spaces for C2 and payload hosting – huggingface[.]co/spaces/e445a00fffe335d6dac0ac0fe0a5accc/9591beae439b860a9cf93b26b2dc97e0, huggingface[.]co/spaces/swizxx/blitz.net.
- [URLs] Pastebin URLs used in the infection chain – pastebin[.]com/raw/FSziK5eW, pastebin[.]com/raw/RzLEd17Z.
- [URLs] Telegram channel associated with malware operator – t[.]me/sw1zzx_dev.
Read more: https://unit42.paloaltonetworks.com/blitz-malware-2025/