Security Magic

Quick Summary A consolidated analysis of suspicious Microsoft Store utility apps, including WinDirStat and LightShot impersonators, that load a shared Go-based client.dll backconnect/proxy implant. Primary payload: client.dll Primary C2: mylabubus.shop Compiler: Go 1.24.9 Assessment: Backconnect / proxy malware Contents Executive Summary Key Findings Technical Analysis Evidence Summary Campaign Correlation Indicators of Compromise MITRE ATT&CK Mapping Responsible Disclosure Executive Summary I analyzed a suspicious Microsoft Store utility package, focusing in particular on a WinDirStat impersonator. The analysis combined manual reverse engineering and runtime testing with AI-assisted workflows using REMnux MCP, Malcat MCP with Claude, and automated sandbox analysis. The application presented itself as a normal Electron-based utility, but loaded a native Go DLL named client.dll through the Node.js FFI library koffi . Dynamic testing showed that this DLL regi...

YAPA (Yet Another PDF Application), EvilaAI, MediaArena, or whatever you want to call these, are continuously trying new tactics/techniques to evade detection. In this latest YAPA, I look at PDFizer, which uses Wix MSI installer to assist with making detection more difficult. I first posted a similar file,  FlyPDFy   on this  X post   PDFizer: MD5: 5843ff0c676bcf99039b2b46035fdf8e Signer: Shappi Corp Download: https://pdf-izer[.]com/ SandBox Run : File Extraction: Since this is a Wix installer, we can use Dark.exe to extract the MSI Then we can use a tool like less-msi to further extract all the remaining files: PDFCoreLibrary.dll  (.NET) PDFizer.exe  (.NET) PDFRefresh.exe (GO) It does appear that the .NET files are benign. However the MSI does create a scheduled task to run the PDFRefresh hourly. Interesting parts of the .NET: MessageBox.Show("Hello, I am just an ugly Test Update ...") public string GetHelloWorld()  {return "Hel...

The following is a test run of using Malcat with MCP . Malware Analysis Report — xchanger.exe Malware Analysis Report File: xchanger.exe  |  Analyzed: 2026-03-12  |  Tool: Malcat + .NET Disassembly MALICIOUS — Trojanized Installer / C2 Dropper File Metadata Filename xchanger.exe File Size 1,779,416 bytes (~1.7 MB) Type PE / .NET (DOTNET) Version 2.0.20.403 Internal Name XChanger.exe Copyright XChanger Copyright © 2026 SHA-256 356ca46f39b480d0ab523535f98e64ae0ec58fe1fdbb8ffc02f54b814445e9d0 Hardcoded XOR Key NetworkManager — Scramble / Unscramble Xt7Kp2Lm9Qw4Rv8Y-x1729583156 Length: 29 characters  |  Found at EA: 0xE771, 0xFB1A // Rolling XOR per character, then Base64-encoded for transmission byte lambda(char c, int i) { return (byte)(c ^ "Xt7Kp2Lm9Qw4Rv8Y-x1729583156"[i % 29]); } // Called by: PostPayloadAsync, SendConfigNotificationAsync, // TransmitProfileReportAsync, BeginSe...

In this series of YAPA (Yet Another PDF Application), I continue to document newly observed suspicious PDF converter applications. The latest one is DailyFile , which can be found on dailytapp[.]com.  The above image shows the a similar style to many other observed malicious pdf, document, and zip converter applications. Analysis: The analysis of this started by pivoting off of other known indicators, primarily the certificate signer: "Astras Novei LTD" which had also been observed with a malicious python based converter Ziply .  Additionally, "A1A Marketing Ltd." had been previously observed with other YAPA sites like pdf-star[.]com and powerdocapp[.]com. We also see "Sherlock Tech Ltd" which points to other YAPA samples as well. This is a .NET application, which makes it easy to load and observe in DnSpy. The YAPA here performs similar functions as previously observed instances. We can see simple obfuscation of "Google and Chrome", we can see i...

In this series of YAPA (Yet Another PDF Application), I continue to document newly observed suspicious PDF converter applications. The latest one is Zapdf , which can be found on zappdfapp[.]com. This site was also document on Northwave Cyber Security , and Nextron 's websites, both of which host numerous IOCs for similar applications. The above image shows the a similar style to many other observed malicious pdf, document, and zip converter applications. Analysis: app.any.run sandbox run  shows initial telemetry traffic POST, as well as the download of an updater binary.  Some interesting notes on this when running on a test VM. The initial application is a .NET staging application, it extracts the "benign" Zapdf.exe (also a .NET application), but not before sending some telemetry, fingerprinting the system, creating persistence, and downloading the suspicious ZapUpdater.exe .  This initial .NET loader looks very similar to other YAPAs observed in the past. Slight obfus...

GalacticPDF is another PDF reader/converter application I ran across that has the look and feel of EvilAI and YAPA programs I've observed over the past year. Many of these programs have websites that have a similar look and feel to the image below: Certificate Signer: As with many of these programs, there is a valid certificate signer "MONKEY DIGITAL LTD". These do tend to have interesting names. Also, as far as I can tell, this one has only been used with GalacticPDF. Google Ads: One place I've started looking with these is in Google's Ad Transparency to see if it looks a little off, or maybe to pivot to other programs being advertised by the same advertiser. GalacticPDF is adverstied by " Kiruguard Ltd ". This doesn't tell me much, but it does give me some visuals that again, look very similar to other EvilAI campaigns. Analysis: Honestly, at first this one had me a bit perplexed. It's a rust based program, which is something I don't have ...

Hello World. I have looked at a few interesting samples earlier this month that appear to fall into the same realm as many of the EvilAI PDF converters which have been reported last year.  The difference in this one is that instead of being inno packed, or an electron app, or a .NET application like some of the variations observed so far, this one is a python compiled application. The initial application observed was " PDFly ", which, after some pivoting on other information led to the discovery  Ziply , as well as PDFClick , and Rapidoc . These findings were shared on my X post as well. The challenge with these is that I am unable to use pyinstxtractor/pyinstxtractor-ng, there seems to be some level of customized pyinstaller magic here that I just don't know enough about. What I do know is that when running these applications they do drop an AppData\Local\Temp\_MEIXXXX directory, common with PyInstaller, and there is an embedded resource zip file with another EXE of th...