Microsoft Store Apps May Deliver Go Backconnect Proxy Malware
Analysis of fake utility installers delivering proxyware malware through the Microsoft App Store, with findings related to Ghostsocks.

Quick Summary

A consolidated analysis of suspicious Microsoft Store utility apps, including WinDirStat and LightShot impersonators, that load a shared Go-based client.dll backconnect/proxy implant.

Primary payload: client.dll
Primary C2: mylabubus.shop
Compiler: Go 1.24.9
Assessment: Backconnect / proxy malware

Contents

Executive Summary
Key Findings
Technical Analysis
Evidence Summary
Campaign Correlation
Indicators of Compromise
MITRE ATT&CK Mapping
Responsible Disclosure
Updates

Executive Summary

I analyzed a suspicious Microsoft Store utility package, focusing in particular on a WinDirStat impersonator. The analysis combined manual reverse engineering and runtime testing with AI-assisted workflows using REMnux MCP, Malcat MCP with Claude, and automated sandbox analysis. The application presented itself as a normal Electr...
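The summary attributes client.dll to the Go 1.24.9 toolchain and names mylabubus.shop as the primary C2. Both are things a responder can check directly on a sample: Go binaries carry a "Go buildinf:" record that embeds the toolchain version and module info, and the C2 domain is a plain string. The script below is an added triage example, not code from the original analysis; it assumes the Go >= 1.18 inline build-info layout (14-byte magic, pointer size, flags byte with the inline-version bit, 16 reserved bytes, then varint-length-prefixed version and modinfo strings), and the "image" it runs on is a constructed byte string, not the real client.dll.

```python
"""Pull the embedded Go build info out of a binary image and scan it for a
known C2 domain. Added triage example; the sample bytes are constructed and
are not taken from the client.dll described on the page."""

# Go toolchain buildinfo record: 14-byte magic, 1 byte pointer size,
# 1 byte flags, 16 reserved bytes (32-byte header in total).
BUILDINFO_MAGIC = b"\xff Go buildinf:"
HEADER_LEN = 32
FLAG_VERSION_INLINE = 0x2  # set by Go >= 1.18: version/modinfo follow inline


def _read_uvarint(buf, pos):
    """Decode an unsigned LEB128 varint, as Go's encoding/binary.Uvarint does."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if b < 0x80:
            return result, pos
        shift += 7


def _read_go_string(buf, pos):
    """Read a varint-length-prefixed string starting at pos."""
    n, pos = _read_uvarint(buf, pos)
    return buf[pos:pos + n].decode("utf-8", "replace"), pos + n


def extract_go_buildinfo(data):
    """Return {'version', 'modinfo'} for a Go binary with inline build info.

    Returns None when the magic is absent or the record uses the pre-1.18
    pointer-based layout (that layout is deliberately not handled here)."""
    off = data.find(BUILDINFO_MAGIC)
    if off < 0 or off + HEADER_LEN > len(data):
        return None
    flags = data[off + 15]
    if not flags & FLAG_VERSION_INLINE:
        return None
    pos = off + HEADER_LEN
    version, pos = _read_go_string(data, pos)
    modinfo, _ = _read_go_string(data, pos)
    return {"version": version, "modinfo": modinfo}


def find_ioc_domains(data, domains):
    """Return the known domains that occur as ASCII strings in the image."""
    return sorted(d for d in domains if d.encode() in data)


def _build_sample():
    """Constructed stand-in for a Go-built DLL: junk, a Go 1.24.9 build-info
    record, and the C2 domain as a NUL-terminated string."""
    version = b"go1.24.9"
    modinfo = b"path\tclient\nmod\tclient\t(devel)\n"  # hypothetical module info
    rec = (BUILDINFO_MAGIC + bytes([8, FLAG_VERSION_INLINE]) + b"\x00" * 16
           + bytes([len(version)]) + version
           + bytes([len(modinfo)]) + modinfo)
    return b"MZ" + b"\x00" * 64 + rec + b"\x00" * 16 + b"mylabubus.shop\x00"


SAMPLE_IMAGE = _build_sample()
KNOWN_C2 = {"mylabubus.shop"}  # from the page's Quick Summary


def triage(data, known_domains=KNOWN_C2):
    """Combine both checks into one record suitable for a triage note."""
    info = extract_go_buildinfo(data)
    return {
        "go_version": info["version"] if info else None,
        "matched_c2": find_ioc_domains(data, known_domains),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_IMAGE))
```

On a real sample, read the DLL with `open(path, "rb").read()` and pass the bytes to `triage`. A Go version string alone does not make a file malicious, but a "Go 1.24.9" utility DLL that also contains the C2 domain matches two of the page's stated findings at once, which is a cheap first filter before full analysis.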