1inch, a decentralized exchange, found a threat consistently aimed at its support staff. This article explores the attack infrastructure. Attackers pretended to be frustrated users who needed help with transactions and sent links that looked like harmless screenshots.

These links didn't just show a normal image; they started a complicated infection chain meant to compromise workstations and give the attackers persistent access. Security researchers have tracked the tooling and infrastructure and, with some confidence, linked the activity to APT-Q-27, a financially motivated group also known as GoldenEyeDog. This campaign shows a change in strategy for threat actors, who now use direct social engineering against customer-facing employees instead of passive watering-hole attacks. Infrastructure analysis of the final backdoor shows that it has hardcoded communication with 37 different command-and-control servers.

All outgoing traffic goes through TCP port 15628, and network communications are encrypted with a custom 16-byte rolling XOR cipher. In the Web3 space, system administrators should make sure that file extensions are visible on all workstations so that hidden executables can be spotted easily. Also, defenders of the zeroshadow network need to watch for unexpected outbound connections on port 15628 and the simultaneous zeroing of UAC registry keys.

The malware fetches a payload manifest from a dead drop on AWS S3 and downloads a six-file package to a hidden staging folder. The directory path deliberately mimics the Windows Update cache to avoid casual security monitoring, and the hidden folder name always carries a distinctive @27 tag.
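As an added example (not code from the article or from 1inch), the three detection checks above turned into a small log triage script: flag outbound TCP to port 15628, flag hosts where several UAC policy values are zeroed within the same short window, and flag directory names carrying the @27 tag. The log lines, host names, IP addresses, the 60-second window and the Windows Update cache path in the check are constructed for illustration.

```python
from datetime import datetime

# Constructed sample logs (not from the article): a firewall export and a
# registry-change feed, one "timestamp key=value ..." record per line.
FIREWALL_LOG = """\
2024-01-10T09:12:01Z src=10.0.5.21 dst=203.0.113.7 dport=443 proto=tcp
2024-01-10T09:12:08Z src=10.0.5.21 dst=198.51.100.9 dport=15628 proto=tcp
2024-01-10T09:12:09Z src=10.0.5.33 dst=203.0.113.50 dport=15628 proto=udp
"""
REGISTRY_LOG = """\
2024-01-10T09:13:00Z host=WS-07 value=EnableLUA data=0
2024-01-10T09:13:00Z host=WS-07 value=ConsentPromptBehaviorAdmin data=0
2024-01-10T09:13:01Z host=WS-07 value=PromptOnSecureDesktop data=0
2024-01-10T10:00:00Z host=WS-02 value=EnableLUA data=0
2024-01-10T11:30:00Z host=WS-02 value=PromptOnSecureDesktop data=0
"""
C2_PORT = 15628        # hardcoded C2 port described in the article
STAGING_TAG = "@27"    # tag appended to the hidden staging folder name
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}

def _parse(line: str) -> dict:
    """Split one record into a dict; the leading token is the timestamp."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = ts
    return rec

def find_c2_port_hits(log: str) -> list:
    """Outbound TCP flows to the backdoor port; other ports and UDP are ignored."""
    return [r for r in map(_parse, log.splitlines())
            if r.get("proto") == "tcp" and r.get("dport") == str(C2_PORT)]

def find_uac_zeroing(log: str, window_s: int = 60) -> dict:
    """Hosts where two or more UAC values were set to 0 within window_s seconds."""
    by_host: dict = {}
    for r in map(_parse, log.splitlines()):
        if r.get("value") in UAC_VALUES and r.get("data") == "0":
            t = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
            by_host.setdefault(r["host"], []).append((t, r["value"]))
    flagged = {}
    for host, events in by_host.items():
        events.sort()
        for i, (t, _) in enumerate(events):  # slide a window from each event
            burst = {v for (u, v) in events[i:] if (u - t).total_seconds() <= window_s}
            if len(burst) >= 2:
                flagged[host] = sorted(burst)
                break
    return flagged

def is_staging_dir(path: str) -> bool:
    """True if any path component carries the @27 staging-folder tag."""
    return any(STAGING_TAG in part for part in path.replace("\\", "/").split("/"))
```

Isolated UAC changes hours apart (WS-02 in the sample) are not flagged, which keeps legitimate administration out of the alert; only the burst pattern the article describes is reported.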

The attackers use a classic DLL sideloading technique to run their payload.