APT Group Targets Web3 Support Teams With Malware Hidden as Customer Screenshots

On 17 April 2026, the threat intelligence community received a new threat report from CODERED_VTA titled Working the Queue: APT‑Q‑27 Malware Targets Web3 Customer Support. The report details a highly targeted campaign that exploits the human element of customer support teams in the Web3 and cryptocurrency sectors.

Unlike traditional APT operations that focus on open ports or software vulnerabilities, this campaign is engineered to coerce a support agent into executing a seemingly innocuous image file. The attacker’s lure is a shortlink that presents itself as a screenshot of a user’s problem. The link contains the word Google – a familiar name that lowers suspicion – and when clicked it downloads a file with a name that looks like a photo. On Windows, the .exe suffix is hidden by default, so the victim sees only the image extension.

The file is actually a .pif executable, a legacy Windows format that runs like any other program but is rarely recognized by users. Upon execution, the file opens Microsoft Paint to display a fake 503 error page, reinforcing the illusion that the link failed. Behind the scenes, the malware begins a multi‑stage infection chain.

First, the loader fetches a manifest from an AWS S3 dead‑drop. The manifest lists several DLLs and an executable that are downloaded to a staging directory that mimics the Windows Update cache. The directory is hidden and not indexed by Windows Search, making it invisible in Explorer. The loader then launches a legitimate signed binary, updat.exe, from the staging directory with the working directory set to the hidden path. Because updat.exe imports vcruntime140.dll and msvcp140.dll, Windows loads the malicious copies dropped in the staging directory, sideloading the payload without raising an alert.

After the DLLs are loaded, the backdoor decrypts an embedded log file, yyext.log, which contains raw x86 shellcode. The shellcode is compressed with LZNT1 and has no standard PE header, preventing signature‑based detection. Once decompressed, it creates a 32‑bit DLL that acts as a persistent backdoor. The final implant communicates with 37 hardened C2 servers over TCP port 15628, a port that is not associated with any legitimate service.

APT‑Q‑27, also known as GoldenEyeDog, originated from China and has a long history of targeting the gambling and cryptocurrency industries. Their use of legitimate software (YY platform binaries) and sophisticated obfuscation (runtime string decryption, double‑Base64 encoding, and custom XOR keys) demonstrates a high level of operational security. The campaign’s infrastructure includes AWS S3 buckets, a variety of IP addresses across Hong Kong, Japan, the US, and the Philippines, and a consistent use of the non‑standard port 15628.

Security analysts should monitor for the following indicators of compromise (IOCs):

Mitigation recommendations include:

  • Enable file extension visibility on all workstations to prevent disguised executables.
  • Deploy host‑based intrusion detection that watches for DLL sideloading from non‑standard directories.
  • Block outbound traffic on TCP port 15628 and whitelist only known legitimate services.
  • Implement a change‑management policy that audits the creation of hidden directories in user profiles.
  • Use application whitelisting to restrict execution of unknown binaries, especially those with cryptic names.

In summary, the APT‑Q‑27 campaign demonstrates a shift from passive watering holes to active exploitation of human trust in support channels. By blending malicious payloads with legitimate software and leveraging sophisticated obfuscation, the threat actors can bypass many conventional defenses. Continuous monitoring of the indicators above, combined with user education and stricter file‑type policies, will reduce the attack surface and help defenders detect and respond to this threat more effectively.

Leave a Reply

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading