1inch: Cyberattack On Web3 Support Staff Uses Fake Screenshots For Malware Delivery

Sophisticated Malware Campaign Targets Web3 Support Teams via Fake Screenshots

A highly targeted malware campaign is exploiting customer support channels of Web3 platforms, with decentralized exchange 1inch recently identifying a persistent threat aimed at its staff. Attackers masquerade as frustrated users seeking transaction assistance, sharing links disguised as innocuous screenshots. Instead, these links trigger a multi-stage infection chain designed to compromise workstations and establish persistent backdoor access.

This shift marks a tactical evolution for threat actors, moving from passive watering-hole attacks to direct social engineering against customer-facing employees. Security researchers have attributed the activity with moderate confidence to APT-Q-27 (GoldenEyeDog), a financially motivated Chinese-nexus group active since at least 2022. The group has a documented history of targeting the global cryptocurrency and gambling sectors.

Attack Anatomy

The malware employs a custom runtime encryption scheme to conceal strings, preventing plaintext URLs or file paths from being stored on disk. Upon execution, the initial loader performs anti-debugging and sandbox-evasion checks before retrieving a payload manifest from an AWS S3 dead drop. The malware then downloads a six-file package into a hidden staging directory, impersonating the Windows Update cache (with a unique @27 tag) to evade detection.

The attack relies on DLL sideloading: the package contains a legitimately signed executable (updat.exe) from the YY platform alongside malicious copies of vcruntime140.dll and msvcp140.dll. Because the Windows DLL search order checks the application's own directory before the system directories, the executable loads the attacker's libraries instead of the genuine runtime. The malicious code therefore runs inside the process of a trusted, signed application, and signature verification, which covers only the executable itself, never examines it.

Infrastructure & Attribution

The final backdoor communicates with 37 distinct command-and-control (C2) servers over TCP port 15628, using a 16-byte rolling XOR cipher to encrypt traffic. Several C2 IPs reside on autonomous systems previously linked to APT-Q-27, with geolocation obfuscation masking their origins.
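The two behaviours described above, a runtime DLL loaded from beside a signed executable outside the system directories and an outbound connection on the reported C2 port, are the kind of thing a defender can hunt for in endpoint telemetry. The following is an added example, not code from the article or from 1inch: it runs simple detection rules over a few constructed, Sysmon-style `key=value` log lines. The port number and the three file names come from the article; the staging-directory path, host names and IP addresses in the sample lines are placeholders invented for the example, not the real indicators.

```python
"""Hunt rules for the DLL-sideloading and C2-port behaviours described in the article.

Log format and sample events are constructed for this example; only the port
and the three indicator file names are taken from the article's text.
"""
import ntpath
import re

# Indicators named in the article.
SIDELOAD_DLLS = {"vcruntime140.dll", "msvcp140.dll"}
IOC_FILENAMES = {"photo2025060268jpg.exe", "feedback.exe", "updat.exe"}
C2_PORT = 15628

# Directories from which the genuine VC++ runtime is normally loaded.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Constructed sample telemetry: one event per line, space-free key=value fields.
# The wu_cache@27 path is a placeholder, not the campaign's real staging directory.
SAMPLE_LOG = [
    r"event=ImageLoad image=C:\Windows\System32\svchost.exe loaded=C:\Windows\System32\vcruntime140.dll",
    r"event=ImageLoad image=C:\Users\alice\AppData\Local\Temp\wu_cache@27\updat.exe loaded=C:\Users\alice\AppData\Local\Temp\wu_cache@27\vcruntime140.dll",
    r"event=ImageLoad image=C:\Users\alice\AppData\Local\Temp\wu_cache@27\updat.exe loaded=C:\Users\alice\AppData\Local\Temp\wu_cache@27\msvcp140.dll",
    r"event=NetworkConnect image=C:\Users\alice\AppData\Local\Temp\wu_cache@27\updat.exe dst=203.0.113.10 dst_port=15628",
    r"event=NetworkConnect image=C:\Program_Files\Browser\browser.exe dst=198.51.100.5 dst_port=443",
    r"event=ProcessCreate image=C:\Users\alice\Downloads\photo2025060268jpg.exe parent=C:\Users\alice\Downloads\chat.exe",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'key=value key=value' line into a dict (values contain no spaces)."""
    return dict(FIELD_RE.findall(line))


def in_system_dir(path):
    """True if the path sits under one of the trusted Windows runtime directories."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def check_event(ev):
    """Apply the hunt rules to one parsed event; returns a list of (rule, detail)."""
    findings = []
    kind = ev.get("event")
    image = ev.get("image", "")

    if kind == "ImageLoad":
        loaded = ev.get("loaded", "")
        # Sideloading signature: a runtime DLL name, loaded from the executable's own
        # directory rather than from a system directory.
        if (ntpath.basename(loaded).lower() in SIDELOAD_DLLS
                and not in_system_dir(loaded)
                and ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower()):
            findings.append(("dll_sideload", loaded))

    elif kind == "NetworkConnect":
        # Any outbound connection to the reported C2 port is worth a look.
        if ev.get("dst_port") == str(C2_PORT):
            findings.append(("c2_port", f"{image} -> {ev.get('dst')}:{C2_PORT}"))

    elif kind == "ProcessCreate":
        # File names from the article's indicator list.
        if ntpath.basename(image).lower() in IOC_FILENAMES:
            findings.append(("ioc_filename", image))

    return findings


def hunt(lines):
    """Run every rule over every line; returns findings with 1-based line numbers."""
    results = []
    for n, line in enumerate(lines, 1):
        for rule, detail in check_event(parse_event(line)):
            results.append({"line": n, "rule": rule, "detail": detail})
    return results


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f['line']}: {f['rule']}: {f['detail']}")
```

The sideload rule deliberately requires the DLL to sit in the same directory as the executable and outside the system directories; the same DLL names loaded from System32 (the first sample line) are the normal case and are not reported. In real telemetry the file-name rule is the weakest of the three, since names are trivial to change, whereas the load-path rule catches the technique regardless of which signed host binary is used.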

Key indicators include:

  • Initial loader (photo2025060268jpg.exe) – Disguised as an image file.
  • Primary loader (Feedback.exe) – .NET dropper.
  • Legitimate binary (updat.exe) – Used for sideloading.

The campaign underscores the growing sophistication of threats targeting Web3 infrastructure, where social engineering and evasion techniques are increasingly refined.

Source: https://cyberpress.org/fake-screenshots-infect-web3-support/

1inch cybersecurity rating report: https://www.rankiteo.com/company/1inchcom

{
  "id": "1IN1774607100",
  "linkid": "1inchcom",
  "type": "Cyber Attack",
  "date": "6/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {"industry": "Cryptocurrency/Web3", "name": "1inch", "type": "Decentralized Exchange"}
  ],
  "attack_vector": "Social Engineering (Fake Screenshots), DLL Sideloading",
  "description": "A highly targeted malware campaign is exploiting customer support channels of Web3 platforms, with decentralized exchange 1inch recently identifying a persistent threat aimed at its staff. Attackers masquerade as frustrated users seeking transaction assistance, sharing links disguised as innocuous screenshots. These links trigger a multi-stage infection chain designed to compromise workstations and establish persistent backdoor access.",
  "impact": {
    "operational_impact": "Persistent backdoor access established",
    "systems_affected": "Workstations of Web3 support teams"
  },
  "initial_access_broker": {
    "backdoors_established": "Persistent backdoor access",
    "entry_point": "Customer support channels via fake screenshots",
    "high_value_targets": "Web3 support teams"
  },
  "motivation": "Financial Gain",
  "post_incident_analysis": {
    "root_causes": "Social engineering, DLL sideloading, evasion techniques"
  },
  "references": [{"source": "1inch Security Report"}],
  "threat_actor": "APT-Q-27 (GoldenEyeDog)",
  "title": "Sophisticated Malware Campaign Targets Web3 Support Teams via Fake Screenshots",
  "type": "Malware Campaign",
  "vulnerability_exploited": "DLL Sideloading via YY platform's updat.exe"
}