
An active malware distribution campaign employs a fake X-VPN installer to deploy the STX RAT in memory and steal credentials from victims.
The campaign was documented by Cyderes threat researchers, who say the operation remained active after earlier disclosures, with the perpetrators rotating infrastructure and continuing the distribution of new malware-laced software packages.
The investigation began with previously identified trojanized versions of HWMonitor, CPU-Z, FileZilla, and LibreOffice. Additional threat hunting and reverse engineering uncovered seven more malicious packages tied to the same operation, bringing the total to 11.
Researchers traced several samples to a Bitbucket repository named amos-trading/dist-internal, allegedly maintained by an actor using the alias “Leda Elacoate” and the email address pufferfish11@firemail.cc. The repository hosted trojanized installers for Binance, Bybit, MEXC, MetaTrader 5, Exodus, Steam, and later X-VPN.

The threat actor initially focused on cryptocurrency traders and investors, likely seeking access to exchange accounts, wallets, and financial credentials. The campaign later expanded beyond crypto-focused targets with a fake Steam installer and eventually a trojanized X-VPN package.

All identified samples used the same infection chain. A malicious CRYPTBASE.dll file is bundled with legitimate software and loaded through DLL sideloading, launching a multi-stage process that injects STX RAT directly into memory while allowing the legitimate application to continue functioning normally.

STX RAT combines remote access capabilities with credential theft. Researchers say it can harvest browser passwords and session tokens, collect system information and clipboard contents, execute commands remotely, and communicate with command-and-control servers over HTTPS.
The campaign's infrastructure remained consistent throughout multiple waves. Researchers linked all samples to the supp0v3[.]com domain, although the operators rotated callback infrastructure from helloworld.supp0v3[.]com to welcome.supp0v3[.]com during the investigation.
The most notable addition to the campaign was a trojanized X-VPN installer; however, the report stresses that X-VPN itself was not compromised. The company's servers, infrastructure, and official distribution channels were unaffected, and only users who downloaded the malicious installer from attacker-controlled sources were at risk.
According to Howler Cell, the attackers abused a Windows DLL search-order weakness by packaging a malicious CRYPTBASE.dll alongside legitimate X-VPN application files.
The researchers disclosed the issue to X-VPN on May 18, 2026. The company acknowledged the report within two business days and released Windows version 77.5.3 on May 28, adding stricter DLL loading controls, startup integrity checks, and hardened DLL load policies.
Users should only download software from official vendor sources and avoid installers hosted on third-party repositories. Security teams are advised to monitor for CRYPTBASE.dll sideloading activity and block communications with the supp0v3[.]com infrastructure identified in the campaign.
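A defender-side illustration of the monitoring advice above, added here and not taken from the Cyderes report or any vendor tooling: Python detection logic run over constructed Sysmon-style image-load (Event ID 7) and DNS-query (Event ID 22) records, flagging CRYPTBASE.dll loaded from anywhere other than the Windows system directories, flagging lookups of the supp0v3[.]com domain or any subdomain (so rotated hosts are still caught), and then correlating both signals per process. The event field names, sample paths and sample events are assumptions constructed for the example.

```python
from pathlib import PureWindowsPath

# Directories where a genuine CRYPTBASE.dll lives; a load from anywhere else is a sideload candidate.
SYSTEM_DIRS = (r"\windows\system32", r"\windows\syswow64")
# Campaign domain from the report, written here without the defanging brackets.
C2_DOMAIN = "supp0v3.com"

# Constructed sample telemetry modelled on Sysmon Event ID 7 (ImageLoad) and 22 (DnsQuery).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\X-VPN\xvpn.exe",
     "ImageLoaded": r"C:\Program Files\X-VPN\CRYPTBASE.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll"},
    {"EventID": 22, "Image": r"C:\Program Files\X-VPN\xvpn.exe",
     "QueryName": "welcome.supp0v3.com"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "update.microsoft.com"},
]

def is_sideload(event):
    """True when CRYPTBASE.dll is loaded from outside the Windows system directories."""
    if event.get("EventID") != 7:
        return False
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.name.lower() != "cryptbase.dll":
        return False
    parent = str(loaded.parent).lower()
    return not any(parent.endswith(d) for d in SYSTEM_DIRS)

def is_c2_lookup(event):
    """True for a DNS query naming the campaign domain or any subdomain of it."""
    if event.get("EventID") != 22:
        return False
    name = event["QueryName"].lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)

def triage(events):
    """One (process, reason) finding per suspicious event, in input order."""
    findings = []
    for e in events:
        if is_sideload(e):
            findings.append((e["Image"], "CRYPTBASE.dll sideload from " + e["ImageLoaded"]))
        elif is_c2_lookup(e):
            findings.append((e["Image"], "DNS lookup of campaign infrastructure " + e["QueryName"]))
    return findings

def correlated_processes(events):
    """Processes that both sideloaded CRYPTBASE.dll and resolved the campaign domain (high confidence)."""
    loaders = {e["Image"].lower() for e in events if is_sideload(e)}
    callers = {e["Image"].lower() for e in events if is_c2_lookup(e)}
    return sorted(loaders & callers)

if __name__ == "__main__":
    for proc, reason in triage(SAMPLE_EVENTS):
        print(f"[ALERT] {proc}: {reason}")
    print("high-confidence:", correlated_processes(SAMPLE_EVENTS))
```

A single sideload finding on its own warrants review of the loading process's install path; the correlated result is the one to escalate first.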