{
	"id": "96d6f97e-2729-41fa-a3c8-2d8ecc3ae62e",
	"created_at": "2026-04-06T00:07:50.209559Z",
	"updated_at": "2026-04-10T13:13:06.086494Z",
	"deleted_at": null,
	"sha1_hash": "16bf878169581910fa504ac1be876c10871ae0c4",
	"title": "Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers | Rapid7 Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5579113,
	"plain_text": "Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers | Rapid7 Blog\r\nBy Rapid7\r\nPublished: 2023-08-31 · Archived: 2026-04-05 16:58:02 UTC\r\nTechnical Analysis by: Thomas Elkins, Natalie Zargarov\r\nContributions: Evan McCann, Tyler McGraw\r\nRecently, Rapid7 observed the Fake Browser Update lure tricking users into executing malicious binaries. While analyzing the dropped binaries, Rapid7 determined that a new loader is used to execute infostealers, including StealC and Lumma, on compromised systems.\r\nThe IDAT loader is a new, sophisticated loader that Rapid7 first spotted in July 2023. In earlier versions, the loader was disguised as a 7-zip installer that delivered the SecTop RAT. Rapid7 has now observed the loader used to deliver infostealers like Stealc, Lumma, and Amadey. It implements several evasion techniques including Process Doppelgänging, DLL Search Order Hijacking, and Heaven's Gate. IDAT loader got its name because the threat actor stores the malicious payload in the IDAT chunk of the PNG file format.\r\nPrior to this technique, Rapid7 observed the threat actors behind the lure using malicious JavaScript files to either reach out to Command and Control (C2) servers or drop the NetSupport Remote Access Trojan (RAT).\r\nThe following analysis covers the entire attack flow, which starts from the new ClearFake malware, spotted just several days ago, and ends with the stolen information in the threat actors’ hands.\r\nTechnical Analysis\r\nThreat Actors (TAs) often stage their attacks in a way that security tools will not detect and that security researchers will have a hard time investigating.\r\nhttps://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/\r\nPage 1 of 10\r\nStage 1 - ClearFake\r\nClearFake is a new malware first recognized just a few days ago. Its campaign started on July 19, 2023, which aligns with the time Rapid7 spotted a new IDAT loader distribution. We first attributed that initial attack flow to the SocGholish malware; however, ClearFake seems to be less sophisticated.\r\nIn this campaign, the ClearFake malware uses base64 to obfuscate malicious JavaScript, which can be easily deobfuscated using CyberChef. As spotted by Randy McEoin: “One noticeable difference from SocGholish is that there appears to be no tracking of visits by IP or cookies. As an analyst you can go back to the compromised site over and over coming from the same IP and not clearing your browser cache. This also means the site owner is more likely to see the infection as well.”\r\nThis prompt falsely presents itself as a browser update, with an added layer of credibility coming from the fact that it appears to originate from the intended domain.\r\nOnce the user interacts with the “Update Chrome” button, the browser is redirected to another URL where a binary automatically downloads to the user's default download folder. After the user double clicks the fake update binary, it proceeds to download the next stage payload. In this investigation, Rapid7 identified a binary called ChromeSetup.exe, a file name widely used in previous SocGholish attacks and now adopted by ClearFake.\r\nStage 2 - MSI Downloader\r\nChromeSetup.exe downloads and executes a Microsoft Software Installer (MSI) package from: hxxps://ocmtancmi2c5t[.]xyz/82z2fn2afo/b3/update[.]msi.\r\nIn similar investigations, Rapid7 observed that the initial dropper executable's appearance and file name may vary depending on the user’s browser when visiting the compromised web page. In all instances, the executables contained invalid signatures and attempted to download and install an MSI package.\r\nRapid7 determined that the MSI package is executed with several switches intended to avoid detection:\r\n/qn to avoid an installation UI\r\n/quiet to prevent user interaction\r\n/norestart to prevent the system from restarting during the infection process\r\nWhen executed, the MSI dropper writes a legitimate VMwareHostOpen.exe executable, multiple legitimate dependencies, and the malicious Dynamic-Link Library (DLL) file vmtools.dll. It also drops an encrypted vmo.log file, which has a PNG file structure and is later decrypted by the malicious DLL.\r\nRapid7 spotted an additional version of the attack where the MSI dropped a legitimate pythonw.exe, legitimate dependencies, and the malicious DLL file python311.dll. In that case, the encrypted file was named pz.log, though the execution flow remains the same.\r\nStage 3 - Decryptor\r\nWhen executed, the legitimate VMWareHostOpen.exe loads the malicious vmtools.dll from the same directory from which VMWareHostOpen.exe is executed. This technique is known as DLL Search Order Hijacking.\r\nDuring the execution of vmtools.dll, Rapid7 observed that the DLL resolves APIs from kernel32.dll and ntdll.dll using API hashing and maps them into memory. After the API functions are mapped into memory, the DLL reads the hex string 83 59 EB ED 50 60 E8 and decrypts it using a bitwise XOR operation with the key F5 34 84 C3 3C 0F 8F, revealing the string vmo.log. The file name resembles the Vmo\\log directory, where VMware logs are stored.\r\nThe DLL then reads the contents of vmo.log into memory and searches for the string …IDAT. The DLL takes the 4 bytes following …IDAT and compares them to the hex values C6 A5 79 EA. If the 4 bytes following …IDAT are equal to C6 A5 79 EA, the DLL proceeds to copy all the contents following …IDAT into memory.\r\nOnce all the data is copied into memory, the DLL attempts to decrypt the copied data using a bitwise XOR operation with the key F4 B4 07 9A. Upon additional analysis of other samples, Rapid7 determined that the XOR key is always stored as the 4 bytes following the hex string C6 A5 79 EA.\r\nOnce the DLL decrypts the data in memory, it is decompressed using the RtlDecompressBuffer function. The parameters passed to the function include:\r\nCompression format\r\nSize of compressed data\r\nSize of compressed buffer\r\nSize of uncompressed data\r\nSize of uncompressed buffer\r\nThe vmtools.dll DLL uses the LZNT1 compression algorithm to decompress the decrypted data from the vmo.log file.\r\nAfter the data is decompressed, the DLL loads mshtml.dll into memory and overwrites its .text section with the decompressed code. After the overwrite, vmtools.dll calls the decompressed code.\r\nStage 4 - IDAT Injector\r\nSimilarly to vmtools.dll, the IDAT loader uses dynamic imports. The IDAT injector then expands the %APPDATA% environment variable using the ExpandEnvironmentStringsW API call. It creates a new folder under %APPDATA%, naming it based on the QueryPerformanceCounter API call output and randomizing its value.\r\nAll the files dropped by the MSI are copied to the newly created folder. IDAT then creates a new instance of VMWareHostOpen.exe from %APPDATA% using CreateProcessW and exits.\r\nThe second instance of VMWareHostOpen.exe behaves the same up until the stage where the IDAT injector code is called from the mshtml.dll memory space. IDAT immediately starts using the Heaven’s Gate evasion technique, which it relies on for most API calls until the infostealer is loaded.\r\nHeaven's Gate is widely used by threat actors to evade security tools. It refers to a method for executing 64-bit code from within a 32-bit process, or vice versa. This is accomplished by performing a call or jump instruction through a reserved segment selector. The key points in analyzing this technique in our case are the switch of the process mode from 32-bit to 64-bit, which requires specifying the selector 0x0033, followed by the execution of a far call or far jump, as shown in Figure 8.\r\nThe IDAT injector then expands the %TEMP% environment variable using the ExpandEnvironmentStringsW API call. It creates a string based on the QueryPerformanceCounter API call output and randomizes its value.\r\nNext, the IDAT loader gets the computer name by calling the GetComputerNameW API, and the output is randomized using the rand and srand calls. It uses that randomized value to set a new environment variable via SetEnvironmentVariableW, whose value is the %TEMP% path combined with the randomized string created previously.\r\nThe loader then executes a new cmd.exe process, and creates and writes to the %TEMP%\\89680228 file. Next, IDAT injects code into the cmd.exe process using the NtCreateSection + NtMapViewOfSection code injection technique. Using this technique the malware:\r\nCreates a new memory section inside the remote process using the NtCreateSection API call\r\nMaps a view of the newly created section into the local malicious process with RW protection using the NtMapViewOfSection API call\r\nMaps a view of the previously created section into the remote target process with RX protection using the NtMapViewOfSection API call\r\nFills the view mapped in the local process with shellcode using the NtWriteVirtualMemory API call\r\nIn our case, IDAT loader suspends the main thread of the cmd.exe process using the NtSuspendThread API call and then resumes the thread using the NtResumeThread API call\r\nAfter completing the injection, the second instance of VMWareHostOpen.exe exits.\r\nStage 5 - IDAT Loader\r\nThe injected loader code implements the Heaven’s Gate evasion technique in exactly the same way as the IDAT injector did. It retrieves the TCBEDOPKVDTUFUSOCPTRQFD environment variable and reads the %TEMP%\\89680228 file data into memory. The data is then recursively XORed with the 3D ED C0 D3 key.\r\nThe decrypted data appears to contain configuration data, including the process into which the infostealer should be loaded, which API calls should be dynamically resolved, additional code, and more. The loader then deletes the initial malicious DLL (vmtools.dll) using DeleteFileW. The loader finally injects the infostealer code into the explorer.exe process using the Process Doppelgänging injection technique.\r\nThe Process Doppelgänging method utilizes the Transactional NTFS feature of the Windows operating system. This feature is designed to ensure data integrity in the event of unexpected errors. For instance, when an application needs to write or modify a file, there's a risk of data corruption if an error occurs during the write. To prevent such issues, an application can open the file in transactional mode, perform the modification, and then commit it, thereby preventing any potential corruption. The modification either succeeds entirely or is not applied at all.\r\nProcess Doppelgänging abuses this feature to replace a legitimate file with a malicious one, leading to process injection. The malicious file is created within a transaction, then committed to the legitimate file, and subsequently executed. The Process Doppelgänging in our sample was performed by:\r\nInitiating a transaction using the NtCreateTransaction API call\r\nCreating a new file using the NtCreateFile API call\r\nWriting to the new file using the NtWriteFile API call\r\nWriting malicious code into a section of the local process using the NtCreateSection API call\r\nDiscarding the transaction using the NtRollbackTransaction API call\r\nRunning a new instance of the explorer.exe process using the NtCreateProcessEx API call\r\nRunning the malicious code inside the explorer.exe process using the NtCreateThreadEx API call\r\nIf the file created within the transaction is rolled back (instead of committed), but the file section was already mapped into process memory, the process injection is still performed.\r\nThe final payload injected into the explorer.exe process was identified by Rapid7 as Lumma Stealer.\r\nThroughout the whole attack flow, the malware delays execution using NtDelayExecution, a technique usually used to escape sandboxes.\r\nAs previously mentioned, Rapid7 has investigated several IDAT loader samples. The main differences were:\r\n1. The legitimate software that loads the malicious DLL.\r\n2. The name of the staging directory created within %APPDATA%.\r\n3. The process into which the IDAT injector injects the loader code.\r\n4. The process into which the infostealer/RAT is loaded.\r\n5. Rapid7 observed the IDAT loader being used to load the following infostealers and RAT: the Stealc, Lumma and Amadey infostealers and the SecTop RAT.\r\nConclusion\r\nIDAT Loader is a new sophisticated loader that utilizes multiple evasion techniques in order to execute various commodity malware including infostealers and RATs. The Threat Actors behind the Fake Update campaign have been packaging the IDAT Loader into DLLs that are loaded by legitimate programs such as VMWarehost, Python and Windows Defender.\r\nRapid7 Customers\r\nFor Rapid7 MDR and InsightIDR customers, the following Attacker Behavior Analytics (ABA) rules are currently deployed and alerting on the activity described in this blog:\r\nAttacker Technique - MSIExec loading object via HTTP\r\nSuspicious Process - FSUtil Zeroing Out a File\r\nSuspicious Process - Users Script Spawns Cmd And Redirects Output To Temp File\r\nSuspicious Process - Possible Dropper Script Executed From Users Downloads Directory\r\nSuspicious Process - WScript Runs JavaScript File from Temp Or Download Directory\r\nMITRE ATT\u0026CK Techniques:\r\nTactic | Technique | Description\r\nInitial Access | Drive-by Compromise (T1189) | ClearFake uses the Drive-by Compromise technique to target the user’s web browser\r\nDefense Evasion | System Binary Proxy Execution: Msiexec (T1218.007) | The ChromeSetup.exe downloader (C9094685AE4851FD5A5B886B73C7B07EFD9B47EA0BDAE3F823D035CF1B3B9E48) downloads and executes the .msi file\r\nExecution | User Execution: Malicious File (T1204.002) | Update.msi (53C3982F452E570DB6599E004D196A8A3B8399C9D484F78CDB481C2703138D47) drops and executes VMWareHostOpen.exe\r\nDefense Evasion | Hijack Execution Flow: DLL Search Order Hijacking (T1574.001) | VMWareHostOpen.exe loads a malicious vmtools.dll (931D78C733C6287CEC991659ED16513862BFC6F5E42B74A8A82E4FA6C8A3FE06)\r\nDefense Evasion | Deobfuscate/Decode Files or Information (T1140) | vmtools.dll (931D78C733C6287CEC991659ED16513862BFC6F5E42B74A8A82E4FA6C8A3FE06) decrypts the vmo.log (51CEE2DE0EBE01E75AFDEFFE29D48CB4D413D471766420C8B8F9AB08C59977D7) file\r\nDefense Evasion | Masquerading (T1036) | The vmo.log (51CEE2DE0EBE01E75AFDEFFE29D48CB4D413D471766420C8B8F9AB08C59977D7) file masquerades as a .png file\r\nExecution | Native API (T1106) | The IDAT injector and IDAT loader use the Heaven’s Gate technique to evade detection\r\nDefense Evasion | Process Injection (T1055) | The IDAT injector implements the NtCreateSection + NtMapViewOfSection code injection technique to inject into the cmd.exe process\r\nDefense Evasion | Process Injection: Process Doppelgänging (T1055.013) | The IDAT loader implements the Process Doppelgänging technique to load the infostealer\r\nDefense Evasion | Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003) | Execution delays are performed by several stages throughout the attack flow\r\nIOCs\r\nSource: https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/"
	],
	"report_names": [
		"fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434070,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/16bf878169581910fa504ac1be876c10871ae0c4.pdf",
		"text": "https://archive.orkl.eu/16bf878169581910fa504ac1be876c10871ae0c4.txt",
		"img": "https://archive.orkl.eu/16bf878169581910fa504ac1be876c10871ae0c4.jpg"
	}
}