{ "id": "fa861ce7-68d4-45c6-8559-319040f1d316", "created_at": "2026-04-06T00:10:03.94386Z", "updated_at": "2026-04-10T03:32:26.659385Z", "deleted_at": null, "sha1_hash": "b77405f967ae674b0b4dd32f2766624ab67a21e3", "title": "XRed Backdoor: The Hidden Threat in Trojanized Programs", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1358994, "plain_text": "XRed Backdoor: The Hidden Threat in Trojanized Programs\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 16:55:35 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters\r\nand Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the\r\nKaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced\r\nThreat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We\r\noutline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nIn early February, the eSentire Threat Response Unit (TRU) identified a malicious backdoor disguised as\r\nSynaptics.exe (MD5: 54efba3a1e800e0a0cccddc7950476c646935d28), which was detected and quarantined by\r\neSentire MDR. Synaptics (Synaptics Pointing Device Driver) is a software that enables the functionality of\r\ntouchpads on laptops and other devices.\r\nThe backdoor, known as “XRed,” has been in existence since at least 2019. This article highlights the\r\nidentification of the XRed backdoor, its delivery using trojanized software, and notable persistence and\r\npropagation capabilities.\r\nWhile doing additional research on the backdoor, we found a Twitter post from 2020 by The DFIR Report\r\nmentioning the backdoor, attributing it to njRAT (Figure 1). Considering that njRAT is written in C#, we decided\r\nto look further to confirm the accuracy.\r\nhttps://www.esentire.com/blog/xred-backdoor-the-hidden-threat-in-trojanized-programs\r\nPage 1 of 12\n\nFigure 1: The mention of XRed backdoor on Twitter\r\nUpon further investigation, it was determined that the malicious binary we received originated from a file named\r\n\"Windows InstantView.exe\". Although the file itself could not be retrieved from the host system, we identified\r\nseveral similar samples on VirusTotal.\r\nWindows InstantView.exe is developed by SiliconMotion (the company that specializes in creating NAND flash\r\ncontrollers for SSDs and various solid-state storage devices) and comes with some USB docks.\r\nInterestingly enough, we found a review on Amazon on one of the USB-C hub products being sold, as shown in\r\nFigure 2. The user reported that the binary was flagged by Symantec AV with W32.Zorex and Backdoor.Graybird\r\nsignatures.\r\nFigure 2: Amazon review on the USB-C Hub being sold\r\nhttps://www.esentire.com/blog/xred-backdoor-the-hidden-threat-in-trojanized-programs\r\nPage 2 of 12\n\nWe found a malicious sample named “Windows InstantView.exe” (MD5: 8fe9734738d9851113a7ac5f8f484d29)\r\non VirusTotal with the mentioned signature (Figure 3).\r\nFigure 3: VirusTotal results for Windows InstantView.exe\r\nThe trojanized “Windows InstantView.exe” is not signed and has “Synaptics Pointing Device Driver” for Product\r\nand Description names (Figure 4).\r\nFigure 4: Trojanized Windows InstantView.exe\r\nThe legitimate binary is signed by Silicon Motion, as shown in Figure 5.\r\nFigure 5: Legitimate Windows InstantView.exe binary\r\nUpon executing the trojanized binary, it downloads the legitimate copy of InstantView.exe from\r\nsiliconmotion[.]com and launches it as a decoy (Figures 6-7).\r\nhttps://www.esentire.com/blog/xred-backdoor-the-hidden-threat-in-trojanized-programs\r\nPage 3 of 12\n\nFigure 6: Decoy InstantView.exe file\r\nFigure 7: Legitimate InstantView executables downloaded and executed as decoy\r\nThe trojanized version of Windows InstantView.exe drops Synaptics.exe payload under\r\nC:\\ProgramData\\Synaptics\\ that we have mentioned earlier. The folder was hidden to ensure stealthiness (Figure\r\n7).\r\nFigure 8: Hidden Synaptics folder and binary\r\nThe payload is embedded within the trojanized binary. The persistence is achieved via the Registry Run Key\r\n(HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run) with the value name “Synaptics\r\nPointing Device Driver” and value data “C:\\ProgramData\\Synaptics\\Synaptics.exe”.\r\nLet’s look at Synaptics.exe binary, which is the XRed backdoor. The binary will terminate if the mutex\r\n“Synaptics2X” is found, which means only one instance of the binary can be run (Figure 8).\r\nhttps://www.esentire.com/blog/xred-backdoor-the-hidden-threat-in-trojanized-programs\r\nPage 4 of 12\n\nFigure 9: Mutex check\r\nThe payload contains the functionality to retrieve additional payload from the URLs that can be hardcoded in the\r\nbinary as shown in Figure 8. The URLs are currently down.\r\nFigure 10: Additional payloads\r\nThe resource “EXEVSNX” contains the version of the payload, which is 106 (Figure 11).\r\nhttps://www.esentire.com/blog/xred-backdoor-the-hidden-threat-in-trojanized-programs\r\nPage 5 of 12\n\nFigure 11: EXEVSNX resource (payload version)\r\nXRed collects system information, including the MAC address, username, and computer name, and transmits this\r\ndata to the attacker using SMTP to email addresses shown in Figure 12. Additionally, the backdoor features\r\nkeylogging functionality through keyboard hooking, as illustrated in Figure 13, with key mappings detailed in\r\nFigure 14.\r\nFigure 12: Attacker's email addresses\r\nhttps://www.esentire.com/blog/xred-backdoor-the-hidden-threat-in-trojanized-programs\r\nPage 6 of 12\n\nFigure 13: Keyboard hooking\r\nFigure 14: Key mappings\r\nThe following remote commands can be executed from attacker’s server (Figure 15):\r\nGetCMDAccess – obtaining command prompt access.\r\nGetScreenImage – capture screenshot.\r\nListDisk – list existing disks.\r\nListDir – list directories.\r\nDownloadFile – download remote file.\r\nDeleteFile – delete file.\r\nhttps://www.esentire.com/blog/xred-backdoor-the-hidden-threat-in-trojanized-programs\r\nPage 7 of 12\n\nFigure 15: Remote commands\r\nThe XRed backdoor also possesses worm-like USB propagation capabilities. It verifies the presence of an\r\n“autorun.inf” file on any inserted drive; if absent, it generates the file and includes the following:\r\n[autorun]\r\nopen=Synaptics.exe\r\nshellexecute= Synaptics.exe\r\nThe autorun.inf file is designed to automatically execute the specified payload when the USB drive is inserted into\r\na computer. This behavior leverages the AutoRun feature that was more prominently used in older versions of\r\nWindows to launch programs automatically from removable media.\r\nThe presence of both open=Synaptics.exe and shellexecute=Synaptics.exe commands in an autorun.inf file\r\nindicates an intention to execute system.exe automatically.\r\nIt's also worth mentioning that the backdoor has an embedded password-protected VBA script. The script creates a\r\ncopy of already existing XLSM files on the disk and injects the malicious VBA code into them. The malicious\r\nVBA script disables security warnings for VBA macros via the registry, as shown in Figure 16.\r\nFigure 16: VBA script snipper responsible for disabling security warnings\r\nThe script then copies Synaptics.exe from %USERPFORILE%/Synaptics and places it under the directory where\r\nthe legitimate XLSM file exists with a hidden file attribute under the “~$cache1” name (Figure 17).\r\nhttps://www.esentire.com/blog/xred-backdoor-the-hidden-threat-in-trojanized-programs\r\nPage 8 of 12\n\nFigure 17: Snippet that copies malicious Synaptics.exe binary to the directory where XLSM files\r\nreside\r\nIf none of the specified files are found locally (Figure 18), the macro attempts to download a file from one of the\r\nprovided URLs (Figure 19). At the moment of writing this article, all of the URLs are offline.\r\nFigure 18: Snippet that checks if Synaptics.exe exists in the specified paths\r\nFigure 19: URLs to retrieve the backdoor from\r\nWe assess with high confidence that the developer of the backdoor is a native Turkish speaker, as evidenced by the\r\npresence of the Turkish language within the code. We also found multiple payloads potentially related to the same\r\nmalware developer, you can access the indicators in the Indicators of Compromise section.\r\nWhat did we do?\r\neSentire MDR for Endpoint, our Endpoint Detection and Response (EDR) tool, prevented the execution of\r\nthe XRed backdoor and quarantined it.\r\nOur 24/7 SOC Cyber Analysts team then notified the customer.\r\nWhat can you learn from this TRU Positive?\r\nThe case illustrates the complexity of initial infection methods, such as the trojanized \"Windows\r\nInstantView.exe\" file, emphasizing the importance of scrutinizing software sources.\r\nIt highlights the necessity for organizations to implement robust security measures to scan and\r\nauthenticate the legitimacy of all software installations, especially those that come bundled with\r\nhttps://www.esentire.com/blog/xred-backdoor-the-hidden-threat-in-trojanized-programs\r\nPage 9 of 12\n\nhardware components or are downloaded from the internet.\r\nThe backdoor’s method of dropping a malicious payload while simultaneously downloading and executing\r\na legitimate file as a decoy showcases deception techniques used by malware developers.\r\nThe use of hidden directories and Registry Run Keys for persistence, along with the creation of autorun.inf\r\nfiles for USB propagation, demonstrates the malware's intention to move laterally, remain undetected and\r\nmaintain long-term access to the infected systems. This emphasizes the importance of regular system\r\naudits, including registry and startup items checks, to detect and remove unauthorized persistence\r\nmechanisms.\r\nThe malware's use of autorun.inf to exploit the AutoRun feature in older versions of Windows for USB\r\npropagation points to the continued relevance of securing older systems and disabling legacy features that\r\ncan be abused for malware spread. It highlights the need for comprehensive security policies that include\r\ndisabling unnecessary legacy features on modern systems.\r\nThe embedded password-protected VBA script that manipulates existing XLSM files and injects malicious\r\ncode while disabling security warnings showcases the use of social engineering tactics by attackers. This\r\nreinforces the importance of continuous user education and awareness programs to recognize and avoid\r\nsuspicious files and activities, reducing the risk of malware infection through social engineering tactics.\r\nRecommendations from our Threat Response Unit (TRU):\r\nConfigure Microsoft Office's Trust Center settings to disable all macros with notifications or to only allow\r\nmacros from trusted locations. This minimizes the risk of malicious macro execution.\r\nFor organization-wide settings, use Group Policy templates for Office to manage macro settings,\r\nensuring that macros are disabled or strictly controlled across all user workstations.\r\nEnsure that all endpoints are protected with up-to-date antivirus software or an Endpoint Detection and\r\nResponse (EDR) tool capable of detecting and blocking known USB worms and other malware.\r\nEducate users about the risks associated with USB drives and the potential dangers of enabling macros in\r\ndocuments.\r\nRegularly conduct Phishing and Security Awareness Training (PSAT) sessions to inform users about the\r\nlatest tactics used by attackers, such as USB worm propagation and malicious macros.\r\nDetection Rules\r\nYou can access the detection rules here.\r\nIndicators of Compromise\r\nYou can access the indicators of compromise here.\r\nReferences\r\nhttps://x.com/TheDFIRReport/status/1329123402922201089?s=20\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next\r\nLevel MDR, connect with an eSentire Security Specialist now.\r\nhttps://www.esentire.com/blog/xred-backdoor-the-hidden-threat-in-trojanized-programs\r\nPage 10 of 12\n\nGET STARTED\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nhttps://www.esentire.com/blog/xred-backdoor-the-hidden-threat-in-trojanized-programs\r\nPage 11 of 12\n\nSource: https://www.esentire.com/blog/xred-backdoor-the-hidden-threat-in-trojanized-programs\r\nhttps://www.esentire.com/blog/xred-backdoor-the-hidden-threat-in-trojanized-programs\r\nPage 12 of 12", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.esentire.com/blog/xred-backdoor-the-hidden-threat-in-trojanized-programs" ], "report_names": [ "xred-backdoor-the-hidden-threat-in-trojanized-programs" ], "threat_actors": [ { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "cfdd35af-bd12-4c03-8737-08fca638346d", "created_at": "2022-10-25T16:07:24.165595Z", "updated_at": "2026-04-10T02:00:04.887031Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "Cosmic Wolf", "Marbled Dust", "Silicon", "Teal Kurma", "UNC1326" ], "source_name": "ETDA:Sea Turtle", "tools": [ "Drupalgeddon" ], "source_id": "ETDA", "reports": null }, { "id": "33ae2a40-02cd-4dba-8461-d0a50e75578b", "created_at": "2023-01-06T13:46:38.947314Z", "updated_at": "2026-04-10T02:00:03.155091Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "UNC1326", "COSMIC WOLF", "Marbled Dust", "SILICON", "Teal Kurma" ], "source_name": "MISPGALAXY:Sea Turtle", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "62b1b01f-168d-42db-afa1-29d794abc25f", "created_at": "2025-04-23T02:00:55.22426Z", "updated_at": "2026-04-10T02:00:05.358041Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "Sea Turtle", "Teal Kurma", "Marbled Dust", "Cosmic Wolf", "SILICON" ], "source_name": "MITRE:Sea Turtle", "tools": [ "SnappyTCP" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434203, "ts_updated_at": 1775791946, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b77405f967ae674b0b4dd32f2766624ab67a21e3.pdf", "text": "https://archive.orkl.eu/b77405f967ae674b0b4dd32f2766624ab67a21e3.txt", "img": "https://archive.orkl.eu/b77405f967ae674b0b4dd32f2766624ab67a21e3.jpg" } }