{
	"id": "4c5cff1a-9dc7-4240-bbb2-721e7dea4a41",
	"created_at": "2026-04-06T00:19:46.765277Z",
	"updated_at": "2026-04-10T03:22:02.341368Z",
	"deleted_at": null,
	"sha1_hash": "c8569b4b5ddcba678eafff72d6a9557f6a3b8266",
	"title": "PRELUDE: Crypto Heist Causes HAVOC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5661360,
	"plain_text": "PRELUDE: Crypto Heist Causes HAVOC\r\nBy Dave Truman, Marc Messer\r\nPublished: 2025-05-02 · Archived: 2026-04-05 13:48:13 UTC\r\nOverview\r\nDuring the investigation of a large-scale cryptocurrency theft, with total losses significantly exceeding USD 1\r\nmillion spread across multiple currencies, Kroll researchers discovered two new pieces of malware. These pieces\r\nof malware ultimately led to deployment of Havoc C2’s agent, “Demon.”\r\nHavoc C2 is an open-source, post-exploitation command and control framework whose agent, Demon, includes\r\nfeatures such as indirect system calls and AMSI/ETW patching. The source code for Havoc C2 is available on\r\nGitHub. Once Demon is installed and running on the system, the threat actor has access to a wide set of features,\r\nincluding screenshots, file systems, data exfiltration, process manipulation and the ability to extend with PowerShell,\r\noperating system commands and dotnet assemblies, giving them all the access they need over the victim machine\r\nto realize their theft.\r\nThe highly targeted campaign was initiated via social engineering over direct contact on the X platform from a\r\nsingle user. The actor then directed the interaction to a Discord server, where other individuals took part in the\r\nsocial engineering conversations.\r\nKroll believes the threat actor was targeting individuals of high net worth in the cryptocurrency space. The\r\ntargeting could be due to these individuals being easier targets for theft than organizations, due to the frequent lack\r\nof perimeter and advanced host-based protections. 
The actor being able to directly target individuals via tools such\r\nas X and Discord may also have played a part in the targeting decision.\r\nDuring the investigation, Kroll found two pieces of malware we believe had not been previously documented, a\r\nbackdoor and a loader we named “PRELUDE” and “DELPHYS,” respectively.\r\nBecause new or open-source malware was used and C2 infrastructure appears to have been created specifically for\r\nthe campaign, attribution to a known actor is not possible. It is also possible that a new actor is responsible; as\r\nsuch, Kroll is tracking this activity under a new entity, KTA440.\r\nInitial Installer\r\nThe initially executed file is a signed .msi file over 700 megabytes in size. An MSI file is a Windows installer\r\npackage. This is a flexible file type that is typically used to bundle files for installation or updates. When\r\nan .msi package is executed, msiexec.exe unpacks the bundled files and potentially executes one or more of the\r\nchild files. At the time of execution and initial analysis, the file signature was valid. A valid signature and large\r\nfile size allow the execution to potentially bypass typical initial endpoint security checks, as many tools have file\r\nsize limits, and Authenticode signing helps confirm the integrity of the installer. The signature information is\r\nbelow:\r\nhttps://www.kroll.com/en/insights/publications/cyber/prelude-crypto-heist-causes-havoc\r\nPage 1 of 17\n\nFigure 1 – Valid digital signature\r\nSigning took place on January 30, 2025, and the signature is considered valid between the dates of September 12,\r\n2024, through September 12, 2025, unless revoked.\r\nWithin this installer, there are several different files bundled together, some of which appear to be duplicates, and\r\nsome are not observed by Kroll to be executed by the installer upon installation. 
This may be to pad the size of the\r\nbinary beyond limits for many tools, though it is possible the threat actor could have found a use for the files. The\r\nparent folder that the installer was created from is named “VcSQL Dashboard,” and the resulting package is\r\nnamed “setupdashboard.msi.”\r\nBelow are the executable files that are dropped when executed by msiexec.exe:\r\nFigure 2 – List of enclosed files\r\nWhile some of the files, such as dbmysql.exe, will be elaborated on further, observed execution of the installer\r\nwill be described first. DashboardClient.exe is a .NET binary that portrays a fake installation screen, appearing as\r\nbelow:\r\nFigure 3 – False install screen\r\nThis installation appears to hang or fail; however, the status bar operates based on a timer as well as a sequence of\r\nseveral fake installation steps, to give the installer the appearance of authenticity. The progress bar itself is based\r\non a timer and displays these installation statuses:\r\nFigure 4 – Progress bar sequence\r\nWhile there are not many strings of note within the binary, DashboardClient.exe did contain a Chinese character\r\nstring, which translates to “Are you out of your mind?”\r\nFigure 5 – Chinese character string\r\nWhile dbmysql.exe and oleview.exe are further described within this write-up, two batch files are also executed to\r\nestablish scheduled tasks for persistence for the PRELUDE backdoor as well as the DELPHYS loader, which is\r\nused to execute a HAVOC C2 Demon.\r\nThe first of these, “if_bat_file.bat,” creates a scheduled task to execute oleview.exe every two minutes with the\r\nhighest possible privileges. 
The task is named “Msdblq,” with the description “Msdblql Reference Telemetry.”\r\nThis allows for the PRELUDE backdoor to be executed repeatedly via Dynamic Link Library (DLL) sideloading\r\nwith the highest authority available to the executing account. This batch file is presented below, though it should\r\nbe noted that the comments within the code are not provided by Kroll analysis; the sample is presented as found.\r\nFollowing this task creation, the binaries used for sideloading are copied to the %TEMP% directory from the\r\ncurrent directory. The task name and description appear to attempt to hide the malicious binary as well as its\r\ncommunication under the guise of database telemetry.\r\nFigure 6 – oleviewer.exe persistence batch file\r\nThe second of these, “rif_bat_file.bat,” creates a scheduled task to execute the DELPHYS loader every two\r\nminutes with the highest possible privileges. The task is named “Msqdbl” and is similarly given a description of\r\n“Msqdbl Reference Telemetry.” This allows for the DELPHYS backdoor to be executed repeatedly via DLL\r\nsideloading with the highest authority available to the executing account. This batch file is also presented below,\r\nand the comments within the code are provided to us by the threat actors, not via Kroll analysis.\r\nThere are no further actions following task creation, and the task name as well as its description appear to attempt\r\nto disguise the behavior of the malicious binary similarly to the first sample.\r\nFigure 7 – DELPHYS persistence batch file\r\nPRELUDE Backdoor\r\nPRELUDE is a .NET-based backdoor likely written in C#. It is the first of the two malwares executed and runs via\r\nDLL sideloading. The malware makes use of a recent version of oleviewer.exe, a Microsoft signed binary from the\r\nWindows SDK that is susceptible to sideloading of the iviewers.dll file. 
A renamed copy of the original DLL is\r\nsupplied alongside the malicious version for function proxying so that oleviewer.exe performs normally and does\r\nnot alert the victim.\r\nThe use of oleviewer.exe for sideloading has been seen previously with a campaign attributed to a China-Nexus\r\ngroup. Kroll Threat Intelligence researched and tested various versions of oleviewer.exe from different Windows\r\nSDKs, including a Windows 8.1 SDK and the latest Windows 11 SDK; all versions tested were susceptible to\r\nsideloading.\r\nAs a .NET binary, this sample was the easier of the two malwares to analyze. The entry function for the malicious DLL\r\ncalls three suspicious functions before setting up handles to itself and a copy of the legitimate DLL for proxying\r\nfunction calls.\r\nFigure 8 – Source code of the main function of malicious DLL, with function calls and pointer to original DLL\r\nEach of the three suspicious functions starts a thread calling its own function.\r\nFigure 9 – The three main malicious threads of PRELUDE backdoor\r\nStartActMethod()\r\nThis is the first function executed, and it creates a thread that runs WindowsProperties.QuerySelectors().\r\nFigure 10 – WindowsProperties.QuerySelectors() with decrypted values in comments added by Kroll\r\nOnce the two encrypted strings are decrypted (via XOR), it becomes clear that the function manipulates the\r\nWindows Defender exclusion list by adding the location of this program to it. Due to the nature of the executable\r\nbeing used in the sideloading, the malware is less likely to be flagged as malicious by antivirus software. Since\r\nboth PRELUDE and DELPHYS share the same directory, this setting protects both malwares. 
Hence the name\r\nPRELUDE, taken from Sergei Rachmaninoff’s “Prelude in C Sharp Minor,” because the malware is written in C#\r\nand is the first executed in order to prep the system for later stages.\r\nStartTestMethod()\r\nThis function creates a thread to run the function “TestMethod24.”\r\nFigure 11 – TestMethod24() source code\r\nTestMethod24() opens a Transmission Control Protocol (TCP) socket to a domain on port 443. It then launches\r\ncmd.exe and redirects StandardOutput, StandardError and StandardInput between the TCP object and the cmd.exe\r\nprocess object. As such, this is a classic TCP reverse shell, which was validated from packet capture in a simulated\r\nnetwork environment.\r\nFigure 12 – Data from packet capture showing remote shell traffic\r\nStartScreenMethod()\r\nThis function creates a thread to run the function “ScreenMethod,” which in turn calls the method\r\nWatch.SaveScreenshot.\r\nFigure 13 – StartScreenMethod() source code\r\nFigure 14 – SaveScreenshot() source code\r\nThe function Watch.SaveScreenshot performs a screen capture of the Windows desktop and encodes the result as a\r\nstring inside a dictionary object, which it passes to the SendErrorLog function alongside a variable containing a\r\nhardcoded URL resource.\r\nFigure 15 – SendErrorLog() source code\r\nFinally, the SendErrorLog function takes the screenshot, wraps it in a POST request and sends it to the C2 server\r\nover HTTP. In short, StartScreenMethod() captures screenshots and sends them to the C2 server. 
This\r\nfunctionality was also validated by extracting an image payload from the packet capture during a simulated\r\nnetwork dynamic test.\r\nFigure 16 – Screenshot taken by malware during dynamic analysis, extracted from the network packet capture\r\nPRELUDE Summary\r\nPRELUDE is a simple backdoor that provides a reverse shell and the ability to take screenshots. It also sets the\r\nstage for the following malware by modifying the Windows Defender exclusion lists.\r\nDELPHYS Loader\r\nDELPHYS is a 64-bit Delphi loader distributed in EXE form. 64-bit Delphi is not well supported in common\r\nreverse engineering tools. While DELPHYS does not display a graphical user interface (GUI), it was created as a\r\nGUI application, meaning the compiler included a large amount of effectively redundant code that would normally\r\nbe used for rendering and behaving as a GUI application. This extra code makes it harder to find the\r\ncomparatively small amount of malicious code that lies within.\r\nInitial Identification\r\nRunning an initial “strings” on the binary indicated that we were dealing with a higher-level language due to the\r\nnumber of class names that were easily visible. This, combined with the number of those class names that began\r\nwith the letter “T,” meant that the higher-level language was likely to be Delphi. 
This theory was easily tested by\r\nlooking for the string “Delphi,” which provided us with the Delphi compiler version: 29.0, indicating this\r\nsample was compiled with Delphi XE8 from 2015.\r\nFigure 17 – Screenshot showing “T” classes and other indicative Delphi strings\r\nPayload Extraction Routine\r\nWhen looking at the sample in a static analysis tool, we found some code that the tool had not automatically\r\ndetected as a function but appeared to be such.\r\nFigure 18 – Code looking like a function, but undetected as such by automated analysis of static analyzer\r\nThis code appeared interesting as it contained calls to VirtualAlloc:\r\nFigure 19 – Section of code calling VirtualAlloc\r\nDecompiling that section with Ghidra results in a function with interesting behavior:\r\nFigure 20 – Suspicious function decompiled\r\nFirst, the code loads a resource from the binary by using a string identifier.\r\nThen it allocates two memory areas with protection set to 0x40 (PAGE_EXECUTE_READWRITE), allowing\r\nexecution of these areas.\r\nThen it processes data from the resource into the memory areas.\r\nThen it proceeds to code that modifies the memory in a way that looks like a decryption routine. 
(The StrokePath\r\ncall always returns zero, so its purpose seems unclear; it is possibly there to make the loop look like it has a\r\nlegitimate purpose.)\r\nFinally, it calls another function with no parameters before returning.\r\nThe function called just before the return simply loads an address located in memory into a register and does an\r\nunconditional jump (JMP) to it.\r\nFigure 21 – Function that unconditionally jumps to memory location\r\nGoing back to our original function, we can see that same memory location being set with a location at an offset\r\nwithin one of the executable memory sections.\r\nFigure 22 – Setting of memory location for unconditional jump\r\nRunning the sample in a debugger with a breakpoint set just before the unconditional jump instruction, we can\r\nsee that the executable buffer contains a Portable Executable (PE) file, and the program is about to jump execution\r\nto an offset within that executable file. Hence the name DELPHYS, because the loader is written in Delphi and\r\nanother malicious executable is nested inside it.\r\nFigure 23 – Screenshot of debugger running DELPHYS showing execution about to pass to nested PE file\r\nKroll dumped the memory containing the PE file to disk and determined this file to be Demon, the agent for the\r\nopen-source HAVOC C2 framework.\r\nDELPHYS Summary\r\nWhile DELPHYS has a larger file size, its main purpose appears to be to extract into memory and execute an\r\nexecutable nested within it. 
The fact that it is written in 64-bit Delphi makes it harder to statically analyze due to\r\nthe volume of excess code and less out-of-the-box support in static analysis tools.\r\nThis investigation revealed the lengths a dedicated threat actor, KTA440, went through to target an individual,\r\nlikely after significant amounts of reconnaissance on the intended target, and a social engineering campaign that led\r\nto deployment of novel malware to the victim’s device. KTA440 displays skills and capabilities consistent with\r\nactors familiar with defense evasion, the capabilities of endpoint detection and response tools and antivirus, and a\r\nclear path to chain exploitation of the target device.\r\nAn additional sign of sophistication is the presence of multiple technologies for each step in the attack chain.\r\nDelphi is a lesser-used language. This means that many tools and detections are not written to enable\r\nrapid analysis of Delphi binaries. Delphi binaries also do not tend to have a high number of dependencies,\r\nresulting in a larger binary that often becomes more time-consuming to analyze. Any compiled software can be\r\nanalyzed given enough time and effort. If an actor is confident this will be time-consuming, they may have more\r\ntime for actions on objectives and a slower reverse engineering process of their tooling during the incident\r\nresponse. For theft, this can result in valuable time to tumble currencies and clean up their tracks.\r\nSource: https://www.kroll.com/en/insights/publications/cyber/prelude-crypto-heist-causes-havoc",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.kroll.com/en/insights/publications/cyber/prelude-crypto-heist-causes-havoc"
	],
	"report_names": [
		"prelude-crypto-heist-causes-havoc"
	],
	"threat_actors": [],
	"ts_created_at": 1775434786,
	"ts_updated_at": 1775791322,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c8569b4b5ddcba678eafff72d6a9557f6a3b8266.pdf",
		"text": "https://archive.orkl.eu/c8569b4b5ddcba678eafff72d6a9557f6a3b8266.txt",
		"img": "https://archive.orkl.eu/c8569b4b5ddcba678eafff72d6a9557f6a3b8266.jpg"
	}
}