Friday, May 9, 2025
HomeMalwareChinese PUPs distributing Backdoored Drivers which affect Windows operating system

Chinese PUPs distributing Backdoored Drivers which affect Windows operating system

Published on

SIEM as a Service

Follow Us on Google News

PUP(potentially unwanted program) packages that install’s along with Chinese software’s consist of backdoors targeting English speakers. The backdoor was uncovered by Malware bytes research team by analyzing a China-developed WiFi hotspot application.

Distribution of Backdoor

These backdoors are being dropped by one of the major PUP bundler networks and then the bundler runs the installation hidden with argument /silent.

Installer SHA-256 Hash : B89017C2627CA80C68292453440CFCAE07A12798422737915F80F0720879C3D4

Installer will drop a set of 7zip files, in the middle of those files there are two driver files with same functionality one for 32-bit windows and other for 64-bit Windows.

- Advertisement - Google News
SHA-256 for Windows 32bit:E6427DF5D439EE854485C1C1BC8747487B5F0848D5EBA98838BD8F377F9E8DBE SHA-256 for Windows 64bit: E5BC7CC800866C749FC588F5FC2F31D8B3202DD9EE3F40D450528AC08B08F311

Malicious backdoor Targets

According to Malware bytes at the entry point, drivers will check for the operating system types, if that dosen’t fall in it’s compatibility list then the driver will not load.

Targetted Windows Versions

Windows 2000
Windows XP
Windows XP x64
Windows Vista /
Windows 7
Windows 8
Windows 8.1
Windows 10 v1507, v1511, v1607
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016

This driver will not load if your windows version v1607.

Application packed with backdoor

Clearly, some Chinese developer really didn’t want their backdoor to be discovered, said by Zammis Clark.

Searching on VirusTotal enabled me to find several Chinese applications with similar drivers including the very same backdoor Zammis Clark.

A Chinese Android rooting toolkit
A Chinese WiFi hotspot application
A Chinese USB drive helper utility
A Chinese calendar application (latest version doesn’t include the backdoored driver)
A Chinese driver updater (the English version of this app doesn’t include the backdoored driver)
Chinese PUPs distributing Backdoored Drivers which affect Windows operating system
Malware Bytes

The latest version of the mentioned Chinese calendar application no longer has the driver.

Proof of concept

POC for this HelpDetectWz functionality to load an unsigned driver is available. It includes binaries for both X86 and X64 systems which will bug check the system when loaded.

Chinese PUPs distributing Backdoored Drivers which affect Windows operating system

Also Read:

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Cyberattackers Targeting IT Help Desks for Initial Breach

Cybercriminals are increasingly impersonating IT support personnel and trusted authorities to manipulate victims into...

New Stealthy .NET Malware Hiding Malicious Payloads Within Bitmap Resources

Cybersecurity researchers at Palo Alto Networks' Unit 42 have uncovered a novel obfuscation method...

Hackers Weaponizing Facebook Ads to Deploy Multi-Stage Malware Attacks

A persistent and highly sophisticated malvertising campaign on Facebook has been uncovered by Bitdefender...

Threat Actors Target Job Seekers with Three New Unique Adversaries

Netcraft has uncovered a sharp rise in recruitment scams in 2024, driven by three...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

New Stealthy .NET Malware Hiding Malicious Payloads Within Bitmap Resources

Cybersecurity researchers at Palo Alto Networks' Unit 42 have uncovered a novel obfuscation method...

Hackers Weaponizing Facebook Ads to Deploy Multi-Stage Malware Attacks

A persistent and highly sophisticated malvertising campaign on Facebook has been uncovered by Bitdefender...

Scattered Spider Malware Targets Klaviyo, HubSpot, and Pure Storage Platforms

Silent Push researchers have identified that the notorious hacker collective Scattered Spider, also known...