Wednesday, May 21, 2025
HomeBackdoorHackers Infect Windows With Backdoor Malware Via "Car For Sale" Ad

Hackers Infect Windows With Backdoor Malware Via “Car For Sale” Ad

Published on

SIEM as a Service

Follow Us on Google News

Fighting Ursa, a Russian APT, has employed a car sales phishing lure to distribute the HeadLace backdoor malware targeting diplomats since March 2024. This strategy mirrors previous campaigns by the group and other Russian threat actors. 

The attack leveraged public, free infrastructure services and exploited user clicks on malicious content within the car advertisement. 

Hackers exploited Webhook.site, a legitimate service for creating custom URLs used in development projects. On March 14th, 2024, a URL linked to a malicious infection chain was submitted to VirusTotal

- Advertisement - Google News

This Webhook.site URL didn’t host malicious content itself. Instead, it delivered a malicious HTML page when accessed, which abuses the service’s functionality of generating unique URLs for triggering custom actions based on visitor information. 

HTML code used in the attack was hosted on the Webhook.site service.

The HTML code employs a multi-stage attack by initially filtering visitors based on the operating system, redirecting non-Windows users to a decoy car advertisement hosted on ImgBB.

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide 

For Windows users, it embeds Base64-encoded ZIP archive data, offers it for download, and attempts to automatically open it using JavaScript, suggesting a targeted attack designed to deliver a malicious payload to Windows systems under the guise of a legitimate car advertisement.

Diplomatic car for sale lure hosted on ImgBB.

The downloaded ZIP archive named IMG-387470302099.zip contains a malicious executable file disguised as a JPG image. 

The file IMG-387470302099.jpg.exe has the double extension .jpg.exe, but due to the default Windows configuration, only the .jpg extension is displayed, which is a social engineering tactic to trick users into thinking it’s a harmless image file and executing the malware.  

According to Unit 42, a malicious executable disguised as the Windows calculator sideloads the WindowsCodecs.dll file, a component of the modular HeadLace backdoor. 

The staged infection process leverages a legitimate application to introduce malicious code, likely aimed at evading detection and delaying analysis.

The DLL’s function, as depicted, is crucial to understanding the backdoor’s subsequent actions and overall operation. 

Code in the WindowsCodecs.dll file to run a file named zqtxmo.bat.

The ZIP archive contains a malicious batch file named zqtxmo.bat, which leverages Microsoft Edge (msedge) to execute a Base64-encoded iframe that retrieves content from a Webhook.site URL. Downloaded content is saved as a JPEG file (IMG387470302099.jpg) in the user’s downloads directory. 

The batch file then moves the downloaded file to the %programdata% directory and modifies the extension to .cmd (IMG387470302099.cmd). Finally, the script executes the .cmd file and deletes itself to erase evidence.  

Fighting Ursa, a persistent threat actor that leverages dynamic infrastructure and diverse lure sets to distribute HeadLace malware, continues to exploit legitimate web services for malicious purposes. 

Organizations should restrict access to such platforms and meticulously examine their usage to proactively identify and mitigate potential attack vectors associated with Fighting Ursa. 

A malicious campaign leverages a webhook site hosting a decoy car-for-sale image and a ZIP archive containing a legitimate calc.exe, a malicious DLL, and a batch file. 

Once extracted, calc.exe is abused to sideload the malicious DLL, which subsequently executes the batch file, indicating a potential malware infection or data theft operation. 

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Accenture Files Leak – New Research Reveals Projects Controlling Billions of User Data

A new research report released today by Progressive International, Expose Accenture, and the Movement...

Kimsuky APT Group Deploys PowerShell Payloads to Deliver XWorm RAT

Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by the notorious Kimsuky Advanced...

More_Eggs Malware Uses Job Application Emails to Distribute Malicious Payloads

The More_Eggs malware, operated by the financially motivated Venom Spider group (also known as...

RedisRaider Campaign Targets Linux Servers by Exploiting Misconfigured Redis Instances

Datadog Security Research has uncovered a formidable new cryptojacking campaign dubbed "RedisRaider," specifically targeting...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Accenture Files Leak – New Research Reveals Projects Controlling Billions of User Data

A new research report released today by Progressive International, Expose Accenture, and the Movement...

Kimsuky APT Group Deploys PowerShell Payloads to Deliver XWorm RAT

Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by the notorious Kimsuky Advanced...

More_Eggs Malware Uses Job Application Emails to Distribute Malicious Payloads

The More_Eggs malware, operated by the financially motivated Venom Spider group (also known as...