Hackers Compromised Official Gaming Mouse Software to Deliver Windows-based Xred Malware

Gaming peripheral manufacturer Endgame Gear has confirmed that attackers compromised the official download of its OP1w 4K V2 mouse configuration tool, using it to deliver the Xred malware to customers for nearly two weeks.

The breach, which lasted from June 26 to July 9, 2025, is a clear example of a software supply-chain attack on the gaming industry: the infected installer was served directly from Endgame Gear’s official product page, so nothing about the download source would have warned users that the file was malicious.

The incident came to light when Reddit users in the MouseReview community reported suspicious behavior after downloading the legitimate-looking configuration tool. User Admirable-Raccoon597, who first identified the compromise, noted that the infected file came “from the official vendor page” rather than any third-party source.

Gaming Mouse Software Compromise

The malware payload was identified as Xred, a Windows-based backdoor that has been circulating since at least 2019. This remote access trojan combines information theft, keylogging, persistence and self-propagation in a single component.

Xred collects system information, including MAC addresses, usernames and computer names, and sends it to the attackers over SMTP to email addresses hardcoded in the malware. For defenders, that choice of channel is a useful detection point: a desktop that suddenly opens outbound SMTP connections it has no business making is worth a closer look.

The malware’s persistence mechanisms are particularly concerning. Once executed, Xred creates a hidden directory at C:\ProgramData\Synaptics and sets a Windows Registry Run key so that it starts again at every logon. Because it poses as Synaptics trackpad driver software, a quick look at autostart entries is unlikely to raise suspicion.

Beyond basic data theft, Xred includes keylogging functionality through keyboard hooking techniques, potentially capturing banking credentials and other sensitive information.

The malware also behaves like a worm, spreading through USB drives by creating autorun.inf files and by injecting malicious VBA macros into Excel files. Current Windows versions no longer honour autorun.inf on removable storage, so on patched systems the macro-infected Excel files are the part of this behaviour that still spreads.
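The following host-triage script is an added example written for this article; it is not code from Endgame Gear, from the article’s author, or from any analysis of the Xred sample. It assumes only the artifacts described above (the ProgramData\Synaptics directory, a Run key pointing into it, autorun.inf on USB drives and macro-enabled Excel files), and the Indicator labels it reports are its own invention.

```powershell
# Added host-triage script for the Xred artifacts described in the article. It is an
# illustration written for this page, not code from Endgame Gear, the article's author
# or the malware sample. It assumes the %ProgramData%\Synaptics directory and Run-key
# persistence the article describes; the Indicator labels below are this script's own.
# Run from an elevated PowerShell prompt so HKLM and hidden files are readable.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Staging directory. Driver software does not normally live under ProgramData, so the
#    folder's existence is itself a strong indicator; hashes and Authenticode status of any
#    binaries inside are collected for follow-up.
$stagingDir = Join-Path $env:ProgramData 'Synaptics'
if (Test-Path -LiteralPath $stagingDir) {
    $attrs = (Get-Item -LiteralPath $stagingDir -Force).Attributes
    Add-Finding 'StagingDirectory' "$stagingDir exists (attributes: $attrs)"
    Get-ChildItem -LiteralPath $stagingDir -Force -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $sig  = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            Add-Finding 'StagedBinary' "$($_.FullName) sha256=$hash signature=$sig"
        }
}

# 2. Run-key persistence. Only values whose command line references the staging directory
#    are reported, so legitimate autostart entries are left alone.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($prop in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($prop.Name -in $providerProps) { continue }
        if ("$($prop.Value)" -match '(?i)ProgramData\\Synaptics') {
            Add-Finding 'RunKey' "$key\$($prop.Name) = $($prop.Value)"
        }
    }
}

# 3. Worm artifacts on removable media. Current Windows versions do not honour autorun.inf
#    on USB storage, so finding one points to infection rather than to any legitimate use.
Add-Type -AssemblyName System.IO.Compression.FileSystem
foreach ($disk in (Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2')) {
    $root = $disk.DeviceID + '\'
    $inf  = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) { Add-Finding 'AutorunInf' $inf }

    # Macro-enabled workbooks are zip containers; a VBA project appears as xl/vbaProject.bin.
    # Legacy binary .xls files are not zips and need a dedicated parser such as olevba.
    Get-ChildItem -LiteralPath $root -Force -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.xlsm', '.xlam' } |
        ForEach-Object {
            $path = $_.FullName   # $_ is the error record inside catch, so keep the path here
            $zip  = $null
            try {
                $zip = [System.IO.Compression.ZipFile]::OpenRead($path)
                if ($zip.Entries.FullName -contains 'xl/vbaProject.bin') {
                    Add-Finding 'ExcelWithVba' $path
                }
            } catch {
                Add-Finding 'UnreadableExcel' "${path}: $($_.Exception.Message)"
            } finally {
                if ($zip) { $zip.Dispose() }
            }
        }
}

# 4. Report. An empty result does not prove the host is clean: the SMTP exfiltration and the
#    keyboard hook are not checked here, so treat this as a first pass, not a verdict.
if ($findings.Count -eq 0) {
    Write-Output 'No Xred indicators found in ProgramData, Run keys or removable drives.'
} else {
    $findings | Format-Table -AutoSize
}
```

The script deliberately matches Run-key values on the directory path rather than on the word “Synaptics” alone, since a machine with a real Synaptics touchpad may legitimately autostart a Synaptics helper from Program Files. Anyone who downloaded the configuration tool during the affected window should also treat the installer itself as malicious and have the host checked with a full anti-malware scan, not just this script.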

Endgame Gear replaced the infected files with clean versions on July 17, initially without issuing a public warning or acknowledging the breach.

The company has since released an official security statement confirming the incident. In it the company states that “access to our file servers was not compromised, and no customer data was accessible or affected on our servers at any time”. Customers who downloaded the tool between June 26 and July 9 should nonetheless assume the copy they received was malicious and check their systems.

The manufacturer has since implemented several security enhancements, including additional malware scanning procedures, reinforced anti-malware protections on hosting servers, and plans to add digital signatures to all software files.
