A sophisticated Windows Trojan that compromises software development projects to distribute a multi-stage backdoor, data stealer, clipboard hijacker, cryptominer, and file infector.
Documented by Doctor Web researchers and first observed in the final quarter of 2025, the malware has continued to develop and now targets C++ and C# development environments.
By infecting Visual Studio project files and components used during application compilation, the operation turns compromised developer workstations into distribution points in the supply chain.
Hackers Infect C++ and C# Project Files
The campaign begins with trojanized executable files or malicious Python scripts tracked as Python.Downloader.255. In compromised executables, attackers insert a global object that runs when the application launches.

The malware uses Process Environment Block walking to resolve Windows APIs, then abuses the C runtime’s initterm initialization mechanism to execute a concealed PowerShell downloader.
Doctor Web identifies this first-stage component as Trojan.DownLoader49.35384. Its purpose is to retrieve and execute the next loader stage, Trojan.DownLoader49.35687.
Malicious Python files perform a similar function, with their code encrypted using Fernet and obscured with excessive whitespace. During the second phase, the malware checks for prior execution and sandbox-like environments using a mutex named GlobalPFNMX.
It retrieves command-and-control infrastructure from attacker-controlled content hosted on public services, including GitHub and Steam. Doctor Web found Steam accounts containing C2 domains in plain text, while GitHub-hosted raw files stored encrypted server addresses protected with Base64, XOR, and ZwFlushKey-based routines.
The downloader then injects malicious code into one of 41 predefined executables in the C:WindowsSystem32 directory. It passes the victim identifier and C2 information to the final payload through a named pipe called VccFrameworkchannel.
The third stage, BackDoor.Siggen2.5906, establishes persistence by replacing selected DLLs, including Discord’s profapi.dll, Microsoft Edge-related DLLs, and C:Windowsomadmapi.dll.
It can also hijack Windows registry settings, causing opening archives with WinRAR to trigger malicious execution. For elevated access, the malware uses a User Account Control bypass involving ms-settings registry keys and ComputerDefaults.exe.
Once active, the backdoor steals Discord tokens, browser passwords, cookies, Telegram Desktop data, and Exodus cryptocurrency wallet files. It can inject into browser processes to capture credentials and modify Exodus wallet application files to intercept recovery phrases.
The malware also continuously monitors the clipboard for payment-card data and replaces copied cryptocurrency wallet addresses with attacker-provided alternatives.

Its remote-control features support command execution, file uploads, directory enumeration, payload downloads, reverse proxy deployment, and disruptive “troll” functions such as audio manipulation and scareware effects.
In addition, the operation deploys cryptocurrency miners using publicly available tools such as XMRig, T-Rex, and TeamRedMiner. Mining begins only after the victim system remains idle for a defined period.
Most notably, the trojan infects .vcxproj and .csproj project files by adding malicious pre-build events. It also targets Visual Studio .suo files, imgui_impl_win32.cpp, Windows SDK header winnetwk.h, and executable files.
By injecting pre-build events into Visual Studio project files, the malware ensures malicious code runs automatically whenever a developer builds their project, meaning compromised open-source repositories can silently infect anyone who compiles them.
Later versions use YouTube video descriptions and Steam profiles as covert channels to relay Base64-encrypted C2 addresses, making detection harder.
Mitigation
This Trojan’s blend of credential theft, financial fraud, remote access, and critical supply chain propagation through developer tooling makes it a serious threat to both individual users and software supply chains.
Organizations should audit third-party code dependencies, monitor build pipelines for unauthorized pre-build events, and keep antivirus databases up to date. Detect and remove this threat, including disinfecting affected .vcxproj, .csproj, and ImGui source files.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.

