New Blitz Malware Targets Windows Servers to Deploy Monero Miner
A new Windows-based malware named Blitz has been identified in 2024, with an updated version detected in early 2025.
This malware, actively developed and distributed through deceptive game cheats, poses a significant threat by deploying a Monero cryptocurrency miner alongside information-stealing and denial-of-service (DoS) capabilities.
Detailed analysis by Palo Alto Networks’ Unit 42 reveals that Blitz operates in two stages, a downloader and a bot payload, and leverages unconventional platforms such as Hugging Face Spaces for its command-and-control (C2) infrastructure.

This strategic abuse of legitimate AI code repositories highlights the evolving tactics of cybercriminals aiming to evade detection while targeting unsuspecting users, particularly in the gaming community.
Technical Intricacies
Blitz malware primarily spreads through backdoored game cheats for the popular mobile game Standoff 2, which boasts over 100 million downloads by April 2025.
These malicious packages, named Elysium_CrackBy@sw1zzx_dev.zip and Nerest_CrackBy@sw1zzx_dev.zip, are distributed via a Telegram channel operated by a Russian-speaking individual using the moniker sw1zzx.

Once executed, the backdoored executables deploy the Blitz downloader, which subsequently retrieves and installs the Blitz bot.
This bot is equipped with advanced features like keylogging, screenshot capture, and DoS attacks against web servers.
Furthermore, the malware employs sophisticated anti-sandbox techniques, such as timing loop iterations and floating-point instruction checks, to avoid detection in virtual environments.
The use of Hugging Face Spaces as a C2 host is particularly notable, as it stores the bot payload and an XMRig miner, which is injected into explorer.exe to mine Monero cryptocurrency.
The malware communicates via a REST API built on the FastAPI framework, with endpoints facilitating victim registration and command execution across 289 infections in 26 countries by late April 2025, predominantly in Russia, Ukraine, and Belarus.
Implications
The implications of Blitz are severe, especially given its ability to persist through Windows registry entries and inject payloads into legitimate processes like RuntimeBroker.exe.
The malware operator’s alleged departure in early May 2025, accompanied by a partially effective removal tool, raises questions about the future of this threat.
However, the historical evolution of Blitz, including a previous version from late 2024 that spread via trojanized installers and Discord channels, suggests that such threats may resurface under new guises.
Palo Alto Networks has fortified defenses through products like Advanced WildFire, Advanced Threat Prevention, and Cortex XDR, which detect and mitigate Blitz-related activities.
Organizations are urged to avoid cracked software and remain vigilant against social engineering tactics targeting gaming communities.
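The behaviours described above (payload injection into explorer.exe and RuntimeBroker.exe, C2 on Hugging Face Spaces, published file hashes) translate directly into hunt logic. The following is an added example, not code from the article or from Unit 42: it triages constructed endpoint telemetry lines in an assumed `key=value` format and flags the two signals a defender can check cheaply, a Blitz injection host talking to an `*.hf.space` domain and a file hash matching the IOC table.

```python
import re

# SHA256 values quoted in the article's IOC table
BLITZ_SHA256 = {
    "14467edd617486a1a42c6dab287ec4ae21409a5dc8eb46d77b853427b67d16d6",  # backdoored cheat
    "0e80fe5636336b70b1775e94aaa219e6aa27fcf700f90f8a5dd73a22c898d646",  # downloader
    "ae2f4c49f73f6d88b193a46cd22551bb31183ae6ee79d84be010d6acf9f2ee57",  # Blitz bot
    "47ce55095e1f1f97307782dc4903934f66beec3476a45d85e33e48d63e1f2e15",  # XMRig miner
}
# Processes the article says Blitz injects into; a clean copy of either has
# no reason to open a connection to a Hugging Face Space.
INJECTED_PROCS = {"explorer.exe", "runtimebroker.exe"}
HF_SPACE = re.compile(r"(^|\.)hf\.space$", re.IGNORECASE)


def parse(line):
    """Parse one 'key=value key=value' telemetry line (assumed format)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def triage(line):
    """Return the reasons a telemetry line looks Blitz-related ([] if none)."""
    ev = parse(line)
    proc = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    hits = []
    if ev.get("event") == "net" and proc in INJECTED_PROCS \
            and HF_SPACE.search(ev.get("dest", "")):
        hits.append(f"{proc} connecting to Hugging Face Space {ev['dest']}")
    if ev.get("sha256", "").lower() in BLITZ_SHA256:
        hits.append(f"SHA256 matches a published Blitz IOC ({ev['sha256'][:12]}...)")
    return hits


def hunt(lines):
    """Triage many lines; returns [(line_no, reasons), ...] for the hits only."""
    return [(i, r) for i, ln in enumerate(lines, 1) if (r := triage(ln))]


# Constructed sample telemetry (not real logs); hostname and hash are from the IOC table
SAMPLE = [
    "event=net image=C:\\Windows\\explorer.exe dest=e445a00fffe335d6dac0ac0fe0a5accc-9591beae439b860-b5c7747.hf.space port=443",
    "event=net image=C:\\Windows\\explorer.exe dest=update.example.net port=443",
    "event=file path=C:\\Users\\u\\Downloads\\Elysium_CrackBy@sw1zzx_dev.zip sha256=14467edd617486a1a42c6dab287ec4ae21409a5dc8eb46d77b853427b67d16d6",
    "event=net image=C:\\Users\\u\\firefox.exe dest=huggingface.co port=443",
]

if __name__ == "__main__":
    for no, reasons in hunt(SAMPLE):
        print(f"line {no}: " + "; ".join(reasons))
```

Note that ordinary browser traffic to huggingface.co is not flagged; only the injection hosts reaching a Space subdomain are, which keeps the rule narrow enough for a production hunt.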
Indicators of Compromise (IOC)
| Type | Indicator |
|---|---|
| SHA256 (Backdoored Cheats) | 14467edd617486a1a42c6dab287ec4ae21409a5dc8eb46d77b853427b67d16d6, etc. |
| SHA256 (Downloader) | 0e80fe5636336b70b1775e94aaa219e6aa27fcf700f90f8a5dd73a22c898d646, etc. |
| SHA256 (Blitz Bot) | ae2f4c49f73f6d88b193a46cd22551bb31183ae6ee79d84be010d6acf9f2ee57, etc. |
| SHA256 (XMRig Miner) | 47ce55095e1f1f97307782dc4903934f66beec3476a45d85e33e48d63e1f2e15 |
| Hugging Face C2 Domains | e445a00fffe335d6dac0ac0fe0a5accc-9591beae439b860-b5c7747.hf[.]space, etc. |
| Telegram Channel | t[.]me/sw1zzx_dev |