A newly analyzed Windows backdoor, called the Siggen backdoor “BackDoor.Siggen2.5906”, targets software developers by modifying C++ and C# projects, allowing malicious code to spread through source files, compiled applications, and development environments.
Doctor Web researchers said the malware can steal passwords, browser cookies, Discord tokens, Telegram data, and cryptocurrency wallet information. It also monitors clipboard activity, provides remote access to infected computers, installs cryptocurrency miners, and inserts malicious code into developer files.
Researchers first identified the malware during the final quarter of 2025, and since then its operators have continued updating the code, adding new execution methods and making the malware harder to detect.
The Infection Chain
The attack begins with infected executable files or malicious Python scripts. In compromised Windows applications, the attackers add a function that runs during the normal startup process and launches PowerShell in the background. PowerShell then downloads the next malware component, allowing the infection to continue.
Malicious Python files use a similar process. Their embedded code is encrypted with Fernet, a symmetric encryption method, and hidden behind a long sequence of whitespace characters. Once executed, the scripts decrypt and run code that installs the next malware stage.
After reaching a Windows computer, the downloader checks for analysis environments and creates a mutex to prevent duplicate instances from running. It then searches public online services for current command-and-control server information.
According to Dr Web’s blog post, attackers also placed server domains inside Steam profiles and stored encrypted address data in public GitHub files. Using established platforms like Steam gives the operators a way to update server information without placing permanent addresses directly inside every malware sample.
Once a working server is found, the downloader injects malicious code into one of 41 predefined executables located in the Windows System32 directory. The active server address and malware identifier are then passed to the main backdoor through a named pipe (pipeVccFrameworkchannel), a Windows communication channel that allows separate processes to exchange data.
Backdoor Steals Browser Data, Cryptocurrency Wallet Information and Installs Crypto Miners
Once active, the Siggen backdoor lets attackers control the infected computer remotely. They can run commands, download and execute files, search directories, steal selected data, and route traffic through the device using a reverse proxy.
The malware also collects account and application data from several common services. Targeted information includes Discord authentication tokens, Telegram Desktop folders, browser passwords, and cookies from Chromium-based browsers including:
- Brave
- Edge
- Opera
- Chrome
- Yandex Browser and other
It is worth noting that the malware can steal browser credentials in two ways. It either extracts saved data directly or injects code into an active browser process to intercept passwords. The stolen credentials are then stored in local text files before being sent to the attackers.
Furthermore, Exodus wallet users face a separate risk. The backdoor locates the wallet’s app.asar file and replaces it with a modified version downloaded from an attacker-controlled server. Malicious JavaScript in that file can intercept recovery phrases when the wallet is unlocked.
For context, the app.asar file is an archive used by Electron applications to store much of the app’s code and resources, including JavaScript files, interface components, and application logic.
In Exodus, modifying app.asar allows the backdoor to alter how the wallet application behaves. By replacing the legitimate archive with a malicious version, the attackers can insert JavaScript that intercepts a recovery phrase when the wallet is unlocked and sends it to their server.
The backdoor also monitors clipboard activity for bank card details and cryptocurrency addresses. When a copied wallet address is found, the malware can replace it with one supplied by the command-and-control server, redirecting any payment to the attackers.
Another threat embedded with the Siggen backdoor is that it also runs cryptocurrency mining on a compromised device. This is done when the malware downloads a separate component that installs mining software based on XMRig, T-Rex, or TeamRedMiner.
Visual Studio Files Become Malware Carriers
Since developers are the primary target of this malware campaign, their workstations undergo additional modifications designed to spread the infection to other projects and computers.
The backdoor searches available drives for executable files, Visual Studio configuration data, C++ and C# project files, Windows SDK headers, and Dear ImGui source code. The targeted file types identified by researchers include:
.suo.exe.vcxproj.csprojwinnetwk.himgui_impl_win32.cpp

If you are a developer, you should inspect unexpected project-file changes, review pre-build commands, scan downloaded source code and binaries, and verify development environments before compiling third-party projects.
Although Dr.Web did not identify the initial delivery method, Windows users should avoid downloading files from untrusted third-party sites or opening attachments from unknown senders. Keeping Windows and installed software updated, along with checking suspicious links and files through VirusTotal, can reduce the risk of infection.

