DeerStealer’s Qihoo 360 Trojan Horse
Summary
Analysis of a trojanized MSI installer revealed an atypical antivirus evasion technique. The malware did not merely bypass detection. It weaponized a legitimately signed component from Qihoo 360 Safe, one of China’s largest security suites, to establish persistence and attempt kernel-level access.
DeerStealer, a commodity infostealer sold for $200-$3,000/month on dark web forums, demonstrates how threat actors can turn trusted security software into an attack vector. The implications extend beyond this single malware family to the broader security software ecosystem.
DeerStealer Background
DeerStealer surfaced in 2024 through ANY.RUN’s telemetry. The threat actor “LuciferXfiles” markets it as Malware-as-a-Service (MaaS) under the brand “XFiles Spyware.”
| Tier | Monthly Cost | Capabilities |
|---|---|---|
| Premium | $200 | Standard credential theft |
| Professional | $3,000 | Custom crypters, 24/7 support, rootkit-like file concealment |
The Professional tier provides credential theft targeting 50+ browsers, 800+ cryptocurrency extensions, and major VPN/FTP/RDP clients. Previous analyses focused on data exfiltration mechanisms and distribution through fake Google Authenticator sites. This analysis examines persistence and privilege escalation through security software hijacking.
CYFIRMA’s September 2025 Indicators of Compromise (IOCs) confirmed attribution. Hash 5ec174af8a18a5516b8a6e11d8a27481d70df14d1edb67c48b5458ff44df9146 for XPFix.exe appears in multiple infections with identical file paths and scheduled task names.
Initial Infection - py2exe and Reflective DLL Loading
The infection chain begins with a py2exe-packed dropper named EchoManager32.exe (30KB). This executable wraps Python bytecode in a Windows PE format. Upon execution, it performs reflective DLL loading.
The dropper loads ForOps_v17.dll (1.2MB, 382 exports) directly into memory without writing to disk. This technique evades disk-based antivirus scanners. The DLL contains multiple anti-analysis mechanisms detailed in subsequent sections.
| File | Location | Description |
|---|---|---|
| EchoManager32.exe | C:\ProgramData\EXK8s_pro\ | py2exe loader, 30KB |
| ForOps_v17.dll | C:\ProgramData\EXK8s_pro\ | Malicious DLL, 1.2MB, 382 exports |
| Baing.whro | C:\ProgramData\EXK8s_pro\ | Encrypted payload, 3.4MB, 7.97 bits/byte entropy |
| Siemlickcreag.fj | C:\ProgramData\EXK8s_pro\ | Encrypted config, 25KB, 6.96 bits/byte entropy |
The non-standard file extensions (.whro, .fj) serve as obfuscation. Entropy values of 7.97 and 6.96 bits/byte respectively confirm encryption. Analysis focused on the signed binary component rather than payload decryption.
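The entropy figures in the table are Shannon entropy in bits per byte. The Python below is an added example, not code from the analysis: it computes that measure, applies triage thresholds (the 7.5 and 5.0 cut-offs are assumptions, not values from the analysis), and reports per-chunk entropy so that an encrypted blob embedded in an otherwise ordinary file stands out. The sample buffers are constructed stand-ins, not the dropped files.

```python
import math
import random
from collections import Counter

# Thresholds are assumptions for this example, not values from the analysis:
# encrypted or compressed data sits close to the 8.0 bits/byte maximum,
# while plain text and ordinary PE code/data sit well below it.
ENCRYPTED_THRESHOLD = 7.5
MIXED_THRESHOLD = 5.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte, in the range 0.0 to 8.0.

    H = -sum(p(b) * log2(p(b))) over every byte value b that occurs.
    This is the measure behind figures such as 7.97 and 6.96 bits/byte.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Coarse triage label; the cut-offs are the assumptions stated above."""
    h = shannon_entropy(data)
    if h >= ENCRYPTED_THRESHOLD:
        return "likely encrypted or compressed"
    if h >= MIXED_THRESHOLD:
        return "mixed binary (typical of PE code and data)"
    return "low entropy (text, padding or sparse data)"


def chunk_entropies(data: bytes, chunk_size: int = 4096) -> list:
    """Entropy per fixed-size chunk, to locate a high-entropy region inside a
    file (an encrypted payload appended to or embedded in a normal binary)."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def scan_file(path: str) -> dict:
    """Whole-file and per-chunk entropy for a file on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"path": path, "size": len(data),
            "entropy": round(shannon_entropy(data), 2),
            "label": classify(data), "chunks": chunk_entropies(data)}


def constructed_samples() -> dict:
    """Constructed inputs standing in for the dropped files; no real sample data."""
    rng = random.Random(2024)
    ciphertext_like = rng.randbytes(16 * 1024)                 # stands in for an encrypted payload
    text_like = b"[config]\nserver=example.invalid\n" * 128    # 4096 bytes of plaintext config
    mixed = text_like + ciphertext_like                        # plaintext header, encrypted body
    return {"ciphertext_like": ciphertext_like, "text_like": text_like, "mixed": mixed}


if __name__ == "__main__":
    for name, buf in constructed_samples().items():
        print(f"{name}: {shannon_entropy(buf):.2f} bits/byte, {classify(buf)}")
        print("  per-chunk:", [round(h, 2) for h in chunk_entropies(buf)])
```

Whole-file entropy alone can mask a small encrypted section inside a large plaintext file, which is why the per-chunk view is included: in the constructed `mixed` buffer the first chunk reads as text and the remaining chunks as ciphertext.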
The 360 Safe Component - XPFix.exe
Stage 2 drops XPFix.exe into %AppData%\Roaming\EXK8s_pro\. String extraction revealed the binary’s origin, and digital signature verification confirmed its legitimacy: the certificate remains valid and unexpired. This is a genuine Qihoo 360 component extracted from the security suite and repurposed for malicious operations.
360 Safe Artifacts
Static analysis revealed characteristic 360 Safe indicators:
| Artifact Type | Value |
|---|---|
| Mutex | Global//Q360XPFixMutex__ |
| Window Class | Q360HIPSClass |
| Device | \\.\360SelfProtection |
The device name indicates attempted communication with the 360SelfProtection kernel driver. On systems with Qihoo 360 AV installed, this provides potential kernel-level privilege access. On systems without 360, the driver call returns ERROR_MOD_NOT_FOUND (0x7E). The malware continues execution regardless through alternative persistence mechanisms.
DLL Sideloading Vector
XPFix.exe imports from the following DLLs in its directory:
| Required DLL | Purpose |
|---|---|
| 360util.dll | Utility functions |
| 360base.dll | Base functionality |
| 360ver.dll | Version information |
This creates a DLL search order hijacking opportunity. Malicious versions of these DLLs execute with the privileges and signed binary reputation of a legitimate security tool. Windows Defender and SmartScreen permit execution based on the valid 360 Safe signature.
Scheduled Task Persistence
DeerStealer establishes persistence via three scheduled tasks with deliberately nondescript names:
| Task Name | Trigger | Action |
|---|---|---|
| \zceWriter | User logon | C:\ProgramData\EXK8s_pro\EchoManager32.exe |
| \dyApp | User logon | C:\ProgramData\EXK8s_pro\EchoManager32.exe |
| \Pluginsecurity_dbg | System startup | %AppData%\Roaming\EXK8s_pro\XPFix.exe |
The task name “Pluginsecurity_dbg” mimics legitimate debugging infrastructure naming conventions. Combined with the signed 360 Safe binary, this likely evades casual forensic inspection.
UAC Bypass via Elevated COM Object
XPFix.exe elevates privileges using an auto-elevating COM interface. MITRE ATT&CK documents this as T1548.002 (Bypass User Account Control): abuse of Windows components that are permitted to elevate without prompting the user.
| Component | Value |
|---|---|
| Technique | Auto-elevating COM object instantiation |
| MITRE ATT&CK | T1548.002 - Bypass User Account Control |
| Common Interfaces | ICMLuaUtil, IFileOperation, CMSTPLUA |
Auto-elevating COM objects enable execution of elevated processes without triggering User Account Control (UAC) prompts. Combined with a legitimately signed binary, this significantly reduces detection probability. Detection requires behavioral analytics monitoring COM object instantiation patterns correlated with scheduled task creation from non-standard paths.
Anti-Debugging Mechanisms
ForOps_v17.dll implements multiple anti-debugging techniques to impede dynamic analysis.
Fake DLL Error
On detecting a debugger, the DLL displays a MessageBox claiming PYTHON27.DLL was not found. This is misdirection: the DLL is present and is not required for execution. The error leads analysts to assume, wrongly, that the sample is corrupted.
INT3 Detection
The malware scans its own memory for software breakpoints (0xCC bytes, the INT3 instruction opcode). When breakpoints are detected, execution aborts. Bypass requires hardware breakpoints via x64dbg with ScyllaHide using the Themida profile. Hardware breakpoints utilize CPU debug registers rather than memory modification, evading INT3 detection.
Process Environment Block Checks
The malware performs standard PEB-based anti-debugging checks:
| Check | Indicator |
|---|---|
| BeingDebugged flag | Non-zero value in PEB |
| NtGlobalFlag | Value 0x70 (the heap-checking flags set when a process is started under a debugger) |
These techniques combined create layered anti-analysis defenses. Instrumentation frameworks such as Frida or Intel PIN provide API-level bypass mechanisms.
API Hooking Analysis
PE-sieve analysis of the infected process revealed extensive API hooking:
| DLL | Patches | Function |
|---|---|---|
| rasapi32.dll | 1,938 | Remote Access Service API |
| evr.dll | 658 | Enhanced Video Renderer |
The rasapi32.dll hooks intercept Remote Access Service API calls. This includes VPN connections, RAS configurations, and credential storage. The 1,938 patches indicate near-complete function interception. All VPN credentials and RAS configurations pass through malware-controlled code.
The evr.dll hooks target the Enhanced Video Renderer, which handles DirectShow and Media Foundation video frame rendering. This enables interception of rendered video content, potentially capturing media streams or application windows displaying one-time passwords (OTP), two-factor authentication (2FA) prompts, or cryptocurrency wallet interfaces.
Security Software as Attack Vector
This technique has implications beyond DeerStealer.
Trusted Computing Base Expansion
Security software requires elevated privileges for file scanning, memory inspection, and process blocking. Each privileged component expands the Trusted Computing Base (TCB). Hijacking these components transfers their privileges to attackers.
Qihoo 360 Safe has hundreds of millions of users, primarily in China. XPFix.exe represents one weaponizable component. This systemic risk applies to the security software model broadly, not specifically to Qihoo 360.
Signed Binary Reputation
Windows, enterprise environments, and security tools whitelist signed binaries. XPFix.exe carries a legitimate Qihoo 360 signature. The certificate is not compromised. The signature is not forged. The component was extracted from the security suite and repurposed.
| Security Control | Result |
|---|---|
| Microsoft SmartScreen | Pass |
| Windows Defender | Pass |
| Enterprise application whitelisting | Likely pass without granular path-based policies |
Kernel Driver Access
The \\.\360SelfProtection device interface provides potential kernel-mode execution. On systems with 360 Safe installed, this driver operates with SYSTEM privileges at Ring 0. Kernel drivers bypass user-mode security boundaries, enabling process hiding, system call interception, and kernel memory modification.
The driver interaction fails on systems without 360 installed. However, the attempt demonstrates sophisticated understanding of Windows driver architecture and targeted exploitation of security vendor implementations.
Detection Engineering
Hash-based IOCs provide limited value for this malware class. Behavioral detection offers more durable coverage.
Supply Chain Implications
DeerStealer’s 360 Safe abuse represents a broader trend in threat actor tradecraft.
Living off Trusted Binaries (LOTB)
Threat actors have progressed beyond Living off the Land Binaries (LOLBins) to Living off Trusted Binaries (LOTB). This involves hijacking security software, driver utilities, and signed system components. Trusted binaries evade Endpoint Detection and Response (EDR) solutions that explicitly whitelist them.
Security Software Privilege Escalation Vectors
Security products create multiple privilege escalation opportunities:
| Vector | Risk |
|---|---|
| Kernel drivers | IOCTL interfaces accessible to user-mode processes |
| Signed binaries | Execute with elevated privileges |
| Service executables | Run as SYSTEM |
| DLL search order | Sideloading vulnerabilities |
Code signing alone is insufficient. Runtime behavioral verification is required.
Regional AV Ecosystem Targeting
Qihoo 360 Safe is deployed on hundreds of millions of endpoints, primarily in China. Malware targeting Chinese users can weaponize 360 components with high confidence of their presence on victim systems.
This technique generalizes to other antivirus vendors. Security researchers should audit vendor binaries with the same rigor applied to Windows system binaries.
Path-Based Application Whitelisting
Application whitelisting should enforce both hash and path constraints. XPFix.exe should only execute from C:\Program Files\360\360Safe\. Execution from %AppData%\Roaming\ indicates malicious activity regardless of signature validity.
Scheduled Task Auditing
Enable Microsoft-Windows-TaskScheduler/Operational logging. Alert on task creation events matching these criteria:
| Criterion | Alert Condition |
|---|---|
| Parent process | msiexec.exe |
| Task path | Does not start with \Microsoft\ |
| Action executable | Located in %AppData% or C:\ProgramData\ |
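The three DeerStealer tasks listed under Scheduled Task Persistence and the alert criteria in this table can be turned into one check over task-creation records. The Python below is an added example, not the analysis’s own tooling: it parses the Task Scheduler XML that Security event 4698 carries in its TaskContent field, applies the three criteria, and runs them over constructed records for the three DeerStealer tasks and two benign ones. Event 4698 does not record the creating process; the example models it as a correlated `creator_process` field (the kind of data process-creation telemetry such as Sysmon event 1 supplies), and the creator names for the sample tasks and the alert policy (user-writable action path plus at least one more criterion) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Criteria from the Scheduled Task Auditing table.
SUSPICIOUS_CREATOR = "msiexec.exe"
BENIGN_TASK_ROOT = "\\microsoft\\"
USER_WRITABLE_PREFIXES = ("%appdata%", "c:\\programdata\\")
USER_WRITABLE_FRAGMENT = "\\appdata\\roaming\\"   # %AppData% once expanded

R_MSIEXEC = "created by msiexec.exe"
R_PATH = "task path outside \\Microsoft\\"
R_LOCATION = "action executable in %AppData% or C:\\ProgramData\\"


def _local(tag: str) -> str:
    """Strip the XML namespace: '{http://...}Command' -> 'Command'."""
    return tag.rsplit("}", 1)[-1]


def parse_task_content(task_content: str):
    """Return (commands, trigger_types) from a task definition in the Task Scheduler
    XML schema, as carried in the TaskContent field of Security event 4698."""
    # The field starts with an XML declaration; drop it so the text parses as-is.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content)
    root = ET.fromstring(xml_text)
    commands = [el.text.strip() for el in root.iter()
                if _local(el.tag) == "Command" and el.text]
    triggers = []
    for el in root.iter():
        if _local(el.tag) == "Triggers":
            triggers.extend(_local(child.tag) for child in el)
    return commands, triggers


def in_user_writable_location(command: str) -> bool:
    """True when the action executable sits in %AppData% or C:\\ProgramData\\."""
    path = command.strip().strip('"').lower()
    return path.startswith(USER_WRITABLE_PREFIXES) or USER_WRITABLE_FRAGMENT in path


def analyze_task_event(event: dict) -> dict:
    """Apply the three criteria to one task-creation record.

    `creator_process` is not a field of event 4698; it stands for correlated
    process-creation telemetry (e.g. Sysmon event 1) in this example.
    """
    commands, triggers = parse_task_content(event["TaskContent"])
    reasons = []
    if event.get("creator_process", "").lower() == SUSPICIOUS_CREATOR:
        reasons.append(R_MSIEXEC)
    if not event["TaskName"].lower().startswith(BENIGN_TASK_ROOT):
        reasons.append(R_PATH)
    if any(in_user_writable_location(c) for c in commands):
        reasons.append(R_LOCATION)
    # Alert policy (an assumption of this example): an action in a user-writable
    # location plus at least one further criterion, so that an installer which
    # registers a task under Program Files does not page anyone on its own.
    alert = R_LOCATION in reasons and len(reasons) >= 2
    return {"task": event["TaskName"], "commands": commands,
            "triggers": triggers, "reasons": reasons, "alert": alert}


def task_xml(trigger: str, command: str) -> str:
    """Minimal task definition in the Task Scheduler schema (constructed test data)."""
    return (
        '<?xml version="1.0" encoding="UTF-16"?>'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f'<Triggers><{trigger}><Enabled>true</Enabled></{trigger}></Triggers>'
        f'<Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions>'
        '</Task>'
    )


# Constructed records: the three tasks from the analysis plus two benign ones.
# The creator processes are illustrative; the analysis does not state them.
SAMPLE_EVENTS = [
    {"TaskName": "\\zceWriter", "creator_process": "msiexec.exe",
     "TaskContent": task_xml("LogonTrigger", "C:\\ProgramData\\EXK8s_pro\\EchoManager32.exe")},
    {"TaskName": "\\dyApp", "creator_process": "msiexec.exe",
     "TaskContent": task_xml("LogonTrigger", "C:\\ProgramData\\EXK8s_pro\\EchoManager32.exe")},
    {"TaskName": "\\Pluginsecurity_dbg", "creator_process": "EchoManager32.exe",
     "TaskContent": task_xml("BootTrigger", "%AppData%\\Roaming\\EXK8s_pro\\XPFix.exe")},
    {"TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan", "creator_process": "svchost.exe",
     "TaskContent": task_xml("BootTrigger", "%systemroot%\\system32\\usoclient.exe")},
    {"TaskName": "\\ExampleVendor Update", "creator_process": "msiexec.exe",
     "TaskContent": task_xml("LogonTrigger", "\"C:\\Program Files\\ExampleVendor\\Updater.exe\"")},
]


def run_samples() -> dict:
    """Analyze every constructed record, keyed by task name."""
    return {e["TaskName"]: analyze_task_event(e) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for name, result in run_samples().items():
        flag = "ALERT" if result["alert"] else "ok   "
        print(f"{flag} {name}: {', '.join(result['reasons']) or 'no criteria matched'}")
```

The constructed vendor task shows why the policy requires the location criterion: it is created by msiexec.exe under a non-Microsoft path, like most installers, and matching on those two alone would alert on every software rollout.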
DLL Load Order Hardening
Call SetDllDirectory or otherwise isolate the Current Working Directory (CWD) from the DLL search path to prevent sideloading. Audit security software installation directories for missing or unexpected DLLs. Pre-creating placeholder DLLs with no exports prevents sideloading attacks.
Kernel Driver Access Monitoring
Monitor for non-360 processes opening handles to \\.\360SelfProtection. Legitimate 360 processes represent a known baseline. Other processes attempting driver communication indicate compromise.
Standard Sysmon does not provide device handle monitoring. Driver access telemetry requires:
| Method | Implementation |
|---|---|
| ETW providers | Microsoft-Windows-Kernel-File provider for IRP monitoring |
| Minifilter drivers | Custom driver monitoring IRP_MJ_CREATE to device objects |
| EDR telemetry | Commercial EDR solutions with kernel-mode sensors |
| API monitoring | Hook NtCreateFile/NtOpenFile for device path access |
For environments with EDR, configure alerts for processes accessing \\.\360SelfProtection where the process is not a known 360 Safe component.
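The path-based whitelisting rule for XPFix.exe and the driver-access baseline above reduce to the same question: is this image running from the 360 Safe install directory? The Python below is an added example, not the analysis’s own code, and applies both checks to constructed handle-open records. It assumes that C:\Program Files\360\360Safe\ (the expected location given above) is the complete baseline of trusted 360 images; the record field names, the user name and the expanded %AppData% path are the example’s own.

```python
import ntpath

# Baseline from the analysis: the legitimate XPFix.exe lives under the 360 Safe
# install directory. Treating that directory as the full set of trusted 360
# images is an assumption of this example; a deployment would enumerate the
# vendor's processes from known-clean hosts.
EXPECTED_LOCATIONS = {
    "xpfix.exe": ("c:\\program files\\360\\360safe\\",),
}
TRUSTED_360_DIRS = ("c:\\program files\\360\\360safe\\",)
DEVICE_OF_INTEREST = "360selfprotection"


def normalize_device(path: str) -> str:
    r"""Reduce the user-mode \\.\X and \\?\X spellings and the NT \??\X form to
    the bare device name, lower-cased. \Device\... paths are left alone: the
    device object behind a DOS alias need not carry the same name."""
    p = path.strip().lower()
    for prefix in ("\\\\.\\", "\\\\?\\", "\\??\\"):
        if p.startswith(prefix):
            return p[len(prefix):]
    return p


def _directory(image_path: str) -> str:
    """Lower-cased parent directory with trailing separator, Windows semantics."""
    return ntpath.dirname(image_path).lower().rstrip("\\") + "\\"


def check_signed_binary_location(image_path: str):
    """True if a tracked signed binary runs from its expected directory, False if
    it runs from anywhere else, None if the binary is not tracked at all."""
    name = ntpath.basename(image_path).lower()
    expected = EXPECTED_LOCATIONS.get(name)
    if expected is None:
        return None
    return _directory(image_path).startswith(expected)


def is_trusted_360_image(image_path: str) -> bool:
    """Whether the image belongs to the assumed 360 Safe baseline."""
    return _directory(image_path).startswith(TRUSTED_360_DIRS)


def flag_driver_access(records: list) -> list:
    """Records that open the 360 self-protection device from outside the baseline."""
    return [r for r in records
            if normalize_device(r["device"]) == DEVICE_OF_INTEREST
            and not is_trusted_360_image(r["image"])]


def triage(records: list) -> list:
    """Findings for both controls over a batch of handle-open records."""
    findings = []
    for r in records:
        if check_signed_binary_location(r["image"]) is False:
            findings.append(f"signed binary outside expected path: {r['image']}")
    for r in flag_driver_access(records):
        findings.append(f"untrusted process opened {r['device']}: {r['image']}")
    return findings


# Constructed handle-open records (image path, device path). The user name and
# the expanded %AppData% directory are illustrative.
SAMPLE_RECORDS = [
    {"image": "C:\\Program Files\\360\\360Safe\\XPFix.exe",
     "device": "\\\\.\\360SelfProtection"},
    {"image": "C:\\Users\\victim\\AppData\\Roaming\\EXK8s_pro\\XPFix.exe",
     "device": "\\??\\360SelfProtection"},
    {"image": "C:\\Windows\\System32\\svchost.exe",
     "device": "\\\\.\\Nsi"},
]


if __name__ == "__main__":
    for line in triage(SAMPLE_RECORDS):
        print(line)
```

The second record is caught twice, once by each control: a signed XPFix.exe outside its install directory is a finding on its own, and the same image opening the self-protection device is a second one. Kernel-side sensors (ETW, a minifilter, EDR) typically report the `\??\` form of the path rather than `\\.\`, which is why the device name is normalized before comparison.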
Attribution Analysis
Initial analysis suggested potential APT-Q-27 (Dragon Breath) involvement based on 360 Safe component abuse patterns. Hash matching with CYFIRMA’s IOCs confirmed DeerStealer attribution, a commodity MaaS offering.
This demonstrates capability democratization. Techniques previously associated with nation-state actors—rootkit-like concealment, kernel driver abuse, signed binary hijacking—are now available for $200/month on darknet forums. The distinction between advanced persistent threats and commodity malware continues to erode.
Conclusion
Effective defenses require:
| Control | Implementation |
|---|---|
| Behavioral analytics | Detect technique combinations, not individual indicators |
| Application control | Enforce path + hash constraints, not signatures alone |
| Audit logging | Capture scheduled tasks, COM instantiation, driver interactions |
| Threat hunting | Assume attacker presence rather than waiting for alerts |
The signature-based trust model is insufficient. Attackers weaponize that trust. Security software components become attack vectors. Defenders must apply the same scrutiny to security tools as to potential threats.
Indicators of Compromise
File Hashes (SHA256)
| File | SHA256 | Description |
|---|---|---|
| XPFix.exe | 5ec174af8a18a5516b8a6e11d8a27481d70df14d1edb67c48b5458ff44df9146 | Confirmed DeerStealer component |
| EchoManager32.exe | 630ca44e73923584ac7e482cc8626ff0bf2a69e1a3bf3c0a71e35bcb183dcaa5 | py2exe loader |
| ForOps_v17.dll | 85d259873d61ed55196c823d2d2844c5f3f23fc911b9543e3c0056c1bbf779f0 | Malicious DLL |
| Baing.whro | 4e587fc4977f46d96714a233f1e06be27a615273f6fc49c981c3b02d5c95d4a1 | Encrypted payload |
| Siemlickcreag.fj | a26be39a4a22c565ecea175e03926fb3646245e83badda446c5c0b2f22f0d3e5 | Encrypted config |
Host-Based Indicators
| Type | Value |
|---|---|
| Mutex | Global//Q360XPFixMutex__ |
| Window Class | Q360HIPSClass |
| Device | \\.\360SelfProtection |
| Scheduled Task | \zceWriter |
| Scheduled Task | \dyApp |
| Scheduled Task | \Pluginsecurity_dbg |
| Directory | C:\ProgramData\EXK8s_pro\ |
| Directory | %AppData%\Roaming\EXK8s_pro\ |
Network Indicators
| Type | Value |
|---|---|
| C2 Domain | telluricaphelion[.]com |
| C2 Domain | loadinnnhr[.]today |
| C2 Domain | nacreousoculus[.]pro |
| C2 IP | 104.21.112[.]1 |
| C2 IP | 103.246.144[.]118 |
| C2 IP | 172.67.195[.]171 |
References
- CYFIRMA. “DeerStealer Malware Campaign: Stealth, Persistence, and Rootkit-Like Capabilities.” September 2025.
- ANY.RUN. “Brief Overview of the DeerStealer Distribution Campaign.” August 2024.
- eSentire TRU. “Don’t Get Caught in the Headlights - DeerStealer Analysis.” July 2025.
- MITRE ATT&CK. “T1548.002: Bypass User Account Control.” https://attack.mitre.org/techniques/T1548/002/
- Microsoft. “Microsoft Defender Application Control (WDAC) Design Guide.” https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/
- Hex-Rays. “IDA Pro Disassembler and Debugger.” https://hex-rays.com/ida-pro/
- PE-sieve. “Scans for Hooks, Implants, Replaced Modules.” https://github.com/hasherezade/pe-sieve