STORESOCKS – Microsoft Store Apps Deliver a Go Backconnect Proxy

Executive Summary

Hexastrike uncovered an ongoing backconnect proxy campaign distributed through trojanized Microsoft Store applications. We track this activity as STORESOCKS.

Since at least October 2025, an unknown actor has published trojanized free utility applications to the Microsoft Store. The applications impersonate common desktop tools, including WinDirStat, Lightshot, screen recorders, memory cleaners, and auto-clickers. They are not broken decoys or simple launchers. Each analyzed Store package contains a working Electron-based utility interface that matches the advertised purpose of the application. In the background, the same application loads a native Go DLL through a Node FFI bridge and enrolls the victim host as a TCP and UDP proxy node.

The delivery path is central to the campaign. The applications are packaged as MSIX and are validly signed through Microsoft’s Store signing pipeline. This gives the packages a trust signal that many users and organizations associate with safer software distribution. The malicious behavior is not introduced by an unsigned installer or a visible second-stage dropper. It is bundled inside the Store-delivered package and executed by the packaged application itself.

The payload is a Go backconnect proxy. It registers the victim host with helper servers, receives relay instructions, establishes encrypted relay sessions, and tunnels proxy streams through the victim system. The recovered protocol supports SOCKS5-style target addressing for IPv4, domain names, and IPv6. The implant supports both TCP and UDP proxying.

The campaign has evolved across multiple waves. Earlier Store packages used client.dll and the Node FFI library koffi. The live June 2026 wave uses telemetry.dll or lib3Z7.dll, switches to @yuuang/ffi-rs, and inflates the payload size to approximately 68 MB. Hexastrike assesses that the live payloads contain the same backconnect module re-hosted inside a larger Go application tree associated with Gogs, an open-source Git service. This changes how the binary presents itself to tooling and makes simple provenance checks less reliable.

At the time of analysis on 27 June 2026, earlier Store listings had already been removed. The campaign was still active. Hexastrike confirmed at least four armed Microsoft Store applications across two seller accounts live on 27 June 2026.

Microsoft Store utility naming and homoglyph-style branding used by STORESOCKS applications.
Microsoft Store utility naming and homoglyph-style branding used by STORESOCKS applications.

Key Findings

  • STORESOCKS is an ongoing Microsoft Store abuse campaign that distributes trojanized utility applications as signed MSIX packages.
  • The campaign has been active since at least October 2025 and remained active on 27 June 2026.
  • The actor impersonated or reused common utility themes, including WinDirStat, Lightshot, screen recorders, memory cleaners, and auto-clickers.
  • Each observed Store package contains a functional Electron decoy application that loads a native Go backconnect proxy in the background.
  • The campaign uses MSIX-native windows.startupTask persistence with the -start argument, causing the application to run headless at logon.
  • Earlier Store waves used koffi with client.dll. The live June 2026 wave uses @yuuang/ffi-rs with telemetry.dll or lib3Z7.dll.
  • The proxy registers the victim host with helper infrastructure and can use the host as a TCP and UDP proxy node through encrypted relay sessions.
  • The proxy protocol supports SOCKS5-style target addressing, including IPv4, domain name, and IPv6 destination formats.
  • The live payloads are approximately 68 MB and are assessed to be re-hosted inside a larger Gogs-based Go build. This obscures provenance and weakens simple size and source-path assumptions.
  • At least two seller accounts, PersonalUtilities and SOFTWARE MARKETPLACE, operated four live armed Store applications on 27 June 2026.
  • Detection should focus on the full chain: Store-delivered MSIX, Electron runtime, Node FFI bridge, native DLL in the application directory, startup task with -start, helper registration, and relay proxying.

Targeting and Victimology

STORESOCKS targets users searching for free desktop utilities. The observed application themes are broad and high-volume rather than organization-specific. Disk usage tools, screenshot utilities, screen recorders, memory cleaners, and auto-clickers are common search targets for users who need a quick tool and may not have a preferred trusted vendor.

This targeting pattern is consistent with proxy monetization rather than targeted espionage. A successful infection does not require privileged credentials, domain administrator access, or access to a sensitive business application. Any host with stable outbound connectivity can become useful as a proxy node. This makes consumer endpoints, unmanaged corporate endpoints, developer workstations, and utility-heavy desktops relevant from a defensive perspective.

The publisher accounts follow a disposable pattern. The campaign uses plausible but generic seller names, rotates application themes across accounts, and reuses similar utility categories across waves. Several listings also used special characters and trademark-style symbols in display names, which helped create distinct Store identities while keeping the names familiar to users.

Some listings showed ratings and an established Store presence. Hexastrike has not independently validated whether those ratings were organic, manipulated, or partially generated through campaign activity. From a user perspective, the result is still relevant. A working utility with visible ratings and a valid Store install path reduces suspicion.

Microsoft Store rating view for a live STORESOCKS utility application.
Microsoft Store rating view for a live STORESOCKS utility application.

The applications are designed to avoid immediate user complaints. When launched normally, they open a real interface and provide visible utility behavior. The proxy component is loaded before the interface is created. During logon execution, the same loader path runs headless and exits before opening a window.

For incident response, user reports are unlikely to be the first signal. Useful evidence is more likely to come from package contents, startup behavior, DLL loads from WindowsApps paths, and network communication to helper or relay infrastructure.

Campaign Scope and Evolution

Hexastrike identified multiple seller accounts and application families associated with STORESOCKS. Earlier listings had already been removed by the time of analysis, while four applications remained live and armed on 27 June 2026.

PublisherStore hashApplicationsProduct IDsStatus on 27 June 2026
PeakToolsjbr3b8129hcppWinDirStat, ScreenRecorder9MW9HR27K9B99NJXJTN15CV2Removed
HobbyApps6b1d5ygjy0x60Lightshot or Screenshot Tool, Cleaner9NTC2KMZMGNDRemoved
NikiaFraizer48fm0y264fyxmScreenRecorder, MemreductRelated packages observedRemoved
PersonalUtilities37q3eh6e1w8j0MemoryCleaner, Memory Cleaner Plus, Auto Clicker – Fast9PKWPPBH5M6D9PGM15TVJKNTPartially removed, two apps live
SOFTWARE MARKETPLACE3z7eh2g3cf7qgMemory Cleaner℠, Auto Clicker⁺9P7502ZPX6V49PG13ZP1R035Live

The use of multiple accounts and related utility names indicates a maintained distribution operation rather than isolated Store abuse. The actor continued after earlier removals with new seller accounts, new application names, new payload names, and new infrastructure.

Microsoft Store listing for a live Memory Cleaner application associated with STORESOCKS.
Microsoft Store listing for a live Memory Cleaner application associated with STORESOCKS.

The campaign evolved in visible waves. The earliest known samples date to October 2025. Store waves in March and May 2026 used client.dll and koffi. The live June 2026 wave used telemetry.dll or lib3Z7.dll@yuuang/ffi-rs, and new telemetry-themed helper domains.

Infection Chain

Store Delivery and Trust

Initial access occurs when the user installs a trojanized utility application from the Microsoft Store. The package is delivered as MSIX and carries a valid Store signature. The user sees a normal Store application, not an unsigned executable downloaded from an unknown website.

This trust path changes defender assumptions. A valid Store signature should be treated as a distribution and integrity signal. It should not be treated as proof that runtime behavior is benign. In STORESOCKS, the package structure is valid, the application is functional, and the malicious behavior is embedded inside the packaged application.

Microsoft Store signing chain for a STORESOCKS MSIX package.
Microsoft Store signing chain for a STORESOCKS MSIX package.

An MSIX package is a structured application archive. It contains the application files, identity metadata, declared capabilities, integrity metadata, and signature data. In STORESOCKS, the relevant files are the manifest, the Store signature, the Electron application directory, the Electron archive, the unpacked Node modules, and the native payload DLL.

MSIX package structure showing the manifest, Store signature, Electron resources, and bundled payload DLL.
MSIX package structure showing the manifest, Store signature, Electron resources, and bundled payload DLL.

MSIX Persistence

STORESOCKS uses MSIX-native persistence. The AppxManifest.xml declares a windows.startupTask extension that points to the packaged application executable and passes the -start argument.

<uap5:Extension Category="windows.startupTask" Executable="app/<Application>.exe" EntryPoint="Windows.FullTrustApplication" uap10:Parameters="-start">
  <uap5:StartupTask TaskId="<Application>AutoRun" DisplayName="<Application>" Enabled="true"/>
</uap5:Extension>

When launched normally, the application loads the DLL and opens the visible utility interface. When launched through the startup task at logon, it loads the same DLL but returns before creating the user interface. The result is headless execution without a visible window.

The observed packages also request internetClient and runFullTrust. The first is expected for many network-aware applications. The second allows the packaged desktop application to run with broader Win32 functionality. For defenders, the important point is that persistence is declared inside the packaged application model.

AppxManifest showing internetClient, runFullTrust, and windows.startupTask with -start.
AppxManifest showing internetClient, runFullTrust, and windows.startupTask with -start.

Electron Loader

The Store apps use Electron for the visible utility interface. The loader code sits inside app\resources\app.asar and uses Node FFI to call the bundled Go DLL.

ASAR is Electron’s application archive format. It is not encryption and it is not a security boundary. In STORESOCKS, unpacking app.asar exposes the JavaScript loader, helper configuration, payload filename references, and the call path into the native DLL.

Electron package layout showing app.asar, app.asar.unpacked, the ffi-rs Node module, and packaged application files.
Electron package layout showing app.asar, app.asar.unpacked, the ffi-rs Node module, and packaged application files.

Earlier STORESOCKS Store waves used koffi. The live June 2026 wave uses the package @yuuang/ffi-rs, which the loader imports as ffi-rs. Both are Node Foreign Function Interface libraries, which let JavaScript call exported functions from native libraries such as DLLs. In STORESOCKS, the FFI library is the bridge between the Electron application and the Go backconnect proxy DLL.

The Store application loads the FFI module from the unpacked Node module directory, opens the bundled native DLL from the application directory, and calls the DLL export used to start the proxy.

JavaScript loader code that opens the native payload DLL and prepares the exported Start call.
JavaScript loader code that opens the native payload DLL and prepares the exported Start call.

The loader calls a single exported function named Start. The important argument is a string that behaves like command-line configuration. It contains the Store-specific user_id and, in the live wave, the helper registration URLs.

-user_id=microsoft_store_AutoClicker_9PGM15TVJKNT_jun5_2026
-helper-urls=https://storetelemetryapi.xyz/register,https://gate1.storetelemetryapiapps.XYZ/register

The user_id embeds the Store product ID and campaign tag. This gives the backend an install attribution mechanism by application, seller account, and wave. The helper URLs identify the first registration endpoints used by the proxy after startup.

Live-wave helper configuration showing Store product attribution, helper registration URLs, telemetry.dll, and @yuuang/ffi-rs loading.
Live-wave helper configuration showing Store product attribution, helper registration URLs, telemetry.dll, and @yuuang/ffi-rs loading.

The loader checks for the DLL before calling it. In observed builds, this allows the application path to continue without an obvious user-facing failure if the native payload is absent.

The Go Backconnect Proxy

The native payload is a Go DLL loaded by the Electron application through Node FFI. The loader calls the exported Start function and passes a configuration string containing the Store user_id, optional helper-urls, and host identifier settings. Earlier Store packages used client.dll. The live June 2026 packages use telemetry.dll or lib3Z7.dll.

The DLL parses the loader arguments, builds a host identifier, registers with helper infrastructure, then loops over a list of session handlers until it can establish relay connectivity.

Relay loop in client.dll attempting to connect back to configured session handlers.
Relay loop in client.dll attempting to connect back to configured session handlers.

Earlier client.dll builds expose the original Go module layout, including the server module and server/src/cmd/backconnect_dll command path. This identifies the build family, while the code path confirms the role: helper registration, polling, relay connection, stream setup, TCP proxying, UDP proxying, and teardown.

mylabubus.shop helper reference recovered from client.dll.
mylabubus.shop helper reference recovered from client.dll.

The helper infrastructure is configured by the loader and embedded campaign settings. In the earlier Store wave, the payload references mylabubus.shop helper infrastructure. The user_id string includes the Store application identity, allowing the backend to separate installs by app, product ID, and campaign wave.

Lightshot Store campaign identifier embedded in client.dll.
Lightshot Store campaign identifier embedded in client.dll.

The victim does not expose an inbound listener. After helper registration, the DLL waits for relay instructions and then opens outbound relay sessions. Earlier client.dll samples use TLS with yamux multiplexing, allowing multiple proxy streams over one outbound connection.

Each stream is dispatched as TCP or UDP. Target addressing follows SOCKS5-style address types: 0x01 for IPv4, 0x03 for domain names, and 0x04 for IPv6. The DLL resolves the requested destination and bridges traffic between the relay stream and the target. UDP handling includes flow accounting for target, local socket, packet count, byte count, keepalive state, duration, and errors.

The live June 2026 payloads changed packaging, not purpose. telemetry.dll and lib3Z7.dll are about 68 MB and are wrapped in a larger Go build associated with gogs.io/gogs. The live builds retain the same loader entry point, host identification dependency, helper registration model, and TCP and UDP proxy behavior. This makes source-path-only rules and small-file assumptions unreliable.

Operational Impact of a Proxy Infection

STORESOCKS does not need to steal local data to create impact. Once activated, the host can become egress infrastructure for third-party traffic. Teams should review outbound activity from installation through removal, identify helper or relay contact, and check whether unusual third-party egress followed activation. Abuse reports or suspicious activity may point back to the victim organization because traffic can exit through the infected host.

Attribution

Hexastrike tracks STORESOCKS as an unattributed proxy-botnet operation. We do not link this activity to a named actor or APT group.

The evidence points to infrastructure monetization rather than targeted intrusion. The campaign uses broad utility themes, disposable Store seller accounts, Store product IDs inside user_id values, and a payload built to enroll hosts as TCP and UDP proxy nodes. Those traits are consistent with residential proxy or relay-access monetization.

The campaign relies on integration of trusted distribution, functional decoys, startup persistence, native loading, and proxy enrollment.

Detection Opportunities

STORESOCKS should be detected through correlation across installation, persistence, runtime, and network activity. A single Store install, Electron app, desktop shortcut, or DLL name is not enough.

Store Installation and Persistence

Prioritize review of newly installed Store utility applications when the installation is followed by package-created startup behavior or automatic execution after logon.

Relevant detection logic:

  • New Store utility application installed from an unfamiliar publisher.
  • Utility categories matching the campaign pattern, including cleaners, recorders, screenshot tools, disk analyzers, memory tools, and auto-clickers.
  • Package-declared startup task or other Store package startup registration.
  • Startup execution that occurs shortly after installation.
  • Store application requesting full-trust desktop execution and also declaring startup behavior.

Desktop shortcut creation is install-time context only. It should not be treated as a STORESOCKS indicator without startup, runtime, or network correlation.

Runtime Behavior

Prioritize Store utility processes that combine automatic startup with native code loading.

Relevant detection logic:

  • Store application process launched from C:\Program Files\WindowsApps\ at logon.
  • Store application startup execution with the -start argument.
  • Store utility process loading a bundled native DLL from its own package directory.
  • Store utility process loading known STORESOCKS payload names such as client.dlltelemetry.dll, or lib3Z7.dll.
  • Electron-based Store utility using JavaScript-to-native loading through a Node FFI bridge.
  • Store utility running headless at startup but presenting a normal interface when opened manually.

The analytic should tie these events to the same package or process tree. The strongest endpoint pattern is Store startup execution followed by native DLL loading from the packaged application directory.

Network and Proxy Activity

Known STORESOCKS domains and IP addresses should be blocked and used for scoping. They are useful for containment and retrospective search, but the actor has rotated infrastructure across waves.

Relevant detection logic:

  • DNS requests or outbound connections to known STORESOCKS helper or relay infrastructure.
  • Store utility process contacting helper or registration infrastructure shortly after installation or logon.
  • Outbound /register-style traffic from a Store application process.
  • Periodic helper communication from the same Store application process after initial registration.
  • Long-lived outbound sessions from a Store utility process to relay infrastructure.
  • Unusual third-party outbound traffic from the host after helper or relay contact.

The process context matters. Traffic to known infrastructure is higher priority when it originates from a Store utility process that also has startup behavior and native DLL loading.

Hardening and Mitigation Guidance

Store Application Control

Apply the following controls where business requirements allow:

  • Restrict Microsoft Store installations to approved applications.
  • Require review for utility apps from unfamiliar publishers.
  • Block or review Store apps that combine full-trust desktop execution with startup behavior.
  • Treat Store apps as managed software inventory, not as user preference.
  • Review Store utility apps before deployment to developer workstations, shared systems, executive endpoints, and hosts with valuable egress.

Startup and Package Governance

Apply the following controls:

  • Inventory package-declared startup tasks, not only Run keys, services, and scheduled tasks.
  • Review Store apps that start automatically after logon.
  • Review Store apps that launch headless or without clear user interaction.
  • Include C:\Program Files\WindowsApps\ in endpoint visibility and hunting coverage.
  • Preserve package contents, manifest, Electron archive, native DLLs, and endpoint telemetry before removal when investigation is required.

Network Containment and Exposure Review

For confirmed or suspected STORESOCKS hosts:

  • Block known STORESOCKS domains and IP addresses at DNS, proxy, firewall, and EDR layers.
  • Remove the affected Store package.
  • Verify that package-created startup behavior is removed.
  • Review outbound traffic from installation time through removal time.
  • Identify whether the host contacted helper or relay infrastructure.
  • Review unusual third-party egress after helper contact because the host may have been used as a proxy node.
  • Check whether abuse reports, account blocks, fraud alerts, or suspicious service access align with the host’s public IP during the exposure window.
  • Hunt for related non-Store EXE and DLL builds outside C:\Program Files\WindowsApps\ when the host shows STORESOCKS network activity.

Conclusion

STORESOCKS shows how a commodity proxy operation can abuse a trusted software distribution channel without relying on a visibly suspicious installer. The campaign uses working utility applications, Microsoft Store packaging, MSIX-native startup behavior, Node FFI loading, and a Go backconnect proxy hidden behind familiar desktop tools.

The live June 2026 wave demonstrates active development. The actor changed seller accounts, renamed payloads, switched loader libraries, moved infrastructure, inflated payload size, and re-hosted the proxy module inside a larger Gogs-based Go build while preserving the same core operational model. Earlier takedowns did not end the campaign.

Effective defense requires more than blocking domains or searching for one DLL name. The durable detection is the chain: Store-delivered MSIX utility, Electron runtime, Node FFI bridge, native Go DLL, startup task with headless behavior, helper registration, and relay proxying. Organizations that allow Microsoft Store applications should include Store package inspection, startup task review, and WindowsApps telemetry in their endpoint security program.

MITRE ATT&CK Mapping

TacticIDTechniqueSTORESOCKS
Resource DevelopmentT1583.001Acquire Infrastructure: DomainsActor-controlled domains were used for helper and relay infrastructure.
Initial AccessT1195.002Supply Chain Compromise: Compromise Software Supply ChainThe actor delivered trojanized utility software through a trusted Store distribution channel rather than an unsigned external installer.
ExecutionT1204.002User Execution: Malicious FileUsers installed and launched trojanized Store applications.
ExecutionT1106Native APINode FFI called native DLL exports from the Electron application.
PersistenceT1547Boot or Logon Autostart ExecutionMSIX windows.startupTask launched the application with -start at logon.
Defense EvasionT1036.005Masquerading: Match Legitimate Name or LocationApplications impersonated common utility tools and used plausible Store branding.
Defense EvasionT1027Obfuscated Files or InformationLive payloads were renamed, size-inflated, and re-hosted inside a larger Gogs build to obscure provenance.
DiscoveryT1082System Information DiscoveryThe implant registered machine ID and build metadata with helper infrastructure.
Command and ControlT1071.001Application Layer Protocol: Web ProtocolsHTTPS was used for helper registration and ping communication.
Command and ControlT1573.002Encrypted Channel: Asymmetric CryptographyTLS was used for relay sessions in analyzed earlier samples.
Command and ControlT1090ProxyThe victim host was used as a TCP and UDP proxy node through relay infrastructure.

Indicators of Compromise

Note: First Seen and Last Seen values reflect Hexastrike’s observation window for each indicator and do not necessarily represent creation date, registration date, first malicious use, or the full period of operator control. For removed Store applications, Last Seen indicates the date the removed or unavailable status was observed, not the last date the application was live.

CategoryTypeValueCommentFirst SeenLast Seen
Store applicationproduct ID9PKWPPBH5M6DMemory Cleaner Plus, PersonalUtilities2026-06-272026-06-27
Store applicationproduct ID9PGM15TVJKNTAuto Clicker – Fast, PersonalUtilities2026-06-272026-06-27
Store applicationproduct ID9P7502ZPX6V4Memory Cleaner℠, SOFTWARE MARKETPLACE2026-06-272026-06-27
Store applicationproduct ID9PG13ZP1R035Auto Clicker⁺, SOFTWARE MARKETPLACE2026-06-272026-06-27
Store applicationproduct ID9MW9HR27K9B9WinDirStat, PeakTools2026-04-072026-06-27
Store applicationproduct ID9NJXJTN15CV2ScreenRecorder, PeakTools2026-05-042026-06-27
Store applicationproduct ID9NTC2KMZMGNDLightshot or Screenshot Tool, HobbyApps2026-04-072026-06-27
Store applicationproduct ID9NRXPZDL2K0JCluster-linked product ID2026-06-27
Store publisherstore hash37q3eh6e1w8j0PersonalUtilities2026-06-272026-06-27
Store publisherstore hash3z7eh2g3cf7qgSOFTWARE MARKETPLACE2026-06-272026-06-27
Store publisherstore hashjbr3b8129hcppPeakTools2026-04-072026-06-27
Store publisherstore hash6b1d5ygjy0x60HobbyApps2026-04-072026-06-27
Store publisherstore hash48fm0y264fyxmNikiaFraizer2026-05-062026-06-27
Network activitydomainstoretelemetryapi.xyzLive June 2026 helper infrastructure2026-06-272026-06-27
Network activitydomainstoretelemetryapiapps.xyzLive June 2026 helper-related infrastructure2026-06-272026-06-27
Network activitydomaingate1.storetelemetryapiapps.xyzLive June 2026 helper registration endpoint2026-06-272026-06-27
Network activitydomaintelemetrystoreapi1.xyzLive June 2026 helper infrastructure2026-06-272026-06-27
Network activitydomainapi1.mylabubus.shopStore wave 1 helper infrastructure2026-03-052026-06-27
Network activitydomainapi2.mylabubus.shopStore wave 1 helper infrastructure2026-03-052026-06-27
Network activitydomainmylabubus.shopStore wave 1 infrastructure2026-03-052026-06-27
Network activitydomainapi1.checkupdatesnow.xyzStore wave 2 helper infrastructure2026-05-032026-06-27
Network activitydomainapi2.checkupdatesnow.xyzStore wave 2 helper infrastructure2026-05-032026-06-27
Network activitydomainhelper.labubusmarket.com2025 helper infrastructure2025-10-182026-06-27
Network activitydomainrelay.labubusmarket.com2025 relay infrastructure2025-10-182026-06-27
Network activityIP address2.26.26.139Live June 2026 helper infrastructure2026-06-272026-06-27
Network activityIP address147.45.221.28checkupdatesnow.xyz infrastructure2026-05-032026-06-27
Network activityIP address147.45.221.29mylabubus.shop infrastructure2026-03-052026-06-27
Network activityIP address185.218.137.62relay.labubusmarket.com infrastructure2025-10-182026-06-27
Network activityIP address178.250.187.243helper.labubusmarket.com infrastructure2025-10-182026-06-27
Network activityIP address144.124.254.145Earlier campaign infrastructure2026-03-052026-06-27
Network activityIP address89.124.124.112Earlier campaign infrastructure2026-03-052026-06-27
Network activityIP address146.103.110.251Earlier campaign infrastructure2025-10-182026-06-27
Network activityIP address91.84.106.129Related mylabubus.shop infrastructure2026-03-052026-06-27
MalwareSHA-25609049e365c86e0bc6192fb1601d0fbe6bf2235f9f3e26ea1c83e26f41d041530client.dll, older Store wave payload2026-03-052026-06-27
MalwareSHA-25627870854b9e85265e21d06a4b9e696093c1558c1480e36a42540943d66f7a3ecclient.dll, May 2026 x86 payload2026-05-032026-06-27
MalwareSHA-25654a79692f3406c9fdf5ad4d090e6593a8906fcd6620c1ecf2f22c7390b577b78client.dll, May 2026 x64 payload2026-05-032026-06-27
MalwareSHA-25694182f6ad0ed5e1f02ffe646d5cef1ad161de43924656000478e1359de230438telemetry.dll, Memory Cleaner build2026-06-272026-06-27
MalwareSHA-256a094293b06e43060eb93d31237a931d26756df18f7e0ec5f2b762d7672bb08c6telemetry.dll, Auto Clicker build2026-06-272026-06-27
MalwareSHA-2569ce75ad965ab67de4db57f41340bd4acef232d0401da18e0652f34612ce2c8b3lib3Z7.dll, SOFTWARE MARKETPLACE packages2026-06-272026-06-27
Malwarefilenameclient.dllEarlier STORESOCKS payload name2025-10-182026-06-27
Malwarefilenametelemetry.dllLive PersonalUtilities payload name2026-06-272026-06-27
Malwarefilenamelib3Z7.dllLive SOFTWARE MARKETPLACE payload name2026-06-272026-06-27

Table of Contents

About the author
Maurice Fielenbach

Maurice has spent over 10 years in cybersecurity, leading digital forensics and incident response, threat intelligence, and threat hunting. He has managed major security incidents across industries and works more than 100 cases per year. He trains security teams in digital forensics, malware analysis, and threat hunting, and is a regular speaker at industry events. His research has been featured in The Hacker News, Cybersecurity News, and Cryptika.

Training built from real incidents. Sharpening the defenders who matter.