Malware is distributed through the Microsoft Store

Η Check Point Research (CPR) has identified new malware that is widely distributed through gaming applications in its official store Microsoft. By name Electron-muzzle, malware can control its victims's social media accounts, including Facebook, Google and Sound Cloud. Malware can register new accounts, log in, comment and do “like”In other posts. THE CPR counts so far 5.000 victims in 20 countries. Η CPR prompts users to immediately delete applications from different publishers. 

  • Popular games like “Temple Run"Or"Subway SurferWere found to be malicious.

  • Attackers can use the installed malware as a backdoor to gain complete control over the victim's machine

  • Most victims come from Sweden, Bermuda, Israel and Spain


Η Check Point Research (CPR) has identified new malware that is widely distributed through its official store Microsoft. With more than 5.000 machines already affected, the malware constantly executes attackers' commands, such as controlling social media accounts on Facebook, The Google and the Sound Cloud. Malware can register new accounts, log in, comment and do “like”In other posts.   

By name Electron-muzzle by CPR, the full capabilities of the malware are as follows:  

  • SEO poisoning, a method of attack in which cybercriminals create malicious websites and use search engine optimization tactics to make them appear prominent in search results. This method is also used as a sale as a service to promote the ranking of other sites.

  • Ad Clicker, A computer infection that runs in the background and is constantly linked to remote sites to generate "clicks" on ads, resulting in financial gain from how many times an ad is clicked.

  • Promotion of social media accounts, As the YouTube and the SoundCloud, to drive traffic to specific content and increase views and advertising clicks to generate profits.

  • Promotion of online products, to generate profits by clicking on ads or increasing the store rating for higher sales.

  OSX / Crisis.B new malware for Mac and Windows

In addition, as its payload Electron-muzzle loaded dynamically, attackers can use the installed malware as backdoor to gain complete control over the victim's machine. 

Distribution through game applications in Microsoft Store

There are dozens of infected applications in her store Microsoft. Popular games like “Temple Run"Or"Subway SurferWere found to be malicious. THE CPR has identified several malicious game providers, where all applications under these providers are associated with the malicious campaign:

  • Lupy games. 

  • Crazy 4 games. 

  • Jeuxjeuxkeux games 

  • akshi games 

  • Goo Games 

  • bison case 


So far, the CPR has counted 5.000 in 20 countries. Most of the victims come from Sweden, Bermuda, Israel and Spain.  

How malware works

The malicious campaign works with the following steps:  

  1. The attack starts with the installation of an application Microsoft Store pretending to be legal. 

  2. After installation, the attacker downloads files and executes scripts 

  3. The downloaded malware becomes resistant to the victim's machine by repeatedly executing various commands sent by the C&C of the attacker

To prevent crawling, most of the malware-controlled scripts are loaded dynamically when executed by attacker's servers.

This allows attackers to modify the payload of malware and change their behavior. bots anytime. Malware uses the framework Electron to mimic human browsing behavior and bypass site protections.

  GoDaddy recalls Lavabit's security certificate when he learns that the FBI has it


There are indications that the malware campaign started in Bulgaria, such as:

  1. All variants between 2019 - 2022 were uploaded to public storage "mediafire.comFrom Bulgaria. 
  2. Account Sound Cloud and the channel YouTube promoting muzzle is with the name “I Ivaylo Yordanov", A popular Bulgarian wrestler / soccer player 
  3. Bulgaria is the country most promoted in the source code


Η CPR reported to Microsoft all game publishers identified and associated with this campaign.

Comment by Daniel Alima, Malware Analyst at Check Point Research: 

"This investigation analyzed a new malware called Electron-Bot which has affected more than 5.000 victims worldwide. The Electron-Bot descends and spreads easily from its official platform Microsoft Store.

The frame Electron provides in applications Electron access to all computer resources, including computers But by the full GPU acceleration tech. As its payload muzzle loaded dynamically at each execution time, attackers can modify the code and change its behavior muzzle at high risk. For example, they can start another second stage and launch new malware like ransomware or one RAT. All this can happen without the victim's knowledge.

Most people think that you can trust app store reviews and do not hesitate to download an app from there. There is an incredible danger with this, as you never know what malicious data you can download ".

Security tips

To be as safe as possible, before downloading an app from the App Store:  

  1. Avoid downloading an application with a small number of reviews 

  2. Look for applications with good, consistent and reliable reviews 

  3. Beware of suspicious application names that are not identical to the original name

Registration in via email

Your email for sending each new post

Follow us on Google News at Google news

Although the press releases will be from very select to rarely, I said to go ... because sometimes the authors are hiding.

Leave a reply

Your email address Will not be published.

  + 6 = 12

Previous Story

TVAddons fee: $ 19.5 million fine

Next Story

Russia - Ukraine which hackers support them?