{"id":51227,"date":"2023-03-29T00:00:00","date_gmt":"2023-03-29T00:00:00","guid":{"rendered":"urn:uuid:0025618b-c103-692a-2ac3-fac962d4c7ba"},"modified":"2023-03-29T00:00:00","modified_gmt":"2023-03-29T00:00:00","slug":"new-opcjacker-malware-distributed-via-fake-vpn-malvertising","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/","title":{"rendered":"New OpcJacker Malware Distributed via Fake VPN Malvertising"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/opcjacker-641.png\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.516593092703\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"604731881\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9.76\">\n<div class=\"article-details\" role=\"heading\" readability=\"39.04\"> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">We discovered a new malware, which we named \u201cOpcJacker\u201d (due to its opcode configuration design and its cryptocurrency hijacking ability), that has been distributed in the wild since the second half of 2022.<\/p>\n<p class=\"article-details__author-by\">By: Jaromir Horejsi, Joseph C Chen <time class=\"article-details__date\">March 29, 2023<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"39\">\n<div readability=\"23\">\n<p>We discovered a new malware, which we named \u201cOpcJacker\u201d (due to its opcode configuration design and its cryptocurrency hijacking ability), that has been distributed in the wild since the second half of 2022. OpcJacker is an interesting piece of malware, since its configuration file uses a custom file format to define the stealer\u2019s behavior. 
Specifically, the format resembles custom virtual machine code, where numeric hexadecimal identifiers present in the configuration file make the stealer run desired functions. The purpose of using such a design is likely to make understanding and analyzing the malware\u2019s code flow more difficult for researchers.<\/p>\n<p>OpcJacker\u2019s main functions include keylogging, taking screenshots, stealing sensitive data from browsers, loading additional modules, and replacing cryptocurrency addresses in the clipboard for hijacking purposes.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"63a97d\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-1.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-1.png\" alt=\"Figure 1. The OpcJacker infection chain\"> <\/a><figcaption>Figure 1. The OpcJacker infection chain<\/figcaption><\/figure>\n<\/p><\/div>\n<div readability=\"8.9379762438368\">\n<div class=\"richText\" readability=\"50.060906515581\">\n<div readability=\"46.134560906516\">\n<p>We\u2019ve observed OpcJacker being distributed via different campaigns that involve the malware being disguised as cryptocurrency-related applications and other legitimate software, which the threat actors distribute through fake websites. In the latest (February 2023) campaign involving OpcJacker, the infection chain began with malvertisements that were geofenced to users in Iran. 
The malvertisements were disguised as a legitimate VPN service and tricked victims into downloading an archive file containing OpcJacker.<\/p>\n<p>The malware is loaded by patching a legitimate DLL library within an installed application so that it loads another, malicious DLL library. This DLL library then assembles shellcode (the loader and runner of another malicious executable) and OpcJacker itself from chunks of data stored in data files of various formats, such as Waveform Audio File Format (WAV) and Microsoft Compiled HTML Help (CHM), and runs them. This loader has been in use for over a year since it was <a href=\"https:\/\/blog.morphisec.com\/the-babadeda-crypter-targeting-crypto-nft-defi-communities\">previously described<\/a> and named the Babadeda crypter. The threat actor behind the campaign made a few changes to the crypter itself, then added a completely new payload (a stealer\/clipper\/keylogger).<\/p>\n<p>We noticed that OpcJacker mostly drops (or downloads) and runs additional modules, which are remote access tools: either the <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.netsupportmanager_rat\">NetSupport RAT<\/a> or a hidden virtual network computing (<a href=\"https:\/\/www.malwaretech.com\/2015\/09\/hidden-vnc-for-beginners.html\">hVNC<\/a>) variant. We also found a report describing a loader called \u201c<a href=\"https:\/\/labs.k7computing.com\/index.php\/phobos-ransomware-found-to-be-using-dll-side-loading\/\">Phobos Crypter<\/a>\u201d (which is actually the same malware as OpcJacker) being used to load the Phobos ransomware.<\/p>\n<p>As mentioned in the introduction, we observed OpcJacker being distributed through several different campaigns that usually involve fake websites advertising seemingly legitimate software and cryptocurrency-related applications but actually hosting malware. Because these campaigns also deliver several other malware families in addition to OpcJacker, we believe they are most likely separate pay-per-install services used by OpcJacker\u2019s operators.<\/p>\n<p>In the latest campaign from February 2023, we noticed OpcJacker being distributed via malvertisements geotargeting Iran. These malvertisements linked to a malicious website disguised as the website of a legitimate VPN product. The site\u2019s content was copied from the website of a legitimate commercial VPN service; however, the links were modified to point to a compromised website hosting malicious content.<\/p>\n<p>The malicious website checks the client\u2019s IP address to determine whether the visitor is using a VPN service. If the IP address does not belong to a VPN service, the site redirects the visitor to a second compromised website that lures them into downloading an archive file containing OpcJacker. Note that the attack does not proceed if the intended victim is using a VPN service.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"7aa1fc\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-2.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-2.png\" alt=\"Figure 2. An example of a malvertisement designed to deliver OpcJacker\"> <\/a><figcaption>Figure 2. 
An example of a malvertisement designed to deliver OpcJacker<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38.490286298569\">\n<div readability=\"23.386503067485\">\n<p>Furthermore, we also found a number of <a href=\"https:\/\/en.wikipedia.org\/wiki\/Optical_disc_image\">ISO images<\/a> and RAR\/ZIP archives containing modified installers of various software packages, all of which lead to the loading of OpcJacker. These installers, which had previously been used by other campaigns, were hosted on various compromised WordPress-powered websites or on software development platforms such as GitHub. A possible reason why threat actors favor ISO files is to bypass <a href=\"https:\/\/redcanary.com\/blog\/iso-files\/\">Mark-of-the-Web<\/a> warnings.<\/p>\n<p>The following are some of the file names we found:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">CLF_security.iso<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Cloudflare_security_setup.iso<\/span><\/li>\n<li><span class=\"rte-red-bullet\">GoldenDict-1.5.0-RC2-372-gc3ff15f-Install.zip<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSI_Afterburner.iso<\/span><\/li>\n<li><span class=\"rte-red-bullet\">tigervnc64-winvnc-1.12.0.rar<\/span><\/li>\n<li><span class=\"rte-red-bullet\">TradingViewDesktop.zip<\/span><\/li>\n<li><span class=\"rte-red-bullet\">XDag.x64.rar<\/span><\/li>\n<\/ul>\n<p>Note that the file names mentioned in this section often change between installers. However, their overall functions remain the same.<\/p>\n<p>After the installer drops all the necessary files, it loads the main executable file (<i>RawDigger.exe<\/i>), which is a clean, legitimate file.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"44c6e7\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-3.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-3.png\" alt=\"Figure 3. A list of files dropped by the installer; while most of them are clean legitimate files, some are patched or malicious files\"> <\/a><figcaption>Figure 3. A list of files dropped by the installer; while most of them are clean legitimate files, some are patched or malicious files<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>The executable loads a DLL library (<i>librawf.dll<\/i>) whose imports have been patched.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"cc71c4\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-4.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-4.png\" alt=\"Figure 4. A list of imported DLL libraries; the highlighted library was patched to load another malicious DLL library\"> <\/a><figcaption>Figure 4. 
A list of imported DLL libraries; the highlighted library was patched to load another malicious DLL library<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>The import address table of the patched DLL (<i>librawf.dll<\/i>, which belongs to RawDigger, a legitimate raw image analyzer) was further patched to include two additional DLL libraries. In the figure below, notice that the FirstThunk addresses of the newly added libraries start with 001Dxxxx, whereas the FirstThunk addresses of the original libraries start with 0012xxxx; this gap is an easy way to spot import entries that were appended to the original import data.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"3ddc5c\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-5.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-5.png\" alt=\"Figure 5. A patched import address table\"> <\/a><figcaption>Figure 5. A patched import address table<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The highlighted library in Figure 5 (<i>libpushpp.dll<\/i>) is then loaded and executed. Its main task is to open one of the data files (<i>hm<\/i>) and load the first stage shellcode stored inside it.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"e9931f\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-6.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-6.png\" alt=\"Figure 6. Malicious library opening a data file\"> <\/a><figcaption>Figure 6. Malicious library opening a data file<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>The offset and size of the first stage shellcode are hardcoded in the DLL library.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"38b8e7\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-7.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-7.png\" alt=\"Figure 7. Malicious library copying the first stage shellcode from offset 0x37D50; the size of the shellcode is 0x75A bytes\"> <\/a><figcaption>Figure 7. 
Malicious library copying the first stage shellcode from offset 0x37D50; the size of the shellcode is 0x75A bytes<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>In newer versions of the Babadeda crypter, another DLL library (<i>mdb.dll<\/i>, from the fake VPN installer) is loaded into memory, after which a hardcoded, randomly selected block of memory is overwritten with the first stage shellcode. Note that this change is just a small detail and has no influence on the first stage shellcode\u2019s overall function.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"4a3976\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-8.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-8.png\" alt=\"Figure 8. The legitimate library (mdb.dll) is loaded into memory, after which the first stage shellcode (0x7B5 bytes) is copied into the library\u2019s memory space\"> <\/a><figcaption>Figure 8. The legitimate library (mdb.dll) is loaded into memory, after which the first stage shellcode (0x7B5 bytes) is copied into the library\u2019s memory space<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>There is a configuration table containing offsets of encrypted chunks followed by their respective sizes at the end of the first stage shellcode. 
The first stage shellcode then decrypts and combines all the chunks to form the second stage shellcode (a loader) and the main malware (OpcJacker, which can load additional malicious modules).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"5c2440\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-9.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-9.png\" alt=\"Figure 9. Configuration table of the first stage shellcode\"> <\/a><figcaption>Figure 9. Configuration table of the first stage shellcode<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.893805309735\">\n<div readability=\"21.082174462705\">\n<p>The configuration table starts with at least eight copies of the same character (the red colored \u201c*\u201d in Figure 9; other samples may use a different character), followed by the total length of the data file (green; the length of <i>hm<\/i> is 0x1775e0 = 1537504 bytes), the encryption key (yellow; 0x18), the number of chunks in the second stage shellcode (brown; 0x07), and finally the number of chunks in the main malware (white; 0x08). The 0x07 entries (red bracket) and the 0x08 entries (blue bracket) together form a list of fifteen (offset, size) pairs, one per chunk. A useful sanity check when parsing such a table is that every offset plus its size must fall within the total data file length recorded in the header.<\/p>\n<p>At the beginning of the data file (<i>hm<\/i>), we can see a <a href=\"https:\/\/docs.fileformat.com\/audio\/wav\/\">WAV file header<\/a>, since the file mimics the <a href=\"https:\/\/docs.fileformat.com\/audio\/wav\/\">WAVE file format<\/a>. 
Note that the data file can be a different file format, since we also observed CHM being used.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"b3381f\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-10.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-10.png\" alt=\"Figure 10. Data file that starts with a WAV header\"> <\/a><figcaption>Figure 10. Data file that starts with a WAV header<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38\">\n<div readability=\"21\">\n<p><span class=\"body-subhead-title\">Main stealer component (OpcJacker)<\/span><\/p>\n<p>The main malware component (OpcJacker) is an interesting stealer that first decrypts and loads its configuration file. 
The configuration file format resembles bytecode written in a custom machine language: each instruction is parsed, its opcodes are extracted, and the corresponding handler is executed.<\/p>\n<p>When analyzing the custom bytecode, we noticed the following patterns:<\/p>\n<p>ASCII strings are encoded as 01 xx xx xx xx &lt;string bytes&gt;, where xx xx xx xx is the length of the string.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"4b3b91\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-11.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-11.png\" alt=\"Figure 11. Encoded ASCII string inside the configuration file\"> <\/a><figcaption>Figure 11. Encoded ASCII string inside the configuration file<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"29.030927835052\">\n<div readability=\"8.1649484536082\">\n<p>Similarly, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Wide_character\">wide character<\/a> strings start with the byte 02, while binary arrays start with the byte 03.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"6670ab\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-12.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-12.png\" alt=\"Figure 12. Encoded UNICODE string inside the configuration file\"> <\/a><figcaption>Figure 12. Encoded UNICODE string inside the configuration file<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"9dc964\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-13.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-13.png\" alt=\"Figure 13. Encoded binary array inside the configuration file\"> <\/a><figcaption>Figure 13. Encoded binary array inside the configuration file<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"41.5\">\n<div readability=\"28\">\n<p>The configuration file is a sequence of instructions, each of which starts with three 4-byte little-endian (DWORD) values. The first is the virtual program counter, the second is likely the parent instruction\u2019s virtual program counter, and the third is the handler ID (the code to be executed in the virtual machine); these are followed by data bytes or additional handler IDs.<\/p>\n<p>Based on these observations, we wrote an instruction parser, which produced the output shown below. Although our understanding of the virtual machine\u2019s internal implementation was incomplete, the parser gave us a good picture of the behavior defined in the configuration file.<\/p>\n<p>The decrypted and decoded configuration file starts with the initialization of certain system variables, with \u201c<i>test<\/i>\u201d and \u201c<i>rik<\/i>\u201d likely being campaign IDs. The configuration file dropped by SHA256 c5b499e886d8e86d0d85d0f73bc760516e7476442d3def2feeade417926f04a5 contains different keywords, \u201c<i>test<\/i>\u201d and \u201c<i>ilk<\/i>,\u201d as campaign IDs. 
Meanwhile, the configuration file dropped by the latest campaign from February 2023 (SHA256 565EA7469F9769DD05C925A3F3EF9A2F9756FF1F35FD154107786BFC63703B52) contains the keywords \u201c<i>test_installs<\/i>\u201d and \u201c<i>yorik<\/i>.\u201d<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"413ded\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-14.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-14.png\" alt=\"Figure 14. Initialization commands\"> <\/a><figcaption>Figure 14. Initialization commands<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>The initialization of the clipboard replacement (clipping) functionality follows.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"fc9101\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-15.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-15.png\" alt=\"Figure 15. Clipboard replacer (clipper) initialization\"> <\/a><figcaption>Figure 15. Clipboard replacer (clipper) initialization<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Later, the variable \u201c<i>exe<\/i>\u201d is initialized with the bytes of an executable file (note the 4d 5a 90 bytes, the MZ marker of a PE file). This executable is a remote access tool.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"fe65a0\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-16.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-16.png\" alt=\"Figure 16. The embedded module (PE EXE format)\"> <\/a><figcaption>Figure 16. The embedded module (PE EXE format)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The malware sets up persistence via registry Run keys and the task scheduler. Note the <i>$itself_exe<\/i> variable, which holds the file name of the current process.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"13e985\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-17.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-17.png\" alt=\"Figure 17. Method for setting persistence\"> <\/a><figcaption>Figure 17. 
Method for setting persistence<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>The malware then starts the clipper function, that is, it monitors the clipboard for cryptocurrency addresses and replaces them with its own cryptocurrency addresses controlled by the attackers.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"0bc836\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-18.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-18.png\" alt=\"Figure 18. The clipper function\"> <\/a><figcaption>Figure 18. The clipper function<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>Finally, the <i>virtual_launch_exe<\/i> function runs the previously embedded executable, which we observed to be RATs, either the NetSupport RAT, the NetSupport RAT downloader, or hVNC.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"d27b6a\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-19.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-19.png\" alt=\"Figure 19. Function to run the embedded executable file\"> <\/a><figcaption>Figure 19. 
Function to run the embedded executable file<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p>As can be observed in the third column (or decoded \u201ccommand\u201d variable) in a few of the previous screenshots, the virtual machine implements numerous internal handlers. Most of these are related to various data manipulations. We list a few of the notable handlers that have specific high-level functionalities in Table 1. The functions the stealer implements include the following: clipping (clipboard content replacement), keylogging, file execution and listing, killing processes, stealing chromium credentials, detecting idleness, and detecting virtual machines. However, during our testing scenarios, we observed the stealer mostly just sets the persistence and delivers additional modules (remote access tools).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"1\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"25.5\">\n<tr>\n<th scope=\"col\">Handler ID<\/th>\n<th scope=\"col\">Function<\/th>\n<\/tr>\n<tr readability=\"2\">\n<td>0x3E9<\/td>\n<td>Used for persistence (registry; HKCU)<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0x3EA<\/td>\n<td>Used for persistence (registry; HKLM)<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0x3EB<\/td>\n<td>Used for persistence (startup folder)<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0x3EC;0x3ED<\/td>\n<td>Used for persistence (task scheduler)<\/td>\n<\/tr>\n<tr>\n<td>0x7d1<\/td>\n<td>Lists files<\/td>\n<\/tr>\n<tr>\n<td>0x579<\/td>\n<td>Starts clipper<\/td>\n<\/tr>\n<tr>\n<td>0x57A<\/td>\n<td>Stops clipper<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0x12d<\/td>\n<td>Puts the machine into sleep mode<\/td>\n<\/tr>\n<tr>\n<td>0x385<\/td>\n<td>Terminates process<\/td>\n<\/tr>\n<tr>\n<td>0x387<\/td>\n<td>Exits process<\/td>\n<\/tr>\n<tr>\n<td>0x388; 0x38B<\/td>\n<td>Runs 
PE executable<\/td>\n<\/tr>\n<tr>\n<td>0x389<\/td>\n<td>Runs shellcode<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0x38A<\/td>\n<td>Runs PE executable export routine<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0x76D<\/td>\n<td>Gets current committed memory limit (ullTotalPageFile)<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0x76E<\/td>\n<td>Gets the amount of actual physical memory (ullTotalPhys)<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0x641<\/td>\n<td>Steals sensitive data from Chromium<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0x259<\/td>\n<td>Checks if the machine is idle and if the cursor is not moving<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0x25B<\/td>\n<td>Checks if the machine is idle and if no new process is being created<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0x25D<\/td>\n<td>Checks if the machine is idle and if no new window is being created<\/td>\n<\/tr>\n<tr>\n<td>0x835<\/td>\n<td>Starts keylogger<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0x836<\/td>\n<td>Starts keylogger for a certain period<\/td>\n<\/tr>\n<tr>\n<td>0x837<\/td>\n<td>Stops keylogger<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0x839<\/td>\n<td>Copies data (likely logs), then returns 0x83a (klogs)<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0x1F5<\/td>\n<td>Detects VMware via CPUID<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0x1f7<\/td>\n<td>Searches for &#8216;virtual&#8217; in SYSTEM\\\\ControlSet001\\\\Services\\\\disk\\\\Enum<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0x83A<\/td>\n<td>Writes file(s) to klogs\/\/<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0x89a<\/td>\n<td>Writes file(s) to screenshots\\\\<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0x596<\/td>\n<td>Writes to clp\\clp_log.txt<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0xf6<\/td>\n<td>Writes file(s) to chromium_creds\\\\<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0xCE<\/td>\n<td>Copies files to filesystem\\\\<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td>0x321<\/td>\n<td>Creates the messagemonitor window used by the clipper<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td>0x322<\/td>\n<td>Destroys the messagemonitor window used by the clipper<\/td>\n<\/tr>\n<tr>\n<td>0x5DC<\/td>\n<td>Gets environment ID<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td>0x5E0<\/td>\n<td>Runs GetModuleFileNameW, which is needed for resolving $itself_exe<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<p><h5>Table 1. Virtual machine command IDs<\/h5>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"845663\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-20.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-20.png\" alt=\"Figure 20. Keylogger-related commands implemented within the stealer\u2019s binary; Command IDs can also be observed in the screenshot (0x835; 0x837; 0x836; 0x839)\"> <\/a><figcaption>Figure 20. Keylogger-related commands implemented within the stealer\u2019s binary; Command IDs can also be observed in the screenshot (0x835; 0x837; 0x836; 0x839)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p>Some embedded modules contain the <i>client32.exe<\/i> (SHA256 <i>18DF68D1581C11130C139FA52ABB74DFD098A9AF698A250645D6A4A65EFCBF2D<\/i> or SHA256 <i>49A568F8AC11173E3A0D76CFF6BC1D4B9BDF2C35C6D8570177422F142DCFDBE3<\/i>) file from the NetSupport RAT. This single file is not enough, however, as the NetSupport tool needs additional DLL libraries and a configuration file. 
Note that these missing files have already been dropped by the modified installer into the installation directory.<\/p>\n<p>For researchers, the most important file is <i>client32.ini<\/i>, which contains settings such as gateway addresses, gateway keys (GSK), and ports.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"ea781f\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-21.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-21.png\" alt=\"Figure 21. The configuration file of NetSupport RAT\"> <\/a><figcaption>Figure 21. The configuration file of NetSupport RAT<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Some embedded modules contain the NetSupport RAT downloader (SHA256 <i>C68096EB0A655924CA840EA1C71F9372AC055F299B52335AD10DDFA835F3633D<\/i>). This downloader decrypts the payload URL, then downloads and executes the payload.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"b0ba0a\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-22.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-22.png\" alt=\"Figure 22. Decrypted downloader\u2019s configuration file, with additional URLs being visible in clear text\"> <\/a><figcaption>Figure 22. 
Decrypted downloader\u2019s configuration file, with additional URLs being visible in clear text<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>The decrypted configuration contains two URLs: the first leads to an archive containing the NetSupport RAT, as in the previous module, while the second leads to a few batch scripts that display messages such as the one seen in Figure 23. Later, one of these batch scripts downloads additional stealers.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"6bfe14\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-23.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-23.png\" alt=\"Figure 23. Decoy message telling the victim to wait for the program to be installed\"> <\/a><figcaption>Figure 23. Decoy message telling the victim to wait for the program to be installed<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>Some embedded modules contain a modified hVNC module (SHA256 <i>F772B652176A6E40012969E05D1C75E3C51A8DB4471245754975678F04DEDAAA<\/i>). 
This module, in addition to standard remote desktop functionality, also contains routines to search for the existence of the following cryptocurrency related Google Chrome, Microsoft Edge, and Mozilla Firefox extensions (wallets):<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"1\" border=\"1\" width=\"100%\">\n<tbody readability=\"32\">\n<tr>\n<th scope=\"col\">Google Chrome extension ID<\/th>\n<th scope=\"col\">Extension name<\/th>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">ffnbelfdoeiohenkjibnmadjiehjhajb&nbsp;<\/td>\n<td width=\"317\">Yoroi<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">ibnejdfjmmkpcnlpebklmnkoeoihofec<\/td>\n<td width=\"317\">TronLink<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">jbdaocneiiinmjbjlgalhcelgbejmnid<\/td>\n<td width=\"317\">Nifty Wallet<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">nkbihfbeogaeaoehlefnkodbefgpgknn<\/td>\n<td width=\"317\">MetaMask<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">afbcbjpbpfadlkmhmclhkeeodmamcflc<\/td>\n<td width=\"317\">Math Wallet<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">hnfanknocfeofbddgcijnmhnfnkdnaad<\/td>\n<td width=\"317\">Coinbase Wallet<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">fhbohimaelbohpjbbldcngcnapndodjp<\/td>\n<td width=\"317\">Binance Wallet<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">odbfpeeihdkbihmopkbjmoonfanlbfcl<\/td>\n<td width=\"317\">Brave Wallet<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">hpglfhgfnhbgpjdenjgmdgoeiappafln<\/td>\n<td width=\"317\">Guarda Wallet<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">blnieiiffboillknjnepogjhkgnoapac<\/td>\n<td width=\"317\">Equall Wallet<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" 
width=\"317\">cjelfplplebdjjenllpjcblmjkfcffne<\/td>\n<td width=\"317\">Jaxx Liberty<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">fihkakfobkmkjojpchpfgcmhfjnmnfpi<\/td>\n<td width=\"317\">BitApp Wallet<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">kncchdigobghenbbaddojjnnaogfppfj<\/td>\n<td width=\"317\">iWallet<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">amkmjjmmflddogmhpjloimipbofnfjih<\/td>\n<td width=\"317\">Wombat<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">fhilaheimglignddkjgofkcbgekhenbh<\/td>\n<td width=\"317\">Oxygen<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">nlbmnnijcnlegkjjpcfjclmcfggfefdm<\/td>\n<td width=\"317\">MyEtherWallet<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">nanjmdknhkinifnkgdcggcfnhdaammmj<\/td>\n<td width=\"317\">GuildWallet<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">nkddgncdjgjfcddamfgcmfnlhccnimig<\/td>\n<td width=\"317\">Saturn Wallet<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">fnjhmkhhmkbjkkabndcnnogagogbneec<\/td>\n<td width=\"317\">Ronin Wallet<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">aiifbnbfobpmeekipheeijimdpnlpgpp<\/td>\n<td width=\"317\">Station Wallet<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">fnnegphlobjdpkhecapkijjdkgcjhkib<\/td>\n<td width=\"317\">Harmony<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">aeachknmefphepccionboohckonoeemg<\/td>\n<td width=\"317\">Coin98<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">cgeeodpfagjceefieflmdfphplkenlfk<\/td>\n<td width=\"317\">EVER Wallet<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">pdadjkfkgcafgbceimcpbkalnfnepbnk<\/td>\n<td width=\"317\">KardiaChain<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" 
width=\"317\">bfnaelmomeimhlpmgjnjophhpkkoljpa<\/td>\n<td width=\"317\">Phantom<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">fhilaheimglignddkjgofkcbgekhenbh<\/td>\n<td width=\"317\">Oxygen<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">mgffkfbidihjpoaomajlbgchddlicgpn<\/td>\n<td width=\"317\">Pali<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">aodkkagnadcbobfpggfnjeongemjbjca<\/td>\n<td width=\"317\">BoltX<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">kpfopkelmapcoipemfendmdcghnegimn<\/td>\n<td width=\"317\">Liquality<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">hmeobnfnfcmdkdcmlblgagmfpfboieaf<\/td>\n<td width=\"317\">XDEFI<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">lpfcbjknijpeeillifnkikgncikgfhdo<\/td>\n<td width=\"317\">Nami<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">dngmlblcodfobpdpecaadgfbcggfjfnm<\/td>\n<td width=\"317\">MultiversX DeFi<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<p><h5>Table 2. 
Targeted Chrome extensions<\/h5>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"1\" border=\"1\" width=\"100%\">\n<tbody readability=\"9\">\n<tr>\n<th scope=\"col\">Microsoft Edge extension ID<\/th>\n<th scope=\"col\">Extension name<\/th>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">akoiaibnepcedcplijmiamnaigbepmcb<\/td>\n<td width=\"317\">Yoroi<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">ejbalbakoplchlghecdalmeeeajnimhm<\/td>\n<td width=\"317\">MetaMask<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">dfeccadlilpndjjohbjdblepmjeahlmm<\/td>\n<td width=\"317\">Math Wallet<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">kjmoohlgokccodicjjfebfomlbljgfhk<\/td>\n<td width=\"317\">Ronin Wallet<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">ajkhoeiiokighlmdnlakpjfoobnjinie<\/td>\n<td width=\"317\">Terra Station<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">fplfipmamcjaknpgnipjeaeeidnjooao<\/td>\n<td width=\"317\">BDLT wallet<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">niihfokdlimbddhfmngnplgfcgpmlido<\/td>\n<td width=\"317\">Glow<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">obffkkagpmohennipjokmpllocnlndac<\/td>\n<td width=\"317\">OneKey<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">kfocnlddfahihoalinnfbnfmopjokmhl<\/td>\n<td width=\"317\">MetaWallet<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<p><h5>Table 3. 
Targeted Edge extensions<\/h5>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"1\" border=\"1\" width=\"100%\">\n<tbody readability=\"11\">\n<tr>\n<th scope=\"col\">Mozilla Firefox extension ID<\/th>\n<th scope=\"col\">Extension name<\/th>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">{530f7c6c-6077-4703-8f71-cb368c663e35}.xpi<\/td>\n<td width=\"317\">Yoroi<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">ronin-wallet@axieinfinity.com.xpi<\/td>\n<td width=\"317\">Ronin Wallet<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">webextension@metamask.io.xpi<\/td>\n<td width=\"317\">MetaMask<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"32\" width=\"317\">{5799d9b6-8343-4c26-9ab6-5d2ad39884ce}.xpi<\/td>\n<td width=\"317\">TronLink<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">{aa812bee-9e92-48ba-9570-5faf0cfe2578}.xpi<\/td>\n<td width=\"317\">&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"30\" width=\"317\">{59ea5f29-6ea9-40b5-83cd-937249b001e1}.xpi<\/td>\n<td width=\"317\">&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"26\" width=\"317\">{d8ddfc2a-97d9-4c60-8b53-5edd299b6674}.xpi<\/td>\n<td width=\"317\">&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"29\" width=\"317\">{7c42eea1-b3e4-4be4-a56f-82a5852b12dc}.xpi<\/td>\n<td width=\"317\">Phantom<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">{b3e96b5f-b5bf-8b48-846b-52f430365e80}.xpi<\/td>\n<td width=\"317\">&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">{eb1fb57b-ca3d-4624-a841-728fdb28455f}.xpi<\/td>\n<td width=\"317\">&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"21\" width=\"317\">{76596e30-ecdb-477a-91fd-c08f2018df1a}.xpi<\/td>\n<td width=\"317\">&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" 
readability=\"32\">\n<p><h5>Table 4. Targeted Firefox extensions<\/h5>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>In the sample we analyzed, command-and-control (C&amp;C) communication starts with the following magic value:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"41f1b2\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-24.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-24.png\" alt=\"Figure 24. HVNC network communication magic\"> <\/a><figcaption>Figure 24. HVNC network communication magic<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The snippet below shows that some values are hardcoded into the executable, while others are derived from MachineGuid or generated randomly. Note the string \u201c7.7\u201d seen in Figure 25, which is likely the modified hVNC version.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"66bbaf\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-25.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/opcjacker-25.png\" alt=\"Figure 25. Code generating hVNC packet magic\"> <\/a><figcaption>Figure 25. 
Code generating hVNC packet magic<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.297695262484\">\n<div readability=\"23.877080665813\">\n<p>It seems that OpcJacker\u2019s operator is motivated by financial gain, since the malware\u2019s primary purpose is stealing cryptocurrency funds from wallets. However, its versatile functions also allow OpcJacker to act as an information stealer or a malware loader, meaning it can be used beyond its original purpose.<\/p>\n<p>The campaign IDs we found in the samples, such as \u201ctest\u201d and \u201ctest_installs\u201d, indicate that OpcJacker could still be in its development and testing stages. Given its unique design combined with a variety of VM-like functionalities, it\u2019s possible that the malware could prove to be popular with threat actors, and therefore could see use in future threat campaigns.<\/p>\n<p>The indicators for this blog entry can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising\/ioc-new-opcJacker-malware-distributed-via-fake-vpn-malvertising.txt\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<\/body>\n","protected":false},"excerpt":{"rendered":"<p>We discovered a new malware, which we named \u201cOpcJacker\u201d (due to its opcode configuration design and its cryptocurrency 
ability), that has been distributed in the wild since the second half of 2022.<\/p>\n","protected":false},"author":2,"featured_media":51228,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9513,9509],"class_list":["post-51227","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-research"]}
\u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/51227","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=51227"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/51227\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/51228"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=51227"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=51227"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=51227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}