New Trojan Turns Visual Studio Projects into Software Supply Chain Attack Vectors
In an alarming development in the cybersecurity landscape, a sophisticated Windows Trojan has emerged that compromises software development projects to disseminate a multi-faceted attack vector. This malware, documented by researchers at Doctor Web, has been on the scene since the final quarter of 2025 and has progressively evolved, now specifically targeting C++ and C# development environments.
The modus operandi of this advanced Trojan is notably insidious—by infiltrating Visual Studio project files and essential components utilized during application compilation, it effectively transforms compromised developer workstations into distribution points for malicious content within the software supply chain. This aspect raises significant concerns not only for individual developers but also for organizations relying on these development environments for their software products.
How the Attack Begins
The attack campaign is initiated using trojanized executable files or nefarious Python scripts recognized as Python.Downloader.255. Through this method, attackers embed a global object into the compromised executables that is executed when the application is launched. By employing Process Environment Block walking techniques, the malware is able to resolve Windows APIs, subsequently exploiting the C runtime’s initterm initialization mechanism to conceal a PowerShell downloader capable of fetching further malicious payloads.
Doctor Web has identified the first stage of this malware as Trojan.DownLoader49.35384. Its primary function is to retrieve the next loader stage, Trojan.DownLoader49.35687, facilitating a series of subsequent attacks.
The Multi-Stage Nature of the Malware
Malicious Python files replicate this functionality, featuring encrypted code that utilizes the Fernet algorithm, which is further obscured with excessive whitespace. In this second phase of operation, the malware checks if it has been executed previously or if it exists within sandbox-like environments through a mutex named Global\PFNMX. This meticulous checking ensures that the malware can operate undetected, slipping past various security measures.
During its operation, the malware seeks command-and-control (C2) infrastructure hosted on public platforms, including GitHub and Steam. Researchers have discovered that some Steam accounts contain tracked C2 domains, while other data hosted on GitHub features raw files that store encrypted server addresses protected with multiple layers of security measures—Base64 encoding, XOR encryption, and specific routines involving ZwFlushKey.
Once the downloader downloads payloads, it injects malicious code into one of 41 predefined executables located in the C:\Windows\System32 directory. This not only aids in the stealthy execution of the malware but also facilitates communication of victim identifiers and C2 information.
The third stage, known as BackDoor.Siggen2.5906, establishes persistence by replacing crucial DLLs. This includes modifying Discord’s profapi.dll, DLLs associated with Microsoft Edge, and C:\Windows\omadmapi.dll. Such actions significantly enhance its footprint within a compromised system, enabling broader control over the environment.
Stealing Sensitive Data
Once fully operational, the backdoor is primed to siphon sensitive information such as Discord tokens, browser passwords, cookies, Telegram Desktop data, and files from Exodus cryptocurrency wallets. The malware also demonstrates its capability to inject malicious code into processes running in web browsers, capturing credentials, while further manipulating files associated with cryptocurrency wallets to intercept recovery phrases.
Beyond information theft, the Trojan continuously monitors the clipboard for payment card data and takes a nefarious step by replacing copied cryptocurrency wallet addresses with those provided by attackers. This tactic poses a significant risk for unsuspecting users who may unwittingly send their assets to criminals.
Comprehensive Remote-Control Features
The Trojan’s remote-control capabilities extend beyond data theft; it allows for command execution, file uploads, directory enumeration, payload downloads, and even disruptive functionalities, including audio manipulation and scareware effects.
The devastating reach of this Trojan is underscored by its ability to deploy cryptocurrency miners, utilizing openly available tools such as XMRig, T-Rex, and TeamRedMiner. Notably, the mining process initiates only when the victim’s system remains inactive, further ensuring that the malicious activity goes unnoticed for extended periods.
For software developers, this threat is especially dire. The Trojan specifically targets the .vcxproj and .csproj project files, inserting malicious pre-build events that compromise the integrity of projects shared within development communities. Consequently, developers who build or disseminate these infected projects risk unknowingly distributing malware to both their peers and end-users.
Recommended Mitigation Strategies
Given the escalation of this threat, it is imperative for organizations to take proactive measures. Regular audits of project files for unauthorized pre-build commands, monitoring developer endpoints, and validating the integrity of SDKs and dependencies are critical practices for safeguarding against such sophisticated attacks. Furthermore, scanning downloaded code before compilation can provide an essential layer of security.
In conclusion, the emergence and development of this Windows Trojan serve as a stark reminder of the evolving nature of cybersecurity threats in software development. Awareness and proactive measures will be key in combating such attacks, ensuring that organizations remain vigilant in the face of these sophisticated threats.

