Skip to content
July 18, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Weekly Recap
Light/Dark Button
  • Home
  • News
  • Malware
  • SocketPlayer malware could evade the sandbox mechanism
  • Malware

SocketPlayer malware could evade the sandbox mechanism

Do Son June 12, 2018 4 minutes read
SocketPlayer malware
Add Daily CyberSecurity as a preferred source on Google
A recent report from G Data stated that the recently discovered remote-access SocketPlayer malware is using a particular library, socket.io, “This particular library was designed for use in web applications that require real-time communication between two parties and which are reliant of bi-directional communication” that allows operators to interact with infected devices “without needing it to take the first step“.
The SocketPlayer backdoor differs from most bank trojans, backdoors, and keyloggers that use typical one-way communication systems. By using the socket.io library, real-time two-way communication between applications can be achieved. According to this feature, malware handlers no longer need to wait for the infected device to initiate communications, the attacker can contact the infected computer.
Allegedly, the backdoor SocketPlayer once installed successfully on the compromised machine can receive the operator’s commands and perform various operations such as sniffing, screenshots, grabbing and running code. The researchers also found that SocketPlayer can also selectively use other functions, for example, like a keylogger, although there is no actual keylogger function in the back door. At present, it seems that there has been no specific use.
The backdoor SocketPlayer infection path starts with the downloader’s sandbox detection. If it passes the test, the downloader downloads an executable file and decrypts it, and then uses the Invoke method to run the decryption program in memory.
The called program will create a socket connection for the host (Host is http://93.104.208.17:5156/socket.io), at the same time, create a registry key that implements persistence. Next check if there is a Process Handler/Folder, if not, you need to create one. After that, you also need to create an autostart key with the value “Handler”. Also, SocketPlayer downloads another downloadable SocketPlayer executable that decrypts and runs in memory.
G Data’s security researchers discovered two variants of the SocketPlayer backdoor during the study:
  • Thefirst variant is a ~100KB file which does exactly what a typical downloader does – downloading a file
    and executing it.
  • Same as variant 1, there is also an old version and a new version. Both versions have a similar initial routine as in 2. Initial routine. The old version only uses the C:\Users\USERNAME\Music path and downloads the data from hxxp://173.249.39.7:1337/uploads/excutbls/ with the filename specified via socket.io from the
    server.
Security researchers noticed a series of changes between the two variants of SocketPlayer, including:
  • The c2 port has changed from 3000 to 7218
  • The file location changed from C:\Users\USERNAME\Music\Player\Player.exe to
    C:\Users\USERNAME\Music\Media Player\Player.exe
  • The information that is sent in the initial routine changed a bit. In the old version[1] the
    author sends the string “,1.1,1” to the c2. In the new version the program sends “,1.2,1”,
    telling the c2 that the new version runs on the machine.
  • To the commands Fdrive,fdir,smfdir,procs,prockil,gtscreen and kylgs the variable susrid is
    added to be sent to the server. This is done to identify the infected systems better.
  • The functionality stscrnpercnt is added. This feature assists the gtscreen function to set the
    quality of the image.
  • The gtscreen function additionally to the susrid also sends the computer name with the
    picture.
  • The storage location of upldex is changed to
    C:\Users\User\AppData\Roaming\Microsoft\Windows\Templates. An autostart key to the
    registry is added. The downloaded file is also executed.
  • The kylgs function also switched to use the above path to read the file klsetup.txt.
  • The destt function additionally checks if the following path and files are available. If so, it
    deletes them. C:\Users\USERNAME\AppData\Roaming\Process Handler
    C:\Users\USERNAME\AppData\Roaming\Process Handler\Handler.exe,
    C:\Users\User\AppData\Roaming\Microsoft\Windows\Templates\Image.exe and
    C:\Users\User\AppData\Roaming\Microsoft\Windows\Templates\Media.exe.
The report shows that a sample of known malware was distributed through an Indian website, but it is unclear how the back door spreads. However, whether the site was used for infection or just for mirroring, it is clear that the malware has not been noticed for a long time.
Source, Image: gdatasoftware

Related coverage

  • North Korea’s Kimsuky Upgrades DOCSWAP Malware to Hijack Smartphones via QR Codes
  • Fake Google Authenticator Ads Spread Malware Through Google Search
  • Unmasking the PhantomVAI Framework’s Fileless Assault on Corporate Defenses
  • Fake CleanMyMac Site Unleashes SHub Stealer to Drain macOS Crypto Wallets
  • Polish police arrested the author of Flotera, Vortex, and Polski ransomware
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: SocketPlayer malware

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-6875CVSS 9.5
    ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability...
    Admin intel📅 Updated: Jul 18, 2026
  • CVE-2026-39808CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-25089CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-58644CVSS 9.8
    Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2023-4346CVSS 7.5
    KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to...
    CISA KEV📅 Added to KEV: Jul 15, 2026
  • CVE-2026-53362
    In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-46242CVSS 7.8
    In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-56155CVSS 7.8
    Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate...
    CISA KEV📅 Added to KEV: Jul 14, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-16117CVSS 10.0
    Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the...
  • CVE-2026-47865CVSS 9.8
    VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user...
  • CVE-2026-55518CVSS 9.6
    Avo is a framework to create admin panels for Ruby on Rails...
  • CVE-2026-54159CVSS 10.0
    PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0...
  • CVE-2026-48062CVSS 9.8
    CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in...
  • CVE-2026-13446CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password...
  • CVE-2026-8859CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to...
  • CVE-2026-8635CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges...
  • CVE-2026-8505CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook...
  • CVE-2026-8476CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.