At a glance
| Malware family | Multi-stage trojan (Doctor Web: Trojan.DownLoader49, BackDoor.Siggen2.5906, Trojan.BtcMine.3956) |
| Threat actor | Unknown; not attributed |
| Target / victims | Software developers using C++ and C# projects; downstream users |
| Delivery vector | Infected executables, Python scripts, and poisoned project files |
| Key capabilities | Data theft, clipboard hijack, backdoor, crypto wallet theft, rogue mining, file infection |
| Source | Doctor Web |
TL;DR
Doctor Web has detailed a multi-stage supply chain trojan that targets software developers. The malware infects C++ and C# project files, then spreads to anyone who builds them. It steals data, hijacks the clipboard, mines cryptocurrency, and opens a backdoor. Doctor Web has not linked the campaign to a named group.
Delivery
The trojan spreads over the internet through infected executables and Python scripts. Doctor Web calls it “a new trojan engaging in supply chain attacks.” Its main aim is developer machines. When a developer builds a poisoned project, the infection passes into their output. Regular users then run those tainted programs without warning.
The malware first surfaced in late 2025. Its authors have updated and upgraded it many times since. Because it rides trusted build tools, it can reach far beyond the first victim.
Infection chain
The attack unfolds in three phases. Doctor Web tracks each phase under its own detection name.

Phase one: the loader
An infected app injects a global object into a legitimate executable. At launch, the loader uses the PEB walking technique to reach system APIs. It then hijacks the standard initterm routine to run a hidden PowerShell command. That command pulls down the next stage. In Python builds, the same logic hides inside Fernet-encrypted code, padded with whitespace to dodge quick review.
Phase two: the downloader
The second stage first checks for a sandbox and sets a fixed mutex. Next, it fetches its command server address from an unusual place. It reads domain names posted on public GitHub repositories, Steam profiles, and YouTube pages. This dead-drop method hides the real infrastructure behind trusted services. The stage then injects code into a pre-defined System32 process and passes control onward.
Phase three: the backdoor
The final stage runs the main payload. It replaces trusted DLL files, including ones tied to Discord and Microsoft Edge, to keep a foothold. It also abuses a Windows settings handler to bypass User Account Control. From there, the operator gains broad control of the host.
C2 and data theft
The backdoor talks to its C2 server through a named pipe and remote commands. Operators can run shell commands, start a reverse proxy, upload files, or list directories. One command even plays disruptive “troll” effects, which shows how fully they own the machine. The supply chain trojan also drains a wide range of secrets.
It grabs browser passwords and cookies from Chrome, Edge, Opera, Brave, and Yandex. It lifts Discord tokens and Telegram Desktop data. For crypto theft, it targets the Exodus wallet. It swaps the wallet’s code to capture recovery phrases and send them out. Meanwhile, a clipboard watcher steals bank card data and rewrites copied wallet addresses in real time.
The trojan adds rogue mining once a machine sits idle. It deploys open-source miners such as XMRig, T-Rex, and TeamRedMiner.
Why developers are the weak point
The file-infection stage sits at the heart of this supply chain trojan. It poisons developer files such as .suo, .vcxproj, .csproj, and shared C++ headers. It even edits a popular open-source GUI library used in many C++ apps. As a result, every fresh build can carry the malware forward. Doctor Web warns that “a diverse set of malicious features makes this trojan extremely dangerous.”
Defense and detection
Developers should scan every downloaded file and dependency before use. Watch for odd pre-build events and unexpected edits to project files. Flag any build tool that spawns hidden PowerShell or writes to AppData. Set project directories to read-only where you can. Keep endpoint tools current, since detection names for these stages already exist.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.