A new investigation from CyStack’s security team reveals how the threat group APT-Q-27, also known as GoldenEyeDog, is bypassing modern security defenses through an elaborate multi-stage attack chain that operates almost entirely in memory.
The Attack Chain: From Support Ticket to Full Compromise
The intrusion began with an unsuspecting customer support agent clicking a link in a Zendesk support ticket. The link appeared to lead to an image file but instead downloaded a malicious .pif file — a legacy Windows executable format whose extension is typically hidden from the user regardless of Explorer's extension-visibility setting.
What made this attack particularly dangerous was the malware’s use of a valid digital signature. This legitimate certificate acted as a “hall pass,” allowing the malicious program to bypass reputation checks and security warnings that typically block unknown internet downloads.
Living Off the Land: DLL Sideloading and Memory-Only Execution
Once executed, the initial payload acted as a dropper, contacting cloud storage servers to download additional components hidden in a folder designed to mimic a standard Windows Update cache. The attackers employed DLL sideloading, placing a malicious file named crashreport.dll next to a legitimate, signed program called updat.exe.
When the legitimate program ran, it automatically loaded the malicious DLL, believing it was a necessary component. This allowed the attackers to execute their code inside a trusted process, effectively hiding their activity from security tools.
Fileless Persistence: The Ultimate Evasion
The most dangerous aspect of this campaign was its fileless approach. The malware decrypted its main backdoor payload directly into RAM, meaning the malicious code never existed as a standalone file on the hard drive. Traditional antivirus scans cannot detect infections that only exist in memory.
The malware also modified system settings to disable User Account Control (UAC) prompts and established persistence by creating a fake Windows service that restarts automatically after reboots.
Attribution to APT-Q-27
CyStack’s research team linked this campaign to APT-Q-27 based on several indicators:
- Command-and-control servers following naming conventions seen in previous GoldenEyeDog campaigns (e.g., “goldeye” in domain names)
- Plugin-based backdoor architecture matching the group’s established toolkit
- Targeting patterns consistent with the group’s history of attacking gambling and technology sectors
Defensive Implications
This incident highlights a critical gap in traditional security monitoring. Because the attack used valid digital signatures and legitimate-looking processes, it did not trigger standard alerts. Security experts recommend moving beyond simple file scanning to focus on behavior-based monitoring.
Detecting abnormal patterns — such as a support tool communicating with unknown servers or a legitimate program loading an unexpected file — is often the only way to catch these “low-noise” intrusions before significant damage occurs.
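The two behaviours called out above (a signed program loading an unexpected DLL from its own directory, as in the crashreport.dll / updat.exe sideloading described earlier, and a support-side process contacting an unknown public server) can be expressed as simple rules over endpoint telemetry. The following Python script is an added example, not code from CyStack or from the report; it runs two such rules over constructed Sysmon-style events (Event ID 7 ImageLoad and Event ID 3 NetworkConnect, newline-delimited JSON). The trusted-directory list, the staging-folder name hints, the hypothetical allow-list host and the sample event lines are all assumptions made for the example; the only value taken from the page is the wk.goldeyeuu.io / 185.135.79.200 indicator.

```python
"""Behaviour-based triage of constructed Sysmon-style events.

Rule 1 (ImageLoad, EID 7): a process outside the usual install directories loads an
unsigned or invalidly signed DLL from its own directory -> possible DLL sideloading.
Rule 2 (NetworkConnect, EID 3): any process reaches a public address that is not on
the allow-list -> unexpected outbound connection.
All sample data below is constructed for illustration.
"""
import ipaddress
import json
from pathlib import PureWindowsPath

# Where signed vendor/OS binaries normally live; a DLL loaded from anywhere else
# by such a binary deserves a look (assumption, tune per environment).
TRUSTED_INSTALL_DIRS = (
    r"c:\windows\system32", r"c:\windows\syswow64",
    r"c:\program files", r"c:\program files (x86)",
)
# Folder-name fragments that suggest a staging directory posing as an update cache
# or sitting in user-writable space (constructed list).
STAGING_HINTS = ("windowsupdate", "softwaredistribution", r"appdata\local\temp", "downloads")
# Hosts the support tooling is expected to talk to (hypothetical allow-list).
ALLOWED_HOSTS = {"support.example-helpdesk.test"}


def _norm(path):
    """Lower-case, backslash-normalised Windows path."""
    return str(PureWindowsPath(path)).lower()


def check_image_load(ev):
    """Sysmon EID 7: flag an unsigned DLL loaded from the executable's own directory
    when that directory is not a trusted install location."""
    image = _norm(ev["Image"])
    loaded = _norm(ev["ImageLoaded"])
    image_dir = str(PureWindowsPath(image).parent)
    loaded_dir = str(PureWindowsPath(loaded).parent)
    # In EID 7 the Signed/SignatureStatus fields describe the loaded image.
    signed_ok = ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid"
    if signed_ok or not loaded.endswith(".dll"):
        return None
    if image_dir.startswith(TRUSTED_INSTALL_DIRS):
        return None
    if loaded_dir != image_dir:
        return None
    reason = "possible DLL sideloading: unsigned DLL loaded from the executable's own directory"
    if any(hint in image_dir for hint in STAGING_HINTS):
        reason += " (staging directory mimics an update cache)"
    return reason


def check_network(ev):
    """Sysmon EID 3: flag an outbound connection to a public address not on the allow-list."""
    ip = ipaddress.ip_address(ev["DestinationIp"])
    host = ev.get("DestinationHostname", "").lower()
    if not ip.is_global or host in ALLOWED_HOSTS:
        return None
    return f"unexpected outbound connection to {host or ip}:{ev.get('DestinationPort')}"


CHECKS = {"7": check_image_load, "3": check_network}


def triage(raw_lines):
    """Run the checks over newline-delimited JSON events; return (process name, reason) pairs."""
    findings = []
    for line in raw_lines.strip().splitlines():
        ev = json.loads(line)
        check = CHECKS.get(str(ev.get("EventID")))
        if check is None:
            continue
        reason = check(ev)
        if reason:
            findings.append((PureWindowsPath(ev["Image"]).name.lower(), reason))
    return findings


# Constructed sample telemetry: one sideloading pair in a fake update-cache folder,
# one benign system DLL load, one beacon to the indicator from the report, one
# internal connection from a helpdesk tool.
SAMPLE_EVENTS = r'''
{"EventID": 7, "Image": "C:\\Users\\agent\\AppData\\Local\\Temp\\WindowsUpdateCache\\updat.exe", "ImageLoaded": "C:\\Users\\agent\\AppData\\Local\\Temp\\WindowsUpdateCache\\crashreport.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 3, "Image": "C:\\Users\\agent\\AppData\\Local\\Temp\\WindowsUpdateCache\\updat.exe", "DestinationIp": "185.135.79.200", "DestinationHostname": "wk.goldeyeuu.io", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Program Files\\Helpdesk\\helpdesk.exe", "DestinationIp": "10.0.0.5", "DestinationHostname": "", "DestinationPort": 443}
'''

if __name__ == "__main__":
    for proc, reason in triage(SAMPLE_EVENTS):
        print(f"[ALERT] {proc}: {reason}")
```

Run against the constructed sample, the script raises two alerts, both for updat.exe: the unsigned crashreport.dll load from the fake update-cache folder, and the connection to wk.goldeyeuu.io. The benign svchost.exe load and the internal helpdesk connection stay quiet. The design point is that neither rule needs a file hash or a known-bad name; both key on process behaviour that a valid code-signing certificate does nothing to change.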
Key IOCs
Notable command-and-control infrastructure includes:
- wk.goldeyeuu.io (185.135.79.200) – Tokyo, Japan
- Multiple IP addresses across Hong Kong, China, India, and the United States
- Infrastructure spanning AWS and various hosting providers
Organizations are urged to review their endpoint detection capabilities, implement behavior-based monitoring, and ensure visibility into DLL loading patterns across their environments.
