
The sleeping lion: analysis of InstallsKey related service

4 min read, Apr 13, 2025

Well, hello there.

Today we are going to focus on the “good” old malware campaign we first observed around May 2020, when it was actively distributing the Redline stealer. Although it has gone through some updates over the years, the scheme it follows has remained the same.

Download

Searching the Internet, we came across a kind, independent blogger who offers free cracked software for download. Let’s proceed!

We can see that the blog links to the website fpn-stp[.]ru, which redirects us to a well-known framework that is also tied to PrivateLoader campaigns. This framework, whose name is unknown, uses unique links that expire after a few minutes in order to defeat scanners and avoid being blacklisted. Each link it generates consists of three parts: what looks like an MD5 hash, 34 random characters, and a salt at the end.

URL pattern

After passing an hCaptcha challenge and a User-Agent check (the User-Agent must be Microsoft Edge), we are greeted with the download page:

Framework’s download page UI

Notice that this exact framework, with slight client-side JS modifications, was distributing PrivateLoader on xiuty[.]com, arakusus[.]com, oyndr[.]com and many other fake URL-shortening services. (More about this in the referenced articles at the bottom of the page.)

After clicking the DOWNLOAD button, a new page opens and the file download starts. The file is a ZIP archive built automatically by the framework at the time the link is generated.
Unzipping it with the password 123 gives us two files: the loader and a password file containing the MD5 hash of the empty string (d41d8cd98f00b204e9800998ecf8427e).

ZIP contents

The loader

The loader itself is an installation wizard compiled with Inno Setup. The installer is password-protected, but that turns out not to be much of an obstacle: the password can be recovered from a string inside the compiled installer.

String containing the password bytes

After this step, nothing stops us from extracting whatever was embedded in it.

Embedded files and call to initializing functions

The stub

Among the extracted content there are a number of DLLs and one file with an EXE extension. The EXE appears to be malformed, but all it lacks is the DOS (MZ) header. The compiled script contains a function, VideoCutterOpen, that is responsible for adding that header.

Part of the function which fills the MZ header of the payload

The payload must be started with a command-line argument: the MD5 hash of the EXE file name, which the script computes in a way that resembles some sort of obfuscation.

Get MD5

If the argument does not match the hash of the file name, the payload exits. I assume this prevents the file from being scanned separately, for instance during automated analysis. If the condition is met, we see a PayPerInst[.]com Download Assistant window.

payperinst[.]com Download Assistant
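The two stub behaviours described above, the missing DOS header being filled in by VideoCutterOpen and the MD5-of-file-name start-up check, as an added example written for this page (it is not the campaign's code). It assumes the DOS header of the embedded EXE is simply blanked in place (so section file offsets stay valid) and that the file name is hashed as-is, with its extension; the PE-like sample blob is constructed for the demonstration.

```python
# Added example (not from the original article): repair a payload whose DOS/MZ
# header has been blanked, in the spirit of the installer's VideoCutterOpen
# routine, and compute the command-line argument the stub checks.
# Assumptions: header bytes are zeroed in place; the name is hashed with its
# extension. The sample blob is constructed, not a real sample.
import hashlib
import os
import struct

PE_SIG = b"PE\0\0"
DOS_HEADER_SIZE = 0x40
OPTIONAL_MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}  # optional header magics


def find_pe_signature(blob: bytes) -> int:
    """Offset of the first 'PE\\0\\0' followed by a plausible optional-header
    magic (20-byte COFF header in between), or -1 if there is none."""
    pos = blob.find(PE_SIG)
    while pos != -1:
        magic_off = pos + 4 + 20
        if magic_off + 2 <= len(blob):
            magic = struct.unpack_from("<H", blob, magic_off)[0]
            if magic in OPTIONAL_MAGICS:
                return pos
        pos = blob.find(PE_SIG, pos + 1)
    return -1


def build_dos_header(e_lfanew: int) -> bytes:
    """Minimal 64-byte IMAGE_DOS_HEADER: 'MZ' magic, zeroed fields and
    e_lfanew (at 0x3C) pointing at the PE signature. The Windows loader only
    needs these two fields to locate the NT headers."""
    hdr = bytearray(DOS_HEADER_SIZE)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr)


def repair_pe(blob: bytes) -> bytes:
    """Write the DOS header in place at offset 0 so that the file offsets used
    by the section table remain valid. Raises ValueError if not repairable."""
    if blob[:2] == b"MZ":
        return blob  # already carries a DOS header
    pe_off = find_pe_signature(blob)
    if pe_off < DOS_HEADER_SIZE:
        raise ValueError("no PE signature found after a 64-byte header slot")
    return build_dos_header(pe_off) + blob[DOS_HEADER_SIZE:]


def is_repairable(blob: bytes) -> bool:
    try:
        repair_pe(blob)
        return True
    except ValueError:
        return False


def parse_pe(blob: bytes) -> dict:
    """Sanity-check a repaired file: follow e_lfanew and read Machine,
    NumberOfSections and the image type from the optional header magic."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ magic")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("e_lfanew does not point at a PE signature")
    machine, nsections = struct.unpack_from("<HH", blob, e_lfanew + 4)
    magic = struct.unpack_from("<H", blob, e_lfanew + 24)[0]
    return {"e_lfanew": e_lfanew, "machine": machine, "sections": nsections,
            "type": OPTIONAL_MAGICS.get(magic, "unknown")}


def expected_argument(exe_path: str) -> str:
    """Argument the stub compares against: MD5 of the EXE's file name.
    Assumption: the bare file name, extension included, is what gets hashed."""
    return hashlib.md5(os.path.basename(exe_path).encode()).hexdigest()


def constructed_headerless_payload() -> bytes:
    """Constructed 32-bit PE-like blob whose first 0x80 bytes are zeroed,
    mimicking the payload as it sits inside the installer."""
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    section = b".text\0\0\0" + b"\0" * 32  # one 40-byte section header
    return b"\0" * 0x80 + PE_SIG + coff + optional + section


if __name__ == "__main__":
    fixed = repair_pe(constructed_headerless_payload())
    print(parse_pe(fixed))
    print(expected_argument("VideoCutter.exe"))
```

If the real loader strips the header bytes rather than zeroing them, the section table's PointerToRawData values would also have to be re-based; the in-place variant here is the one that keeps file offsets intact, which is why it is the sensible default when the script is seen writing into an existing buffer.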

Now the download assistant commences downloading executables. Unlike previous detonations
(e.g. https://www.virustotal.com/gui/file/2e8e59eb04b473054402a130152a2e666f57cd07c6a7116edf4a4ea5ec20b271), it no longer drops Redline; however, potentially unwanted content is still present. This time it is Snetchball adware. The installer then performs a POST request to hxxp://start7345724.ru/new/net_api with a hex-encoded body that has been encrypted with RC4:
67e28dd86f5af1211607f81c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa48e8889b5e4fa9281ae978fe71ea771795af8e05c645db22f31dfe339426fa11a167c657adb719a9577e55b8603e983a608ef719c0e6909939
The API path used by the installer has changed over time, although each of the earlier paths remains reachable:
/v2/events => /v3/api => /new/net_api
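The RC4-over-hex transport described above, as an added example written for this page (not the installer's code and not the SOCKS5SYSTEMZ code). The article does not disclose the RC4 key, so the block does not decrypt the captured body; instead it gives the primitives an analyst needs once candidate keys have been pulled from the binary: the cipher, hex-body checks, a key-trial helper, and a request matcher built from the host and paths listed in the article. The key, event payload and `looks_like_text` heuristic are constructed for the demonstration.

```python
# Added example (not from the original article): RC4 helpers for the
# installer's hex-encoded POST bodies. The real key is unknown; SAMPLE_KEY and
# SAMPLE_EVENT are constructed. Host and paths come from the article.
import json
import string

C2_HOST = "start7345724.ru"
KNOWN_C2_PATHS = ("/v2/events", "/v3/api", "/new/net_api")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same op."""
    if not key:
        raise ValueError("empty key")
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def is_hex_body(body: str) -> bool:
    """Observed bodies are lowercase hex of even length, nothing else."""
    return (len(body) > 0 and len(body) % 2 == 0
            and all(c in "0123456789abcdef" for c in body))


def encode_body(key: bytes, plaintext: bytes) -> str:
    return rc4(key, plaintext).hex()


def decode_body(key: bytes, body: str) -> bytes:
    if not is_hex_body(body):
        raise ValueError("body is not hex-encoded")
    return rc4(key, bytes.fromhex(body))


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """Constructed heuristic: a decryption under the right key should be
    (almost) entirely printable; a wrong RC4 key yields random-looking bytes."""
    printable = set(string.printable.encode())
    return len(data) > 0 and sum(b in printable for b in data) / len(data) >= threshold


def try_keys(body: str, candidates) -> dict:
    """Return {key: plaintext} for every candidate whose decryption looks like
    text, e.g. strings harvested from the installer's binary."""
    hits = {}
    for key in candidates:
        plain = decode_body(key, body)
        if looks_like_text(plain):
            hits[key] = plain
    return hits


def is_c2_request(host: str, path: str, body: str) -> bool:
    """Match a proxy-log style (host, path, body) triple against the known C2."""
    return host == C2_HOST and path in KNOWN_C2_PATHS and is_hex_body(body)


SAMPLE_KEY = b"example-key"  # constructed; NOT the campaign's key
SAMPLE_EVENT = json.dumps({"event": "install", "build": "demo"}).encode()

if __name__ == "__main__":
    body = encode_body(SAMPLE_KEY, SAMPLE_EVENT)
    print(body)
    print(try_keys(body, [b"wrong-key", SAMPLE_KEY]))
    print(is_c2_request(C2_HOST, "/new/net_api", body))
```

The matcher deliberately keeps all three paths: the article notes that the older endpoints stay reachable, so a detection keyed only on the newest path would miss older builds still phoning home.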

This C2 communication is strikingly similar to the one used by the SOCKS5SYSTEMZ proxy botnet (see also https://www.bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey). Moreover, the loader and the DLL libraries it contains are exactly the same.

DLLs

The DLL libraries are not malicious in this case; in fact, the EXE does not even interact with them. What is interesting, however, is that the actors keep bundling the same DLLs in their builds, so a large number of related samples can be pivoted to from the VirusTotal relations page:
https://www.virustotal.com/gui/file/16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660/relations

Conclusion

The campaign appears to be somewhat dormant for now; however, it can be put back into action at any time, posing a serious threat to the privacy of internet users.

URLs active at the time of writing:
Suspicious blog: hxxp://flstudio12–20.ru/
Blog referral: hxxps://fpn-stp.ru/file/1/14ec560
Framework domains:
ska4aservece[.]ru
cononspace24[.]ru
somenoxezowa[.]ru

C2: hxxp://start7345724.ru/new/net_api

VT:
Inno Setup loader: https://www.virustotal.com/gui/file/a4fef05ccd386520f7dc03ea1e03f060401ba2dadfe2b3db2046489bdb34f2b5
File dropped by the IS loader: https://www.virustotal.com/gui/file/a9f26b84f45f15e5fbe607ba1430282eafdd6d2c6546cfa0ea0149065307366f
Inno Setup loader (SOCKS5SYSTEMZ): https://www.virustotal.com/gui/file/acc63db2e500e557b2c06294a21aabcce70dc599604d6c6a414f0d62977a37ad
sqlite3.dll: https://www.virustotal.com/gui/file/16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660/relations

References:
https://www.bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey
https://www.virustotal.com/
https://jfrog.com/ja/blog/attacks-on-docker-with-millions-of-malicious-repositories-spread-malware-and-phishing-scams/
https://www.zscaler.com/de/blogs/security-research/surge-fake-fifa-world-cup-streaming-sites-targets-virtual-fans
https://medium.com/@g0njxa/privateloader-installskey-rewind-2023-c1ce027cbe65

Written by Grief222
Reach me on telegram: @grief222