Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Backdoor.Stupig is a DLL backdoor that achieves persistence by registering as a keyboard-layout provider, causing win32k.sys to load it into winlogon.exe at system startup. This persistence mechanism is related to the Winlogon Helper DLL technique described in MITRE ATT&CK T1547.004 but uses a different registry loading path.
Backdoor.Stupig is a DLL backdoor that achieves persistence by registering as a keyboard-layout provider, causing win32k.sys to load it into winlogon.exe at system startup. This persistence mechanism is related to the Winlogon Helper DLL technique described in MITRE ATT&CK T1547.004 but uses a different registry loading path.
The new filename was constructed to closely resemble the legitimate Windows keyboard-layout library kbdus.dll... Placing the file there under a name that differed by a single appended character was designed to pass casual visual inspection and evade filename-based detection controls.
Its design can give an attacker command execution as SYSTEM... while also creating an opportunity to intercept credentials entered during the sign-in process... Stupig also places hooks in Windows functions used during authentication and credential handling, allowing it to capture information inside winlogon.exe.
Its design can give an attacker command execution as SYSTEM... while also creating an opportunity to intercept credentials entered during the sign-in process... Stupig also places hooks in Windows functions used during authentication and credential handling, allowing it to capture information inside winlogon.exe.
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A stealthy Windows backdoor that masquerades as a keyboard-layout provider so Windows loads its malicious DLL into winlogon.exe at startup. It watches the logon screen for usernames beginning with a special prefix, can spawn a SYSTEM command shell or execute commands before user logon, and hooks authentication and credential-handling functions to capture information inside winlogon.exe.
A previously undocumented DLL backdoor that persists by registering as a keyboard-layout provider so it is loaded into winlogon.exe at startup. It enables pre-authentication SYSTEM command execution from the Windows logon screen, hooks logon-related APIs for credential interception, and references a missing companion payload.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.