Trojan:Win64/ShellCodeRunner!rfn

The Trojan:Win64/ShellCodeRunner!rfn loader follows a predictable but adaptable multi-stage launch chain. It begins by calling low-level Windows memory management functions. The most observed API is VirtualAlloc, though some variants call the native API ZwAllocateVirtualMemory to avoid user-mode hooks. The Trojan:Win64/ShellCodeRunner!rfn requests a region of memory large enough to hold an encrypted or encoded payload. In earlier samples, the allocation was made with PAGE_EXECUTE_READWRITE permissions. This was a reliable heuristic for security tools. Newer variants allocate memory as PAGE_READWRITE, write the decrypted shellcode into that buffer, and then change the page protection to PAGE_EXECUTE_READ using VirtualProtect. This two-step permission change is harder to detect with simple API monitors.

Once the binary in memory is ready, the loader decrypts its payload. The encryption algorithm varies. Some variants use AES with a hardcoded key. Others use a multi-byte XOR routine. The EDRKILLSHIFT variant requires a 64-character passkey supplied as a command-line argument named -pass. Without this exact key, the decryption routine outputs garbage, and the shellcode never launches. This passkey requirement frustrates automated sandboxes and manual reverse engineering. 

The loader then writes the decrypted shellcode into the allocated memory and transfers the launch. The transfer mechanism is a direct function pointer call, a thread creation via CreateThread, or an asynchronous procedure call. Reflective loading is a defining trait of ShellcodeRunner family. Instead of relying on the Windows loader to map a portable executable (PE) into memory, the malware parses the PE headers itself. It maps each section to the correct virtual address, performs base relocations, and resolves the import address table by walking through the loaded modules of the current process. Because Windows never registers the loaded module in the standard process environment block, the payload is invisible to tools that enumerate loaded DLLs. 

The EDRKILLSHIFT variant adds a kernel-mode pre-attack phase. It writes a legitimate but vulnerable 64-bit driver to the user's temporary directory. This driver is often signed and is detected by Microsoft Defender as a potentially unwanted application (PUA). It creates a Windows service with a randomized name. The naming pattern observed is Kill followed by ten decimal digits. It starts this service, which loads the vulnerable driver into kernel memory. With kernel privileges, ShellcodeRunner enumerates running processes and terminates a long list of security products. The targeted processes include AmSvc.exe, aswidsagent.exe, avastsvc.exe, avastui.exe, avgnt.exe, avguard.exe, avpui.exe, bdagent.exe, bdntwrk.exe, bdredline.exe, ccSvcHst.exe, CybereasonAV.exe, CylanceSvc.exe, egui.exe, ekrn.exe, and coreServiceShell.exe. After terminating these processes, it decrypts its primary shellcode payload from a file named Data.bin. The malware creates a mutex named DriverInstallMutex to prevent multiple concurrent installations. 

The threat actors can also distribute an ISO file disguised as an invitation. When mounted, the ISO showed a shortcut file with a PDF icon. Double-clicking this shortcut runs a hidden binary named scholar.exe. Scholar.exe extracted saved passwords, credit card numbers, browsing history, and cookies from Microsoft Edge and other browsers. It wrote this stolen data to multiple CSV files in C:\Users\Public\results. It created a mutex named Bkdqqxb.txt to prevent multiple instances from harvesting the same data simultaneously. The malware compressed all CSV files into results.zip and exfiltrated the archive over HTTPS to a Slack channel controlled by the threat actors. The exfiltration IP addresses were 3[.]129.123[.]235 and 13[.]127.99[.]68. 

A separate campaign across multiple Asian countries used a tax audit document lure to deploy the HoldingHands backdoor. The initial loader was a modified version of a legitimate open-source library, dokan2.dll. This loader decrypted a file named sw.dat. The shellcode from sw.dat then prepared the launch of msvchost.dat. ShellcodeRunner achieved persistence by force closing the Windows Task Scheduler service. When Windows automatically restarts the service, it injects a malicious library named TimeBrokerClient.dll into the newly launched svchost.exe process. This library used the process name svchost.exe as a cryptographic key to decrypt the payload within msvchost.dat. If an analyst attempted to run msvchost.dat from a different process, the decryption produced invalid code. After successful decryption, the shellcode enumerated active terminal sessions, duplicated a logged-on user's access token, and launches a backdoor within that user's session. Indicators for this campaign include the staging files sw.dat and msvchost.dat in application directories and registry artifacts under HKEY_CURRENT_USER\SOFTWARE\HHClient. Command-and-control (C2) communication was observed with IP addresses 206[.]238.199[.]22, 154[.]91.64.45, and 156[.]251.17[.]12, as well as domains zxp0010w[.]vip and gjqygs[.]cn. 

Evasion techniques in this family extend beyond simple obfuscation. The pkr_mtsi packer, distributed through search engine poisoning and fake download sites for software like PuTTY, Microsoft Teams, and Rufus, uses two distinct anti-analysis methods. First, it makes thousands of Graphics Device Interface calls that have no functional purpose. These calls consume time and CPU cycles in automated sandboxes, sometimes causing the analysis to time out before the malicious payload runs. Second, it applies a modified version of the UPX packer to its intermediate stages.