**How Real Software Downloads Can Hide Remote Backdoors**
Imagine setting up remote access to a colleague's computer, searching for "RustDesk download" and landing on a polished website with documentation, downloads, and familiar branding. You install the software, launch it, and everything works exactly as expected. But what you don't see is the second program that installs alongside it – one that quietly gives attackers persistent access to your computer.
This is exactly what we observed in a campaign using the fake domain rustdesk[.]work, which impersonated the legitimate RustDesk project hosted at rustdesk.com. The fake site closely mirrors the real one, complete with multilingual content and prominent warnings claiming (ironically) that rustdesk[.]work is the only official domain.
This campaign doesn't exploit software vulnerabilities or rely on advanced hacking techniques. It succeeds entirely through deception. When a website looks legitimate and the software behaves normally, most users never suspect anything is wrong.
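The impersonation described above is detectable before the installer ever runs: the download request for the fake domain shows up in web-proxy logs, and the fake domain shares the brand label with the real one but not its registrable domain. The following is an added example, not code from the original write-up or from the RustDesk project. It scans constructed proxy log lines for requests to hosts that contain a protected brand name but are not on the defender's allow-list of official domains (rustdesk.com is the legitimate domain named above; the allow-list, the log format and the sample lines are assumptions), and marks which of those hits fetched an installer.

```python
import re
from urllib.parse import urlsplit

# Allow-list of official domains per brand. rustdesk.com is the legitimate
# site named in the write-up; maintaining such a list is the defender's job.
OFFICIAL_DOMAINS = {"rustdesk": {"rustdesk.com"}}

# Constructed proxy log lines (not real telemetry): timestamp, client, method, URL.
SAMPLE_PROXY_LOG = """\
2025-01-10T09:12:03Z 10.0.0.21 GET https://rustdesk.com/docs/en/
2025-01-10T09:14:51Z 10.0.0.21 GET https://rustdesk.work/download/rustdesk-1.4.4-x86_64.exe
2025-01-10T09:15:10Z 10.0.0.33 GET https://github.com/rustdesk/rustdesk/releases
2025-01-10T09:16:44Z 10.0.0.40 GET https://www.rustdesk.com/
2025-01-10T09:17:02Z 10.0.0.40 GET https://rustdesk-download.example/setup.exe
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+)$")
INSTALLER_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg", ".deb", ".rpm", ".appimage")


def registrable_domain(host):
    """Last two labels of the host. Sufficient for the TLDs used here; a
    production check would consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host):
    """Return 'official', 'lookalike' or 'unrelated' for a hostname.

    A host is official when its registrable domain is on the allow-list.
    It is a lookalike when the brand label appears anywhere in the host
    (rustdesk.work, rustdesk-download.example, rustdesk.com.evil.example)
    without the host being official.
    """
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    for brand, official in OFFICIAL_DOMAINS.items():
        if reg in official:
            return "official"
        if brand in host.replace("-", ""):
            return "lookalike"
    return "unrelated"


def find_lookalike_hits(log_text):
    """Parse proxy log lines and return requests to lookalike hosts."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        parts = urlsplit(m["url"])
        host = parts.hostname or ""
        if classify_host(host) != "lookalike":
            continue
        hits.append({
            "client": m["client"],
            "host": host,
            "installer_download": parts.path.lower().endswith(INSTALLER_SUFFIXES),
        })
    return hits


if __name__ == "__main__":
    for hit in find_lookalike_hits(SAMPLE_PROXY_LOG):
        print(hit)
```

The brand-substring rule is intentionally broad: it will also catch third-party mirrors and CDN hostnames that embed the product name, which is acceptable for a hunting query whose purpose is to surface every installer fetched from somewhere other than the vendor's own domain.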
**What Happens When You Run the Installer**
The installer performs a deliberate bait-and-switch: the user sees RustDesk launch normally and everything appears to work, while the backdoor quietly establishes a connection to the attacker's server.
By bundling malware with working software, attackers remove the most obvious red flag – broken or missing functionality. From the user's point of view, nothing feels wrong. The malware executes through a staged process, with each step designed to evade detection and establish persistence:
### **The Staged Process**
1. **Dropper:** The downloaded file (rustdesk-1.4.4-x86_64.exe) acts as both dropper and decoy.
2. **Logger:** It writes two files to disk: `logger.exe` is a loader – its job is to set up the environment for the main implant.
### **The Loader-to-Implant Handoff**
The loader-to-implant handoff is a common technique in sophisticated malware: it separates the initial dropper from the persistent backdoor. By changing its process name, the malware makes forensic analysis harder.
### **Traditional Antivirus Tools vs. Behavioral Analysis and Memory Scanning**
Traditional antivirus tools focus on scanning files on disk (file-based detection). By keeping its functional components in memory only, the malware significantly reduces the effectiveness of file-based detection.
### **The Secondary Payload: Winos4.0 (WinosStager)**
The secondary payload is identified as Winos4.0 (WinosStager): a sophisticated remote access framework that has been observed in multiple campaigns, particularly targeting users in Asia.
Once active, it allows attackers to:
### **Technical Detail: How the Malware Hides**
1. **Connection Establishment:** Shortly after installation, the malware connects to an attacker-controlled server.
2. **Two-Way Communication:** This connection allows attackers to send commands to the infected machine and receive stolen data in return.
### **Network Traffic Disguise**
The malware is particularly clever in how it disguises its network activity: Because the victim installed real RustDesk, the malware's network traffic is mixed with legitimate remote desktop traffic.
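The staged process, the loader-to-implant handoff and the traffic-blending described in the sections above share one detectable property: the implant's outbound connection is made by a process that descends from the installer but is not the RustDesk client, shortly after the install. Because the write-up notes that the implant renames its process, an image-name blocklist is not the right signal; the parent chain back to the installer is. The following is an added example, not code from the original write-up or from any detection product. It correlates constructed process-creation and network-connection events (the pids, timestamps, destinations and the renamed child process name `hostsvc.exe` are all assumptions; the installer and `logger.exe` names come from the write-up) and alerts on early outbound connections from non-RustDesk descendants of the installer.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    pid: int
    ppid: int
    image: str  # executable file name as recorded by the endpoint sensor


@dataclass(frozen=True)
class NetworkEvent:
    ts: datetime
    pid: int
    dest: str
    dport: int


T0 = datetime(2025, 1, 10, 9, 20, 0)

# Constructed endpoint telemetry (not from the campaign). The installer named in
# the write-up starts the real RustDesk client and the logger.exe loader; the
# loader then starts a renamed implant process (hostsvc.exe is a placeholder).
PROCESS_EVENTS = [
    ProcessEvent(T0, 4100, 900, "rustdesk-1.4.4-x86_64.exe"),
    ProcessEvent(T0 + timedelta(seconds=5), 4120, 4100, "rustdesk.exe"),
    ProcessEvent(T0 + timedelta(seconds=6), 4130, 4100, "logger.exe"),
    ProcessEvent(T0 + timedelta(seconds=9), 4140, 4130, "hostsvc.exe"),
    ProcessEvent(T0 + timedelta(seconds=30), 5000, 900, "chrome.exe"),
]
NETWORK_EVENTS = [
    NetworkEvent(T0 + timedelta(seconds=12), 4120, "relay.example.net", 21116),  # placeholder relay
    NetworkEvent(T0 + timedelta(seconds=14), 4140, "198.51.100.7", 443),  # documentation-range IP
    NetworkEvent(T0 + timedelta(seconds=40), 5000, "www.example.org", 443),
]

INSTALLER_IMAGES = {"rustdesk-1.4.4-x86_64.exe"}
EXPECTED_PRODUCT_IMAGES = {"rustdesk.exe"}  # what a clean install is expected to run
WINDOW = timedelta(minutes=10)  # how long after the installer we treat connections as "early"


def build_tree(process_events):
    return {e.pid: e for e in process_events}


def ancestry(tree, pid):
    """Return [process, parent, grandparent, ...] as far as the telemetry reaches."""
    chain, seen = [], set()
    cur = tree.get(pid)
    while cur is not None and cur.pid not in seen:  # seen-set guards against pid reuse loops
        seen.add(cur.pid)
        chain.append(cur)
        cur = tree.get(cur.ppid)
    return chain


def find_suspicious_connections(process_events, network_events, window=WINDOW):
    """Alert on outbound connections made by non-product descendants of an installer."""
    tree = build_tree(process_events)
    alerts = []
    for net in network_events:
        chain = ancestry(tree, net.pid)
        if not chain:
            continue  # connection from a process we never saw start
        proc = chain[0]
        installers = [p for p in chain if p.image.lower() in INSTALLER_IMAGES]
        if not installers:
            continue  # not spawned by the installer at all
        if proc.image.lower() in EXPECTED_PRODUCT_IMAGES:
            continue  # the legitimate client talking to its relay is expected
        delay = net.ts - installers[0].ts
        if delay > window:
            continue
        alerts.append({
            "pid": net.pid,
            "image": proc.image,
            "dest": f"{net.dest}:{net.dport}",
            "seconds_after_install": int(delay.total_seconds()),
            "chain": " > ".join(p.image for p in reversed(chain)),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_connections(PROCESS_EVENTS, NETWORK_EVENTS):
        print(alert)
```

The rule deliberately allow-lists only the product binary rather than blocklisting `logger.exe`, so a renamed implant still trips it; in a real deployment the allow-list check would be strengthened by verifying the connecting image's code signature rather than trusting its file name.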
### **A Troubling Trend**
This attack demonstrates a troubling trend: legitimate software used as camouflage for malware. The attackers didn't need to find a zero-day vulnerability or craft a sophisticated exploit. They simply:
**The Takeaway:** Software behaving normally does not mean it's safe. Modern threats are designed to blend in, making layered defenses and behavioral detection essential.
### **Cybersecurity Risks Should Never Spread Beyond a Headline**
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.