A Windows backdoor known as BadSpace is currently being distributed through compromised websites posing as fake browser updates [1] [2].


This multi-stage attack involves an infected website injecting code to collect user information and transmit it to a server [1] [2]. The server then displays a fake Google Chrome update pop-up window to deliver the malware [1] [2]. BadSpace is capable of harvesting system information [1] [2], executing commands [1] [2] [3], setting up persistence using scheduled tasks [1] [3], and employing anti-sandbox checks [3]. It can also take screenshots, read and write files [3], and delete scheduled tasks [3]. The campaign has connections to a known malware called SocGholish [1], a JavaScript-based downloader propagated through a similar mechanism [3]. Other campaigns have been reported using similar tactics to distribute information stealers and remote access trojans [1].


The distribution of BadSpace through fake browser updates poses a significant threat to user privacy and system security. To mitigate the risk, users should be cautious when downloading updates and ensure they are from legitimate sources. Additionally, organizations should implement robust cybersecurity measures to detect and prevent such attacks in the future. The evolving tactics of malware campaigns highlight the importance of staying vigilant and continuously updating security protocols to defend against emerging threats.


[1] https://thehackernews.com/2024/06/hackers-exploit-legitimate-websites-to.html
[2] https://f5.pm/go-245545.html
[3] https://www.redpacketsecurity.com/hackers-exploit-legitimate-websites-to-deliver-badspace-windows-backdoor/