Overview
A newly uncovered campaign has turned a rarely noticed Windows utility — Fondue.exe — into a stealthy malware delivery mechanism. Threat actors are exploiting this legitimate Microsoft binary to side‑load a malicious control panel file (APPWIZ.cpl) and execute malware under the guise of trusted system activity.
Researchers at Trend Micro report that this technique is part of a broader trend: attackers increasingly hide behind signed Windows binaries to bypass endpoint defenses. The campaign has targeted government, military, and drone‑engineering sectors, using fake Starlink registration tools and drone pilot training apps as lures.

How Fondue.exe Is Abused
Fondue.exe — officially Features on Demand UX — normally enables or disables optional Windows components. However, when executed, it first checks its local directory for APPWIZ.cpl before searching system paths.
Attackers exploit this behavior by placing a malicious APPWIZ.cpl alongside Fondue.exe in a hidden folder. The trusted binary then loads the rogue file, which is packed with UPX compression and protected by Oreans Code Virtualizer to resist reverse engineering.
Once loaded, the fake applet deploys a Sliver post‑exploitation framework implant, granting attackers remote command execution and lateral movement capabilities.
| Component | Legitimate Purpose | Abuse Technique |
|---|---|---|
| Fondue.exe | Enables Windows optional features | Side‑loads malicious APPWIZ.cpl |
| APPWIZ.cpl | Control Panel applet | Executes Sliver implant under trusted process |
| Sliver Framework | Adversary simulation tool | Used for real‑world espionage and persistence |
Multi‑Stage Delivery and Persistence
The attack begins with a malicious MSI installer disguised as legitimate software. Once executed, it drops:
- Fondue.exe and APPWIZ.cpl into a hidden %PROGRAMDATA% directory.
- PowerShell, VBS, and .NET loader scripts to fetch next‑stage payloads.
- A scheduled task named like a Windows update (e.g., MicrosoftEdgeUpdateTaskMachineUA{GUID}) to ensure persistence.
The implant connects to the C2 server curtainbeatdisturbance[.]com and creates a mutex named MediumTurquoiseBeige to prevent duplicate execution.
Parallel operations also deploy SoullessRAT, a JavaScript‑based remote access trojan reportedly written using generative AI, capable of file uploads, screenshots, and system reconnaissance.
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| Domain | curtainbeatdisturbance[.]com | Sliver implant C2 server |
| File Name | Fondue.exe | Legitimate binary abused for side‑loading |
| File Name | APPWIZ.cpl | Malicious Control Panel applet |
| Scheduled Task | MicrosoftEdgeUpdateTaskMachineUA{GUID} | Persistence mechanism |
| Directory | %PROGRAMDATA%\29167fc2-cdc7-490d-9c70-96bfb9b58225 | Hidden payload staging folder |
Defensive Recommendations
Security teams should focus on behavioral detection rather than file signatures.
- Monitor Fondue.exe Execution → Flag runs from non‑standard directories.
- Detect CPL Side‑Loading → Alert on unexpected Control Panel applets loaded by trusted binaries.
- Audit Scheduled Tasks → Look for tasks mimicking Microsoft update names.
- Restrict Installer Sources → Only allow software from official channels.
- Implement Endpoint Behavioral Analytics → Correlate binary execution with network activity for early detection.
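The first three recommendations expressed as detection logic, as an added example that is not part of the article or of Trend Micro's published detection content: a small Python rule set run over constructed Sysmon-style events. The System32/SysWOW64 locations and the legitimate Edge updater path are assumptions about a stock Windows install; the staging folder name is the one listed in the IoC table.

```python
import ntpath
import re

# Constructed Sysmon-style events (not telemetry from the reported campaign).
# The hidden folder name is taken from the article's IoC table.
STAGING = r"C:\ProgramData\29167fc2-cdc7-490d-9c70-96bfb9b58225"
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\fondue.exe"},
    {"type": "process", "image": STAGING + r"\fondue.exe"},
    {"type": "imageload", "image": r"C:\Windows\System32\control.exe",
     "loaded": r"C:\Windows\System32\appwiz.cpl"},
    {"type": "imageload", "image": STAGING + r"\fondue.exe",
     "loaded": STAGING + r"\APPWIZ.cpl"},
    {"type": "schtask", "name": "MicrosoftEdgeUpdateTaskMachineUA{1a2b3c4d}",
     "action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
    {"type": "schtask", "name": "MicrosoftEdgeUpdateTaskMachineUA{5e6f7a8b}",
     "action": STAGING + r"\fondue.exe"},
]

# Assumed: where Windows itself keeps fondue.exe and its Control Panel applets,
# and the path of the genuine Edge updater that the spoofed task name imitates.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EDGE_UPDATER = r"c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe"
UPDATE_TASK_RE = re.compile(r"^MicrosoftEdgeUpdateTaskMachine\w*\{", re.I)


def _in_system_dir(path: str) -> bool:
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def detect(events):
    """Return (rule, path) tuples for each behaviour the article says to hunt for."""
    hits = []
    for ev in events:
        image = ev.get("image", "")
        if ev["type"] == "process" and ntpath.basename(image).lower() == "fondue.exe":
            # Rule 1: Fondue.exe launched from anywhere but its system directory.
            if not _in_system_dir(image):
                hits.append(("fondue_nonstandard_path", image))
        elif ev["type"] == "imageload" and ev["loaded"].lower().endswith(".cpl"):
            # Rule 2: a Control Panel applet loaded from a non-system directory,
            # i.e. the side-loading step (rogue APPWIZ.cpl beside the trusted binary).
            if not _in_system_dir(ev["loaded"]):
                hits.append(("cpl_sideload", ev["loaded"]))
        elif ev["type"] == "schtask" and UPDATE_TASK_RE.match(ev["name"]):
            # Rule 3: a task named like the Edge updater whose action is not the updater.
            if ev["action"].lower() != EDGE_UPDATER:
                hits.append(("spoofed_update_task", ev["action"]))
    return hits


if __name__ == "__main__":
    for rule, path in detect(EVENTS):
        print(f"{rule}: {path}")
```

Each rule keys on where a file runs or loads from rather than on its hash, so it survives a repacked APPWIZ.cpl or a new staging folder name.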
Expert in the Cloud Insight
The Fondue.exe campaign illustrates how trusted system binaries can be weaponized for stealth and persistence. As attackers increasingly use AI to accelerate tool development, defenders must pivot toward behavior‑based security and continuous threat hunting.
For organizations in critical sectors, the lesson is clear: trust no binary by default. Even signed executables can be turned against you when placed in the wrong context.