We recently observed a sudden 165% spike in DNS requests to the domain posholnahuy[.]ru, primarily from Spain, Portugal, Ukraine, Russia, and Kyrgyzstan. This unusual traffic led us to investigate the domain’s activity, uncovering an ongoing malware campaign. The domain was registered in February 2025 and is fronted by Cloudflare’s infrastructure. By tracing the DNS queries back to their source processes, we discovered a suspicious executable named “dotaskinchanger.exe”. This file claimed to be a “Dota 2 Skin Changer” tool but was in fact malware. The surge in traffic corresponded with infections by this fake skin changer, as infected machines attempted to beacon out to the posholnahuy[.]ru C2.  

They say never to publish a blog post on a Friday, but we figured this was interesting enough to send out!

The Lure: Dota 2 and “Skin Changer” Mods

Dota 2 is a hugely popular online game (a MOBA by Valve, released in 2013) with millions of players worldwide. While the game itself is free-to-play, Valve monetizes it by selling cosmetic items and skins that alter hero appearances. These cosmetic skins can be quite valuable, driving some players to seek unofficial methods to unlock them for free. A “skin changer” for Dota 2 is basically an unofficial mod or tool that lets players tweak the look of in-game items or heroes, unlocking skins they don’t actually own. But here’s the catch: downloading these from sketchy places is super risky. These programs are known for hiding malware or snatching your login info. It’s like stepping back in time to the “warez” days, where malware was a common thing in “cracked” software. Every time I see my kids trying to download something like this, I have to have a chat with them. How do you even explain malware to kids? Anyway.

In this case, the attackers took advantage of that temptation. They packaged their malware as a fake “Dota2 skinchanger” tool. The malicious file, dotaskinchanger.exe, was found inside a ZIP archive named dota_skinchanger.zip (SHA-256: caa8ffe9723...e940a3). The archive was distributed with a text file containing a password (file named “PASSWORD_0208”, SHA-256: 62e2d97974...e6abe) needed to extract the main EXE. This password-protected ZIP tactic is deliberate: by requiring a user to manually enter a password (in this case “0208”), the malware can evade automated scanners and sandboxes that don’t unpack encrypted archives. Both the ZIP and the EXE within it have been observed in the wild across the same regions mentioned above, and have been uploaded to VirusTotal hundreds of times, indicating widespread distribution.

Unpacking the Trojan: “Kepavll” aka Salat Stealer

Once extracted and run, dotaskinchanger.exe does not grant any new skins; instead, it deploys multi-purpose malware. Microsoft Defender detects this file with the generic signature Trojan:Win32/Kepavll!rfn, and multiple antivirus engines concur: the sample we analyzed was detected by 53 of 72 AV scanners on VirusTotal. The malware has been identified by the community as part of the “Salat Stealer” family, a name derived from the /sa1at/ path seen in its network traffic (more on that shortly). Behavioral analysis showed YARA rules triggering on “SalatStealer” and even an embedded XMRig cryptominer payload.

Once running, the malware exhibits typical info-stealer behavior: it attempts to exfiltrate sensitive data such as saved credentials and browser cookies, and it searches the victim’s system for cryptocurrency wallet strings. We aren't going to do the typical malware breakdown blog post; instead we'll link to one by DeXpose. One analysis noted “found many strings related to crypto-wallets (likely being stolen)”, indicating the stealer is hunting for keys or addresses to steal. In our case, the victim whose machine triggered the alert had their Steam session compromised within minutes of running the fake skin changer: the user’s Steam account was hijacked and valuable Dota 2 cosmetic items were stolen. Clearly, the malware operators are aiming to steal any profitable asset (gaming items, cryptocurrency, credentials) and possibly to monetize further by mining cryptocurrency in the background.

C2 Infrastructure: posholnahuy[.]ru, pidorasina[.]ru and Cloudflare Evasion

After infecting a system, the malware establishes contact with its Command-and-Control servers. In our case, it reached out to URLs under the path /sa1at/ on the domain posholnahuy[.]ru, and we also observed traffic to a second domain, pidorasina[.]ru, with the same /sa1at/ path. Both domain names are crude Russian phrases (roughly translated, “go f*** yourself” and a slur, respectively). These domains are part of a broader cluster of malicious infrastructure attributed to a Russian-speaking group known as NyashTeam, which is known for spreading malware via fake game cheats and cracks. In fact, security researchers recently reported that NyashTeam maintained an extensive network of hundreds of .ru domains for malware distribution and C2.

Crucially, both posholnahuy[.]ru and pidorasina[.]ru use Cloudflare name servers and are proxied through Cloudflare’s reverse proxy. This means the malware’s traffic goes to Cloudflare’s servers (IP addresses in Cloudflare’s ranges), which then forward it to the attacker’s hidden backend. Using Cloudflare helps threat actors in several ways: it masks the true origin server’s IP, provides TLS certificates (the traffic is HTTPS), and blends malicious traffic with legitimate Cloudflare CDN traffic. In our analysis, the malware made HTTPS requests to https://posholnahuy[.]ru/sa1at/<random> URLs, which resolved to Cloudflare IPs. These domains and URLs have been explicitly flagged as malicious C2 by threat intelligence sources. For example, Abuse.ch’s ThreatFox lists https://posholnahuy[.]ru/sa1at/ as a botnet C2 URL associated with an “Unknown Stealer” (SalatStealer). Correspondingly, community IDS rules were created to detect any HTTP traffic containing Host: posholnahuy[.]ru together with the /sa1at/ path, as well as DNS queries for pidorasina[.]ru. These rules are not from Cisco Talos and therefore are not part of the official ruleset, but we still recommend deploying at least the first one if you run Snort 3 or above.

It’s worth noting that the attackers added a further trick: DNS over HTTPS. We observed the malware querying Cloudflare’s DNS resolver (1.1.1.1) via HTTPS for domains such as websalat[.]top and sa1at[.]ru, bypassing the host’s configured resolver. This behavior underscores the malware’s design to hide its network footprint within normal-looking Cloudflare traffic.
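To make the network-side detections above concrete, here is an added example (our illustration, not the community Snort/Suricata rules themselves and not ThreatSTOP product code) that applies the same matching logic to constructed log records: the Host-header-plus-/sa1at/-path check, DNS queries for the C2 domains, and two checks the text motivates but the community rules do not cover, TLS SNI matching and HTTPS connections to Cloudflare’s DoH resolver. The key=value log format, the client and server addresses, and the assumption that the monitored network does not legitimately use DoH are all constructed for the example.

```python
"""Network-side detection logic for the Salat Stealer C2 indicators described above.

Added example, not ThreatSTOP code or the community IDS rules: it replays the
matching the described rules perform (Host header + /sa1at/ path, DNS queries
for the C2 domains) over constructed log records, and adds TLS SNI matching and
DNS-over-HTTPS detection. Every log line below is constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("posholnahuy[.]ru") into the form seen in logs."""
    return ioc.replace("[.]", ".").lower()


# Indicators taken from the write-up, stored refanged.
C2_DOMAINS = {refang(d) for d in ("posholnahuy[.]ru", "pidorasina[.]ru",
                                   "websalat[.]top", "sa1at[.]ru")}
C2_PATH_PREFIX = "/sa1at/"
# Cloudflare's public DoH resolver. Assumption for this example: the monitored
# network does not use DoH on purpose, so any client reaching it is suspect.
DOH_ENDPOINTS = {"1.1.1.1", "1.0.0.1", "cloudflare-dns.com"}


@dataclass(frozen=True)
class Alert:
    rule: str
    client: str
    detail: str


def domain_matches(name: str, watchlist: set[str]) -> bool:
    """True if `name` is a watchlisted domain or a subdomain of one (no substring hits)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watchlist)


# Constructed log format: one record per line, space-separated key=value pairs.
_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> dict[str, str]:
    return dict(_KV_RE.findall(line))


def inspect_record(rec: dict[str, str]) -> Alert | None:
    """Apply the detections to one record; return the first matching alert, if any."""
    kind, client = rec.get("type"), rec.get("src", "?")
    if kind == "dns" and domain_matches(rec.get("qname", ""), C2_DOMAINS):
        return Alert("c2-dns-query", client, rec["qname"])
    if kind == "tls":
        sni = rec.get("sni", "")
        if domain_matches(sni, C2_DOMAINS):
            return Alert("c2-tls-sni", client, sni)
        if rec.get("dst") in DOH_ENDPOINTS or sni.lower() in DOH_ENDPOINTS:
            return Alert("doh-to-cloudflare", client, f"{rec.get('dst')} sni={sni}")
    if kind == "http":
        host, uri = rec.get("host", ""), rec.get("uri", "")
        # Both conditions are required, as in the community rule: the /sa1at/
        # path on its own is too generic to alert on.
        if domain_matches(host, C2_DOMAINS) and uri.startswith(C2_PATH_PREFIX):
            return Alert("c2-http-sa1at", client, host + uri)
    return None


def scan(log_text: str) -> list[Alert]:
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = inspect_record(parse_record(line))
            if alert:
                alerts.append(alert)
    return alerts


def hosts_to_remediate(alerts: list[Alert]) -> dict[str, list[str]]:
    """Group alerts by client so responders get one ticket per infected host.
    A client whose only signal is DoH use is left out: that alone is weak evidence."""
    by_client: dict[str, list[str]] = defaultdict(list)
    for a in alerts:
        by_client[a.client].append(a.rule)
    return {c: r for c, r in by_client.items() if set(r) != {"doh-to-cloudflare"}}


# Constructed sample telemetry; 203.0.113.0/24 is documentation space, not Cloudflare.
SAMPLE_LOG = """\
type=dns src=10.0.0.15 qname=posholnahuy.ru qtype=A
type=tls src=10.0.0.15 dst=203.0.113.10 sni=posholnahuy.ru
type=http src=10.0.0.15 host=posholnahuy.ru uri=/sa1at/Jk3x9qL method=POST
type=tls src=10.0.0.15 dst=1.1.1.1 sni=cloudflare-dns.com
type=dns src=10.0.0.22 qname=www.dota2.com qtype=A
type=tls src=10.0.0.22 dst=203.0.113.20 sni=store.steampowered.com
type=http src=10.0.0.9 host=cdn.example.com uri=/sa1at/ method=GET
type=dns src=10.0.0.31 qname=update.pidorasina.ru qtype=A
type=dns src=10.0.0.40 qname=notposholnahuy.ru qtype=A
type=tls src=10.0.0.50 dst=1.0.0.1 sni=
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"[{a.rule}] {a.client} {a.detail}")
    print("remediate:", hosts_to_remediate(found))
```

Two details matter in practice. Domain matching is suffix-on-a-label-boundary, so notposholnahuy.ru does not match, and subdomains such as update.pidorasina.ru do; the /sa1at/ path alone never fires without a matching Host, mirroring the community rule. The DoH check is deliberately a weak signal: it is useful as corroboration for a host that also hit a C2 indicator, but on its own it only tells you something bypassed your resolver.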

Detection Shortfalls: AV vs. Network Monitoring

While many antivirus vendors detected this file, network-based detection was lagging. At the time of our investigation, we found no official rules in public IDS/IPS rulesets (such as the Snort or Suricata community rulesets) specifically flagging this malware’s traffic. In other words, an organization that relied solely on IDS/IPS or network firewall signatures might not have caught the C2 traffic to posholnahuy[.]ru or recognized dotaskinchanger.exe as malicious. The use of Cloudflare further complicated detection: an analyst watching network logs might see only TLS connections to Cloudflare IPs, which by itself is not suspicious, and the domain name might never appear in those logs (if DNS over HTTPS is used and the TLS SNI is not inspected). Only with full DNS logging, SNI inspection, or decrypted TLS inspection would the malicious domain be visible. Indeed, the first alerts for this incident came from DNS telemetry, not from any perimeter IDS. Relying on IP blocking would not have helped at all, since the IPs belong to Cloudflare.

This highlights a common scenario: endpoint protection did its job on many machines (quarantining the Trojan on execution), but where an endpoint was unprotected or the malware evaded it, the network monitoring layers needed to pick up the slack.

Layered Defense: How Protective DNS Foiled the Attack

Thankfully, our Protective DNS service acted as a crucial safety net. It detected the unusual DNS activity to posholnahuy[.]ru and blocked the domain at the DNS layer for all customers, preventing infected machines from reaching the C2 or downloading anything else. Protective DNS blocks resolution of known malicious domains, similar to how a web filter blocks URLs: once posholnahuy[.]ru was identified as a C2, any device protected by our DNS service was prevented from resolving it, cutting off the malware’s communication channel. We confirmed that several customers had machines attempting to phone home to posholnahuy[.]ru and pidorasina[.]ru, but those DNS queries were blocked in real time, preventing the C2 connection. As a result, the Trojan’s command retrieval and data exfiltration failed, and the infected hosts could be identified and remediated.

Just a friendly reminder that if these organizations had relied only on endpoint or IDS alerts, the C2 traffic might have slipped through the cracks. The malware’s use of Cloudflare and the absence of an IPS signature allowed it to lurk quietly in the background. By using a layered defense strategy, combining endpoint AV, network IDS, and Protective DNS, our customers had several opportunities to spot the threat. In this case, DNS-based blocking was the ultimate safeguard once other defenses were bypassed. Even the malware’s attempt to hide DNS lookups through Cloudflare’s resolver was spotted by our DNS monitoring. Our solution gives us that visibility, which an organization without DNS logging might have missed.

Conclusion: Lessons Learned

This incident serves as a reminder that attackers will leverage any popular trend – even game mods – to distribute malware. The fake Dota 2 skin changer Trojan spread by enticing gamers with free cosmetics, only to steal their data and digital goods. For defenders, several takeaways are clear:

  • Defense in Depth is critical: No single security layer catches everything. In our case, endpoint antivirus caught many instances, but only DNS monitoring illuminated the full scope of the campaign. Ensure you have overlapping controls (endpoint, network, DNS, etc.) so that if one fails, others can still protect you.

  • DNS is a valuable sensor and enforcement point: The DNS spike was the early warning of compromise, and DNS blocking immediately neutralized the threat’s C2. Monitoring DNS traffic for anomalies (like a 165% jump to an obscure .ru domain) and using a protective DNS service to block malicious domains can drastically reduce incident impact.

  • Beware of tools from unverified sources: This goes for end-users and enterprises alike – whether it’s a game cheat, “cracked” software, or any free utility, if it’s not from a reputable source, assume it could be malware. User education is vital: had our victim known the risks (account theft, etc.), they might not have run the skin changer. Remind your community that if something seems too good to be true (e.g., free expensive skins), it probably is.
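The two DNS-side controls this post leans on, the volume spike that raised the first alert and the Protective DNS block that cut off the C2, are easy to show end to end. The following is an added example (our illustration, not ThreatSTOP’s detection pipeline or resolver): it buckets constructed DNS query logs into hourly windows, flags domains whose newest window exceeds their earlier baseline by a threshold, and replays the log through an RPZ-style policy that refuses resolution for flagged or threat-intel-listed domains. The log format, the client addresses, the query volumes, the two-label registrable-domain heuristic, and the thresholds are all assumptions made for the example.

```python
"""Spike detection over DNS telemetry plus a protective-DNS block decision.

Added example, not ThreatSTOP's pipeline: buckets constructed DNS query logs into
hourly windows, flags domains whose newest-window volume exceeds their earlier
baseline by a threshold (the 165% jump in the write-up is this kind of signal),
and shows the RPZ-style decision a protective resolver makes for blocked names.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 3600        # aggregate queries per hour
MIN_BASELINE_QUERIES = 20    # percentages on tiny counts are noise; require a floor
SPIKE_THRESHOLD_PCT = 100.0  # alert when the newest window is >100% above baseline


def registrable_domain(qname: str) -> str:
    """Collapse host.sub.example.ru -> example.ru. Assumption: two-label suffixes;
    a real deployment should use the Public Suffix List (co.uk and friends)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dns_log(log_text: str) -> list[tuple[int, str, str]]:
    """Constructed format: '<ISO-8601 timestamp> <client ip> <qname>' per line."""
    records = []
    for line in log_text.splitlines():
        if line.strip():
            ts, client, qname = line.split()
            epoch = int(datetime.fromisoformat(ts).timestamp())
            records.append((epoch, client, registrable_domain(qname)))
    return records


def bucket_counts(records: list[tuple[int, str, str]]) -> dict[str, Counter]:
    """{domain: Counter({window_start_epoch: query_count})}"""
    counts: dict[str, Counter] = defaultdict(Counter)
    for epoch, _client, domain in records:
        counts[domain][epoch - epoch % WINDOW_SECONDS] += 1
    return counts


def find_spikes(records: list[tuple[int, str, str]]) -> dict[str, float]:
    """Domains whose newest window exceeds the mean of all earlier windows by
    SPIKE_THRESHOLD_PCT, returned as {domain: percent_increase}."""
    counts = bucket_counts(records)
    windows = sorted({w for per_window in counts.values() for w in per_window})
    newest, earlier = windows[-1], windows[:-1]
    spikes = {}
    for domain, per_window in counts.items():
        earlier_total = sum(per_window.get(w, 0) for w in earlier)
        if not earlier or earlier_total < MIN_BASELINE_QUERIES:
            continue  # no baseline, or too rare for a percentage to mean anything
        baseline = earlier_total / len(earlier)
        pct = (per_window.get(newest, 0) - baseline) / baseline * 100
        if pct > SPIKE_THRESHOLD_PCT:
            spikes[domain] = round(pct, 1)
    return spikes


def resolver_policy(qname: str, blocklist: set[str]) -> str:
    """RPZ-style decision made before a query is forwarded upstream."""
    return "NXDOMAIN" if registrable_domain(qname) in blocklist else "resolve"


def respond(records: list[tuple[int, str, str]], blocklist: set[str]) -> dict[str, list[str]]:
    """Replay the log through the policy; returns {blocked domain: [clients refused]},
    which doubles as the list of hosts to remediate."""
    refused: dict[str, set[str]] = defaultdict(set)
    for _epoch, client, domain in records:
        if resolver_policy(domain, blocklist) == "NXDOMAIN":
            refused[domain].add(client)
    return {d: sorted(c) for d, c in refused.items()}


def make_sample_log() -> str:
    """Constructed telemetry: four hourly windows of queries from five clients."""
    base = datetime(2025, 3, 7, 0, 0, tzinfo=timezone.utc)
    plan = {  # qname: queries per hourly window 0..3
        "steamcommunity.com": [50, 50, 50, 52],   # steady, benign
        "posholnahuy.ru": [10, 10, 10, 28],       # +180% in the newest window
        "cdn.websalat.top": [1, 1, 1, 5],         # +400% but too rare to trust
    }
    lines = []
    for qname, per_window in plan.items():
        for hour, n in enumerate(per_window):
            for i in range(n):
                ts = base.replace(hour=hour, minute=i % 60)
                lines.append(f"{ts.isoformat()} 10.0.0.{10 + i % 5} {qname}")
    return "\n".join(lines)


if __name__ == "__main__":
    records = parse_dns_log(make_sample_log())
    spikes = find_spikes(records)
    print("spiking domains:", spikes)
    # Block what spiked plus domains threat intel already names as C2 (from the write-up).
    blocklist = set(spikes) | {"pidorasina.ru", "websalat.top"}
    print("refused queries by domain:", respond(records, blocklist))
```

The MIN_BASELINE_QUERIES floor is the part worth copying: a rare domain going from one query to five is a 400% jump that means nothing, so the anomaly detector stays quiet on websalat.top and it is only blocked because threat intelligence already lists it. That is the layering the bullets above describe: the spike detector finds the loud domain, the curated blocklist covers the quiet ones, and the resolver refuses both before the client ever gets an address.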

In summary, our investigation into posholnahuy[.]ru revealed a covert malware operation exploiting Dota 2 fans. Thanks to proactive telemetry and our Protective DNS solution, we detected and blocked the threat before further damage was done. We will continue to monitor the evolving infrastructure (the presence of multiple domains like pidorasina[.]ru, websalat[.]top, etc. suggests the attackers may rotate domains) and ensure they are contained. This case reinforces that a multi-layered security strategy – including modern DNS security – is an effective approach to catching novel threats that might slip past traditional defenses.

For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers! Get started with a Demo today!

Connect with Customers, Disconnect from Risks.

MITRE ATT&CK Mapping for This Campaign

Tactic | Technique | ID | Observed in Campaign
Initial Access | User Execution: Malicious File | T1204.002 | Victims tricked into running dotaskinchanger.exe disguised as a skin changer
Execution | Command and Scripting Interpreter / User Execution | T1059 / T1204 | Malware EXE launched by user
Persistence | Boot or Logon Autostart Execution | T1547 | Likely (typical for stealer families; further analysis ongoing)
Defense Evasion | Obfuscated Files or Information (password-protected archive) | T1027 | Archive required a password, bypassing automated scanning
Credential Access | Credentials from Password Stores: Credentials from Web Browsers | T1555.003 | Stealing saved browser credentials and Steam session tokens
Discovery | Query Registry / File and Directory Discovery | T1012 / T1083 | Identifying wallet files and system info
Collection | Archive Collected Data | T1560 | Packaging stolen data for exfiltration
Exfiltration | Exfiltration Over C2 Channel | T1041 | Data sent to /sa1at/ endpoints at posholnahuy[.]ru / pidorasina[.]ru
Command & Control | Application Layer Protocol: Web Protocols | T1071.001 | Encrypted C2 traffic hidden inside HTTPS via Cloudflare
Command & Control | Encrypted Channel / Proxy | T1573 / T1090 | Cloudflare used to mask attacker C2 and blend in with normal traffic
Impact | Resource Hijacking | T1496 | XMRig cryptominer component observed