<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p>We recently observed a sudden <span><strong>165% spike in DNS requests</strong></span> to the domain <span><strong>posholnahuy[.]ru</strong></span>, primarily from Spain, Portugal, Ukraine, Russia, and Kyrgyzstan. This unusual traffic led us to investigate the domain’s activity, uncovering an ongoing malware campaign. The domain was registered in <a href="https://radar.cloudflare.com/domains/domain/posholnahuy.ru" rel="noopener" target="_blank">February 2025</a> and is fronted by Cloudflare’s infrastructure. By tracing the DNS queries back to their source processes, we discovered a <span><strong>suspicious executable</strong></span> named <span><strong>“dotaskinchanger.exe”.</strong></span> This file claimed to be a <i>“Dota 2 Skin Changer”</i> tool but was in fact malware. The surge in traffic corresponded with infections by this fake skin changer, as infected machines attempted to beacon out to the posholnahuy[.]ru C2. &nbsp;</p> <!--more--><p>They say never to publish a blog post on a Friday, but we figured this was interesting enough to send out!</p> <h3><strong>The Lure: Dota 2 and “Skin Changer” Mods</strong></h3> <p><span><strong>Dota 2</strong></span> is a hugely popular online game (a MOBA by Valve, released in 2013) with millions of players worldwide. While the game itself is free-to-play, Valve monetizes it by selling cosmetic items and skins that alter hero appearances. These cosmetic skins can be quite valuable, driving some players to seek unofficial methods to unlock them for free. A “skin changer” for Dota 2 is basically an unofficial mod or tool that lets players tweak the look of in-game items or heroes,&nbsp;unlocking skins they don’t actually own. But here’s the catch: downloading these from sketchy places is super risky. These programs are known for hiding malware or snatching your login info. It’s like stepping back in time to the “warez” days, where malware was a common thing in “cracked” software. Every time I see my kids trying to download something like this, I have to have a chat with them. How do you even explain malware to kids? Anyway.</p> <p>In this case, the attackers took advantage of that temptation. They packaged their malware as a fake <i>“Dota2 skinchanger” </i>tool. The malicious file, <span><strong>dotaskinchanger.exe</strong></span>, was found inside a ZIP archive named <span><strong>dota_skinchanger.zip</strong></span> (SHA-256: <a href="https://www.virustotal.com/gui/file/caa8ffe972315962b8ba4cede7d8cd195c74aa824ff837e7eb8fd152eca940a3" rel="noopener" target="_blank">caa8ffe9723...e940a3)</a>. The archive was distributed with a text file containing a password (file named “PASSWORD_0208”, SHA-256: <a href="https://www.virustotal.com/gui/file/62e2d97974d176cdafa4d899b76638686508143247afa628426a21e4987e6abe/detection" rel="noopener" target="_blank">62e2d97974...e6abe</a>) needed to extract the main EXE. This <span><strong>password-protected ZIP tactic</strong></span> is deliberate, requiring a user to manually enter a password (in this case “0208”), the malware can evade some automated scanners and sandboxes that don’t unpack archives. Both the ZIP and the EXE within it have been observed in the wild across the same regions mentioned above, and in fact <span style="font-weight: normal;">have been uploaded to VirusTotal hundreds of times</span>&nbsp;indicating widespread distribution.</p> <h3><strong>Unpacking the Trojan: “Kepavll” aka Salat Stealer</strong></h3> <p>Once extracted and run, the <span><strong>dotaskinchanger.exe</strong></span> does <i>not</i> grant any new skins,&nbsp;instead, it deploys a multi-purpose malware. Microsoft Defender detects this file with the generic signature <span><strong>Trojan:Win32/Kepavll!rfn. </strong></span>Multiple antivirus engines concur: the sample we analyzed was detected by <span style="font-weight: normal;">53 out of 72 AV scanners on VirusTotal.</span> The malware has been identified by the community as part of the <span><strong>“Salat Stealer”</strong></span> family, a name derived from the <span>/sa1at/</span> path seen in its network traffic (more on that shortly). A behavioral analysis showed Yara rules triggering on <i>“SalatStealer”</i> and even an embedded <span><strong>XMRig cryptominer</strong></span> payload.&nbsp;</p> <p>Once running, the malware exhibits typical info-stealer behavior: it attempts to <span><strong>exfiltrate sensitive data</strong></span> such as saved credentials, browser cookies, and even searches for cryptocurrency wallet strings on the victim’s system. We aren't going to do the typical malware breakdown blog post, instead we'll link to one by <a href="https://blog.dexpose.io/understanding-salatstealer-features-and-impact/" rel="noopener" target="_blank">DeXpose</a>. <a href="https://bazaar.abuse.ch/sample/f7e4a23b2a33e1cf5f86edf3b52b68e6466e13f4f5b181eea136249c14085f29/" rel="noopener" target="_blank">One analysis</a> noted <i>“found many strings related to crypto-wallets (likely being stolen)”</i>, indicating the stealer is hunting for keys or addresses for theft. In our case, the victim whose machine triggered the alert had their Steam session compromised within minutes of running the fake skin changer, the user’s Steam account was hijacked and valuable Dota 2 cosmetic items were stolen. Clearly, the malware operators are aiming to steal any profitable assets (gaming items, cryptocurrency, credentials) and possibly monetize further by mining cryptocurrency in the background.</p> <h3><strong>C2 Infrastructure: posholnahuy[.]ru, pidorasina[.]ru and Cloudflare Evasion</strong></h3> <p>After infecting a system, the malware establishes contact with its <span style="font-weight: normal;">Command-and-Control servers</span>. In our case, it reached out to URLs under the path <span><strong>/sa1at/</strong></span> on the domain <span><strong>posholnahuy[.]ru</strong></span>, and we also observed traffic to a second domain <span><strong>pidorasina[.]ru</strong></span> with the same <span>/sa1at/</span> path. Both domain names are crude Russian phrases (roughly translated, <i>“go f</i>** yourself”* and a slur, respectively). These domains are part of a broader cluster of malicious infrastructure attributed to a Russian-speaking group known as <span><strong>NyashTeam</strong></span>, which is known for spreading malware via fake game cheats and cracks. In fact, <a href="https://1275.ru/ioc/nyashteam-kak-kiberprestupniki-prodayut-vredonosnoe-po-pod-vidom-bezobidnyh-uslug_13334" rel="noopener" target="_blank">security researchers recently reported</a> that NyashTeam maintained an extensive network of hundreds of .ru domains for malware distribution and C2.</p> <p>Crucially, both posholnahuy[.]ru and pidorasina[.]ru are <span style="font-weight: normal;">proxied through Cloudflare</span> name servers. This means the malware’s traffic is going to Cloudflare’s servers (IP addresses in Cloudflare’s ranges) which then forward it to the attacker’s hidden backend. Using Cloudflare can help threat actors in several ways: it masks the true origin server’s IP, provides SSL certificates (the traffic is HTTPS), and can blend malicious traffic with legitimate Cloudflare CDN traffic. In our analysis, the malware made <span style="font-weight: normal;">HTTPS requests</span> to https://posholnahuy[.]ru/sa1at/&lt;random&gt; URLs, which resolved to Cloudflare IPs. These domains and URLs have been explicitly flagged as malicious C2 by threat intelligence sources. For example, Abuse.ch’s ThreatFox lists <i>https://posholnahuy[.]ru/sa1at/</i> as a <span style="font-weight: normal;">botnet C2 URL</span> associated with an <a href="https://threatfox.abuse.ch/browse/tag/SalatStealer/" rel="noopener" target="_blank">“Unknown Stealer” (SalatStealer)</a>. Correspondingly, <a href="https://rules.evebox.org/rule/abuse.ch/threatfox/91544719" rel="noopener" target="_blank">community IDS rules</a> were created to detect any HTTP traffic containing Host: posholnahuy[.]ru and the /sa1at/ path, as well as <a href="https://rules.evebox.org/rule/abuse.ch/threatfox/91544721" rel="noopener" target="_blank">DNS queries</a> for pidorasina[.]ru. &nbsp;While the rules are not from Cisco Talos, and therefore not part of the official ruleset, we still recommend deploying at least the first one if you have Snort 3 or above.</p> <p>It’s worth noting that the attackers attempted a further trick: DNS over HTTPS. We observed the malware querying Cloudflare’s DNS resolver (1.1.1.1) via HTTPS for certain domains like <span>websalat[.]top</span> and <span>sa1at[.]ru</span>. The presence of such behavior underscores the malware’s design to <span style="font-weight: normal;">hide its network footprint</span> within normal-looking Cloudflare traffic.</p> <h3><strong>Detection Shortfalls: AV vs. Network Monitoring</strong></h3> <p>While many antivirus vendors detected this file, it appears that <span style="font-weight: normal;">network-based detection was lagging</span>. At the time of our investigation, we found <i>no official rules in public IDS/IPS databases (like Snort or Suricata community rulesets)</i> specifically flagging this malware’s traffic. In other words, an organization that relied <span><strong>solely on IDS/IPS or network firewall signatures might not have caught the C2 traffic</strong></span> to posholnahuy[.]ru or recognized dotaskinchanger.exe as malicious. The use of Cloudflare further complicated detection,&nbsp;an analyst watching network logs might just see TLS connections to Cloudflare IPs, which by itself is not suspicious, and the domain name might be encrypted (if DNS over HTTPS is used or if SNI is not inspected). Only with full DNS logging or decrypted TLS inspection would the malicious domain be visible. Indeed, the <span style="font-weight: normal;">first alerts for this incident came from DNS telemetry,</span> not from any perimeter IDS. &nbsp;Relying on IP blocking would not have helped at all.</p> <p>This highlights a common scenario: endpoint protection did its job on many machines (quarantining the Trojan on execution), but if an endpoint was unprotected or the malware evaded it, the <span style="font-weight: normal;">network monitoring layers<span style="font-weight: bold;">&nbsp;</span>needed to pick up the slack</span>.&nbsp;</p> <h3><strong>Layered Defense: How Protective DNS Foiled the Attack</strong></h3> <p>Thankfully, our Protective DNS service acted as a crucial safety net. It detected unusual DNS activity to posholnahuy[.]ru and blocked it at the DNS layer for all customers, preventing the infection from downloading anything else. Protective DNS blocks domain resolutions for known malicious domains, similar to how a web filter blocks URLs. posholnahuy[.]ru was identified as a C2, and any device protected by our DNS service was prevented from resolving that domain, cutting off the malware’s communication channel. We confirmed that several customers had machines attempting to phone home to posholnahuy[.]ru and pidorasina[.]ru, but those DNS queries were blocked in real time, preventing the C2 connection. As a result, the Trojan’s commands and data exfiltration failed, and the infected hosts could be identified and remediated.</p> <p>Just a friendly reminder that if these organizations had only relied on endpoint or IDS alerts, the C2 traffic might have slipped through the cracks. The malware’s clever use of Cloudflare and its absence of an IPS signature allowed it to quietly lurk in the background. By using a layered defense strategy, like combining endpoint AV, network IDS, and Protective DNS, our customers had several opportunities to spot the threat. In this case, DNS-based blocking was the ultimate safeguard once other defenses were bypassed. Even the malware’s attempt to hide DNS lookups through Cloudflare’s resolver was spotted by our DNS monitoring. Our solution gives us that visibility, which an organization without DNS logging might have missed.</p> <h3><strong>Conclusion: Lessons Learned</strong></h3> <p>This incident serves as a reminder that <span style="font-weight: normal;">attackers will leverage any popular trend – even game mods – to distribute malware.</span> The fake Dota 2 skin changer Trojan spread by enticing gamers with free cosmetics, only to steal their data and digital goods. For defenders, several takeaways are clear:</p> <ul> <li> <p><span><strong>Defense in Depth is critical:</strong></span> No single security layer catches everything. In our case, endpoint antivirus caught many instances, but only DNS monitoring illuminated the full scope of the campaign. Ensure you have overlapping controls (endpoint, network, DNS, etc.) so that if one fails, others can still protect you.</p> </li> <li> <p><span><strong>DNS is a valuable sensor and enforcement point:</strong></span> The DNS spike was the early warning of compromise, and DNS blocking immediately neutralized the threat’s C2. Monitoring DNS traffic for anomalies (like a 165% jump to an obscure .ru domain) and using a protective DNS service to block malicious domains can drastically reduce incident impact.</p> </li> <li> <p><span><strong>Beware of tools from unverified sources:</strong></span> This goes for end-users and enterprise alike – whether it’s a game cheat, a “cracked” software, or any free utility, if it’s not from a reputable source, assume it could be malware. User education is vital: had our victim known the risks (account theft, etc.), they might not have run the skin changer. Remind your community that if something seems too good (e.g., free expensive skins), it probably is.</p> </li> </ul> <p>In summary, our investigation into posholnahuy[.]ru revealed a covert malware operation exploiting Dota 2 fans. Thanks to proactive telemetry and our Protective DNS solution, we detected and <span><strong>blocked the threat before further damage was done</strong></span>. We will continue to monitor the evolving infrastructure (the presence of multiple domains like pidorasina.ru, websalat.top, etc. suggests the attackers may rotate domains) and ensure they are contained. This case reinforces that a multi-layered security strategy – including modern DNS security – is an effective approach to catching novel threats that might slip past traditional defenses. <span></span><span></span></p> <p><strong>For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our </strong><a href="/threatstop-platform" rel="noopener" target="_blank"><strong>product page</strong></a><strong>. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers! <a href="https://admin.threatstop.com/register?hsLang=en" rel="noopener" target="_blank">Get started with a Demo today!</a></strong></p> <p><strong>Connect with Customers, Disconnect from Risks.</strong></p> <h3><strong>MITRE ATT&amp;CK Mapping for This Campaign</strong></h3> <p>&nbsp;</p> <table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2;"> <thead> <tr> <th> <p><strong>Tactic</strong></p> </th> <th> <p><strong>Technique</strong></p> </th> <th> <p><strong>ID</strong></p> </th> <th> <p><strong>Observed in Campaign</strong></p> </th> </tr> </thead> <tbody> <tr> <td> <p>Initial Access</p> </td> <td> <p>User Execution: Malicious File</p> </td> <td> <p>T1204.002</p> </td> <td> <p>Victims tricked into running <span>dotaskinchanger.exe</span>disguised as a skin changer</p> </td> </tr> <tr> <td> <p>Execution</p> </td> <td> <p>Command and Scripting Interpreter / Binary Execution</p> </td> <td> <p>T1059 / T1204</p> </td> <td> <p>Malware EXE launched by user</p> </td> </tr> <tr> <td> <p>Persistence</p> </td> <td> <p>Boot or Logon Autostart Execution</p> </td> <td> <p>T1547</p> </td> <td> <p>Likely (typical for stealer families; further analysis ongoing)</p> </td> </tr> <tr> <td> <p>Defense Evasion</p> </td> <td> <p>Encrypted/Obfuscated Files (Password-Protected Archive)</p> </td> <td> <p>T1027.004</p> </td> <td> <p>Archive required password to bypass automated scanning</p> </td> </tr> <tr> <td> <p>Credential Access</p> </td> <td> <p>Credential Dumping / Credential Theft from Web Browsers</p> </td> <td> <p>T1555.003</p> </td> <td> <p>Stealing saved browser credentials and Steam session tokens</p> </td> </tr> <tr> <td> <p>Discovery</p> </td> <td> <p>Query Registry / File and Directory Discovery</p> </td> <td> <p>T1012 / T1083</p> </td> <td> <p>Identifying wallet files and system info</p> </td> </tr> <tr> <td> <p>Collection</p> </td> <td> <p>Archive Collected Data</p> </td> <td> <p>T1560</p> </td> <td> <p>Packaging stolen data for exfiltration</p> </td> </tr> <tr> <td> <p>Exfiltration</p> </td> <td> <p>Exfiltration Over Command and Control Channel</p> </td> <td> <p>T1041</p> </td> <td> <p>Data sent to <span>/sa1at/</span> endpoints at posholnahuy[.]ru / pidorasina[.]ru</p> </td> </tr> <tr> <td> <p>Command &amp; Control</p> </td> <td> <p>Application Layer Protocol: HTTPS</p> </td> <td> <p>T1071.001</p> </td> <td> <p>Encrypted C2 traffic hidden inside HTTPS via Cloudflare</p> </td> </tr> <tr> <td> <p>Command &amp; Control</p> </td> <td> <p>Encrypted Channel / Use of Trusted Third-Party Infrastructure</p> </td> <td> <p>T1573 / T1090</p> </td> <td> <p>Cloudflare used to mask attacker C2 and blend in with normal traffic</p> </td> </tr> <tr> <td> <p>Impact</p> </td> <td> <p>Resource Hijacking</p> </td> <td> <p>T1496</p> </td> <td> <p>XMRig cryptominer component observed</p> </td> </tr> </tbody> </table> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p></span>
