win.supper

Supper

aka: SocksShell, ZAPCAT

Actor(s): Vanilla Tempest


Supper is a 64-bit Windows backdoor and tunnelling utility first observed in the wild in July 2024. This malware operates as both a Remote Access Trojan (RAT) and a SOCKS5 proxy, offering threat actors persistent access to infected systems and the ability to route arbitrary traffic through victim environments.

Once executed, it establishes a TCP connection over port 443 to its primary C2 endpoint, which is hardcoded in the binary. A fallback mechanism lets the malware retrieve alternate C2 IP addresses from an encoded file, %temp%/s01bafg, so that it stays reachable if the primary server is unavailable. The malware supports up to 16,384 concurrent sessions over a single TCP connection, each uniquely identified by a 16-bit session ID.

Communication begins with an unencrypted 300-byte handshake payload that includes a static bot identifier (0x00691155), system metadata (hostname, domain, OS version, integrity level), and a fixed flag. After the handshake, all network traffic is wrapped in a 12-byte obfuscated header followed by an encrypted 8-byte payload consisting of two encrypted IP addresses. The header is transformed using two hardcoded XOR keys: 0x4d4d4d4d4d4d4d4d and 0x4d4d4d4d. Payload encryption uses a non-standard, stateful XOR cipher: each byte of the message is encrypted based on a calculated offset and a cycling key (XORed with 0x4d4d4d4d) derived from the header.
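The handshake and header traits above are enough to build a first-pass triage helper for packet captures. The following is an added example, not code from Malpedia or from the Supper malware; it assumes things the description does not state, namely that the bot identifier is stored little-endian in the 300-byte handshake, that the 8-byte key covers header bytes 0..7 and the 4-byte key covers bytes 8..11, and that the 16-bit session ID occupies the first two bytes of the de-obfuscated header. Field positions are illustrative, and the sample handshake is constructed.

```python
"""Added example, not code from Malpedia or from the Supper malware itself.

Assumptions not stated on the page: the bot identifier 0x00691155 is stored
little-endian inside the 300-byte handshake; the 12-byte header is
de-obfuscated by XORing its first 8 bytes with 0x4d4d4d4d4d4d4d4d and its last
4 bytes with 0x4d4d4d4d; the 16-bit session ID sits in the first two bytes of
the de-obfuscated header. Field positions are illustrative only.
"""
import struct

BOT_ID = 0x00691155            # static bot identifier from the description
HANDSHAKE_LEN = 300            # unencrypted handshake size
HEADER_LEN = 12                # obfuscated per-message header size
KEY64 = 0x4D4D4D4D4D4D4D4D     # hardcoded XOR key, applied to header bytes 0..7 (assumed split)
KEY32 = 0x4D4D4D4D             # hardcoded XOR key, applied to header bytes 8..11 (assumed split)
MAX_SESSIONS = 16384           # session IDs 0x0000..0x3fff over one TCP connection


def looks_like_handshake(stream_start: bytes) -> bool:
    """True if the first 300 bytes of a TCP stream contain the static bot ID."""
    if len(stream_start) < HANDSHAKE_LEN:
        return False
    return struct.pack("<I", BOT_ID) in stream_start[:HANDSHAKE_LEN]


def deobfuscate_header(header: bytes) -> bytes:
    """Undo the two-key XOR transformation of a 12-byte header."""
    if len(header) != HEADER_LEN:
        raise ValueError("Supper header must be exactly 12 bytes")
    qword, dword = struct.unpack("<QI", header)
    return struct.pack("<QI", qword ^ KEY64, dword ^ KEY32)


def obfuscate_header(plain_header: bytes) -> bytes:
    """XOR is an involution, so the same routine obfuscates a plain header."""
    return deobfuscate_header(plain_header)


def session_id(plain_header: bytes) -> int:
    """Extract the 16-bit session ID and enforce the 16,384-session limit."""
    sid = struct.unpack_from("<H", plain_header, 0)[0]
    if sid >= MAX_SESSIONS:
        raise ValueError(f"session id {sid:#06x} exceeds the 0x3fff limit")
    return sid


def build_sample_handshake() -> bytes:
    """Constructed stand-in for a handshake; hostname, domain, OS and flag values are made up."""
    body = struct.pack("<I", BOT_ID)
    body += b"WKSTN-01\x00CORP\x00Windows 10.0.19045\x00high\x00"
    body += struct.pack("<I", 1)   # 'fixed flag' placeholder, value assumed
    return body.ljust(HANDSHAKE_LEN, b"\x00")


if __name__ == "__main__":
    plain = struct.pack("<HHII", 0x1234, 0, 0, 0)     # constructed plain header, sid 0x1234
    wire = obfuscate_header(plain)
    print("handshake detected:", looks_like_handshake(build_sample_handshake()))
    print("header on wire   :", wire.hex())
    print("session id       :", hex(session_id(deobfuscate_header(wire))))
```

Because both keys are the byte 0x4d repeated, the header transformation collapses to a single-byte XOR with 0x4d regardless of how the two keys are split across the 12 bytes, which is why the 0x4d4d4d4d constants are a useful artefact to look for in memory dumps even when the exact field layout is unknown.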

It supports a range of C2 commands, including remote shell execution, session teardown, SOCKS5 proxy operations, self-deletion, and dynamic updating of the fallback IPs. When executing commands, Supper spawns a hidden cmd.exe instance, encrypts the command output, and forwards it back to the C2 server. As a proxy, it accepts operator-specified connection requests, establishes TCP sessions to external targets, and relays data between the target and the attacker, all managed within the session multiplexing framework.

If instructed, or if a C2 session fails, the malware can delete itself using cmd.exe or schtasks.exe, masquerading the operation as a scheduled task named "GoogleUpdateTask". The file used to store fallback C2 IPs (%temp%/s01bafg) is written by the malware using the same encryption routine.
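The self-deletion and fallback-file behaviour described above leaves host artefacts that can be hunted in process-creation telemetry. The following is an added example, not code from Malpedia or from the malware: it runs three checks over constructed process-creation events (one tab-separated line each: timestamp, image path, command line, a layout chosen for this example rather than any product's native format). The task name, the file name and the use of cmd.exe/schtasks.exe come from the description; the event contents are made up.

```python
"""Added example, not code from Malpedia or from the Supper malware itself.

Host-side hunt for the self-deletion and fallback-file behaviour described
above, run over constructed process-creation events. Sample events are made up.
"""
import re
from dataclasses import dataclass
from typing import List

TASK_NAME = "GoogleUpdateTask"       # scheduled task name from the description
FALLBACK_FILE = "s01bafg"            # fallback C2 IP file kept in %temp%

# Exact task name only: the legitimate Google updater tasks carry longer names
# (GoogleUpdateTaskMachineCore / GoogleUpdateTaskMachineUA), so a bare
# 'GoogleUpdateTask' is the thing worth flagging.
TASK_RE = re.compile(r'/tn\s+"?' + re.escape(TASK_NAME) + r'"?(?=\s|$)', re.I)
FALLBACK_RE = re.compile(r"[\\/]Temp[\\/]" + re.escape(FALLBACK_FILE) + r"\b", re.I)
DEL_IN_TEMP_RE = re.compile(r"\bdel\b.*[\\/]Temp[\\/]", re.I)

SAMPLE_EVENTS = [  # constructed, not real telemetry
    "2024-07-12T10:01:02Z\tC:\\Windows\\System32\\schtasks.exe\t"
    "schtasks /create /tn GoogleUpdateTask /tr \"cmd.exe /c del /f C:\\Users\\u\\AppData\\Local\\Temp\\payload.exe\" /sc once /st 10:02",
    "2024-07-12T10:01:05Z\tC:\\Windows\\System32\\cmd.exe\t"
    "cmd.exe /c ping 127.0.0.1 -n 3 & del C:\\Users\\u\\AppData\\Local\\Temp\\s01bafg",
    "2024-07-12T10:01:09Z\tC:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\t"
    "GoogleUpdate.exe /ua /installsource scheduler",
    "2024-07-12T10:02:00Z\tC:\\Windows\\System32\\schtasks.exe\t"
    "schtasks /create /tn GoogleUpdateTaskMachineUA /tr \"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /ua\" /sc daily",
]


@dataclass
class Finding:
    timestamp: str
    rule: str
    command_line: str


def hunt(events: List[str]) -> List[Finding]:
    """Return one Finding per matched rule per event, in event order."""
    findings: List[Finding] = []
    for line in events:
        try:
            timestamp, image, cmdline = line.split("\t", 2)
        except ValueError:
            continue                                  # malformed line, skip it
        image_name = image.rsplit("\\", 1)[-1].lower()
        if image_name == "schtasks.exe" and TASK_RE.search(cmdline):
            findings.append(Finding(timestamp, "schtasks_googleupdatetask", cmdline))
        if FALLBACK_RE.search(cmdline):
            findings.append(Finding(timestamp, "fallback_file_reference", cmdline))
        if image_name == "cmd.exe" and DEL_IN_TEMP_RE.search(cmdline):
            findings.append(Finding(timestamp, "cmd_delete_in_temp", cmdline))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f.timestamp, f.rule, "::", f.command_line)
```

The third rule (cmd.exe deleting something under Temp) is deliberately the weakest signal and is meant to be corroborated by the other two or by the 12-byte-header traffic on port 443; on its own it will fire on plenty of benign installers.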

References

2026-02-17, CERT.PL, CERT.PL: ClickFix in action: how a fake captcha can encrypt an entire company (families: Latrodectus, Supper)
2026-01-06, Reversing Labs, Robert Simmons: Unpacking the packer ‘pkr_mtsi’ (families: Broomstick, Supper)
2025-11-05, Huntress Labs, Anna Pham: Gootloader Returns: What Goodies Did They Bring? (families: GootLoader, Supper)
2025-06-29, Humpty's RE Blog, cyb3rjerry: Supper is served (families: Supper)
2025-04-16, Sekoia, Sekoia TDR: Interlock ransomware evolving under the radar (families: Interlock, Berserk Stealer, Interlock, Lumma Stealer, Supper)
2025-04-15, Beazley Security Labs, Beazley Security Labs: Hunting Mice In Tunnels II - Fake CAPTCHAs and Ransomware (families: Interlock, Supper)
2025-03-31, VirusTotal: 48157c03bf9731926f9567fe1fabc807bff166241f8d6c27e6308dde68112669 (families: Supper)
2024-11-29, Fortinet, Fred Gutierrez, Shunichi Imano: Ransomware Roundup - Interlock (families: Interlock, Interlock, Supper)
Yara Rules
[TLP:WHITE] win_supper_auto         (20260504 | Detects win.supper.)
rule win_supper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.supper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.supper"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fb610 83ea01 0fb6d2 ff15???????? 8b00 }
            // n = 5, score = 1300
            //   0fb610               | xor                 eax, eax
            //   83ea01               | dec                 eax
            //   0fb6d2               | mov                 ecx, dword ptr [ebx + 8]
            //   ff15????????         |                     
            //   8b00                 | mov                 edx, 1

        $sequence_1 = { 4885c9 74ed 8844242f e8???????? 0fb644242f 48c705????????00000000 }
            // n = 6, score = 1300
            //   4885c9               | dec                 eax
            //   74ed                 | add                 ebx, 1
            //   8844242f             | dec                 eax
            //   e8????????           |                     
            //   0fb644242f           | test                eax, eax
            //   48c705????????00000000     |     

        $sequence_2 = { 4531c0 488b4b08 ba01000000 41ffd4 85c0 }
            // n = 5, score = 1300
            //   4531c0               | movzx               eax, byte ptr [esp + 0x2f]
            //   488b4b08             | mov                 ebx, edx
            //   ba01000000           | dec                 eax
            //   41ffd4               | mov                 esi, ecx
            //   85c0                 | mov                 edx, 0xffffffff

        $sequence_3 = { 488b04d8 4885c0 7408 488338ff }
            // n = 4, score = 1300
            //   488b04d8             | dec                 eax
            //   4885c0               | mov                 eax, dword ptr [eax + ebx*8]
            //   7408                 | dec                 eax
            //   488338ff             | test                eax, eax

        $sequence_4 = { 4885c0 740d 48833800 7407 89d9 e8???????? 4883c301 }
            // n = 7, score = 1300
            //   4885c0               | je                  0xa
            //   740d                 | dec                 eax
            //   48833800             | cmp                 dword ptr [eax], -1
            //   7407                 | dec                 eax
            //   89d9                 | test                eax, eax
            //   e8????????           |                     
            //   4883c301             | je                  0x12

        $sequence_5 = { 4885c0 7416 488b4008 4885c0 }
            // n = 4, score = 1300
            //   4885c0               | dec                 eax
            //   7416                 | cmp                 dword ptr [eax], 0
            //   488b4008             | je                  0xd
            //   4885c0               | mov                 ecx, ebx

        $sequence_6 = { 89d3 4889ce baffffffff 488b0d???????? }
            // n = 4, score = 1300
            //   89d3                 | je                  0x1b
            //   4889ce               | dec                 eax
            //   baffffffff           | mov                 eax, dword ptr [eax + 8]
            //   488b0d????????       |                     

        $sequence_7 = { 31d2 4889cb 31c9 ffd6 4531c0 31d2 }
            // n = 6, score = 1300
            //   31d2                 | dec                 eax
            //   4889cb               | test                eax, eax
            //   31c9                 | dec                 eax
            //   ffd6                 | test                ecx, ecx
            //   4531c0               | je                  0xfffffff2
            //   31d2                 | mov                 byte ptr [esp + 0x2f], al

        $sequence_8 = { e8???????? 488b4510 488b00 4885c0 }
            // n = 4, score = 1100
            //   e8????????           |                     
            //   488b4510             | call                esi
            //   488b00               | inc                 ebp
            //   4885c0               | xor                 eax, eax

        $sequence_9 = { 488b4518 8b00 8945d4 488d55b0 488d45d0 4883c004 }
            // n = 6, score = 300
            //   488b4518             | xor                 edx, edx
            //   8b00                 | inc                 ebp
            //   8945d4               | xor                 eax, eax
            //   488d55b0             | dec                 eax
            //   488d45d0             | mov                 ecx, dword ptr [ebx + 8]
            //   4883c004             | mov                 edx, 1

        $sequence_10 = { e8???????? 4881c440020000 5d c3 55 }
            // n = 5, score = 300
            //   e8????????           |                     
            //   4881c440020000       | xor                 eax, eax
            //   5d                   | dec                 eax
            //   c3                   | mov                 ecx, dword ptr [ebx + 0x10]
            //   55                   | mov                 edx, 1

        $sequence_11 = { e8???????? 488b8580010000 48c74018ffffffff 488b8580010000 488b4008 4883f8ff }
            // n = 6, score = 300
            //   e8????????           |                     
            //   488b8580010000       | mov                 edx, 0xffffffff
            //   48c74018ffffffff     | cmp                 bx, 0x3fff
            //   488b8580010000       | movzx               edx, byte ptr [eax]
            //   488b4008             | sub                 edx, 1
            //   4883f8ff             | movzx               edx, dl

        $sequence_12 = { 80bddb00000000 757b 8b85d4000000 4898 488d148500000000 }
            // n = 5, score = 300
            //   80bddb00000000       | test                al, al
            //   757b                 | je                  0xb
            //   8b85d4000000         | dec                 eax
            //   4898                 | add                 esp, 0x38
            //   488d148500000000     | pop                 ebx

        $sequence_13 = { 48c74010ffffffff 488b4510 488b00 4883f8ff 741a 488b4510 }
            // n = 6, score = 300
            //   48c74010ffffffff     | dec                 eax
            //   488b4510             | cmp                 ebx, 0x4000
            //   488b00               | jne                 0xffffffe1
            //   4883f8ff             | mov                 ebx, edx
            //   741a                 | dec                 eax
            //   488b4510             | mov                 esi, ecx

        $sequence_14 = { 4889c1 e8???????? 85c0 747b 488b45f0 }
            // n = 5, score = 300
            //   4889c1               | mov                 eax, dword ptr [eax]
            //   e8????????           |                     
            //   85c0                 | xor                 ecx, ecx
            //   747b                 | call                esi
            //   488b45f0             | inc                 ebp

        $sequence_15 = { 83bde400000002 750d c785ec00000002000000 eb01 90 8b85ec000000 4881c478010000 }
            // n = 7, score = 300
            //   83bde400000002       | inc                 ecx
            //   750d                 | call                esp
            //   c785ec00000002000000     | test    eax, eax
            //   eb01                 | je                  9
            //   90                   | mov                 ecx, ebx
            //   8b85ec000000         | dec                 eax
            //   4881c478010000       | add                 ebx, 1

    condition:
        7 of them and filesize < 517120
}
[TLP:WHITE] wun_unidentified_119_w0 (20250417 | No description)
rule wun_unidentified_119_w0 {

    meta:
        author = "defender2yara"
        detection_name = "Backdoor:Win64/Supper.A!ldr"
        threat_id = "2147917250"
        type = "Backdoor"
        platform = "Win64: Windows 64-bit platform"
        family = "Supper"
        severity = "Critical"
        info = "ldr: loader component of a malware"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "Low"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.supper"
        malpedia_rule_date = "20250417"
        malpedia_hash = ""
        malpedia_version = "20250417"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $x_1_1 = {48 8b 04 1f 48 33 45 f0 48 89 04 1e e8 ?? ?? ?? ?? 48 3b 45 e0 0f 83 ?? ?? ?? ?? 48 31 c9 51 48 8d}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
[TLP:WHITE] wun_unidentified_119_w1 (20250417 | No description)
rule wun_unidentified_119_w1 {

    meta:
        author = "defender2yara"
        detection_name = "Backdoor:Win64/Supper.B"
        threat_id = "2147920400"
        type = "Backdoor"
        platform = "Win64: Windows 64-bit platform"
        family = "Supper"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "Low"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.supper"
        malpedia_rule_date = "20250417"
        malpedia_hash = ""
        malpedia_version = "20250417"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $x_1_1 = {66 81 7d 10 ff 3f 0f ?? ?? ?? ?? ?? 0f b7 45 10 48 98 48 8d 14 c5 00 00 00 00 48 8d}  //weight: 1, accuracy: Low
        $x_1_2 = {81 7d fc ff 3f 00 00 0f ?? ?? ?? ?? ?? 48 8b 05 5e 3e 02 00 48 85 c0 74 ?? 48 8b 05 52 3e 02 00 48 89 c1 e8}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (1 of ($x*))
}
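The two defender2yara rules above are single hex strings with `??` wildcards, and the first bytes of each `$x_1_1`/`$x_1_2` pattern in wun_unidentified_119_w1 encode a comparison against 0x3fff, the 16,384-session bound from the description (66 81 7d 10 ff 3f is `cmp word ptr [rbp+0x10], 0x3fff`). The following added example, not code from Malpedia, defender2yara or the YARA project, shows what such a hex string actually looks for: a minimal pure-Python matcher for YARA hex strings (full bytes, `??` and nibble wildcards; jumps and alternatives are not handled) run over a constructed byte buffer. The two patterns are copied from the rule; the sample bytes are made up.

```python
"""Added example, not code from Malpedia, defender2yara or the YARA project.

A minimal pure-Python matcher for YARA hex strings, used here to show what the
two strings of rule wun_unidentified_119_w1 look for. The patterns are copied
from that rule; the sample bytes are constructed for this example.
"""
import re
from typing import List

W1_STRINGS = [   # copied from rule wun_unidentified_119_w1
    "{66 81 7d 10 ff 3f 0f ?? ?? ?? ?? ?? 0f b7 45 10 48 98 48 8d 14 c5 00 00 00 00 48 8d}",
    "{81 7d fc ff 3f 00 00 0f ?? ?? ?? ?? ?? 48 8b 05 5e 3e 02 00 48 85 c0 74 ?? 48 8b 05 52 3e 02 00 48 89 c1 e8}",
]
MAX_FILESIZE = 20 * 1024 * 1024        # rule condition: filesize < 20MB
HEXDIGITS = "0123456789abcdef"


def yara_hex_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Translate '{66 81 ?? 3?}' into a zero-width bytes regex, so that
    overlapping occurrences are all reported (YARA reports every offset too)."""
    parts: List[bytes] = []
    for tok in pattern.strip().lstrip("{").rstrip("}").split():
        tok = tok.lower()
        if len(tok) != 2:
            raise ValueError(f"unsupported token {tok!r} (jumps and alternatives not handled)")
        if tok == "??":
            parts.append(b".")                                   # any one byte
        elif "?" in tok:                                         # nibble wildcard, e.g. '4?'
            hi, lo = tok
            cands = [bytes([int(h + l, 16)])
                     for h in (HEXDIGITS if hi == "?" else hi)
                     for l in (HEXDIGITS if lo == "?" else lo)]
            parts.append(b"[" + b"".join(re.escape(c) for c in cands) + b"]")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)


def find_offsets(data: bytes, pattern: str) -> List[int]:
    """All offsets at which the hex string matches, overlapping ones included."""
    return [m.start() for m in yara_hex_to_regex(pattern).finditer(data)]


def rule_w1_matches(data: bytes) -> bool:
    """Same condition as the rule: (filesize < 20MB) and (1 of ($x*))."""
    if len(data) >= MAX_FILESIZE:
        return False
    return any(find_offsets(data, p) for p in W1_STRINGS)


# Constructed instance of $x_1_1: the five '??' bytes are filled with a made-up
# 'jae rel32' (0f 83 + displacement). The leading 'cmp word ptr [rbp+0x10], 0x3fff'
# is the 16,384-session bound described for the family.
_X11_INSTANCE = bytes.fromhex(
    "66817d10ff3f"          # cmp word ptr [rbp+0x10], 0x3fff
    "0f8311223344"          # jae <rel32>  (constructed fill for the five wildcards)
    "0fb74510"              # movzx eax, word ptr [rbp+0x10]
    "4898"                  # cdqe
    "488d14c500000000"      # lea rdx, [rax*8]
    "488d"                  # start of the next lea
)
SAMPLE_FILE = b"MZ" + b"\x00" * 62 + _X11_INSTANCE + b"\x90" * 16   # constructed buffer


if __name__ == "__main__":
    print("offsets :", find_offsets(SAMPLE_FILE, W1_STRINGS[0]))
    print("rule hit:", rule_w1_matches(SAMPLE_FILE))
```

For real scanning use the yara CLI or yara-python against the downloaded rule set; the matcher above is only there to make the wildcard semantics and the `1 of ($x*)` condition concrete, and it shows why the "Low" strings_accuracy in the rule metadata matters: five consecutive wildcard bytes after a common `cmp` leave room for unrelated code to match.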