What We Do
How We Do
Get Started

XRed Backdoor: The Hidden Threat in Trojanized Programs

BY eSentire Threat Response Unit (TRU)

February 28, 2024 | 7 MINS READ


Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin

Want to learn more on how to achieve Cyber Resilience?


Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In early February, the eSentire Threat Response Unit (TRU) identified a malicious backdoor disguised as Synaptics.exe (MD5: 54efba3a1e800e0a0cccddc7950476c646935d28), which was detected and quarantined by eSentire MDR. Synaptics (Synaptics Pointing Device Driver) is a software that enables the functionality of touchpads on laptops and other devices.

The backdoor, known as “XRed,” has been in existence since at least 2019. This article highlights the identification of the XRed backdoor, its delivery using trojanized software, and notable persistence and propagation capabilities.

While doing additional research on the backdoor, we found a Twitter post from 2020 by The DFIR Report mentioning the backdoor, attributing it to njRAT (Figure 1). Considering that njRAT is written in C#, we decided to look further to confirm the accuracy.

Figure 1: The mention of XRed backdoor on Twitter

Upon further investigation, it was determined that the malicious binary we received originated from a file named "Windows InstantView.exe". Although the file itself could not be retrieved from the host system, we identified several similar samples on VirusTotal.

Windows InstantView.exe is developed by SiliconMotion (the company that specializes in creating NAND flash controllers for SSDs and various solid-state storage devices) and comes with some USB docks.

Interestingly enough, we found a review on Amazon on one of the USB-C hub products being sold, as shown in Figure 2. The user reported that the binary was flagged by Symantec AV with W32.Zorex and Backdoor.Graybird signatures.

Figure 2: Amazon review on the USB-C Hub being sold

We found a malicious sample named “Windows InstantView.exe” (MD5: 8fe9734738d9851113a7ac5f8f484d29) on VirusTotal with the mentioned signature (Figure 3).

Figure 3: VirusTotal results for Windows InstantView.exe

The trojanized “Windows InstantView.exe” is not signed and has “Synaptics Pointing Device Driver” for Product and Description names (Figure 4).

Figure 4: Trojanized Windows InstantView.exe

The legitimate binary is signed by Silicon Motion, as shown in Figure 5.

Figure 5: Legitimate Windows InstantView.exe binary

Upon executing the trojanized binary, it downloads the legitimate copy of InstantView.exe from siliconmotion[.]com and launches it as a decoy (Figures 6-7).

Figure 6: Decoy InstantView.exe file
Figure 7: Legitimate InstantView executables downloaded and executed as decoy

The trojanized version of Windows InstantView.exe drops Synaptics.exe payload under C:\ProgramData\Synaptics\ that we have mentioned earlier. The folder was hidden to ensure stealthiness (Figure 7).

Figure 8: Hidden Synaptics folder and binary

The payload is embedded within the trojanized binary. The persistence is achieved via the Registry Run Key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) with the value name “Synaptics Pointing Device Driver” and value data “C:\ProgramData\Synaptics\Synaptics.exe”.

Let’s look at Synaptics.exe binary, which is the XRed backdoor. The binary will terminate if the mutex “Synaptics2X” is found, which means only one instance of the binary can be run (Figure 8).

Figure 9: Mutex check

The payload contains the functionality to retrieve additional payload from the URLs that can be hardcoded in the binary as shown in Figure 8. The URLs are currently down.

Figure 10: Additional payloads

The resource “EXEVSNX” contains the version of the payload, which is 106 (Figure 11).

Figure 11: EXEVSNX resource (payload version)

XRed collects system information, including the MAC address, username, and computer name, and transmits this data to the attacker using SMTP to email addresses shown in Figure 12. Additionally, the backdoor features keylogging functionality through keyboard hooking, as illustrated in Figure 13, with key mappings detailed in Figure 14.

Figure 12: Attacker's email addresses
Figure 13: Keyboard hooking
Figure 14: Key mappings

The following remote commands can be executed from attacker’s server (Figure 15):

Figure 15: Remote commands

The XRed backdoor also possesses worm-like USB propagation capabilities. It verifies the presence of an “autorun.inf” file on any inserted drive; if absent, it generates the file and includes the following:

shellexecute= Synaptics.exe

The autorun.inf file is designed to automatically execute the specified payload when the USB drive is inserted into a computer. This behavior leverages the AutoRun feature that was more prominently used in older versions of Windows to launch programs automatically from removable media.

The presence of both open=Synaptics.exe and shellexecute=Synaptics.exe commands in an autorun.inf file indicates an intention to execute system.exe automatically.

It's also worth mentioning that the backdoor has an embedded password-protected VBA script. The script creates a copy of already existing XLSM files on the disk and injects the malicious VBA code into them. The malicious VBA script disables security warnings for VBA macros via the registry, as shown in Figure 16.

Figure 16: VBA script snipper responsible for disabling security warnings

The script then copies Synaptics.exe from %USERPFORILE%/Synaptics and places it under the directory where the legitimate XLSM file exists with a hidden file attribute under the “~$cache1” name (Figure 17).

Figure 17: Snippet that copies malicious Synaptics.exe binary to the directory where XLSM files reside

If none of the specified files are found locally (Figure 18), the macro attempts to download a file from one of the provided URLs (Figure 19). At the moment of writing this article, all of the URLs are offline.

Figure 18: Snippet that checks if Synaptics.exe exists in the specified paths
Figure 19: URLs to retrieve the backdoor from

We assess with high confidence that the developer of the backdoor is a native Turkish speaker, as evidenced by the presence of the Turkish language within the code. We also found multiple payloads potentially related to the same malware developer, you can access the indicators in the Indicators of Compromise section.

What did we do?

What can you learn from this TRU Positive?

Recommendations from our Threat Response Unit (TRU):

Detection Rules

You can access the detection rules here.

Indicators of Compromise

You can access the indicators of compromise here.


eSentire Threat Response Unit (TRU)
eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Read the Latest from eSentire