Back to Feed
MalwareJul 13, 2026

Siggen Backdoor Hits Windows Developers Via Infected Visual Studio Projects

Siggen backdoor targets developers by infecting Visual Studio projects, stealing credentials and crypto.

Summary

A new Windows backdoor named Siggen targets software developers by infecting Visual Studio projects, allowing it to spread through source code and compiled applications. The malware steals credentials, browser cookies, Discord tokens, Telegram data, and cryptocurrency wallet information. It also installs crypto miners and provides remote access to infected systems.

Full text

Security MalwareSiggen Backdoor Hits Windows Developers Via Infected Visual Studio Projects Dr.Web details Siggen Windows backdoor that uses Steam for C2, steals credentials and crypto data and infects Visual Studio projects to spread among developers. byWaqasJuly 13, 20264 minute read Listen to this article 0:00 — ← 10s ▶ Play 10s → Speed 0.75× 1× 1.25× 1.5× 2× Voice Loading voices… Press play to start listening A newly analyzed Windows backdoor, called the Siggen backdoor “BackDoor.Siggen2.5906”, targets software developers by modifying C++ and C# projects, allowing malicious code to spread through source files, compiled applications, and development environments. Doctor Web researchers said the malware can steal passwords, browser cookies, Discord tokens, Telegram data, and cryptocurrency wallet information. It also monitors clipboard activity, provides remote access to infected computers, installs cryptocurrency miners, and inserts malicious code into developer files. Researchers first identified the malware during the final quarter of 2025, and since then its operators have continued updating the code, adding new execution methods and making the malware harder to detect. The Infection Chain The attack begins with infected executable files or malicious Python scripts. In compromised Windows applications, the attackers add a function that runs during the normal startup process and launches PowerShell in the background. PowerShell then downloads the next malware component, allowing the infection to continue. Malicious Python files use a similar process. Their embedded code is encrypted with Fernet, a symmetric encryption method, and hidden behind a long sequence of whitespace characters. Once executed, the scripts decrypt and run code that installs the next malware stage. After reaching a Windows computer, the downloader checks for analysis environments and creates a mutex to prevent duplicate instances from running. It then searches public online services for current command-and-control server information. According to Dr Web’s blog post, attackers also placed server domains inside Steam profiles and stored encrypted address data in public GitHub files. Using established platforms like Steam gives the operators a way to update server information without placing permanent addresses directly inside every malware sample. Once a working server is found, the downloader injects malicious code into one of 41 predefined executables located in the Windows System32 directory. The active server address and malware identifier are then passed to the main backdoor through a named pipe (pipe\VccFrameworkchannel), a Windows communication channel that allows separate processes to exchange data. The Steam profile page with the C2 domain name (Image credit: Dr Web) Backdoor Steals Browser Data, Cryptocurrency Wallet Information and Installs Crypto Miners Once active, the Siggen backdoor lets attackers control the infected computer remotely. They can run commands, download and execute files, search directories, steal selected data, and route traffic through the device using a reverse proxy. The malware also collects account and application data from several common services. Targeted information includes Discord authentication tokens, Telegram Desktop folders, browser passwords, and cookies from Chromium-based browsers including: Brave Edge Opera Chrome Yandex Browser and other It is worth noting that the malware can steal browser credentials in two ways. It either extracts saved data directly or injects code into an active browser process to intercept passwords. The stolen credentials are then stored in local text files before being sent to the attackers. Furthermore, Exodus wallet users face a separate risk. The backdoor locates the wallet’s app.asar file and replaces it with a modified version downloaded from an attacker-controlled server. Malicious JavaScript in that file can intercept recovery phrases when the wallet is unlocked. For context, the app.asar file is an archive used by Electron applications to store much of the app’s code and resources, including JavaScript files, interface components, and application logic. In Exodus, modifying app.asar allows the backdoor to alter how the wallet application behaves. By replacing the legitimate archive with a malicious version, the attackers can insert JavaScript that intercepts a recovery phrase when the wallet is unlocked and sends it to their server. The backdoor also monitors clipboard activity for bank card details and cryptocurrency addresses. When a copied wallet address is found, the malware can replace it with one supplied by the command-and-control server, redirecting any payment to the attackers. Another threat embedded with the Siggen backdoor is that it also runs cryptocurrency mining on a compromised device. This is done when the malware downloads a separate component that installs mining software based on XMRig, T-Rex, or TeamRedMiner. Visual Studio Files Become Malware Carriers Since developers are the primary target of this malware campaign, their workstations undergo additional modifications designed to spread the infection to other projects and computers. The backdoor searches available drives for executable files, Visual Studio configuration data, C++ and C# project files, Windows SDK headers, and Dear ImGui source code. The targeted file types identified by researchers include: .suo .exe .vcxproj .csproj winnetwk.h imgui_impl_win32.cpp Understanding the attack chain If you are a developer, you should inspect unexpected project-file changes, review pre-build commands, scan downloaded source code and binaries, and verify development environments before compiling third-party projects. Although Dr.Web did not identify the initial delivery method, Windows users should avoid downloading files from untrusted third-party sites or opening attachments from unknown senders. Keeping Windows and installed software updated, along with checking suspicious links and files through VirusTotal, can reduce the risk of infection. Waqas I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and tech world. I am also into gaming, reading and investigative journalism. View Posts backdoorCryptocurrencyCybersecurityMalwareScamSiggenSteamSupply ChainTROJANVisual Studio Leave a Reply Cancel reply View Comments (0) Related Posts Read More Security Cyber Attacks Louis Vuitton UK Hit by Cyberattack, Third LVMH Breach in 3 Months Louis Vuitton UK suffers cyberattack exposing customer data, marking the third LVMH breach in 3 months as retail sector faces ongoing security threats. byWaqas Read More Cyber Crime Malware Scams and Fraud New crypto-ransomware encrypts files then disguises them as quarantined Researchers have found a new ransomware which shows your files are quarantined, actually the are not. Trend Micro has… byWaqas Read More Security Cyber Attacks Malware Hackers Exploiting Linux eBPF to Spread Malware in Ongoing Campaign KEY SUMMARY POINTS Cybersecurity researchers Dr. Web have uncovered a new and active Linux malware campaign aimed at… byWaqas Read More Hacking News Data Breaches Security Hackers Leak 270GB of New York Times Data and Source Code on 4Chan The New York Times suffered a major data breach! Leaked data includes source code, user info, and potentially… byDeeba Ahmed

Indicators of Compromise

  • malware — BackDoor.Siggen2.5906
  • domain — steamcommunity.com

Entities

Visual Studio (product)Steam (product)Discord (product)Telegram (product)Exodus wallet (product)Fernet encryption (technology)