Electron Bot: Malware in Microsoft Store infects over 5,000 machines

Sicherheit (Pexels, allgemeine Nutzung)[German]Security vendor Check Point has come across a new type of malware that enables a complete takeover of systems through a backdoor. In addition, the malware can take control of social media accounts from Facebook, Google and Sound Cloud. The malware was spread via games offered for download in the official Microsoft Store. And the tragic thing is that virus scanners like Microsoft Defender did not detect this malware.


German blog reader Lucifer pointed to this discovery by CheckPoint in the discussion area (thanks for that), which is described in this blog post dated February 24, 2022. Subsequent tweet also addresses this malware. 

Electron Bot Malware

Check Point Research (CPR) has come across the malware, which has been actively spread via Microsoft's official store and has already affected more than 5,000 computers. The security researchers call the new malware Electron Bot – in reference to the C&C domain of the last campaign Electron-Bot[.]s3[.]eu-central-1[.]amazonaws.com.

Electron Bot is a modular SEO poisoning malware used for social media promotion and click fraud. It is mainly distributed via Microsoft Store platform and is stuck in dozens of infected applications. It mostly involves popular games like "Temple Run" or "Subway Surfer", which are constantly uploaded by the attackers.

The malware can constantly execute new commands from the attackers via C&C servers. This includes controlling social media accounts on Facebook, Google and Sound Cloud. The malware can register new accounts, log in, comment and "like" other posts. The attackers can use the installed malware as a backdoor to gain full control over the victim's computer. Most victims are from Sweden, Bulgaria, Russia, Bermuda and Spain.

Active since 2018, virus protection tricked out

The attackers' activities started as early as the end of 2018 with an ad click campaign, according to Check Point Research. The malware in question hid in the Microsoft Store as an app called "Album by Google Photos," pretending to be published by Google LLC. The malware has been constantly evolving over the years as attackers add new features and techniques.


The bot was created using Electron, a framework for building cross-platform desktop applications using web scripts. The framework combines the Chromium rendering engine and the Node.js runtime, giving it the capabilities of a browser driven by scripts such as JavaScript.

To avoid detection, most of the scripts that drive the malware are dynamically loaded from the attackers' servers at runtime. This allows the attackers to modify the malware's payload and change the bots' behavior at any time. If the user loads an infected Elektron app from the Microsoft Store, a dropper later starts downloading the malware and installs it.

The dropper first checks whether an antivirus product is installed on the infected computer. For this purpose, a list of hard-coded antivirus products is matched. If an antivirus product is found, the script stops its execution. As a result, the malware could not be detected by antivirus software such as Microsoft Defender or VirusTotal. The details – including how to detect and remove the malware – can be found in this article.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software, Windows and tagged , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *