A sophisticated Windows-based malware known as “Blitz” has recently been observed targeting Windows servers and desktops, utilizing an advanced infection chain to deploy a Monero cryptocurrency miner.
Blitz, first detected in late 2024 and updated in early 2025, highlights the growing trend of cybercriminals leveraging trusted developer platforms to orchestrate attacks and monetize compromised systems.
The most recent Blitz campaign distributed malicious payloads via backdoored game cheats, specifically targeting users of the popular mobile game “Standoff 2.”
Malware authors, using the handle “sw1zzx” on Telegram and other social channels, lured victims with ZIP archives such as Nerest_CrackBy@sw1zzx_dev.zip and Elysium_CrackBy@sw1zzx_dev.zip.

These contained Windows executable files that appeared to be legitimate cheats but were weaponized to begin the malware download chain.
Upon execution, these EXE files performed anti-analysis and anti-virtualization checks, displaying fake errors in sandboxed environments to evade detection.
If no sandbox was detected, the cheat would fetch the next malware stage via an obfuscated PowerShell command, leveraging Pastebin for redirection and hosting.
C2 Infrastructure Leveraging Hugging Face Spaces
A notable and novel aspect of the Blitz infrastructure is its abuse of Hugging Face Spaces, an AI-focused code repository, to host both malware payloads and provide command-and-control (C2) services.
The Blitz downloader and bot both communicate with FastAPI-based REST endpoints hosted on Hugging Face, where payloads like the Blitz bot and an XMRig Monero miner DLL are delivered on-demand.
The malware establishes persistence through multiple Windows Registry modifications, including HKCU\Environment\UserInitMprLogonScript and HKCU\Software\Microsoft\Windows\CurrentVersion\Run, ensuring the payload executes upon system login.
Technical Analysis of Blitz Payloads
Blitz operates in a two-stage process. The first-stage downloader (commonly saved as ieapfltr.dll) checks for internet connectivity and performs anti-sandboxing routines before retrieving the second-stage payload, the Blitz bot, from the hosted Hugging Face Space.

According to Palo Alto Networks’ Unit 42 Report, the downloader injects the bot directly into the RuntimeBroker.exe process to bypass security controls.
The second-stage Blitz bot is a modular payload capable of keylogging, screenshot capture, file upload/download, and injecting arbitrary code.
It utilizes embedded curl code for secure communications and employs mutexes to avoid duplicate infections.
Notably, upon execution, the bot exfiltrates hardware GUIDs, usernames, and base64-encoded working directory info to the C2 server.
If the bot determines that a Monero miner is not already running (via mutex checks), it downloads and injects an obfuscated XMRig miner into explorer.exe, immediately beginning illicit crypto-mining activity.
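A defender-side hunting check for the registry persistence locations described above and the two mutex names listed in the IOC table, added here as an example; it is not code from the article or from the Unit 42 analysis. It assumes the mutexes may live in either the session-local or the Global\ namespace (the article does not say which), and it treats a Run entry that references the ieapfltr.dll filename or that launches rundll32/powershell from a user-writable path as suspicious, which is a heuristic of my own rather than something the article states.

```powershell
# Hunting script for Blitz persistence and mutex indicators (added example, not from the report).
# Assumption: mutexes may be session-local or prefixed with Global\; both are checked.
$Findings = @()

# Registry persistence locations named in the article.
$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$LogonKey  = 'HKCU:\Environment'
$LogonName = 'UserInitMprLogonScript'

# UserInitMprLogonScript is rarely set legitimately, so any value is worth reviewing.
$logon = Get-ItemProperty -Path $LogonKey -Name $LogonName -ErrorAction SilentlyContinue
if ($logon) {
    $Findings += [pscustomobject]@{ Type = 'Registry'; Location = "$LogonKey\$LogonName"; Detail = $logon.$LogonName }
}

# Heuristic (my assumption): flag Run entries naming the downloader file ieapfltr.dll,
# or launching rundll32/powershell from a user-writable directory.
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSDrive, ...)
        $cmd = [string]$prop.Value
        $fromUserDir = ($cmd -match '(?i)rundll32|powershell') -and ($cmd -match '(?i)\\Users\\|\\AppData\\|\\Temp\\')
        if ($cmd -match '(?i)ieapfltr\.dll' -or $fromUserDir) {
            $Findings += [pscustomobject]@{ Type = 'Registry'; Location = "$RunKey\$($prop.Name)"; Detail = $cmd }
        }
    }
}

# Mutex names from the IOC table. OpenExisting throws when the mutex is absent.
$Mutexes = @{
    '7611646b02ffd5de6cb3f41d0721f2ba' = 'Blitz bot'
    '9bdcf5f16cb8331241b2997ef88d2a67' = 'XMRig miner'
}
foreach ($name in $Mutexes.Keys) {
    foreach ($full in @($name, "Global\$name")) {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($full)
            $m.Dispose()
            $Findings += [pscustomobject]@{ Type = 'Mutex'; Location = $full; Detail = $Mutexes[$name] }
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # Not present: nothing to report.
        } catch [System.UnauthorizedAccessException] {
            # The mutex exists but cannot be opened from this context; still evidence of presence.
            $Findings += [pscustomobject]@{ Type = 'Mutex'; Location = $full; Detail = "$($Mutexes[$name]) (access denied)" }
        }
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No Blitz persistence or mutex indicators found.' }
```

Run it in the context of the logged-on user whose HKCU hive you want to inspect; a mutex hit while no miner process is visible is itself a reason to look for injected code in explorer.exe.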
Collectively, over 289 infected hosts were identified as of April 2025, with the highest concentration in Russia, followed by Ukraine, Belarus, and Kazakhstan. Smaller outbreaks were also noted in Europe, North Africa, Asia, and North America.
Hugging Face has since locked the accounts used to distribute Blitz and blocked related blob IDs.
The malware author has publicly announced their departure and released a removal tool; however, experts recommend cautious manual remediation.
Security vendors such as Palo Alto Networks have deployed specific threat signatures and recommend users avoid downloading cracked software, especially game cheats frequently leveraged in such attack chains.
Blitz’s abuse of trusted platforms and game-related social engineering highlights the evolving sophistication of financially motivated malware campaigns targeting the Windows ecosystem.
Security teams are advised to remain vigilant and update detection rules to identify such advanced multistage threats.
Indicators of Compromise (IOC)
| Type | Value / Description |
|---|---|
| C2 Domains | e445a00fffe335d6dac0ac0fe0a5accc-9591beae439b860-b5c7747.hf[.]space; swizxx-blitz-net.hf[.]space |
| Hugging Face Space | huggingface[.]co/spaces/e445a00fffe335d6dac0ac0fe0a5accc/9591beae439b860a9cf93b26b2dc97e0 |
| Mutex Names | 7611646b02ffd5de6cb3f41d0721f2ba (Blitz bot); 9bdcf5f16cb8331241b2997ef88d2a67 (XMRig miner) |
| Key URLs | pastebin[.]com/raw/FSziK5eW (hashes); pastebin[.]com/raw/RzLEd17Z (redirector); paste[.]rs/ABNe6 (downloader) |
| File Hashes (selected) | Blitz Bot: ae2f4c49f73f6d88b193a46cd22551bb31183ae6ee79d84be010d6acf9f2ee57; XMRig: 47ce55095e1f1f97307782dc4903934f66beec3476a45d85e33e48d63e1f2e15 |
| Telegram Channel | t[.]me/sw1zzx_dev |