Supper
aka SocksShell · ZAPCAT
Supper, also known as SocksShell or ZAPCAT, is a 64-bit Windows backdoor and tunnelling utility operated by Vanilla Tempest and first observed in the wild in July 2024.
Background
Supper is a 64-bit Windows backdoor and tunnelling utility first seen in the wild in July 2024. It functions simultaneously as a Remote Access Trojan (RAT) and a SOCKS5 proxy, giving attackers durable access to compromised hosts and a way to relay arbitrary traffic through victim networks.
On launch, it opens a TCP connection to port 443 of a primary C2 endpoint hardcoded in the binary; despite the port, the protocol is not TLS but a custom framing described below. For resilience, a fallback routine can pull alternate C2 IP addresses from an encoded file, %temp%/s01bafg, when the primary server is unreachable. A single TCP connection can carry up to 16,384 simultaneous sessions, each tagged with a 16-bit session ID.
The exchange opens with an unencrypted 300-byte handshake that carries a static bot identifier (0x00691155), system metadata (hostname, domain, OS version, integrity level), and a fixed flag. After that, every packet is wrapped in a 12-byte obfuscated header plus an 8-byte encrypted payload holding two encrypted IP addresses. The header is scrambled with two hardcoded XOR keys, 0x4d4d4d4d4d4d4d4d and 0x4d4d4d4d; since every byte of both keys is 0x4d, the net effect is a bytewise XOR of the whole 12-byte header with 0x4d. The payload uses a non-standard, stateful XOR cipher: each byte is encrypted using a computed offset and a cycling key taken from the header, the key itself being XORed with 0x4d4d4d4d.
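As an added illustration (not Supper's own code and not from Malpedia), the following Python shows how an analyst can strip the header obfuscation described above and locate the static bot identifier in a captured handshake. Only the two XOR keys, the 12-byte header length and the bot ID come from the page; the header field layout, the little-endian encoding and the sample bytes are constructed assumptions for the demonstration.

```python
"""Added example: unmasking Supper's 12-byte packet header and finding the bot ID.

Illustrative code written for this page, not the malware's own routine.
Assumptions not stated by the source: little-endian integer encoding, that the
first 8 header bytes are XORed with 0x4d4d4d4d4d4d4d4d and the last 4 with
0x4d4d4d4d, and the field layout of the constructed sample header.
"""
import struct

HEADER_LEN = 12
KEY64 = 0x4D4D4D4D4D4D4D4D  # hardcoded header key (from the source)
KEY32 = 0x4D4D4D4D          # hardcoded header key (from the source)
BOT_ID = 0x00691155         # static bot identifier sent in the handshake


def unmask_header(raw: bytes) -> bytes:
    """Strip the XOR obfuscation from one 12-byte header.

    XOR is symmetric, so the same call also masks a plaintext header.
    """
    if len(raw) != HEADER_LEN:
        raise ValueError(f"header must be {HEADER_LEN} bytes, got {len(raw)}")
    hi = int.from_bytes(raw[:8], "little") ^ KEY64   # first 8 bytes, 64-bit key
    lo = int.from_bytes(raw[8:], "little") ^ KEY32   # last 4 bytes, 32-bit key
    return hi.to_bytes(8, "little") + lo.to_bytes(4, "little")


def find_bot_id(handshake: bytes) -> int:
    """Return the offset of the static bot ID in an unencrypted handshake, or -1.

    Both byte orders are tried because the source does not state the encoding.
    """
    for enc in (BOT_ID.to_bytes(4, "little"), BOT_ID.to_bytes(4, "big")):
        off = handshake.find(enc)
        if off != -1:
            return off
    return -1


def demo() -> dict:
    """Run the helpers over constructed sample data and return what they produce."""
    # Constructed 300-byte handshake: zero filler with the bot ID at offset 4 and a
    # hostname after it. The real field layout is not documented on this page.
    handshake = bytearray(300)
    handshake[4:8] = BOT_ID.to_bytes(4, "little")
    host = b"WORKSTATION-01"
    handshake[8:8 + len(host)] = host

    # Constructed plaintext header (hypothetical layout: u16, u32, u32, u16 = 12 bytes).
    clear = struct.pack("<HIIH", 0x0001, 0x10, 0xDEADBEEF, 0)
    masked = unmask_header(clear)  # masking and unmasking are the same operation
    return {
        "bot_id_offset": find_bot_id(bytes(handshake)),
        "masked_hex": masked.hex(),
        "round_trip_ok": unmask_header(masked) == clear,
        # Because every key byte is 0x4d, the two-key scheme collapses to a bytewise XOR.
        "bytewise_equiv": masked == bytes(b ^ 0x4D for b in clear),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The bytewise equivalence is the practical takeaway for network detection: a header whose plaintext fields are mostly zero will appear on the wire as runs of 0x4d bytes, which is a far cheaper signal to match than reimplementing the two-key split.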
Its C2 command set covers remote shell execution, session teardown, SOCKS5 proxy actions, self-deletion, and on-the-fly updating of fallback IPs. To run commands, Supper launches a hidden cmd.exe and returns the encrypted output to the C2. Acting as a proxy, it takes operator-supplied connection requests, opens TCP sessions to external destinations, and shuttles data between the target and the attacker, all coordinated through its session multiplexing framework.
On command, or if a C2 session breaks, the malware can remove itself via cmd.exe or schtasks.exe, frequently disguising the cleanup as a scheduled task called "GoogleUpdateTask". That bare name is worth matching exactly: the legitimate Google updater registers tasks such as GoogleUpdateTaskMachineCore and GoogleUpdateTaskMachineUA, so a prefix match would produce false positives. Supper also rewrites the fallback C2 IP store (%temp%/s01bafg) using its own encryption routine.
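As an added example of turning the host-side indicators above into a check (added here, not Malpedia's or the malware's code), the Python below classifies process command lines against the two concrete artefacts the page reports, the "GoogleUpdateTask" task name and the s01bafg fallback file, plus one generic self-deletion heuristic that is not Supper-specific. The log lines are constructed samples, not real telemetry.

```python
"""Added example: flagging Supper's cleanup and fallback-store artefacts in command lines.

Illustrative detection logic written for this page. The task name and file name
come from the source; the sample events are constructed, and the "task action
runs del" rule is a generic self-deletion heuristic, not a Supper-specific fact.
"""
import re

TASK_NAME = "GoogleUpdateTask"   # cleanup task name reported for Supper
FALLBACK_STORE = "s01bafg"       # encoded fallback-C2 file in %temp%

# Constructed process-creation command lines (not real telemetry).
SAMPLE_EVENTS = [
    r'schtasks.exe /create /tn GoogleUpdateTask /tr "cmd.exe /c del C:\Users\bob\AppData\Local\Temp\svc.exe" /sc once /st 00:00',
    r'schtasks.exe /create /tn GoogleUpdateTaskMachineCore /tr "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c" /sc onlogon',
    r'cmd.exe /c type C:\Users\bob\AppData\Local\Temp\s01bafg',
    r'cmd.exe /c whoami',
]

# schtasks passes the task name via /tn, optionally quoted.
_TN_RE = re.compile(r'/tn\s+"?([^"\s]+)"?', re.IGNORECASE)


def classify(cmdline: str) -> list[str]:
    """Return the list of indicator names a single command line triggers."""
    hits: list[str] = []
    low = cmdline.lower()

    m = _TN_RE.search(cmdline)
    # Exact, case-insensitive match: the legitimate updater tasks are
    # GoogleUpdateTaskMachineCore / GoogleUpdateTaskMachineUA and must not fire.
    if m and m.group(1).casefold() == TASK_NAME.casefold():
        hits.append("schtasks task named GoogleUpdateTask")

    if FALLBACK_STORE in low:
        hits.append("references %temp%/s01bafg")

    # Generic heuristic (not from the source): a scheduled task whose action deletes a file.
    if "schtasks" in low and "/tr" in low and re.search(r"\bdel\b", low):
        hits.append("scheduled task whose action runs del")

    return hits


def scan(events: list[str]) -> dict[int, list[str]]:
    """Map event index -> indicators for every event that triggered at least one."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(reasons)}")
```

In a real pipeline the same function would run over Sysmon Event ID 1 or Windows 4688 command lines; the exact-name comparison is what keeps the legitimate GoogleUpdateTaskMachine* tasks out of the results.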
Source: Malpedia (Fraunhofer FKIE).