Trojanized WinDirStat & LightShot apps load a Go DLL backconnect proxy, using C2, yamux multiplexing, and Microsoft Store distribution to abuse system
blog.lukeacha.com
Executive Summary
I analyzed a suspicious Microsoft Store utility package, focusing in particular on a WinDirStat impersonator. The analysis combined manual reverse engineering and runtime testing with AI-assisted workflows using REMnux MCP, Malcat MCP with Claude, and automated sandbox analysis.
The application presented itself as a normal Electron-based utility but loaded a native Go DLL, client.dll, through koffi, a Node.js FFI library. Dynamic testing showed that this DLL registers with remote helper infrastructure and then enters a server-controlled heartbeat loop.
Static analysis, debugger strings, and independent tooling confirmed embedded backconnect/proxy components, including server/src/backconnect/* source paths, yamux multiplexing references, machine-ID fingerprinting, and proxy/session strings. Related samples and YARA pivots suggest the same payload family appears across multiple utility-themed Microsoft Store packages, including WinDirStat and LightShot impersonators.
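The two pieces of evidence above (a koffi load of a native library in the Electron JavaScript, and backconnect/yamux/Go strings inside that library) are the kind of thing worth checking mechanically on every package in the family. The script below is an added example written for this post, not tooling from the analysis and not code from the impersonator packages. It scans unpacked Electron JavaScript for `koffi.load()` calls and `lib.func()` prototypes, then scans a native library for the string indicators named in the summary. Both inputs are constructed samples: the JavaScript, its path, and the `Start`/`Stop` exports are hypothetical, and the fake DLL bytes only carry the indicator strings (the `github.com/hashicorp/yamux` symbol path is an assumption about how the yamux reference would appear, not a string recovered from the real sample).

```python
"""Triage helpers for an Electron package that loads a native DLL via koffi.

Two checks, each runnable offline on the constructed samples below:
  1. find_koffi_loads(): scan unpacked Electron JavaScript for koffi.load()
     calls and the C prototypes declared with lib.func(), so the analyst
     knows which native library is pulled in and which exports are called.
  2. scan_go_backconnect_indicators(): scan a native library for the string
     indicators the analysis pivoted on (Go build marker, yamux, backconnect
     source paths) and report them with offsets for a YARA or report pivot.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: roughly what an unpacked Electron main-process script
# looks like when it loads a DLL through koffi. The path and the export names
# (Start/Stop) are hypothetical, not recovered from the real package.
SAMPLE_JS = r"""
const koffi = require('koffi');
const path = require('path');
const lib = koffi.load(path.join(process.resourcesPath, 'client.dll'));
const Start = lib.func('int Start(const char *config)');
const Stop = lib.func('void Stop()');
setTimeout(() => Start(JSON.stringify(cfg)), 3000);
"""

# Constructed sample: a fake "client.dll" body carrying the kind of strings a
# Go backconnect payload leaves behind. These are not bytes from the real sample;
# the hashicorp/yamux symbol path is an assumption about how yamux would show up.
SAMPLE_DLL = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"Go build ID: \"abc123\"\x00"
    + b"github.com/hashicorp/yamux.(*Session).AcceptStream\x00"
    + b"server/src/backconnect/session.go\x00"
    + b"server/src/backconnect/proxy.go\x00"
    + b"\x00" * 32
)

KOFFI_LOAD = re.compile(r"\bkoffi\s*\.\s*load\s*\(")
STRING_LIT = re.compile(r"""['"]([^'"\n]+)['"]""")
FUNC_PROTO = re.compile(r"""\.func\s*\(\s*['"]([^'"\n]+)['"]\s*\)""")
NATIVE_EXT = (".dll", ".so", ".dylib", ".node")

# String indicators from the analysis, in the form they would appear in the binary.
INDICATORS = {
    "go_binary": b"Go build ID:",          # written by the Go linker
    "yamux": b"yamux",                     # multiplexing library reference
    "backconnect_src": b"server/src/backconnect/",  # embedded source paths
}


def _call_args(src: str, open_paren: int) -> str:
    """Return the text between the '(' at open_paren and its matching ')'."""
    depth = 0
    for i in range(open_paren, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
    return src[open_paren + 1:]  # unbalanced: take the rest of the file


@dataclass
class KoffiUsage:
    libraries: list = field(default_factory=list)   # native library file names
    prototypes: list = field(default_factory=list)  # C prototypes passed to lib.func()


def find_koffi_loads(js: str) -> KoffiUsage:
    """Extract native libraries loaded with koffi.load() and the declared exports."""
    usage = KoffiUsage()
    for m in KOFFI_LOAD.finditer(js):
        args = _call_args(js, m.end() - 1)
        # Walk the string literals inside the argument expression: even a
        # path.join() still exposes the library file name as a literal.
        for lit in STRING_LIT.findall(args):
            if lit.lower().endswith(NATIVE_EXT):
                usage.libraries.append(lit)
    usage.prototypes = FUNC_PROTO.findall(js)
    return usage


def scan_go_backconnect_indicators(blob: bytes) -> dict:
    """Return {indicator_name: [offsets]} for every indicator present in blob."""
    hits = {}
    for name, needle in INDICATORS.items():
        offsets = [m.start() for m in re.finditer(re.escape(needle), blob)]
        if offsets:
            hits[name] = offsets
    return hits


def triage(js: str, blob: bytes) -> dict:
    """Combine both checks into a result the report can cite."""
    usage = find_koffi_loads(js)
    hits = scan_go_backconnect_indicators(blob)
    return {
        "libraries": usage.libraries,
        "prototypes": usage.prototypes,
        "indicators": hits,
        # Both halves of the chain present: an FFI loader in the JavaScript and
        # Go backconnect strings in a native library it loads.
        "loader_plus_backconnect": bool(usage.libraries)
        and {"go_binary", "backconnect_src"}.issubset(hits),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_JS, SAMPLE_DLL), indent=2))
```

On a real package, point `find_koffi_loads()` at the JavaScript extracted from the app's asar archive and `scan_go_backconnect_indicators()` at the DLL it names; the prototype list tells you which exports to hook or break on when you move to dynamic testing, and the offsets give you string locations for a YARA rule.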
The strongest conclusion is that these apps act as user-facing decoys and loaders for a Go-based backconnect proxy implant, likely intended to enroll victim systems into proxy infrastructure.