Windows Bot Malware "Blitz" Abuses Hugging Face Services

    Date: 04/28/2025

    Severity: High

    Summary

    Since 2024, we have been monitoring a Windows bot malware known as "Blitz." Its infection chain involves multiple stages: an initial dropper, a downloader, and the main botnet component. The likely infection vectors are backdoored game cheats in recent samples and installer files in older ones, with the cheats promoted via the threat actor’s Telegram channel. The attacker also abuses Hugging Face’s AI app directory, "Spaces," to host the malware and manage command-and-control (C2) operations, ultimately aiming to deploy a cryptocurrency miner on compromised systems.

    Indicators of Compromise (IOC) List

    Domains/URLs :

    huggingface.co/spaces/e445a00fffe335d6dac0ac0fe0a5accc/9591beae439b860a9cf93b26b2dc97e0

    huggingface.co/spaces/e445a00fffe335d6dac0ac0fe0a5accc/2c5dd233ee36705a817b323471be2fe5

    huggingface.co/spaces/swizxx/blitz.net

    e445a00fffe335d6dac0ac0fe0a5accc-9591beae439b860-b5c7747.hf.space

    swizxx-blitz-net.hf.space

    pool.supportxmr.com

    t.me/sw1zzx_dev

    youtube.com/@sw1zzzx

    tiktok.com/@sw1zzxx

    IP Address : 

    176.65.137.44

    Hash : 

    6a55b7b01a8f7001e0e654f5feddcd0561b3694bcd2a9f9ca3e5f5e33dbbfc11

    8ed77eb6cd203e20b467d308bf7ee5213cbb2c055c4896b0af04e323bf67b887

    ce1940eb26f0609fc25aaecbf998d01f5a7d5420c91bfe5c4b710d057981850c

    056fb07672dac83ef61c0b8b5bdc5e9f1776fc1d9c18ef6c3806e8fb545af78c

    14467edd617486a1a42c6dab287ec4ae21409a5dc8eb46d77b853427b67d16d6

    1697daef685ce47578e44e2d19fa8e01c755de7fa297716b89e764ea046db1a0

    1bd55796ec712a98cf30fac404b29fcb2cdaa355cb596edcc12d8fbd918b4138

    1d9f12e356367c533ef756ab74d70fc537a580ec5ab904a4d583cebe0b89b4c4

    2007069b32bb9a7f87298fe3c1a87443c21f187ab8465c5b4a1505f0e5c7b898

    23086a1d207166154a1b1451f3174f7c5f5299dd4385d83fd8199833ce34325f

    5ef29d6d4f72e62e0d5a1d0b85eed70b729cd530c8cb2745c66a25f5b5c7299e

    5fc132b054099a1a65f377a3a22b003a6507107f3095371b44dbf5e098b02295

    a34a4a7c71de2d4ec4baf56fd143d27eeedebb785a2ba3e0740b92e62efd81ea

    aa5cd0219e8a0bd2e7d6c073f611102d718387750198bff564c20ca7ebada309

    b18e21e50f1c346c83c4cba933b6466ada22febaafa25c03ac01122a12164375

    bedeafd3680cad581a619fb58aa4f57ed991c4a8dd94df46ef9cbd08a8dd6052

    cacc1f36b3817e8b48fabbb4b4bd9d2f1949585c2f5170e3d2d04211861ef2ac

    ae2f4c49f73f6d88b193a46cd22551bb31183ae6ee79d84be010d6acf9f2ee57

    47ce55095e1f1f97307782dc4903934f66beec3476a45d85e33e48d63e1f2e15

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs :

    domainname like "pool.supportxmr.com" or url like "pool.supportxmr.com" or siteurl like "pool.supportxmr.com" or domainname like "huggingface.co/spaces/e445a00fffe335d6dac0ac0fe0a5accc/9591beae439b860a9cf93b26b2dc97e0" or url like "huggingface.co/spaces/e445a00fffe335d6dac0ac0fe0a5accc/9591beae439b860a9cf93b26b2dc97e0" or siteurl like "huggingface.co/spaces/e445a00fffe335d6dac0ac0fe0a5accc/9591beae439b860a9cf93b26b2dc97e0" or domainname like "huggingface.co/spaces/e445a00fffe335d6dac0ac0fe0a5accc/2c5dd233ee36705a817b323471be2fe5" or url like "huggingface.co/spaces/e445a00fffe335d6dac0ac0fe0a5accc/2c5dd233ee36705a817b323471be2fe5" or siteurl like "huggingface.co/spaces/e445a00fffe335d6dac0ac0fe0a5accc/2c5dd233ee36705a817b323471be2fe5" or domainname like "e445a00fffe335d6dac0ac0fe0a5accc-9591beae439b860-b5c7747.hf.space" or url like "e445a00fffe335d6dac0ac0fe0a5accc-9591beae439b860-b5c7747.hf.space" or siteurl like "e445a00fffe335d6dac0ac0fe0a5accc-9591beae439b860-b5c7747.hf.space" or domainname like "swizxx-blitz-net.hf.space" or url like "swizxx-blitz-net.hf.space" or siteurl like "swizxx-blitz-net.hf.space" or domainname like "t.me/sw1zzx_dev" or url like "t.me/sw1zzx_dev" or siteurl like "t.me/sw1zzx_dev" or domainname like "youtube.com/@sw1zzzx" or url like "youtube.com/@sw1zzzx" or siteurl like "youtube.com/@sw1zzzx" or domainname like "tiktok.com/@sw1zzxx" or url like "tiktok.com/@sw1zzxx" or siteurl like "tiktok.com/@sw1zzxx" or domainname like "huggingface.co/spaces/swizxx/blitz.net" or url like "huggingface.co/spaces/swizxx/blitz.net" or siteurl like "huggingface.co/spaces/swizxx/blitz.net"

    IP Address : 

    dstipaddress IN ("176.65.137.44") or srcipaddress IN ("176.65.137.44")

    Hash : 

    sha256hash IN ("a34a4a7c71de2d4ec4baf56fd143d27eeedebb785a2ba3e0740b92e62efd81ea","6a55b7b01a8f7001e0e654f5feddcd0561b3694bcd2a9f9ca3e5f5e33dbbfc11","5ef29d6d4f72e62e0d5a1d0b85eed70b729cd530c8cb2745c66a25f5b5c7299e","14467edd617486a1a42c6dab287ec4ae21409a5dc8eb46d77b853427b67d16d6","bedeafd3680cad581a619fb58aa4f57ed991c4a8dd94df46ef9cbd08a8dd6052","47ce55095e1f1f97307782dc4903934f66beec3476a45d85e33e48d63e1f2e15","056fb07672dac83ef61c0b8b5bdc5e9f1776fc1d9c18ef6c3806e8fb545af78c","1d9f12e356367c533ef756ab74d70fc537a580ec5ab904a4d583cebe0b89b4c4","8ed77eb6cd203e20b467d308bf7ee5213cbb2c055c4896b0af04e323bf67b887","ce1940eb26f0609fc25aaecbf998d01f5a7d5420c91bfe5c4b710d057981850c","b18e21e50f1c346c83c4cba933b6466ada22febaafa25c03ac01122a12164375","aa5cd0219e8a0bd2e7d6c073f611102d718387750198bff564c20ca7ebada309","2007069b32bb9a7f87298fe3c1a87443c21f187ab8465c5b4a1505f0e5c7b898","1697daef685ce47578e44e2d19fa8e01c755de7fa297716b89e764ea046db1a0","1bd55796ec712a98cf30fac404b29fcb2cdaa355cb596edcc12d8fbd918b4138","23086a1d207166154a1b1451f3174f7c5f5299dd4385d83fd8199833ce34325f","5fc132b054099a1a65f377a3a22b003a6507107f3095371b44dbf5e098b02295","cacc1f36b3817e8b48fabbb4b4bd9d2f1949585c2f5170e3d2d04211861ef2ac","ae2f4c49f73f6d88b193a46cd22551bb31183ae6ee79d84be010d6acf9f2ee57")
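    The queries above are written for the Gurucul TDIR platform. For teams that need to run the same IOCs over raw telemetry, the following Python script (an added example, not Gurucul or Unit 42 tooling) sweeps constructed proxy, connection and DNS records plus a file-hash inventory for the indicators listed on this page. Two points it makes explicit: the Hugging Face Spaces indicators are host-plus-path prefixes, so a domain-only match on huggingface.co would flag every legitimate Space, and prefix matching must respect the path boundary so that "blitz.net" does not also hit "blitz.network". The record formats, workstation names, file paths and the benign sample entries are invented; only the IOCs are taken from the list above, and the SHA-256 set is a subset of that list.

```python
"""Sweep constructed proxy, connection and DNS records plus a file-hash
inventory for the Blitz IOCs listed above. Added illustration only; the
record formats, host names such as ws-0117 and file paths are invented."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# IOCs copied from the list above. Spaces URLs are matched as host + path
# prefixes because huggingface.co itself is legitimate.
IOC_HOSTS = {
    "swizxx-blitz-net.hf.space",
    "e445a00fffe335d6dac0ac0fe0a5accc-9591beae439b860-b5c7747.hf.space",
    "pool.supportxmr.com",
}
IOC_URL_PREFIXES = (
    "huggingface.co/spaces/e445a00fffe335d6dac0ac0fe0a5accc/9591beae439b860a9cf93b26b2dc97e0",
    "huggingface.co/spaces/e445a00fffe335d6dac0ac0fe0a5accc/2c5dd233ee36705a817b323471be2fe5",
    "huggingface.co/spaces/swizxx/blitz.net",
    "t.me/sw1zzx_dev",
    "youtube.com/@sw1zzzx",
    "tiktok.com/@sw1zzxx",
)
IOC_IPS = {"176.65.137.44"}
# Subset of the SHA-256 list above; extend with the remaining hashes.
IOC_SHA256 = {
    "6a55b7b01a8f7001e0e654f5feddcd0561b3694bcd2a9f9ca3e5f5e33dbbfc11",
    "8ed77eb6cd203e20b467d308bf7ee5213cbb2c055c4896b0af04e323bf67b887",
    "47ce55095e1f1f97307782dc4903934f66beec3476a45d85e33e48d63e1f2e15",
}


def normalize_url(url: str) -> str:
    """Lowercase the host, drop scheme, 'www.', query, fragment and trailing slashes."""
    if "://" not in url:
        url = "http://" + url
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    path = re.sub(r"/+$", "", parts.path)
    return host + path


def match_url(url: str) -> Optional[str]:
    """Return the IOC a URL matches, or None."""
    norm = normalize_url(url)
    host = norm.split("/", 1)[0]
    if host in IOC_HOSTS:
        return host
    for prefix in IOC_URL_PREFIXES:
        # Exact or path-boundary match only, so blitz.net never hits blitz.network.
        if norm == prefix or norm.startswith(prefix + "/"):
            return prefix
    return None


# Constructed record shapes (invented, not a real product's log format).
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
CONN_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<name>\S+)$")


def scan_network_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source host, matched IOC) for every record touching a Blitz indicator."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            ioc = match_url(m["url"])
            if ioc:
                hits.append((m["src"], ioc))
            continue
        m = CONN_RE.match(line)
        if m and m["dst"] in IOC_IPS:
            hits.append((m["src"], m["dst"]))
            continue
        m = DNS_RE.match(line)
        if m and m["name"].lower().rstrip(".") in IOC_HOSTS:
            hits.append((m["src"], m["name"].lower().rstrip(".")))
    return hits


def scan_hash_inventory(records: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """records: (path, sha256) pairs, e.g. from an EDR file-inventory export."""
    return [(path, h) for path, h in records if h.lower() in IOC_SHA256]


# Constructed sample telemetry (not real observations).
SAMPLE_LOG = [
    "2025-04-26T09:14:02Z ws-0117 GET https://huggingface.co/spaces/swizxx/blitz.net/resolve/main/update.bin 200",
    "2025-04-26T09:14:05Z ws-0117 POST https://Swizxx-Blitz-Net.hf.space/api/cmd 200",
    "2025-04-26T09:15:40Z ws-0117 -> 176.65.137.44:443",
    "2025-04-26T09:16:11Z ws-0042 GET https://huggingface.co/spaces/someuser/gradio-demo 200",
    "2025-04-26T09:20:33Z ws-0042 query pool.supportxmr.com.",
]
SAMPLE_INVENTORY = [
    (r"C:\Users\gamer\Downloads\cheat_loader.exe",
     "6A55B7B01A8F7001E0E654F5FEDDCD0561B3694BCD2A9F9CA3E5F5E33DBBFC11"),
    (r"C:\Windows\System32\notepad.exe", "0" * 64),
]

if __name__ == "__main__":
    for src, ioc in scan_network_log(SAMPLE_LOG):
        print(f"network hit: {src} -> {ioc}")
    for path, digest in scan_hash_inventory(SAMPLE_INVENTORY):
        print(f"hash hit: {path} ({digest})")
```

    Hostnames are compared case-insensitively and with a trailing dot stripped, because DNS logs frequently record the fully qualified form; hashes are lowercased before lookup since EDR exports differ in case. The benign Space in the sample log produces no hit, while the four Blitz records do.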

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-04-25-IOCs-for-Blitz-malware.txt


    Tags

    Malware, Threat Actor, Blitz, Backdoor, Exploit, Financial Services
