URGENT SUPPORT REQUEST: ADVANCED STEALER MALWARE INJECTION INTO KASPERSKY PROCESS (Revised for AI Credit)


Lê Huy Hoàng
Posted

1. Initial Context and Symptoms

  • Infection Vector: Likely initiated by running a cracked tool/software.

  • Symptoms: Received unsolicited Microsoft one-time codes and password reset emails.

  • Security Setup: The affected machine runs Windows 10/11 with Kaspersky running in real-time (no alerts).

2. Technical Findings (Forensics)

The following critical findings were discovered not through manual user inspection, but through an AI-assisted diagnostic process:

  • AI-Guided Diagnostics: I used an AI Assistant to analyze suspicious system behavior after initial self-detection failed. The AI guided me through terminal commands (such as netstat -ano and tasklist) to map network connections to running processes.

  • Crucial Discovery (The Compromise):

    • The diagnostic process identified a highly suspicious external connection associated with PID 5752.

    • Mapping PID 5752 confirmed it belongs to the Kaspersky (32 bit) process.

    • The connection was directed to a foreign, non-Kaspersky IP: 81.19.104.253 (in Russia).

    • Conclusion: This provides strong evidence that a Stealer/Trojan malware used Process Injection to hide and operate within the trusted Kaspersky process space, thus neutralizing the protection and exfiltrating data.

3. Damage Assessment and Actions Taken

  • Data Compromise: High risk that the Enpass Master Password and local files have been compromised.

  • Immediate Actions:

    1. Network Disconnection: Permanently disconnected the machine from the internet.

    2. Emergency Password Change: Changed all critical passwords using a separate, trusted device.

    3. Future Plan: Planning a full, clean Windows reinstall.

4. Request to Kaspersky Experts

I am seeking the community's and Kaspersky's official guidance on:

  1. Confirming the validity of this AI-assisted finding regarding Process Injection into the Kaspersky process.

  2. Guidance on how to formally report this sample and the associated C2 IP (81.19.104.253) for analysis by Kaspersky Labs.

  3. Any recommended steps for advanced artifact analysis that should be performed before the system is completely wiped.

Posted

Nice AI-generated text.
Can you please repost that in your own words?
There are a few inconsistencies. For example, what data was transferred to the unknown IP? Was it taken into account that Kaspersky essentially acts as a proxy? Who claims that the IP belongs to Russia (it is actually located in Frankfurt, Germany)?

With further information, it might be possible to make a statement, but not yet.

Lê Huy Hoàng
Posted
34 minutes ago, Schulte said:

Nice AI-generated text.
Can you please repost that in your own words?
There are a few inconsistencies. For example, what data was transferred to the unknown IP? Was it taken into account that Kaspersky essentially acts as a proxy? Who claims that the IP belongs to Russia (it is actually located in Frankfurt, Germany)?

With further information, it might be possible to make a statement, but not yet.

As you said, that's why I emphasized that this is an AI-powered product.

The connection test result from my computer:

C:\Users\hoang>netstat -ano | findstr ESTABLISHED
  TCP    127.0.0.1:49671         127.0.0.1:57083         ESTABLISHED     5664
  TCP    127.0.0.1:49671         127.0.0.1:58190         ESTABLISHED     5664
  TCP    127.0.0.1:49671         127.0.0.1:60717         ESTABLISHED     5664
  TCP    127.0.0.1:49671         127.0.0.1:61434         ESTABLISHED     5664
  TCP    127.0.0.1:49671         127.0.0.1:63858         ESTABLISHED     5664
  TCP    127.0.0.1:50576         127.0.0.1:50577         ESTABLISHED     5664
  TCP    127.0.0.1:50577         127.0.0.1:50576         ESTABLISHED     5664
  TCP    127.0.0.1:57083         127.0.0.1:49671         ESTABLISHED     15832
  TCP    127.0.0.1:58190         127.0.0.1:49671         ESTABLISHED     15832
  TCP    127.0.0.1:60717         127.0.0.1:49671         ESTABLISHED     15832
  TCP    127.0.0.1:61434         127.0.0.1:49671         ESTABLISHED     15832
  TCP    127.0.0.1:63858         127.0.0.1:49671         ESTABLISHED     15832
  TCP    192.168.1.20:51834      4.145.79.80:443         ESTABLISHED     5728
  TCP    192.168.1.20:52977      4.1.82.185:443          ESTABLISHED     5664
  TCP    192.168.1.20:54839      79.133.168.9:443        ESTABLISHED     5664
  TCP    192.168.1.20:55155      79.133.168.9:443        ESTABLISHED     5664
  TCP    192.168.1.20:55794      185.201.3.101:443       ESTABLISHED     5664
  TCP    192.168.1.20:56194      212.5.110.163:443       ESTABLISHED     10984
  TCP    192.168.1.20:56198      185.201.1.202:443       ESTABLISHED     5664
  TCP    192.168.1.20:57174      82.202.184.185:443      ESTABLISHED     5664
  TCP    192.168.1.20:57486      142.250.197.202:443     ESTABLISHED     15832
  TCP    192.168.1.20:58380      199.165.136.100:443     ESTABLISHED     7304
  TCP    192.168.1.20:58953      4.145.79.81:443         ESTABLISHED     5728
  TCP    192.168.1.20:60420      4.145.79.82:443         ESTABLISHED     16972
  TCP    192.168.1.20:60708      20.50.201.203:443       ESTABLISHED     16972
  TCP    192.168.1.20:62190      40.74.78.229:443        ESTABLISHED     19460
  TCP    192.168.1.20:62195      185.201.3.101:443       ESTABLISHED     5664
  TCP    192.168.1.20:64597      65.109.109.243:443      ESTABLISHED     15832
  TCP    [2402:800:6195:ec43:d05c:566a:9e1c:a1d8]:51763 [2001:4860:4860::8888]:443 ESTABLISHED 15832
  TCP    [2402:800:6195:ec43:d05c:566a:9e1c:a1d8]:53218 [2404:6800:4005:817::200e]:443 ESTABLISHED 15832
  TCP    [2402:800:6195:ec43:d05c:566a:9e1c:a1d8]:54584 [2404:6800:4008:c13::bc]:5228 ESTABLISHED 15832
  TCP    [2402:800:6195:ec43:d05c:566a:9e1c:a1d8]:54700 [2404:6800:4005:817::200e]:443 ESTABLISHED 15832
  TCP    [2402:800:6195:ec43:d05c:566a:9e1c:a1d8]:54874 [2001:4860:4860::8888]:443 ESTABLISHED 15832
  TCP    [2402:800:6195:ec43:d05c:566a:9e1c:a1d8]:56561 [2404:6800:4005:805::200e]:443 ESTABLISHED 15832
  TCP    [2402:800:6195:ec43:d05c:566a:9e1c:a1d8]:57338 [2404:6800:4005:805::200e]:443 ESTABLISHED 15832
  TCP    [2402:800:6195:ec43:d05c:566a:9e1c:a1d8]:57649 [2803:f800:53::3]:443 ESTABLISHED 15832
  TCP    [2402:800:6195:ec43:d05c:566a:9e1c:a1d8]:59536 [2001:4860:4860::8888]:443 ESTABLISHED 15832
  TCP    [2402:800:6195:ec43:d05c:566a:9e1c:a1d8]:61934 [2603:1047:1:188::80]:443 ESTABLISHED 16972
  TCP    [2402:800:6195:ec43:d05c:566a:9e1c:a1d8]:65204 [2404:6800:4005:81e::200a]:443 ESTABLISHED 15832

The process 5664 belongs to Kaspersky.

The reason I suspect my computer has been compromised is that while my computer was online and I was not actively using it, I received emails regarding Microsoft login OTP and password change OTP. I am certain that I did not log in to my account on multiple devices, which led me to suspect that my computer was compromised (despite running Kaspersky).
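The netstat-to-PID mapping that both the first post (netstat -ano, then tasklist) and the listing above rely on, as an added example that is not part of this thread or of any Kaspersky tooling: a small Python triage script that parses pasted netstat -ano output, discards loopback, private and unspecified remote addresses, lists the distinct off-box endpoints per PID, and emits the tasklist commands to resolve each PID to an image name. The sample input is a subset of the output posted above, embedded so it runs offline; the function names are my own.

```python
from collections import defaultdict
from ipaddress import ip_address

# Subset of the `netstat -ano | findstr ESTABLISHED` output pasted in the post above,
# embedded here so the script runs offline (a constructed sample, not a live capture).
SAMPLE_NETSTAT = """\
  TCP    127.0.0.1:49671         127.0.0.1:57083         ESTABLISHED     5664
  TCP    127.0.0.1:57083         127.0.0.1:49671         ESTABLISHED     15832
  TCP    192.168.1.20:52977      4.1.82.185:443          ESTABLISHED     5664
  TCP    192.168.1.20:54839      79.133.168.9:443        ESTABLISHED     5664
  TCP    192.168.1.20:55155      79.133.168.9:443        ESTABLISHED     5664
  TCP    192.168.1.20:56194      212.5.110.163:443       ESTABLISHED     10984
  TCP    192.168.1.20:57486      142.250.197.202:443     ESTABLISHED     15832
  TCP    [2402:800:6195:ec43:d05c:566a:9e1c:a1d8]:51763 [2001:4860:4860::8888]:443 ESTABLISHED 15832
"""


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4) or '[host]:port' (IPv6) into (host, port).
    Non-numeric ports (the '*' in UDP rows) come back as None."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts. TCP rows carry a state column,
    UDP rows do not; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "rhost": rhost, "rport": rport, "state": state, "pid": int(pid)})
    return rows


def is_external(host):
    """True only for routable addresses: loopback, RFC1918/ULA, link-local,
    unspecified (0.0.0.0 / ::) and multicast are all treated as on-box or local."""
    try:
        addr = ip_address(host)
    except ValueError:          # '*' placeholders or anything that is not an address
        return False
    return not (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_unspecified or addr.is_multicast)


def external_endpoints_by_pid(rows, state="ESTABLISHED"):
    """Map PID -> sorted list of distinct (remote_host, remote_port) that are
    off-box. The loopback pairs between 5664 and 15832 above drop out here."""
    by_pid = defaultdict(set)
    for r in rows:
        if r["state"] == state and is_external(r["rhost"]):
            by_pid[r["pid"]].add((r["rhost"], r["rport"]))
    return {pid: sorted(eps) for pid, eps in by_pid.items()}


def tasklist_lookup_commands(by_pid):
    """Next step from the thread: resolve each PID to an image name with
    tasklist's PID filter. Returns one cmd.exe command per PID."""
    return [f'tasklist /FI "PID eq {pid}"' for pid in sorted(by_pid)]


if __name__ == "__main__":
    ext = external_endpoints_by_pid(parse_netstat(SAMPLE_NETSTAT))
    for pid, eps in sorted(ext.items()):
        print(f"PID {pid}: {len(eps)} distinct external endpoint(s)")
        for host, port in eps:
            print(f"    {host}:{port}")
    print("\n".join(tasklist_lookup_commands(ext)))
```

Run as-is it reports three PIDs with off-box connections in the sample (5664, 10984 and 15832) and the tasklist commands to identify them. A single PID holding many TLS sessions to many remote endpoints, as 5664 does in the full listing, is exactly what the proxy point raised in the reply predicts for a security product that inspects web traffic, so the endpoint count by itself is not evidence of injection; it only tells you which PIDs to resolve and examine more closely.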

Posted
22 minutes ago, Lê Huy Hoàng said:

I received emails regarding Microsoft login OTP

If you suspect a brute-force login, cancel email and switch to an Authenticator app or SMS?
