Hackers abuses OBS Studio to Spread BIOPASS Malware

Researchers from Trend Micro revealed a new malware dubbed BIOPASS, that abuses Open Broadcaster Software (OBS) Studio’s live-streaming app to capture the screen of its victims to attackers.

Threat actors behind the new malware planted a malicious JavaScript code on support chat pages of Chinese gambling-related sites to redirect visitors to pages offering the malicious installers.

The attack involves deceiving gaming website visitors into downloading a malware loader camouflaged as a legitimate installer for popular but deprecated apps such as Adobe Flash Player or Microsoft Silverlight, only for the loader to act as a conduit for fetching next-stage payloads.

On Friday Trend Micro researchers published an analysis of the loader revealed that it loads either a Cobalt Strike shellcode or a new Python backdoor tracked by the experts as BIOPASS RAT.

OBS Studio is open-source software for video recording and live streaming, enabling users to stream to Twitch, YouTube, and other platforms.

BIOPASS RAT is a sophisticated type of malware that is implemented as Python scripts, the researchers said. It Has basic features found in common RAT such as file system assessment, remote desktop access, file exfiltration, and shell command execution. The malware is also able to steal private information from web browsers and instant messaging clients installed on the victim’s device.


Besides featuring an array of capabilities that run the typical spyware gamut, BIOPASS is equipped to establish live streaming to a cloud service under the attacker’s control via Real-Time Messaging Protocol (RTMP), in addition to communicating with the command-and-control (C2) server using the Socket.IO protocol.

According to Trend Micro, the BIOPASS RAT could be linked to the Chinese Winnti APT group (aka APT41).

Leave a Reply

Your email address will not be published.