APT-Q-27 Targets Web3 Support Staff with Fake Screenshot Backdoor Campaign

APT-Q-27 Targets Web3 Support Staff with Fake Screenshot Backdoor Campaign

First seen 26 Mar 2026, 14:47 UTC GbhackersCybersecuritynews 86% similarity 72.5

Article Content

Browse articles
ThreatCluster

A campaign linked to the Chinese threat group APT-Q-27 is targeting Web3 customer support teams by deploying a multi-stage backdoor via fake screenshot links. The attack exploits live chat workflows, utilizing signed .NET loaders and AWS S3 dead drops to deliver a memory-resident Farfli backdoor. This operation focuses on support agents, the human element of organizations, to gain access to sensitive systems. The specific tools and methods employed indicate a sophisticated approach to compromise victim machines without detection. The current status of the campaign suggests ongoing activity, with potential impacts on multiple organizations within the Web3 sector. The attack emphasizes the need for heightened vigilance among support teams in the cryptocurrency space.

Key Points: • APT-Q-27 is using fake screenshots to target Web3 customer support staff. • The attack involves a multi-stage backdoor delivery method using .NET loaders. • Organizations in the Web3 sector are at risk due to the human-centric nature of the attack.

ThreatCluster AI

Timeline

2026-03-26
APT-Q-27 campaign reported targeting Web3 support teams
Recent
Fake screenshot links identified as attack vector
Recent
Farfli backdoor confirmed as part of the attack

Community

Browse all →