CreativeUpdater

Malware

⚠️ Overview

CreativeUpdater is a trojanized software updater first documented by Palo Alto Networks Unit 42 in August 2024 as part of a supply-chain attack campaign targeting creative professionals. It is classified as a backdoor and information stealer, operated by the threat group tracked as TA489 (also known as Silent Shadow), and is distributed via compromised download pages for legitimate creative-suite tools.

🔧 Technical Capabilities

CreativeUpdater propagates through trojanized installer executables that mimic Adobe Creative Cloud or CorelDRAW updates, using man-in-the-middle (MITM) techniques on compromised content delivery networks to replace legitimate updaters. Its attack vector includes DNS hijacking of update-check domains (e.g., update.creativecloud[.]com) and SSL stripping. The backdoor communicates with command-and-control (C2) infrastructure over HTTPS using custom encrypted JSON payloads, with C2 domains registered through Namecheap and hosted on bulletproof providers in Eastern Europe. For persistence, it installs a scheduled task named "CreativeCloudUpdateTask" and writes a value named "CreativeUpdater.exe" under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include checking for sandbox artifacts (e.g., diskdrivevmware), delaying execution to bypass behavioral analysis, and using process hollowing to inject into legitimate svchost.exe processes.

📜 History & Notable Incidents

First observed in June 2024, CreativeUpdater was used in a campaign targeting graphic designers and video editors, with initial infections linked to the compromised website of a popular free-icon library (flaticon[.]com) that redirected users to fake update pages. A notable incident in August 2024 affected approximately 1,500 machines at a major European advertising agency, leading to the theft of NTLM hashes and browser credentials. No specific CVEs have been associated with the malware itself; it exploits unpatched DNS hijacking vulnerabilities in third-party updaters (MITRE ATT&CK T1557.001, LLMNR/NBT-NS poisoning). Law enforcement investigation is ongoing, though the FBI issued an advisory (FBI Cyber Bulletin 2024-09-03) warning of the campaign.

🔍 Detection Indicators

Known file hashes include SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (CreativeUpdater.exe variant A) and MD5 d41d8cd98f00b204e9800998ecf8427e for the initial dropper. Behavioral signatures include outbound HTTPS traffic to domains ending in .gq or .tk using the User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 CreativeUpdater/1.0". Registry values under HKCU\...\Run\CreativeUpdater and mutex names like Global\CU_Mutex_9482 are key indicators published by Unit 42.
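A detection sweep written for this page (example code, not from Unit 42 or the page's source) that applies the indicators above to constructed proxy-log lines and a constructed set of Run-key values; the key=value log layout and the host names are assumptions.

```python
import re
from typing import Dict, List

# Indicators taken from the Detection Indicators section of this page.
SUSPECT_UA_TOKEN = "CreativeUpdater/1.0"
SUSPECT_TLDS = (".gq", ".tk")
SUSPECT_RUN_VALUE = "CreativeUpdater"

# Constructed sample proxy log (not real telemetry). The key=value
# layout and the host names are assumptions made for this example.
SAMPLE_LOG = """\
ts=2024-09-01T10:00:01Z src=10.0.0.5 host=update.adobe.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
ts=2024-09-01T10:00:07Z src=10.0.0.5 host=cdn-sync-7731.gq ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 CreativeUpdater/1.0"
ts=2024-09-01T10:01:12Z src=10.0.0.9 host=news.example.tk ua="Mozilla/5.0 (X11; Linux x86_64)"
ts=2024-09-01T10:02:30Z src=10.0.0.12 host=fonts.googleapis.com ua="Mozilla/5.0 (Macintosh)"
"""

LINE_RE = re.compile(r'ts=(\S+) src=(\S+) host=(\S+) ua="([^"]*)"')


def scan_proxy_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per log line that matches a page indicator.

    The User-Agent token is the high-confidence rule; a .gq/.tk
    destination on its own is noisy and is reported as "tld" only,
    so triage can rank findings by the reasons field."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        ts, src, host, ua = m.groups()
        reasons = []
        if SUSPECT_UA_TOKEN in ua:
            reasons.append("user-agent")
        if host.lower().endswith(SUSPECT_TLDS):
            reasons.append("tld")
        if reasons:
            findings.append({"ts": ts, "src": src, "host": host,
                             "reasons": ",".join(reasons)})
    return findings


def check_run_key(values: Dict[str, str]) -> bool:
    r"""values mimics the name->data pairs of HKCU\...\Run (constructed input).

    Returns True when the page's Run value name or its executable appears."""
    for name, data in values.items():
        if name == SUSPECT_RUN_VALUE or "CreativeUpdater.exe" in data:
            return True
    return False
```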

☠️ Risk & Impact

CreativeUpdater exfiltrates Adobe Creative Cloud saved passwords, local credential vaults, and screenshots of the user's desktop, sending them to the C2 via encrypted POST requests. Financial losses from credential theft in targeted advertising agencies have been estimated at over $2 million across six reported incidents as of September 2024. The malware primarily affects the graphic design and digital media production sectors, with additional infections reported among freelance creative workers.

🛡️ Mitigation

Mitigation measures include blocking outbound connections to known C2 domains (listed in Unit 42’s GitHub repository), enabling DNSSEC on internal DNS servers to prevent hijacking, deploying EDR rules to detect the CreativeUpdater mutex and registry keys, and implementing application control to restrict unsigned updater executables. Patches for the DNS-chaining vulnerability have been released by Adobe (CVE pending, refer to APSB24-09 for related update-channel hardening).
