Intel Name: Windows bot malware “Blitz” abuses Hugging Face services
Date of Scan: April 28, 2025
Impact: High
Summary: Since last year, we have been monitoring a Windows bot malware known as “Blitz.” Its infection chain involves multiple stages, including an initial dropper, a downloader, and the main botnet component. The likely infection vectors are either backdoored game cheats in recent samples or installer files in older ones, with the cheats promoted via the threat actor’s Telegram channel. The attacker also abuses Hugging Face’s AI app directory, “Spaces,” to host the malware and manage command-and-control (C2) operations, ultimately aiming to deploy a cryptocurrency miner on compromised systems.