MALWARE FAMILY

Supper

Internal ID: win.supper
Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

Supper is a 64-bit Windows backdoor and tunnelling utility first observed in the wild in July 2024. This malware operates as both a Remote Access Trojan (RAT) and a SOCKS5 proxy, offering threat actors persistent access to infected systems and the ability to route arbitrary traffic through victim environments.

Once executed, it establishes a TCP connection over port 443 to a primary C2 endpoint hardcoded in the binary. If that server is unavailable, a fallback mechanism reads alternate C2 IP addresses from an encoded file, %temp%/s01bafg, so the implant keeps working after the primary infrastructure is taken down. The malware multiplexes up to 16,384 concurrent sessions over the single TCP connection, each identified by a 16-bit session ID.

Communication begins with an unencrypted 300-byte handshake that carries a static bot identifier (0x00691155), system metadata (hostname, domain, OS version, integrity level) and a fixed flag. After the handshake, every message is wrapped in a 12-byte obfuscated header followed by an encrypted payload (described as 8 bytes holding two encrypted IP addresses). The header is obfuscated with two hardcoded XOR keys, 0x4d4d4d4d4d4d4d4d and 0x4d4d4d4d, which together cover its 12 bytes. The payload is encrypted with a non-standard, stateful XOR cipher: each byte is encrypted using a calculated offset and a cycling key that is derived from the header and XORed with 0x4d4d4d4d.
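The two framing details the profile does pin down, the 300-byte clear-text handshake with its static bot ID and the 12-byte header XORed with the two hardcoded keys, are enough to write a first-pass traffic check. The following is an added example written for this page, not code from the malware or from Malpedia. It assumes the bot ID's on-wire byte order (the profile does not state it, so both encodings are searched) and uses a constructed handshake and header as sample input. The stateful payload cipher is not reproduced because the profile does not give its offset calculation or key schedule. One point worth noticing: every byte of both header keys is 0x4d, so the 8-byte/4-byte split is cosmetic and the header transform collapses to a single-byte XOR, which the test below confirms.

```python
import struct

# Values taken from the profile above.
HEADER_LEN = 12
HEADER_KEY_A = (0x4D4D4D4D4D4D4D4D).to_bytes(8, "big")  # covers header bytes 0..7
HEADER_KEY_B = (0x4D4D4D4D).to_bytes(4, "big")          # covers header bytes 8..11
HANDSHAKE_LEN = 300
BOT_ID = 0x00691155


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a key repeated to the length of data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def transform_header(header: bytes) -> bytes:
    """Apply the two hardcoded XOR keys to a 12-byte Supper header.

    XOR with a fixed key is an involution, so the same call both obfuscates
    and deobfuscates. Byte order of the keys is irrelevant here because every
    key byte is 0x4d.
    """
    if len(header) != HEADER_LEN:
        raise ValueError(f"header must be {HEADER_LEN} bytes, got {len(header)}")
    return xor_with_key(header[:8], HEADER_KEY_A) + xor_with_key(header[8:], HEADER_KEY_B)


def bot_id_patterns():
    # The profile gives the identifier as 0x00691155 but not its on-wire
    # byte order, so both encodings are searched (assumption).
    return ((struct.pack("<I", BOT_ID), "little"), (struct.pack(">I", BOT_ID), "big"))


def find_bot_id(data: bytes):
    """Return (offset, byte_order) of the first bot-ID match in data, or None."""
    for pattern, order in bot_id_patterns():
        off = data.find(pattern)
        if off != -1:
            return off, order
    return None


def looks_like_handshake(payload: bytes) -> bool:
    """Cheap first-pass check: exactly 300 bytes with the static bot ID in clear."""
    return len(payload) == HANDSHAKE_LEN and find_bot_id(payload) is not None


# Constructed sample handshake (not a real capture): bot ID little-endian at
# offset 0 (assumed layout), some ASCII metadata, zero padding to 300 bytes.
SAMPLE_HANDSHAKE = (struct.pack("<I", BOT_ID) + b"WORKSTATION-01\x00CORP\x00").ljust(
    HANDSHAKE_LEN, b"\x00"
)

# Constructed sample header as it might look before obfuscation.
SAMPLE_HEADER_PLAIN = bytes(
    [0x01, 0x00, 0x2A, 0x00, 0x10, 0x00, 0x00, 0x00, 0xDE, 0xAD, 0xBE, 0xEF]
)
SAMPLE_HEADER_WIRE = transform_header(SAMPLE_HEADER_PLAIN)

if __name__ == "__main__":
    print("handshake detected:", looks_like_handshake(SAMPLE_HANDSHAKE))
    print("wire header:", SAMPLE_HEADER_WIRE.hex())
    print("round-trip ok:", transform_header(SAMPLE_HEADER_WIRE) == SAMPLE_HEADER_PLAIN)
```

Because the handshake is unencrypted and fixed-length, the size check plus the bot-ID search is a usable network signature on its own; the header routine is what you would reach for next when carving the framed messages out of a capture.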

It supports a range of C2 commands, including remote shell execution, session teardown, SOCKS5 proxy operations, self-deletion, and dynamic updating of the fallback IPs. For shell commands, Supper spawns a hidden cmd.exe instance, encrypts the command output and returns it to the C2 server. As a proxy, it accepts operator-specified connection requests, opens TCP sessions to the requested targets and relays data between target and operator, with each relay handled as one session under the multiplexing scheme described above.

If instructed by the operator, or if the C2 session fails, the malware deletes itself using cmd.exe or schtasks.exe, often disguising the operation as a scheduled task named "GoogleUpdateTask". The file holding the fallback C2 IPs (%temp%/s01bafg) is written and updated by the malware using its own encryption routine.
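The two host artefacts named above, the "GoogleUpdateTask" scheduled task and the %temp%/s01bafg fallback file, translate directly into endpoint detection logic. The following is an added example for this page, not a rule from any vendor or from Malpedia. It runs over constructed Sysmon-shaped records (event 1 for process creation, event 11 for file creation); the field names are Sysmon's, but the command lines and paths are made up for the example and are not captured Supper activity. The caveat it encodes: Google's own updater registers tasks named GoogleUpdateTaskMachineCore and GoogleUpdateTaskMachineUA, so the task name must be matched as an exact token after /tn rather than as a substring.

```python
import re
from typing import Dict, List, Tuple

# Host indicators taken from the profile above.
TASK_NAME = "GoogleUpdateTask"
FALLBACK_BASENAME = "s01bafg"   # encoded fallback-C2 file dropped under %temp%

# Exact token after /tn, optionally quoted, followed by whitespace or end of
# line, so that GoogleUpdateTaskMachineCore / GoogleUpdateTaskMachineUA do not match.
TASK_RE = re.compile(r'/tn\s+"?' + re.escape(TASK_NAME) + r'"?(?=\s|$)', re.IGNORECASE)

# Fallback file directly inside a directory named Temp (either slash style).
TEMP_FILE_RE = re.compile(r"[\\/]temp[\\/]" + re.escape(FALLBACK_BASENAME) + r"$", re.IGNORECASE)


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules this event matches (empty list if none)."""
    hits: List[str] = []
    image = ev.get("Image", "").lower()
    if (
        ev.get("EventID") == "1"
        and image.endswith("schtasks.exe")
        and TASK_RE.search(ev.get("CommandLine", ""))
    ):
        hits.append("supper_selfdelete_task")
    if ev.get("EventID") == "11" and TEMP_FILE_RE.search(ev.get("TargetFilename", "")):
        hits.append("supper_fallback_c2_file")
    return hits


def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every event through check_event and return (index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry (assumed command lines and paths, not real captures).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # task-based self-deletion as described in the profile
        "EventID": "1",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /create /tn "GoogleUpdateTask" /sc once /st 00:00',
    },
    {   # legitimate Google updater task: must NOT match
        "EventID": "1",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r"schtasks /create /tn GoogleUpdateTaskMachineUA /sc daily",
    },
    {   # fallback C2 list written to %temp%
        "EventID": "11",
        "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\s01bafg",
    },
    {   # similar name outside Temp and with an extension: must NOT match
        "EventID": "11",
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\alice\Documents\s01bafg.txt",
    },
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

On a live host the same two checks are a quick triage: list scheduled tasks and compare the name token exactly, and look for a file named s01bafg directly under the user's Temp directory.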

Threat Analysis

Supper is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

Quick Facts

Type: Malware Family
Aliases: 1

Also Known As

win.supper

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.