Skip to main content

You’ll never guess what hackers are using Microsoft Calculator for

Hackers have found an unusual and unconventional method to infect PCs with malware: distributing dangerous code with Windows Calculator.

The individuals behind the well-known QBot malware have managed to find a way to use the program to side-load malicious code on infected systems.

A depiction of a hacker breaking into a system via the use of code.
Getty Images

As reported by Bleeping Computer, Dynamic Link Libraries (DLLs) side-loading is when an actual DLL is spoofed, after which it is moved to a folder in order to trick the machine’s operating system to load the doctored version as opposed to the real DLL files.

Recommended Videos

QBot, a strain of Windows malware, was initially known as a banking trojan. However, ransomware gangs now rely on it due to its evolution into a malware distribution platform.

QBot has been utilizing the Windows 7 Calculator program in particular to execute DLL side-loading attacks, according to security researcher ProxyLife. These attacks have been infecting PCs since at least July 11, and it’s also an effective method for carrying out malicious spam (malspam) campaigns.

Emails that contain the malware in the form of an HTML file attachment include a ZIP archive that comes with an ISO file, which contains a .LNK file, a copy of ‘calc.exe’ (Windows Calculator), as well as two DLL files: WindowsCodecs.dll, joined by a malicious payload (7533.dll).

Opening the ISO file eventually executes a shortcut, which upon further investigation of the properties dialog for the files, is linked to Windows’ Calculator app. Once that shortcut has been opened, the infection infiltrates the system with QBot malware through Command Prompt.

The new version of the Calculator app in Windows 11.
Image used with permission by copyright holder

Due to the fact that Windows Calculator is obviously a trusted program, tricking the system to distribute a payload through the app means security software could fail to detect the malware itself, making it an extremely effective — and creative — way to avoid detection.

That said, hackers can no longer use the DLL sideloading technique on Windows 10 or Windows 11, so anyone with Windows 7 should be wary of any suspicious emails and ISO files.

Windows Calculator is not a program commonly used by threat actors to infiltrate targets with, but when it comes to the current state of hacking and its advancement, nothing seems to be beyond the realm of possibility. The first appearance of QBot itself occurred more than a decade ago, and it has previously been used for ransomware purposes.

Elsewhere, we’ve been seeing an aggressive rate of activity in the malware and hacking space throughout 2022, such as the largest HTTPS DDoS attack in history. Ransomware gangs themselves are also evolving, so it’s not a surprise they’re continuously finding loopholes to benefit from.

With the alarming rise in cybercrime in general, technology giant Microsoft has even launched a cybersecurity initiative, with the “security landscape [becoming] increasingly challenging and complex for our customers.”

Zak Islam
Former Computing Writer
Zak Islam was a freelance writer at Digital Trends covering the latest news in the technology world, particularly the…
Your PC’s security is being attacked on two new fronts
Person using Windows 11 laptop on their lap by the window.

Your PC is facing a double whammy of cyber threats, both of them built into basic Windows features -- one that exploits Windows search and another a Wi-Fi vulnerability.

The first vulnerability allows hackers to exploit search in what researchers have called a "clever" way, as reported by Trustwave. It begins when users are tricked into downloading malware, starting with phishing emails with malicious .ZIP attachments containing HTML files disguised as invoices or something along those lines.

Read more
What is the Antimalware Service Executable, and should you disable it?
Person using Windows 11 laptop on their lap by the window.

The Antimalware Service Executable is a process you might see pop-up in Task Manager's task list now and again, beavering away at ... something. While it's not always obvious what it's up to, and the sign of "malware" in your process list might put the fear in you, you needn't fret. It's an important component in your Windows security, working as part of the iconic Windows Defender suite of tools.

In the past, older PCs may have seen a performance advantage from disabling the antimalware service executable, but unless you really, really have to for some very specific reasons, you shouldn't need to on a modern Windows 11 PC. Indeed, it would be better if you didn't.
What is the antimalware service executable?
The antimalware service executable, or MsMpEng.exe, to use the name you'll probably see crop up in Task Manager, is a component of the Windows Defender antimalware suite of tools. Together they help protect your Windows PC from viruses and other malware that might otherwise try to steal your data or corrupt your system files.

Read more
You’ll never guess what this YouTuber built into a PC this time
A woman stands next to a custom-built gaming PC with a coffee maker inside.

There are gaming PCs, and there are coffee makers -- and the two do not mix. After all, who would want boiling hot coffee inside their high-end gaming desktop? The idea alone makes me shiver, but Nerdforge's Martina was brave enough to come up with this project and create a fully custom-built PC that doesn't just run, but it also makes coffee at the press of a button.

Nerdforge is a YouTube channel run by a Norwegian couple, Martina and Hansi, who dabble in all sorts of innovative crafts. And it's safe to say that this falls under that category. The project started with an idea: What if, instead of having to get up to fetch a cup of coffee, you could have a coffee maker installed right inside your PC?

Read more