You’ll never guess what hackers are using Microsoft Calculator for

Hackers have found an unusual and unconventional method to infect PCs with malware: distributing dangerous code with Windows Calculator.

The individuals behind the well-known QBot malware have managed to find a way to use the program to side-load malicious code on infected systems.

As reported by Bleeping Computer, Dynamic Link Library (DLL) side-loading is when a legitimate DLL is spoofed and the doctored copy is placed in a folder alongside a program, so that the machine's operating system loads the doctored version instead of the real DLL.

QBot, a strain of Windows malware, was initially known as a banking trojan. However, ransomware gangs now rely on it due to its evolution into a malware distribution platform.

QBot has been utilizing the Windows 7 Calculator program in particular to execute DLL side-loading attacks, according to security researcher ProxyLife. These attacks have been infecting PCs since at least July 11, and the technique has also proven effective for carrying out malicious spam (malspam) campaigns.

The emails carry the malware as an HTML file attachment, which contains a ZIP archive, which in turn holds an ISO file. The ISO contains a .LNK shortcut file, a copy of ‘calc.exe’ (Windows Calculator), and two DLL files: WindowsCodecs.dll and the malicious payload, 7533.dll.

Opening the ISO file eventually leads to the shortcut being run; the properties dialog for the shortcut shows that it is linked to the Windows Calculator app. Once that shortcut has been opened, the infection installs QBot malware on the system through Command Prompt.
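The infection chain above gives a defender a concrete shape to look for: a copy of a Windows system binary (calc.exe) running from somewhere other than the system directory, and a DLL that shares its name with a Windows DLL (WindowsCodecs.dll) being loaded from the binary's own folder rather than from System32. The following Python script is an added example, not code from the article, Bleeping Computer or ProxyLife; it runs simple image-load records through those checks. The record field names, the sample paths and the D:\ drive letter standing in for a mounted ISO are constructed assumptions (loosely modelled on a Sysmon "Image loaded" event) and would need to be mapped onto whatever endpoint telemetry is actually available.

```python
from pathlib import PureWindowsPath

# Constructed sample image-load records (not real telemetry). Field names are an
# assumption loosely modelled on a Sysmon "Image loaded" event; map real logs onto them.
SAMPLE_EVENTS = [
    # Benign: the real Calculator loading the real codec DLL from System32.
    {"image": r"C:\Windows\System32\calc.exe",
     "image_loaded": r"C:\Windows\System32\WindowsCodecs.dll"},
    # Suspicious: a copy of calc.exe on a mounted ISO (D:\, assumed drive letter)
    # loading a look-alike WindowsCodecs.dll from the same folder, as in the article.
    {"image": r"D:\calc.exe",
     "image_loaded": r"D:\WindowsCodecs.dll"},
    # Suspicious: the relocated calc.exe then loading the payload DLL named on the page.
    {"image": r"D:\calc.exe",
     "image_loaded": r"D:\7533.dll"},
    # Benign: a third-party program loading its own DLL from its own folder.
    {"image": r"C:\Program Files\Example\example.exe",
     "image_loaded": r"C:\Program Files\Example\examplelib.dll"},
]

# Directories from which Windows' own binaries and DLLs are expected to load.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Windows binaries that should not be running from anywhere else.
SYSTEM_BINARIES = {"calc.exe"}
# Windows DLL names that, when loaded from elsewhere, suggest a spoofed copy.
SYSTEM_DLLS = {"windowscodecs.dll"}


def parent_dir(path: str) -> str:
    """Lower-cased parent directory of a Windows path (pure path, works off-Windows)."""
    return str(PureWindowsPath(path).parent).lower()


def in_system_dir(path: str) -> bool:
    return parent_dir(path) in SYSTEM_DIRS


def classify(event: dict) -> set:
    """Return the set of side-loading indicators one image-load record triggers.

    An empty set means the record looks benign under these checks.
    """
    image = event["image"]
    loaded = event["image_loaded"]
    image_name = PureWindowsPath(image).name.lower()
    loaded_name = PureWindowsPath(loaded).name.lower()
    indicators = set()

    # 1. A known system binary executing from outside the system directories.
    if image_name in SYSTEM_BINARIES and not in_system_dir(image):
        indicators.add("relocated_system_binary")

    # 2. A DLL carrying a Windows DLL's name but loaded from somewhere else.
    if loaded_name in SYSTEM_DLLS and not in_system_dir(loaded):
        indicators.add("spoofed_system_dll")

    # 3. The classic side-loading shape: a relocated system binary resolving a DLL
    #    from its own folder instead of from the system directories.
    if ("relocated_system_binary" in indicators
            and parent_dir(image) == parent_dir(loaded)):
        indicators.add("same_folder_load")

    return indicators


def scan(events) -> list:
    """Return (image, image_loaded, indicators) for every record that triggers a check."""
    hits = []
    for event in events:
        indicators = classify(event)
        if indicators:
            hits.append((event["image"], event["image_loaded"], indicators))
    return hits


if __name__ == "__main__":
    for image, loaded, indicators in scan(SAMPLE_EVENTS):
        print(f"{image} -> {loaded}: {', '.join(sorted(indicators))}")
```

Run as-is, the script flags only the two records where the relocated calc.exe loads DLLs from its own folder; the genuine Calculator in System32 and the third-party program loading its own library are left alone. The first check on its own is the cheapest and most general signal, since a Windows-shipped binary executing from a removable or mounted volume is unusual regardless of which DLL it goes on to load.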

Because Windows Calculator is obviously a trusted program, tricking the system into delivering a payload through the app means security software could fail to detect the malware itself, making it an extremely effective — and creative — way to avoid detection.

That said, hackers can no longer use the DLL sideloading technique on Windows 10 or Windows 11, so anyone with Windows 7 should be wary of any suspicious emails and ISO files.

Windows Calculator is not a program threat actors commonly use to infiltrate targets, but given the current state of hacking and its advancement, nothing seems to be beyond the realm of possibility. QBot itself first appeared more than a decade ago, and it has previously been used for ransomware purposes.

Elsewhere, we’ve been seeing an aggressive rate of activity in the malware and hacking space throughout 2022, such as the largest HTTPS DDoS attack in history. Ransomware gangs themselves are also evolving, so it’s not a surprise they’re continuously finding loopholes to benefit from.

With the alarming rise in cybercrime in general, technology giant Microsoft has even launched a cybersecurity initiative, with the “security landscape [becoming] increasingly challenging and complex for our customers.”

Zak Islam
Former Digital Trends Contributor