SilentFade virus strikes, Cyberstalking and Ransom user

Feb 26, 2021kate
Learn more about 360 Total Security

Recently, 360 Security Center monitored that the SlientFade virus was bundled with pirated software to spread. The infected users were mainly distributed in Malaysia, India, Brazil, Indonesia, Russia and other countries.

SlientFade has been active as early as 2019, and it has made a lot of money by stealing the victim’s login credentials and conducting advertising fraud. The Trojan uses various technologies such as bypassing anti-software and virtual machines, and cooperates with browser injection hijacking, malicious browser plug-ins, etc. to execute malicious code. In recent updates, it was discovered that the STOP ransomware was distributed through the update channel, causing Serious damage to the user’s computer.

Technical Analysis

SlientFade uses a variety of code obfuscation techniques to bypass the anti-virus virtual machine and some common debugging mechanisms:

Detect virtual machines such as vmware by detecting the device name:

Detect some anti-virus virtual machines by calling less commonly used system functions by reusing meaningless parameters:

SlientFade carries a powerful cyberstalking module that will steal user login credentials and Facebook account-related data, and will steal account passwords saved in the configuration files of Chrome, Edge, Yandex, Opera, Firefox, etc. Some of the code sequences are as follows:

It will also steal Facebook credentials and query Ads advertising data through the graph interface:

The plug-in is used to steal user’s Facebook friend information.

The plug-in is used to steal user’s Facebook friend information.

In addition to the cyberstalking module, SlientFade will download and execute other malicious software. The Thunder download plug-in is used during the download process. The relevant download logic is as follows:

We have monitored that SlientFade will download stop ransomware, encrypt user data, and the encrypted file extension “.qlkm”:

Related blackmail prompt information, as shown below:


SlientFade virus will steal the user’s login credentials and Facebook-related sensitive data, and will download and execute other malicious modules such as stop ransomware, which will cause great economic and data loss to users.

The virus depends on pirated software to spread. Therefore, we recommend that users reduce the use of pirated software and try to obtain such software through formal channels. At the same time, when using some potentially risky software, first use security software to scan.

The 360 Total Security already supports the detection and killing of the virus, users who are infected are recommended to install the detection and killing from our official website: website


Learn more about 360 Total Security