Hackers abuse Microsoft Fondue.exe to side-load APPWIZ.cpl and deploy Sliver malware


Threat actors are abusing Microsoft’s legitimate Fondue.exe utility to side-load a malicious APPWIZ.cpl file and execute malware on Windows systems. The campaign uses fake software installers, hidden staging folders, and a trusted Windows binary to make malicious activity look like normal system behavior.

According to Cyber Security News, the attack chain starts with malicious MSI installers disguised as StarDebug and AlphaFly drone-related applications. The campaign mainly targets government organizations, military personnel, and people involved in drone manufacturing and engineering.

The technique does not depend on a new vulnerability that Microsoft would need to patch. It abuses how a trusted executable loads a control panel file from its own directory, a behavior HijackLibs also documents as an APPWIZ.cpl side-loading opportunity involving Fondue.exe.

How the Fondue.exe attack works

Fondue.exe is a legitimate Windows tool. Microsoft says the fondue command enables optional Windows features by downloading required files from Windows Update or another source defined by Group Policy.

Attackers copy Fondue.exe into a hidden directory and place a malicious APPWIZ.cpl file next to it. When Fondue.exe runs from that folder, it can load the attacker-controlled control panel file instead of the normal Windows file.

This gives attackers a way to run malicious code inside a trusted Microsoft-signed process. That can help them evade simple allowlists, reputation checks, and detections that focus only on unknown executables.

Element | Role in the attack
Fondue.exe | Legitimate Microsoft utility abused to load the malicious file
APPWIZ.cpl | Malicious control panel applet placed beside Fondue.exe
MSI installer | Initial fake application used to deliver the malware chain
Sliver implant | Post-exploitation payload used for remote control
Scheduled task | Persistence method designed to blend in with update tasks

Why APPWIZ.cpl side-loading is effective

APPWIZ.cpl is normally associated with Windows Programs and Features. HijackLibs says APPWIZ.cpl is expected in System32 and SysWOW64, and warns that loading it from unusual locations can indicate hijacking activity.

That expected location also gives defenders a clear signal. Fondue.exe execution from outside the Windows system directory is suspicious, especially if it loads APPWIZ.cpl from a hidden folder under ProgramData or another user-writable path.

MITRE ATT&CK describes DLL side-loading as a technique where adversaries plant a malicious library and invoke a legitimate application that loads it. This campaign follows the same general pattern, although it uses a CPL file.

The Fondue.exe campaign appears tied to a wider espionage theme involving drone and Starlink-related lures. BI.ZONE reported earlier that several threat clusters distributed malware disguised as Starlink device registration services and drone pilot training applications.

That context helps explain why the latest campaign used fake software that would appeal to military, engineering, and drone-related targets. The lure does not need to reach millions of users to work. It only needs to convince a small number of high-value victims to run the installer.

Cyber Security News said the attackers used StarDebug and AlphaFly-themed installers, with one route tied to a fake developer-style application and another tied to a drone simulation or training theme.

  • The user downloads a fake MSI installer from a deceptive website.
  • The installer drops scripts, loaders, and an inner setup package.
  • The inner package stages Fondue.exe and malicious APPWIZ.cpl in a hidden folder.
  • Fondue.exe loads the malicious CPL file from the same directory.
  • The payload deploys a Sliver implant and creates persistence.

Sliver gives attackers a remote foothold

Once the malicious APPWIZ.cpl is loaded, the campaign deploys a Sliver implant. Sliver is an open-source cross-platform adversary emulation framework used by red teams for security testing, but attackers also abuse it for command-and-control activity.

The official Sliver project supports implants for Windows, macOS, and Linux, with C2 over protocols such as mTLS, WireGuard, HTTP(S), and DNS. In malicious hands, those capabilities can support remote commands, reconnaissance, and lateral movement.

In this campaign, the Sliver implant reportedly connects to an attacker-controlled domain and creates a mutex named MediumTurquoiseBeige to avoid running duplicate instances on the same host.

Persistence uses a fake update-style task

The malware creates a Windows scheduled task that runs every minute. The task name follows a Microsoft Edge update-style pattern, such as MicrosoftEdgeUpdateTaskMachineUA followed by a GUID.

That naming choice matters because many administrators expect to see update-related scheduled tasks on Windows endpoints. Attackers use that familiarity to reduce the chance that a suspicious task stands out during a quick review.

MITRE’s side-loading technique page notes that this kind of execution flow hijacking can support defense evasion, persistence, and payload execution through a trusted program.

Hunting signal | Why it matters
Fondue.exe outside C:\Windows\System32 | Legitimate Fondue.exe normally runs from a Windows system path
APPWIZ.cpl loaded from ProgramData or temp folders | APPWIZ.cpl should normally load from trusted Windows directories
New MicrosoftEdgeUpdateTaskMachineUA-style task | Attackers may imitate update task naming for persistence
UPX-packed or protected CPL files | Obfuscation can indicate an attempt to slow analysis
Sliver-like network behavior | May indicate post-exploitation command-and-control activity

SoullessRAT shows the campaign has more than one tool

The same wider threat activity also includes SoullessRAT, a JavaScript-based remote access trojan. It reportedly supports remote command execution, screenshot capture, system information gathering, and file upload functions.

BI.ZONE’s research also said the Versatile Werewolf cluster used generative AI to develop tools used in its attacks. That does not make every file fully AI-written, but it points to a faster development cycle for threat actors.

Infection chain of the Claude malvertising campaign (Source – Trend Micro)

For defenders, the important point is that this campaign does not rely on one binary or one payload. It uses layered delivery, decoy applications, trusted Windows components, and different malware families depending on the target.

Key indicators reported in the campaign

The following indicators were reported with the activity and should be treated as investigation leads. Security teams should search for them across endpoint, DNS, proxy, SIEM, EDR, and scheduled task telemetry.

Type | Indicator | Description
Domain | curtainbeatdisturbance[.]com | Reported Sliver command-and-control server
Domain | stardebug[.]app | Reported malware distribution site
Domain | alphafly-drones[.]com | Reported fake drone application site
Domain | newfolder[.]click | Reported SoullessRAT payload delivery domain
Mutex | MediumTurquoiseBeige | Mutex created by the Sliver implant
Directory | %PROGRAMDATA%\29167fc2-cdc7-490d-9c70-96bfb9b58225 | Reported hidden staging path

How organizations can detect and block the attack

Organizations should start by monitoring execution of Fondue.exe. Microsoft’s Fondue.exe documentation shows its legitimate use case, so unexplained execution from a copied location deserves review.

Security teams should also monitor image-load events for APPWIZ.cpl from non-standard paths. That signal can reveal side-loading even when the parent executable looks trusted.

Endpoint controls should focus on behavior rather than names alone. Attackers can rename installers, rotate domains, and alter hashes, but they still need to stage files, run Fondue.exe, load the CPL payload, create persistence, and communicate with infrastructure.

  • Block or alert on Fondue.exe running outside C:\Windows\System32.
  • Alert when APPWIZ.cpl loads from ProgramData, temp folders, downloads, or user profiles.
  • Review new scheduled tasks with Microsoft Edge or Office-style names.
  • Restrict users from running unsigned or untrusted MSI installers.
  • Use application control rules for high-risk directories.
  • Hunt for Sliver implant behavior and unusual outbound C2 traffic.
  • Train high-risk teams to verify drone, satellite, and engineering software sources.
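The hunting signals in the table above and the first three recommendations can be expressed as a small triage rule set. The following Python is an added example, not code from the article or from any vendor: it runs over constructed Sysmon-style events (process create, image load, scheduled-task creation) and flags Fondue.exe outside the system directories, APPWIZ.cpl loaded from a non-system path, and an Edge-update-style task with the one-minute repetition the article reports. The staging directory is the one listed in the indicators table; the task GUID is a constructed placeholder.

```python
import re
from pathlib import PureWindowsPath

# Directories where Fondue.exe and APPWIZ.cpl legitimately live (HijackLibs
# lists System32 and SysWOW64). Compared case-insensitively.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Edge-update-style task name followed by a GUID, as the article describes.
EDGE_TASK_RE = re.compile(r"^MicrosoftEdgeUpdateTaskMachineUA\{?[0-9a-f-]{36}\}?$", re.I)

def in_trusted_dir(path: str) -> bool:
    """True when the file's parent directory is a Windows system directory."""
    return str(PureWindowsPath(path).parent).lower() in TRUSTED_DIRS

def triage(events: list[dict]) -> list[str]:
    """Return one finding per event that matches a hunting signal.

    Event shapes are Sysmon-like and constructed for this example:
      {"id": 1, "image": ...}                      process create
      {"id": 7, "image": ..., "loaded": ...}       image load
      {"id": 4698, "task": ..., "interval_s": ...} scheduled task created
    """
    findings = []
    for ev in events:
        if ev["id"] == 1 and PureWindowsPath(ev["image"]).name.lower() == "fondue.exe":
            if not in_trusted_dir(ev["image"]):
                findings.append(f"fondue.exe outside system dir: {ev['image']}")
        elif ev["id"] == 7 and PureWindowsPath(ev["loaded"]).name.lower() == "appwiz.cpl":
            if not in_trusted_dir(ev["loaded"]):
                findings.append(f"appwiz.cpl side-load candidate: {ev['image']} -> {ev['loaded']}")
        elif ev["id"] == 4698 and EDGE_TASK_RE.match(ev["task"]):
            # Legitimate Edge uses the same naming scheme, so the name alone is only a
            # review lead; the one-minute repetition is what separates this campaign.
            if ev.get("interval_s", 0) <= 60:
                findings.append(f"update-style task running every minute: {ev['task']}")
    return findings

# Constructed sample telemetry (staging path from the article, GUID is a placeholder).
STAGING = r"C:\ProgramData\29167fc2-cdc7-490d-9c70-96bfb9b58225"
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\fondue.exe"},                       # benign
    {"id": 1, "image": STAGING + r"\fondue.exe"},                                 # suspicious
    {"id": 7, "image": STAGING + r"\fondue.exe", "loaded": STAGING + r"\APPWIZ.cpl"},
    {"id": 7, "image": r"C:\Windows\System32\rundll32.exe",
     "loaded": r"C:\Windows\System32\appwiz.cpl"},                               # benign
    {"id": 4698, "task": "MicrosoftEdgeUpdateTaskMachineUA{00000000-1111-2222-3333-444444444444}",
     "interval_s": 60},                                                           # suspicious
    {"id": 4698, "task": "MicrosoftEdgeUpdateTaskMachineUA{00000000-1111-2222-3333-444444444444}",
     "interval_s": 3600},                                                         # hourly, benign
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```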

Bottom line

This campaign shows how attackers can turn a normal Windows utility into part of a stealthy malware chain. Fondue.exe is not malicious on its own, but copying it beside a rogue APPWIZ.cpl file gives attackers a way to execute code through a trusted Microsoft binary.

The broader risk is especially high for organizations in government, defense, drone engineering, and related supply chains. These targets should assume that fake industry-specific tools will keep appearing as lures.

The best defense combines software source verification, application control, scheduled task monitoring, image-load telemetry, and behavior-based detection for side-loading. Simple hash blocking will not be enough when attackers hide behind trusted Windows binaries.

FAQ

What is Fondue.exe?

Fondue.exe is a legitimate Microsoft Windows utility used to enable optional Windows features. In this campaign, attackers copied it into a hidden folder and used it to load a malicious APPWIZ.cpl file.

Is Fondue.exe malware?

No. Fondue.exe is a legitimate Windows binary. The malicious behavior comes from attackers placing a rogue APPWIZ.cpl file beside it and using the trusted executable to load that file.

What malware is deployed through the APPWIZ.cpl side-loading attack?

The reported campaign deploys a Sliver implant through the malicious APPWIZ.cpl file. Related activity also includes a JavaScript-based remote access trojan called SoullessRAT.

Who is targeted by this Fondue.exe side-loading campaign?

The campaign has been reported against government organizations, military personnel, and people involved in drone manufacturing or engineering. The lures include fake Starlink and drone-related applications.

How can defenders detect this attack?

Defenders should monitor Fondue.exe running outside C:\Windows\System32, APPWIZ.cpl loading from unusual folders, new update-style scheduled tasks, Sliver-like network behavior, and suspicious MSI installers from unofficial sources.
