How are hackers using Inno Setup Installer to deliver malware in 2025?

In 2025, cybercriminals are abusing the trusted Inno Setup Windows installer to deliver multi-stage malware such as RedLine Stealer by embedding malicious scripts in legitimate-looking installers. This sophisticated technique uses Inno Setup’s Pascal scripting capabilities to evade antivirus detection, perform system reconnaissance, and maintain persistence using Windows utilities like schtasks and MSBuild.exe. Researchers have uncovered malware campaigns that execute DLL side-loading, sandbox evasion, and XOR-based encryption within trusted installation frameworks, tricking users into installing dangerous payloads under the guise of genuine software.

Security News & Threat Intelligence Jul 5, 2025 21 Add to Reading List

Cybercriminals are increasingly misusing the Inno Setup Windows installer framework to slip malicious code past unsuspecting users and security tools. By embedding multi‑stage payloads inside seemingly harmless installers, attackers are quietly delivering RedLine Stealer, HijackLoader, and other info‑stealing malware while evading signature‑based defenses.

Why Legitimate Installers Are Becoming a Go‑To Attack Vector

Users naturally trust well‑known installation wizards.
Security products often grant installers elevated privileges to finish setup tasks.
Popular frameworks such as Inno Setup and NSIS support powerful scripting engines that can be hijacked for covert behavior.

What Makes Inno Setup Attractive to Threat Actors

Inno Setup is an open‑source tool designed to simplify software deployment. Key features that attackers abuse include:

Pascal scripting that can download, unpack, or run additional payloads.
Customizable GUI elements that disguise malware as genuine apps.
Built‑in compression that hides large binaries in a single executable.

By leveraging these capabilities, adversaries produce installers that look and feel legitimate while executing malicious logic in the background.

Inside the Latest Malware Campaign Uncovered by Splunk

Stage One – Weaponized Installer

The installer’s Pascal script uses XOR‑encrypted strings to hide command‑line arguments and URLs until run time. It then extracts embedded resources and launches a decoy program so the user sees a normal setup window.

Stage Two – Environment Reconnaissance

A burst of Windows Management Instrumentation (WMI) queries checks running processes and hardware profiles. If sandbox tools or virtual‑machine artifacts appear, the installer immediately exits to avoid analysis.

Stage Three – Persistence & Payload Deployment

The script drops an encrypted DLL to %APPDATA%\Roaming\controlExplore\ and registers a hidden scheduled task that runs at reboot. A legitimate binary (ScoreFeedbackTool.exe) later side‑loads the trojanized QtGuid4.dll, which decrypts HijackLoader and finally launches RedLine Stealer inside MSBuild.exe to blend with trusted Windows processes.

Infection Chain at a Glance

Component / Step	Purpose	Notable Technique
Weaponized Inno Setup installer	Initial execution	Pascal scripting, XOR‑encrypted strings
Decoy application	User distraction	Genuine GUI, signed binary
WMI reconnaissance	Sandbox evasion	`Select * from Win32_Process` queries
Hidden scheduled task	Persistence	`schtasks /Create … WhatsAppSyncTaskMachineCore`
DLL side‑loading	Stealth execution	Trojanized QtGuid4.dll
MSBuild.exe payload	Final stage	In‑memory RedLine Stealer injection

Advanced Evasion Tactics Observed

Filename pattern checks (e.g., application_stable_release) to decide when to run.
Multiple layers of XOR encryption around configuration data.
Abuse of trusted Windows utilities to blend malicious activity with normal OS behavior.
Early termination if debugging or monitoring tools are present.

Understanding RedLine Stealer – The Endgame

Once running, RedLine Stealer harvests browser passwords, session cookies, and cryptocurrency wallet files before exfiltrating them to a command‑and‑control server. Because the stealer rides inside MSBuild.exe, many endpoint products treat the process as benign, giving attackers an extended window to siphon data.

Indicators of Compromise (IOCs)

Unexpected scheduled tasks referencing WhatsAppSyncTaskMachineCore.
Executions of MSBuild.exe from user‑profile paths.
Outbound traffic to rare or newly registered domains over ports 443 and 18852.
Presence of ScoreFeedbackTool.exe alongside a modified QtGuid4.dll.

How to Defend Against Inno Setup Abuse

Block unsigned or unknown installers via application‑allow‑listing tools.
Enforce digital‑signature validation for all internal software packages.
Deploy behavior‑based detections that flag installers spawning scripting engines, WMI queries, or MSBuild.exe children.
Inspect scheduled‑task creation in user contexts; flag invisible or oddly named tasks.
Train users to verify download sources and checksum values before launching any installer.

Key Takeaways

Attackers are capitalizing on the implicit trust users place in installers like Inno Setup.
Multi‑layer evasion—encryption, sandbox checks, DLL side‑loading—keeps detection rates low.
Security teams should treat installer abuse as a rising threat class and update controls accordingly.
Proactive monitoring of scheduled tasks, MSBuild.exe spawn patterns, and unusual outbound domains is critical to spotting infections early.

FAQs

What is Inno Setup and why is it being misused by hackers?

Inno Setup is a popular Windows installer framework. Hackers misuse its scripting features to deliver hidden malware in trusted-looking installers.

What type of malware is delivered using Inno Setup?

RedLine Stealer, HijackLoader, and other info-stealing malware are commonly delivered using modified Inno Setup installers.

How does Pascal scripting help attackers?

Pascal scripting in Inno Setup enables attackers to embed logic that downloads payloads, encrypts strings, and evades detection.

Why do users trust Inno Setup installers?

Because they resemble standard Windows installers and often mimic legitimate apps, users assume they are safe.

What is DLL side-loading in malware attacks?

It’s a technique where a legitimate program loads a malicious DLL instead of the intended one, allowing silent execution of malware.

How does the malware avoid detection?

It uses XOR encryption, WMI queries to detect sandbox environments, and avoids suspicious behavior until execution conditions are met.

What is MSBuild.exe used for in this attack?

Attackers inject the final payload into MSBuild.exe, a trusted Microsoft development tool, to hide malicious behavior.

How is persistence achieved in this campaign?

By creating hidden scheduled tasks that auto-run malware at reboot using Windows Task Scheduler.

What signs should users watch for?

Unexpected installer behavior, scheduled tasks with strange names, or unknown apps spawning MSBuild.exe.

What is RedLine Stealer?

RedLine Stealer is a malware that steals browser data, saved passwords, and cryptocurrency wallet info from infected systems.

How does the malware detect virtual machines?

It uses WMI queries like Select * from Win32_Processor to identify VMs used in malware analysis labs.

Why is this malware hard to detect?

Because it mimics legitimate software behavior and delays suspicious actions to evade sandboxes and antivirus.

What is XOR encryption in malware?

It’s a simple form of obfuscation used to hide strings and configuration data until runtime.

What does ScoreFeedbackTool.exe do in this attack?

It is a legitimate application used to load the malicious QtGuid4.dll via DLL side-loading.

What is the role of QtGuid4.dll in this chain?

It’s a trojanized DLL that decrypts and runs the final stage malware hidden in the installer.

How are phishing campaigns delivering this malware?

Attackers disguise the malicious installer as software updates or tools in phishing emails or fake websites.

Can antivirus detect these Inno Setup-based threats?

Traditional AV may miss them due to obfuscation and legitimate software wrappers; behavior-based EDR is more effective.

How can system admins detect infected systems?

Monitor for unauthorized scheduled tasks, unusual MSBuild.exe executions, or communication to rare domains.

What is HijackLoader?

HijackLoader is a malware loader used to deploy other malicious components stealthily in memory.

How do attackers ensure their malware is only run once?

They use filename checks and system profiling to avoid repeating the attack or triggering detection.

What command is used for persistence in this malware?

schtasks /Create /xml %temp%\lang WhatsAppSyncTaskMachineCore /f is used to create a hidden task.

Why are installer frameworks targeted?

They offer trust, elevated permissions, and scripting capabilities—ideal for stealth malware delivery.

What is WMI and how is it used here?

WMI allows querying system data; malware uses it to check for analysis environments before running.

Are only Inno Setup installers being exploited?

No, but Inno Setup is a common target due to its popularity and scripting support.

How can users protect themselves from such threats?

Download software only from official sources, verify checksums, and avoid opening installers from unknown emails.

What is sandbox evasion in malware?

It’s the technique of detecting whether the malware is being analyzed in a test environment and then halting execution.

How do attackers hide the final payload?

They embed it in a DLL, delay execution, or inject it into trusted processes like MSBuild.exe.

Can this malware infect enterprise networks?

Yes, especially through phishing campaigns or compromised repositories targeting multiple users.

What organizations identified this threat?

Security researchers from Splunk published a detailed analysis of this advanced malware campaign.