Malicious Signal, Line, and Gmail Installers Target Chinese-Speaking Users with Backdoors
ID: 415ddc0f-e0bf-56a9-a392-c1424cf07521
STIX ID: report--415ddc0f-e0bf-56a9-a392-c1424cf07521
Feed Name: Hunt.io Blog
This report analyzes a campaign that used deceptive download pages, hosted on a small set of Alibaba-hosted servers, to distribute backdoored Windows executables masquerading as popular apps (Signal, Line, Gmail, BitBrowser). Dynamic analysis indicates the samples extract payloads to a temporary directory, spawn nested executables, inject into other processes, add a Microsoft Defender exclusion covering the entire C: drive (which effectively turns off on-access scanning for anything written to the system volume), and initiate outbound network connections. The report provides domains, IPs, and multiple SHA-256 file hashes to aid detection and mitigation.
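A drive-root Defender exclusion is one of the more durable artifacts this kind of installer leaves behind, and it survives even after the dropped executables are cleaned up. The following PowerShell script is an added example written for this page, not code from the Hunt.io report or from the samples it describes. It audits the current Defender exclusion list for over-broad path entries (drive roots and a few system roots), cross-checks the Exclusions\Paths registry key, and looks back through Defender's operational log for event ID 5007 (configuration change) entries that mention exclusions. The regular expressions, the 7-day lookback, and the output object shape are assumptions chosen for illustration; adjust them to your environment.

```powershell
# Added example (not from the Hunt.io report): audit Microsoft Defender for
# over-broad path exclusions such as the C:\ exclusion described in the report.
# Run in an elevated PowerShell session on the host being examined.

function Get-BroadDefenderExclusions {
    [CmdletBinding()]
    param(
        # Assumed patterns for "too broad to be legitimate": drive roots and system roots.
        [string[]]$BroadPatterns = @(
            '^[A-Za-z]:\\?$',            # C:, C:\
            '^[A-Za-z]:\\Windows\\?$',   # C:\Windows
            '^[A-Za-z]:\\Users\\?$',     # C:\Users
            '^[A-Za-z]:\\\*'             # C:\* style wildcards
        ),
        # Assumed lookback window for the event-log check.
        [int]$LookbackDays = 7
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Live configuration as reported by the Defender cmdlets.
    $pref = Get-MpPreference
    foreach ($path in @($pref.ExclusionPath)) {
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        foreach ($re in $BroadPatterns) {
            if ($path -match $re) {
                $findings.Add([pscustomobject]@{
                    Source = 'Get-MpPreference'; Kind = 'Path'; Value = $path; Note = "matches $re"
                })
                break
            }
        }
    }

    # 2. Registry view of the same setting; useful when the cmdlet output is
    #    being tampered with or when examining an offline-mounted hive.
    $regKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
    if (Test-Path $regKey) {
        $props = Get-ItemProperty -Path $regKey
        foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
            foreach ($re in $BroadPatterns) {
                if ($name -match $re) {
                    $findings.Add([pscustomobject]@{
                        Source = 'Registry'; Kind = 'Path'; Value = $name; Note = "matches $re"
                    })
                    break
                }
            }
        }
    }

    # 3. Defender operational log: event ID 5007 is "platform configuration
    #    changed"; filtering on "Exclusions" in the message surfaces when the
    #    exclusion was added and by which path.
    $since = (Get-Date).AddDays(-$LookbackDays)
    try {
        $events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Windows Defender/Operational'
            Id        = 5007
            StartTime = $since
        } -ErrorAction Stop
        foreach ($ev in $events) {
            if ($ev.Message -match 'Exclusions') {
                $findings.Add([pscustomobject]@{
                    Source = 'EventLog'; Kind = 'ConfigChange'
                    Value  = $ev.TimeCreated.ToString('s')
                    Note   = ($ev.Message -split "`n" | Where-Object { $_ -match 'Exclusions' }) -join ' | '
                })
            }
        }
    } catch {
        # No matching events (or log unavailable) is itself worth recording.
        $findings.Add([pscustomobject]@{
            Source = 'EventLog'; Kind = 'Info'; Value = 'none'; Note = $_.Exception.Message
        })
    }

    return $findings
}

# Usage: list findings, then optionally remove a confirmed-malicious exclusion.
$results = Get-BroadDefenderExclusions
$results | Format-Table -AutoSize
# Remediation once confirmed (uncomment deliberately; this changes live config):
# Remove-MpPreference -ExclusionPath 'C:\'
```

Treat any drive-root exclusion as a finding to be explained, not merely logged: legitimate software occasionally requests narrow folder exclusions, but almost nothing has a reason to exclude an entire system volume. Pair a hit here with the file hashes and network indicators from the report to scope the incident on that host.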
