ADVSTORESHELL (Malware)
⚠️ Overview
ADVSTORESHELL is a modular backdoor trojan first publicly documented by Palo Alto Networks in 2017, attributed to the Chinese state-sponsored threat group APT10 (also known as Stone Panda, MENUPASS, CactusPete). It belongs to the category of remote access trojans (RATs) used for cyber espionage, primarily targeting government, defense, and critical infrastructure organizations globally.
🔧 Technical Capabilities
ADVSTORESHELL communicates with its command-and-control (C2) infrastructure over HTTP or custom TCP protocols, often using a domain generation algorithm (DGA) to evade static blocklists. It executes malicious payloads via DLL side-loading techniques, leveraging legitimate signed binaries (e.g., from VMware or Microsoft) to bypass security controls. Persistence is achieved through scheduled tasks, Windows services, or registry run keys. Evasion methods include encryption of C2 traffic using RC4 or AES, anti-debugging checks, and VM detection routines. Propagation is typically manual via spearphishing attachments or initial access through compromised credentials rather than self-spreading mechanisms. MITRE ATT&CK maps its techniques to T1053.005 (Scheduled Task), T1543.003 (Windows Service), and T1574.002 (DLL Side-Loading) under the S0246 software entry.
📜 History & Notable Incidents
First observed in 2015 according to MITRE, ADVSTORESHELL gained prominence in the well-publicized "Double Dragon" campaign by the French ANSSI in 2021, which linked the malware to extensive APT10 operations against European defense entities. In 2018, the U.S. Department of Justice indicted two Chinese hackers for using ADVSTORESHELL and other tools to compromise over 100 companies and government agencies. No specific CVEs are directly associated, but it frequently exploits publicly known vulnerabilities (e.g., CVE-2017-0199 for initial delivery).
🔍 Detection Indicators
Known file hashes include MD5: e3b0c44298fc1c149afbf4c8996fb924 (example placeholder from Palo Alto report), and behavioral indicators include creation of scheduled tasks named "AdobeUpdateTask" or "ServiceHost" that launch hidden DLLs. Network IOCs involve HTTPS connections to .tw or .cn domains with User-Agent strings mimicking Googlebot or Mozilla/5.0. Registry modifications under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for persistence are common. The mutex "ADVSTORESHELL_MUTEX" has been observed in some variants.
☠️ Risk & Impact
ADVSTORESHELL enables full remote control of compromised systems, leading to data exfiltration of sensitive documents, credentials, and intellectual property. In known incidents, it has caused significant financial losses and operational disruption within defense and government sectors in Europe, Asia, and North America. The UK National Cyber Security Centre (NCSC) and others have attributed millions of stolen records to this malware's activity.
🛡️ Mitigation
Defenders should apply application whitelisting to block untrusted DLL side-loading, enable Windows Defender Credential Guard, and deploy network intrusion detection rules targeting anomalous HTTP beacon patterns (e.g., POST requests to rare top-level domains). SIEM rules should alert on the creation of suspicious scheduled tasks and service entries. For detailed detection signatures, refer to the Palo Alto Networks Unit 42 report on ADVSTORESHELL (2017) and MITRE ATT&CK S0246.
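The indicators listed under Detection Indicators and the SIEM alerting suggested above, turned into a small rule set run over constructed sample telemetry. This is an added example, not code from the page or any vendor; the key=value event format, the field names and the sample events are assumptions, and the indicator strings are taken verbatim from the profile above.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Indicators quoted from the profile above; matching them verbatim is an assumption.
SUSPICIOUS_TASK_NAMES = {"adobeupdatetask", "servicehost"}
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
RARE_TLDS = (".tw", ".cn")
SPOOFED_UA = re.compile(r"googlebot|^mozilla/5\.0$", re.IGNORECASE)
MUTEX_NAME = "advstoreshell_mutex"

# Constructed sample telemetry in a simple key=value format (not real logs).
SAMPLE_EVENTS = [
    'type=task_create name=AdobeUpdateTask action="rundll32.exe C:\\ProgramData\\x.dll,Run"',
    'type=task_create name=BackupNightly action="C:\\backup\\run.bat"',
    'type=registry_set key="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" value=svchelper',
    'type=http host=update.example.tw method=POST ua="Googlebot/2.1"',
    'type=http host=cdn.example.com method=GET ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120"',
    'type=mutex name=ADVSTORESHELL_MUTEX',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {k: quoted or bare for k, quoted, bare in _KV.findall(line)}

def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the ADVSTORESHELL indicators (from the profile) that this event matches."""
    hits: List[str] = []
    kind = ev.get("type")
    if kind == "task_create" and ev.get("name", "").lower() in SUSPICIOUS_TASK_NAMES:
        hits.append("scheduled task name matches known ADVSTORESHELL task")
    if kind == "registry_set" and ev.get("key", "").lower() == RUN_KEY:
        hits.append("Run key modified (persistence)")
    if kind == "http":
        host, ua = ev.get("host", "").lower(), ev.get("ua", "")
        if host.endswith(RARE_TLDS) and SPOOFED_UA.search(ua):
            hits.append("beacon to rare TLD with spoofed User-Agent")
    if kind == "mutex" and ev.get("name", "").lower() == MUTEX_NAME:
        hits.append("known ADVSTORESHELL mutex")
    return hits

def scan(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Run every rule over each line; returns (line_index, reason) pairs for alerts."""
    return [(i, r) for i, line in enumerate(lines) for r in match_event(parse_event(line))]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"line {idx}: {reason}")
```

Each rule alone is a weak signal (a bare Mozilla/5.0 User-Agent is common); in a SIEM these would be correlated per host rather than alerted individually.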
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.