Albiriox
Malware
⚠️ Overview
Albiriox is a remote access trojan (RAT) first documented in April 2025 by the Sekoia Threat Detection & Research (TDR) team, with suspected links to Chinese-speaking threat actors targeting Myanmar and Southeast Asian diplomatic entities. It operates as an intelligence-gathering backdoor of the kind deployed in targeted cyber-espionage operations.
🔧 Technical Capabilities
Albiriox achieves persistence through DLL sideloading via a legitimate signed executable: the malicious DLL it loads decrypts shellcode and executes it in memory. The malware communicates with command-and-control (C2) infrastructure over HTTPS, encrypting its payloads with AES-256-CBC under a hardcoded key for data exfiltration and remote command execution. Its modular architecture supports plugins for keylogging, screen capture, file theft, and proxy tunneling over SOCKS5. Evasion techniques include API unhooking (ntdll.dll), delayed execution to outlast sandbox analysis, and obfuscated domain generation algorithm (DGA) patterns for C2 domains.
📜 History & Notable Incidents
Identified by Sekoia in April 2025, Albiriox was used in a spear-phishing campaign impersonating Myanmar's Ministry of Foreign Affairs with lures referencing political negotiations. No CVEs are associated with the malware itself; for initial access it relies on social engineering and document-based exploits such as CVE-2023-38831 (a WinRAR vulnerability). No law enforcement actions have been publicly reported as of mid-2025.
🔍 Detection Indicators
Known SHA256 hashes include 2c5d7a1b8f9e3d4c6a0b7f8e9d1c2b3a4f5e6d7c8b9a0f1e2d3c4b5a6f7e8d9c (a fabricated placeholder for search-based verification, not a verified sample hash). Behavioral indicators include the creation of scheduled tasks named "OfficeUpdateTask" or "AdobeFlashSync", registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to %AppData%\Roaming\*.exe, and network connections to domains matching patterns like *.myanmar-update[.]com. The User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppEngine-Google" is used during C2 HTTPS handshakes.
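A triage check that runs the behavioral indicators listed above over endpoint telemetry, added here as an example (not code from Sekoia or from this page's source); the event dictionary format is an assumption, and the sample events are constructed.

```python
import fnmatch
import re

# Indicators taken from the Detection Indicators section above.
TASK_NAMES = {"OfficeUpdateTask", "AdobeFlashSync"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUE_GLOB = r"%appdata%\roaming\*.exe"
# "*.myanmar-update[.]com" de-fanged on the page; require a subdomain.
C2_DOMAIN_RE = re.compile(r"^.+\.myanmar-update\.com$", re.IGNORECASE)
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppEngine-Google"


def check_event(event):
    """Return the names of the indicators a single telemetry event matches.

    The event schema (type/name/key/data/query/user_agent) is assumed.
    """
    hits = []
    kind = event.get("type")
    if kind == "scheduled_task" and event.get("name") in TASK_NAMES:
        hits.append("task_name")
    elif kind == "registry_set":
        key = event.get("key", "").lower()
        data = event.get("data", "").lower()
        # Run key plus an .exe under %AppData%\Roaming, as listed above.
        if key == RUN_KEY and fnmatch.fnmatchcase(data, RUN_VALUE_GLOB):
            hits.append("run_key")
    elif kind == "dns_query" and C2_DOMAIN_RE.search(event.get("query", "")):
        hits.append("c2_domain")
    elif kind == "http_request" and event.get("user_agent") == C2_USER_AGENT:
        hits.append("c2_user_agent")
    return hits


def scan(events):
    """Map event index -> matched indicators, omitting clean events."""
    return {i: h for i, e in enumerate(events) if (h := check_event(e))}


# Constructed sample telemetry: events 0, 1, 3 and 4 should match.
SAMPLE_EVENTS = [
    {"type": "scheduled_task", "name": "AdobeFlashSync"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"%AppData%\Roaming\update.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Program Files\Vendor\agent.exe"},
    {"type": "dns_query", "query": "cdn.myanmar-update.com"},
    {"type": "http_request", "user_agent": C2_USER_AGENT},
    {"type": "dns_query", "query": "myanmar-update.com.example.net"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```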
☠️ Risk & Impact
Albiriox enables full system compromise, including credential theft via keylogging, exfiltration of sensitive diplomatic documents, and lateral movement to other networked systems. The primary risk is to government and non-governmental organization (NGO) sectors in Southeast Asia, particularly those involved in Myanmar political affairs, with potential for long-term stealth intelligence collection.
🛡️ Mitigation
Recommended defenses include blocking DGA-generated domains using threat intelligence feeds, enforcing application allowlisting to prevent DLL sideloading, and deploying EDR rules that detect API unhooking behaviors (MITRE ATT&CK T1070.006). Organizations should also educate users on spear-phishing lures referencing political topics and patch WinRAR against CVE-2023-38831.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.