Anel
Category: Malware
⚠️ Overview
Anel (also written ANEL) is a Windows remote access trojan (RAT) and backdoor first publicly described in vendor reporting from 2017 and 2018, notably by Trend Micro, and attributed to APT10 (also tracked as menuPass and Stone Panda), a threat group linked to Chinese state-sponsored espionage. It is used for surveillance and data exfiltration in targeted spear-phishing campaigns, historically concentrated on government, research, and corporate organizations in Japan.
🔧 Technical Capabilities
Anel achieves persistence through scheduled tasks or registry Run keys, and communicates with its command-and-control (C2) server over HTTP or HTTPS using encrypted payloads. It is delivered by DLL side-loading: a legitimate, signed executable is dropped next to the malicious DLL and loads it, so file-signature checks on the process image alone do not catch it; detection has to key on the DLL being loaded from an unusual, user-writable path. Once running, the backdoor can capture keystrokes, take screenshots, enumerate files and running processes, and download and upload files. Its configuration data and C2 traffic are protected with custom encryption, reported as XOR with a hardcoded key, which means an analyst with a sample can usually recover the key from known plaintext (for example, the leading "http" of the C2 URL) and decode the configuration offline. The malware can also self-terminate when it detects analysis tools or virtual environments, so dynamic analysis should be run with sandbox artifacts hidden.
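The following block illustrates the known-plaintext recovery of a hardcoded repeating XOR key mentioned above. It is an added example, not code from the original page or from any vendor analysis of Anel: the pipe-separated configuration layout, the 3-byte key, and the encrypted blob are all constructed here for illustration and are not Anel's real format or key.

```python
"""Recover a hardcoded repeating-key XOR key from an encrypted configuration blob
using known plaintext, then decrypt and parse it.
Added example: the config layout (c2_url|beacon_seconds|campaign_id), the key and
the blob below are constructed for illustration, not Anel's real format or key."""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def is_printable(data: bytes) -> bool:
    """Heuristic sanity check: a decoded text config should be printable ASCII."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def recover_xor_key(blob: bytes, known_prefix: bytes, max_key_len: int = 16):
    """Known-plaintext attack. If the plaintext starts with known_prefix, then for a
    key of length n every key byte is blob[i] ^ known_prefix[i] for i < n.
    Key lengths are tried from 1 upward; a candidate is accepted when decrypting with
    it reproduces the whole prefix (catching keys shorter than the guess) and yields
    printable text. Returns (key, plaintext) or None. The printability test is only a
    heuristic, so confirm the decoded config makes sense before trusting the key."""
    for key_len in range(1, min(max_key_len, len(known_prefix)) + 1):
        key = bytes(blob[i] ^ known_prefix[i] for i in range(key_len))
        plain = xor_bytes(blob, key)
        if plain.startswith(known_prefix) and is_printable(plain):
            return key, plain
    return None


def parse_config(plain: bytes) -> dict:
    """Constructed layout for this example: c2_url|beacon_seconds|campaign_id."""
    url, interval, campaign = plain.decode("ascii").split("|")
    return {"c2_url": url, "beacon_seconds": int(interval), "campaign_id": campaign}


# Constructed sample: a 3-byte hardcoded key and the configuration it protects.
# The blob is built here so the example runs offline; the recovery code below
# uses only the blob and the known prefix, never SAMPLE_KEY.
SAMPLE_KEY = bytes.fromhex("5aa317")
SAMPLE_CONFIG = b"http://update-check.top/index.php|300|cmp-07"
SAMPLE_BLOB = xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY)


def decrypt_sample():
    """Recover the key from the 'http://' prefix and parse the decoded config."""
    key, plain = recover_xor_key(SAMPLE_BLOB, b"http://")
    return key, parse_config(plain)


if __name__ == "__main__":
    key, cfg = decrypt_sample()
    print("recovered key:", key.hex())
    print("config:", cfg)
```

With a 7-byte known prefix the search can only recover keys of up to 7 bytes; a longer hardcoded key needs a longer known run of plaintext (a trailing NUL pad or a known field separator often supplies it).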
📜 History & Notable Incidents
First identified in 2017 and 2018 reporting, Anel was deployed through spear-phishing campaigns by APT10 against Japanese organizations, with later delivery chains exploiting the Microsoft Office Equation Editor vulnerability CVE-2017-11882 to drop the backdoor. Trend Micro reported its return in renewed APT10-related activity (tracked as Earth Kasha) against Japan in 2024. No major law enforcement actions have been reported against the operators.
🔍 Detection Indicators
File hashes are variant dependent; the value shown in the source, SHA256 7a3f5c8e..., is truncated and cannot be used as an indicator without the full hash. Reported behavioral indicators include scheduled tasks named "WindowsUpdateTask" or "AdobeFlashUpdate" and persistence entries created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Network indicators include HTTP POST requests to domains on the .top or .xyz top-level domains. The reported User-Agent string, "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36", is a stock Chrome-on-Windows-7 value that also appears in legitimate traffic, so it should only add weight when seen together with a suspect destination or beaconing pattern, never as an indicator on its own.
☠️ Risk & Impact
Anel poses a high risk of data exfiltration: its keylogging, screenshot, file enumeration, and upload capabilities are suited to long-term theft of sensitive documents and credentials from compromised workstations. Its historical targeting of Japanese government, research, and corporate organizations means the sectors most at risk are government, defense, and organizations holding politically or commercially sensitive information.
🛡️ Mitigation
Defenders should implement email filtering to block spear-phishing attachments, apply patches for CVE-2017-11882 and other Office vulnerabilities, and deploy endpoint detection rules for DLL side-loading (unsigned DLLs loaded by a signed executable from a user-writable directory) and anomalous scheduled tasks or Run key entries. The MITRE ATT&CK techniques that match the behavior described here are T1566.001 (Spearphishing Attachment), T1203 (Exploitation for Client Execution), T1574.002 (DLL Side-Loading), T1053.005 (Scheduled Task), T1547.001 (Registry Run Keys / Startup Folder), T1056.001 (Keylogging), T1113 (Screen Capture), and T1573.001 (Encrypted Channel: Symmetric Cryptography); they are the right starting points for detection rule creation.
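The block below turns the indicators listed under Detection Indicators and the detection rules recommended above into one scoring pass over host and proxy telemetry. It is an added example, not code from the original page or from any vendor: the event schema (host, kind, and per-kind fields), the sample events, and the weights are constructed for this illustration. The point it makes is that the stock User-Agent string only contributes when paired with a suspicious POST, so a host that merely browses with a normal browser is not flagged.

```python
"""Correlate the host and network indicators described above across constructed
telemetry. Added example, not from the original page or any vendor report: the
event schema (host/kind/... fields), the sample events and the weights are this
example's own."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators from the page: reported task names, suspect TLDs, the stock UA string.
SUSPECT_TASK_NAMES = {"windowsupdatetask", "adobeflashupdate"}
SUSPECT_TLDS = (".top", ".xyz")
STOCK_UA = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
RUN_KEY = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)


def score_event(ev):
    """Return (points, reason). Weights are illustrative: specific indicators score
    high, a Run key alone scores low, and the stock Chrome UA scores nothing by itself."""
    kind = ev["kind"]
    if kind == "task_created" and ev["name"].lower() in SUSPECT_TASK_NAMES:
        return 3, f"scheduled task {ev['name']!r} matches a reported Anel task name"
    if kind == "registry_set" and RUN_KEY.match(ev["key"]) and USER_WRITABLE.match(ev["value"]):
        return 1, f"Run key {ev['key']} points into a user-writable path"
    if kind == "image_load":
        # Side-loading pattern: an unsigned DLL loaded from the loader's own
        # user-writable directory, regardless of whether the loader is signed.
        proc_dir = ev["process"].rsplit("\\", 1)[0].lower()
        dll_dir = ev["image"].rsplit("\\", 1)[0].lower()
        if not ev["signed"] and USER_WRITABLE.match(ev["image"]) and proc_dir == dll_dir:
            return 3, f"unsigned DLL {ev['image']} side-loaded from the process's own directory"
    if kind == "http" and ev["method"] == "POST":
        host = urlparse(ev["url"]).hostname or ""
        if host.endswith(SUSPECT_TLDS):
            pts = 2 + (1 if ev.get("ua") == STOCK_UA else 0)
            return pts, f"POST to {host} (suspect TLD{', stock UA' if pts == 3 else ''})"
    return 0, None


def correlate(events, threshold=4):
    """Sum per-host scores and return only hosts at or above the threshold."""
    scores = defaultdict(lambda: {"score": 0, "reasons": []})
    for ev in events:
        pts, why = score_event(ev)
        if pts:
            scores[ev["host"]]["score"] += pts
            scores[ev["host"]]["reasons"].append(why)
    return {h: v for h, v in scores.items() if v["score"] >= threshold}


# Constructed telemetry: WS-0142 shows the full chain, WS-0207 is a normal host
# whose browser happens to send the same stock UA and whose OneDrive uses a Run key.
EVENTS = [
    {"host": "WS-0142", "kind": "task_created", "name": "WindowsUpdateTask",
     "command": r"C:\Users\alice\AppData\Roaming\Adobe\reader_sl.exe"},
    {"host": "WS-0142", "kind": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Roaming\Adobe\reader_sl.exe"},
    {"host": "WS-0142", "kind": "image_load",
     "process": r"C:\Users\alice\AppData\Roaming\Adobe\reader_sl.exe",
     "image": r"C:\Users\alice\AppData\Roaming\Adobe\version.dll", "signed": False},
    {"host": "WS-0142", "kind": "http", "method": "POST",
     "url": "http://update-check.top/index.php", "ua": STOCK_UA},
    {"host": "WS-0207", "kind": "http", "method": "GET",
     "url": "https://www.example.com/", "ua": STOCK_UA},
    {"host": "WS-0207", "kind": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]


if __name__ == "__main__":
    for host, hit in correlate(EVENTS).items():
        print(host, hit["score"], *hit["reasons"], sep="\n  ")
```

Run against the constructed events, WS-0142 is flagged with four reasons and WS-0207 is not; the Run key rule deliberately scores low because legitimate software such as OneDrive installs itself the same way, and the side-loading rule looks at where the DLL was loaded from rather than whether the loader is signed.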
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.