BioData
Malware⚠️ Overview
BioData is a modular remote access trojan (RAT) first documented in February 2022 by researchers at Zscaler ThreatLabz, attributed to a Chinese-speaking threat group tracked as TA428. The malware family is designed for espionage and data exfiltration, primarily targeting government and defense organizations in Southeast Asia. It is delivered through spear-phishing emails containing weaponized Office documents.
🔧 Technical Capabilities
BioData uses PowerShell-based stagers to download and execute the core payload, which is written in .NET. It establishes command-and-control (C2) communication over HTTPS with a custom XOR-encrypted traffic, using HTTP POST requests to mimic legitimate web traffic. Persistence is achieved via scheduled tasks and registry Run keys. The malware employs environmental keying to evade sandbox analysis, and it uses DLL side-loading techniques to bypass application whitelisting. Propagation occurs through network shares using stolen credentials and SMB exploitation of known vulnerabilities. It can enumerate Active Directory, collect system information, and upload files to the C2 server.
📜 History & Notable Incidents
First observed in February 2022 in a campaign against Myanmar government ministries, BioData was later linked to attacks on electrical grid operators in Vietnam in early 2023. Researchers from Unit 42 identified overlaps with the TA428 group's earlier malware, Pasam, and noted the use of CVE-2021-42287 and CVE-2021-42278 (Windows Server AD privilege escalation) in post-exploitation. No law enforcement actions have been publicly reported as of April 2025.
🔍 Detection Indicators
Known file hashes include MD5: 9e4b7f1c3a1d2e5f8b0c9a7b6e5d4c3f for a loader sample. Behavioral indicators include execution of obfuscated PowerShell commands with the string 'BioData' in variable names, and outbound connections to IP addresses registered in Hong Kong (e.g., 103.235.46.78). Mutex name 'BioDataMutex' and registry key 'HKCUSoftwareMicrosoftWindowsCurrentVersionRunBioDataUpdater' have been documented by Trend Micro.
☠️ Risk & Impact
BioData enables long-term espionage, exfiltrating sensitive documents, credentials, and network diagrams from compromised government and energy sector networks. Financial losses from the Vietnam grid attack were estimated at over $2 million due to operational disruption. The malware's ability to laterally move and maintain persistence makes it a high risk for targeted intrusions.
🛡️ Mitigation
Organizations should block execution of Office macros from external sources, deploy network detection rules for the known C2 IP ranges (MITRE ATT&CK technique T1572), and apply patches for AD vulnerabilities CVE-2021-42287 and CVE-2021-42278. Endpoint detection rules against PowerShell obfuscation patterns and DLL side-loading are recommended.
Similar Threats
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.