BleachGap
⚠️ Overview
BleachGap is a modular backdoor first documented by Palo Alto Networks Unit 42 in June 2021 and attributed to the China-linked threat cluster tracked as TA417 (also known as APT10 or Stone Panda). It is classified as a remote access trojan (RAT) and is used primarily for persistent espionage against the telecommunications, government, and technology sectors in Southeast Asia.
🔧 Technical Capabilities
BleachGap propagates via spear-phishing emails carrying weaponized Office documents that download a .NET-based loader from attacker-controlled servers. It establishes command-and-control (C2) over HTTPS with a custom encryption layer. For persistence it relies on DLL side-loading: a copy of a legitimate, signed Windows binary (e.g., msedge.exe) is placed next to a malicious DLL and registered under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key, so the trusted executable loads the implant at each logon. Evasion techniques include process injection into explorer.exe, AMSI patching, and disabling Windows Defender through PowerShell commands. The malware can enumerate files, capture keystrokes, take screenshots, and exfiltrate data over HTTP POST requests. The reported User-Agent string, Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36, is the stock Chrome 91 User-Agent on Windows 10 and also appears in benign browser traffic; treat it as a weak, corroborating indicator rather than a unique signature.
📜 History & Notable Incidents
First observed in June 2021, BleachGap was deployed in a supply-chain attack against a major telecom operator in Indonesia in February 2022, compromising over 30,000 customer records. The malware was also linked to an intrusion at a Vietnamese government ministry in late 2022, where CVE-2021-26855 (the ProxyLogon server-side request forgery in Microsoft Exchange) was exploited on an unpatched server as the initial access vector. No law enforcement actions have been publicly reported as of early 2025.
🔍 Detection Indicators
The file hashes reproduced in the source are placeholders (SHA256 a1b2c3d4e5f6...7890 and MD5 11111111111111111111111111111111) and cannot be used for matching; obtain actual sample hashes from the original Unit 42 report. Network indicators include C2 domains ending in .dynamic-dns.net and the IP range 45.33.32.0/19; a /19 spans 8,192 addresses, so use it as a hunting lead rather than a block list. Mutex names observed are BleachGapMutex_2021 and GlobalBG-Access. Behavioral signatures include high volumes of DNS queries for non-existent subdomains (NXDOMAIN responses) and periodic HTTP beaconing at an interval of roughly 120 seconds.
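Beacon cadence is the most robust of the network indicators above, since the User-Agent alone matches ordinary Chrome 91 traffic. The following is an added example (not code from the page, Unit 42, or the Boteraser site) that groups constructed proxy log lines by source host and destination, measures inter-request gaps, and flags pairs whose median gap sits near 120 seconds with low jitter. The log format, host names, IP addresses and the .dynamic-dns.net subdomain are constructed for illustration; the 10% tolerance and five-event minimum are assumed tuning values.

```python
"""Periodic-beacon detection over constructed HTTP proxy log lines.

Added example for this page; the log layout and all hosts below are
constructed and do not come from any vendor report.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Stock Chrome 91 / Windows 10 User-Agent quoted in the writeup. Because it is
# the default UA of a very common browser build, it only raises the score of a
# host that is already beaconing; it never triggers on its own.
REPORTED_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
C2_SUFFIX = ".dynamic-dns.net"   # domain suffix named in the detection indicators


def _constructed_log():
    """Build sample lines: '<ISO timestamp> <src> <method> <host> <user-agent>'."""
    # Beaconing host: ~120 s cadence with a few seconds of jitter (constructed).
    beacon = ["10:00:00", "10:02:01", "10:03:59", "10:06:00", "10:08:02", "10:10:00"]
    # Ordinary browsing host: irregular gaps, same stock UA (constructed).
    browse = ["10:00:05", "10:00:09", "10:00:40", "10:05:12", "10:05:13", "10:17:00"]
    lines = [f"2024-03-01T{t} 10.0.0.5 POST c2-sync.dynamic-dns.net {REPORTED_UA}"
             for t in beacon]
    lines += [f"2024-03-01T{t} 10.0.0.7 GET news.example.com {REPORTED_UA}"
              for t in browse]
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_log(text):
    """Group events by (source, destination host) -> [(timestamp, ua), ...]."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, _method, host, ua = line.split(" ", 4)
        events[(src, host)].append((datetime.fromisoformat(ts), ua))
    return events


def beacon_score(timestamps, expected=120, tolerance=0.10, min_events=5):
    """Return interval statistics if the series looks like a fixed-period beacon.

    A series qualifies when its median gap is within `tolerance` of `expected`
    and the median absolute deviation of the gaps is also within that band,
    i.e. the cadence is both close to the expected period and stable.
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = statistics.median(gaps)
    mad = statistics.median(abs(g - med) for g in gaps)
    band = expected * tolerance
    if abs(med - expected) <= band and mad <= band:
        return {"median_interval": med, "mad": mad, "events": len(ts)}
    return None


def find_beacons(text, expected=120):
    """Return one finding per (src, host) pair that beacons at ~`expected` seconds."""
    hits = []
    for (src, host), evs in parse_log(text).items():
        score = beacon_score([t for t, _ in evs], expected)
        if score:
            score.update(
                src=src,
                host=host,
                reported_ua=all(ua == REPORTED_UA for _, ua in evs),
                suffix_match=host.endswith(C2_SUFFIX),
            )
            hits.append(score)
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Only 10.0.0.5 is reported: its gaps of 118 to 122 seconds give a median of 121 with a median absolute deviation of 1, while the browsing host (same User-Agent, irregular gaps) drops out. In production, run this over a sliding window per host and expect legitimate software that polls on a fixed timer to show up as well; the domain suffix and User-Agent fields are there to rank those hits, not to suppress them.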
☠️ Risk & Impact
BleachGap enables full remote control of infected hosts, leading to the exfiltration of classified government documents, intellectual property, and personally identifiable information. Financial losses are estimated at over $4 million for the affected telecom operator, and the telecommunications and defense sectors are reported as the most heavily targeted industries.
🛡️ Mitigation
Defenders should apply the latest security patches for Microsoft Exchange and enable multi-factor authentication on external-facing services. Deploy network monitoring rules that combine the ~120-second beaconing cadence with the reported User-Agent string and the .dynamic-dns.net suffix, since the User-Agent by itself is the stock Chrome 91 value and will match benign traffic. On endpoints, have EDR alert on msedge.exe executing from outside its installation directory (by default C:\Program Files (x86)\Microsoft\Edge\Application) and on DLLs loaded from that same non-standard directory, and audit HKCU Run-key entries for such paths. For detailed IOCs, refer to the Unit 42 blog post titled "BleachGap: A New Backdoor in the Wild" (June 2021). Relevant MITRE ATT&CK techniques are T1055.001 (Process Injection: Dynamic-link Library Injection), T1574.002 (Hijack Execution Flow: DLL Side-Loading), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1112 (Modify Registry).
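The persistence mechanism described under Technical Capabilities and the endpoint rule suggested here come down to one check: a known side-loading host binary (msedge.exe) launched by a Run-key value from a directory where Windows does not install it. The following added example (not code from the page, Unit 42, or Boteraser) applies that check to a constructed set of HKCU Run entries, and includes an optional reader for the live key on Windows. The Run-entry names, user profile paths and command lines are constructed; the expected Edge installation directories are the defaults for 64-bit and 32-bit Windows, and the table is deliberately limited to the one binary the page names.

```python
"""Audit HKCU Run-key entries for side-loading hosts launched from odd paths.

Added example for this page. The Run entries below are constructed; the only
real data are the default Microsoft Edge installation directories.
"""
import ntpath  # Windows path semantics, available on every platform

# Binaries the writeup names as side-loading hosts, mapped to the directories
# Windows installs them under. Matching is a case-insensitive prefix match so
# that versioned subdirectories still count as expected locations.
EXPECTED_DIRS = {
    "msedge.exe": (
        r"C:\Program Files (x86)\Microsoft\Edge\Application",
        r"C:\Program Files\Microsoft\Edge\Application",
    ),
}

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "EdgeUpdate": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window',
    "WinSvcHelper": r'"C:\Users\alice\AppData\Roaming\Sync\msedge.exe" --no-startup-window',
    "Updater": r"C:\ProgramData\Edge\msedge.exe",
}


def exe_from_command(cmd):
    """Extract the executable path from a Run-key command line.

    Quoted paths are taken verbatim; for unquoted ones, tokens are joined until
    the accumulated prefix ends in .exe, which copes with spaces in the path.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split(" ")
    for i in range(len(parts)):
        candidate = " ".join(parts[: i + 1])
        if candidate.lower().endswith(".exe"):
            return candidate
    return parts[0]


def is_suspicious_run_entry(name, cmd):
    """Return a finding when a listed host binary runs outside its install dir."""
    exe = exe_from_command(cmd)
    base = ntpath.basename(exe).lower()
    if base not in EXPECTED_DIRS:
        return None
    folder = ntpath.normcase(ntpath.dirname(exe))
    for good in EXPECTED_DIRS[base]:
        if folder.startswith(ntpath.normcase(good)):
            return None
    return {
        "value": name,
        "binary": base,
        "path": exe,
        "reason": "side-loading host launched from a non-standard directory",
    }


def audit_run_entries(entries):
    """Apply the check to a {value name: command line} mapping."""
    findings = (is_suspicious_run_entry(n, c) for n, c in entries.items())
    return [f for f in findings if f]


def read_hkcu_run():
    """Read the live HKCU Run key on Windows; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    entries = {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries[name] = str(data)
            index += 1
    return entries


if __name__ == "__main__":
    for finding in audit_run_entries(read_hkcu_run() or RUN_ENTRIES):
        print(finding)
```

Against the constructed entries, WinSvcHelper (msedge.exe under the user's roaming profile) and Updater (msedge.exe under C:\ProgramData) are flagged, while the genuine Edge entry and the unrelated OneDrive entry pass. On a live host the same check should be extended to HKLM Run and RunOnce keys, and a hit should be followed by listing the DLLs in the flagged directory, since the executable itself will be the legitimately signed Microsoft binary.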
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.