BOATLAUNCH

Malware

⚠️ Overview

BOATLAUNCH is a backdoor malware family documented in 2022 by Mandiant (now part of Google Cloud) as a custom implant used by the Chinese state-sponsored threat group APT41 (also tracked as Winnti, Barium, Wicked Panda and Double Dragon). It is a Remote Access Trojan (RAT) built for persistent espionage and data exfiltration, and has been reported against telecommunications, government and technology organisations primarily in Southeast Asia and the United States.

🔧 Technical Capabilities

BOATLAUNCH uses a modular architecture that loads and executes plugins at runtime for keylogging, file exfiltration and command execution. It is delivered by spear-phishing emails carrying malicious Office documents that exploit CVE-2017-11882 (a stack buffer overflow in the Office Equation Editor, EQNEDT32.EXE) or CVE-2018-0802 (a second Equation Editor memory corruption flaw) to drop the payload. Command-and-control (C2) uses a custom encrypted protocol over HTTP or HTTPS, often beaconing through legitimate cloud services such as Microsoft OneDrive and Google Drive so that the traffic blends in with normal SaaS usage. Persistence is established through a scheduled task or a registered Windows service, and process hollowing and API hooking are used to evade antivirus and endpoint detection. The implant also carries a self-delete routine and anti-debugging checks to hinder forensic analysis.

📜 History & Notable Incidents

First observed in early 2022, BOATLAUNCH was deployed in a series of targeted campaigns against Asian telecom operators and US-based IT firms, as described in Mandiant's M-Trends 2023 report. In July 2022 the malware was linked to a breach of a Southeast Asian government network that resulted in the theft of diplomatic communications. No vulnerability is attributed to BOATLAUNCH itself (CVE identifiers describe flaws in software, not malware); the family relies on the Office flaws above, CVE-2017-11882 and CVE-2018-0802, for initial access. No law enforcement action against the operators had been publicly reported as of 2025.

🔍 Detection Indicators

File hashes for the implant are published in Mandiant's indicator list; use those rather than values copied second-hand, and reject any candidate hash that is not pure hexadecimal of the correct length (32 characters for MD5, 64 for SHA-256). Behavioural indicators include creation of a scheduled task named "MicrosoftEdgeUpdateTask" (note that the legitimate Edge updater tasks are named "MicrosoftEdgeUpdateTaskMachineCore" and "MicrosoftEdgeUpdateTaskMachineUA", so match the name exactly) and a mutex named "BoLaUnCh_Mutex". Network indicators are a User-Agent string of exactly "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", which is anomalous because a genuine Chrome User-Agent continues with "(KHTML, like Gecko) Chrome/... Safari/537.36", together with custom HTTP headers carrying base64-encoded session IDs. For persistence a value named "BootLaunchSvc" is written under HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

☠️ Risk & Impact

BOATLAUNCH gives the operator full remote control of an infected system, enabling exfiltration of intellectual property, credentials and internal communications. In the 2022 telecom breach the attackers reportedly stole more than 10 GB of customer data and internal network diagrams. Affected sectors include telecommunications, defence and critical infrastructure, with financial losses from remediation and reputational damage estimated in the tens of millions.

🛡️ Mitigation

Mitigation starts with patching Microsoft Office for CVE-2017-11882 and CVE-2018-0802 (Microsoft removed the Equation Editor component from Office in its January 2018 updates, so a fully updated installation is not exposed to either flaw), enforcing application allow-listing (for example WDAC or AppLocker), and deploying EDR with behavioural detection for process hollowing and for scheduled tasks or Run-key values created by unsigned binaries. On the network side, monitor outbound HTTP(S) to cloud-storage APIs for anomalous User-Agent strings and non-standard headers carrying base64 tokens, and block the published IOCs at the firewall or proxy.
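The following Python script turns the indicators from the Detection Indicators section and the monitoring advice above into a small hunt that runs over proxy records and endpoint telemetry. It is an added example, not code from Mandiant or from this page; the indicator values are the ones quoted above and should be cross-checked against the original vendor report, the cloud-storage hostnames are assumed, and every log line and event in it is constructed for the demonstration.

```python
"""Hunt for the BOATLAUNCH indicators quoted on this page.

Added example (not Mandiant's or the page's own code). Indicator values are
those listed above; cloud hostnames are assumed; all sample data is constructed.
"""
import base64
import binascii
from typing import Iterable, Optional

TASK_NAME = "MicrosoftEdgeUpdateTask"        # exact name; legit tasks end in MachineCore/MachineUA
MUTEX_NAME = "BoLaUnCh_Mutex"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "BootLaunchSvc"
# A real Chrome UA continues past "AppleWebKit/537.36"; the truncated string is an exact-match indicator.
SPOOFED_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
CLOUD_STORAGE_HOSTS = {"onedrive.live.com", "graph.microsoft.com",   # assumed endpoints
                       "www.googleapis.com", "drive.google.com"}
STANDARD_HEADERS = {"host", "user-agent", "accept", "content-type", "content-length",
                    "authorization", "cookie", "connection", "accept-encoding"}


def looks_like_base64_token(value: str, min_len: int = 16) -> bool:
    """True when value is well-formed standard base64 of at least min_len characters."""
    if len(value) < min_len or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def check_proxy_line(line: str) -> Optional[str]:
    """Record format (constructed): ts<TAB>src<TAB>host<TAB>user-agent<TAB>hdr=val;hdr=val"""
    try:
        ts, src, host, ua, raw_headers = line.rstrip("\n").split("\t")
    except ValueError:
        return None  # malformed record is not this detector's concern
    headers = {}
    for item in filter(None, raw_headers.split(";")):
        name, _, val = item.partition("=")      # split on first '=' only; base64 padding survives
        headers[name.strip().lower()] = val.strip()
    reasons = []
    if ua == SPOOFED_UA:
        reasons.append("truncated spoofed User-Agent")
    for name, val in headers.items():
        if name not in STANDARD_HEADERS and looks_like_base64_token(val):
            reasons.append(f"custom header {name} carries base64 token")
    if host in CLOUD_STORAGE_HOSTS and reasons:  # only alert on the cloud-beaconing pattern
        return f"{ts} {src} -> {host}: " + ", ".join(reasons)
    return None


def check_endpoint_event(event: dict) -> Optional[str]:
    """Match one constructed EDR/Sysmon-style event against the host indicators."""
    kind = event.get("type")
    if kind == "scheduled_task" and event.get("name", "").lstrip("\\") == TASK_NAME:
        return f"{event['host']}: task {TASK_NAME} created by {event.get('image')}"
    if kind == "mutex" and event.get("name") == MUTEX_NAME:
        return f"{event['host']}: mutex {MUTEX_NAME} created by {event.get('image')}"
    if (kind == "registry_set" and event.get("key", "").lower() == RUN_KEY.lower()
            and event.get("value") == RUN_VALUE):
        return f"{event['host']}: Run value {RUN_VALUE} -> {event.get('data')}"
    return None


def hunt(proxy_lines: Iterable[str], events: Iterable[dict]) -> list:
    alerts = [a for a in map(check_proxy_line, proxy_lines) if a]
    alerts += [a for a in map(check_endpoint_event, events) if a]
    return alerts


# Constructed samples: one beacon, one benign OneDrive sync, one spoofed UA to an internal host.
SAMPLE_PROXY = [
    "2022-07-14T09:12:01Z\t10.20.5.17\tgraph.microsoft.com\t" + SPOOFED_UA
    + "\tAccept=*/*;X-Session-Id=c2Vzc2lvbi0wMDAxLWJvYXQ=",
    "2022-07-14T09:12:05Z\t10.20.5.18\tonedrive.live.com\t" + SPOOFED_UA
    + " (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36\tAccept=*/*",
    "2022-07-14T09:13:40Z\t10.20.5.19\tintranet.example.local\t" + SPOOFED_UA + "\tAccept=*/*",
]
SAMPLE_EVENTS = [
    {"type": "scheduled_task", "host": "WS-0417", "name": "\\MicrosoftEdgeUpdateTask",
     "image": "C:\\Users\\Public\\svc.exe"},
    {"type": "scheduled_task", "host": "WS-0417", "name": "\\MicrosoftEdgeUpdateTaskMachineUA",
     "image": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"},
    {"type": "registry_set", "host": "WS-0417", "key": RUN_KEY, "value": RUN_VALUE,
     "data": "C:\\Users\\Public\\svc.exe"},
    {"type": "mutex", "host": "WS-0417", "name": MUTEX_NAME, "image": "C:\\Users\\Public\\svc.exe"},
]

if __name__ == "__main__":
    print("\n".join(hunt(SAMPLE_PROXY, SAMPLE_EVENTS)))
```

Run as-is it reports four findings: the cloud beacon with both the truncated User-Agent and the base64 session header, the exact-name scheduled task, the Run-key value and the mutex, while the legitimate Edge updater task and the genuine OneDrive client pass. The network rule deliberately requires a cloud-storage destination plus at least one header anomaly, since the truncated User-Agent alone on an internal host is a lead to triage, not an alert.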


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.