BOOSTWRITE
Malware
⚠️ Overview
Boostwrite is a remote access trojan (RAT) with information-stealing capability, first documented by Palo Alto Networks Unit 42 in January 2025 and attributed to a Chinese-speaking threat actor tracked as UNC5220 (associated with the Flax Typhoon cluster). It is used for initial access and espionage. The name collides with an unrelated BOOSTWRITE, an in-memory dropper that FireEye documented in 2019 as part of FIN7's toolset, so check which family a given report or IoC refers to before acting on it.
🔧 Technical Capabilities
Boostwrite arrives through spear-phishing emails carrying malicious LNK files that download and execute a Python-based loader. The loader fetches the payload from a remote C2 server over HTTP GET and falls back to domains produced by a domain generation algorithm (DGA) when the primary server is unreachable. Persistence is a scheduled task named "MicrosoftEdgeUpdateTask" that runs the malware every 30 minutes. Evasion includes a sandbox check on system uptime (under one hour triggers a sleep), an attempt to disable Microsoft Defender by setting the registry value HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware, and base64-encoded commands intended to defeat static signatures. Note that current Windows 10 and 11 builds ignore the legacy DisableAntiSpyware value and Tamper Protection blocks such policy changes, so the registry write is more useful as a detection signal than it is effective as evasion; likewise, base64 hides nothing from tooling that decodes -EncodedCommand arguments.
📜 History & Notable Incidents
Boostwrite was first observed in December 2024 in campaigns against telecommunications and semiconductor organizations in Southeast Asia. In a notable January 2025 incident, a Taiwanese telecommunications provider was compromised and Boostwrite was used to stage Cobalt Strike for lateral movement. No CVE is assigned to the malware itself; the delivery chains described in a February 2025 Unit 42 analysis exploited CVE-2023-38831, the WinRAR flaw (fixed in 6.23) in which opening a benign-looking file from an archive that also contains a same-named folder causes a script in that folder to run.
🔍 Detection Indicators
The source cites Unit 42's IoC list for file hashes, but the SHA-256 value it reproduces is malformed (it contains non-hexadecimal characters and is not 64 hex digits), so it is not repeated here; take hashes directly from the original IoC list. Behavioral indicators: outbound HTTP to domains under .xyz or .top with the User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", which is the Chrome prefix with the usual "(KHTML, like Gecko) Chrome/... Safari/537.36" tokens missing and therefore does not match any real browser; creation of the Run value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate; and the mutex Global\BoostMutex, created to prevent multiple instances. The genuine Edge updater registers tasks named MicrosoftEdgeUpdateTaskMachineCore and MicrosoftEdgeUpdateTaskMachineUA that point at %ProgramFiles(x86)%\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe, so a task or Run value carrying the Edge-update name but pointing anywhere else is the discriminating signal.
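The behaviours in the Technical Capabilities section and the indicators above translate into a small hunting script. This is an added example, not Unit 42 code or a published rule: the event schema (type/key/value/data/image, task name/action/interval, cmdline) and the proxy log format are assumptions to be mapped onto your own EDR and proxy fields, and every event and log line is constructed. It decodes -EncodedCommand arguments, separates the look-alike "MicrosoftEdgeUpdate" task from the real Edge updater by its action path, and only calls a proxy hit a beacon candidate when both the TLD and the truncated User-Agent match.

```python
import base64
import re
from urllib.parse import urlparse

# UA reported for the malware: the Chrome prefix with no "(KHTML, like Gecko) Chrome/... Safari/..." suffix.
TRUNCATED_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SUSPECT_TLDS = ("xyz", "top")
# Where the genuine Edge updater lives; tasks named like it but pointing elsewhere are suspect.
LEGIT_EDGEUPDATE_DIR = "c:\\program files (x86)\\microsoft\\edgeupdate\\"
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these cover the common spellings.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

ENDPOINT_EVENTS = [  # constructed, normalized endpoint events (schema is an assumption)
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value": "DisableAntiSpyware", "data": "1", "image": r"C:\Users\Public\svchost.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "MicrosoftEdgeUpdate", "data": r"C:\Users\Public\upd.exe", "image": r"C:\Users\Public\svchost.exe"},
    {"type": "task_create", "name": "MicrosoftEdgeUpdateTask", "action": r"C:\Users\Public\upd.exe", "interval_min": 30},
    {"type": "task_create", "name": "MicrosoftEdgeUpdateTaskMachineCore",  # the real Edge updater task, must not fire
     "action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe", "interval_min": 60},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + base64.b64encode("whoami".encode("utf-16-le")).decode()},
    {"type": "mutex_create", "name": r"Global\BoostMutex"},
]
PROXY_LOG = [  # constructed lines: timestamp src method url status "user-agent"
    '2025-01-14T10:02:11Z 10.0.0.5 GET http://c2-sample.xyz/gate.php 200 "' + TRUNCATED_UA + '"',
    '2025-01-14T10:02:13Z 10.0.0.5 GET https://www.example.com/ 200 "' + TRUNCATED_UA
    + ' (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"',
    '2025-01-14T10:05:41Z 10.0.0.7 GET http://news-sample.top/ 200 "' + TRUNCATED_UA
    + ' (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"',
]


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (UTF-16LE base64), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_endpoint(events):
    hits = []
    for ev in events:
        if ev["type"] == "registry_set":
            key = ev["key"].lower().replace("hkey_local_machine", "hklm").replace("hkey_current_user", "hkcu")
            if key.endswith(r"policies\microsoft\windows defender") and \
                    ev["value"].lower() == "disableantispyware" and ev["data"] == "1":
                hits.append(("defender_policy_disable", ev["image"]))
            if key.endswith(r"currentversion\run") and ev["value"].lower() == "microsoftedgeupdate":
                hits.append(("run_key_edgeupdate_lookalike", ev["data"]))
        elif ev["type"] == "task_create":
            # Name borrowed from the Edge updater but the action is outside the updater's directory.
            if ev["name"].lower().startswith("microsoftedgeupdate") and \
                    not ev["action"].lower().startswith(LEGIT_EDGEUPDATE_DIR):
                hits.append(("task_edgeupdate_lookalike", f'{ev["name"]} -> {ev["action"]} every {ev["interval_min"]} min'))
        elif ev["type"] == "process_create":
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded is not None:
                hits.append(("encoded_powershell", decoded))
        elif ev["type"] == "mutex_create" and ev["name"].lower() == r"global\boostmutex":
            hits.append(("boostwrite_mutex", ev["name"]))
    return hits


def check_proxy(lines):
    hits = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        _ts, src, method, url, status, ua = m.groups()
        host = urlparse(url).hostname or ""
        tld = host.rsplit(".", 1)[-1]
        # Require both conditions: .xyz/.top alone is common, the exact truncated UA alone is rare but possible.
        if tld in SUSPECT_TLDS and ua == TRUNCATED_UA:
            hits.append(("c2_beacon_candidate", f"{src} -> {host} ({method} {status})"))
    return hits


def hunt():
    return check_endpoint(ENDPOINT_EVENTS) + check_proxy(PROXY_LOG)


if __name__ == "__main__":
    for rule, detail in hunt():
        print(f"[{rule}] {detail}")
```

The task check is the one worth copying: matching on the task name alone fires on every machine with Edge installed, while matching name plus an action path outside the updater's directory fires only on the look-alike.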
☠️ Risk & Impact
Boostwrite exfiltrates credentials, browser cookies, and email archives, which in turn enables lateral movement and further compromise. Financial losses are indirect but can be significant through intellectual-property theft, particularly in R&D-heavy sectors such as semiconductor manufacturing. Unit 42 incident data cited by the source breaks the affected industries down as telecommunications (38% of cases), technology (29%), and defense (18%).
🛡️ Mitigation
Defensive measures include blocking execution of LNK files received as email attachments (inspect by content, since a shortcut renamed to a document-like double extension is still a shortcut), deploying YARA rules for Python-based loaders (e.g., rule "Boostwrite_Loader" from Unit 42's GitHub repository), and enabling attack surface reduction rules such as "Block executable content from email client and webmail" and "Block execution of potentially obfuscated scripts". Microsoft Defender for Endpoint can surface the persistence via the behavioral alert "Suspicious scheduled task creation" (MITRE ATT&CK T1053.005, Scheduled Task). Patching WinRAR to 6.23 or later closes CVE-2023-38831 and with it the archive-based delivery chain.
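A content-based check for the LNK mitigation above, as an added example that is not from Unit 42 or the page's source. It recognises a shortcut by the ShellLink header (HeaderSize 0x4C and the LinkCLSID 00021401-0000-0000-C000-000000000046) rather than by extension, walks the StringData fields to recover the target and arguments, and looks inside ZIP attachments; the gateway hook name `triage_attachment` and the LOLBin/argument heuristics are assumptions, and the sample shortcuts and ZIP are constructed in memory with `build_lnk`/`build_zip`, not real samples.

```python
import io
import re
import struct
import zipfile

# ShellLink header: HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046 (little-endian GUID)
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields appear in this fixed order, each present only if its LinkFlags bit is set
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10), ("arguments", 0x20), ("icon_location", 0x40))
# Heuristics (assumption): a document link has no business launching these
LOLBINS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32", "regsvr32", "certutil", "bitsadmin")
SUSPICIOUS_ARGS = re.compile(r"-(?:e|ec|en|enc|encodedcommand|nop|noprofile|w\s+hidden|windowstyle\s+hidden)\b")


def parse_lnk(data):
    """Return the StringData fields of a ShellLink, or None if the bytes are not a shortcut."""
    if not data.startswith(LNK_MAGIC):
        return None
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76  # end of the fixed-size header
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (u16) followed by the list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (u32) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags}
    for name, bit in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
            width = 2 if flags & IS_UNICODE else 1
            raw = data[off + 2: off + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            off += 2 + count * width
    return fields


def assess_lnk(fields):
    reasons = []
    target = (fields.get("relative_path", "") + " " + fields.get("working_dir", "")).lower()
    args = fields.get("arguments", "").lower()
    if any(b in target or b in args for b in LOLBINS):
        reasons.append("launches script host or LOLBin")
    if SUSPICIOUS_ARGS.search(args):
        reasons.append("hidden/encoded PowerShell-style arguments")
    return reasons


def triage_attachment(filename, data):
    """Inspect one attachment by content: a bare shortcut under any extension, or shortcuts inside a ZIP."""
    findings = []

    def inspect(member, blob):
        fields = parse_lnk(blob)
        if fields is not None:
            strings = {k: v for k, v in fields.items() if k != "flags"}
            findings.append({"member": member, "fields": strings, "reasons": assess_lnk(fields)})

    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > 1_000_000:  # cap what we are willing to inflate
                    continue
                try:
                    inspect(f"{filename}:{info.filename}", zf.read(info))
                except RuntimeError:  # password-protected member: cannot inspect, so report rather than pass silently
                    findings.append({"member": f"{filename}:{info.filename}", "fields": {}, "reasons": ["encrypted ZIP member"]})
    else:
        inspect(filename, data)
    return findings


def build_lnk(relative_path, arguments):
    """Construct a minimal Unicode shortcut (header + StringData only) for offline testing."""
    flags = 0x08 | 0x20 | IS_UNICODE  # HasRelativePath | HasArguments | IsUnicode

    def enc(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = LNK_MAGIC + struct.pack("<I", flags) + b"\x00" * 52  # pads the header to 76 bytes
    return header + enc(relative_path) + enc(arguments)


def build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


LOADER_LNK = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "-nop -w hidden -enc QQBBAEEA")
DOC_LNK = build_lnk(r"..\Documents\Q4-report.docx", "")
SAMPLES = {  # constructed attachments as a gateway would see them
    "Invoice_2025-01.pdf.lnk": LOADER_LNK,
    "agenda.zip": build_zip({"agenda.docx.lnk": LOADER_LNK, "readme.txt": b"plain text"}),
    "Q4-report.lnk": DOC_LNK,
    "notes.txt": b"plain text",
}


def triage_all(samples):
    return {name: triage_attachment(name, blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, hits in triage_all(SAMPLES).items():
        print(name, hits)
```

Two caveats for deployment: a password-protected ZIP cannot be inspected this way, so the policy for "encrypted ZIP member" should be quarantine rather than pass; and `build_lnk` deliberately omits the LinkTargetIDList and LinkInfo blocks that real shortcuts carry, which `parse_lnk` does skip correctly when present.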
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.