Breakthrough

Malware

⚠️ Overview

Breakthrough is a Remote Access Trojan (RAT) first documented in December 2020 by Palo Alto Networks Unit 42 and attributed to the China-nexus threat group tracked as Mustang Panda (also known as Bronze President and TA416). The family is built for espionage against government, military, and diplomatic entities in Southeast Asia and Europe, and is delivered mainly through spear-phishing campaigns that hide the payload behind decoy documents.

🔧 Technical Capabilities

Breakthrough uses a multi-stage infection chain. Initial access comes from spear-phishing emails carrying weaponized Microsoft Office documents, typically exploiting the Equation Editor memory-corruption vulnerabilities CVE-2017-11882 or CVE-2018-0802. The payload is a 64-bit DLL that establishes persistence through scheduled tasks or registry Run keys. Command-and-control (C2) traffic uses a custom binary protocol over TCP port 443 or 80 and relies on domain fronting: the TLS SNI names a legitimate cloud service (e.g., Microsoft, Baidu) while the HTTP Host header inside the encrypted session names the real C2 endpoint, so anyone who cannot see inside the TLS session observes only traffic to the cloud provider. The RAT supports file upload and download, keylogging, screen capture, a reverse shell, and process injection into legitimate processes such as svchost.exe or explorer.exe. Evasion includes sandbox detection (checks for analysis tools and virtual-machine artifacts) and encrypted configuration strings stored in the binary.

📜 History & Notable Incidents

First observed in late 2020, Breakthrough was used in a campaign targeting the Ministry of Foreign Affairs of an ASEAN member state in early 2021, as reported by Unit 42. In May 2022, the malware was linked to attacks against European diplomatic missions using COVID-19 themed lures. No CVEs are directly associated with Breakthrough itself, but it leverages known Office vulnerabilities (CVE-2017-11882, CVE-2018-0802). No law enforcement actions or sinkhole operations specific to Breakthrough have been publicly documented.

🔍 Detection Indicators

Known file hashes: SHA256 e9c4d8b1f2a3... (truncated example; refer to the Unit 42 report for the full list).
Dropped files: video_setup.exe, help.dll.
Network: C2 domains mimicking microsoft-update[.]com and baidu-cloud[.]net.
Registry persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value name WindowsUpdateCheck.
Mutex: Global\BreakThrough_001.
User-Agent string: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36.
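The following script turns the indicators above, and the domain-fronting behaviour described under Technical Capabilities, into concrete checks. It is an added example for this page, not code from Unit 42 or Boteraser. The indicator values are the ones listed above; the key=value proxy log format, the endpoint event shape, the sample lines and the hostnames under example.net/example.com are constructed for the example and are not real telemetry. The registrable-domain helper is a deliberate simplification (last two DNS labels) that a production rule would replace with a Public Suffix List lookup.

```python
"""Host- and network-side checks for the indicators this page lists.

Added example for this page; not code from Unit 42 or Boteraser.
Indicator values come from the Detection Indicators section. The log
format, field names and sample events are constructed, not real data.
"""
from __future__ import annotations

import re

# Indicators as listed on this page.
C2_DOMAINS = {"microsoft-update.com", "baidu-cloud.net"}
DROPPED_FILES = {"video_setup.exe", "help.dll"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "WindowsUpdateCheck"
MUTEX = r"Global\BreakThrough_001"
USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36")

# Constructed proxy log lines (assumed key=value format). 'host' is the
# decrypted HTTP Host header, which exists only if the proxy does TLS
# inspection; 'sni' is visible in the ClientHello regardless.
SAMPLE_PROXY_LOG = [
    'ts=2021-02-03T10:15:01Z src=10.0.0.5 dst=203.0.113.10:443 '
    'sni=static.example.net host=baidu-cloud.net ua="' + USER_AGENT + '"',
    'ts=2021-02-03T10:15:07Z src=10.0.0.5 dst=203.0.113.11:443 '
    'sni=www.example.com host=www.example.com ua="curl/7.68.0"',
]

# Constructed endpoint events, shaped like registry/mutex/file telemetry.
SAMPLE_ENDPOINT_EVENTS = [
    {"type": "registry_set", "key": RUN_KEY, "value": RUN_VALUE,
     "data": r"C:\Users\Public\video_setup.exe"},
    {"type": "mutex_create", "name": MUTEX},
    {"type": "file_write", "path": r"C:\Users\Public\help.dll"},
    {"type": "file_write", "path": r"C:\Windows\Temp\report.pdf"},
]

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_proxy_line(line: str) -> dict[str, str]:
    """Parse one key=value line; quoted values may contain spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in _KV.finditer(line)}


def registrable(host: str) -> str:
    """Crude registrable domain: last two labels. Simplification; real
    tooling should use the Public Suffix List (co.uk and friends)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_domain_fronted(sni: str | None, host_header: str | None) -> bool:
    """Domain fronting leaves a seam: the TLS SNI names a legitimate CDN
    domain while the Host header inside the tunnel names another domain.
    Flag only when both fields are present and their domains differ."""
    if not sni or not host_header:
        return False
    return registrable(sni) != registrable(host_header)


def check_proxy_line(line: str) -> list[str]:
    """Return the indicator names matched by one proxy log line."""
    rec = parse_proxy_line(line)
    hits = []
    if is_domain_fronted(rec.get("sni"), rec.get("host")):
        hits.append("domain_fronting")
    for name in (rec.get("sni"), rec.get("host")):
        if name and registrable(name) in C2_DOMAINS:
            hits.append("c2_domain")
            break
    if rec.get("ua") == USER_AGENT:
        hits.append("user_agent")
    return hits


def check_endpoint_event(ev: dict) -> list[str]:
    """Return the indicator names matched by one endpoint event."""
    hits = []
    if (ev.get("type") == "registry_set"
            and ev.get("key", "").lower() == RUN_KEY.lower()
            and ev.get("value", "").lower() == RUN_VALUE.lower()):
        hits.append("run_key_persistence")
    if ev.get("type") == "mutex_create" and ev.get("name") == MUTEX:
        hits.append("mutex")
    if ev.get("type") in ("file_write", "registry_set"):
        blob = ev.get("path") or ev.get("data") or ""
        if blob.replace("/", "\\").rsplit("\\", 1)[-1].lower() in DROPPED_FILES:
            hits.append("dropped_file")
    return hits


def scan(proxy_lines, endpoint_events) -> list[tuple[str, list[str]]]:
    """Run both checks and keep only the inputs that matched something."""
    alerts = []
    for line in proxy_lines:
        hits = check_proxy_line(line)
        if hits:
            alerts.append(("proxy", hits))
    for ev in endpoint_events:
        hits = check_endpoint_event(ev)
        if hits:
            alerts.append(("endpoint", hits))
    return alerts


if __name__ == "__main__":
    for source, hits in scan(SAMPLE_PROXY_LOG, SAMPLE_ENDPOINT_EVENTS):
        print(source, hits)
```

The fronting check is the one that needs care in practice: without TLS inspection the proxy never sees the Host header, so `is_domain_fronted` returns False for every connection and the lookalike-domain and User-Agent matches are all that remain. A User-Agent string alone is a weak indicator (it is a real Chrome 45 UA that other software can emit), so treat a hit on it as context for the stronger host-side matches rather than an alert in its own right.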

☠️ Risk & Impact

Breakthrough enables full remote control of compromised systems, leading to exfiltration of sensitive government documents, diplomatic cables, and personnel data. The primary impact is espionage and intellectual property theft, with targeted sectors including foreign ministries, defense organizations, and think tanks. Financial losses are indirect but can include cleanup costs, reputational damage, and geopolitical consequences.

🛡️ Mitigation

Apply the patches for the Office vulnerabilities the delivery documents exploit (CVE-2017-11882, CVE-2018-0802) and enable the Attack Surface Reduction (ASR) rule that blocks Office applications from creating child processes, so a malicious document cannot directly launch a dropper. Deploy endpoint detection rules for the DLL injection and registry Run-key persistence described above; block the known C2 domains at the DNS and proxy layers; and use TLS inspection so the proxy can compare the TLS SNI with the decrypted HTTP Host header, since domain fronting is invisible without decryption. Use the YARA rules from Unit 42's public repository for binary signature matching, and confirm every indicator against the original report before deploying it, because the hash listed above is a truncated placeholder.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.