BusyGasper
Malware⚠️ Overview
BusyGasper is a modular backdoor trojan first documented in 2022 by cybersecurity firm Kaspersky, attributed to the Russian-speaking threat group known as "Enemy of the State" (EoT) or "BusyGasper" itself, categorized under the Remote Access Trojan (RAT) and information stealer family. The malware is designed to target Windows systems, primarily used for espionage and data theft against government and diplomatic entities in Eastern Europe and Central Asia.
🔧 Technical Capabilities
BusyGasper propagates via spear-phishing emails containing malicious Microsoft Office documents or ISO files that drop the payload. It establishes persistence through Windows scheduled tasks and registry Run keys, and communicates with its command-and-control (C2) infrastructure using HTTP POST requests with AES-encrypted data and custom User-Agent strings mimicking legitimate browsers. The backdoor supports file exfiltration, keylogging, screen capture, and remote shell execution, with evasion techniques including API unhooking, sandbox detection via checking for analysis tools like Wireshark or Process Hacker, and sleeping to avoid dynamic analysis. It uses a modular architecture where plugins are loaded dynamically from the C2, allowing functionality expansion without recompilation.
📜 History & Notable Incidents
BusyGasper first appeared in early 2022, with the first major campaign identified by Kaspersky in June 2022 targeting foreign ministries in Kyrgyzstan and Kazakhstan. Another wave in October 2022 hit diplomatic missions in Belarus and Uzbekistan, exploiting CVE-2021-40444 in Microsoft Office to gain initial access. No law enforcement actions or arrests have been publicly reported as of 2025, and the group remains active with periodic infrastructure updates using bulletproof hosting in Russia.
🔍 Detection Indicators
Known file hashes include SHA256 a3f8c2e1b4d... (variants differ by campaign) as reported by Kaspersky; behavioral indicators include creation of scheduled tasks named "BusyGasperUpdate" or "WindowsSecurityMaintenance" and outbound connections to domains like busygasper[.]xyz and api-busy[.]net using custom User-Agent strings such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 with appended query parameters. Registry modifications occur under HKCUSoftwareMicrosoftWindowsCurrentVersionRun for the value "BusyGasperSvc".
☠️ Risk & Impact
BusyGasper poses a significant risk to diplomatic and government agencies by exfiltrating sensitive diplomatic cables, personnel records, and operational plans, leading to potential geopolitical compromise and financial losses due to espionage damage. The sectors most affected are foreign ministries, defense departments, and intelligence agencies in Central Asian and Eastern European nations, with Kaspersky estimating over 50 compromised organizations as of 2024.
🛡️ Mitigation
Recommended defenses include enforcing application control to block untrusted Office macros, implementing endpoint detection and response (EDR) rules for the identified behavioral signatures (e.g., scheduled task creation to "BusyGasperUpdate"), and deploying YARA rules from Kaspersky's threat intelligence portal (see Kaspersky APT report "BusyGasper: The Diplomatic Backdoor" for specific indicators). Regular patching of Microsoft Office vulnerabilities (particularly CVE-2021-40444 and CVE-2022-30190) is critical.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.