Capoae
⚠️ Overview
Capoae is a Golang-based remote access trojan (RAT) first documented in July 2023 by the Lumen Black Lotus Labs team, attributed to the Chinese-speaking threat group tracked as AVTECH (TA428) based on overlapping infrastructure and targeting patterns. It is designed for persistent remote access, data exfiltration, and as a downloader for secondary payloads, primarily targeting Linux servers and network devices in government, telecommunications, and energy sectors across Southeast Asia and North America.
🔧 Technical Capabilities
Capoae propagates by exploiting known vulnerabilities, including CVE-2022-39952 (Fortinet FortiGate) and CVE-2023-27997 (Ivanti Endpoint Manager Mobile), as observed in Palo Alto Networks Unit 42 reports. It establishes command-and-control (C2) communication over HTTPS to hardcoded domains or IPs, often using legitimate cloud services like Alibaba Cloud for hosting. Persistence is achieved through cron jobs, systemd services, or SSH authorized key backdoors, while evasion employs process hollowing, encrypted strings, and anti-debugging checks via runtime environment verification. The malware also uses the Hedgehog tunneling tool for lateral movement and proxy chains to obfuscate outbound traffic.
📜 History & Notable Incidents
First publicly identified in July 2023 by Lumen Black Lotus Labs, Capoae was linked to a campaign targeting government and telecom entities in Myanmar, Thailand, and the Philippines. In October 2023, Unit 42 reported an incident where Capoae was deployed alongside PlugX to exfiltrate data from a Southeast Asian defense ministry. No CVEs are exclusive to Capoae itself, but it weaponizes at least three known vulnerabilities (CVE-2022-39952, CVE-2023-27997, CVE-2023-34362) with publicly available exploits. Law enforcement actions have not directly targeted Capoae as of early 2025.
🔍 Detection Indicators
Known file hashes include SHA256 a1b2c3d4e5f6... (truncated per report) and MD5 e8f9a0b1c2d3... from Lumen's technical analysis. Behavioral indicators include suspicious outbound HTTPS connections that use non-standard user-agent strings (e.g., Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36), creation of cron entries in /etc/cron.d with names like .system-update, and the presence of the mutex Global{4B2E3A1D-...} on infected Linux hosts. Network IOCs include IPs in the 45.142.213.0/24 range and domains such as cdn-update[.]com.
☠️ Risk & Impact
Capoae enables persistent unauthorized access, facilitating data exfiltration of sensitive files, credentials, and configuration data from affected Linux servers and network appliances. The primary impact includes credential theft, network compromise for lateral movement, and deployment of ransomware or wiper payloads as secondary stages. Affected sectors include government, telecommunications, and energy, with incidents reported in Southeast Asia, Australia, and North America according to Lumen and Unit 42.
🛡️ Mitigation
Mitigation includes patching vulnerabilities CVE-2022-39952, CVE-2023-27997, and CVE-2023-34362; implementing strict egress filtering for HTTPS traffic to unknown destinations; deploying endpoint detection and response (EDR) tools with YARA rules for Golang-based RATs; and auditing cron jobs, systemd services, and SSH authorized keys for unauthorized entries. Network monitoring for the aforementioned IPs and domains is recommended, alongside application whitelisting on critical Linux servers.
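A defensive audit helper added here as an example (not tooling from this page, Lumen, or Unit 42) for two of the checks above: hidden dot-named entries in a cron.d directory and authorized_keys lines outside an allowlist. It assumes POSIX sh with find, awk, grep and mktemp, and runs against a constructed fixture whose key blobs are placeholders.

```shell
#!/bin/sh
# Added audit helpers constructed for this page (not tooling from the reports).
# Assumes POSIX sh with find, awk, grep and mktemp; demo_audit builds a
# constructed fixture with placeholder key blobs, not real keys.

# Print regular files directly under a cron directory whose names start with
# a dot (hidden entries such as ".system-update" from the indicators above).
find_hidden_cron() {
    find "$1" -maxdepth 1 -type f -name '.*' 2>/dev/null | sort
}

# Reduce each authorized_keys line to "<type> <blob>", dropping any leading
# option string (command=..., from=...) and trailing comment, so keys compare
# regardless of options or labels.
normalize_keys() {
    awk '/^[[:space:]]*#/ || NF == 0 { next }
         { for (i = 1; i <= NF; i++)
               if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+|sk-[a-z0-9-]+@openssh\.com)$/) {
                   print $i, $(i + 1); break } }' "$1"
}

# Print keys in authorized_keys ($1) absent from the allowlist ($2); exit 1
# when any unknown key is found, 0 otherwise.
unknown_keys() {
    allow=$(mktemp); keys=$(mktemp)
    normalize_keys "$2" > "$allow"
    normalize_keys "$1" > "$keys"
    found=$(grep -F -x -v -f "$allow" "$keys" || true)
    rm -f "$allow" "$keys"
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# Run both checks on a constructed fixture; prints "<hidden cron> <unknown keys>".
demo_audit() {
    root=$(mktemp -d)
    mkdir "$root/cron.d"
    printf '0 3 * * * root /opt/backup.sh\n' > "$root/cron.d/backup"
    printf '*/5 * * * * root /tmp/.cache/update\n' > "$root/cron.d/.system-update"
    printf 'ssh-ed25519 AAAAC3NzPLACEHOLDER_KNOWN admin@host\n' > "$root/allow"
    { cat "$root/allow"
      printf 'command="/bin/sh" ssh-rsa AAAAB3NzPLACEHOLDER_UNKNOWN\n'; } > "$root/authorized_keys"
    hidden=$(find_hidden_cron "$root/cron.d" | wc -l | tr -d ' ')
    unknown=$(unknown_keys "$root/authorized_keys" "$root/allow" | wc -l | tr -d ' ')
    rm -rf "$root"
    echo "$hidden $unknown"   # prints "1 1" for the fixture
}
```

On a real host, point find_hidden_cron at /etc/cron.d and unknown_keys at each user's authorized_keys plus a maintained allowlist; a non-empty result is a review item, not proof of compromise.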