ChaChi

Malware

⚠️ Overview

ChaChi is a Golang-based remote access trojan (RAT) first publicly documented by Palo Alto Networks Unit 42 in June 2021, attributed to the Chinese state-sponsored threat group TA428 (also tracked as APT31, Red Phoenix, and Bronze Starlight). It is categorized as a backdoor and RAT, designed for stealthy long-term intelligence gathering.

🔧 Technical Capabilities

ChaChi uses DNS tunneling as its primary command-and-control (C2) mechanism, encoding exfiltrated data in DNS TXT queries to avoid typical network detection. It achieves persistence via scheduled tasks or Windows service creation on the victim host. The malware employs process hollowing and code injection to evade endpoint defenses, and can execute arbitrary shell commands, upload/download files, and proxy network traffic through the DNS tunnel. Propagation relies on spear-phishing emails containing weaponized Microsoft Office documents (e.g., CVE-2017-11882 exploit) to drop the initial loader. ChaChi's C2 infrastructure uses domain generation algorithms (DGAs) and hardcoded fallback IPs; its DNS queries use a custom User-Agent string mimicking legitimate software.

📜 History & Notable Incidents

First observed in late 2020 in campaigns targeting Mongolian government ministries, ChaChi later appeared in attacks on Japanese and South Korean organizations. In 2022, Unit 42 reported ChaChi being deployed alongside the Cobalt Strike beacon in campaigns against energy and telecommunications sectors in Central Asia. No CVEs are attributed to ChaChi itself, but it relies on older Office exploits such as CVE-2017-11882 (Microsoft Office Equation Editor remote code execution) for initial access.

🔍 Detection Indicators

Known file hashes include SHA256: 0a3e5c... (example from Unit 42; full hashes are available in their report). Network indicators comprise DNS TXT queries to domains with high-entropy subdomain names (e.g., [random].maliciousdomain[.]com). Behavioral signatures include the creation of scheduled tasks named "WindowsUpdateTask" or "GoogleUpdateTask" and a mutex named "GlobalChachi_Mutex". The User-Agent string observed in HTTP traffic is "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36".

☠️ Risk & Impact

ChaChi enables persistent remote access, allowing threat actors to exfiltrate sensitive documents, credentials, and email archives. It has been linked to theft of diplomatic and military intelligence from government agencies. Affected sectors include national governments, energy, and telecommunications, primarily in Asia and Central Asia.

🛡️ Mitigation

Organizations should block outbound DNS TXT queries from hosts that are not authorized DNS servers, deploy endpoint detection and response (EDR) rules for process hollowing, and apply patches for CVE-2017-11882. MITRE ATT&CK techniques used include T1572 (Protocol Tunneling) and T1055.012 (Process Hollowing).
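The two network controls above (TXT queries only from designated resolvers, and high-entropy subdomains as an indicator of DNS tunneling) can be expressed as a small log-analysis rule. This is an added example, not code from the original page or from any vendor report; the log format, the resolver address 10.0.0.53, the thresholds and the domain names are constructed for illustration.

```python
import math

# Constructed sample resolver log (not real telemetry): "timestamp src_ip qtype qname".
# 10.0.0.53 stands in for the organisation's own DNS resolver; the other hosts are workstations.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 A www.example.com
2024-01-01T10:00:02Z 10.0.0.5 TXT _dmarc.example.com
2024-01-01T10:00:03Z 10.0.0.7 TXT 7f3a9c1e4b2d8f6a0e5c3b9d1a7f2e4c.c2.example
2024-01-01T10:00:04Z 10.0.0.7 TXT k9x2mq7zt4wpv1ne.c2.example
2024-01-01T10:00:05Z 10.0.0.53 TXT selector1._domainkey.example.com
"""

INTERNAL_RESOLVERS = {"10.0.0.53"}  # assumed: the only hosts allowed to send TXT queries outbound
ENTROPY_THRESHOLD = 3.5             # bits/char; tuned for this sample, re-baseline on real traffic
MIN_LABEL_LEN = 16                  # entropy is unreliable on short labels, so they are skipped


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(ch) / n * math.log2(s.count(ch) / n) for ch in set(s))


def subdomain_labels(qname: str):
    """Labels left of the registered domain, assuming a two-label registered domain."""
    return qname.rstrip(".").split(".")[:-2]


def analyze(log_text: str, resolvers=INTERNAL_RESOLVERS,
            threshold=ENTROPY_THRESHOLD, min_label=MIN_LABEL_LEN):
    """One alert dict per TXT query that trips either rule; other query types are ignored."""
    alerts = []
    for line in log_text.strip().splitlines():
        _ts, src, qtype, qname = line.split()
        if qtype != "TXT":
            continue
        reasons = []
        if src not in resolvers:  # the "TXT only from DNS servers" control, applied as detection
            reasons.append("TXT query from non-resolver host")
        label = max(subdomain_labels(qname), key=len, default="")
        h = shannon_entropy(label)
        if len(label) >= min_label and h > threshold:
            reasons.append(f"high-entropy label {label!r} ({h:.2f} bits/char)")
        if reasons:
            alerts.append({"src_ip": src, "qname": qname, "reasons": reasons})
    return alerts
```

On the sample, the two queries from 10.0.0.7 trip both rules, the `_dmarc` lookup from a workstation trips only the source rule, and the DKIM lookup from the resolver produces no alert.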


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.