CHOPSTICK

Malware

⚠️ Overview

CHOPSTICK is a remote access trojan (RAT) first documented publicly in 2013 by the cybersecurity firm Trend Micro, attributed to the Chinese advanced persistent threat (APT) group known as APT10 (also tracked as Stone Panda, MenuPass, or Red Apollo). It is categorized as a modular backdoor used primarily for cyber espionage, enabling operators to maintain persistent access to compromised networks in government, defense, aerospace, and technology sectors.

🔧 Technical Capabilities

CHOPSTICK employs a modular architecture with plugins for keylogging, screen capture, file exfiltration, and process manipulation. It propagates via spear-phishing emails containing malicious Office documents with exploits like CVE-2012-0158 and CVE-2017-0199, which download the payload. The malware uses domain generation algorithms (DGAs) and HTTP/S communication to contact command-and-control (C2) servers, often hosted on compromised legitimate websites. Persistence is achieved through registry run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and Windows scheduled tasks. Evasion techniques include code obfuscation, encryption of configuration strings with RC4, and checking for sandbox environments by detecting analysis tools like Wireshark or VMware.

📜 History & Notable Incidents

First observed in campaigns as early as 2009, CHOPSTICK gained prominence in the 2015-2016 Operation Cloud Hopper campaign attributed to APT10, targeting managed service providers (MSPs) to gain access to their clients' networks, including high-profile victims in Japan, the UK, and the US. In 2018, the UK National Cyber Security Centre (NCSC) and the US Department of Justice publicly linked CHOPSTICK to Chinese state-sponsored actors. Notable CVEs exploited by CHOPSTICK include CVE-2013-3906 (Microsoft Graphics Component) and CVE-2013-0074 (Microsoft Silverlight), both used in early spear-phishing attacks.

🔍 Detection Indicators

Known file hashes include SHA256: 0a4d5e6f... (specific variants vary by campaign). Behavioral signatures include outbound HTTPS traffic, on 443 but also on unusual ports such as 8080 or 8443, carrying custom User-Agent strings such as Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1) from non-browser processes. Registry persistence under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as a value named JavaUpdate or AdobeFlashUpdate has been observed. Network indicators include C2 domains following patterns like *.servehttp.com or *.redirectme.net.
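The following is an added example, not code from the page or from Boteraser, showing how the behavioural and persistence indicators above (browser-like User-Agent from a non-browser process, dynamic-DNS C2 domain suffixes, HTTPS on unusual ports, and the JavaUpdate / AdobeFlashUpdate Run-key value names from the Technical Capabilities section) can be turned into simple triage logic. The `proc=... host=... port=... ua="..."` log format and the sample lines are constructed for the example; a real deployment would adapt the parser to its proxy or EDR export.

```python
import re

# Constructed sample proxy/EDR log lines (not real telemetry) in an assumed
# key=value format: process name, destination host, port, User-Agent.
SAMPLE_LOGS = [
    'proc=chrome.exe host=www.example.org port=443 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    'proc=svchost.exe host=update.servehttp.com port=8443 ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"',
    'proc=winword.exe host=cdn.redirectme.net port=443 ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"',
    'proc=firefox.exe host=mail.example.net port=443 ua="Mozilla/5.0 (X11; Linux x86_64)"',
]

# Processes for which the browser-like User-Agent is expected and therefore not suspicious.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Indicators taken from the Detection Indicators section above.
SUSPECT_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
C2_DOMAIN_SUFFIXES = (".servehttp.com", ".redirectme.net")
UNUSUAL_TLS_PORTS = {8080, 8443}
RUN_VALUE_NAMES = {"javaupdate", "adobeflashupdate"}

LOG_RE = re.compile(r'proc=(?P<proc>\S+) host=(?P<host>\S+) port=(?P<port>\d+) ua="(?P<ua>[^"]*)"')


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    return event


def score_event(event):
    """Return the list of indicator names that an event matches (empty list = benign)."""
    reasons = []
    if event["ua"] == SUSPECT_UA and event["proc"].lower() not in BROWSERS:
        reasons.append("browser-like UA from non-browser process")
    if event["host"].lower().endswith(C2_DOMAIN_SUFFIXES):
        reasons.append("dynamic-DNS C2 domain pattern")
    if event["port"] in UNUSUAL_TLS_PORTS:
        reasons.append("HTTPS to unusual port")
    return reasons


def triage_logs(lines):
    """Return (process, host, reasons) for every parseable line that matches at least one indicator."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        reasons = score_event(event)
        if reasons:
            hits.append((event["proc"], event["host"], reasons))
    return hits


def suspicious_run_values(run_values):
    """Given a mapping of Run-key value name -> command line (e.g. exported from the
    HKLM/HKCU ...\\CurrentVersion\\Run keys), return the value names matching the
    persistence names reported for CHOPSTICK."""
    return sorted(name for name in run_values if name.lower() in RUN_VALUE_NAMES)


if __name__ == "__main__":
    for proc, host, reasons in triage_logs(SAMPLE_LOGS):
        print(f"{proc} -> {host}: {', '.join(reasons)}")
    # Constructed Run-key export; the command-line path is a placeholder, not a real IoC.
    constructed_run_key = {"OneDrive": "C:\\<placeholder>\\OneDrive.exe",
                           "JavaUpdate": "C:\\<placeholder>\\jusched.exe"}
    print("suspicious Run values:", suspicious_run_values(constructed_run_key))
```

The exact-match on the User-Agent and the fixed suffix list are deliberately simple so the logic is easy to read; in practice the User-Agent check should be combined with process reputation (many legitimate updaters also send MSIE-style strings), and a match on a dynamic-DNS suffix alone is a lead for investigation rather than a conviction.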

☠️ Risk & Impact

CHOPSTICK enables prolonged data exfiltration of intellectual property, classified government documents, and trade secrets, with financial losses estimated in the hundreds of millions of dollars across affected sectors (defense, aerospace, and telecommunications). The 2018 indictment of two Chinese hackers by the US DoJ specifically cited CHOPSTICK in the theft of data from Westinghouse Electric Company and Alstom, leading to significant competitive damage and national security breaches.

🛡️ Mitigation

Defensive measures include applying patches for all Office and Silverlight vulnerabilities (especially CVE-2012-0158, CVE-2013-0074, CVE-2017-0199), deploying endpoint detection and response (EDR) tools with YARA rules for CHOPSTICK modules, and implementing network segmentation to limit lateral movement. The MITRE ATT&CK ID for CHOPSTICK is S0009, with associated techniques including T1005 (Data from Local System), T1071.001 (Web Protocols), and T1059.003 (Windows Command Shell).


Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.