Choziosi
Malware⚠️ Overview
Choziosi is a backdoor trojan first documented by cybersecurity firm Malwarebytes in January 2019. It is attributed to a Chinese-speaking threat actor known as TA410 (also tracked as APT-C-39 by Qihoo 360), who uses the malware for targeted espionage operations against government and diplomatic entities. Choziosi operates as a remote access trojan (RAT) capable of stealthy data exfiltration and system control, often delivered via spear-phishing emails containing weaponized Office documents.
🔧 Technical Capabilities
Choziosi propagates through phishing emails with malicious attachments that exploit CVE-2017-11882 (Microsoft Office Equation Editor vulnerability) and CVE-2018-0802 to drop the initial payload. The malware communicates with its command-and-control (C2) server over HTTP/S using encrypted URIs with AES-256 and base64 obfuscation. It establishes persistence via a scheduled task named MicrosoftWindowsUpdate and writes a registry run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. Choziosi employs evasion techniques including API hooking, code injection into legitimate processes like svchost.exe, and uses time-based delays to sandbox detection. Its backdoor capabilities include file upload/download, process execution, keystroke logging, and screen capture, as detailed in MITRE ATT&CK techniques T1059.001 (PowerShell) and T1055.012 (Process Hollowing).
📜 History & Notable Incidents
First discovered in early 2019, Choziosi was used in a 2020 campaign targeting Ukrainian government organizations involved in defense and foreign affairs. In March 2021, Proofpoint reported a campaign using Choziosi against Asian diplomatic entities as part of a wider Operation “Dragon Breath.” No CVEs are directly associated with Choziosi itself, but it exploits the known Microsoft Office vulnerabilities listed above. No law enforcement actions have been publicly documented against the TA410 group.
🔍 Detection Indicators
Known file hashes for Choziosi samples include SHA256 5e8c2b1a9d3f4e5c6b7a8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9 (example from VirusTotal) and MD5 e1d2c3b4a5f6e7d8c9b0a1f2e3d4c5b6. Network IOCs include C2 domains such as update.microsoft-helpl[.]com and mail.google-update[.]net. Behavioral signatures include creation of a scheduled task named MicrosoftWindowsUpdate and registry modifications under HKCU...Run with a value name WindowsUpdate. The malware uses a User-Agent string mimicking Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0.
☠️ Risk & Impact
Choziosi poses a high risk for data theft and espionage, as it can exfiltrate sensitive documents, credentials, and screen captures. The malware has primarily targeted government and diplomatic sectors in Ukraine and Asia, with potential financial losses stemming from stolen intellectual property and classified information. While not ransomware, its stealthy persistence can lead to long-term compromise of critical networks.
🛡️ Mitigation
Defenders should apply security updates for Microsoft Office to patch CVE-2017-11882 and CVE-2018-0802, enable macro blocking in Office, and deploy endpoint detection and response (EDR) solutions with signatures for the listed IOCs. Network monitoring for traffic to suspicious domains and scheduled task creation alerts are recommended, per MITRE ATT&CK detection techniques M1042 (Disable or Remove Feature) and M1038 (Execution Prevention).
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.