Cifty (Malware)
⚠️ Overview
Cifty is a remote access trojan (RAT) first documented by Malwarebytes in August 2023. It is believed to be operated by Chinese-speaking threat actors, an attribution that rests on embedded PDB strings and on C2 domain registrations overlapping with infrastructure tied to known APT groups; both are circumstantial indicators that can be reused or planted, so the attribution should be read as likely rather than proven. The malware is built for stealthy data exfiltration and persistent backdoor access, and is grouped under the broader trojan-stealer category.
🔧 Technical Capabilities
Cifty arrives through spear-phishing emails carrying malicious Microsoft Office documents that exploit Follina (CVE-2022-30190), the MSDT remote code execution flaw, to drop the payload. C2 communication runs over HTTP with AES-encrypted payloads, and a custom domain generation algorithm (DGA) rotates the endpoints, so static domain blocklists age quickly. Persistence is established twice over: a scheduled task named “AdobeUpdateTask” and a value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key. Evasion techniques include unhooking NTDLL (restoring a clean copy of ntdll.dll in memory so that user-mode EDR hooks are bypassed), sandbox detection by checking for the processes of common analysis tools, and string obfuscation using XOR with a single-byte key, which is trivially reversible once the key is recovered.
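As an added illustration of the last point, not code from the page or from any vendor analysis of Cifty: the Python below recovers strings obfuscated with a single-byte XOR key, first by a known-plaintext crib and, when no crib is available, by ranking all 256 keys. The string table, the key 0x5A and the crib are constructed assumptions for this example; the page does not disclose the sample's real key or string layout.

```python
"""Recovering strings obfuscated with a single-byte XOR key, the scheme the
page attributes to Cifty. Added example, not code from the page or from any
vendor analysis. The string table and the key 0x5A are constructed here."""
from typing import List, Optional, Tuple


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def find_key_with_crib(blob: bytes, crib: bytes) -> Optional[int]:
    """Known-plaintext recovery. With a one-byte key, a single ciphertext byte
    whose plaintext is known gives the key outright, so slide the crib over the
    blob, derive the key from the first byte at each offset and confirm that the
    rest of the crib decodes under it. Use a crib of several bytes: a one-byte
    crib matches trivially at offset 0."""
    if not crib:
        raise ValueError("crib must not be empty")
    for i in range(len(blob) - len(crib) + 1):
        key = blob[i] ^ crib[0]
        if all(blob[i + j] ^ key == crib[j] for j in range(1, len(crib))):
            return key
    return None


def rank_keys_by_printability(blob: bytes, top_n: int = 5) -> List[Tuple[int, float]]:
    """Fallback when no crib is known: try all 256 keys and rank them by the
    share of bytes that decode to printable ASCII (NUL, tab, CR and LF are
    allowed because string tables are NUL-separated). More than one key can
    score 1.0, so this yields a shortlist to read by eye, not an answer."""
    scored = []
    for key in range(256):
        plain = xor_single_byte(blob, key)
        ok = sum(1 for b in plain if 0x20 <= b < 0x7F or b in (0x00, 0x09, 0x0A, 0x0D))
        scored.append((key, ok / max(len(plain), 1)))
    scored.sort(key=lambda kv: (-kv[1], kv[0]))
    return scored[:top_n]


def decode_string_table(blob: bytes, key: int) -> List[str]:
    """Decode a NUL-separated string table with a recovered key."""
    plain = xor_single_byte(blob, key)
    return [s.decode("ascii", errors="replace") for s in plain.split(b"\x00") if s]


# Constructed sample: three strings taken from the indicators on this page,
# NUL-separated and XORed with the (assumed) key 0x5A.
CONSTRUCTED_STRINGS = [
    "AdobeUpdateTask",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Cifty/1.0",
]
CONSTRUCTED_KEY = 0x5A
CONSTRUCTED_BLOB = xor_single_byte(
    b"\x00".join(s.encode("ascii") for s in CONSTRUCTED_STRINGS), CONSTRUCTED_KEY)


def recover(blob: bytes = CONSTRUCTED_BLOB, crib: bytes = b"Mozilla/") -> Tuple[int, List[str]]:
    """Recover the key from a crib, then dump the whole table."""
    key = find_key_with_crib(blob, crib)
    if key is None:
        raise ValueError("crib does not appear under any single-byte key")
    return key, decode_string_table(blob, key)


if __name__ == "__main__":
    key, strings = recover()
    print(f"key = 0x{key:02x}")
    for s in strings:
        print("  ", s)
    print("printability shortlist:", rank_keys_by_printability(CONSTRUCTED_BLOB))
```

On the constructed blob the printability ranking is a tie: key 0x53 also decodes every byte to printable ASCII (letters shift to neighbouring letters, NULs become tabs), which is why the crib step, not the ranking, is the reliable one. Good cribs for a sample like this are strings the malware cannot avoid carrying: a User-Agent prefix, "http", a registry path or a Windows API name.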
📜 History & Notable Incidents
First observed in the wild in June 2023 in a campaign against the manufacturing sector in Southeast Asia, Cifty was linked to the theft of project blueprints and intellectual property from two Vietnamese electronics firms. Older campaigns exploited CVE-2021-40444 (the MSHTML remote code execution vulnerability), as noted in a Cisco Talos report from Q4 2023. As of 2025, no law enforcement action against its operators has been publicly reported.
🔍 Detection Indicators
The SHA-256 hash published for a Cifty sample (attributed to VirusTotal) is a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b. As printed it is 63 hexadecimal characters, one short of a valid SHA-256, so it cannot be used as-is and should be verified against the original source before it goes into a blocklist. Behavioral indicators include creation of the mutex “CiftyMutex2023”, network traffic to domains under the .top and .work TLDs (a low-fidelity indicator on its own, since both TLDs also host legitimate sites), and the exact User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) Cifty/1.0”. The registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Cifty is created on infection; note that creating a key under HKLM\SOFTWARE requires administrative rights.
☠️ Risk & Impact
Cifty exfiltrates browser credentials, cryptocurrency wallet files and system information, with observed data volumes averaging 2-5 MB per victim session. Financial losses from ransomware payloads delivered after the initial infection have been estimated at $4.7 million across 12 confirmed incidents, primarily affecting the manufacturing and healthcare sectors in Asia-Pacific. Because the backdoor persists across reboots, operators retain a foothold from which to move laterally and compromise the wider corporate network.
🛡️ Mitigation
Apply Microsoft's patches for CVE-2022-30190 (MSDT, Follina) and CVE-2021-40444 (MSHTML) to close the initial infection vectors; where patching lags, Microsoft's published Follina workaround of disabling the ms-msdt URL protocol handler also breaks the exploit chain. Write YARA rules that match the mutex name “CiftyMutex2023” and the User-Agent string above in files and process memory, pair them with a network signature for the exact User-Agent on the proxy or IDS, and monitor for the scheduled task and registry artifacts listed under Detection Indicators. Blocking outbound traffic to .top and .work domains at the perimeter cuts off the observed C2, but it is a blunt control with collateral impact on legitimate sites; alerting on first-seen domains under those TLDs is the better fit for most environments.
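An added example serving both the Detection Indicators and Mitigation sections, not code from the page or from any vendor: Python that validates the published hash before use, matches the User-Agent and TLD indicators against proxy log lines, and checks a host inventory for the scheduled task, Run key, marker key and mutex. The log lines, the host inventory, the tab-separated log layout and the rule that a Run value launching a binary outside Program Files or Windows is suspicious are all assumptions made here, not claims from the page.

```python
"""Matching the Cifty indicators listed on this page against proxy logs and a
host inventory. Added example, not code from the page or from any vendor report.
The log lines and inventory are constructed here; the tab-separated log format
(time, client, host, user-agent) and the "Run value outside Program Files or
Windows" heuristic are assumptions the page does not make."""
import re
from typing import Dict, List

# Indicators as published above. The hash is kept verbatim so the check below
# can reject it: it is 63 hex characters, one short of a SHA-256.
PAGE_SHA256 = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b"
CIFTY_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Cifty/1.0"
SUSPECT_TLDS = {"top", "work"}
MUTEX_NAME = "CiftyMutex2023"
TASK_NAME = "AdobeUpdateTask"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Cifty"
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows")  # assumption, see lead-in


def is_valid_sha256(value: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; reject anything else
    before it reaches a blocklist, where it would silently never match."""
    return SHA256_RE.match(value) is not None


def tld_of(host: str) -> str:
    return host.rstrip(".").rsplit(".", 1)[-1].lower()


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag requests whose User-Agent equals the published string exactly, or
    whose destination host sits under .top or .work. Each hit records its
    reasons so the broad TLD rule can be triaged apart from the exact UA match."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4:
            continue  # malformed line: skip rather than guess at fields
        ts, client, host, ua = parts
        reasons = []
        if ua == CIFTY_USER_AGENT:
            reasons.append("cifty-user-agent")
        if tld_of(host) in SUSPECT_TLDS:
            reasons.append("suspect-tld:" + tld_of(host))
        if reasons:
            hits.append({"time": ts, "client": client, "host": host,
                         "reasons": ",".join(reasons)})
    return hits


def scan_host_inventory(tasks: List[str], registry: Dict[str, Dict[str, str]],
                        mutexes: List[str]) -> List[str]:
    """Check scheduled task names, registry keys (key -> {value name: data})
    and open mutex names for the persistence and infection markers above."""
    findings = []
    if TASK_NAME in tasks:
        findings.append("scheduled task " + TASK_NAME)
    for name, command in registry.get(RUN_KEY, {}).items():
        exe = command.strip('"').lower()
        if not exe.startswith(TRUSTED_PREFIXES):
            findings.append(f"run value {name!r} launches {command}")
    if MARKER_KEY in registry:
        findings.append("registry key " + MARKER_KEY)
    if MUTEX_NAME in mutexes:
        findings.append("mutex " + MUTEX_NAME)
    return findings


# Constructed sample data (not real traffic or a real host).
SAMPLE_PROXY_LINES = [
    "2023-09-01T10:00:01Z\t10.0.0.5\twww.example.com\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/117.0",
    "2023-09-01T10:00:07Z\t10.0.0.5\tcdn.example.com\t" + CIFTY_USER_AGENT,
    "2023-09-01T10:00:09Z\t10.0.0.9\tupdate.example.top\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/117.0",
    "2023-09-01T10:00:12Z\t10.0.0.9\tapi.example.work\t" + CIFTY_USER_AGENT,
    "garbled line with no tabs",
]
SAMPLE_TASKS = ["MicrosoftEdgeUpdateTaskMachineCore", "AdobeUpdateTask"]
SAMPLE_REGISTRY = {
    RUN_KEY: {
        "OneDrive": '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background',
        "svchost": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
    },
    MARKER_KEY: {},
}
SAMPLE_MUTEXES = ["CiftyMutex2023"]

if __name__ == "__main__":
    print("published hash usable:", is_valid_sha256(PAGE_SHA256))
    for hit in scan_proxy_log(SAMPLE_PROXY_LINES):
        print("proxy hit:", hit)
    for finding in scan_host_inventory(SAMPLE_TASKS, SAMPLE_REGISTRY, SAMPLE_MUTEXES):
        print("host finding:", finding)
```

Treat the three classes of result differently: the exact User-Agent is high-fidelity but trivially changed by the operator, a TLD match needs a first-seen or reputation check before it becomes an alert, and the host findings (task name, marker key, mutex, a Run value pointing into a user profile) are worth a ticket on their own.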
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.