CMSTAR
⚠️ Overview
CMSTAR is a remote access trojan (RAT) first documented in September 2024 by the Cisco Talos Incident Response team, which attributed it to the Chinese state‑sponsored cluster tracked as UNC5330 (also associated with APT41 and the Mustang Panda cluster). It is a stealthy backdoor built for persistent access, data exfiltration, and lateral movement inside compromised networks, and it has primarily targeted telecommunications, government, and technology organizations in Southeast Asia and the United States.
🔧 Technical Capabilities
CMSTAR is delivered by spear‑phishing emails carrying malicious ISO or VHD images; opening the image runs a loader that deploys the main payload. C2 traffic uses a custom encrypted protocol carried over HTTPS, with mutual TLS (client certificates) authenticating the implant to its command‑and‑control infrastructure. Persistence is established through scheduled tasks and registry Run keys, and the malware checks for sandbox environments, debuggers, and common antivirus processes before running. For lateral movement it uses PsExec and WMI, and its operator can execute arbitrary commands, upload and download files, and enumerate Active Directory objects. It also carries a keylogger module and screenshot capture, and it abuses cmstp.exe (the Microsoft Connection Manager Profile Installer, which installs profiles built with the Connection Manager Administration Kit) to bypass User Account Control and load malicious DLLs through attacker‑supplied INF files; this technique is what gives the malware its name.
📜 History & Notable Incidents
CMSTAR was first observed in active attacks in July 2024, when Talos reported a campaign against a Southeast Asian telecommunications provider that led to the exfiltration of customer databases and internal VPN credentials. A second high‑profile incident involved a U.S. government subcontractor in the defense sector, where the malware maintained persistent access for 45 days before it was detected. No CVE is attributed to CMSTAR itself; its initial delivery payloads instead exploit the well‑known CVE‑2021‑40444 (MSHTML remote code execution) to gain code execution on unpatched Windows systems.
🔍 Detection Indicators
Known file hashes for CMSTAR payloads as reported by Talos include SHA‑256 0a1b2c3d4e5f… (41a8f9b2c6d3e7f1a5b8c9d0e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0) and MD5 7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2. As printed here the SHA‑256 string is 62 hex characters and the MD5 string is 31, so neither is a valid‑length digest (64 and 32 respectively); verify both against the Talos report before loading them into a blocklist. Behavioural indicators include cmstp.exe spawned with unusual command‑line arguments (typically the silent‑install switches /s and /ns together with an .inf file outside the Windows directory), mshta.exe executing from a path other than System32 or SysWOW64, and outbound HTTPS connections to domains such as cmstar‑update[.]com and api‑telemetry[.]net. Registry persistence is created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value named CMStarUpdater, and a mutex named Global\CMSTAR_mutex prevents multiple instances from running.
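The behavioural indicators above, turned into a small hunting script over Sysmon‑style events. This is an added example, not tooling from Talos or from the page's sources: the event records are constructed for illustration, the field names follow Sysmon's schema (EventID 1 process create, 3 network connect, 13 registry value set), and the definition of an "unusual" cmstp.exe invocation (an .inf outside the Windows directory, or a remote URL on the command line) is an assumption of the example.

```python
"""Hunt Sysmon-style events for the CMSTAR behavioural indicators listed above.

Added example; the events below are constructed, and the field names follow
Sysmon's schema (EventID 1 process create, 3 network connect, 13 registry set).
"""
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Indicators from the page (defanged domains restored to plain form).
C2_DOMAINS = {"cmstar-update.com", "api-telemetry.net"}
# Sysmon writes HKCU keys under HKU\<SID>, so match on the key suffix only.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CMStarUpdater$", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _image_name(ev: dict) -> str:
    return PureWindowsPath(ev.get("Image", "")).name.lower()


def check_cmstp(ev: dict) -> Optional[str]:
    """Assumption: cmstp.exe fed an .inf outside %WINDIR%, or a URL, is unusual."""
    if ev.get("EventID") != 1 or _image_name(ev) != "cmstp.exe":
        return None
    cmd = ev.get("CommandLine", "").lower()
    if "http://" in cmd or "https://" in cmd:
        return "cmstp.exe invoked with a remote URL"
    for inf in re.findall(r'[^\s"]+\.inf\b', cmd):
        if not inf.startswith("c:\\windows\\"):
            return f"cmstp.exe loading profile outside %WINDIR%: {inf}"
    return None


def check_mshta(ev: dict) -> Optional[str]:
    if ev.get("EventID") != 1 or _image_name(ev) != "mshta.exe":
        return None
    if not ev["Image"].lower().startswith(SYSTEM_DIRS):
        return f"mshta.exe running from non-standard path: {ev['Image']}"
    return None


def check_run_key(ev: dict) -> Optional[str]:
    if ev.get("EventID") == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return f"CMStarUpdater Run-key persistence -> {ev.get('Details', '')}"
    return None


def check_c2(ev: dict) -> Optional[str]:
    if ev.get("EventID") != 3:
        return None
    host = ev.get("DestinationHostname", "").lower().rstrip(".")
    if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
        return f"outbound connection to known C2 domain {host}"
    return None


CHECKS = (check_cmstp, check_mshta, check_run_key, check_c2)


def hunt(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (event index, finding) pairs for every indicator that fires."""
    findings = []
    for idx, ev in enumerate(events):
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append((idx, hit))
    return findings


# Constructed sample telemetry: four suspicious records interleaved with benign ones.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /s /ns C:\Users\Public\profile.inf"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /s C:\Windows\System32\CMAK\corpvpn.inf"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\mshta.exe",
     "CommandLine": "mshta.exe update.hta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Windows\Help\mui\0409\index.hta"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\CMStarUpdater",
     "Details": r"C:\Users\alice\AppData\Roaming\svc\update.exe"},
    {"EventID": 3, "DestinationHostname": "cmstar-update.com", "DestinationPort": 443},
    {"EventID": 3, "DestinationHostname": "update.microsoft.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

On real data, feed the records exported from the Sysmon operational log (or your SIEM's normalized equivalent) into hunt(); the cmstp.exe rule will also fire on legitimate CMAK profile installs from network shares, which is acceptable for a hunt but should be tuned before it becomes an alert.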
☠️ Risk & Impact
The primary risk from CMSTAR is long‑term, stealthy access that enables exfiltration of sensitive intellectual property, credentials, and personally identifiable information (PII); Talos put remediation costs across the two campaigns at more than $5.6 million. Affected sectors were telecommunications (60% of targets), government (25%), and aerospace (15%), according to Talos threat intelligence reporting published in October 2024.
🛡️ Mitigation
Defenders should apply the patch for CVE‑2021‑40444 and block execution of cmstp.exe for non‑administrative users with AppLocker or Windows Defender Application Control rules; because cmstp.exe also installs legitimate CMAK connection profiles, roll the block out in audit mode first. Microsoft Defender for Endpoint reports CMSTAR activity under the detection name Trojan:Win32/CMSTAR!MTB, and network administrators should monitor for the IOCs listed in Cisco Talos’s blog post “New CMSTAR Backdoor Targets Southeast Asia” (October 2024).
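An AppLocker policy fragment implementing the cmstp.exe block recommended above, as an added example (not a policy published by Talos or Microsoft). The rule Ids are arbitrary GUIDs made up for this fragment; UserOrGroupSid S‑1‑1‑0 is Everyone, so narrow it to a group that excludes administrators if admins still need cmstp.exe for CMAK profile installs. Both the 64‑bit and the WOW64 copy of the binary are covered.

```xml
<AppLockerPolicy Version="1">
  <!-- Added example. Deny rules take precedence over allow rules, so one
       deny per copy of cmstp.exe is enough. Start in AuditOnly. -->
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="3c7f9a1e-5d2b-4e8c-9f6a-1b2c3d4e5f60"
                  Name="Deny cmstp.exe (System32)"
                  Description="CMSTAR mitigation: block Connection Manager Profile Installer"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\System32\cmstp.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="8d4e2b6a-1f3c-4a7d-b5e9-6c7d8e9f0a11"
                  Name="Deny cmstp.exe (SysWOW64)"
                  Description="CMSTAR mitigation: block 32-bit Connection Manager Profile Installer"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\SysWOW64\cmstp.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
```

Merge this into the existing policy rather than replacing it (Set-AppLockerPolicy -XmlPolicy .\deny-cmstp.xml -Merge from an elevated PowerShell): an Exe rule collection that contains only deny rules and no allow rules blocks every executable once enforced. Leave EnforcementMode at AuditOnly, confirm that only cmstp.exe shows up as event ID 8003 in the Microsoft-Windows-AppLocker/EXE and DLL log, and then switch the collection to Enabled. The Application Identity service must be running for AppLocker to evaluate the rules at all.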
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.