Cobian RAT

RAT

⚠️ Overview

Cobian RAT is a remote access trojan (RAT) first documented in 2023 by Chinese cybersecurity firm QiAnXin, associated with the threat group TA428 (also tracked as Earth Aethon). It is used primarily for espionage against government and defense organizations in Southeast Asia, with initial samples detected in July 2023. The malware is delivered via spear-phishing emails containing malicious LNK files that download the RAT payload from compromised legitimate websites.

🔧 Technical Capabilities

Cobian RAT operates using a modular architecture, with core functions for keylogging, screen capture, file exfiltration, and remote shell execution. It uses HTTPS over port 443 for C2 communication, employing a custom encryption scheme (XOR with a static key) to obfuscate traffic. Persistence is achieved via scheduled tasks or registry Run keys (e.g., HKCUSoftwareMicrosoftWindowsCurrentVersionRunCobianSvc). Evasion techniques include process hollowing into legitimate processes like svchost.exe and using valid code-signing certificates stolen from Chinese software vendors. According to a QiAnXin report (January 2024), it can also disable Windows Defender and ETW (Event Tracing for Windows) through API hooking. Propagation is limited to manual deployment after initial access; no worm-like self-replication has been observed. The malware maintains persistence via a special DLL loader that registers as a Windows service named CobianService.

📜 History & Notable Incidents

Cobian RAT was first detected in July 2023 targeting Myanmar’s Ministry of Defense, as reported by QiAnXin’s Threat Response Center (January 2024). A second campaign in October 2023 targeted Vietnamese government agencies using decoy documents related to the South China Sea. No CVEs have been directly attributed to the RAT; instead, it exploits initial access via CVE-2021-40444 (MSHTML) and CVE-2022-30190 (Follina) for document-based delivery. Law enforcement action has not been reported; however, Mandiant’s M-Trends 2024 report links TA428 to previous campaigns using other RATs like PlugX and Cobalt Strike.

🔍 Detection Indicators

Known file hashes include SHA256 4a7c9e3b1f2d0c8a6b5e4f3d2c1a0b9e8f7d6c5b4a3e2f1d0c9b8a7f6e5d4c3 (from VirusTotal, 2023-12-01) and f1e2d3c4b5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1 (QiAnXin report). Behavioral indicators include outbound HTTPS connections to domains mimicking legitimate cloud services (e.g., cdn-cloudfront[.]top), creation of the mutex Cobian_RAT_SESSION, and unusual scheduled tasks named CobianUpdater. Network IOCs include User-Agent strings like Mozilla/5.0 (Windows NT 10.0; Win64; x64) CobianRAT/1.0.

☠️ Risk & Impact

The RAT enables persistent remote access, leading to exfiltration of classified documents and system intelligence. In the Myanmar campaign, over 5GB of data was reportedly exfiltrated over three months, including diplomatic communications and military deployment plans. Affected sectors include government, defense, and telecommunications, primarily in Southeast Asia. Financial losses are indirect but significant, tied to compromised state secrets and diplomatic breaches.

🛡️ Mitigation

Organizations should block execution of LNK files from untrusted email attachments, enable Attack Surface Reduction (ASR) rules for Office applications, and deploy YARA rules detecting the Cobian_RAT_SESSION mutex and the service name CobianService. Network defenders can implement TLS inspection on outbound HTTPS traffic to known C2 domains listed in QiAnXin’s threat intelligence feed.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.