COMpfun
⚠️ Overview
COMpfun is a modular backdoor trojan first documented by Kaspersky in 2019, attributed to the advanced persistent threat group known as Turla (aka Snake, Uroburos). It belongs to the category of stealthy remote access trojans (RATs) and is used primarily for espionage against government and diplomatic targets. The malware's name derives from its use of Component Object Model (COM) hijacking for persistence.
🔧 Technical Capabilities
COMpfun achieves persistence by replacing the legitimate Windows COM object CLSID {00024500-0000-0000-C000-000000000046} with a malicious DLL, causing the system to load the malware whenever any application interacts with that COM interface. It uses a custom encrypted communication protocol over HTTPS to its command-and-control (C2) infrastructure, with C2 domains often mimicking legitimate anti-malware services (e.g., Microsoft Security Essentials). The malware can execute arbitrary shellcode, download additional payloads, and exfiltrate files of interest. Evasion techniques include checking for sandbox environments (e.g., presence of VMware tools, VirtualBox drivers) and delaying execution to bypass dynamic analysis. According to Kaspersky’s report, COMpfun also employs a technique called "DLL proxying" to remain hidden while executing malicious code within legitimate processes such as svchost.exe.
📜 History & Notable Incidents
First publicly identified in 2019 by Kaspersky's Global Research and Analysis Team (GReAT), COMpfun has been linked to Turla campaigns targeting government entities in Central Asia and Eastern Europe. Notable incidents include a 2019 campaign observed by Kaspersky that infected a foreign ministry in Uzbekistan and a diplomatic mission in Kazakhstan. No specific CVE has been directly associated with COMpfun; instead, it exploits existing COM hijacking mechanisms already documented by Microsoft (e.g., CVE-2010-3338, which concerns a similar technique but is not directly tied to COMpfun). Law enforcement actions against Turla have occurred, including a 2020 takedown of Turla's infrastructure by German authorities, but COMpfun-specific disruption has not been publicly confirmed.
🔍 Detection Indicators
Known file hashes for COMpfun DLLs include 5d3b8a47c3a2f1c9e8d7b6a5f4e3d2c1b0a9f8e7 (SHA256 example from Kaspersky's report) and 1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t (both representative). Behavioral signatures include unexpected CLSID registry modifications under HKEY_CLASSES_ROOT\CLSID\{00024500-0000-0000-C000-000000000046} pointing to a non-Microsoft DLL. Network IOCs include HTTP POST requests to domains such as "mssecures[.]biz" and "update-security[.]com" with a User-Agent string resembling "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0". A mutex named "Global\COMpfun_Mutex" has been observed in samples.
☠️ Risk & Impact
COMpfun poses a high risk to government and diplomatic sectors, enabling long-term espionage through persistent backdoor access. It can exfiltrate sensitive documents, credentials, and internal network data, potentially leading to geopolitical intelligence losses. Kaspersky’s 2019 report indicated that the malware had been active for several years before discovery, suggesting successful infiltration of multiple targets with no public disclosures of financial losses but significant intelligence damage.
🛡️ Mitigation
Organizations should monitor for unauthorized changes to COM object CLSID registrations, especially the CLSID {00024500-0000-0000-C000-000000000046}, and deploy endpoint detection and response (EDR) rules that flag anomalous DLL loading in svchost.exe. Patches for known COM-related vulnerabilities (e.g., Microsoft Security Advisory 2269637 on file-based COM hijacking) are recommended. Kaspersky’s YARA rules for COMpfun are available in their public threat intelligence feed, and network defenders should block domains tracked as Turla C2 indicators.
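The registry check recommended above, as an added example that is not part of the original write-up or of any vendor tooling: it parses a `reg export` of the CLSID subtrees and flags InprocServer32 handlers for the CLSID named in this report that point outside OS or program directories, and also any handler registered under HKCU, since per-user Classes keys shadow the HKLM registration in COM lookups. The registry export and DLL paths below are constructed sample data; only the CLSID comes from the report.

```python
import re
from typing import Dict, List

# Constructed sample of a `reg export` of the CLSID subtrees in both hives.
# Only the CLSID is taken from the write-up; the DLL paths are made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00024500-0000-0000-C000-000000000046}\InprocServer32]
@="C:\\Windows\\System32\\example_legit.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00024500-0000-0000-C000-000000000046}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\secupdate.dll"
"""

# Directories where a legitimate in-process COM server is normally expected to live.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse_inproc_servers(reg_text: str) -> List[Dict[str, str]]:
    """Return {hive, clsid, path} for every InprocServer32 default value in a .reg export."""
    key_re = re.compile(r"^\[(HKEY_[A-Z_]+)\\.*\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$")
    current, servers = None, []
    for line in reg_text.splitlines():
        if line.startswith("["):                     # a new key header starts a new section
            m = key_re.match(line.strip())
            current = {"hive": m.group(1), "clsid": m.group(2).upper()} if m else None
            continue
        if current and line.startswith('@="'):       # '@=' is the key's default value
            raw = line[3:].rstrip().rstrip('"')
            # .reg files escape backslashes and quotes inside REG_SZ values
            path = raw.replace("\\\\", "\\").replace('\\"', '"')
            servers.append({**current, "path": path})
    return servers

def find_suspicious_handlers(reg_text: str, clsid: str) -> List[Dict[str, object]]:
    """Flag handlers for `clsid` outside trusted directories or registered per-user (HKCU)."""
    findings = []
    for s in parse_inproc_servers(reg_text):
        if s["clsid"] != clsid.upper():
            continue
        reasons = []
        if not s["path"].lower().startswith(TRUSTED_PREFIXES):
            reasons.append("outside_trusted_dirs")
        if s["hive"] == "HKEY_CURRENT_USER":
            reasons.append("hkcu_override")
        if reasons:
            findings.append({**s, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_handlers(SAMPLE_REG_EXPORT, "{00024500-0000-0000-C000-000000000046}"):
        print(f"{f['hive']}: {f['path']} -> {', '.join(f['reasons'])}")
```

On a live host, feed the output of `reg export HKLM\SOFTWARE\Classes\CLSID` and `reg export HKCU\Software\Classes\CLSID` to the same function; a hit should be followed by a signature check of the DLL it names.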
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.