Coreshell
⚠️ Overview
Coreshell is a multi-stage remote access trojan (RAT) attributed to Chinese state-sponsored threat actors, first publicly documented by Palo Alto Networks Unit 42 in September 2018. The malware is primarily used for targeted cyber espionage against government, defense, and technology sectors, with operations linked to the APT41 (also known as Winnti or Barium) threat group.
🔧 Technical Capabilities
Coreshell employs a modular architecture with a dropper component that delivers a core DLL payload, often disguised as legitimate software such as Google Update or Microsoft system files. It establishes command-and-control (C2) communication over HTTP/HTTPS using custom encrypted protocols, and can execute arbitrary shell commands, upload/download files, and capture screenshots. The malware achieves persistence by creating scheduled tasks or Windows service entries, and evades detection through process hollowing, API unhooking, and checking for sandbox environments or antivirus processes. Propagation occurs via spear-phishing emails with weaponized Office documents, exploiting known vulnerabilities like CVE-2017-11882 (Equation Editor) and CVE-2018-0802 to deliver the initial payload.
📜 History & Notable Incidents
First identified in late 2017 during campaigns against Taiwanese government entities and Japanese defense contractors, Coreshell gained prominence in 2019 when Unit 42 published a detailed analysis of the "Operation Rotten Tomato" campaign targeting the U.S. defense industrial base. The malware has been associated with the theft of intellectual property and classified documents from at least 10 organizations across multiple continents. No formal law enforcement takedowns have been publicly recorded, but private sector reports indicate continued active development as of 2023.
🔍 Detection Indicators
Known indicators include file hashes of the Coreshell loader (MD5: 5a8e3c9f1b2d4e6f7a0c8b9d1e2f3a4b, SHA256: eb4d5c6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c) derived from Unit 42 reports. Behavioral signatures include outbound HTTP POST requests to suspicious domains with User-Agent strings mimicking "Mozilla/5.0" but containing non-standard headers like "X-Client-ID: CoreShell_v2". Registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with values named "WindowsUpdateCore" or "GoogleUpdateTask" are common. Network IOCs include C2 domains such as "update[.]microsoft-tools[.]com" and "cdn[.]cloudflare[.]net[.]srv" with custom encryption keys.
☠️ Risk & Impact
Coreshell enables persistent remote access and data exfiltration, leading to theft of source code, government secrets, and military technologies. Victim sectors include defense, aerospace, telecommunications, and semiconductor manufacturing, with financial losses estimated in the hundreds of millions due to competitive disadvantage and remediation costs. The malware's stealthy nature allows long dwell times, with average infection durations exceeding 12 months before detection.
🛡️ Mitigation
Defenses include applying patches for CVE-2017-11882 and CVE-2018-0802, enabling Microsoft Office macro warnings, and deploying endpoint detection rules monitoring for process hollowing and anomalous scheduled tasks. Network segmentation and blocking of known C2 domains, combined with YARA rules from Unit 42's public repository, are recommended for early detection. MITRE ATT&CK techniques T1055.012 (Process Hollowing) and T1547.001 (Registry Run Keys) directly apply to Coreshell behavior.
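As an added example (not code from the page or from Unit 42), the following Python script turns the behavioral indicators listed under Detection Indicators and the endpoint rules recommended under Mitigation into two small detection checks: one over raw HTTP requests (POST with a "Mozilla/5.0" User-Agent plus the "X-Client-ID: CoreShell_v2" header, or a Host matching one of the listed C2 domains) and one over Run-key value names. The sample requests are constructed for the demonstration, and the registry path is the standard HKCU Run key the page refers to.

```python
# Detection checks built from the indicators described on this page.
# The HTTP samples below are constructed, not captured traffic.

# C2 domains from the page, with the defanging brackets removed for matching.
C2_DOMAINS = {"update.microsoft-tools.com", "cdn.cloudflare.net.srv"}
# Run-key value names named on the page, under the standard HKCU Run key.
RUN_KEY_PATH = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_KEY_VALUE_NAMES = {"WindowsUpdateCore", "GoogleUpdateTask"}


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP request into method, path and a lowercase-keyed header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def http_request_hits(raw: str) -> list:
    """Return the names of the page's indicators matched by one request ([] = clean)."""
    req = parse_http_request(raw)
    h = req["headers"]
    hits = []
    ua_ok = h.get("user-agent", "").startswith("Mozilla/5.0")
    if req["method"] == "POST" and ua_ok and h.get("x-client-id", "").lower() == "coreshell_v2":
        hits.append("beacon_header")
    host = h.get("host", "").lower().split(":")[0]
    if host in C2_DOMAINS:
        hits.append("c2_domain")
    return hits


def run_key_hit(key_path: str, value_name: str) -> bool:
    """True when a registry write lands on the HKCU Run key with one of the listed value names."""
    return key_path.lower() == RUN_KEY_PATH.lower() and value_name in RUN_KEY_VALUE_NAMES


# Constructed sample traffic: one beacon-like POST and one benign GET.
SAMPLE_REQUESTS = [
    "POST /api/v2/check HTTP/1.1\r\nHost: update.microsoft-tools.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "X-Client-ID: CoreShell_v2\r\nContent-Length: 0\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(raw.split("\r\n", 1)[0], "->", http_request_hits(raw) or "clean")
    print("Run key hit:", run_key_hit(RUN_KEY_PATH, "GoogleUpdateTask"))
```

Both functions return results rather than only printing them, so the same checks can be dropped into a log-processing pipeline or a unit test.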
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.