CradleCore
⚠️ Overview
CradleCore is a dormant loader and initial access broker first publicly documented by Broadcom's Symantec Threat Hunter Team in October 2023. Categorised as a downloader/loader, it is operated by the threat cluster UNC5216, which is tracked with moderate confidence and is suspected of having ties to financially motivated cybercriminal groups. The malware is distributed primarily through phishing campaigns that carry weaponized Office documents and ISO files.
🔧 Technical Capabilities
CradleCore uses PowerShell scripts (MITRE ATT&CK T1059.001) as its primary execution vehicle, downloading a second-stage payload from attacker-controlled cloud storage services such as Dropbox and OneDrive to evade network-based detection. It achieves persistence via registry Run keys (T1547.001) and scheduled tasks (T1053.005). The loader employs process injection into legitimate Windows binaries (T1055.001) and uses living-off-the-land binaries (LOLBins) like Mshta and Regsvr32 to bypass application whitelisting. C2 communication is encrypted with TLS 1.3 and uses domain fronting through CDN providers to mask the true command-and-control server. Evasion includes environmental keying (checking for debuggers, sandbox artifacts) and delayed execution to defeat automated analysis.
📜 History & Notable Incidents
First observed in late September 2023, CradleCore was used in a campaign targeting aerospace and defence contractors in Europe and North America. No known CVEs are directly associated with the malware; it relies on socially engineered delivery. In November 2023, a fake software update page hosted on typosquatted domains served CradleCore as part of a watering-hole attack. Law enforcement has not publicly attributed or taken action against this family as of early 2025.
🔍 Detection Indicators
Known file hashes include SHA256 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3 (reported by Broadcom). Behavioral signatures include sudden PowerShell execution spawning child processes from Microsoft Office, network connections to benign-looking cloud storage URIs with obfuscated paths, and registry writes to HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CradleUpdater. The mutex name Global\CradleCore_2023_Mutex has been observed in memory dumps. User-Agent strings used during the C2 handshake mimic legitimate browser agents such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 but show specific TLS fingerprinting anomalies.
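A minimal detector for the behavioural indicators listed above, run over constructed Sysmon-style events. This is an added example, not code from the Broadcom report or from Boteraser; the event field names, the list of Office parent images and the sample events are assumptions.

```python
"""Toy detector for the CradleCore behavioural indicators above.
Added example; event shapes are constructed, not real telemetry."""
import re

# Assumed image names: Office parents and the script hosts / LOLBins named on the page
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "regsvr32.exe"}
# Run key path from the page (any value name under it is interesting, not only CradleUpdater)
RUN_KEY = re.compile(r"^HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
MUTEX = r"Global\CradleCore_2023_Mutex"


def check_event(ev: dict) -> list:
    """Return the indicator names a single event matches (empty list if none)."""
    hits = []
    if ev.get("type") == "process_create":
        if ev["parent"].lower() in OFFICE_PARENTS and ev["image"].lower() in SCRIPT_HOSTS:
            hits.append("office_spawns_script_host")
    elif ev.get("type") == "registry_set":
        if RUN_KEY.match(ev["key"]):
            hits.append("run_key_persistence")
    elif ev.get("type") == "mutex_create":
        if ev["name"] == MUTEX:
            hits.append("known_mutex")
    return hits


def scan(events):
    """Flatten all matches to (pid, indicator) pairs, in event order."""
    return [(ev["pid"], h) for ev in events for h in check_event(ev)]


def suspicious_pids(events, min_hits=2):
    """Correlate by process: a pid with several distinct indicators is a stronger signal."""
    by_pid = {}
    for pid, hit in scan(events):
        by_pid.setdefault(pid, set()).add(hit)
    return sorted(p for p, hits in by_pid.items() if len(hits) >= min_hits)


# Constructed sample telemetry (simplified Sysmon-like fields)
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120, "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"type": "process_create", "pid": 4131, "parent": "explorer.exe", "image": "powershell.exe"},
    {"type": "registry_set", "pid": 4120,
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CradleUpdater"},
    {"type": "mutex_create", "pid": 4120, "name": r"Global\CradleCore_2023_Mutex"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
    print("suspicious pids:", suspicious_pids(SAMPLE_EVENTS))
```

The benign PowerShell launched from explorer.exe produces no hit, while the Office-spawned process accumulates three distinct indicators and is the only pid reported.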
☠️ Risk & Impact
CradleCore functions as a delivery mechanism for ransomware and information stealers, leading to data exfiltration and operational disruption. Affected sectors include defence, aerospace, and managed service providers. Financial losses from resulting ransomware infections in one incident exceeded $2.3 million according to a 2024 Mandiant incident response report. The loader’s low detection rate by traditional antivirus in its early months caused prolonged dwell times averaging 17 days.
🛡️ Mitigation
Defenders should enable PowerShell script block logging and AMSI, deploy application control policies (e.g., Windows Defender Application Control) to block untrusted scripts, and monitor for anomalous connections to cloud storage APIs. The Broadcom report (Symantec Threat Hunter, 2023-10-15) recommends blocking the identified IoCs and implementing network segmentation for critical assets.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.