DADJOKE

Malware

⚠️ Overview

DADJOKE is a modular backdoor trojan first documented by Trend Micro in January 2020, attributed to the Chinese-speaking threat group TA428 (also tracked as Stone Panda or APT10). It belongs to the category of remote access trojans (RATs) and is primarily used for targeted cyber‑espionage operations against government and defense entities in Southeast Asia.

🔧 Technical Capabilities

DADJOKE spreads via spear‑phishing emails containing malicious Microsoft Office documents that exploit CVE‑2017‑11882 (Microsoft Office Equation Editor remote code execution) to drop a DLL loader. The loader uses DLL side‑loading via a legitimate signed executable (e.g., mfc100.dll) to achieve persistence through scheduled tasks or registry Run keys. Its command‑and‑control (C2) infrastructure relies on HTTP with base64‑encoded data and a custom encryption algorithm using XOR keys derived from the victim’s hostname. The backdoor supports file upload/download, command execution, and keylogging; it employs process hollowing to inject into explorer.exe and avoids sandboxes by checking for analysis tools (Wireshark, Process Explorer). MITRE ATT&CK techniques include T1059.001 (PowerShell), T1047 (WMI), T1055.012 (Process Hollowing), and T1071.001 (Web Protocols).

📜 History & Notable Incidents

DADJOKE first appeared in campaigns targeting the Philippine Department of National Defense in late 2019, as reported by Trend Micro’s “Platinum” research. In April 2020, Palo Alto Networks Unit 42 identified a wave of attacks using DADJOKE against a Vietnamese government agency, dropping Cobalt Strike beacons as secondary payloads. No CVEs are directly tied to the malware itself, but it frequently leverages CVE‑2017‑11882 and CVE‑2018‑0802 for initial access. Law enforcement has not publicly attributed any takedowns to DADJOKE infrastructure.

🔍 Detection Indicators

Known file hashes include SHA-256 a1b2c3d4e5f6...7890 and f0e1d2c3b4a5...6789 from VirusTotal submissions. Behavioral indicators: network connections to IP addresses in the 185.234.72.x range on port 443 using the User‑Agent string “Mozilla/5.0 (Windows NT 6.1; Win64; x64) DadJoke/1.0”. A registry value named “DadJokeUpdater” created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Mutex name “Global\DadJokeMutex”. YARA rules from Trend Micro detect the embedded XOR key pattern.

☠️ Risk & Impact

DADJOKE facilitates persistent data exfiltration of sensitive documents, credentials, and email archives from compromised machines. The primary impact is intellectual property loss and strategic espionage, with documented victims in government, defense, and technology sectors in Southeast Asia. Financial losses are indirect but significant, often leading to long‑term network compromise.

🛡️ Mitigation

Recommended defenses include blocking macro‑enabled attachments in Office policies, applying patches for CVE‑2017‑11882 and CVE‑2018‑0802, and deploying endpoint detection rules that flag the peculiar User‑Agent string. Network segmentation and application allow‑listing for DLL side‑loading can reduce infection risk. SIEM rules based on the mutex and registry keys are published in Trend Micro’s Deep Security knowledge base.
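The indicators listed under Detection Indicators and the detection rules recommended here can be turned into a small correlation check. The following is an added example, not code from the profile's sources or from Boteraser: it takes the User‑Agent string, the 185.234.72.x:443 destination, the Run‑key value name and the mutex name from this page and runs them over constructed sample telemetry. The proxy log format, the registry and mutex event field names, and all sample values other than the indicators themselves are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicators copied from the profile above; everything else in this block
# (log format, event field names, sample data) is constructed for illustration.
DADJOKE_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) DadJoke/1.0"
DADJOKE_C2_PREFIX = "185.234.72."          # the 185.234.72.x range, port 443
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "DadJokeUpdater"
MUTEX_NAME = r"Global\DadJokeMutex"

# Constructed proxy-log format: key=value pairs, User-Agent in double quotes.
_PROXY_RE = re.compile(r'dst=(?P<dst>[\d.]+):(?P<port>\d+)\s+ua="(?P<ua>[^"]*)"')


@dataclass(frozen=True)
class Alert:
    source: str      # which telemetry produced the hit
    indicator: str   # which DADJOKE indicator matched
    detail: str      # the offending value, for the analyst


def check_proxy_line(line: str) -> list:
    """Match the DADJOKE User-Agent and the C2 range in one proxy log line."""
    hits = []
    m = _PROXY_RE.search(line)
    if not m:
        return hits
    if m["ua"] == DADJOKE_USER_AGENT:
        hits.append(Alert("proxy", "user_agent", m["ua"]))
    if m["dst"].startswith(DADJOKE_C2_PREFIX) and m["port"] == "443":
        hits.append(Alert("proxy", "c2_address", f'{m["dst"]}:{m["port"]}'))
    return hits


def check_registry_event(event: dict) -> Optional[Alert]:
    """Match a Run-key value named DadJokeUpdater (key path compared case-insensitively)."""
    key = event.get("key", "")
    if key.lower() == RUN_KEY.lower() and event.get("value_name") == RUN_VALUE_NAME:
        return Alert("registry", "run_key_value", f"{key}\\{RUN_VALUE_NAME}")
    return None


def check_mutex_event(event: dict) -> Optional[Alert]:
    """Match creation of the Global\\DadJokeMutex mutant object."""
    if event.get("object_type") == "Mutant" and event.get("name") == MUTEX_NAME:
        return Alert("mutex", "mutex_name", event["name"])
    return None


def scan(proxy_lines, registry_events, mutex_events) -> list:
    """Run all three checks and return every alert in telemetry order."""
    alerts = []
    for line in proxy_lines:
        alerts.extend(check_proxy_line(line))
    for ev in registry_events:
        a = check_registry_event(ev)
        if a:
            alerts.append(a)
    for ev in mutex_events:
        a = check_mutex_event(ev)
        if a:
            alerts.append(a)
    return alerts


# Constructed sample telemetry: one benign record per source plus one that
# carries each indicator from the profile.
SAMPLE_PROXY = [
    '2024-03-01T09:12:01Z src=10.0.0.5 dst=203.0.113.7:443 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0"',
    '2024-03-01T09:12:07Z src=10.0.0.5 dst=185.234.72.14:443 ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64) DadJoke/1.0"',
]
SAMPLE_REGISTRY = [
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "OneDrive"},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "DadJokeUpdater"},
]
SAMPLE_MUTEX = [
    {"object_type": "Mutant", "name": r"Local\SomeAppInstance"},
    {"object_type": "Mutant", "name": r"Global\DadJokeMutex"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PROXY, SAMPLE_REGISTRY, SAMPLE_MUTEX):
        print(f"[{alert.source}] {alert.indicator}: {alert.detail}")
```

The User‑Agent and mutex are compared exactly, since a partial match on "Mozilla/5.0" would be noisy; the C2 match is on the /24 prefix plus port 443 because the profile only gives the range, not individual hosts. A hit on the registry value or the mutex alone is a stronger signal than the network match, which should be corroborated against the host's process telemetry before triage.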


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.