DDKONG
⚠️ Overview
DDKONG is a modular remote access trojan (RAT) used as a backdoor in targeted espionage campaigns. It was first publicly documented in June 2018 by Palo Alto Networks Unit 42, which described it alongside the PLAINTEE family in campaigns by the China-linked group Unit 42 tracks as Rancor against targets in Southeast Asia. The sources aggregated for this entry cite an August 2022 report from the QiAnXin Threat Intelligence Center, attribute the activity to the China-linked APT group TA428, and describe persistent access to government and telecommunications networks across the Middle East and Asia. (DarkPulsar, which those sources give as an alias of TA428, is the name of an Equation Group implant leaked by the Shadow Brokers, not of this group.)
🔧 Technical Capabilities
DDKONG has a modular architecture: a core backdoor loads plugins for file exfiltration, keylogging and process injection. The aggregated sources report initial access through spear-phishing emails carrying malicious documents that exploit CVE-2021-26411 (Internet Explorer memory corruption) or CVE-2022-22718 (Windows Print Spooler elevation of privilege). Command-and-control (C2) traffic is HTTPS, typically to non-standard ports such as 8080 and 8443, with domain fronting through a CDN (Cloudflare is named) so that the TLS SNI and the real destination differ. Persistence uses scheduled tasks and registry Run keys; evasion includes unhooking the user-mode API hooks placed by security products, DLL sideloading through a legitimate signed executable, and delayed execution to outlast sandbox analysis windows.
📜 History & Notable Incidents
Public reporting on DDKONG dates to June 2018, when Unit 42 described it in campaigns against targets in Southeast Asia. The sources aggregated here report its use against a Middle Eastern government ministry in August 2022 and against telecom providers in Pakistan and India between late 2022 and early 2023. CVEs identify vulnerabilities rather than malware, so none is assigned to DDKONG itself; the exploits it is reported to use are CVE-2021-26411 and CVE-2022-22718. No arrests or takedowns related to this family have been publicly announced.
🔍 Detection Indicators
Known file hashes include MD5 e3a5c8f9b2d1a4c7e6f8d0b1c2a3b4c5 (sample reported on VirusTotal). Behavioural indicators: creation of the mutex DDKONG_MUTEX_2022; the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DDKONGService (Sysmon and most EDR telemetry record this hive as HKU\<SID> rather than HKCU); and outbound HTTPS to domains matching *.dionysus[.]top. The User-Agent is the Chrome 92 string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 with altered version numbers, so match on its shape rather than on the exact string.
☠️ Risk & Impact
DDKONG gives the operator full remote control, data exfiltration (documents, credentials, emails) and a foothold for lateral movement. Affected sectors include government, telecommunications and energy in the Middle East and South Asia. Financial losses are indirect: incident response costs and reputational damage. The malware does not encrypt files or demand ransom; its purpose is espionage.
🛡️ Mitigation
Defenders should apply patches for CVE-2021-26411 and CVE-2022-22718; restrict outbound HTTPS at the proxy or firewall (egress filtering by destination domain and port, plus DNS blocking or sinkholing of the indicator domains), using a network monitoring tool such as Zeek or Wireshark to inspect suspect traffic rather than to block it; deploy YARA rules for the mutex string in files and memory; and write behavioural detection rules (Sigma, or native EDR rules) for the registry Run value and the C2 traffic pattern. Endpoint detection and response (EDR) products such as CrowdStrike Falcon or SentinelOne can flag behaviours like DLL sideloading and API unhooking.
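The indicators listed under Detection Indicators and the rule advice in this Mitigation section, worked as an added example (not code from the page's sources or from any vendor): a Python hunt over Sysmon-style events and web-proxy records. It assumes Sysmon event IDs 13 (registry value set), 22 (DNS query) and 3 (network connection) with their standard field names, and a proxy record carrying Host and UserAgent fields; the sample events are constructed. It goes slightly beyond the entry in two places: it normalises the HKU\<SID> form that Sysmon actually logs to HKCU, and it matches the User-Agent by shape so that the altered version numbers the entry mentions do not defeat the rule.

```python
"""
Hunt for the DDKONG indicators listed in this entry across Sysmon-style
events and web-proxy records.

Added example for this entry, not code from the page's sources or from
any vendor. The event records at the bottom are constructed for the
example, not real telemetry; the indicator values are the ones the entry
lists.
"""
import re
from typing import Iterable

# Indicators as published in the entry. The domain is kept defanged and
# refanged only at match time so the published form stays visible in the rule.
DDKONG_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
DDKONG_RUN_VALUE = "DDKONGService"
DDKONG_DOMAIN_DEFANGED = "*.dionysus[.]top"
DDKONG_PORTS = {8080, 8443}

# The entry says the User-Agent is a Chrome 92 string with altered version
# numbers, so an exact-string rule would miss it. Every numeric component
# is replaced by \d+ and the rest of the string is matched literally.
DDKONG_UA_RE = re.compile(
    r"^Mozilla/5\.0 \(Windows NT \d+\.\d+; Win64; x64\) AppleWebKit/\d+\.\d+ "
    r"\(KHTML, like Gecko\) Chrome/\d+\.\d+\.\d+\.\d+ Safari/\d+\.\d+$"
)

# Sysmon records a user's hive as HKU\<SID>, not HKCU, and exported rules
# often spell it HKEY_CURRENT_USER; all three are normalised to HKCU.
HIVE_RE = re.compile(r"^(?:HKEY_CURRENT_USER|HKCU|HKU\\S-1-5-21-[\d-]+)\\", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn the published defanged form into a matchable name."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def domain_matches(name: str, pattern: str) -> bool:
    """Suffix match for '*.example.top' that will not match 'notexample.top'."""
    pattern = refang(pattern).lower()
    name = name.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".dionysus.top", leading dot included
        return name.endswith(suffix) and len(name) > len(suffix)
    return name == pattern


def registry_matches(target: str) -> bool:
    """Case-insensitive match on the Run value after hive normalisation."""
    normalised = HIVE_RE.sub(lambda _m: "HKCU\\", target)
    wanted = DDKONG_RUN_KEY + "\\" + DDKONG_RUN_VALUE
    return normalised.lower() == wanted.lower()


def hunt(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule_name, evidence) for every event that hits an indicator."""
    hits: list[tuple[str, str]] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and registry_matches(ev.get("TargetObject", "")):
            hits.append(("ddkong_run_key", ev["TargetObject"]))
        elif eid == 22 and domain_matches(ev.get("QueryName", ""), DDKONG_DOMAIN_DEFANGED):
            hits.append(("ddkong_c2_domain", ev["QueryName"]))
        elif (eid == 3 and ev.get("Initiated")
              and int(ev.get("DestinationPort", 0)) in DDKONG_PORTS
              and domain_matches(ev.get("DestinationHostname", ""), DDKONG_DOMAIN_DEFANGED)):
            hits.append(("ddkong_c2_port", f"{ev['DestinationHostname']}:{ev['DestinationPort']}"))
        elif ("UserAgent" in ev and DDKONG_UA_RE.match(ev["UserAgent"])
              and domain_matches(ev.get("Host", ""), DDKONG_DOMAIN_DEFANGED)):
            # The UA shape alone matches every genuine Chrome 92 client, so it
            # is only reported together with the C2 domain.
            hits.append(("ddkong_c2_ua", ev["Host"]))
    return hits


SID = "S-1-5-21-1004336348-1177238915-682003330-1001"  # constructed SID
RUN_PATH = r"\Software\Microsoft\Windows\CurrentVersion\Run"
CHROME92_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36")  # altered build number
SAMPLE_EVENTS = [  # constructed records, not captured telemetry
    {"EventID": 13, "TargetObject": "HKU\\" + SID + RUN_PATH + r"\DDKONGService"},
    {"EventID": 13, "TargetObject": "HKU\\" + SID + RUN_PATH + r"\OneDrive"},
    {"EventID": 22, "QueryName": "update.dionysus.top"},
    {"EventID": 22, "QueryName": "notdionysus.top"},
    {"EventID": 3, "Initiated": True, "DestinationHostname": "cdn.dionysus.top", "DestinationPort": 8443},
    {"EventID": 3, "Initiated": True, "DestinationHostname": "www.example.com", "DestinationPort": 443},
    {"Host": "api.dionysus.top", "UserAgent": CHROME92_UA},
    {"Host": "www.example.com", "UserAgent": CHROME92_UA},
]

if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Run as a script it prints the four hits from the constructed events (the Run value, the DNS query, the 8443 connection and the proxy request), and ignores the look-alike domain, the benign Run value and the Chrome 92 client talking to an unrelated host. Against real data, feed it parsed Sysmon and proxy records with the same field names.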
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.