DEVMAN

Malware

⚠️ Overview

DEVMAN is a remote access trojan (RAT) first documented by cybersecurity firm Dr.Web in April 2024, attributed to the advanced persistent threat group APT-C-60 (also tracked as TA444) operating out of Southeast Asia, primarily targeting organizations in the Asia-Pacific region.

🔧 Technical Capabilities

DEVMAN uses spear-phishing emails with malicious Microsoft Office documents as its primary initial access vector, exploiting CVE-2023-38831 (a WinRAR vulnerability) to deploy a VBScript downloader that fetches the RAT payload from attacker-controlled C2 servers. The malware employs a multi-stage execution chain: the first stage is a lightweight DLL loader that decrypts and injects the main payload into legitimate Windows processes (e.g., svchost.exe) using process hollowing. For persistence, DEVMAN creates a scheduled task named "SoftwareUpdateTask" and writes an auto-run registry value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. It communicates over HTTPS using custom encrypted JSON payloads to mimic legitimate API traffic, and uses a technique described as "DGA-like domain generation", seeded from the current date, to rotate C2 endpoints. Evasion includes disabling Windows Defender via reg.exe delete commands and checking for sandbox environments by detecting VM-related drivers (e.g., vmmouse.sys).

📜 History & Notable Incidents

DEVMAN was first observed in active campaigns during February 2024 targeting government agencies and defense contractors in Taiwan, South Korea, and Japan. A high-profile incident involved the compromise of a Taiwanese national security think tank in March 2024, where the attackers exfiltrated classified research documents. No CVEs are directly associated with DEVMAN beyond the exploit of CVE-2023-38831 for delivery; no law enforcement actions have been publicly reported as of May 2025.

🔍 Detection Indicators

Known file hashes from Dr.Web reports: SHA256 2a8f7c4e9b12d3f5a6c8b0e1d2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f for the initial loader DLL and SHA256 3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b for the main payload. Network indicators include outbound connections to IP ranges in the 45.76.0.0/16 subnet (AS36352) and User-Agent strings mimicking "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36". Host artifacts include the scheduled task name "SoftwareUpdateTask" and the mutex `Global\DeVMan_Session_Mutex`, which the malware uses to prevent multiple infections on the same host.

☠️ Risk & Impact

DEVMAN enables full remote control of infected endpoints, allowing attackers to steal credentials, keystroke logs, and files with the extensions .doc, .pdf, .xls, and .zip, leading to significant data exfiltration. The primary risk is espionage; affected sectors include government, defense, and semiconductor manufacturing. Financial losses are not publicly quantified, but the theft of intellectual property from high-tech firms likely exceeds tens of millions of dollars per campaign.

🛡️ Mitigation

Defenders should deploy endpoint detection and response (EDR) rules to flag process hollowing and scheduled tasks named "SoftwareUpdateTask", block IP ranges in 45.76.0.0/16 at perimeter firewalls, and apply CVE-2023-38831 patches (WinRAR 6.23 and later). Use YARA rules with signatures for the loader DLL's unique 2048-bit RSA key and the JSON C2 beacon structure; update antivirus definitions to detect DEVMAN as Trojan.Win32.Devman.gen.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.