Divergent

Malware

⚠️ Overview

Divergent is a remote access trojan (RAT) first documented in October 2022 by researchers at Palo Alto Networks' Unit 42, attributed to the Chinese state-sponsored group tracked as TA423 (also known as Mustang Panda or Earth Preta). It is primarily used for espionage operations targeting government and telecommunications sectors in Southeast Asia and Europe.

🔧 Technical Capabilities

Divergent propagates via spear-phishing emails carrying malicious Office documents that exploit CVE-2017-11882 (the Equation Editor vulnerability) to execute a dropper component. Its C2 infrastructure uses HTTP and HTTPS with custom encryption (RC4 with a hardcoded key) and a domain generation algorithm (DGA) to evade blocking. Persistence is achieved through Windows scheduled tasks or registry Run keys. Evasion techniques include API unhooking, process hollowing, and sandbox checks that measure system uptime and mouse movement.

📜 History & Notable Incidents

First observed in 2022, Divergent was used in a campaign against Myanmar government entities in July 2023, as reported by Trend Micro. No CVEs are directly associated with the malware itself, but it leverages CVE-2017-11882 for initial access. In December 2023, Unit 42 published a detailed analysis linking the malware to Mustang Panda.

🔍 Detection Indicators

Known file hashes include SHA256 2f7c9b8a1e4d6f0c3a5b7e8d1f0a2c4b6e8d0a2f4c6e8d0a2b4c6e8d0a2f4c6 (sample from Unit 42 report). Behavioral signatures include creation of files named divergent.dll in %TEMP% and network traffic to domains matching DGA patterns like *.dnscrypt-[random].com. Mutex names observed: DivMutex.

☠️ Risk & Impact

Divergent enables full remote control of infected hosts, allowing data exfiltration, keylogging, and screen capture. It has primarily impacted government and telecommunications organizations in Myanmar, the Philippines, and Vietnam, with potential financial losses from stolen classified data and operational disruption.

🛡️ Mitigation

Organizations should block macros in Office documents, apply patches for CVE-2017-11882, and deploy EDR rules to detect process hollowing. Unit 42 recommends monitoring for outbound connections to DGA-based domains and enabling AMSI on PowerShell. No specific vendor patch exists for the malware itself.
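The following is an added example, not code from the profile above or from Unit 42: a small Python matcher that applies the host and network indicators listed under Detection Indicators (the divergent.dll file name in %TEMP%, the *.dnscrypt-[random].com DGA shape, and the DivMutex mutex) to endpoint telemetry, the kind of monitoring the mitigation section recommends. The log format, the temp-directory layout and the character set and length of the DGA label are assumptions, and the sample lines are constructed.

```python
"""Match endpoint telemetry against the Divergent indicators quoted above."""
import re

# Indicators taken from the profile above. The DGA label character set and
# length are assumptions; the page only gives the *.dnscrypt-[random].com shape.
FILE_IOC = "divergent.dll"
DGA_DOMAIN_RE = re.compile(r"(?:^|\.)dnscrypt-[a-z0-9]+\.com$", re.IGNORECASE)
MUTEX_IOC = "DivMutex"

# Constructed telemetry in a hypothetical "<timestamp> <event> <value>" format.
SAMPLE_LOG = """\
2024-03-01T09:12:01Z FILE_CREATE C:\\Users\\alice\\AppData\\Local\\Temp\\divergent.dll
2024-03-01T09:12:02Z DNS_QUERY cdn.dnscrypt-k3j9x2q.com
2024-03-01T09:12:02Z DNS_QUERY www.dnscrypt.org
2024-03-01T09:12:03Z MUTEX_CREATE Global\\DivMutex
2024-03-01T09:12:04Z FILE_CREATE C:\\Program Files\\Vendor\\divergent.dll
2024-03-01T09:12:05Z MUTEX_CREATE Local\\DivMutexHelper
2024-03-01T09:12:06Z DNS_QUERY mail.example.com
"""


def _is_temp_path(path: str) -> bool:
    """True for the locations %TEMP% normally expands to (assumed layout)."""
    p = path.replace("/", "\\").lower()
    return "\\appdata\\local\\temp\\" in p or p.startswith("c:\\windows\\temp\\")


def _basename(path: str) -> str:
    """Last path component; also strips a Global\\ or Local\\ mutex namespace."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def match_event(event: str, value: str):
    """Return an indicator label if (event, value) matches a Divergent IOC, else None."""
    if event == "FILE_CREATE":
        # Only the file name dropped into %TEMP% is an indicator; the same
        # name elsewhere (e.g. a vendor install directory) is not flagged.
        if _basename(value).lower() == FILE_IOC and _is_temp_path(value):
            return "file:divergent.dll-in-temp"
    elif event == "DNS_QUERY":
        # Any subdomain of dnscrypt-<random>.com matches the DGA pattern.
        if DGA_DOMAIN_RE.search(value.rstrip(".")):
            return "dns:dga-dnscrypt-domain"
    elif event == "MUTEX_CREATE":
        # Exact mutex name after the namespace prefix; substrings are ignored.
        if _basename(value) == MUTEX_IOC:
            return "mutex:DivMutex"
    return None


def scan_log(text: str):
    """Return one hit dict per telemetry line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split(" ", 2)  # value may itself contain spaces
        if len(parts) != 3:
            continue
        ts, event, value = parts
        label = match_event(event, value)
        if label:
            hits.append({"ts": ts, "indicator": label, "value": value})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['indicator']} {hit['value']}")
```

Running the block over the constructed sample reports three hits (the temp-directory DLL, the DGA domain and the mutex) and ignores the look-alike lines. Real telemetry would come from a file-creation, DNS and object-creation feed (Sysmon or an EDR export) rather than an inline string; the matching logic stays the same.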


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.