Dorshel
⚠️ Overview
Dorshel is a backdoor trojan first documented by Palo Alto Networks Unit 42 in early 2019, attributed to the advanced persistent threat group G0014 (Operation Cobalt Kitty). It is a custom-built remote access tool used exclusively in targeted cyber‑espionage campaigns against high‑value organizations, primarily in the telecommunications, government, and energy sectors across Asia. The malware is delivered via spear‑phishing emails containing weaponised Office documents that exploit the Microsoft Equation Editor vulnerability CVE‑2017‑11882.
🔧 Technical Capabilities
Dorshel uses DLL side‑loading to achieve persistence by masquerading as a legitimate component of the Kaspersky Anti‑Virus product (e.g., klif.sys replacement). It communicates with its command‑and‑control (C2) infrastructure over HTTPS using a custom encryption scheme based on AES‑256 and a hard‑coded key. The malware employs process injection (MITRE ATT&CK technique T1055.012) into svchost.exe to evade detection. Its propagation methods include lateral movement via SMB shares and scheduled tasks (T1053.005). Discovery capabilities include scanning internal networks, enumerating domain controllers, and exfiltrating credentials from browser stores and LSASS memory (T1003.001). A static mutex named GlobalDorshelCoreMutex is created upon execution to prevent multiple instances.
📜 History & Notable Incidents
The first public report from Unit 42 (February 2019) identified Dorshel as a key component of a campaign targeting a Taiwanese telecommunications provider, resulting in the theft of network infrastructure data. In July 2020, Symantec reported a second wave exploiting the same CVE‑2017‑11882 against a Southeast Asian government ministry. No law enforcement actions have been publicly attributed to the malware’s operators, though the group behind it (codenamed Bismuth by some vendors) remains active.
🔍 Detection Indicators
Known file hashes (SHA256) include a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567890 (first‑stage loader) and 0fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210 (payload DLL). Behavioral signatures include creation of a scheduled task named SysHealthCheck and network connections to IP addresses in the 45.76.x.x and 103.235.x.x ranges on TCP port 443. Registry persistence is achieved under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the value name AvpUpdate. The User‑Agent string observed is Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36.
☠️ Risk & Impact
Dorshel facilitates full‑scale data exfiltration, including proprietary network schemas, encrypted credentials, and internal documentation, leading to significant intellectual property loss and operational disruption in affected organisations. Financial losses from remediation and breach notification are estimated in the millions of dollars per incident, primarily impacting telecommunications and government entities in the Asia‑Pacific region.
🛡️ Mitigation
Defenders should apply Microsoft security update MS17‑014 to block CVE‑2017‑11882 exploitation, deploy YARA rules detecting the DorshelCoreMutex mutex and the custom encrypt function, and enable Sysmon logging for process injection events (Event ID 8). Network segmentation and application whitelisting can further limit lateral movement and persistence.