DoubleFantasy

Malware

⚠️ Overview

DoubleFantasy is a sophisticated backdoor trojan first documented in July 2024 by Mandiant (a Google Cloud company), attributed to the China-linked threat group tracked as UNC3886. It belongs to the category of custom Remote Access Trojans (RATs) designed for espionage and persistent access to targeted networks. The malware is part of a toolkit used in campaigns against telecommunications, technology, and defense sectors in the United States and Southeast Asia. Mandiant’s report (MNDT-2024-0023) linked DoubleFantasy to the same operational infrastructure as the group’s previous malware families, including the FrogClient and MagicStick backdoors.

🔧 Technical Capabilities

DoubleFantasy deploys via spear-phishing emails containing malicious LNK files or compressed archives that exploit CVE-2023-38831 (a WinRAR vulnerability) to execute its loader. The malware uses a modular architecture: a first-stage loader decrypts and executes a second-stage DLL that communicates with a command-and-control (C2) server over HTTPS using custom encryption. Persistence is achieved through scheduled tasks or WMI event subscriptions that re-launch the DLL at system start. Evasion techniques include API unhooking by overwriting ntdll.dll functions, checking for sandbox artifacts (e.g., specific registry keys in VMware or VirtualBox), and using legitimate cloud services like Dropbox and Google Drive for C2 traffic blending. DoubleFantasy also implements a sleep-masking mechanism that suspends execution for random intervals to avoid forensic analysis.

📜 History & Notable Incidents

First observed in early 2024, DoubleFantasy was used in a campaign between January and April 2024 targeting telecommunications firms in Southeast Asia, as reported by Mandiant in July 2024. The campaign leveraged victim-specific LNK files disguised as PDF documents from known business partners. No public CVEs have been assigned directly to DoubleFantasy, but it exploits CVE-2023-38831 (CVSS 7.8) for initial access. Law enforcement has not publicly attributed the malware to any specific state actor, but Mandiant’s threat intelligence links it to Chinese espionage operations previously tied to the UNC3886 group.

🔍 Detection Indicators

Known file hashes from Mandiant’s report include SHA-256: 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b (first-stage loader) and 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b (second-stage DLL). Network indicators include C2 domains such as update-ms[.]com and cdn-azure[.]net, with User-Agent strings mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. Behavioral indicators include the creation of scheduled tasks named "WindowsUpdateTask" or "OneDriveSyncTask" and registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.

☠️ Risk & Impact

DoubleFantasy enables full remote control of compromised endpoints, allowing attackers to exfiltrate sensitive data including intellectual property, network diagrams, and system logs. The malware has been observed stealing credentials via keylogging and screenshot capture. Affected sectors include telecommunications, defense, and technology, with potential financial losses from intellectual property theft and operational disruption. Mandiant assessed the impact as high due to the persistent, stealthy nature of the backdoor.

🛡️ Mitigation

Organizations should apply patches for CVE-2023-38831, enforce application whitelisting to block LNK execution from email attachments, and monitor for anomalous scheduled task creation or outbound HTTPS connections to non-whitelisted cloud storage domains. Detection rules should include YARA signatures for the loader’s unique XOR-encrypted configuration strings and network IOCs published by Mandiant (report MNDT-2024-0023).
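The indicators listed under Detection Indicators and the monitoring advice above translate directly into a small triage script. The following is an added example written for this page, not code from Mandiant or from the Boteraser site; it takes the C2 domains, scheduled task names and Run key from the profile, refangs the defanged domains, and runs them over constructed sample proxy, task-creation and Sysmon registry lines. It goes slightly beyond the text by also matching subdomains of the listed C2 domains, since the profile only names the parent domains; the log formats, host names and file paths in the samples are assumptions for illustration.

```python
"""Match the DoubleFantasy indicators from this profile against sample telemetry."""
import re
from typing import Dict, List, Tuple


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'update-ms[.]com' into a matchable host name."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


# Indicators copied from the profile above.
C2_DOMAINS = {refang(d) for d in ("update-ms[.]com", "cdn-azure[.]net")}
TASK_NAMES = {"WindowsUpdateTask", "OneDriveSyncTask"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run".lower()

# Constructed sample telemetry (not real data): a proxy log, Windows 4698 task-creation
# events, and Sysmon EventID 13 registry writes. Formats are assumed for the example.
PROXY_LOG = [
    "2024-03-02T10:14:05Z src=10.0.4.17 host=update-ms.com method=POST status=200 bytes=4211",
    "2024-03-02T10:14:09Z src=10.0.4.17 host=www.microsoft.com method=GET status=200 bytes=1980",
    "2024-03-02T10:16:44Z src=10.0.4.22 host=files.cdn-azure.net method=POST status=200 bytes=8820",
]
TASK_EVENTS = [
    'EventID=4698 Subject=CORP\\jdoe TaskName="\\WindowsUpdateTask" Command="rundll32.exe"',
    'EventID=4698 Subject=CORP\\svc-backup TaskName="\\NightlyBackup" Command="backup.exe"',
]
REGISTRY_EVENTS = [
    "EventID=13 Image=C:\\Windows\\explorer.exe "
    "TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDriveSync "
    "Details=C:\\Users\\Public\\sample.dll",
    "EventID=13 Image=C:\\Windows\\regedit.exe "
    "TargetObject=HKCU\\Software\\Example\\Settings\\Theme Details=dark",
]

HOST_RE = re.compile(r"\bhost=([\w.-]+)")
TASK_RE = re.compile(r'TaskName="\\?([^"]+)"')
TARGET_RE = re.compile(r"TargetObject=(\S+)")


def c2_hits(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (observed host, matched C2 domain) for hosts equal to or under a listed domain."""
    hits = []
    for line in lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        for domain in C2_DOMAINS:
            if host == domain or host.endswith("." + domain):
                hits.append((host, domain))
    return hits


def task_hits(lines: List[str]) -> List[str]:
    """Return scheduled task names from 4698 events that match the profile's task names."""
    hits = []
    for line in lines:
        m = TASK_RE.search(line)
        if m and m.group(1) in TASK_NAMES:
            hits.append(m.group(1))
    return hits


def run_key_hits(lines: List[str]) -> List[str]:
    """Return registry targets written beneath the HKCU Run key named in the profile."""
    hits = []
    for line in lines:
        m = TARGET_RE.search(line)
        if m and m.group(1).lower().startswith(RUN_KEY + "\\"):
            hits.append(m.group(1))
    return hits


def triage(proxy: List[str], tasks: List[str], registry: List[str]) -> Dict[str, list]:
    """Bundle all three checks so a SOC script can emit one finding set per host."""
    return {
        "c2_domains": c2_hits(proxy),
        "scheduled_tasks": task_hits(tasks),
        "run_key_writes": run_key_hits(registry),
    }


if __name__ == "__main__":
    for category, findings in triage(PROXY_LOG, TASK_EVENTS, REGISTRY_EVENTS).items():
        print(f"{category}: {findings}")
```

The Run-key check matches on the key prefix rather than a specific value name, because the profile names the key but not the value the malware writes; the proxy check also counts `files.cdn-azure.net` as a hit, which is why subdomain matching is applied on top of the exact domains from the report.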


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.