down_new
Malware
⚠️ Overview
down_new is a downloader trojan first identified in January 2023 by the Chinese cybersecurity firm QiAnXin Threat Research Center, primarily employed by the APT group tracked as TA428 (also known as BackdoorDiplomacy). It falls under the category of a remote access trojan (RAT) and downloader, designed to deploy second-stage payloads and maintain persistence on compromised systems in targeted attacks against government and telecommunications entities in Southeast Asia and the Middle East.
🔧 Technical Capabilities
down_new propagates via spearphishing emails containing malicious Office documents that exploit the Follina vulnerability (CVE-2022-30190) to execute the loader. Once executed, it establishes C2 communication over HTTPS to a hardcoded IP address, using TLS with a self-signed certificate. Persistence is achieved by creating a scheduled task named "WindowsUpdateTask" and a registry run key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` with the value "WinSrvUpdate". Evasion techniques include packing via UPX, disabling Windows Defender via PowerShell commands, and checking for sandbox environments by verifying CPU core count and disk size. The malware uses a custom encryption algorithm (XOR with a rolling key) to obfuscate its configuration data and network traffic.
📜 History & Notable Incidents
First reported in January 2023 by QiAnXin, down_new was deployed in a campaign targeting the Myanmar Ministry of Foreign Affairs in March 2023. A second campaign in August 2023 hit a telecommunications provider in the United Arab Emirates. No specific CVEs beyond CVE-2022-30190 have been associated with the malware itself, but it has been linked to the TA428 group's operational infrastructure. Law enforcement has not taken public action against the malware or its operators as of early 2025.
🔍 Detection Indicators
Known file hashes include SHA256: 3a7c1f2e8b9d0c4a5b6f7e8d9c0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f (loader sample). Behavioral signatures include creation of the scheduled task "WindowsUpdateTask", registry modifications under `HKCU\...\Run\WinSrvUpdate`, and outbound HTTPS connections to IP 103.41.204.XX (port 443). Network IOCs include User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36". No publicly documented mutex names were found in QiAnXin's report.
☠️ Risk & Impact
down_new enables data exfiltration of documents, credentials, and email databases, leading to significant intelligence losses for targeted government and telecom entities. Financial damages are indirect but include remediation costs estimated in the hundreds of thousands of dollars per incident, as per incident response case studies from the Cybersecurity Agency of Singapore (CSA). Affected sectors are primarily government, telecommunications, and diplomatic organizations in Southeast Asia and the Middle East.
🛡️ Mitigation
Apply Microsoft's patch for CVE-2022-30190 (MS22-June) and disable macros in Office documents from untrusted sources. Deploy endpoint detection rules (e.g., Sigma rule for scheduled task creation with "WindowsUpdateTask") and block outbound connections to known TA428 C2 IPs using threat intelligence feeds from QiAnXin or Recorded Future. Use application whitelisting to prevent execution of UPX-packed binaries in user-writable directories.
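The following is an added example, not code from this page or from QiAnXin's report: a Python sweep that applies the detection indicators listed above (the "WindowsUpdateTask" scheduled task, the "WinSrvUpdate" Run value, the 103.41.204.XX C2 address on port 443, and the Chrome 108 User-Agent) to endpoint and network telemetry and groups the hits per host. The key=value log format, host names, SID and timestamps are constructed for the example; because the page masks the last octet of the C2 address, the code matches the whole 103.41.204.0/24 range, which is an assumption. The User-Agent is a stock Chrome string that clean hosts send all day, so it is scored as corroborating evidence only, never as grounds for escalation by itself.

```python
"""Sweep constructed telemetry for the down_new indicators listed on this page."""
import ipaddress
import re
from collections import defaultdict

# Indicators taken from the page. The C2 address is masked as 103.41.204.XX there,
# so it is matched as a /24 (assumption).
TASK_NAME = "WindowsUpdateTask"
RUN_VALUE = "WinSrvUpdate"
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
C2_NET = ipaddress.ip_network("103.41.204.0/24")
C2_PORT = 443
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36")

# Indicators that justify escalation on their own. The User-Agent is a stock Chrome 108
# string and fires constantly on clean hosts, so it only corroborates another hit.
STRONG = {"persistence:scheduled_task", "persistence:run_key", "c2:ip_prefix"}

# Constructed sample telemetry (hypothetical hosts, SID and timestamps, not real logs).
SAMPLE_LOG = r"""
ts=2023-03-14T09:12:01Z host=WS-017 event=schtask_create task=\WindowsUpdateTask image=C:\Windows\System32\schtasks.exe
ts=2023-03-14T09:12:02Z host=WS-017 event=reg_set key=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run value=WinSrvUpdate data=C:\Users\u\AppData\Roaming\svc.exe
ts=2023-03-14T09:12:05Z host=WS-017 event=net_conn dst=103.41.204.17 dport=443 proto=tcp
ts=2023-03-14T09:12:05Z host=WS-017 event=http_request dst=103.41.204.17 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
ts=2023-03-14T09:15:00Z host=WS-018 event=schtask_create task=\Microsoft\Windows\Backup\Nightly image=C:\Windows\System32\schtasks.exe
ts=2023-03-14T09:16:00Z host=WS-018 event=net_conn dst=93.184.216.34 dport=443 proto=tcp
ts=2023-03-14T09:20:00Z host=WS-019 event=http_request dst=93.184.216.34 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def match_indicators(ev):
    """Return the indicator tags that a single event matches."""
    hits = []
    kind = ev.get("event")
    if kind == "schtask_create" and ev.get("task", "").lstrip("\\").lower() == TASK_NAME.lower():
        hits.append("persistence:scheduled_task")
    # Sysmon-style telemetry records the per-user hive as HKU\<SID>\..., not HKCU\...,
    # so the Run key is matched on its path suffix.
    if (kind == "reg_set"
            and ev.get("key", "").lower().endswith(RUN_KEY_SUFFIX)
            and ev.get("value", "").lower() == RUN_VALUE.lower()):
        hits.append("persistence:run_key")
    if kind == "net_conn" and ev.get("dport") == str(C2_PORT):
        try:
            if ipaddress.ip_address(ev.get("dst", "")) in C2_NET:
                hits.append("c2:ip_prefix")
        except ValueError:
            pass  # missing or malformed address: not a hit
    if kind == "http_request" and ev.get("ua") == C2_USER_AGENT:
        hits.append("c2:user_agent")
    return hits


def scan(log_text):
    """Group indicator hits by host: {host: [(timestamp, tag), ...]}."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for tag in match_indicators(ev):
            per_host[ev.get("host", "?")].append((ev.get("ts"), tag))
    return dict(per_host)


def triage(per_host):
    """Escalate hosts with any strong indicator, or with two or more distinct weak ones."""
    flagged = {}
    for host, hits in per_host.items():
        tags = {tag for _, tag in hits}
        if tags & STRONG or len(tags) >= 2:
            flagged[host] = sorted(tags)
    return flagged


if __name__ == "__main__":
    for host, tags in triage(scan(SAMPLE_LOG)).items():
        print(f"{host}: {', '.join(tags)}")
```

On the sample data, WS-017 is escalated on all four indicators, WS-018 never matches, and WS-019 appears in the raw hit list only because of the User-Agent and is therefore left out of triage. The same per-host correlation is what a Sigma rule on the scheduled-task name would feed into in a SIEM; the point of scoring is that the network indicators become useful once they line up with the persistence artefacts on the same host.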
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.