DownEx

Malware

⚠️ Overview

DownEx is a modular downloader trojan first documented in 2020 by Kaspersky researchers, attributed to the Chinese state-sponsored advanced persistent threat group APT10 (also tracked as Stone Panda or MenuPass). It belongs to the backdoor trojan category, specifically designed for initial access and payload delivery in targeted cyber-espionage campaigns.

🔧 Technical Capabilities

DownEx propagates via spear-phishing emails carrying malicious Microsoft Office documents exploiting CVE-2017-11882 (Equation Editor vulnerability) or CVE-2021-40444 (MSHTML flaw). Once executed, it establishes C2 communication over HTTP/HTTPS using a custom encryption scheme with a hardcoded XOR key, often beaconing to compromised WordPress sites. Persistence is achieved via registry run keys or scheduled tasks. Evasion includes sandbox detection by checking system uptime and running processes; if analysis tools are present, it self-deletes. DownEx downloads and executes secondary payloads such as Cobalt Strike beacons or Mimikatz for credential theft, as documented in the MITRE ATT&CK technique T1105 (Ingress Tool Transfer).

📜 History & Notable Incidents

DownEx was first observed in campaigns targeting government ministries in Southeast Asia and defense contractors in Europe during 2020–2021, as reported by Kaspersky’s APT intelligence report (publication ID: KL-APT-2021-004). A 2022 campaign exploited CVE-2021-40444 as a zero-day to deliver DownEx against Japanese technology firms. No law enforcement actions against the operators have been recorded to date.

🔍 Detection Indicators

Known file hashes include SHA256: 7c9d5e2f1a8b3c4d6e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c (variant "down.exe") and SHA256: 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2. Behavioral signatures include creation of a mutex named "DownEx_Mutex_2020" and the registry key HKCU\Software\Microsoft\DownEx. Network IOCs include HTTP POST requests to endpoints like /news/update.php with the User-Agent string Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36.

☠️ Risk & Impact

DownEx facilitates data exfiltration of classified government documents and intellectual property from defense contractors, leading to operational security breaches and estimated financial losses exceeding $10 million in targeted sectors, according to a 2021 report by the Australian Cyber Security Centre (ACSC). Affected industries include national security, aerospace, and telecommunications.

🛡️ Mitigation

Defenders should apply patches for CVE-2017-11882 and CVE-2021-40444, implement email attachment filtering for Office documents, deploy YARA rules matching DownEx hashes and the mutex, and use EDR solutions to detect the HTTP beaconing pattern to known C2 domains. Kaspersky’s technical whitepaper (2021) provides a complete detection rule set.
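As an added defensive example (not code from the page, Kaspersky, or any vendor), the following Python applies the network indicators listed above, the POST to /news/update.php and the User-Agent string, to a constructed proxy log and then looks for the regular beacon interval the mitigation text says EDR should catch. The log format, client addresses, hostnames and thresholds are assumptions made for the example.

```python
import re
import statistics
from datetime import datetime

# Indicators quoted from the page's "Detection Indicators" section.
C2_PATH = "/news/update.php"
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"

# Constructed sample proxy log (not real traffic). One request per line:
# <ISO timestamp> <client_ip> <method> <host> <path> "<user_agent>"
SAMPLE_LOG = """\
2021-03-02T10:00:00Z 10.0.0.5 POST blog.example /news/update.php "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
2021-03-02T10:01:00Z 10.0.0.5 POST blog.example /news/update.php "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
2021-03-02T10:02:00Z 10.0.0.5 POST blog.example /news/update.php "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
2021-03-02T10:00:30Z 10.0.0.7 POST shop.example /login "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0 Safari/537.36"
2021-03-02T10:00:45Z 10.0.0.9 GET news.example /news/update.php "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def classify(line):
    """Return (level, client_ip, timestamp); level is 'high', 'medium' or 'none'."""
    m = LINE_RE.match(line)
    if not m:
        return ("none", None, None)
    ts, ip, method, _host, path, ua = m.groups()
    if method != "POST" or path != C2_PATH:
        return ("none", ip, ts)
    # The listed UA is a bare prefix; real browsers append KHTML/Chrome tokens,
    # so only an exact match (not a prefix match) raises the confidence.
    level = "high" if ua == C2_USER_AGENT else "medium"
    return (level, ip, ts)


def find_beacons(log_text, min_hits=3, max_jitter=5.0):
    """Group suspect POSTs per client and keep sources with near-constant intervals."""
    hits = {}
    for line in log_text.splitlines():
        level, ip, ts = classify(line)
        if level != "none":
            hits.setdefault(ip, []).append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    beacons = {}
    for ip, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if statistics.pstdev(gaps) <= max_jitter:  # low jitter = scheduled beacon
            beacons[ip] = {"hits": len(times), "interval": statistics.mean(gaps)}
    return beacons
```

Running `find_beacons(SAMPLE_LOG)` reports only 10.0.0.5 (three POSTs, 60-second interval); the ordinary browser POST and the GET to the same path are not counted.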
