DramNudge
⚠️ Overview
DramNudge is a backdoor trojan first documented by ESET researchers in March 2023 and attributed to the China-linked threat group Earth Preta (also tracked as Mustang Panda), which deployed it in a campaign against government entities in Southeast Asia. It falls under the Remote Access Trojan (RAT) category and is built for stealthy data exfiltration and long-term espionage. Delivery is typically by spear-phishing email carrying a malicious ISO image or LNK shortcut.
🔧 Technical Capabilities
DramNudge relies on DLL side-loading: a renamed copy of the legitimate, Microsoft-signed OneDrive updater (OneDriveSetup.exe) is dropped alongside a malicious DLL named d2d1.dll, which the updater loads in place of the genuine Direct2D library that normally lives in System32. Because the renamed executable keeps its valid signature, checks on the EXE alone do not catch this; the indicator is an unsigned d2d1.dll sitting beside the EXE in a user-writable directory. The malware does not self-propagate; initial access comes from phishing lures that drop a staged loader. The core payload talks to its command-and-control (C2) servers over HTTPS using a custom encrypted protocol and blends in with benign traffic by appending random URL parameters. Persistence is achieved by creating a scheduled task or by adding a value under the Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include unhooking APIs in ntdll.dll and kernel32.dll to bypass endpoint detection hooks, running attrib +h +s to hide its files, and checking for sandbox or virtual-machine environments by querying registry keys such as HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum, whose disk hardware IDs reveal hypervisor vendor strings.
📜 History & Notable Incidents
First observed in late 2022 during the Operation BlackByte campaign, DramNudge drew wider attention in early 2023 when ESET linked it to an attack on a Southeast Asian government ministry whose C2 infrastructure overlapped with Moriya rootkit activity. No publicly disclosed CVEs are associated with the malware itself; rather than exploiting a vulnerability, it abuses legitimate signed binaries through DLL side-loading, catalogued by MITRE ATT&CK as technique T1574.002. As of late 2024, no law enforcement action against the operators has been reported.
🔍 Detection Indicators
File hashes reported in ESET's technical analysis are given as SHA256 c3a7f2b1e8d9f0a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7 (loader) and a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 (core payload). Note that, as printed here, these strings are 62 and 60 hex characters long, so they cannot be complete SHA-256 digests (64 hex characters); confirm them against ESET's report before loading them into a blocklist. Network indicators include the C2 domains update.office365[.]com.mx and cdn.cloudflare[.]com.work, lookalikes registered under .com.mx and .com.work rather than the genuine office365.com and cloudflare.com, and a User-Agent string that begins with the standard Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 prefix but ends in an appended random alphanumeric token. Registry persistence appears as the value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdate.
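A network-side counterpart to the indicators above, as an added example (not ESET's or the page's code): it refangs the defanged domains so they can be matched against proxy logs, applies a length check to the published hashes, and runs a User-Agent heuristic over constructed proxy log lines. The exact placement of the random token is an assumption: it is treated here as a bare alphanumeric run where a genuine Chromium User-Agent would continue with "(KHTML, like Gecko)". The log format and its contents are constructed for the example.

```python
"""Match the page's network indicators against proxy logs and sanity-check its hashes.

Added example, not ESET's or the page's code. Log lines are constructed;
the token position in the User-Agent is an assumption.
"""
from __future__ import annotations

import re

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# The two hashes exactly as the page prints them.
PAGE_HASHES = (
    "c3a7f2b1e8d9f0a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7",
    "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0",
)


def refang(ioc: str) -> str:
    """Turn update.office365[.]com.mx back into a matchable hostname."""
    return ioc.replace("[.]", ".").strip().lower()


def classify_hash(h: str) -> str | None:
    """Return the algorithm a hex string has the right length for, or None."""
    h = h.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h):
        return None
    return HASH_LENGTHS.get(len(h))


C2_DOMAINS = [refang(d) for d in ("update.office365[.]com.mx", "cdn.cloudflare[.]com.work")]


def host_matches(host: str) -> bool:
    """Exact or subdomain match; cdn.cloudflare.com must NOT match cdn.cloudflare.com.work."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


# Assumption: the token is appended directly after the AppleWebKit version, in place
# of the "(KHTML, like Gecko) Chrome/..." tail a real Chromium browser sends.
TOKEN_UA = re.compile(
    r"^Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\) AppleWebKit/537\.36[ /]?[A-Za-z0-9]{6,}$"
)


def suspicious_ua(ua: str) -> bool:
    return TOKEN_UA.match(ua) is not None


# Constructed proxy log: "<ts>\t<client>\t<host>\t<status>\t<user-agent>".
SAMPLE_LOG = """\
2024-03-01T10:00:01Z\t10.0.0.5\twww.microsoft.com\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0 Safari/537.36
2024-03-01T10:00:07Z\t10.0.0.5\tupdate.office365.com.mx\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 q8ZkL2vT9x
2024-03-01T10:00:09Z\t10.0.0.7\tcdn.cloudflare.com\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0 Safari/537.36
2024-03-01T10:00:15Z\t10.0.0.7\tfiles.cdn.cloudflare.com.work\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Ab12Cd34
"""


def scan_log(text: str) -> list[dict]:
    hits = []
    for line in text.splitlines():
        ts, client, host, _status, ua = line.split("\t", 4)
        reasons = []
        if host_matches(host):
            reasons.append("c2-domain")
        if suspicious_ua(ua):
            reasons.append("token-ua")
        if reasons:
            hits.append({"ts": ts, "client": client, "host": host, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in PAGE_HASHES:
        print(len(h), "hex chars ->", classify_hash(h))
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Two things worth noticing when this runs: neither published hash classifies as any digest length, so they should be re-checked at the source rather than pushed to a blocklist, and the suffix-aware host match keeps the legitimate cdn.cloudflare.com out of the results while still catching a subdomain of the lookalike.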
☠️ Risk & Impact
The primary damage is exfiltration of sensitive government documents, including diplomatic cables and military plans; ESET reported the theft of several gigabytes from compromised networks in the Southeast Asian campaign. Affected sectors include government, defense, and telecommunications, where prolonged undetected access enables strategic espionage.
🛡️ Mitigation
Defenders should block loading of unsigned DLLs from user-writable paths (AppLocker or WDAC DLL rules) and enable Windows Defender Attack Surface Reduction (ASR) rules against the Office- and script-based delivery stage; MITRE ATT&CK tracks the side-loading technique itself as T1574.002. Signature checks on the executable alone are not enough, since the renamed OneDriveSetup.exe remains validly signed; alert on a d2d1.dll loaded from anywhere other than System32 or SysWOW64. ESET provides YARA rules and a Sysmon configuration in its public threat report; keep Office products patched and restrict PowerShell via AppLocker.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.