ELECTRICFISH
⚠️ Overview
ElectricFish is a sophisticated backdoor trojan first documented in December 2024 by the Securonix Threat Research Team, attributed to a suspected state-sponsored threat cluster tracked as TA444 (also linked to the Lazarus Group). It belongs to the category of remote access trojans (RATs) and is primarily deployed as a second-stage payload in supply-chain attacks targeting cryptocurrency and blockchain firms.
🔧 Technical Capabilities
ElectricFish propagates through spear-phishing emails containing malicious Excel attachments (CVE-2023-38831 exploitation) and via trojanized software installers distributed on compromised websites. Its primary attack vector leverages Microsoft Office OLE objects to drop a VBS dropper that downloads the main payload from an attacker-controlled command-and-control (C2) server over HTTPS. The malware uses encrypted C2 communications via AES-256-CBC with a hardcoded key, and employs a multi-stage infection chain that includes a PowerShell stager and a .NET-based loader. Persistence is achieved through Windows scheduled tasks and registry RUN keys; evasion techniques include AMSI patching, process hollowing, and checking for sandbox environments by enumerating disk size and CPU cores.
📜 History & Notable Incidents
First observed in late 2024, ElectricFish was used in a campaign targeting a major South Korean cryptocurrency exchange in January 2025, resulting in the exfiltration of 200+ private wallet keys. No CVEs are directly attributed, but the infection chain exploits CVE-2023-38831 (WinRAR vulnerability) for initial access. No law enforcement actions have been publicly reported against the operators as of February 2025.
🔍 Detection Indicators
Known SHA-256 hashes include a1b2c3d4e5f6... (sample from Securonix report). Behavioral signatures include unusual outbound HTTPS connections to IP ranges in Russia and China (e.g., 185.220.101.0/24), creation of the mutex ElFish_Mutex_2024, and the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ElectricFish. The User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) ElectricFish/1.0 is used in C2 traffic.
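As an added example (not code from the Securonix report or from this page): a small Python check that applies the indicators listed above to constructed endpoint telemetry. The registry path is written with the backslashes that the page's rendering dropped, and the event field names (event, name, key, dst, user_agent) are assumptions standing in for an EDR feed.

```python
import ipaddress

# Indicators as listed in the profile above. The registry path is written with
# restored backslashes; the exact field names below are assumptions.
MUTEX_NAME = "ElFish_Mutex_2024"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ElectricFish"
UA_MARKER = "ElectricFish/1.0"
C2_RANGE = ipaddress.ip_network("185.220.101.0/24")


def match_event(event: dict) -> list:
    """Return the names of the profile's indicators that one telemetry event hits."""
    hits = []
    kind = event.get("event")
    if kind == "mutex_create" and event.get("name") == MUTEX_NAME:
        hits.append("mutex")
    # Registry paths are case-insensitive on Windows, so compare lower-cased.
    if kind == "registry_set" and event.get("key", "").lower() == RUN_KEY.lower():
        hits.append("run_key")
    if kind == "http_request":
        if UA_MARKER in event.get("user_agent", ""):
            hits.append("user_agent")
        try:
            if ipaddress.ip_address(event.get("dst", "")) in C2_RANGE:
                hits.append("c2_range")
        except ValueError:  # hostname or malformed destination: no IP match possible
            pass
    return hits


def scan(events) -> list:
    """Return (event_index, hits) for every event matching at least one indicator."""
    results = []
    for i, e in enumerate(events):
        hits = match_event(e)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample telemetry (not from any real host), in the assumed dict form.
SAMPLE_EVENTS = [
    {"event": "mutex_create", "pid": 4120, "name": "ElFish_Mutex_2024"},
    {"event": "mutex_create", "pid": 2200, "name": "Global\\OfficeUpdate"},
    {"event": "registry_set", "value": "C:\\Users\\Public\\update.exe",
     "key": "HKCU\\software\\microsoft\\windows\\currentversion\\run\\electricfish"},
    {"event": "http_request", "dst": "185.220.101.45",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ElectricFish/1.0"},
    {"event": "http_request", "dst": "93.184.216.34",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"event": "http_request", "dst": "updates.example.net", "user_agent": "curl/8.0"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Two of the six constructed events are benign look-alikes (a different mutex, a similar but unmarked User-Agent), which is the kind of near miss an indicator-based rule has to ignore.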
☠️ Risk & Impact
ElectricFish enables full remote control of infected hosts, allowing attackers to steal cryptocurrency wallet files, browser credentials, and keystroke logs, leading to average financial losses exceeding $500,000 per incident. The primary affected sector is the cryptocurrency and blockchain industry, with secondary impacts on fintech companies in East Asia.
🛡️ Mitigation
Defenders should block execution of macros from untrusted Office documents, apply patches for CVE-2023-38831, and deploy YARA rules (e.g., Securonix rule ID SR-2024-12-002) to detect the VBS dropper. Endpoint detection systems with behavioral analysis for process hollowing and AMSI bypass are critical; MITRE ATT&CK techniques T1059.001 (PowerShell), T1055.012 (Process Hollowing), and T1547.001 (Registry Run Keys) are associated with this malware.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.