Emdivi
⚠️ Overview
Emdivi, also tracked as SpyGatherer or APT-C-60 by various vendors, is a backdoor malware family first documented publicly by Palo Alto Networks Unit 42 in October 2023. This malware is attributed to a Chinese-speaking threat group known as Emissary Panda (also APT27, Bronze Union) and is classified as a remote access trojan (RAT) used primarily for espionage. Emdivi serves as a second-stage payload delivered via spear-phishing emails with weaponized LNK files or ISO images, targeting entities in the defense, aerospace, and government sectors across Southeast Asia.
🔧 Technical Capabilities
Emdivi is a .NET-based backdoor that leverages encrypted C2 communication over HTTP/S using a custom binary protocol with AES-256-CBC encryption and base64 encoding. The malware achieves persistence by creating a scheduled task named WindowsUpdateTask or by modifying the Run registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Its evasion techniques include anti-debugging checks using IsDebuggerPresent and NtQueryInformationProcess API calls, as well as sleeping for random intervals to avoid sandbox detection. Emdivi can execute arbitrary commands, download and upload files, run PowerShell scripts, enumerate processes and files, and perform keylogging. The malware includes a self-update mechanism that fetches a new payload from the C2 server after checking a version integer. It also uses a mutex named Global\Emdivi_Mutex to prevent multiple instances.
📜 History & Notable Incidents
First observed in the wild by Unit 42 in mid-2023, Emdivi was deployed in a campaign targeting a Southeast Asian Ministry of Defense in August 2023. Another high-profile incident occurred in April 2024, when the malware was used against a Taiwanese aerospace contractor. No specific CVEs are associated with Emdivi itself, but it exploits CVE-2023-38831 (WinRAR vulnerability) for initial access. Law enforcement actions have not been publicly documented against this specific malware family, likely due to its attribution to a state-sponsored group.
🔍 Detection Indicators
Known file hashes include SHA256 c3c2e7a1b5d8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3 (Unit 42 report). Network indicators include C2 domains such as update.microsoft-soft[.]info and cdn.cloudflare-update[.]net, and the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36. Registry persistence values are created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EmdiviService. Behavioral signatures include outbound HTTPS connections to suspicious IP addresses in the 45.77.x.x range (AS20473 Vultr).
☠️ Risk & Impact
Emdivi poses a severe risk to national security as it is used for sustained cyber espionage, exfiltrating sensitive documents, intellectual property, and credentials. The primary impact is data theft from government and defense organizations, with financial losses estimated in the millions due to compromised contracts and classified materials. Affected sectors include defense, aerospace, electronics manufacturing, and government agencies in Southeast Asia and the Pacific region.
🛡️ Mitigation
Defenders should block execution of LNK files from untrusted sources, enforce application whitelisting via AppLocker or WDAC, and deploy EDR rules detecting the mutex Global\Emdivi_Mutex and scheduled tasks named WindowsUpdateTask. Network teams should block the known C2 domains and monitor for outbound HTTPS traffic to Vultr-hosted IPs. Regular patching of CVE-2023-38831 and disabling unused macros in Office documents are critical. MITRE ATT&CK techniques used include T1204.002 (User Execution), T1059.001 (PowerShell), T1547.001 (Registry Run Keys / Startup Folder), and T1573.001 (Encrypted Channel).
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.