Enviserv

Malware

⚠️ Overview

Enviserv is a remote access trojan (RAT) first publicly documented by researchers at Fortinet in March 2022, primarily used by the Lazarus Group (APT38) for targeted cyberespionage campaigns against defense and cryptocurrency sectors. The malware is written in Python and compiled into executable form using PyInstaller, enabling cross-platform deployment on Windows and Linux systems.

🔧 Technical Capabilities

Enviserv uses HTTP and HTTPS for command-and-control (C2) communications, employing AES-256 encryption to obfuscate its traffic and evade network detection. The RAT can execute arbitrary shell commands, upload and download files, capture screenshots, and log keystrokes via a custom keylogger module. Persistence is achieved through Windows Registry modifications (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and cron jobs on Linux. For evasion, Enviserv performs sandbox detection by checking system uptime and disk size, and it terminates if VMware or VirtualBox processes are detected. The malware also includes a self-update mechanism that fetches new payloads from its C2 server.

📜 History & Notable Incidents

First identified in early 2022, Enviserv was used in a campaign targeting South Korean defense contractors, as reported by KISA (Korea Internet & Security Agency) in June 2022. In October 2023, a variant of Enviserv was linked to the theft of cryptocurrency from a Singaporean exchange, with the Lazarus Group exploiting a zero-day vulnerability in a popular blockchain bridge (CVE-2023-22809). No law enforcement actions have been documented against the operators as of 2025.

🔍 Detection Indicators

Known SHA-256 hashes are listed in the Fortinet report; the value 5a3f2c1b8e7d9a0f4c6b2e3a1d5f8c7e9b0a4d6f2c1e3a5b7d9f0c8e6a4b2d1 shown here is a placeholder, not a real indicator (it is not even a valid 64-character SHA-256 digest). Network indicators include C2 domains ending in ".xyz" and ".top", with User-Agent strings mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36, a prefix shared with essentially every Chromium-based browser and therefore only meaningful in combination with the other indicators. Behavioral signatures include suspicious writes to %APPDATA%\Microsoft\Local\Temp\enviserv*.tmp and the creation of the mutex "Global\Enviserv_Instance".

☠️ Risk & Impact

Enviserv primarily causes data exfiltration, with documented theft of classified defense project documents and cryptocurrency wallet private keys. Financial losses from the 2023 Singaporean crypto theft exceeded $50 million, and the malware has targeted government, defense, and financial sectors in Asia and Eastern Europe.

🛡️ Mitigation

Defenders should implement network detection rules for anomalous HTTPS traffic to domains with short TTLs, block execution of PyInstaller-compiled binaries from untrusted sources, and deploy EDR solutions with YARA rules matching the Enviserv mutex and file patterns. Patches for CVE-2023-22809 should be applied immediately, and organizations should enforce application whitelisting and multi-factor authentication for critical systems.
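The following is an added example, not code from the page, from Fortinet, or from any vendor, showing how the detection indicators and mitigation advice above translate into host and network telemetry matching. It assumes a simple event schema (dicts with a "type" field), turns the page's glob %APPDATA%\Microsoft\Local\Temp\enviserv*.tmp into a regex, and deliberately requires both a ".xyz"/".top" host and the mimicked User-Agent before flagging traffic, since the User-Agent prefix alone is the default for most Chromium browsers. The sample events are constructed, and the page's placeholder hash is intentionally not used as an indicator.

```python
"""IOC matcher for the Enviserv indicators described on this page (added example)."""
import re
from typing import Dict, List

# Indicators as stated on the page; the event schema and matching logic are assumptions.
SUSPECT_TLDS = (".xyz", ".top")
PAGE_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
MUTEX_NAME = r"Global\Enviserv_Instance"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# %APPDATA%\Microsoft\Local\Temp\enviserv*.tmp with the glob turned into a regex
TEMP_FILE_RE = re.compile(
    r"^%APPDATA%\\Microsoft\\Local\\Temp\\enviserv[^\\]*\.tmp$", re.IGNORECASE
)


def check_http(host: str, user_agent: str) -> List[str]:
    """Flag C2-like traffic only when the host TLD *and* the mimicked UA both match.
    The UA prefix on its own is what most Chromium browsers send, so it is never
    treated as sufficient; a .xyz/.top host on its own is a weak signal as well."""
    host = host.lower().rstrip(".")
    if host.endswith(SUSPECT_TLDS) and user_agent.startswith(PAGE_USER_AGENT):
        return [f"c2-like traffic to {host} with mimicked UA"]
    return []


def check_file_write(path: str) -> List[str]:
    """Flag writes matching the enviserv*.tmp drop pattern."""
    return [f"temp drop: {path}"] if TEMP_FILE_RE.match(path) else []


def check_mutex(name: str) -> List[str]:
    """Flag creation of the named instance mutex."""
    return [f"mutex: {name}"] if name == MUTEX_NAME else []


def check_registry(key: str, data: str) -> List[str]:
    """Flag Run-key persistence whose value points at the dropped temp file."""
    if key.lower() == RUN_KEY.lower() and TEMP_FILE_RE.match(data):
        return [f"run-key persistence: {data}"]
    return []


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Dispatch each event to the matching check; returns findings in event order."""
    findings: List[str] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "http":
            findings += check_http(ev["host"], ev["ua"])
        elif kind == "file":
            findings += check_file_write(ev["path"])
        elif kind == "mutex":
            findings += check_mutex(ev["name"])
        elif kind == "registry":
            findings += check_registry(ev["key"], ev["data"])
    return findings


# Constructed sample telemetry (not real data): two benign events, four that match.
SAMPLE_EVENTS = [
    {"type": "http", "host": "www.example.com", "ua": PAGE_USER_AGENT + " Chrome/120.0"},
    {"type": "http", "host": "update-cdn.top", "ua": PAGE_USER_AGENT},
    {"type": "file", "path": r"%APPDATA%\Microsoft\Local\Temp\enviserv_3f.tmp"},
    {"type": "file", "path": r"%APPDATA%\Microsoft\Local\Temp\report.tmp"},
    {"type": "mutex", "name": r"Global\Enviserv_Instance"},
    {"type": "registry", "key": RUN_KEY,
     "data": r"%APPDATA%\Microsoft\Local\Temp\enviserv_3f.tmp"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Running the block prints four alerts: the .top host with the mimicked User-Agent, the enviserv_3f.tmp drop, the mutex, and the Run-key entry pointing at the dropped file; the example.com request and report.tmp write are left alone. Feeding it real EDR or proxy exports only needs an adapter that maps each record onto the four event types.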


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.