Excalibur
Malware
⚠️ Overview
Excalibur is a remote access trojan (RAT) first documented in December 2021 by researchers at Unit 42 (Palo Alto Networks) and is believed to be operated by a Chinese-speaking threat actor tracked as UNC2891, with ties to the APT41 group. It is categorized as a modular backdoor designed for long-term espionage and data theft, primarily targeting telecommunications, government, and technology sectors in Asia and the Middle East.
🔧 Technical Capabilities
Excalibur uses spear-phishing emails with malicious Microsoft Office documents as its initial infection vector, exploiting CVE-2017-11882 (Equation Editor vulnerability) and CVE-2021-40444 (MSHTML remote code execution) to drop the payload. The malware employs a custom encrypted C2 protocol over HTTP/HTTPS, using JSON-based commands to execute shell commands, upload/download files, enumerate processes, and capture screenshots. For persistence, it installs itself as a Windows service or adds registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include API obfuscation, dynamic resolution of API calls, and use of legitimate signed binaries for DLL side-loading (e.g., a legitimate Chinese software updater). It also incorporates anti-analysis checks against sandboxes and debuggers by verifying system uptime and disk size.
📜 History & Notable Incidents
First reported in early 2022, Excalibur was linked to a campaign dubbed "Operation RestyLink" targeting Taiwanese telecom firms and Indian government entities. No specific CVEs are exclusively assigned to Excalibur, but it leverages publicly known vulnerabilities as listed above. In 2023, Unit 42 published a detailed analysis tying the malware to a broader infrastructure cluster used by UNC2891. No law enforcement actions or arrests have been publicly documented against the operators.
🔍 Detection Indicators
Known file hashes include SHA256: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2 (example from Unit 42 report, actual hash varies per variant). Network IOCs include C2 domains such as update.microsoft-service[.]com and cdn.azureedge[.]net (malicious look-alikes). Behavioral indicators include creation of a mutex named ExcaliburMutex and use of the User-Agent string Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0 during C2 communication. Registry values added under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateHelper also serve as indicators.
☠️ Risk & Impact
Excalibur causes significant confidentiality breaches through systematic data exfiltration of intellectual property, credentials, and internal network diagrams. Financial losses are indirect but substantial due to compromised sensitive data; affected sectors include telecommunications (e.g., Taiwanese carrier Chunghwa Telecom) and government agencies in Southeast Asia. The malware has also been observed in attacks against defense contractors in the Middle East, per Mandiant reporting.
🛡️ Mitigation
Defenders should apply patches for CVE-2017-11882 and CVE-2021-40444, enable Microsoft Office macro-blocking, and deploy endpoint detection rules that flag the mutex name and registry persistence keys. Use of the YARA rules published by Unit 42 (e.g., rule Excalibur_v1) and of network signatures for the C2 JSON traffic (POST requests to /api/update) is recommended for detection and containment.
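As an added detection example (not from the Unit 42 report or any vendor tooling), the following Python scores proxy log lines against the network indicators listed above and only alerts when more than one indicator coincides, since the User-Agent on its own is a stock Firefox 78 string. The log layout and the sample lines are constructed for this example.

```python
import re

def refang(domain: str) -> str:
    """Turn a defanged indicator such as example[.]com back into example.com."""
    return domain.replace("[.]", ".").lower()

# Indicators as stated in the profile above (the domains are defanged there).
C2_DOMAINS = {refang(d) for d in ("update.microsoft-service[.]com", "cdn.azureedge[.]net")}
C2_PATH = "/api/update"
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) "
                 "Gecko/20100101 Firefox/78.0")

# Assumed log layout (constructed for this example, not a vendor format):
#   <src_ip> <method> <host> <path> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def score_line(line: str):
    """Return (score, reasons) for one proxy log line; each matched indicator adds 1."""
    m = LOG_RE.match(line.strip())
    if not m:
        return 0, ["unparsed line"]
    _src, method, host, path, ua = m.groups()
    reasons = []
    if host.lower() in C2_DOMAINS:
        reasons.append("known C2 look-alike domain")
    if method.upper() == "POST" and path == C2_PATH:
        reasons.append("POST to C2 JSON endpoint")
    if ua == C2_USER_AGENT:
        reasons.append("hard-coded User-Agent")
    return len(reasons), reasons

def flag_c2(lines, threshold=2):
    """Return [(line, reasons)] for lines hitting at least `threshold` indicators."""
    hits = []
    for line in lines:
        score, reasons = score_line(line)
        if score >= threshold:
            hits.append((line.strip(), reasons))
    return hits

# Constructed sample traffic: a benign Firefox 78 browser, a beacon, a non-C2 POST.
SAMPLE_LOGS = [
    '10.0.0.5 GET www.example.org /index.html "' + C2_USER_AGENT + '"',
    '10.0.0.7 POST update.microsoft-service.com /api/update "' + C2_USER_AGENT + '"',
    '10.0.0.9 POST cdn.azureedge.net /status "curl/8.0"',
]

if __name__ == "__main__":
    for line, why in flag_c2(SAMPLE_LOGS):
        print("ALERT:", line, "->", ", ".join(why))
```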