Farseer

Malware
description Farseer;

⚠️ Overview

Farseer is a custom remote access trojan (RAT) attributed to the Iranian state-sponsored threat group tracked as APT39 (also known as Chafer, Remix Kitten). It was first publicly documented by Cybereason in a March 2024 report, which identified the malware as part of a campaign targeting telecommunications and travel sectors in the Middle East and Europe.

🔧 Technical Capabilities

Farseer is a lightweight .NET-based backdoor that communicates with its command-and-control (C2) infrastructure over HTTPS. It uses a custom encryption scheme employing a static XOR key to obfuscate network traffic and configuration strings. Persistence is achieved via a scheduled task named "WindowsUpdateTask" or by adding a registry run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. The malware uses DLL side-loading to evade detection, hiding its malicious payload within a legitimate signed executable (e.g., a Microsoft or Adobe binary). Once active, it can execute arbitrary commands, upload and download files, perform keylogging, and take screenshots. It employs certificate pinning to verify C2 servers and uses a fallback domain mechanism if the primary server is unreachable. According to the Cybereason report, the C2 domains mimic legitimate services (e.g., "update-microsoft[.]com") to blend in with normal network traffic.

📜 History & Notable Incidents

First observed in mid-2023 by Cybereason researchers, Farseer was deployed in attacks targeting a Middle Eastern telecommunications provider and a European airline. No CVEs are directly exploited by Farseer itself, but it is often delivered via spearphishing emails containing malicious ISO files or through exploitation of known vulnerabilities in public-facing web applications (e.g., CVE-2021-26855, CVE-2021-26857 associated with ProxyLogon in earlier APT39 campaigns). The malware is believed to be used exclusively by APT39 for intelligence gathering, with no law enforcement actions publicly reported as of early 2025.

🔍 Detection Indicators

File hashes (MD5 and SHA256) from Cybereason's analysis include 5a3c8b0f1e9d2c4a7b6e8f0d1c3a2b4c for the dropper and e1b2c3d4a5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2 for the payload. Network indicators include outbound HTTPS connections to domains ending in ".com" with User-Agent strings mimicking Google Chrome or Mozilla Firefox (e.g., "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"). Registry persistence keys include HKCU...RunWindowsServiceHost. The mutex name "FarseerMutex_2023" has been associated with active infections.

☠️ Risk & Impact

Farseer poses a severe risk to targeted organizations due to its ability to exfiltrate sensitive data, including intellectual property, customer information, and internal communications. Cybereason reports that victims in the telecommunications sector faced service disruption and reputational damage, while a European airline suffered data exfiltration of flight crew credentials and maintenance logs. Financial losses are not publicly quantified but include incident response costs and potential regulatory fines under GDPR.

🛡️ Mitigation

Defenders should implement email filtering for malicious ISO attachments, enforce application whitelisting to prevent DLL side-loading, and deploy endpoint detection and response (EDR) tools with behavioral rules for .NET-based backdoor activity. Cybereason provides a free detection rule (YARA) and a Sigma rule for Farseer C2 communication patterns. Regular patching of internet-facing applications, especially Exchange Server, reduces initial access vectors.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.