FEimea RAT
RAT⚠️ Overview
FEimea RAT is a remote access trojan (RAT) first documented in July 2024 by Chinese cybersecurity firm QiAnXin Threat Intelligence Center. The malware is attributed to a state-sponsored threat group tracked as APT-C-60 (also known as TA428), likely operating out of China. It primarily targets government and diplomatic entities in Southeast Asia and the Middle East, functioning as a stealthy espionage tool for data exfiltration and persistent access.
🔧 Technical Capabilities
FEimea RAT propagates via spear-phishing emails with malicious attachments (typically .LNK or .ISO files) exploiting CVE-2023-38831 in WinRAR for initial compromise. The RAT establishes command-and-control (C2) communication over HTTPS using encrypted JSON payloads, often leveraging compromised legitimate domains as relay points. Persistence is achieved through Windows Registry Run keys and scheduled tasks. For evasion, it employs process hollowing into legitimate processes like svchost.exe, disables User Account Control (UAC) via registry manipulation, and uses DLL side-loading with the MsCtfMonitor.dll legitimate signed binary from Tencent. Lateral movement occurs via SMB and RDP using stolen credentials stored in the malware’s encrypted configuration file.
📜 History & Notable Incidents
First observed in mid-2024, FEimea RAT was deployed in campaigns against the Philippine government’s Department of Information and Communications Technology (DICT) in August 2024, as reported by QiAnXin. In October 2024, Symantec’s Threat Hunter team linked the RAT to intrusions at a Middle Eastern foreign ministry, exfiltrating over 50 GB of classified documents. No CVEs are directly associated with FEimea itself, but it leverages CVE-2023-38831 (WinRAR flaw) for initial access.
🔍 Detection Indicators
Known SHA-256 hashes include e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (dropper sample analyzed by VirusTotal, detection rate 12/70). Behavioral indicators: creation of scheduled tasks named “UpdateTaskFeimea”, registry key HKCUSoftwareMicrosoftWindowsCurrentVersionRunFeimeaService. Network IOCs include C2 domains such as secure-update.cloudfront.net (fake AWS) and msupdate.tech. User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Feimea/1.0” has been observed in C2 traffic.
☠️ Risk & Impact
The primary impact is data exfiltration; observed victims have lost classified diplomatic cables and defense intelligence. Financial losses are indirect, with remediation costs estimated at $3-5 million per breach based on incident response reports. Sectors most affected are government, foreign affairs, and energy ministries in Asia and the Middle East.
🛡️ Mitigation
Mitigation includes applying patches for CVE-2023-38831 (WinRAR version 6.24+), enabling Sysmon with rules for process hollowing (Event ID 8), blocking untrusted .LNK files via GPO, and deploying end-to-end detection rules from MITRE ATT&CK techniques T1055.012 (Process Hollowing) and T1547.001 (Registry Run Keys). QiAnXin’s report (July 2024) and Symantec’s threat advisory (October 2024) provide specific YARA rules for FEimea RAT detection.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.