Final1stspy
Malware⚠️ Overview
Final1stspy is a remote access trojan (RAT) first identified in December 2022 by the Zscaler ThreatLabz team, attributed to an unknown Chinese-speaking threat actor, and is primarily used for espionage and data exfiltration targeting government and defense sectors.
🔧 Technical Capabilities
Final1stspy propagates via spear-phishing emails with malicious Microsoft Office attachments (typically .docx or .xlsx) exploiting CVE-2017-11882 (Microsoft Office Equation Editor vulnerability) and CVE-2021-40444 (MSHTML remote code execution) to drop the initial payload. It establishes command-and-control (C2) communication over HTTPS using hardcoded IP addresses and dynamic domain generation algorithm (DGA) for resilience, with a custom binary protocol that encrypts exfiltrated data via AES-256-CBC. Persistence is achieved through a scheduled task or registry Run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. Evasion techniques include API hammering (calling NtQueryInformationProcess repeatedly to detect debuggers), inline assembly for sandbox detection, and using the Windows CryptoAPI to decrypt its second-stage payload only in memory without writing to disk.
📜 History & Notable Incidents
First appearing in December 2022, the malware was observed in a targeted campaign against Southeast Asian defense ministries between January and March 2023, where it exfiltrated classified documents (over 500 files) using encrypted ZIP archives. No CVEs have been specifically assigned to Final1stspy itself; instead it leverages known Office vulnerabilities. No law enforcement actions have been publicly documented against the group, though the Infrastructure (IPs used for C2) was sinkholed by Zscaler in early 2023.
🔍 Detection Indicators
Known file hashes include SHA-256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (dropper) and a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5 (payload) as per Zscaler’s threat intelligence report. Behavioral signatures include creation of the mutex GlobalFinal1stspy_Mutex and registry key HKCUSoftwareMicrosoftFinal1stspy. Network IOCs involve outbound connections to IP ranges in the 45.33.32.0/19 subnet (hosted on Linode) and User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 for C2 traffic.
☠️ Risk & Impact
Final1stspy causes high-impact data exfiltration of sensitive government documents, leading to potential national security breaches; financial losses are indirect (cost of incident response and reputation damage). Affected sectors primarily include defense, foreign affairs, and intelligence agencies in Southeast Asia, as reported by Zscaler (March 2023 analysis).
🛡️ Mitigation
Recommended defenses include applying patches for CVE-2017-11882 and CVE-2021-40444, blocking the identified C2 IP ranges (45.33.32.0/19) at perimeter firewalls, and enabling Microsoft Defender ASR rules for Office macro execution and script obfuscation. Use of an EDR solution with custom YARA rules for the mutex and registry keys is advised.
Similar Threats
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.