FoxSocket

Malware

⚠️ Overview

FoxSocket is a fully-featured remote access trojan (RAT) first publicly documented by Recorded Future's Insikt Group in September 2020 and attributed to the Chinese-speaking advanced persistent threat group tracked as TA416 (Proofpoint's name for the group more widely known as Mustang Panda or RedDelta; APT10, Stone Panda and MenuPass are aliases of a different group). It is a custom-built backdoor used primarily for espionage against government, defense, and aerospace organizations.

🔧 Technical Capabilities

FoxSocket communicates with its command-and-control (C2) servers over HTTP and HTTPS, carrying a custom protocol inside ordinary web requests; the C2 endpoints are typically hosted on compromised WordPress sites or cloud infrastructure. The implant supports file upload and download, remote shell execution, process management, registry manipulation, and keylogging. Persistence is achieved through a registry Run key or a scheduled task. The malware pins its C2 TLS certificate, so an intercepting proxy that re-signs traffic makes the connection fail rather than exposing the protocol, and its installer often masquerades as legitimate software (for example, Adobe Flash or VPN tools). Payloads are stored XOR-encrypted with a hardcoded key. Anti-analysis checks look for running analysis tools such as Process Explorer or Wireshark, and sandbox detection treats hosts with few CPU cores or a small disk as analysis environments.
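As an added example (not FoxSocket's own code; the page does not publish the actual key), the following Python recovers a hardcoded repeating XOR key from an encrypted PE payload by using the predictable DOS header as known plaintext. The key b"F0xK3y!" and the fake payload are constructed for the example, and DOS_STUB_OFFSET assumes the common Microsoft-linker layout in which the stub message starts at offset 0x4E:

```python
"""Recover a hardcoded repeating XOR key from an encrypted PE payload.

Added example, not FoxSocket's own code: the page says FoxSocket ships its
payloads XOR-encrypted with a hardcoded key but does not publish that key, so
the key here (b"F0xK3y!") and the "payload" are constructed for the example.
The technique is generic: a Windows executable begins with a DOS header whose
bytes are largely predictable, which gives enough known plaintext to solve
for every byte of a short repeating key.
"""
import struct
from itertools import cycle

# Known-plaintext anchor found in virtually every PE built with Microsoft
# tooling: the DOS stub message, which normally starts at offset 0x4E.
DOS_STUB_MSG = b"This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating `key`; encryption and decryption are identical."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_xor_key(blob: bytes, known: bytes, offset: int, max_key_len: int = 32):
    """Return the shortest repeating key (1..max_key_len bytes) under which
    `known` appears at `offset` in the decrypted blob, or None if none fits."""
    if offset + len(known) > len(blob):
        return None
    # XORing ciphertext with known plaintext yields the keystream at those offsets.
    keystream = xor_bytes(blob[offset:offset + len(known)], known)
    for klen in range(1, max_key_len + 1):
        key, seen, consistent = bytearray(klen), [False] * klen, True
        for i, ks in enumerate(keystream):
            pos = (offset + i) % klen          # key index is absolute, not relative
            if seen[pos] and key[pos] != ks:
                consistent = False              # period klen contradicts the keystream
                break
            key[pos], seen[pos] = ks, True
        if consistent and all(seen):
            return bytes(key)
    return None


def build_fake_pe_header() -> bytes:
    """Constructed plaintext: a minimal DOS header, stub message and PE signature."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)   # e_lfanew: PE signature lives at 0x80
    hdr[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB_MSG)] = DOS_STUB_MSG
    return bytes(hdr) + b"PE\x00\x00" + bytes(20)


HYPOTHETICAL_KEY = b"F0xK3y!"                  # made up for this example
ENCRYPTED_SAMPLE = xor_bytes(build_fake_pe_header(), HYPOTHETICAL_KEY)


def decrypt_payload(blob: bytes):
    """Recover the key from the DOS stub, decrypt, and validate the MZ/PE markers.
    Returns (key, plaintext); plaintext is None if the result is not a PE."""
    key = recover_xor_key(blob, DOS_STUB_MSG, DOS_STUB_OFFSET)
    if key is None:
        return None, None
    plain = xor_bytes(blob, key)
    e_lfanew = struct.unpack_from("<I", plain, 0x3C)[0]
    if plain[:2] != b"MZ" or plain[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return key, None
    return key, plain


if __name__ == "__main__":
    key, plain = decrypt_payload(ENCRYPTED_SAMPLE)
    print("recovered key:", key, "| valid PE:", plain is not None)
```

If the stub message sits elsewhere (non-Microsoft linkers vary), slide the known plaintext across candidate offsets until recover_xor_key returns a key that also yields a valid MZ/PE pair, rather than assuming 0x4E; the same routine works with any other known-plaintext anchor.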

📜 History & Notable Incidents

First observed in the wild as early as 2018, FoxSocket became widely known after the Recorded Future report linked it to TA416 operations against Japanese and South Korean targets. In 2021, CISA and the FBI jointly released a Malware Analysis Report (MAR) detailing FoxSocket's use in compromises of U.S. defense contractors. No CVEs are directly associated with FoxSocket: initial access comes from spear-phishing with weaponized documents rather than from exploiting a specific vulnerability, so patching alone does not address it.

🔍 Detection Indicators

Known mutex names include "FoxSocketMutex" and "Global\FoxSocket_Mutex". The User-Agent string mimics a stock browser, typically "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36" (a Chromium-style string for a 32-bit browser on 64-bit Windows 7); a real Chrome UA continues with "(KHTML, like Gecko) Chrome/<version> Safari/537.36", so if the implant really sends this truncated form an exact-match rule is far more specific than a substring match, and on its own the string is only supporting evidence. Registry persistence appears under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value names such as "Windows Update Helper"; Sysmon and most EDR telemetry record the same key as HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run, so rules should match both spellings. Network IOCs include POST requests to /ajax.php or /api/endpoint with Base64-encoded bodies. Behavioural signatures include outbound connections to non-standard ports (e.g., 8080, 8443) and repeated DNS queries for C2 domains whose records carry low TTLs, which lets the operators rotate infrastructure quickly. Mutex and value names are trivial for the operators to change, so treat them as indicators of this specific campaign rather than of the tool family.

☠️ Risk & Impact

FoxSocket enables persistent remote access and data exfiltration, primarily targeting intellectual property and classified military information. Affected sectors include defense, aerospace, and government agencies in the U.S., Japan, and South Korea. Financial losses are difficult to quantify but include costs from incident response, system remediation, and reputational damage from high‑profile data breaches.

🛡️ Mitigation

Defenders should implement application allow-listing (whitelisting) to block unauthorized executables, enforce multi-factor authentication for remote access, and deploy endpoint detection and response (EDR) solutions with rules for FoxSocket's registry keys and mutexes. Because initial access comes through spear-phishing attachments, controls on macro execution and on executables launched from Office processes or user-writable directories address the intrusion earlier than MFA, which limits lateral movement with stolen credentials but does not stop the implant from landing. The CISA MAR (MAR-10298524) provides Snort rules and YARA signatures for network and host-based detection; since named mutexes and Run-key value names are trivial for the operators to change, pair those signatures with behavioural detections such as Run-key writes by unsigned binaries and POSTs with Base64 bodies to non-standard ports.
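The following Python, added here as an example rather than code from the page, CISA, or any vendor, runs the host and network indicators from the Detection Indicators and Mitigation sections over constructed log lines. The event formats are simplified stand-ins for Sysmon/EDR and proxy records, the log lines are fabricated for the example, and the severity tiers encode the caveat that the User-Agent and port indicators are only supporting evidence:

```python
"""Match the FoxSocket indicators listed on this page against log lines.

Added example (not code from the page, CISA, or any vendor). The indicator
values are the ones quoted on the page; the log lines and their format are
constructed for the example and deliberately simplified. Real Sysmon, EDR and
proxy schemas differ, so the regexes are the part you would adapt.
"""
import base64
import binascii
import re

# Indicators quoted from the page.
MUTEXES = {"FoxSocketMutex", r"Global\FoxSocket_Mutex"}
RUN_VALUE_NAMES = {"Windows Update Helper"}
C2_PATHS = {"/ajax.php", "/api/endpoint"}
SPOOFED_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"
SUSPECT_PORTS = {8080, 8443}

# Sysmon and most EDRs log the current-user hive as HKU\<SID>, not HKCU, so
# accept both spellings of the Run key before comparing.
RE_RUN_KEY = re.compile(
    r"^(?:HKCU|HKU\\S-1-5-[\d-]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$",
    re.IGNORECASE)

# Constructed, simplified event formats used by the sample log below.
RE_REG = re.compile(r'RegistrySet key="([^"]+)" value="([^"]+)"')
RE_MUTEX = re.compile(r'MutexCreate name="([^"]+)"')
RE_HTTP = re.compile(
    r'HTTP (?P<method>[A-Z]+) host=(?P<host>\S+) port=(?P<port>\d+) '
    r'path=(?P<path>\S+) ua="(?P<ua>[^"]*)" body="(?P<body>[^"]*)"')


def looks_base64(s: str, min_len: int = 16) -> bool:
    """Strict check: canonical alphabet, correct padding, non-trivial length."""
    if len(s) < min_len or len(s) % 4:
        return False
    try:
        base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (severity, rule) pairs that fire on one event line."""
    hits = []
    if m := RE_REG.match(line):
        key, value = m.groups()
        if RE_RUN_KEY.match(key) and value in RUN_VALUE_NAMES:
            hits.append(("high", "persistence_run_key"))
    elif m := RE_MUTEX.match(line):
        if m.group(1) in MUTEXES:
            hits.append(("high", "foxsocket_mutex"))
    elif m := RE_HTTP.match(line):
        on_c2_path = m["path"] in C2_PATHS
        if m["method"] == "POST" and on_c2_path and looks_base64(m["body"]):
            hits.append(("high", "c2_post_base64"))
        # The spoofed UA is a stock browser string; on its own it is noise, so
        # only count it as supporting evidence alongside a known C2 path.
        if on_c2_path and m["ua"] == SPOOFED_UA:
            hits.append(("low", "spoofed_ua"))
        if int(m["port"]) in SUSPECT_PORTS:
            hits.append(("low", "nonstandard_port"))
    return hits


def scan_events(lines):
    """Run scan_line over every line; returns (line_no, severity, rule) triples."""
    return [(n, sev, rule)
            for n, line in enumerate(lines, 1)
            for sev, rule in scan_line(line)]


# Constructed sample log (not real telemetry). Line 2 is a benign Run-key write
# in the HKU\<SID> spelling; line 4 is a benign mutex; line 7 is a POST to a C2
# path whose body is not Base64.
SAMPLE_LOG = r"""
RegistrySet key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" value="Windows Update Helper" data="C:\Users\alice\AppData\Roaming\svchost.exe"
RegistrySet key="HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run" value="OneDrive"
MutexCreate name="Global\FoxSocket_Mutex"
MutexCreate name="Global\OfficeUpdaterLock"
HTTP POST host=203.0.113.10 port=8443 path=/ajax.php ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36" body="aGVsbG8gZnJvbSBhIGNvbnN0cnVjdGVkIGJlYWNvbg=="
HTTP GET host=203.0.113.10 port=443 path=/ajax.php ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36" body=""
HTTP POST host=198.51.100.7 port=443 path=/api/endpoint ua="curl/8.0" body="not base64!!"
"""


def sample_lines() -> list[str]:
    return [l for l in SAMPLE_LOG.splitlines() if l.strip()]


if __name__ == "__main__":
    for n, sev, rule in scan_events(sample_lines()):
        print(f"line {n}: [{sev}] {rule}")
```

Only the high-severity rules are worth alerting on by themselves; the low-severity tags are there to be correlated by host and time window, since a spoofed User-Agent or an 8443 connection from an ordinary workstation is common enough to drown an analyst if alerted on alone.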


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.