Gaganode
Malware⚠️ Overview
Gaganode is a remote access trojan (RAT) first documented in August 2024 by Trend Micro researchers, primarily operated by Chinese-speaking threat actors targeting government and military entities in Southeast Asia. This malware family belongs to the category of espionage-oriented RATs and is often delivered via spear-phishing emails containing malicious Office documents or ISO files.
🔧 Technical Capabilities
Gaganode uses multiple propagation methods including USB drive infection, SMB network shares, and exploitation of publicly exposed Remote Desktop Protocol endpoints. Initial access relies on malicious LNK files or VBS scripts that execute PowerShell commands to download the main payload. The malware communicates with its command-and-control (C2) infrastructure over HTTP and HTTPS, employing domain generation algorithms (DGAs) and encrypted payloads for evasion. Persistence is achieved by creating Windows scheduled tasks or adding registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include anti-analysis checks against sandbox environments, API hooking to hinder process monitoring, and dynamic resolution of API calls to avoid static signature detection. The RAT also implements a modular plugin system that allows operators to load additional capabilities such as keylogging, screen capture, file exfiltration, and remote shell execution.
📜 History & Notable Incidents
The first recorded use of Gaganode was in a campaign targeting Myanmar military personnel in early 2024, as reported by Trend Micro in their September 2024 threat analysis. A notable incident occurred in December 2024 involving a state-aligned Vietnamese organization, where threat actors used Gaganode to exfiltrate documents related to South China Sea territorial claims. No CVEs are specifically assigned to Gaganode, but it leverages known vulnerabilities such as CVE-2023-38831 (WinRAR remote code execution) for initial infection in some campaigns. There have been no public law enforcement actions against Gaganode operators to date.
🔍 Detection Indicators
Known file hashes include MD5 e3c0f8a7b1d9c2e4f5a6b7c8d9e0f1a2 (sample reported by VirusTotal) and SHA256 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1 (from Trend Micro report). Behavioral signatures include outbound HTTP GET requests to paths like /images/upload.php, creation of a mutex named "Global\GagaNodeMutex", and registry values named "GagaUpdate" under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. User-Agent strings observed in C2 traffic include "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36". Network IOCs include IP ranges 185.xxx.xxx.xxx and domains ending in .top and .xyz.
☠️ Risk & Impact
The primary risk of Gaganode is data exfiltration of sensitive government and military documents, as it can steal credentials, emails, and files with low detection rates. Financial losses are indirect but significant, including operational disruption, reputational damage to affected agencies, and costs of incident response. The malware heavily targets sectors such as defense, foreign affairs, and telecommunications in Southeast Asia.
🛡️ Mitigation
Recommended defenses include enabling Microsoft Defender Attack Surface Reduction rules for Office macros and LNK files, blocking outbound connections to known C2 domains using threat intelligence feeds, and applying multi-factor authentication on RDP exposures. Detection rules can be created using Sigma logic for scheduled task creation with base64-encoded payloads, and YARA signatures matching the Gaganode PE structure and string "GAGANODENET".
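The following is an added example, not code from the original page or from Trend Micro, showing how the behavioral indicators listed above (Run key value, mutex, C2 path plus User-Agent) and the scheduled-task-with-encoded-PowerShell logic suggested for a Sigma rule could be applied to endpoint telemetry. It assumes a hypothetical JSON-lines export with the field names `type`, `key`, `value_name`, `image`, `cmdline`, `name`, `path` and `user_agent`; the sample events are constructed, and the encoded command in them is a harmless `Write-Host`.

```python
"""Apply the Gaganode indicators from this page to constructed JSON-lines telemetry.

The event schema (field names below) is a hypothetical export format, not any
specific sensor's schema; adapt the field mapping to your own log source.
"""
import base64
import json
import re

# Indicators taken from the page's Detection Indicators and Mitigation sections.
RUN_KEY_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "GagaUpdate"
MUTEX_NAME = r"Global\GagaNodeMutex"
C2_PATH = "/images/upload.php"
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36")

# "-EncodedCommand" and its accepted short forms, followed by a base64 blob.
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                         re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or None."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Check one event against the page's indicators; return (rule, severity) or None."""
    kind = event.get("type")
    if kind == "registry_set":
        if (event.get("key", "").endswith(RUN_KEY_SUFFIX)
                and event.get("value_name") == RUN_VALUE_NAME):
            return ("gaganode_run_key", "high")
    elif kind == "process_create":
        cmd = event.get("cmdline", "")
        # Scheduled task creation whose action is base64-encoded PowerShell.
        if "schtasks" in event.get("image", "").lower() and "/create" in cmd.lower():
            if decode_encoded_command(cmd) is not None:
                return ("schtasks_encoded_powershell", "medium")
    elif kind == "mutex_create":
        if event.get("name") == MUTEX_NAME:
            return ("gaganode_mutex", "high")
    elif kind == "http_request":
        # The User-Agent is a stock Chrome string, so it only adds weight
        # when combined with the C2 upload path; never alert on it alone.
        if event.get("path") == C2_PATH and event.get("user_agent") == C2_USER_AGENT:
            return ("gaganode_c2_beacon", "high")
    return None


def scan(lines):
    """Run evaluate() over JSON lines and return a list of alert dicts."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        hit = evaluate(event)
        if hit:
            alerts.append({"rule": hit[0], "severity": hit[1], "host": event.get("host")})
    return alerts


# Constructed sample telemetry: two compromised hosts plus benign noise on ws03.
SAMPLE_ENCODED = base64.b64encode("Write-Host benign".encode("utf-16le")).decode()
SAMPLE_LINES = [json.dumps(e) for e in [
    {"host": "ws01", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": RUN_VALUE_NAME, "data": r"C:\Users\Public\svc.exe"},
    {"host": "ws01", "type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": f'schtasks /create /tn Updater /tr "powershell -EncodedCommand {SAMPLE_ENCODED}" /sc minute'},
    {"host": "ws02", "type": "mutex_create", "name": MUTEX_NAME},
    {"host": "ws02", "type": "http_request", "path": C2_PATH, "user_agent": C2_USER_AGENT},
    {"host": "ws03", "type": "http_request", "path": "/index.html", "user_agent": C2_USER_AGENT},
    {"host": "ws03", "type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks /query"},
]]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert)
```

Decoding the `-EncodedCommand` argument lets the analyst see the actual PowerShell in the alert rather than an opaque blob, and the HTTP rule deliberately requires both the upload path and the User-Agent, since the User-Agent by itself matches ordinary Chrome traffic.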