Glasses

Malware

⚠️ Overview

Glasses is a modular remote access trojan (RAT) first identified in July 2022 by the Qihoo 360 Netlab team, attributed to the advanced persistent threat group tracked as "LuminousMoth" (also linked to APT‑C‑36). It is categorized as a backdoor with data‑exfiltration and keylogging capabilities, primarily targeting government and telecommunications entities in South and Southeast Asia.

🔧 Technical Capabilities

The malware achieves initial infection via spear‑phishing emails carrying malicious Microsoft Office documents that exploit the Follina vulnerability (CVE‑2022‑30190). Once executed, Glasses establishes persistence through a registry run key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run named "GlassesService". Its C2 infrastructure uses DNS‑over‑HTTPS (DoH) to evade network monitoring, communicating with domains registered via privacy‑protected services. The RAT supports plugin‑based modules for screen capture, keystroke logging, file exfiltration via HTTP POST, and command execution. Evasion techniques include API unhooking of ntdll.dll and sleeping for randomized intervals using WaitForSingleObjectEx to bypass sandbox analysis. Persistence is further reinforced by creating a scheduled task named "GlassesUpdate" that checks in with the C2 every 12 hours.

📜 History & Notable Incidents

The first documented campaign occurred in August 2022 against a Bangladeshi telecommunications firm, leading to the exfiltration of 40 GB of internal documents. In November 2022, a variant of Glasses exploited the Log4Shell vulnerability (CVE‑2021‑44228) to compromise a government email server in Sri Lanka. No law enforcement actions have been publicly reported as of March 2025.

🔍 Detection Indicators

Known SHA‑256 hashes include 3a7c9f0e1b2d4c5a6e8f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c (reported by VirusTotal). Behavioral signatures include outbound DNS queries to *.glasses‑update[.]com and periodic HTTP POST requests with User‑Agent strings containing "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Glasses/1.0". Registry artifacts include the key HKCU\Software\Glasses storing encrypted C2 addresses.

☠️ Risk & Impact

The malware enables full remote control of compromised hosts, facilitating long‑term espionage and credential theft. Financial losses in the telecommunications sector are estimated at over $2.3 million due to data breach remediation costs. Affected industries include government, telecom, and energy, with primary victims located in Bangladesh, Sri Lanka, and the Philippines.

🛡️ Mitigation

Defenders should apply Microsoft patch MS22‑047 for CVE‑2022‑30190 and update Log4j to version 2.17.0. Network detection rules can block DoH traffic to known Glasses domains (e.g., glasses‑update[.]com) and monitor for the User‑Agent string "Glasses/1.0" in HTTP logs. Endpoint detection rules should alert on creation of the scheduled task "GlassesUpdate" and the registry run key "GlassesService".
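As an added defender‑side example (not part of this page or of any vendor's tooling), the Python below applies the indicators listed in the sections above (the C2 domain, the "Glasses/1.0" User‑Agent marker, the "GlassesService" run‑key value and the "GlassesUpdate" scheduled task) to constructed sample resolver, proxy and endpoint data; the log line formats are assumptions. Because Glasses resolves its C2 over DoH, the resolver check only helps where DoH is blocked at the edge or the organisation's own resolver serves DoH and logs queries.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the Detection Indicators and Mitigation sections above.
C2_DOMAIN = "glasses-update.com"   # listed on the page defanged as glasses-update[.]com
USER_AGENT_MARKER = "Glasses/1.0"
RUN_KEY_NAME = "GlassesService"    # value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SCHEDULED_TASK = "GlassesUpdate"

# Whole-label match for the C2 domain or any subdomain: "beacon.glasses-update.com" hits,
# "notglasses-update.com" and "glasses-update.company" do not.
_C2_HOST_RE = re.compile(r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(C2_DOMAIN) + r"(?![\w-])", re.I)

@dataclass(frozen=True)
class Finding:
    source: str     # "dns", "http", "registry" or "task"
    indicator: str  # which page indicator matched
    evidence: str   # the log line or artifact that matched

def check_dns_log(lines):
    """Flag resolver log lines that name *.glasses-update.com."""
    return [Finding("dns", C2_DOMAIN, ln) for ln in lines if _C2_HOST_RE.search(ln)]

def check_http_log(lines):
    """Flag proxy/web log lines whose User-Agent carries the Glasses/1.0 marker."""
    return [Finding("http", USER_AGENT_MARKER, ln) for ln in lines if USER_AGENT_MARKER in ln]

def check_endpoint_artifacts(run_key_values, scheduled_tasks):
    """Flag the named Run-key value and scheduled task (Windows names are case-insensitive)."""
    found = [Finding("registry", RUN_KEY_NAME, f"{k} = {v}")
             for k, v in run_key_values.items() if k.lower() == RUN_KEY_NAME.lower()]
    found += [Finding("task", SCHEDULED_TASK, t)
              for t in scheduled_tasks if t.lower() == SCHEDULED_TASK.lower()]
    return found

# Constructed sample data (not captured from a real incident); formats are assumed.
SAMPLE_DNS_LOG = [
    "2025-03-01T08:00:01Z 10.0.0.5 query A www.example.com",
    "2025-03-01T08:00:07Z 10.0.0.5 query A beacon.glasses-update.com",
    "2025-03-01T08:00:09Z 10.0.0.5 query A notglasses-update.com",
]
SAMPLE_HTTP_LOG = [
    '10.0.0.5 "POST /upload HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Glasses/1.0"',
    '10.0.0.5 "GET / HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
]
SAMPLE_RUN_KEY = {"OneDrive": "C:\\Users\\u\\OneDrive.exe", "GlassesService": "C:\\ProgramData\\svc.exe"}
SAMPLE_TASKS = ["GoogleUpdateTaskMachineUA", "GlassesUpdate"]

if __name__ == "__main__":
    for f in (check_dns_log(SAMPLE_DNS_LOG) + check_http_log(SAMPLE_HTTP_LOG)
              + check_endpoint_artifacts(SAMPLE_RUN_KEY, SAMPLE_TASKS)):
        print(f"[{f.source}] {f.indicator}: {f.evidence}")
```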


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.