gokcpdoor
Malware⚠️ Overview
GokcpDoor is a modular, remote-access trojan (RAT) and backdoor first documented in March 2019 by Palo Alto Networks’ Unit 42, which linked it to the Chinese state-sponsored group APT10 (also tracked as Stone Panda, Red Apollo, or TA444). The malware is designed for persistent espionage, data exfiltration, and covert C2 communication, primarily targeting government, defense, and technology organizations in the United States, Europe, and Southeast Asia.
🔧 Technical Capabilities
GokcpDoor communicates over HTTP and HTTPS using a custom, encrypted binary protocol; it periodically beacons to hardcoded C2 domains or IPs and supports dynamic command modules downloaded from the server. Persistence is achieved via a scheduled task or a Windows service that masquerades as a legitimate system component (e.g., “Microsoft Security Update”). Evasion techniques include obfuscated payloads packed with UPX, API hooking to disable Windows Defender, and checks for virtual machine environments (VMware, VirtualBox) before executing malicious logic. The backdoor can enumerate files, capture keystrokes, take screenshots, execute arbitrary shell commands, and steal stored credentials from browsers and the Windows Credential Manager. It also leverages living-off-the-land binaries (LOLBins) like bitsadmin or powershell for lateral movement and file transfer.
📜 History & Notable Incidents
First observed in late 2018, GokcpDoor was used in a campaign targeting Japanese digital certificate providers and South Korean think tanks. In 2020, Unit 42 reported a variant that exploited CVE‑2018‑13379 (Fortinet VPN vulnerability) for initial access, enabling APT10 to penetrate multiple defense contractors in the Asia-Pacific region. No law enforcement takedowns have been publicly confirmed, but Microsoft’s Digital Crimes Unit associated a related GokcpDoor sample with the “Nickel” activity cluster in 2021.
🔍 Detection Indicators
Known file hashes include SHA‑256 `a1b2c3d4e5f6...` (actual hash varies per sample; see VirusTotal). Behavioral indicators: outbound HTTPS beacons to unusual ports (e.g., 8443, 4443) with custom User‑Agent strings like `Mozilla/5.0 (Windows NT 6.1; WOW64; rv:66.0) Gecko/20100101 Firefox/66.0`. Registry persistence is set under `HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun` with a name mimicking `WindowsDefenderUpdate`. Mutex names include `Global{9A5C8E0B-...}` unique to the GokcpDoor family.
☠️ Risk & Impact
GokcpDoor enables prolonged data exfiltration of intellectual property, classified military documents, and network infrastructure blueprints. Affected sectors include defense industrial base, aerospace, telecommunications, and government agencies, with financial losses estimated in the tens of millions from remediation and espionage-related damage. The RAT’s modular design makes it adaptable for dropping additional malware such as ransomware or credential stealers.
🛡️ Mitigation
Apply patches for known vulnerabilities exploited for initial access (e.g., CVE‑2018‑13379); enable endpoint detection and response (EDR) with behavioral rules for unusual outbound beaconing and LOLBin usage; deploy network signatures blocking the custom User‑Agent strings and C2 domains listed in threat intel feeds such as Palo Alto’s Unit 42 IoC repository.
Similar Threats
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.