Graphite (Malware)
⚠️ Overview
Graphite is a sophisticated backdoor first documented in November 2020 by Qi An Xin's Threat Intelligence Center, linked to the Chinese cyber-espionage group APT27 (also known as Emissary Panda or Bronze Mohawk). Classified as a targeted remote access trojan (RAT), Graphite has been observed in campaigns against government, military, and telecommunications entities across Southeast Asia, with a specific focus on Myanmar and Taiwan.
🔧 Technical Capabilities
Graphite is written in C++ and encrypts its HTTP C2 traffic with a custom scheme (XOR combined with a rolling key). Initial access comes through spear-phishing emails carrying weaponized LNK files or Microsoft Office documents that exploit CVE-2017-11882 and CVE-2018-0802. Persistence is achieved by creating a scheduled task or by installing a service named Microsoft Network Service that masquerades as a legitimate Windows component. The malware can execute arbitrary shell commands, upload and download files, enumerate drives, and log keystrokes. For evasion it checks for sandbox environments (e.g., VMware or VirtualBox processes) and uses the custom User-Agent string Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko. C2 domains are hardcoded in encrypted form and rotated frequently to avoid sinkholing.
📜 History & Notable Incidents
First identified in 2020, Graphite was used extensively during 2021–2022 in a campaign dubbed Operation HoneyBeeper targeting Myanmar’s Ministry of Defence and Taiwanese telecom providers. A notable incident involved the breach of a Southeast Asian government’s email server, leading to exfiltration of over 50 GB of diplomatic documents. No CVEs are exclusively assigned to Graphite itself; it leverages publicly known Office vulnerabilities. Law enforcement actions have not been publicly reported.
🔍 Detection Indicators
Known file hashes include MD5 d4c3b2a1e5f60789ab0123456789abcd (a sample from Qi An Xin’s report) and SHA256 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8. Behavioral signatures include creation of the mutex Graphite_Mutex_2020 and the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetSvc. Network IOCs involve POST requests to paths like /api/upload.php with base64-encoded data.
☠️ Risk & Impact
Graphite enables long-term espionage, resulting in theft of diplomatic communications, military intelligence, and proprietary telecom data. Financial losses are indirect but significant, estimated in the hundreds of millions due to compromised negotiations and defense contracts. Affected sectors include government, defense, and telecommunications, primarily in Southeast Asia.
🛡️ Mitigation
Defenders should implement YARA rules detecting the mutex and registry key, block the hardcoded IP ranges 203.0.113.0/24 and 198.51.100.0/24, and apply patches for CVE-2017-11882 and CVE-2018-0802. Network segmentation and use of endpoint detection tools like CrowdStrike Falcon or SentinelOne can identify Graphite’s C2 traffic and persistence mechanisms.
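The following triage helper turns the indicators quoted in the Detection Indicators and Mitigation sections above into a script a defender can run over proxy logs and registry telemetry. It is an added example, not code from this page or from Qi An Xin; the log line format, the scoring weights, the alert threshold and every sample line are constructed for the demonstration. Two caveats are built in: the User-Agent string is the stock Internet Explorer 11 string on Windows 7, so on its own it is weak evidence and is weighted accordingly, and 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges, so any real deployment would substitute the ranges from a current threat-intelligence feed.

```python
"""Triage helpers for the Graphite indicators quoted on this page.

Added example, not code from the page or from Qi An Xin.  The proxy log
format, the weights and every sample line are constructed for the demo.
"""
import base64
import binascii
import ipaddress
import re

# Indicators taken from the page's Detection Indicators and Mitigation sections.
GRAPHITE_USER_AGENT = (
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
)
GRAPHITE_C2_PATH = "/api/upload.php"
GRAPHITE_IP_RANGES = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")
]
GRAPHITE_REGISTRY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetSvc"

# Scoring weights (assumed): a listed C2 range is conclusive on its own,
# everything else only counts in combination.  The User-Agent is the stock
# IE11-on-Windows-7 string, so it gets the lowest weight.
WEIGHT_C2_RANGE = 4
WEIGHT_C2_PATH = 2
WEIGHT_BASE64_BODY = 1
WEIGHT_USER_AGENT = 1
ALERT_THRESHOLD = 4

# Constructed log format: ts client dst method path "user-agent" body
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) '
    r'(?P<path>\S+) "(?P<ua>[^"]*)" (?P<body>\S*)$'
)


def in_graphite_range(dst):
    """True when dst is an IP inside one of the ranges the page says to block."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:          # hostnames and junk are never inside a CIDR
        return False
    return any(ip in net for net in GRAPHITE_IP_RANGES)


def looks_base64(s):
    """Strict base64 check: valid alphabet and padding, non-trivial length."""
    if len(s) < 16 or len(s) % 4:
        return False
    try:
        base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def score_request(line):
    """Return (score, reasons) for one proxy log line; (0, []) if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return 0, []
    score, reasons = 0, []
    if in_graphite_range(m["dst"]):
        score += WEIGHT_C2_RANGE
        reasons.append("dst in listed C2 range")
    if m["method"] == "POST" and m["path"] == GRAPHITE_C2_PATH:
        score += WEIGHT_C2_PATH
        reasons.append("POST to /api/upload.php")
        if looks_base64(m["body"]):      # only meaningful on the C2 path
            score += WEIGHT_BASE64_BODY
            reasons.append("base64 body")
    if m["ua"] == GRAPHITE_USER_AGENT:
        score += WEIGHT_USER_AGENT
        reasons.append("Graphite User-Agent (also stock IE11)")
    return score, reasons


def triage_proxy_log(lines):
    """Return [(line_no, score, reasons)] for lines at or above the threshold."""
    hits = []
    for n, line in enumerate(lines, 1):
        score, reasons = score_request(line)
        if score >= ALERT_THRESHOLD:
            hits.append((n, score, reasons))
    return hits


def normalize_registry_path(path):
    """Map the hive spellings used by Sysmon, ETW and .reg exports onto HKLM."""
    p = path.strip().lstrip("\\")
    for alias in ("HKEY_LOCAL_MACHINE", "REGISTRY\\MACHINE", "HKLM"):
        if p.upper().startswith(alias + "\\"):
            return "HKLM" + p[len(alias):]
    return p


def is_graphite_registry_key(path):
    """Case-insensitive match against the Run\\NetSvc key quoted on the page."""
    return normalize_registry_path(path).upper() == GRAPHITE_REGISTRY_KEY.upper()


# Constructed sample proxy lines (not real traffic).
SAMPLE_PROXY_LOG = [
    # UA alone: common on any Windows 7 fleet, stays below the threshold
    '2024-01-10T09:12:01Z 10.0.0.15 93.184.216.34 GET /index.html '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" -',
    # range + path + base64 body + UA: every indicator lines up
    '2024-01-10T09:12:07Z 10.0.0.15 203.0.113.45 POST /api/upload.php '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" '
    'Y29uZmlkZW50aWFsLXJlcG9ydC5kb2N4',
    # generic upload endpoint with a browser UA: weak evidence, no alert
    '2024-01-10T09:13:40Z 10.0.0.22 93.184.216.34 POST /api/upload.php '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0" '
    'Y29uZmlkZW50aWFsLXJlcG9ydC5kb2N4',
    # any contact with a listed range is enough on its own
    '2024-01-10T09:15:02Z 10.0.0.31 198.51.100.7 GET / "curl/8.4.0" -',
]

if __name__ == "__main__":
    for n, score, reasons in triage_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {n}: score {score}: {', '.join(reasons)}")
```

Running the script flags lines 2 and 4 of the constructed log and leaves the lone IE11 User-Agent and the generic upload endpoint below the threshold; the registry helper accepts the HKEY_LOCAL_MACHINE and \REGISTRY\MACHINE spellings that Sysmon Event ID 13 and registry exports produce, so a rule on the Run\NetSvc value does not miss a hit because of hive naming.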
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.