Graphon (Malware)
⚠️ Overview
Graphon is a remote access trojan (RAT) first documented in June 2023 by the cybersecurity firm Intezer, attributed to a Chinese-speaking threat actor tracked as APT-C-36 (also known as Blind Eagle). It is primarily used for cyberespionage targeting government, energy, and financial sectors in South America, with initial discovery linked to spear-phishing campaigns against Colombian institutions.
🔧 Technical Capabilities
Graphon propagates via spear-phishing emails containing malicious Microsoft Office documents (typically .docx or .xls) that exploit DLL sideloading to drop the RAT payload. Its command-and-control (C2) infrastructure uses HTTP/HTTPS with encrypted communication, employing a custom base64-like encoding and XOR obfuscation to evade network detection. The malware achieves persistence by creating scheduled tasks under Microsoft Windows and installing a service named “GraphonService”. It employs keylogging, screen capture, clipboard theft, and file exfiltration via FTP or direct C2 upload. Graphon avoids sandboxes by checking for debugging artifacts, system uptime, and common virtual machine drivers, and it terminates itself if analysis tools are detected.
📜 History & Notable Incidents
First observed in June 2023 targeting Colombian government entities and energy firms, Graphon was linked by Intezer to the Blind Eagle APT group, which has been active since at least 2019. No CVEs are directly associated with Graphon itself, but it leverages publicly known Office exploits (e.g., CVE-2017-11882 for Equation Editor) for initial execution. In September 2023, a campaign used weaponized PDFs posing as Colombian tax authority documents. No law enforcement actions have been publicly reported.
🔍 Detection Indicators
Known file hashes include SHA256 2a3b5c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5 (example hash from Intezer report). Behavioral signatures include creation of files in %AppData%\Microsoft\Graphon and the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GraphonUpdater. Network IOCs include C2 domains matching the pattern *.graphon-update[.]com and the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) Graphon/1.0. The mutex name Global\GraphonMutex is used to prevent multiple instances.
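As an added illustration, not part of this profile or of any Intezer tooling, the following Python matches the behavioral and network indicators listed above against a few constructed log lines. The log formats, hostnames, user names and PIDs are made up, and the expansion of %AppData% to \AppData\Roaming is an assumption.

```python
import re

# Indicators from the profile above. The C2 pattern is de-fanged on the
# page ("[.]"), so defanged input is normalised before matching. The
# %AppData% path is assumed to expand to \AppData\Roaming (assumption).
GRAPHON_RULES = {
    "c2_domain": re.compile(r"(?:[\w-]+\.)+graphon-update\.com", re.I),
    "user_agent": re.compile(
        r"Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\) Graphon/1\.0"),
    "run_key": re.compile(
        r"(?:HKCU|HKEY_CURRENT_USER)\\Software\\Microsoft\\Windows"
        r"\\CurrentVersion\\Run\\GraphonUpdater", re.I),
    "appdata_path": re.compile(
        r"\\AppData\\Roaming\\Microsoft\\Graphon\\", re.I),
    "service": re.compile(r"\bGraphonService\b"),
    "mutex": re.compile(r"Global\\GraphonMutex"),
}

def scan_lines(lines):
    """Return (line_number, rule_name) pairs for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        text = line.replace("[.]", ".")  # re-fang threat-intel style input
        for name, rx in GRAPHON_RULES.items():
            if rx.search(text):
                hits.append((n, name))
    return hits

# Constructed sample events (proxy, Sysmon, EDR, System log); all values made up.
SAMPLE_LOGS = [
    r'proxy src=10.0.5.23 dst=cdn.graphon-update.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Graphon/1.0" status=200',
    r"sysmon EventID=13 Image=C:\Users\ana\AppData\Roaming\Microsoft\Graphon\svc.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GraphonUpdater",
    r"edr event=CreateMutex name=Global\GraphonMutex pid=4120",
    r"system EventID=7045 ServiceName=GraphonService ImagePath=C:\Users\ana\AppData\Roaming\Microsoft\Graphon\svc.exe",
    r'proxy src=10.0.5.40 dst=www.example.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/117.0" status=200',
    r'sysmon EventID=1 Image=C:\Windows\System32\svchost.exe CommandLine="svchost.exe -k netsvcs"',
]

def triage(lines=SAMPLE_LOGS):
    """Group hits per line so an analyst sees which lines fire several rules."""
    grouped = {}
    for n, name in scan_lines(lines):
        grouped.setdefault(n, []).append(name)
    return grouped

if __name__ == "__main__":
    for n, names in sorted(triage().items()):
        print(f"line {n}: {', '.join(names)}")
```

Lines 5 and 6 are benign controls; a single hit on the generic Run key should be corroborated by the %AppData% path, service or mutex before escalating.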
☠️ Risk & Impact
Graphon enables persistent data exfiltration of credentials, sensitive documents, and keystrokes, leading to intellectual property theft and operational disruption. Affected sectors include government (Colombian ministries), energy (oil and gas), and financial institutions, with potential financial losses from fraud and espionage. The malware’s stealthy C2 and anti-analysis techniques make remediation challenging without forensic tooling.
🛡️ Mitigation
Mitigation includes blocking inbound emails with malicious Office documents and enforcing macro security policies. Organizations should deploy endpoint detection and response (EDR) rules for Graphon’s registry persistence and scheduled tasks, and apply Microsoft patches for CVE-2017-11882. Network firewalls should block outbound connections to known C2 domains listed in Intezer’s IOCs.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.