Herbst

Malware

⚠️ Overview

Herbst is a Java-based remote access trojan (RAT) first documented in 2020 by researchers at Zscaler's ThreatLabz, attributed to the Chinese-speaking threat actor group tracked as APT41 (also known as Winnti or Barium). It is part of a modular malware ecosystem used for espionage and data theft, primarily targeting government, defense, and technology sectors in Southeast Asia and Europe.

🔧 Technical Capabilities

Herbst uses the Java Native Interface (JNI) to load native DLL payloads, so the shellcode it executes lives in native code rather than in the more easily inspected Java bytecode. Initial delivery (the malware does not self-propagate) is by spear-phishing email carrying a malicious Office document that drops a Java Runtime Environment (JRE) stager. Command and control runs over HTTPS on port 443, with C2 hosts mimicking legitimate services such as Google Drive or Microsoft OneDrive so the traffic blends in. Persistence is a scheduled task or Windows service named to look like a system component, such as "JavaUpdateSvc". Evasion includes ProGuard obfuscation of the Java code, runtime API hashing in the native payload (Win32 functions are located by hashing export names at run time instead of being declared in the import table, which keeps them out of import-based static analysis and sidesteps IAT hooks), and a sandbox check that measures the intervals between mouse movements.
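A worked example of the API-hashing trick described above, added here for illustration; it is not Herbst's code and is not taken from the Zscaler or Trend Micro reports. The page does not say which hash routine Herbst uses, so this assumes the common ROR-13 scheme (an assumption), and the export-name list is a constructed subset rather than a real DLL export dump. It shows both sides: how a loader turns an export name into a 32-bit constant, and how an analyst rebuilds a lookup table from a DLL's export names to resolve the constants found in a sample.

```python
"""Reverse an API-hash table (added example, not Herbst's own code).

Assumes the ROR-13 hash (rotate the running value right by 13 bits, then
add the next byte of the export name). Swap in the real routine once you
have lifted it from the sample's resolver function.
"""


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """ROR-13 hash over the ASCII export name (assumed scheme)."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


# Constructed subset of kernel32 export names; a real table comes from
# the DLL's export directory.
KERNEL32_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WriteProcessMemory", "CreateRemoteThread", "ExitProcess",
]


def build_hash_table(names):
    """Map hash -> export name so constants pulled from a sample can be named."""
    return {ror13_hash(n): n for n in names}


def resolve_hashes(hashes, table):
    """Name each 32-bit constant found in the sample; unknown ones stay unresolved."""
    return {h: table.get(h, "<unresolved>") for h in hashes}


def find_api_hash_constants(blob: bytes, table) -> list:
    """Scan a byte blob for little-endian DWORDs that are known API hashes.

    Run this over the decrypted native payload (the DLL the JNI bridge
    loads), not over the JAR: that is where the hash table lives.
    """
    hits = []
    for offset in range(0, len(blob) - 3):
        value = int.from_bytes(blob[offset:offset + 4], "little")
        if value in table:
            hits.append((offset, table[value]))
    return hits


if __name__ == "__main__":
    table = build_hash_table(KERNEL32_EXPORTS)
    # Constructed blob: two NOPs, a hash, a pad byte, another hash.
    blob = (b"\x90\x90" + ror13_hash("LoadLibraryA").to_bytes(4, "little")
            + b"\x00" + ror13_hash("VirtualAlloc").to_bytes(4, "little"))
    for offset, name in find_api_hash_constants(blob, table):
        print(f"offset {offset}: {name} (0x{ror13_hash(name):08X})")
```

If nothing resolves, the sample is not using ROR-13: locate the resolver routine in the native DLL, reimplement its loop in ror13_hash, and rerun. The LoadLibraryA constant under ROR-13 is the widely seen 0xEC0E4E8E, which makes a quick sanity check for the implementation.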

📜 History & Notable Incidents

Herbst was first observed in active campaigns against Taiwanese government agencies in mid-2020, as reported by Trend Micro in August 2020. A notable incident in early 2021 involved the compromise of a Southeast Asian defense ministry, where Herbst was used alongside the Koadic post-exploitation framework to steal classified documents. No CVE is assigned to Herbst itself; for initial access it relies on known Office vulnerabilities such as CVE-2017-11882 and CVE-2018-0802 (both in the Equation Editor component, the second being the bypass of the first patch). No law enforcement action against the operators has been publicly reported.

🔍 Detection Indicators

The Zscaler analysis cites the SHA-256 f3a1b2c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1; as reproduced here that string is 62 hex characters rather than the 64 a SHA-256 has, so take the value from the original report, not from this page, before adding it to a blocklist. Behavioral indicators include creation of Windows scheduled tasks named "JavaUpdateSvc" or "AdobeFlashUpdate", and DNS or TLS traffic to hostnames matching *.techsupport-update.com or *.cdn-upload.net (as written, the patterns cover subdomains only, not the bare apex domain). For persistence the malware writes a Run value named JavaPlatform under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and it creates the mutex Global\HerbstMutex_2020. Task, value and mutex names are trivial for the operators to change, so treat them as hunting leads rather than durable signatures.

☠️ Risk & Impact

Herbst gives the operator full remote control of an infected system, including keylogging, screen capture, file exfiltration, and theft of passwords saved in browsers. In the 2021 defense ministry incident the attackers exfiltrated over 10 GB of sensitive procurement data. Affected sectors include government, aerospace, and semiconductor manufacturing in Taiwan, Vietnam, and India; the source estimates losses from intellectual property theft at over $50 million per campaign.

🛡️ Mitigation

Because the delivery chain is an Office document dropping a JRE stager, the useful controls are on that chain rather than on browser applets: patch CVE-2017-11882 and CVE-2018-0802, prevent Office applications from spawning child processes (for example with the Microsoft Defender attack surface reduction rule for that behavior), and use application control (AppLocker or WDAC) so that java.exe and javaw.exe may only run from the managed JRE install path, not from user-writable directories. On the endpoint, alert when java.exe or javaw.exe spawns cmd.exe or PowerShell. Zscaler and Trend Micro provide YARA rules for the Herbst DLL payloads. For the network, map the HTTPS C2 to MITRE ATT&CK T1573.002 (Encrypted Channel: Asymmetric Cryptography); the ATT&CK entry describes the technique and does not itself carry certificate fingerprints, so take those from the vendor reports. With TLS 1.2 the server certificate is visible in the handshake and can be fingerprinted without decryption; with TLS 1.3 the certificate is encrypted, so you need JA3/JA3S-style handshake fingerprinting or full TLS inspection to catch it.
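A worked example that checks the page's host and network indicators (from the Detection Indicators section) together with the Java-spawns-shell rule above, added here as illustration and not taken from Zscaler, Trend Micro or Boteraser. The event records are constructed to resemble normalised EDR/Sysmon and DNS log lines; the field names (kind, image, parent_image, name, key, value, query) are this script's own convention, not any product's schema. The benign records interleaved with the suspicious ones show what the rules must not fire on.

```python
"""Hunt for the Herbst indicators listed on this page (added example)."""
from fnmatch import fnmatch
from ntpath import basename

# Indicators taken from the page: task/service names, Run value, mutex, domain patterns.
SUSPECT_TASK_NAMES = {"javaupdatesvc", "adobeflashupdate"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUE = "javaplatform"
MUTEX_NAME = r"global\herbstmutex_2020"
C2_DOMAIN_PATTERNS = ["*.techsupport-update.com", "*.cdn-upload.net"]

# Behavioural rule from the mitigation section: Java spawning a shell.
JAVA_IMAGES = {"java.exe", "javaw.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def check_event(event: dict):
    """Return a rule name if the event matches an indicator, else None."""
    kind = event.get("kind")
    if kind == "process_create":
        parent = basename(event.get("parent_image", "")).lower()
        child = basename(event.get("image", "")).lower()
        if parent in JAVA_IMAGES and child in SHELL_IMAGES:
            return "java_spawns_shell"
    elif kind in ("scheduled_task", "service_install"):
        if event.get("name", "").lower() in SUSPECT_TASK_NAMES:
            return "persistence_name"
    elif kind == "registry_set":
        if (event.get("key", "").lower() == RUN_KEY
                and event.get("value", "").lower() == RUN_VALUE):
            return "run_key_javaplatform"
    elif kind == "mutex_create":
        if event.get("name", "").lower() == MUTEX_NAME:
            return "herbst_mutex"
    elif kind == "dns_query":
        query = event.get("query", "").lower().rstrip(".")
        if any(fnmatch(query, pat) for pat in C2_DOMAIN_PATTERNS):
            return "c2_domain_pattern"
    return None


def scan(events):
    """Run every event through check_event; return [(index, rule), ...] for hits."""
    hits = []
    for i, ev in enumerate(events):
        rule = check_event(ev)
        if rule:
            hits.append((i, rule))
    return hits


# Constructed sample telemetry: five suspicious records interleaved with benign ones.
SAMPLE_EVENTS = [
    {"kind": "process_create", "parent_image": r"C:\Program Files\Java\jre8\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"kind": "process_create", "parent_image": r"C:\Program Files\Java\jre8\bin\java.exe",
     "image": r"C:\Program Files\Java\jre8\bin\javaw.exe"},      # benign: Java launching Java
    {"kind": "scheduled_task", "name": "JavaUpdateSvc", "user": "corp\\alice"},
    {"kind": "scheduled_task", "name": "OneDrive Standalone Update Task", "user": "corp\\alice"},
    {"kind": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "JavaPlatform", "data": r"C:\Users\alice\AppData\Roaming\jre\bin\javaw.exe -jar upd.jar"},
    {"kind": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"kind": "mutex_create", "name": r"Global\HerbstMutex_2020"},
    {"kind": "dns_query", "query": "files.cdn-upload.net"},
    {"kind": "dns_query", "query": "cdn-upload.net"},      # bare apex: the page's "*." pattern misses it
    {"kind": "dns_query", "query": "drive.google.com"},
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule} -> {SAMPLE_EVENTS[index]}")
```

The process-chain rule is the durable one: the operators can rename a task or mutex in seconds, but a Java process spawning cmd.exe or PowerShell is rare on workstations and survives renaming. Note also that the wildcard patterns as given on the page do not match the apex domains themselves; if the vendor report lists the apex as C2, add it as a literal.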


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.