HiatusRAT
Malware⚠️ Overview
HiatusRAT is a remote access trojan (RAT) first documented by Lumen's Black Lotus Labs in May 2023, attributed to a Chinese state-sponsored threat actor tracked as Volt Typhoon (also known as BRONZE SILHOUETTE or UNC3236). It targets small office/home office (SOHO) routers and internet-of-things (IoT) devices, primarily to establish persistent access for espionage and potential pre-positioning in critical infrastructure networks.
🔧 Technical Capabilities
HiatusRAT propagates by exploiting known vulnerabilities in SOHO routers, such as CVE-2017-17215 (Huawei HG532) and CVE-2023-28771 (Zyxel firewalls). It uses a modular architecture with a main loader that downloads and executes payloads from command-and-control (C2) servers over HTTPS. Persistence is achieved through modified firmware images or cron jobs, and it employs evasion techniques including encrypted configuration files, process hollowing, and mimicking legitimate system processes. The malware collects device information, credentials, and network topology, and supports file upload/download, command execution, and proxy functionality for lateral movement.
📜 History & Notable Incidents
HiatusRAT was first observed in active campaigns targeting routers in Asia and the Americas in early 2023, as reported by Black Lotus Labs. It has been linked to the Volt Typhoon campaign, which the U.S. FBI and CISA publicly attributed in May 2023 to the Chinese Ministry of State Security. The malware has been used to compromise devices in critical infrastructure sectors including energy, telecommunications, and transportation, though no public CVE exploitation beyond those disclosed in CISA advisories has been directly attributed.
🔍 Detection Indicators
Network indicators include C2 domains hosted on cloud providers such as Amazon Web Services (e.g., update.icloud-dns[.]net), and User-Agent strings mimicking mobile browsers like Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36. File-based indicators: sample SHA256 hashes (e.g., a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567890) were shared in Black Lotus Labs reports. Behavioral signatures include persistent outbound HTTPS connections to unusual destinations, modified router configuration files, and unexpected cron jobs. Registry keys and mutex names are typically device-dependent and observed on compromised embedded Linux systems.
☠️ Risk & Impact
HiatusRAT enables long-term espionage and potential disruption of critical infrastructure by providing attackers a foothold in network devices that often have limited security monitoring. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) assessed in May 2023 that Volt Typhoon actors using HiatusRAT could pre-position for future destructive attacks on American energy grids, water systems, and communication networks. Theft of credentials and network reconnaissance increases the risk of lateral movement into operational technology (OT) environments.
🛡️ Mitigation
Organizations should apply vendor patches for CVE-2017-17215, CVE-2023-28771, and other router firmware vulnerabilities, disable remote management interfaces on SOHO devices, and monitor for outbound HTTPS traffic to uncommon IP ranges or domains. CISA recommends using the CHIRP tool and network detection rules from the joint advisory AA23-136A to identify HiatusRAT infections, and implementing network segmentation between IT and OT systems.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.