HiddenFace
⚠️ Overview
HiddenFace is a remote access trojan (RAT) first documented by Trend Micro in August 2022 and attributed to the Chinese-nexus threat group Earth Preta (also tracked as Mustang Panda). It is an espionage-oriented RAT that primarily targets government and defense entities in Southeast Asia, with notable campaigns against Myanmar and the Philippines.
🔧 Technical Capabilities
HiddenFace is commonly delivered through spear-phishing emails carrying malicious LNK or ISO files that abuse DLL side-loading (MITRE ATT&CK T1574.002): a legitimate, signed binary such as calc.exe or winword.exe is dropped next to an attacker-controlled DLL that it loads by name from its own directory in preference to the system copy. Persistence is established through scheduled tasks (T1053.005) and Registry Run keys (T1547.001). Command-and-control (C2) traffic is HTTPS on standard ports (T1071.001) carrying encrypted JSON payloads, and the implant uses domain fronting: the TLS SNI names a content delivery network host while the HTTP Host header inside the encrypted session names the real C2, so blocking on DNS or SNI alone does not catch it. Capabilities include keylogging, screen capture, file enumeration, and exfiltration over HTTP POST requests. Anti-analysis checks include sandbox detection based on system uptime and the set of running processes.
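Added example (not from the page, and not any vendor's detection content): a minimal behavioural detector for the three techniques just described, run over a handful of constructed Sysmon-style events. The field names follow Sysmon Event IDs 7 (image load), 1 (process create) and 13 (registry value set); the directory heuristics, the lure-binary list and the sample events are assumptions to adapt to your own telemetry.

```python
"""Behavioural detection for DLL side-loading, scheduled-task and Run-key
persistence over constructed Sysmon-style events. Added example; not from the
page or from any vendor's rule set."""
import re
from dataclasses import dataclass

# Assumed directory heuristics (not from the page): code under TRUSTED_ROOTS is
# treated as a legitimate host process; paths containing a USER_WRITABLE
# fragment are where dropped DLLs and persistence targets usually live.
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\",
                 "\\programdata\\")
# Signed binaries the page names as side-loading lures.
LURE_HOSTS = {"calc.exe", "winword.exe"}
RUN_KEY = "\\currentversion\\run\\"
SCHTASKS_RE = re.compile(r"schtasks(?:\.exe)?\s.*?/create\b", re.I)
TN_RE = re.compile(r'/tn\s+"?([^"]+?)"?(?=\s+/|$)', re.I)
TR_RE = re.compile(r'/tr\s+"?([^"]+?)"?(?=\s+/|$)', re.I)

@dataclass
class Alert:
    technique: str   # MITRE ATT&CK sub-technique ID
    reason: str
    event: dict

def _lower(s): return (s or "").lower()
def _trusted(p): return _lower(p).startswith(TRUSTED_ROOTS)
def _user_writable(p): return any(f in _lower(p) for f in USER_WRITABLE)
def _dirname(p): return _lower(p).rsplit("\\", 1)[0]
def _basename(p): return _lower(p).rsplit("\\", 1)[-1]

def check_image_load(e):
    """Sysmon Event ID 7: a process loaded a DLL ('Signed' is Sysmon's verdict on the DLL)."""
    host, dll = e["Image"], e["ImageLoaded"]
    if _lower(e.get("Signed")) == "true" or not _user_writable(dll):
        return None
    if _trusted(host):
        return Alert("T1574.002", f"{_basename(host)} loaded unsigned {dll}", e)
    if _basename(host) in LURE_HOSTS and _dirname(host) == _dirname(dll):
        return Alert("T1574.002",
                     f"lure {_basename(host)} relocated to {_dirname(host)} "
                     f"with unsigned {_basename(dll)} beside it", e)
    return None

def check_process_create(e):
    """Sysmon Event ID 1: schtasks /create whose action lives in a user-writable path."""
    cmd = e.get("CommandLine", "")
    if not SCHTASKS_RE.search(cmd):
        return None
    tn, tr = TN_RE.search(cmd), TR_RE.search(cmd)
    task = tn.group(1) if tn else "?"
    action = tr.group(1) if tr else ""
    if _user_writable(action):
        return Alert("T1053.005", f"task {task!r} runs {action}", e)
    return None

def check_registry_set(e):
    """Sysmon Event ID 13: Run-key value whose command lives in a user-writable path."""
    target, details = e.get("TargetObject", ""), e.get("Details", "")
    if RUN_KEY in _lower(target) and _user_writable(details):
        return Alert("T1547.001", f"{target} -> {details}", e)
    return None

HANDLERS = {7: check_image_load, 1: check_process_create, 13: check_registry_set}

def scan(events):
    """Run each event through the handler for its Event ID; return the alerts raised."""
    alerts = []
    for e in events:
        handler = HANDLERS.get(e.get("EventID"))
        alert = handler(e) if handler else None
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample events, not real telemetry: a relocated calc.exe loading an
# unsigned DLL from its own folder, a benign system load, a suspicious and a
# benign scheduled task, and a Run key pointing back at the dropped lure.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\bob\AppData\Roaming\Sys\calc.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Roaming\Sys\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "WindowsUpdateTask" /tr "C:\Users\bob\AppData\Roaming\Sys\calc.exe" /sc onlogon'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sys",
     "Details": r"C:\Users\bob\AppData\Roaming\Sys\calc.exe"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a.technique, a.reason)
```

The side-loading rule fires on two shapes: a trusted-path host loading an unsigned DLL from a user-writable directory, and a known lure binary that has itself been copied into a user-writable directory with an unsigned DLL beside it. The second shape is the one the delivery chain above produces and is the one most EDR baselines miss, because the host process is a clean Microsoft-signed file.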
📜 History & Notable Incidents
First observed in mid-2022, HiddenFace was used in a campaign targeting Myanmar's Ministry of Defence and the Philippine National Police. Trend Micro's report linked the malware to Earth Preta's infrastructure, which shared C2 domains with the group's earlier PlugX (also tracked as Korplug) backdoors. No CVE is attributed to HiddenFace itself; the reported delivery chains relied on already-public vulnerabilities such as CVE-2021-26411, an Internet Explorer memory-corruption flaw patched in March 2021.
🔍 Detection Indicators
The only published file hash is SHA-256 5a6b3c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4, marked as not publicly verified; note that as printed it is 61 hexadecimal characters rather than the 64 of a SHA-256 digest, so it cannot be used as an indicator in that form. Behavioral signatures include creation of scheduled tasks named WindowsUpdateTask or SystemHealthCheck. Network IOCs include the C2 domain update.microsoft-account[.]com and the fronting domain cdn.cloudflare[.]com; the latter is a shared CDN hostname that appears in the TLS SNI, is not unique to this malware, and will produce false positives if blocked or alerted on by itself, so detection should key on the HTTP Host header seen after TLS inspection rather than on the SNI. The mutex name is Global\HiddenFace_Mutex.
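Added example (not from the page): IOC hygiene for the indicators above. It refangs the domains, rejects the printed hash because it is not 64 hex characters, separates the shared CDN hostname from the block-worthy C2 hostname, and looks for the domain-fronting pattern (a TLS SNI that differs from the HTTP Host header) in constructed proxy log lines. That mismatch is only visible where TLS is terminated or inspected; the log format and the SHARED_HOSTS list are assumptions.

```python
"""IOC hygiene and domain-fronting detection for the indicators listed above.
Added example, not from the page; the log format and SHARED_HOSTS are assumptions."""
import re

# Indicators exactly as printed on the page, defanged.
PAGE_IOCS = {
    "sha256": ["5a6b3c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4"],
    "domains": ["update.microsoft-account[.]com", "cdn.cloudflare[.]com"],
    "mutexes": [r"Global\HiddenFace_Mutex"],
}

# Shared-infrastructure hostnames that must never be blocked on their own
# (assumption; extend with the CDN edges your users legitimately reach).
SHARED_HOSTS = {"cdn.cloudflare.com"}

SHA256_RE = re.compile(r"[0-9a-f]{64}")
# Constructed proxy log format: "<ts> client=<ip> sni=<name> host=<name> bytes=<n>"
LOG_RE = re.compile(r"client=(\S+)\s+sni=(\S+)\s+host=(\S+)")

def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").lower()

def valid_sha256(h: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; anything else is unusable."""
    return SHA256_RE.fullmatch(h.strip().lower()) is not None

def triage_domains(domains):
    """Split domain IOCs into block-worthy hosts and context-only shared hosts."""
    block, context = [], []
    for d in map(refang, domains):
        (context if d in SHARED_HOSTS else block).append(d)
    return block, context

def find_fronting(log_lines, c2_hosts):
    """Report sessions whose outer TLS SNI differs from the inner HTTP Host.
    Only possible where the proxy can see the decrypted Host header."""
    c2 = {h.lower() for h in c2_hosts}
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        client, sni, host = (s.lower() for s in m.groups())
        if sni != host:
            hits.append({"client": client, "sni": sni, "host": host,
                         "known_c2": host in c2})
    return hits

def assess(iocs, log_lines):
    """Summarise which indicators are usable and what the logs show."""
    usable = [h for h in iocs["sha256"] if valid_sha256(h)]
    rejected = [h for h in iocs["sha256"] if not valid_sha256(h)]
    block, context = triage_domains(iocs["domains"])
    return {
        "usable_hashes": usable,
        "rejected_hashes": rejected,
        "block_domains": block,
        "context_domains": context,
        "fronting_hits": find_fronting(log_lines, block),
    }

# Constructed log lines, not real traffic: one fronted session to the C2, one
# ordinary session, and one genuine visit to the CDN edge.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z client=10.0.0.12 sni=cdn.cloudflare.com host=update.microsoft-account.com bytes=5120",
    "2024-05-01T10:00:03Z client=10.0.0.12 sni=www.example.com host=www.example.com bytes=800",
    "2024-05-01T10:00:07Z client=10.0.0.33 sni=cdn.cloudflare.com host=cdn.cloudflare.com bytes=22000",
]

if __name__ == "__main__":
    for key, value in assess(PAGE_IOCS, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the page's own indicators, the hash lands in rejected_hashes, only update.microsoft-account.com reaches the block list, and the single SNI/Host mismatch is the one session that actually reached the C2; the genuine visit to the CDN edge raises nothing.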
☠️ Risk & Impact
HiddenFace's primary impact is the exfiltration of sensitive government and military documents in support of state espionage. Financial losses are indirect but potentially severe, since stolen intelligence can compromise national security. Affected sectors include defense, foreign affairs, and law enforcement in Southeast Asia.
🛡️ Mitigation
Organizations should use application control (MITRE ATT&CK M1038, Execution Prevention) to block unsigned DLLs loading from user-writable directories and to stop signed system binaries being executed from outside their installed locations, enforce email filtering for LNK and ISO attachments, and deploy EDR with behavioral rules for persistence techniques such as scheduled task creation and Run-key modification. Trend Micro provides a detection name (TROJ_HIDDENFACE.A) and recommends patching Internet Explorer vulnerabilities used in the delivery chain.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.