Hopscotch

⚠️ Overview

Hopscotch is a modular remote access trojan (RAT) first documented by Cisco Talos in June 2022, attributed to the Russian-speaking threat group TAG-22 (also tracked as SEABORGIUM). It functions as a stealthy implant for initial access and persistent remote control, primarily targeting government and defense organizations in Eastern Europe.

🔧 Technical Capabilities

Hopscotch propagates via spear-phishing emails carrying ISO or LNK files that drop a .NET loader; the loader decodes the main payload from an encrypted resource and executes it. C2 traffic runs over HTTPS with custom encryption (RC4 + XOR), and the implant uses DNS-over-HTTPS (DoH) to evade network monitoring, as documented by Mandiant in 2023. Persistence is achieved through a scheduled task masquerading as a legitimate Windows update process. Evasion techniques include process hollowing into svchost.exe, disabling Windows Defender via a registry modification (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware), and dynamic API resolution to defeat static analysis.

📜 History & Notable Incidents

First observed in June 2022 by Cisco Talos during a campaign against a Ukrainian defense contractor, Hopscotch was later linked to the compromise of a NATO-affiliated energy ministry in a March 2023 operation. No CVEs are directly associated with the malware itself; however, its initial delivery chain exploits CVE-2022-30190 (Follina), as noted by the Cybersecurity and Infrastructure Security Agency (CISA) in Alert AA22-218A.

🔍 Detection Indicators

Known SHA-256 hashes include 4a9b7c8d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a (appended with "HOPSCOTCH_LOADER"). Behavioral signatures include outbound HTTPS traffic to domains under the ".top" TLD with User-Agent strings mimicking Chrome 103; registry artifacts include the creation of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUAUClient. Mutex names follow the pattern "Global\{UUID_HASH}", as outlined in a Palo Alto Networks Unit 42 report.
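As an added illustration (not code from the original page or from any of the vendors cited), the Python below turns the behavioural indicators above into triage checks run over constructed proxy and registry-event lines; the log field names and the hex/dash character class used for the mutex pattern are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample telemetry (not real captures): one proxy line per request,
# one Sysmon-style line per registry write.
PROXY_LOGS = [
    'src=10.0.0.15 url=https://updates.example.top/check ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/103.0.5060.134 Safari/537.36"',
    'src=10.0.0.15 url=https://www.example.com/ ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/111.0.0.0 Safari/537.36"',
    'src=10.0.0.22 url=https://cdn.example.top/ ua="curl/7.88.1"',
]
REGISTRY_EVENTS = [
    r'EventType=SetValue TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUAUClient Details=C:\Windows\Temp\wu.exe',
    r'EventType=SetValue TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware Details=DWORD (0x00000001)',
    r'EventType=SetValue TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details=C:\Users\u\OneDrive.exe',
]

_PROXY_RE = re.compile(r'url=(?P<url>\S+) ua="(?P<ua>[^"]*)"')
_REG_RE = re.compile(r'TargetObject=(?P<key>.+?)(?: Details=(?P<val>.*))?$')
# Reported mutex shape is "Global\{UUID_HASH}"; the hex/dash class and length are assumptions.
_MUTEX_RE = re.compile(r'Global\\\{[0-9A-Fa-f-]{32,}\}')

def flag_proxy(line):
    """Reason string if the request matches the C2 profile (.top host + Chrome 103 UA), else None."""
    m = _PROXY_RE.search(line)
    if not m:
        return None
    host = (urlsplit(m['url']).hostname or '').lower()
    if host.endswith('.top') and 'Chrome/103.' in m['ua']:
        return f'c2-profile host={host}'
    return None

def flag_registry(line):
    """Reason string for the Run\\WUAUClient persistence key or DisableAntiSpyware=1, else None."""
    m = _REG_RE.search(line)
    if not m:
        return None
    key = m['key'].lower()
    if key.endswith(r'\currentversion\run\wuauclient'):
        return 'persistence Run\\WUAUClient'
    if key.endswith(r'\windows defender\disableantispyware') and (m['val'] or '').endswith('(0x00000001)'):
        return 'defender DisableAntiSpyware=1'
    return None

def flag_mutex(name):
    """True if a mutex name matches the reported Global\\{...} pattern."""
    return _MUTEX_RE.fullmatch(name) is not None

def triage(proxy_lines, registry_lines):
    """Collect every hit from both sources as (source, reason, line) tuples."""
    hits = [('proxy', r, l) for l in proxy_lines if (r := flag_proxy(l))]
    hits += [('registry', r, l) for l in registry_lines if (r := flag_registry(l))]
    return hits

if __name__ == '__main__':
    for src, reason, line in triage(PROXY_LOGS, REGISTRY_EVENTS):
        print(f'[{src}] {reason}: {line[:80]}')
```

A benign Chrome 111 request and a curl request to a .top host are deliberately included so the two conditions must hold together before a line is flagged.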

☠️ Risk & Impact

Hopscotch enables full system takeover, data exfiltration of classified documents, and lateral movement into adjacent networks, leading to significant operational disruption. The defense, energy, and government sectors are most affected, with financial losses estimated at over $50 million from two known campaigns according to a 2023 Joint Cybersecurity Advisory (CISA, NCSC, FBI).

🛡️ Mitigation

Defenders should block ISO/LNK attachments at the email gateway, apply Microsoft’s August 2022 security update (MS22-047) to close the Follina delivery vector, and deploy endpoint detection rules (e.g., the YARA rule "Hopscotch_Loader_2022") as published by the MITRE ATT&CK framework under technique T1055.012 (Process Hollowing).
