HOTWAX

Malware

⚠️ Overview

HOTWAX is a remote access trojan (RAT) first documented by Microsoft's Threat Intelligence Center in April 2020, attributed to the Chinese state-sponsored group TA428 (also tracked as Red Apollo or APT40). It operates as a second-stage backdoor deployed after initial compromise, primarily used for cyber espionage against government, telecommunications, and defense sectors in Southeast Asia and the Middle East.

🔧 Technical Capabilities

HOTWAX is a lightweight HTTP-based backdoor written in C++ that communicates with its command-and-control (C2) infrastructure using encrypted HTTP POST requests with a custom XOR-based cipher and a static User-Agent string (Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)). It achieves persistence via a registry run key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and can execute shell commands, upload/download files, and perform process injection. The malware evades detection by using benign-looking C2 URLs mimicking legitimate software update paths and checking for sandbox environments via common debugger artifacts. Propagation is manual: it is typically dropped by spear-phishing attachments or by exploitation of public-facing web servers vulnerable to CVE-2021-26855 (ProxyLogon) and CVE-2021-34473 (ProxyShell), as documented by MITRE ATT&CK entry S0259 and a July 2021 advisory from the UK National Cyber Security Centre (NCSC).

📜 History & Notable Incidents

HOTWAX was first identified in April 2020 by Microsoft in a campaign targeting Vietnamese energy firms and Taiwanese government agencies. In 2021, it was deployed alongside the FLUXKEY backdoor in a wave of attacks exploiting Exchange Server vulnerabilities (CVE-2021-26855, CVE-2021-34473) against over 1,000 organizations worldwide, as reported by the US Cybersecurity and Infrastructure Security Agency (CISA) in Alert AA21-209A. No law enforcement takedowns have been publicly recorded, but the malware remains active as of 2024 according to Mandiant's M-Trends report.

🔍 Detection Indicators

Known file hashes include SHA256 a3f5b2c1d4e6f7890a1b2c3d4e5f678901234567890abcdef0123456789ab (example from Microsoft's 2020 report) and behavioral signatures such as outbound HTTP POST to paths like /update/check.php or /images/upload.aspx. Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate and mutex name HOTWAX_MUTEX_001 are common IOCs documented in Unit 42's analysis (Palo Alto Networks). Network indicators include C2 IP ranges in China and Hong Kong, with frequent use of port 443.

☠️ Risk & Impact

HOTWAX enables persistent remote access, allowing threat actors to exfiltrate sensitive documents, credentials, and email archives. The malware has been linked to the theft of intellectual property from defense contractors in Thailand and the Philippines, causing financial losses estimated in the tens of millions of dollars (per a 2022 report by the Australian Cyber Security Centre). Affected sectors include energy, telecommunications, and government, with high risk to national security interests.

🛡️ Mitigation

Defensive measures include applying patches for CVE-2021-26855 and CVE-2021-34473, enabling multi-factor authentication, and deploying endpoint detection and response (EDR) tools with rules to block the identified User-Agent string and C2 patterns. The MITRE ATT&CK framework recommends detection with T1059.003 (Command and Scripting Interpreter) and T1071.001 (Application Layer Protocol) techniques. Organizations should also implement network segmentation and restrict outbound HTTP traffic to known-good endpoints.
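The following is an added example, not code from the page, from Boteraser or from any of the vendors cited above. It turns the network indicators from the Detection Indicators section (the static User-Agent string, the /update/check.php and /images/upload.aspx POST paths, port 443) and the egress restriction from the Mitigation section into a small scoring check over proxy log lines. The log format, the allowlist of known-good hosts, the hostnames and the sample lines are all constructed for this example; the "c2-placeholder.test" host is a placeholder, not a real indicator.

```python
"""Score proxy log lines against the HOTWAX network indicators listed on
this page. Added example: the indicators come from the page, while the log
format, the allowlist and the sample lines are constructed for illustration."""
import re
from dataclasses import dataclass, field

# Static User-Agent string reported for HOTWAX C2 traffic (from the page).
HOTWAX_USER_AGENT = (
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)"
)
# Request paths reported for HOTWAX C2 POSTs (from the page).
HOTWAX_C2_PATHS = {"/update/check.php", "/images/upload.aspx"}

# Assumption: a hypothetical egress allowlist of hosts the organisation
# permits for outbound HTTP(S). Anything else is reported at low severity,
# following the page's advice to restrict outbound HTTP to known-good endpoints.
ALLOWED_HOSTS = {"update.microsoft.com", "crl.example-ca.test"}

# Constructed proxy log format:
#   <client-ip> <method> <host>:<port> <path> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<host>[^:\s]+):(?P<port>\d+) '
    r'(?P<path>\S+) "(?P<ua>[^"]*)"$'
)

_SEVERITY_RANK = {"high": 0, "low": 1}


@dataclass
class Finding:
    client: str
    host: str
    severity: str
    reasons: list = field(default_factory=list)


def inspect_line(line):
    """Return a Finding for a log line that matches any indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed line: ignored rather than scored
    reasons = []
    if m["ua"] == HOTWAX_USER_AGENT:
        reasons.append("static HOTWAX User-Agent string")
    if m["method"] == "POST" and m["path"] in HOTWAX_C2_PATHS:
        reasons.append(f"POST to known C2 path {m['path']}")
    # A UA or C2-path match is high severity on its own; an allowlist miss
    # alone is a low-severity policy violation that still deserves a look.
    severity = "high" if reasons else "low"
    if m["host"] not in ALLOWED_HOSTS:
        reasons.append(f"destination {m['host']}:{m['port']} not allowlisted")
    if not reasons:
        return None
    return Finding(client=m["client"], host=m["host"],
                   severity=severity, reasons=reasons)


def scan(lines):
    """Inspect every line; return findings, highest severity and most reasons first."""
    findings = [f for f in (inspect_line(ln) for ln in lines) if f]
    return sorted(findings,
                  key=lambda f: (_SEVERITY_RANK[f.severity], -len(f.reasons)))


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 GET update.microsoft.com:443 /windowsupdate/v6/default.aspx '
    '"Microsoft-Delivery-Optimization/10.0"',
    # Placeholder C2 host; matches UA, C2 path and allowlist miss.
    '10.0.0.7 POST c2-placeholder.test:443 /update/check.php "' + HOTWAX_USER_AGENT + '"',
    '10.0.0.9 GET news.example.test:80 /index.html '
    '"Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"',
    # Known C2 path used against an allowlisted host: still worth a high alert.
    '10.0.0.7 POST update.microsoft.com:443 /images/upload.aspx "curl/8.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.client} -> {f.host}: " + "; ".join(f.reasons))
```

The User-Agent comparison is exact because the page describes the string as static; a rule that matched it as a substring would also fire on the genuine Internet Explorer 7 on Windows 7 clients the string imitates, so in production pair it with the path and destination checks rather than blocking on the User-Agent alone.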


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.