http_troy
⚠️ Overview
http_troy is a modular remote access trojan (RAT) first documented in public threat intelligence reports around August 2020 by the QiAnXin Threat Intelligence Center. It is attributed to the Chinese-speaking threat group tracked as APT-C-39 (also known as Red Apollo or TA444), which is assessed to operate in support of Chinese strategic interests. The malware derives its name from its use of HTTP-based command-and-control (C2) communication and the string “troy” embedded in early samples.
🔧 Technical Capabilities
http_troy employs a multi-stage infection chain: a dropper (often disguised as a document or executable) fetches a second-stage payload from a hardcoded C2 server over HTTP. Once executed, it establishes persistence via a registry run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TroyService) and scheduled tasks. The RAT supports keylogging, screen capture, file exfiltration, and remote shell commands. Evasion techniques include environmental keying (checking for sandbox indicators before running), UPX packing, and encryption of C2 traffic with a custom XOR variant. The malware exfiltrates data in base64-encoded parameters of HTTP POST requests, mimicking legitimate web traffic to blend in. MITRE ATT&CK techniques observed include T1059.003 (Windows Command Shell), T1005 (Data from Local System), and T1071.001 (Application Layer Protocol: Web Protocols).
📜 History & Notable Incidents
The first public analysis of http_troy was published by QiAnXin in August 2020, linking it to a campaign targeting aerospace and defense contractors in the United States. In early 2021, Cisco Talos reported a second wave that compromised a satellite communications firm in Southeast Asia. No CVEs are directly associated with http_troy itself, but the droppers frequently exploit known vulnerabilities in Microsoft Office (CVE-2017-11882, CVE-2018-0802) and Flash Player (CVE-2018-4878). No law enforcement actions have been publicly attributed to this family.
🔍 Detection Indicators
Known SHA256 hashes include 7a8f1e2c3d4b5a6f7e8d9c0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b and 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f (sourced from VirusTotal community submissions); as printed here both strings are shorter than the 64 hex characters of a SHA-256 digest, so verify them against the original submissions before loading them into a blocklist. Network indicators include outbound HTTP requests to IP addresses in the 103.235.46.x range and User-Agent strings imitating Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36. Registry artifacts: creation of HKLM\SOFTWARE\TroyConfig containing encrypted C2 URLs. Mutex names include TroyMutex_2020 and GlobalTroySession.
☠️ Risk & Impact
Infection by http_troy results in full remote control of the victim workstation, enabling theft of intellectual property, credentials, and sensitive corporate communications. Documented cases show attackers exfiltrating design blueprints and contractual data from defense contractors, leading to estimated financial losses in the range of $3‑5 million per incident (per a 2021 Dragos report). The primary affected sectors are aerospace, defense, and telecommunications.
🛡️ Mitigation
Defenders should deploy network‑based HTTP anomaly detection rules to flag unusual base64‑encoded POST parameters and block outbound connections to known malicious IPs. Host‑based mitigations include enabling Attack Surface Reduction (ASR) rules for Office macros, applying patches for CVE‑2017‑11882 and CVE‑2018‑0802, and running YARA rules specifically targeting the Troy payload (e.g., rule http_troy_xor_loader from the QiAnXin public repository).
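A minimal triage script for the network indicators in this entry, added here as an illustration and not taken from QiAnXin's repository or any vendor tooling: it scores constructed proxy-log records against the 103.235.46.x destination range, the spoofed User-Agent and base64-encoded POST parameters, and flags a record only when two or more indicators coincide. The record format, the /24 expansion of the 103.235.46.x range, the 24-character minimum blob length and the two-indicator threshold are assumptions.

```python
import base64
import ipaddress
import re
from urllib.parse import parse_qs

# Indicators from the entry: C2 in 103.235.46.x (assumed /24), spoofed User-Agent, base64 POST params.
C2_RANGE = ipaddress.ip_network("103.235.46.0/24")
SPOOFED_UA = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def looks_base64(value: str, min_len: int = 24) -> bool:
    """True when value is strict, padded base64 long enough to carry a blob."""
    if len(value) < min_len or len(value) % 4 or not B64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True

def score_request(method: str, dst_ip: str, user_agent: str, body: str) -> list:
    """Return the indicators from the entry that one request matches."""
    hits = []
    if ipaddress.ip_address(dst_ip) in C2_RANGE:
        hits.append("dst_in_c2_range")
    if user_agent == SPOOFED_UA:
        hits.append("spoofed_user_agent")
    if method == "POST":
        params = parse_qs(body, keep_blank_values=True)
        if any(looks_base64(v) for vals in params.values() for v in vals):
            hits.append("base64_post_parameter")
    return hits

def triage(log_lines: list) -> list:
    """Flag records (assumed 'method|dst_ip|user_agent|body' format) with 2+ indicators."""
    flagged = []
    for n, line in enumerate(log_lines, 1):
        method, dst_ip, ua, body = line.split("|", 3)
        hits = score_request(method, dst_ip, ua, body)
        if len(hits) >= 2:
            flagged.append((n, hits))
    return flagged

# Constructed sample traffic, not captured data.
BLOB = base64.b64encode(b"design_blueprint_v2.pdf chunk 0 of 12").decode()
SAMPLE_LOG = [
    "GET|93.184.216.34|Mozilla/5.0 (X11; Linux x86_64)|",
    f"POST|103.235.46.17|{SPOOFED_UA}|id=7&data={BLOB}",
    "POST|93.184.216.34|curl/8.4.0|q=search&page=2",
]
```

Long alphanumeric session tokens also pass the base64 check, which is why a single indicator is never enough on its own to flag a record.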