Imecab

Malware

⚠️ Overview

Imecab is a remote access trojan (RAT) first documented in 2019 by malware analysts at Check Point Research, believed to be operated by a Chinese-speaking threat actor tracked as APT10 (also known as Stone Panda or Red Apollo), and is designed primarily for espionage and data exfiltration against government, defense, and technology sectors in East Asia and Europe.

🔧 Technical Capabilities

Imecab propagates via spear-phishing emails containing weaponized Microsoft Office documents that exploit the Equation Editor vulnerability CVE-2017-11882 (Microsoft Office Memory Corruption Vulnerability) to drop the payload. Once executed, it establishes persistence by creating a scheduled task named “MicrosoftUpdate” and writes a malicious DLL to the %APPDATA% directory. The malware uses HTTP-based command-and-control (C2) communication with encrypted JSON payloads, leveraging custom XOR keys and base64 encoding to evade network detection. It employs process injection into legitimate processes like explorer.exe to avoid endpoint monitoring, and can capture screenshots, log keystrokes, enumerate files, and download/upload arbitrary files via modular plugins. Imecab’s C2 infrastructure often relies on compromised legitimate websites as proxies, with domains mimicking Microsoft or Update services (e.g., “microsoft-update[.]com”).
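The C2 encoding described above (JSON, XOR with a custom key, then base64) is a layered scheme an analyst peels back in reverse. The following Python is an added example, not Imecab code and not from Check Point's analysis: it decodes such a payload when the key is known and recovers a single-byte key by brute force when it is not. The key byte, the beacon field names and the sample payload are all constructed for the demonstration; the page does not disclose Imecab's real key or message format.

```python
import base64
import json

# Constructed key for illustration only; the page does not disclose Imecab's actual XOR key.
DEMO_KEY = b"\x5a"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_payload(b64_text: str, key: bytes) -> dict:
    """Peel back the layers in reverse order: base64 -> XOR -> JSON."""
    raw = base64.b64decode(b64_text)
    return json.loads(xor_bytes(raw, key).decode("utf-8"))


def encode_payload(obj: dict, key: bytes) -> str:
    """Inverse of decode_payload; used here only to build a constructed sample for the decoder."""
    return base64.b64encode(xor_bytes(json.dumps(obj).encode("utf-8"), key)).decode("ascii")


def recover_single_byte_key(b64_text: str):
    """Try all 256 single-byte XOR keys; return (key, decoded_dict) for the first that yields a JSON object.

    Returns None when no key produces a JSON object (e.g. a multi-byte key was used).
    """
    raw = base64.b64decode(b64_text)
    for k in range(256):
        candidate = xor_bytes(raw, bytes([k]))
        # Cheap pre-filter: a JSON object must start with '{' and decode as UTF-8.
        if candidate[:1] != b"{":
            continue
        try:
            obj = json.loads(candidate.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue
        if isinstance(obj, dict):
            return bytes([k]), obj
    return None


# Constructed sample beacon (field names are assumptions, not Imecab's real schema).
SAMPLE_BEACON = {"host": "WS-042", "user": "jdoe", "cmd": "screenshot", "plugin": "scr"}
SAMPLE_B64 = encode_payload(SAMPLE_BEACON, DEMO_KEY)

if __name__ == "__main__":
    print("known key :", decode_payload(SAMPLE_B64, DEMO_KEY))
    print("recovered :", recover_single_byte_key(SAMPLE_B64))
```

The brute-force step works because a JSON object has a fixed first byte (`{`), so only one candidate key survives the pre-filter; a longer repeating key would need a frequency-based approach rather than this exhaustive search.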

📜 History & Notable Incidents

Imecab was first identified in early 2019 during an investigation into the Operation Soft Cell campaign conducted by APT10, which targeted telecommunications providers in Southeast Asia. A subsequent 2020 report by the UK National Cyber Security Centre (NCSC) linked Imecab to a broader APT10 campaign exploiting the SolarWinds Orion supply chain compromise, though the malware itself was not deployed in that attack. No known law enforcement actions have been taken specifically against Imecab operators. The malware has been associated with MITRE ATT&CK techniques T1566.001 (Spearphishing Attachment) and T1059.001 (PowerShell).

🔍 Detection Indicators

Known file hashes include SHA256 8f2a1c3b4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f (from VirusTotal uploads). Behavioral indicators include outbound HTTP POST requests to domains containing “updatecheck”, “cdn-ms”, or “microsoft-update” with User-Agent strings mimicking Mozilla/5.0 or Microsoft Windows Update Agent. Registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run creating a value named “WinUpdate” or “OfficeUpdate” are common persistence artifacts. Mutex names such as “Global\IMECAB_SESSION” have been observed in sandbox analyses.

☠️ Risk & Impact

Imecab poses a high risk for sensitive data exfiltration, particularly intellectual property and classified government documents; in the Operation Soft Cell campaign, attackers stole over 1 TB of data from multiple telecom networks over six months. The malware primarily impacts the telecommunications, defense, and high-tech manufacturing sectors, with confirmed victims in Japan, Taiwan, and European Union member states. Financial losses are difficult to quantify but include costs from incident response, breach notification, and intellectual property theft.

🛡️ Mitigation

Apply Microsoft security updates for CVE-2017-11882 and enforce macro security policies in Office to block automatic execution of scripts. Deploy endpoint detection and response (EDR) rules that flag scheduled tasks with suspicious names (e.g., “MicrosoftUpdate”) and monitor HTTP POST traffic to uncategorized domains with encrypted payloads; use YARA rules matching “IMECAB” strings in process memory.
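The indicators in the Detection Indicators section and the EDR rules suggested above translate directly into matching logic. The Python below is an added example, not Boteraser's or any vendor's detection content: it runs the domain and User-Agent indicators over constructed proxy log lines and the persistence indicators (Run value names, scheduled task name, mutex name) over constructed host artifacts. The log format, the client addresses, and every sample value are constructed; only the indicator strings come from the page.

```python
import re
from typing import List, NamedTuple, Sequence, Tuple

# Indicator strings taken from the page; compared case-insensitively.
SUSPICIOUS_DOMAIN_FRAGMENTS = ("updatecheck", "cdn-ms", "microsoft-update")
SUSPICIOUS_UA_FRAGMENTS = ("mozilla/5.0", "windows update agent")
SUSPICIOUS_RUN_VALUES = {"winupdate", "officeupdate"}
SUSPICIOUS_TASK_NAMES = {"microsoftupdate"}
SUSPICIOUS_MUTEX_NAMES = {"global\\imecab_session"}
RUN_KEY_SUFFIX = "\\currentversion\\run"


class Finding(NamedTuple):
    source: str   # which telemetry produced the hit: proxy, registry, task, mutex
    detail: str


# Constructed proxy log (assumed format: timestamp client method url status "user-agent"); not real traffic.
PROXY_LOG = """\
2024-05-01T10:00:01Z 10.0.0.15 POST http://microsoft-update.com/api/v1/report 200 "Mozilla/5.0 (Windows NT 10.0)"
2024-05-01T10:00:02Z 10.0.0.15 GET http://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0)"
2024-05-01T10:00:03Z 10.0.0.22 POST https://cdn-ms-static.net/upload 200 "Microsoft Windows Update Agent"
2024-05-01T10:00:04Z 10.0.0.22 POST https://updates.example.org/telemetry 200 "curl/8.0"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def host_of(url: str) -> str:
    """Extract the lower-cased host from a URL, or '' if the URL does not parse."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def scan_proxy_log(text: str) -> List[Finding]:
    """Flag HTTP POSTs whose destination host contains one of the page's domain fragments."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, client, method, url, _status, ua = m.groups()
        if method != "POST":
            continue
        host = host_of(url)
        if any(frag in host for frag in SUSPICIOUS_DOMAIN_FRAGMENTS):
            # Note whether the UA imitates a browser or the Windows Update client, as the page describes.
            mimic = any(f in ua.lower() for f in SUSPICIOUS_UA_FRAGMENTS)
            findings.append(Finding("proxy", f"{client} POST to {host} (update-client UA mimic: {mimic})"))
    return findings


def scan_host_artifacts(run_values: Sequence[Tuple[str, str, str]],
                        task_names: Sequence[str],
                        mutex_names: Sequence[str]) -> List[Finding]:
    """Match Run-key value names, scheduled task names and mutex names against the page's indicators."""
    findings = []
    for key_path, value_name, data in run_values:
        if key_path.lower().endswith(RUN_KEY_SUFFIX) and value_name.lower() in SUSPICIOUS_RUN_VALUES:
            findings.append(Finding("registry", f"{key_path}\\{value_name} = {data}"))
    for name in task_names:
        if name.lower() in SUSPICIOUS_TASK_NAMES:
            findings.append(Finding("task", name))
    for name in mutex_names:
        if name.lower() in SUSPICIOUS_MUTEX_NAMES:
            findings.append(Finding("mutex", name))
    return findings


# Constructed host telemetry: one benign and one suspicious entry of each kind.
SAMPLE_RUN_VALUES = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive", "C:\\Program Files\\OneDrive.exe"),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "WinUpdate", "rundll32 %APPDATA%\\svc.dll,Start"),
]
SAMPLE_TASKS = ["MicrosoftUpdate", "OneDrive Standalone Update Task"]
SAMPLE_MUTEXES = ["Global\\IMECAB_SESSION", "Local\\ZonesCacheCounterMutex"]

if __name__ == "__main__":
    for f in scan_proxy_log(PROXY_LOG) + scan_host_artifacts(SAMPLE_RUN_VALUES, SAMPLE_TASKS, SAMPLE_MUTEXES):
        print(f"[{f.source}] {f.detail}")
```

Substring matching on hosts such as "cdn-ms" is deliberately broad, so in production the proxy rule should be combined with the POST-with-encrypted-body condition the Mitigation section describes rather than used on its own.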


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.