Ixeshe

Malware

⚠️ Overview

Ixeshe is a downloader and information stealer that, according to the FortiGuard Labs reporting this entry draws on, was documented in 2022 and attributed to a Chinese-speaking threat actor tracked as Earth Berberoka. It belongs to the class of loaders that fetch secondary payloads (BumbleBee, Cobalt Strike beacons, raw shellcode) and steal credentials; initial infection is by phishing e-mails carrying booby-trapped ISO or RAR archives.

🔧 Technical Capabilities

Ixeshe arrives as a spear-phishing attachment, typically an ISO image. Until Microsoft's November 2022 security update, files copied out of a mounted ISO did not carry the Mark of the Web (MOTW), so SmartScreen and Office Protected View were never triggered; Microsoft tracks the related MOTW bypass as CVE-2022-41091, and the malware relied on the behaviour before the fix shipped. The downloader retrieves next-stage payloads from a hardcoded list of command-and-control (C2) servers over HTTP or HTTPS, with the message bodies AES-encrypted. Persistence is either a scheduled task or a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Before doing anything else it checks for sandbox environments, virtual machines and analysis tools such as Process Explorer and Wireshark; if any is present it exits without downloading a payload, so a detonation in a bare sandbox may show only the environment checks and no C2 traffic.

📜 History & Notable Incidents

According to the FortiGuard report this entry cites (September 2022), Ixeshe was first identified in July 2022 in targeted attacks on telecommunications, government and technology organisations in Southeast Asia, particularly the Philippines and Vietnam. A campaign analysed by Trend Micro in early 2023 had Ixeshe delivering Cobalt Strike beacons into energy-sector critical infrastructure. No CVE is unique to Ixeshe; the only one associated with it is the generic MOTW bypass CVE-2022-41091, and no law-enforcement action has been publicly recorded. One caveat on the name: IXESHE was also the name Trend Micro gave in 2012 to an APT backdoor and campaign (later linked to the group tracked as APT12), so a report that mentions "Ixeshe" may refer to that older family rather than the 2022 downloader described here; check hashes and dates before merging indicators from different sources.

🔍 Detection Indicators

Fortinet published SHA-256 hashes for Ixeshe samples. The one reproduced on this page, 27b3f5a1c6e1d9a8b4f2c7d3e5f6a8b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6, is 62 hexadecimal characters rather than the 64 a SHA-256 digest has, so it has been truncated or mis-transcribed and should be taken from the original report before being loaded into a blocklist. Network indicators are outbound connections to addresses in 45.77.xxx.xxx (shared VPS hosting space) with the User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"; that string is the common prefix of legitimate Chrome User-Agents, so it is only meaningful together with the destination, never on its own. Host artifacts are the Run value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IxesheUpdater and the mutex Global\IxesheMutex_001, which the malware creates to prevent a second instance from running.

☠️ Risk & Impact

Ixeshe is primarily a gateway for second-stage payloads. The resulting impact is theft of credentials and proprietary documents, followed by financial loss from ransomware or business email compromise (BEC) that the second stage enables. Documented campaigns hit telecommunications, government and energy organisations, with operational disruption and potential compromise of national-security assets.

🛡️ Mitigation

Block ISO (and other disk-image) attachments from external senders and apply Microsoft's November 2022 security update, which fixes CVE-2022-41091 and makes Windows propagate the Mark of the Web to files inside mounted ISO images. For detection, write Sigma rules for the scheduled-task creation and for the Run-key value (Sysmon event ID 13, or Security event 4657 if registry auditing is enabled; Security event 4698 for task creation), and have the endpoint detection and response (EDR) platform alert on the published hashes, the mutex name and outbound connections to the identified C2 ranges. Note that mutex creation is not written to the Windows event log or by Sysmon, so the mutex indicator is an EDR or memory-forensics check rather than a SIEM rule.
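As an added example (not code from this page, from Boteraser or from the Fortinet report), the following Python matches the indicators listed in the Detection section against constructed log records and checks that a hash IOC has the 64 hex digits a SHA-256 needs (the value printed on this page has 62). It assumes that "45.77.xxx.xxx" means the whole 45.77.0.0/16 and that User-Agent comes from a web-proxy log, since Sysmon's network event carries none; the host records follow Sysmon's field names but every record is made up.

```python
"""Added example: match the Ixeshe indicators from this page against log records.
Not code from Boteraser or from the Fortinet report. The records below are
constructed; host events use Sysmon field names (event ID 1 process create,
ID 13 registry value set) and the proxy records assume a proxy log that
carries destination IP and User-Agent."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Indicators as printed on this page.
RUN_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IxesheUpdater"
MUTEX = r"Global\IxesheMutex_001"          # not visible in event logs; EDR or memory check only
UA_PREFIX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
PAGE_HASH = "27b3f5a1c6e1d9a8b4f2c7d3e5f6a8b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6"
# Assumption: "45.77.xxx.xxx" read as the whole /16. It is shared VPS space,
# so a destination in it is only a weak signal.
C2_RANGE = ipaddress.ip_network("45.77.0.0/16")

_SHA256 = re.compile(r"^[0-9a-f]{64}$")
_HKU_SID = re.compile(r"^HKU\\S-1-5-21-[0-9-]+\\", re.IGNORECASE)


def is_valid_sha256(value: str) -> bool:
    """A SHA-256 IOC must be exactly 64 hex digits; the page's value is 62."""
    return bool(_SHA256.match(value.strip().lower()))


def normalise_hive(path: str) -> str:
    """Sysmon logs per-user keys as HKU\\<SID>\\...; fold that to HKCU so the IOC compares."""
    return _HKU_SID.sub(r"HKCU\\", path)


def match_event(ev: dict) -> Optional[Tuple[str, str]]:
    """Return (indicator, strength) for one record, or None if nothing matched."""
    if ev.get("source") == "sysmon":
        if ev.get("EventID") == 13:
            target = normalise_hive(ev.get("TargetObject", ""))
            if target.lower() == RUN_VALUE.lower():
                return ("run-key value IxesheUpdater", "strong")
        elif ev.get("EventID") == 1:
            cmd = ev.get("CommandLine", "").lower()
            # The task name is not published, so only a /create pointing into a
            # user-writable path is flagged, and only for analyst review.
            if "schtasks" in cmd and "/create" in cmd and "\\appdata\\" in cmd:
                return ("schtasks /create from AppData", "medium")
    elif ev.get("source") == "proxy":
        try:
            dst = ipaddress.ip_address(ev.get("dst", ""))
        except ValueError:
            return None
        # Both conditions occur in benign Chrome traffic; together they stay weak.
        if dst in C2_RANGE and ev.get("ua", "").startswith(UA_PREFIX):
            return ("Chrome-like UA to 45.77.0.0/16", "weak")
    return None


def scan(events: List[dict]) -> Dict[str, List[str]]:
    """Group matched indicators by strength so weak hits are not escalated alone."""
    out: Dict[str, List[str]] = {"strong": [], "medium": [], "weak": []}
    for ev in events:
        hit = match_event(ev)
        if hit:
            out[hit[1]].append(hit[0])
    return out


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"source": "sysmon", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\IxesheUpdater",
     "Details": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"source": "sysmon", "EventID": 1,
     "CommandLine": r"schtasks.exe /Create /SC ONLOGON /TN Updater /TR C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"source": "sysmon", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"source": "proxy", "dst": "45.77.12.34",
     "ua": UA_PREFIX + " (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"},
    {"source": "proxy", "dst": "142.250.74.46",
     "ua": UA_PREFIX + " (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"},
]

if __name__ == "__main__":
    print("page hash usable as SHA-256:", is_valid_sha256(PAGE_HASH))
    for strength, hits in scan(SAMPLE_EVENTS).items():
        print(strength, hits)
```

The strength tiers are the point: the Run value is specific enough to alert on by itself, a `schtasks /create` into AppData is generic persistence that needs a human look, and the proxy match will fire on ordinary Chrome sessions to any host in that VPS range, so it should only raise the priority of a host that already has a strong hit. The mutex is listed for completeness but cannot be matched here; query it through the EDR or a memory image.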


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.