IXWare


⚠️ Overview

IXWare is a modular remote access trojan (RAT) first discovered in April 2022 by Unit 42 of Palo Alto Networks, attributed to a Chinese-speaking threat group tracked as Earth Preta. The malware is designed for targeted cyber espionage against government and telecommunications entities in Southeast Asia, operating as a stealthy backdoor with plugin-based extensibility.

🔧 Technical Capabilities

IXWare employs a modular architecture with plugins for keylogging, screen capture, file exfiltration, and arbitrary command execution. It propagates via spear‑phishing emails containing malicious macro‑enabled documents or ISO files that drop a DLL loader. The C2 channel uses HTTPS over custom TLS certificates, mimicking legitimate web traffic to evade network detection; the malware retrieves dynamic C2 IP addresses from a dead‑drop resolver on Pastebin or GitHub (MITRE ATT&CK T1102). Persistence is achieved through a scheduled task named “WindowsUpdateService” and a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include DLL sideloading via a signed legitimate binary (e.g., a benign Microsoft executable), process hollowing (T1055.012), and sandbox detection by checking for disk sizes below 60 GB or the presence of common analysis tools such as Wireshark.

📜 History & Notable Incidents

First observed in early 2022, IXWare was deployed in March 2022 against a Southeast Asian telecom provider, exfiltrating subscriber databases and internal documents. A second major campaign in October 2022 targeted a Philippine government ministry using CVE‑2021‑40444 (MSHTML vulnerability) for initial access. No CVEs are specific to IXWare itself; it relies on weaponized exploits. Law enforcement actions have not been publicly disclosed as of 2024.

🔍 Detection Indicators

Known file hashes include SHA256: 4c5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f (listed in the Unit 42 report). Behavioral indicators: outbound HTTPS to domains with random‑letter subdomains (e.g., xyz123[.]com), creation of the mutex “IXMutex_2022”, and the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppX\IXWare. The User‑Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36” is used for C2 traffic; note that this is a stock Chrome 91 string also sent by legitimate browsers, so it should be correlated with the destination host rather than alerted on in isolation.
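The following triage helper is an added example, not code from the Unit 42 report or from Boteraser; it turns the persistence, mutex and C2 indicators listed on this page into checks over constructed proxy log lines and endpoint telemetry (the log format, the event schema and the entropy thresholds are assumptions, not something the page specifies).

```python
import math
import re

# Indicators quoted on this page. The UA string is a stock Chrome 91 string that
# benign clients also send, so it is scored only together with a suspicious host.
IXWARE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
IXWARE_MUTEX = "IXMutex_2022"
IXWARE_TASK = "WindowsUpdateService"
IXWARE_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed proxy log format (an assumption): <ts> <src_ip> <host> "<user-agent>"
PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

def entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def random_looking_label(host: str) -> bool:
    """Heuristic for the 'random-letter subdomain' indicator: the leftmost label
    mixes letters and digits, or has high character entropy. Tune to your traffic."""
    label = host.lower().split(".")[0]
    if len(label) < 6 or not label.isalnum():
        return False
    mixed = any(c.isdigit() for c in label) and any(c.isalpha() for c in label)
    return mixed or entropy(label) >= 3.2

def flag_proxy_line(line: str) -> bool:
    """True when a proxy record shows the page's C2 pattern: exact IXWare UA
    *and* a random-looking destination host. Either alone is too noisy."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return False
    _ts, _src, host, ua = m.groups()
    return ua == IXWARE_UA and random_looking_label(host)

def host_indicators(events: list) -> set:
    """Map endpoint telemetry (constructed schema: dicts with 'type' and 'name'
    or 'key') to the persistence and mutex indicators listed on the page."""
    hits = set()
    for ev in events:
        if ev["type"] == "mutex" and ev["name"] == IXWARE_MUTEX:
            hits.add("mutex")
        elif ev["type"] == "scheduled_task" and ev["name"] == IXWARE_TASK:
            hits.add("scheduled_task")
        elif ev["type"] == "registry_set" and ev["key"].lower() == IXWARE_RUN_KEY.lower():
            hits.add("run_key")
    return hits
```

Two or more distinct hits from `host_indicators` on one host, or a `flag_proxy_line` match from that host, is a reasonable threshold for escalation; a single hit on the run key alone is common in benign software.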

☠️ Risk & Impact

IXWare enables full remote control of infected hosts, leading to exfiltration of classified documents, credentials, and internal communications. Financial losses from breach response and system remediation are estimated in the tens of millions of dollars across affected governments and telecoms in the Asia‑Pacific region. The malware primarily impacts critical infrastructure sectors—government, telecommunications, and defense—where intellectual property theft can compromise national security.

🛡️ Mitigation

Defenders should block macros from untrusted sources, apply patches for CVE‑2021‑40444 and other known exploit vectors, deploy endpoint detection rules for DLL sideloading and process hollowing (T1055.012), and monitor for the specific IOCs detailed in the Unit 42 report “IXWare: New Backdoor Targets Southeast Asian Governments” (April 2022).


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.