Jackal (Malware)
⚠️ Overview
Jackal is a backdoor trojan first documented in March 2022 by the cybersecurity firm Trend Micro and attributed to the Chinese state-sponsored threat group Earth Berberoka, also known as WIRTE or TA401. It is classed as a remote access trojan (RAT) and is used primarily in espionage operations against government and military entities in the Middle East and Southeast Asia.
🔧 Technical Capabilities
Jackal is delivered through DLL side-loading: a signed, legitimate executable (e.g., RuiHuang.exe) is dropped alongside a malicious DLL that the executable loads, which helps the payload evade detection. It communicates with its command-and-control (C2) infrastructure over HTTPS with an additional custom encryption layer (XOR with a static key) and can exfiltrate files, execute arbitrary commands, take screenshots, and log keystrokes. Persistence is achieved via scheduled tasks or registry Run keys, and the malware performs anti-analysis checks for virtual machines and debuggers. It uses dynamic DNS domains for C2 resilience and has been observed using the PlugX framework for modular plugin loading, as reported by Trend Micro in their April 2022 analysis.
📜 History & Notable Incidents
Jackal was first observed in the wild in early 2022, targeting the Palestinian Authority and other Middle Eastern government networks. In April 2022, Trend Micro published a detailed technical report linking Jackal to the Earth Berberoka group and noting overlaps with the earlier WIRTE campaign, which exploited Microsoft Office vulnerabilities (CVE-2017-11882, CVE-2018-0798) for initial access. No public law enforcement actions have been taken against the operators as of 2025.
🔍 Detection Indicators
The SHA256 value 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2 given here is only an example placeholder, not a real indicator; the actual file hashes are published in Trend Micro's IOC list. Behavioral signatures include creation of scheduled tasks named "UpdateCheck" or "SystemHealth", and outbound HTTPS connections to domains like *.
☠️ Risk & Impact
Jackal enables sustained reconnaissance and data theft from compromised networks, leading to potential exfiltration of sensitive government documents, military plans, and diplomatic communications. Affected sectors primarily include government, defense, and telecommunications in the Middle East (Palestine, Israel, Saudi Arabia) and Southeast Asia (Vietnam, Philippines). The financial impact is measured in the loss of classified information rather than direct monetary theft, but secondary costs from incident response and system remediation are significant.
🛡️ Mitigation
Organizations should block execution of unsigned DLLs from the %APPDATA% and %TEMP% directories, deploy endpoint detection rules for DLL side-loading (e.g., on Sysmon Event ID 7, image load), and apply patches for the Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0798. Network defenders can apply TLS inspection to outbound HTTPS traffic destined for known dynamic DNS domains and use MITRE ATT&CK technique T1574.002 (DLL Side-Loading) as a reference for detection engineering.
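As an added illustration of the Sysmon-based detection suggested above (example code written for this page, not from Trend Micro or Boteraser), the Python below runs two heuristics over constructed Sysmon records: Event ID 7 loads of an unsigned or invalidly signed DLL from %APPDATA% or %TEMP%, and Event ID 1 process creations in which schtasks registers the UpdateCheck or SystemHealth task names. The sample records, user name and paths are constructed; only RuiHuang.exe and the task names come from the page.

```python
import re
from typing import Iterable, List, Tuple

# Rule 1 (Sysmon Event ID 7, image load): a DLL loaded from %APPDATA% or
# %TEMP% that is unsigned or whose signature did not validate.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\(roaming|local\\temp)\\", re.I)
# Rule 2 (Sysmon Event ID 1, process creation): schtasks registering one of
# the task names the page associates with Jackal persistence.
TASK_CREATE = re.compile(
    r'schtasks(\.exe)?.*\s/create\b.*\s/tn\s+"?(UpdateCheck|SystemHealth)"?', re.I)

def suspicious_dll_load(ev: dict) -> bool:
    loaded = ev.get("ImageLoaded", "")
    if ev.get("EventID") != 7 or not loaded.lower().endswith(".dll"):
        return False
    if not USER_WRITABLE.match(loaded):
        return False
    signed_ok = (ev.get("Signed", "false").lower() == "true"
                 and ev.get("SignatureStatus") == "Valid")
    return not signed_ok

def suspicious_task_creation(ev: dict) -> bool:
    return ev.get("EventID") == 1 and bool(TASK_CREATE.search(ev.get("CommandLine", "")))

def triage(events: Iterable[dict]) -> List[Tuple[str, dict]]:
    """Return (reason, event) pairs for records matching either rule."""
    hits = []
    for ev in events:
        if suspicious_dll_load(ev):
            hits.append(("T1574.002 side-load from user-writable path", ev))
        elif suspicious_task_creation(ev):
            hits.append(("persistence via known scheduled task name", ev))
    return hits

# Constructed sample records (user name, paths and task command are invented;
# RuiHuang.exe and the task names are the ones the page mentions).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\Update\RuiHuang.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Update\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\vendor.dll",
     "Signed": "true", "SignatureStatus": "Valid"},   # validly signed: not flagged
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "UpdateCheck" /tr "C:\Users\alice\AppData\Roaming\Update\RuiHuang.exe" /sc minute /mo 30'},
]
```

Running `triage(SAMPLE_EVENTS)` flags the unsigned helper.dll load and the UpdateCheck task creation, and leaves the validly signed loads alone; a signed-but-malicious DLL would still need the hash and path checks from the report.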
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.