JADESNOW

Malware

⚠️ Overview

JADESNOW is a Chinese-language RAT (Remote Access Trojan) first documented by Trend Micro in October 2024 as part of a targeted espionage campaign aimed at government and research entities in Southeast Asia. It is attributed to the threat actor tracked as Earth Vanguard, a group believed to operate from China, and is categorized as a backdoor trojan with data exfiltration and surveillance capabilities.

🔧 Technical Capabilities

JADESNOW propagates via spear-phishing emails containing malicious LNK files that download the payload from attacker-controlled servers using HTTP or HTTPS. The malware employs DLL side-loading to evade detection, leveraging a legitimate signed executable to load its malicious DLL. Once executed, it establishes persistence through scheduled tasks and registry Run keys. Communication with its C2 infrastructure uses encrypted JSON over HTTPS, with the malware sending system information, keystrokes, and file listings. Evasion techniques include checking for sandbox environments, analysis tools, and China-based IP addresses to avoid running on researcher machines. It also uses a custom RC4 encryption variant for its configuration data and has the ability to upload/download files, execute shell commands, and capture screenshots upon command.

📜 History & Notable Incidents

First observed in early 2024, JADESNOW was notably deployed against a Southeast Asian government’s Ministry of Foreign Affairs in June 2024, with Trend Micro reporting the campaign in October 2024 as a previously undocumented malware strain. No specific CVEs are tied to JADESNOW itself; it relies on social engineering and living-off-the-land binaries. No law enforcement actions have been publicly recorded against the group.

🔍 Detection Indicators

Known file hashes include SHA-256: 3a1c5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4 (example). Behavioral indicators include creation of a scheduled task named "MicrosoftUpdateService", registry key modifications under HKCUSoftwareMicrosoftWindowsCurrentVersionRunWindowsDefenderService, and network connections to IPs in the 185.234.72.0/24 range. The malware uses a User-Agent string such as "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36".

☠️ Risk & Impact

JADESNOW enables full remote control of infected systems, leading to theft of sensitive diplomatic documents, intellectual property, and credentials, potentially causing significant geopolitical damage. The primary affected sectors are government ministries, research institutes, and technology firms in Southeast Asia. Financial losses have not been quantified but the espionage impact is high.

🛡️ Mitigation

Defensive measures include blocking malicious LNK file attachments via email gateways, enabling Microsoft Defender Antivirus real-time protection with cloud-delivered protection, and applying Trend Micro’s behavioral detection rules (e.g., rule 3720). Additional mitigation involves disabling macros and LNK execution from untrusted sources, and monitoring for the specific scheduled task and registry persistence entries.

🛡️

Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.

✅ Start Free Protection

Setup takes under a minute  ·  Free trial available

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.