JelusRAT
⚠️ Overview
JelusRAT is a remote access trojan (RAT) first observed in the wild in early 2022 by the QiAnXin Threat Intelligence Center, attributed to a Chinese-speaking threat actor tracked as APT-Q-27. This malware family is primarily used for cyber espionage, targeting government and defense entities in Southeast Asia and the Middle East, and operates as a modular backdoor capable of executing arbitrary commands.
🔧 Technical Capabilities
JelusRAT propagates via spear-phishing emails carrying malicious Microsoft Office documents that exploit the Follina vulnerability (CVE-2022-30190) to deliver the initial payload. Once executed, the trojan establishes a command-and-control (C2) connection over HTTPS using custom TLS certificates and resolves its domains through DNS-over-HTTPS (DoH) from services such as Cloudflare (1.1.1.1), which keeps the lookups out of conventional DNS monitoring. Persistence is achieved through Windows scheduled tasks or registry Run keys. For evasion, it employs process hollowing into legitimate processes (e.g., svchost.exe), anti-debugging checks via NtQueryInformationProcess, and binary packing with a custom crypter that checks for sandbox environments. The malware can enumerate files, capture keystrokes via a low-level keyboard hook, and exfiltrate data over HTTP POST requests with a distinctive user-agent string, Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36.
📜 History & Notable Incidents
JelusRAT first appeared in June 2022 during a campaign targeting Myanmar's Ministry of Defense, using phishing lures about regional political events. In August 2023, Trend Micro reported a second wave targeting Indian defense contractors via LinkedIn phishing, with C2 domains registered through Namecheap and hosted on IPs belonging to the Hong Kong-based provider Stark Industries. No CVEs are directly associated with JelusRAT itself, but it leverages the aforementioned Follina vulnerability (CVE-2022-30190) and uses TTPs mapped to MITRE ATT&CK techniques T1566.001 (Spearphishing Attachment), T1059.001 (PowerShell), and T1574.002 (DLL Side-Loading).
🔍 Detection Indicators
Known file hashes include SHA256: 3f7c8e9a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8 for a sample analyzed by VirusTotal in 2023. Behavioral signatures include the creation of the mutex JelusMutex2022, the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JelusUpdater, and outbound HTTPS connections to domains ending in .xyz and .top with a specific TLS JA3 fingerprint 51c64c77e60f3980eea908f4cf71b8c4.
☠️ Risk & Impact
JelusRAT poses a high risk of data exfiltration, particularly credential theft and classified document theft, with observed exfiltration rates exceeding 50 MB per session. The primary impacted sectors are national defense and government institutions in Myanmar, India, and the Philippines, with secondary effects on telecommunications infrastructure. Financial losses are indirect but significant, linked to remediation costs and operational disruption, estimated at over $2 million per incident based on CrowdStrike's assessment of similar RAT intrusions.
🛡️ Mitigation
Mitigation includes applying Microsoft patches for CVE-2022-30190 (MSDT zero-day), blocking outbound HTTPS connections to known .xyz and .top domains via network firewalls, and deploying YARA rules detecting the JelusMutex2022 mutex and the process hollowing pattern. EDR products such as SentinelOne and CrowdStrike Falcon provide detection signatures for the trojan's C2 handshake anomalies.
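To turn the indicators from the Detection Indicators and Mitigation sections into a concrete check, here is an added example (not code from this page or from any vendor) that scans constructed endpoint and network telemetry for the mutex, the Run key, the JA3 fingerprint paired with a .xyz/.top SNI, and the exact exfiltration user-agent, then escalates hosts where several indicators corroborate each other. The event schema, the host names and the cdn-update.xyz domain are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Indicators as listed in the profile above; the telemetry schema is assumed.
MUTEX = "JelusMutex2022"
RUN_KEY = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\JelusUpdater$", re.I)
JA3 = "51c64c77e60f3980eea908f4cf71b8c4"
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

def match_event(ev):
    """Return (indicator, confidence) for one event, or None if nothing fired."""
    kind = ev.get("type")
    if kind == "mutex" and ev.get("name") == MUTEX:
        return ("mutex", "high")
    if kind == "registry" and RUN_KEY.match(ev.get("key", "")):
        return ("run_key", "high")
    if kind == "tls" and ev.get("ja3") == JA3:
        # JA3 plus a .xyz/.top SNI is the pairing described; JA3 alone can collide.
        if ev.get("sni", "").lower().endswith((".xyz", ".top")):
            return ("c2_tls", "high")
        return ("ja3_only", "medium")
    if kind == "http" and ev.get("method") == "POST":
        # The listed UA is only the prefix of a normal Chrome UA, so match exactly.
        if ev.get("user_agent") == USER_AGENT:
            return ("exfil_ua", "medium")
    return None

def scan(events):
    """Map host -> sorted list of distinct indicator names that fired on it."""
    hits = defaultdict(set)
    for ev in events:
        m = match_event(ev)
        if m:
            hits[ev.get("host", "?")].add(m[0])
    return {h: sorted(i) for h, i in hits.items()}

def hosts_to_escalate(events, min_indicators=2):
    """Hosts with two or more distinct indicators, i.e. corroborated hits."""
    return sorted(h for h, i in scan(events).items() if len(i) >= min_indicators)

SAMPLE = [  # constructed sample telemetry, not real logs
    {"type": "mutex", "host": "ws01", "name": "JelusMutex2022"},
    {"type": "registry", "host": "ws01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JelusUpdater"},
    {"type": "tls", "host": "ws01", "sni": "cdn-update.xyz", "ja3": JA3},
    {"type": "http", "host": "ws01", "method": "POST", "user_agent": USER_AGENT},
    {"type": "tls", "host": "ws02", "sni": "www.example.com", "ja3": JA3},
    {"type": "http", "host": "ws03", "method": "GET", "user_agent": USER_AGENT + " (KHTML, like Gecko)"},
]
```

Running scan(SAMPLE) reports four indicators on ws01 and only the lone JA3 hit on ws02, so hosts_to_escalate(SAMPLE) returns just ws01; the ws03 browser-style user-agent does not fire because the exact-match rule is deliberately strict.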