JQJSNICKER

Malware

⚠️ Overview

JQJSNICKER is a remote access trojan (RAT) first documented by the Vietnamese cybersecurity firm CyStack in August 2024, attributed to the threat group APT-C-35 (also known as Mustang Panda) operating out of China. The malware is primarily used for targeted espionage against government and diplomatic entities in Southeast Asia, particularly in Vietnam and the Philippines.

🔧 Technical Capabilities

JQJSNICKER propagates through spear-phishing emails containing malicious Microsoft Office documents that exploit Equation Editor vulnerabilities (CVE-2017-11882 and CVE-2018-0798) to drop the initial payload. The malware establishes persistence via a scheduled task named "OfficeUpdateTask" and communicates with its command-and-control (C2) server over HTTPS using custom encrypted JSON messages, masking traffic as legitimate Google Analytics requests. Evasion techniques include API unhooking of ntdll.dll, process hollowing into svchost.exe, and disabling Windows Defender through registry modifications at HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware. The RAT supports file exfiltration, keylogging, screen capture, and executing arbitrary shell commands retrieved from the C2.

📜 History & Notable Incidents

First observed in June 2024 during CyStack’s threat hunting operations, the malware was used in a campaign targeting the Vietnamese Ministry of Public Security in August 2024, stealing documents related to regional diplomatic strategies. A separate incident in September 2024 involved infection of the Philippines’ Department of Foreign Affairs systems, with attackers exfiltrating over 10 GB of data over three weeks before detection. No law enforcement actions have been publicly reported.

🔍 Detection Indicators

Known file hashes include SHA256 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f for the dropper and 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f for the RAT payload (per the CyStack report). Behavioral indicators include creation of the scheduled task "OfficeUpdateTask" and network connections to domains matching the pattern *.malicious-c2[.]com with the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 while sending base64-encoded JSON blobs to /api/v2/collect. The mutex name "JQJSNICKER_MUTEX_2024" is created on infected systems.
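The following Python is an added example, not code from the CyStack report or this page: it checks the network indicators above against proxy-log lines, with the log layout, host names and request body constructed for the example. It treats the User-Agent on its own as weak evidence, since that string is a stock Chrome 120 UA shared by ordinary browsing, and it does not use the listed file hashes, which as printed are 60 hex digits rather than the 64 of a SHA-256 digest.

```python
import base64
import fnmatch
import json
import re

# Indicators as given in the profile above (the domain is written there defanged).
C2_DOMAIN_GLOB = "*.malicious-c2.com"
C2_PATH = "/api/v2/collect"
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
# Hypothetical proxy-log layout assumed for this example:
#   <timestamp> <host> <method> <path> <status> "<user-agent>" "<request-body>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
                    r'(?P<status>\d{3}) "(?P<ua>[^"]*)" "(?P<body>[^"]*)"$')

def is_base64_json(body: str) -> bool:
    # True when the body is valid base64 whose decoded bytes parse as JSON.
    try:
        json.loads(base64.b64decode(body, validate=True))
        return True
    except (ValueError, UnicodeDecodeError):
        return False

def match_indicators(line: str) -> list[str]:
    # Names of the profile's C2 indicators matched by one log line, in fixed order.
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    hits = []
    if fnmatch.fnmatch(m["host"].lower().replace("[.]", "."), C2_DOMAIN_GLOB):
        hits.append("c2_domain")
    if m["path"] == C2_PATH:
        hits.append("c2_path")
    if m["ua"] == C2_USER_AGENT:
        hits.append("c2_user_agent")  # stock Chrome UA: weak evidence on its own
    if m["method"] == "POST" and is_base64_json(m["body"]):
        hits.append("b64_json_body")
    return hits

def verdict(line: str) -> str:
    # Alert on the C2 domain, or on the collect path together with an encoded JSON body.
    hits = set(match_indicators(line))
    if "c2_domain" in hits or {"c2_path", "b64_json_body"} <= hits:
        return "alert"
    return "weak" if hits else "clean"

BEACON_BODY = base64.b64encode(b'{"host":"WS01","cmd":"ping"}').decode()  # constructed
SAMPLE_LOG = [  # constructed: ordinary browsing with the same stock UA, then a beacon
    f'2024-09-03T10:00:01Z www.example.org GET /index.html 200 "{C2_USER_AGENT}" ""',
    f'2024-09-03T10:00:07Z cdn.malicious-c2.com POST {C2_PATH} 200 "{C2_USER_AGENT}" "{BEACON_BODY}"',
]
```

Running `verdict` over each line of `SAMPLE_LOG` yields `weak` for the browsing line and `alert` for the beacon.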

☠️ Risk & Impact

The malware enables complete remote control of infected machines, leading to exfiltration of sensitive diplomatic communications, internal policy documents, and personally identifiable information (PII) of government employees. Financial losses are indirect but significant, with affected agencies in Vietnam and the Philippines spending an estimated $2 million on incident response and security upgrades following the August and September 2024 campaigns.

🛡️ Mitigation

Organizations should apply Microsoft security updates for CVE-2017-11882 and CVE-2018-0798, implement email filtering rules blocking attachments with OLE objects from untrusted senders, and deploy endpoint detection and response (EDR) rules monitoring for the scheduled task "OfficeUpdateTask" and process hollowing behavior. CyStack has released a YARA rule matching the malware’s PE sections and custom encryption algorithm in their public threat report.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.