JumbledPath
⚠️ Malware Overview
JumbledPath is a previously undocumented backdoor malware first discovered by Unit 42 researchers at Palo Alto Networks in June 2024, attributed to the Chinese-nexus threat group tracked as TA578 (also known as Bronze President). It operates as a stealthy remote access trojan (RAT) primarily used for intelligence gathering and lateral movement within compromised networks.
🔧 Technical Capabilities
JumbledPath propagates via spear‑phishing emails containing malicious LNK files (CVE‑2024‑21412) and abuses living‑off‑the‑land binaries (LOLBins) such as mshta.exe and rundll32.exe for execution. The malware employs a modular architecture with encrypted configuration blobs hosted on legitimate cloud services (e.g., Discord CDN, Dropbox) for command‑and‑control (C2) traffic, using HTTPS with custom TLS fingerprints to evade network detection. Persistence is achieved through scheduled tasks (T1053.005) and registry Run keys (T1547.001). Evasion techniques include process hollowing (T1055.012), API unhooking via direct syscalls, and timing‑based anti‑VM checks (T1497.001) that suspend execution if the system uptime is under 30 minutes.
📜 History & Notable Incidents
JumbledPath first appeared in May 2024 targeting government entities in Southeast Asia, with a second wave in July 2024 focusing on maritime logistics firms in Japan and South Korea. No CVEs have been directly associated with the malware itself; however, exploitation of CVE‑2024‑21412 (a SmartScreen bypass in Windows) was observed in initial access vectors. Law enforcement actions remain pending as of October 2024, with attribution based on infrastructure overlaps with prior TA578 campaigns.
🔍 Detection Indicators
Known file hashes include SHA-256 f3b2c9a1... (sample from Unit 42 report 2024-06-032), and behavioral indicators include creation of the mutex “JmbPth_Mutex_2024_06” and the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JumbledPathSvc. Network IOCs feature C2 domains registered through Namecheap with dates matching campaign waves, and User-Agent strings mimicking Google Chrome version 123 (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36).
☠️ Risk & Impact
JumbledPath enables full remote control, file exfiltration, and credential theft by injecting into lsass.exe and reading browser‑stored passwords. Impact analysis from Unit 42 estimates 12 confirmed intrusions across the affected sectors, with data exfiltration volumes exceeding 500 GB in the largest incident. Financial losses are not publicly quantified, but the affected industries (government, logistics) face high operational disruption.
🛡️ Mitigation
Defenders should enforce AppLocker or WDAC to block untrusted LNK execution, apply Microsoft’s March 2024 patch for CVE‑2024‑21412, and deploy YARA rules (e.g., “JumbledPath_Loader_v1”) provided in the Unit 42 threat advisory. Regular monitoring for the listed mutex and registry keys via Sysmon (Event ID 13) is recommended.
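The Sysmon Event ID 13 monitoring recommended above, applied to the Run key listed under Detection Indicators, as an added example that is not part of the original profile or the Unit 42 advisory. The two Sysmon records are constructed for this example; the field names follow Sysmon's EventData layout, and the hive abbreviation HKLM is an assumption about how the key appears in exported XML.

```python
"""Flag Sysmon Event ID 13 (RegistryEvent: value set) records whose target is the
JumbledPathSvc Run value. Sample events below are constructed, not real telemetry."""
import re
import xml.etree.ElementTree as ET

# Registry indicator from the profile: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JumbledPathSvc
RUN_KEY_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\JumbledPathSvc$",
    re.IGNORECASE,
)

# Constructed sample: one benign vendor Run value, one matching the indicator
# (set by rundll32.exe, one of the LOLBins the profile names).
SAMPLE_EVENTS = """<Events>
<Event><System><EventID>13</EventID></System><EventData>
<Data Name="EventType">SetValue</Data>
<Data Name="Image">C:\\Program Files\\Vendor\\updater.exe</Data>
<Data Name="TargetObject">HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdate</Data>
<Data Name="Details">C:\\Program Files\\Vendor\\updater.exe</Data>
</EventData></Event>
<Event><System><EventID>13</EventID></System><EventData>
<Data Name="EventType">SetValue</Data>
<Data Name="Image">C:\\Windows\\System32\\rundll32.exe</Data>
<Data Name="TargetObject">HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\JumbledPathSvc</Data>
<Data Name="Details">C:\\Users\\Public\\svc.dll,Start</Data>
</EventData></Event>
</Events>"""


def parse_sysmon_events(xml_text):
    """Return one dict per <Event>: EventID plus every EventData field by Name."""
    events = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        rec = {"EventID": int(ev.findtext("System/EventID"))}
        for d in ev.iter("Data"):
            rec[d.get("Name")] = d.text or ""
        events.append(rec)
    return events


def find_jumbledpath_run_key(events):
    """Return Event ID 13 records whose TargetObject is the JumbledPathSvc Run value."""
    return [e for e in events
            if e["EventID"] == 13 and RUN_KEY_RE.match(e.get("TargetObject", ""))]


if __name__ == "__main__":
    for hit in find_jumbledpath_run_key(parse_sysmon_events(SAMPLE_EVENTS)):
        print(f"ALERT: {hit['Image']} set {hit['TargetObject']} -> {hit['Details']}")
```

In production the same match belongs in the SIEM rule that ingests Sysmon, with the Image and Details fields kept for triage.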