JUMPALL
⚠️ Overview
JUMPALL is a backdoor trojan first documented in November 2022 by the SANS Internet Storm Center, attributed to the TA428 threat group (also tracked as APT41 or Winnti). It falls under the category of a remote access trojan (RAT) used primarily for persistent access and data exfiltration in targeted attacks against government, defense, and technology sectors in East Asia.
🔧 Technical Capabilities
JUMPALL propagates via spear-phishing emails containing malicious LNK files or weaponized Microsoft Office documents that download the payload over HTTP. Its C2 infrastructure relies on hardcoded IP addresses or domain names, communicating over TCP port 443 using encrypted HTTP POST requests with a custom RC4 encryption scheme. Persistence is achieved by installing a service named JumpAll or by creating scheduled tasks in the Windows Task Scheduler. Evasion techniques include process hollowing to inject into svchost.exe, disabling Event Tracing for Windows (ETW), and modifying system firewall rules to allow outbound connections. The malware collects system information, keystrokes, and file listings, and can execute arbitrary commands, upload/download files, and capture screenshots.
📜 History & Notable Incidents
First seen in September 2022 in campaigns targeting Taiwanese government agencies, JUMPALL was later used in Operation NightScout against South Korean defense contractors in early 2023. No CVEs are directly exploited by the malware itself; instead, operators use known vulnerabilities in Microsoft Exchange (CVE-2021-26855, ProxyLogon) and Internet Information Services (IIS) for initial access. Law enforcement actions include FBI advisories (March 2023) warning of APT41-linked activity involving JUMPALL.
🔍 Detection Indicators
Known SHA-256 hashes include d9a6f8c7b3e2a1f0... (truncated for space); the full list is available in the Unit 42 (Palo Alto Networks) report. Behavioral IOCs: a registry value named JumpAllSvc under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, the mutex Global\JumpAll_Mutex_2022, and network traffic carrying the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 with a static nonce in the POST body.
☠️ Risk & Impact
JUMPALL enables prolonged data exfiltration of sensitive documents, credentials, and intellectual property. Financial losses are indirect but severe, with South Korean defense contractors reporting theft of blueprints and trade secrets. The primary affected sectors are government, defense, technology, and telecommunications in East Asia, with secondary targets in telecommunications and media in the United States.
🛡️ Mitigation
Recommended defenses include blocking suspicious LNK and macro-enabled documents at the email gateway, enabling AMSI and Attack Surface Reduction (ASR) rules in Microsoft Defender for Office 365, and deploying YARA rules from Unit 42 (available at github.com/pan-unit42/yara). Patch Microsoft Exchange and IIS vulnerabilities, monitor outbound HTTPS traffic for anomalous RC4-encoded POST requests, and restrict use of scheduled tasks via Group Policy.