KadNap
Malware

⚠️ Overview
KadNap is a remote access trojan (RAT) that JPCERT/CC first reported in 2016 and that is attributed to APT10 (also tracked as Stone Panda, Red Apollo, and TA429), a Chinese state-sponsored group. It is a custom backdoor used primarily for cyber espionage against Japanese aerospace, defense, and technology organizations. MITRE ATT&CK maps KadNap to techniques including T1105 (Ingress Tool Transfer) and T1059 (Command and Scripting Interpreter).
🔧 Technical Capabilities
KadNap is delivered through spear-phishing emails carrying malicious Office documents that drop a DLL loader or an executable payload; initial access has also relied on Office exploits such as CVE-2017-0199, and stolen credentials are then used for lateral movement over SMB or RDP. The malware talks to its command-and-control (C2) servers over HTTP/HTTPS, encrypting traffic with a custom RC4 variant and Base64-encoding the result. Persistence is established through registry Run keys (e.g., HKLM\Software\Microsoft\Windows\CurrentVersion\Run) or scheduled tasks (T1053); the HKLM key can only be written with administrative rights, so hunts should cover the HKCU Run key as well. Evasion techniques include function hooking, anti-debugging checks, and obfuscated strings, and the malware detects virtual machines by looking for known VMware and VirtualBox artifacts.
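To make the C2 encoding concrete, the following Python, added here as an example and not code from KadNap or from its reporting, shows the encode and decode halves of an RC4-then-Base64 channel. Because the page does not describe the custom RC4 variant, it uses standard RC4; the key and the beacon contents are constructed for illustration. An analyst who recovers the key from a sample would apply c2_decode to captured POST bodies.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` with standard RC4 under `key`.

    RC4 is a symmetric stream cipher, so one function serves both
    directions. (Assumption: the page's "custom RC4 variant" is
    unspecified, so plain RC4 stands in for it here.)
    """
    # Key-scheduling algorithm (KSA): permute S according to the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): XOR keystream into data.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def c2_encode(key: bytes, plaintext: bytes) -> str:
    """Implant side: RC4 the beacon, then Base64 it for the HTTP POST body."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def c2_decode(key: bytes, body: str) -> bytes:
    """Analyst side: undo Base64, then RC4 with the recovered key."""
    return rc4(key, base64.b64decode(body))


# Constructed sample: a hypothetical key and beacon, not real KadNap values.
KEY = b"example-key"
BEACON = b"host=WKSTN-01;user=jdoe;os=6.1;cmd=idle"

if __name__ == "__main__":
    body = c2_encode(KEY, BEACON)
    print("POST body:", body)
    print("decoded  :", c2_decode(KEY, body))
```

When reversing the real sample, confirm the variant first: a modified KSA (for example a different swap count or a key-byte transform) will make standard RC4 produce garbage on captured traffic even with the correct key.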
📜 History & Notable Incidents
JPCERT/CC first documented KadNap in April 2016, after a wave of attacks on Japanese manufacturing firms; it was later linked to APT10's broader campaign against the aerospace and technology sectors. A notable incident was the 2017 compromise of Mitsubishi Electric and Japan's National Institute of Advanced Industrial Science and Technology (AIST), in which KadNap was used to exfiltrate industrial designs. No law enforcement action against the operators has been publicly reported.
🔍 Detection Indicators
Published file hashes for KadNap include MD5 3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d (attributed to a KadNap proxy variant) and SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. Neither should be loaded into a blocklist as-is: the SHA256 value is the well-known digest of zero-byte input, so it cannot identify a malware sample, and the MD5 value is a sequential hex pattern that reads as a placeholder. Behavioral indicators include outbound HTTP POST requests to domains mimicking legitimate services (e.g., update.microsoft-cdn.com), the mutex name KadNapMutex, and the User-Agent string Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0). That User-Agent is also the normal string for Internet Explorer 10 on Windows 7, so it should only be used in combination with the destination host or the originating process.
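As an added example (not from the page's sources), this Python scores constructed proxy-log records against the behavioral indicators above: a POST to a host that borrows a brand name but sits outside that brand's real domains, combined with the reported User-Agent. The pipe-delimited log format, the brand tokens, and the allow-list of legitimate domains are assumptions for illustration; the scoring deliberately requires more than the User-Agent alone so that ordinary IE10 clients are not flagged.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Indicator from the page. It is also what a legitimate IE10/Windows 7
# client sends, so it only contributes a low weight on its own.
SUSPECT_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"

# Assumed brand tokens and the registrable domains those brands really use.
BRAND_TOKENS = ("microsoft", "windows", "office", "adobe", "google")
LEGIT_DOMAINS = ("microsoft.com", "microsoftonline.com", "windowsupdate.com",
                 "office.com", "live.com", "msecnd.net", "adobe.com", "google.com")


@dataclass
class Event:
    ts: str
    src: str
    method: str
    host: str
    path: str
    status: str
    ua: str


def parse_line(line: str) -> Event:
    """Parse one record of the constructed format ts|src|method|host|path|status|ua.
    The User-Agent is the last field and may itself contain '|', hence maxsplit=6."""
    fields = line.rstrip("\n").split("|", 6)
    if len(fields) != 7:
        raise ValueError(f"malformed record: {line!r}")
    return Event(*fields)


def is_lookalike(host: str) -> bool:
    """True when the host contains a brand name but is not under that brand's domain."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return False
    return any(tok in host for tok in BRAND_TOKENS)


def score_event(ev: Event) -> Tuple[int, List[str]]:
    """Weight: POST to a look-alike host is strong (2); the UA alone is weak (1)."""
    score, reasons = 0, []
    if ev.method == "POST" and is_lookalike(ev.host):
        score += 2
        reasons.append(f"POST to brand look-alike host {ev.host}")
    if ev.ua == SUSPECT_UA:
        score += 1
        reasons.append("User-Agent matches the reported KadNap string")
    return score, reasons


def hunt(lines: List[str], threshold: int = 2) -> List[dict]:
    """Return records whose combined score reaches the threshold."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"line": n, "src": ev.src, "host": ev.host,
                         "score": score, "reasons": reasons})
    return hits


# Constructed sample log: timestamps, IPs and paths are made up for this example.
SAMPLE_LOG = [
    "2017-05-04T09:12:31Z|10.0.0.15|POST|update.microsoft-cdn.com|/api/v2/upload|200|" + SUSPECT_UA,
    "2017-05-04T09:12:45Z|10.0.0.22|GET|www.microsoft.com|/en-us/|200|" + SUSPECT_UA,
    "2017-05-04T09:13:02Z|10.0.0.15|POST|update.microsoft-cdn.com|/api/v2/upload|200|curl/7.52.1",
    "2017-05-04T09:13:40Z|10.0.0.30|POST|login.microsoftonline.com|/common/oauth2/token|200|" + SUSPECT_UA,
    "2017-05-04T09:14:10Z|10.0.0.41|GET|dl.google.com|/chrome/install|200|Mozilla/5.0 (Windows NT 10.0) Chrome/58.0",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['src']} -> {hit['host']} "
              f"(score {hit['score']}): {'; '.join(hit['reasons'])}")
```

Line 2 of the sample (a plain GET to www.microsoft.com from an IE10 client) scores 1 and is not reported, which is the point of weighting: the User-Agent corroborates a suspicious destination but does not make one.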
☠️ Risk & Impact
KadNap is used to exfiltrate sensitive intellectual property, including defense blueprints and proprietary manufacturing processes. According to Japan's Ministry of Economy, Trade and Industry (METI), financial losses from the 2017 AIST breach exceeded $100 million. The sectors most affected are aerospace, defense, and high-tech manufacturing in Japan and South Korea.
🛡️ Mitigation
Defenders should block or sinkhole known KadNap C2 domains at the DNS layer, deploy endpoint detection rules for KadNap's registry persistence (e.g., Sigma rule reg_kadnap_run), and enforce application control so that unsigned DLLs cannot execute. Patching CVE-2017-0199 and running regular security awareness training reduce the chance of initial infection through the malicious documents.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.