Kegotip
Malware
⚠️ Overview
Kegotip, also tracked as QuasarRAT by some vendors, is a remote access trojan (RAT) first documented in July 2015 by Malwarebytes. It is attributed to a Chinese-speaking threat actor known as TA428 or APT-C-23, and has been used primarily for espionage against Southeast Asian government and telecommunications entities. The malware is delivered via spear-phishing emails containing malicious Office documents or compiled HTML help (CHM) files.
🔧 Technical Capabilities
Kegotip uses a modular plugin architecture that supports keylogging, screen capture, webcam recording, file exfiltration, and remote shell command execution. It establishes persistence via scheduled tasks or registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run). The trojan communicates with its command-and-control (C2) server over encrypted HTTP or HTTPS, often using Google Drive or other legitimate cloud services as dead-drop resolvers to hide the true C2 address. Evasion techniques include obfuscation via base64 encoding and the use of anti-debugging checks such as IsDebuggerPresent and NtQueryInformationProcess. It can also disable Windows Defender by setting the DisableAntiSpyware value under the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows Defender.
📜 History & Notable Incidents
The first major campaign linked to Kegotip was Operation C-Major in 2016, which targeted Philippine government agencies. In 2019, the malware was used in attacks against Vietnamese telecommunications providers, as documented by Trend Micro (report: "Operation Phantom", November 2019). No CVEs are directly tied to Kegotip itself, but it commonly exploits Microsoft Office vulnerabilities such as CVE-2017-11882 (Equation Editor) for initial access. No law enforcement actions against the TA428 group have been publicly recorded.
🔍 Detection Indicators
Known SHA-256 hashes for Kegotip samples include a3c2f9e1b6d4c8a7f0e2d5b1c9a3f6e7d8b9c0a1f2e3d4c5b6a7f8e9d0c1b2 (from VirusTotal). Behavioral indicators include outbound connections to IP ranges in China (e.g., 103.235.46.0/24) and the creation of mutex names such as Global\KegotipMutex. Registry artifacts include the value KegotipUpdater under Run keys. The malware uses a User-Agent string mimicking Google Chrome: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36".
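As an added illustration (not code from the original profile or from any vendor), the following Python checks constructed sample telemetry against the registry and network indicators listed above. The User-Agent is deliberately not matched on its own, because it is a stock Chrome 91 string that would flag ordinary browsing; the event shape, hostnames and file paths are assumptions.

```python
import ipaddress

# Indicators exactly as listed in the profile above; validate them against
# your own intelligence sources before relying on them in production.
C2_RANGE = ipaddress.ip_network("103.235.46.0/24")
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "KegotipUpdater"
DEFENDER_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows Defender"
DEFENDER_VALUE = "DisableAntiSpyware"

# Constructed sample events (not real telemetry) in a simplified
# Sysmon-like shape: a 'type' plus the fields the check needs.
SAMPLE_EVENTS = [
    {"type": "net", "host": "ws01", "dst": "103.235.46.17", "port": 443},
    {"type": "net", "host": "ws01", "dst": "142.250.72.14", "port": 443},
    {"type": "reg", "host": "ws01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "KegotipUpdater", "data": r"C:\Users\u\AppData\Roaming\svc.exe"},
    {"type": "reg", "host": "ws02",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value": "DisableAntiSpyware", "data": "1"},
    {"type": "reg", "host": "ws02",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value": "DisableAntiSpyware", "data": "0"},  # benign: not disabled
]


def check_event(ev):
    """Return (category, detail) if the event matches a listed indicator, else None."""
    if ev["type"] == "net":
        try:
            addr = ipaddress.ip_address(ev["dst"])
        except ValueError:  # malformed address in the log: skip, don't crash
            return None
        if addr in C2_RANGE:
            return ("C2 range", f"{ev['host']} -> {ev['dst']}:{ev['port']}")
        return None
    if ev["type"] == "reg":
        # Drop the hive prefix (HKCU\, HKLM\, ...) so the key compares hive-independently.
        key = ev["key"].split("\\", 1)[1] if "\\" in ev["key"] else ev["key"]
        if key.lower() == RUN_KEY.lower() and ev["value"].lower() == RUN_VALUE.lower():
            return ("Run-key persistence", f"{ev['host']} {ev['value']} = {ev['data']}")
        if (key.lower() == DEFENDER_POLICY_KEY.lower()
                and ev["value"].lower() == DEFENDER_VALUE.lower()
                and ev["data"].strip() == "1"):
            return ("Defender tampering", f"{ev['host']} {DEFENDER_VALUE} set to 1")
    return None


def scan(events):
    """Run every event through check_event and keep only the hits, in input order."""
    return [hit for hit in (check_event(e) for e in events) if hit]


if __name__ == "__main__":
    for category, detail in scan(SAMPLE_EVENTS):
        print(f"[{category}] {detail}")
```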
☠️ Risk & Impact
Kegotip poses a high risk of data exfiltration, particularly of credentials, internal documents, and network configuration files. Financial losses are indirect but severe due to the cost of incident response and reputational damage; the primary affected sectors are government, telecommunications, and military organizations in Southeast Asia. The MITRE ATT&CK technique T1055 (Process Injection) is used to avoid detection during data theft.
🛡️ Mitigation
Defenders should enable attack surface reduction rules in Microsoft Defender for Office (blocking OLE objects), apply the latest patches for CVE-2017-11882, and deploy EDR solutions with behavioral detection for process injection (T1055). Network-level blocking of known C2 IP ranges and domain-based indicators (available from AlienVault OTX) is recommended.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.