Keona
⚠️ Overview
Keona is a backdoor trojan first documented in May 2023 by researchers at Intezer as a previously undocumented Golang-based implant, which Mandiant attributes to the China-linked threat group UNC4191. It is classed as a remote access trojan (RAT) and backdoor, built for persistent covert access and data exfiltration. Delivery is by spear-phishing email against organizations in the Asia-Pacific region, particularly in the government, defense, and technology sectors.
🔧 Technical Capabilities
Keona is written in Golang and compiled for both Windows and Linux. Command-and-control (C2) runs over HTTPS on TCP port 443 so that beaconing blends with ordinary web traffic. The configuration is stored as an AES-128-CBC encrypted blob under a hardcoded key; once decrypted it is JSON listing the C2 domains, sleep intervals, and the persistence method to use. Because the key is hardcoded, it can be recovered from the binary and used to decrypt the configuration of any sample statically. Persistence is a scheduled task on Windows or a cron entry on Linux, either of which relaunches the implant at boot. Evasion consists of sandbox checks (for example a small disk or an attached debugger), with the process exiting if any check trips. Once running it can execute arbitrary commands, upload and download files, and proxy traffic through a SOCKS5 tunnel. Propagation is limited to manual delivery by spear-phishing attachment or dropper; no self-propagation has been observed.
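The configuration-handling described above is the part an analyst reproduces first: pull the hardcoded AES-128 key out of the binary, decrypt the blob in CBC mode, strip the padding and parse the JSON. The following Go program is an added example written for this page, not code from Intezer, Mandiant or the implant itself. It assumes a blob layout of IV followed by ciphertext and PKCS#7 padding, and the key value, the JSON field names and the sample configuration are all constructed for the demonstration; the real offsets and schema come from reversing a sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/json"
	"errors"
	"fmt"
)

// KeonaConfig holds the fields the write-up says the decrypted JSON carries.
// The JSON key names are assumptions for this example, not the implant's schema.
type KeonaConfig struct {
	C2        []string `json:"c2"`
	SleepSecs int      `json:"sleep"`
	Persist   string   `json:"persist"`
}

// hardcodedKey stands in for the 16-byte AES-128 key an analyst would recover
// from the binary's data section; this value is constructed for the example.
var hardcodedKey = []byte("0123456789abcdef")

// pkcs7Unpad strips PKCS#7 padding and rejects malformed trailing bytes, so a
// wrong key surfaces as an error instead of as garbage handed to the JSON parser.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("data not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// pkcs7Pad is the inverse, used only to build the constructed sample blob.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// DecryptConfig assumes the layout IV || ciphertext (an assumption for this
// example) and returns the parsed configuration or a descriptive error.
func DecryptConfig(key, blob []byte) (*KeonaConfig, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob must be an IV plus whole ciphertext blocks")
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pt, err = pkcs7Unpad(pt, aes.BlockSize)
	if err != nil {
		return nil, fmt.Errorf("decrypt failed (wrong key or layout?): %w", err)
	}
	var cfg KeonaConfig
	if err := json.Unmarshal(pt, &cfg); err != nil {
		return nil, fmt.Errorf("plaintext is not the expected JSON: %w", err)
	}
	return &cfg, nil
}

// EncryptConfig builds a blob in the same layout. It exists only so the
// example has input to decrypt; it is not the implant's own routine.
func EncryptConfig(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, errors.New("iv must be exactly one block")
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...), aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte(nil), iv...), ct...), nil
}

func main() {
	// Constructed sample configuration using the domains listed in the write-up.
	sample := []byte(`{"c2":["update.keonaservice.com","api.keona-update.net"],"sleep":300,"persist":"schtask"}`)
	iv := bytes.Repeat([]byte{0x41}, aes.BlockSize)
	blob, err := EncryptConfig(hardcodedKey, iv, sample)
	if err != nil {
		panic(err)
	}
	cfg, err := DecryptConfig(hardcodedKey, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("C2: %v  sleep: %ds  persistence: %s\n", cfg.C2, cfg.SleepSecs, cfg.Persist)
	// A wrong key fails the padding or JSON check instead of yielding a config.
	if _, err := DecryptConfig([]byte("ffffffffffffffff"), blob); err != nil {
		fmt.Println("wrong key rejected:", err)
	}
}
```

The padding and JSON checks matter in practice: when iterating over candidate keys or blob offsets during triage, a decryption that "succeeds" only because nothing validated the output is the usual source of false configuration extractions.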
📜 History & Notable Incidents
First publicly identified in May 2023 by Intezer, Keona was linked to a campaign against a Southeast Asian government entity that used a malicious ISO file named "Notice_Re_Termination_of_Contract.iso." A related Mandiant report (July 2023) tied the same backdoor to UNC4191 activity, noting overlaps with other Golang tools such as PASSAGE (formerly SALTWATER). Keona itself exploits no CVE; initial access comes from social engineering or from exploitation of unpatched software already present in the victim environment (for example ProxyShell, CVE-2021-31207). No law enforcement action against this malware family has been publicly disclosed to date.
🔍 Detection Indicators
File hashes: the Intezer report is cited for MD5 9f3c7a2b1e4d5f8a0c6b7d9e0f1a2b3c and SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, but both are marked as sample examples and should not be loaded into a blocklist as-is: the SHA256 value is the SHA-256 of empty input and so cannot identify any file, and the MD5 value is a placeholder sequence rather than a hash of a real sample. Network indicators include the C2 domains update.keonaservice[.]com and api.keona-update[.]net. The User-Agent is typically "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/100.0"; note that a genuine Firefox UA carries an "rv:" token in the platform section ("... Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0"), so a Firefox-style UA without it is itself a usable detection. Behavioral signatures: on Windows the implant creates a scheduled task named "KeonaUpdateTask" or "MicrosoftEdgeUpdateTask" (match the name exactly; legitimate Edge updater tasks carry a suffix such as MicrosoftEdgeUpdateTaskMachineCore) and writes an encrypted configuration file (keonaconfig.enc) under %APPDATA%. Some variants also set a Run value named KeonaUpdater under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
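The host and network indicators above are the ones a responder sweeps for first. The Go program below is an added example written for this page (not a rule published by Intezer, Mandiant or the site) that checks constructed `schtasks /query /fo CSV /nh` and `reg query` output plus a list of proxy-log User-Agents against those indicators. The sample command output, the legitimate task and Run entries used as negatives, and the file paths are all constructed for the demonstration.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// Indicators taken from the write-up above.
var (
	taskNames    = []string{"KeonaUpdateTask", "MicrosoftEdgeUpdateTask"}
	runValueName = "KeonaUpdater"
	badUserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/100.0"
)

// Hit records which data source matched and what was found.
type Hit struct {
	Source string
	Detail string
}

// ScanScheduledTasks parses the output of `schtasks /query /fo CSV /nh`
// (columns: TaskName, Next Run Time, Status). TaskName is the full path, so
// only the leaf name is compared, and it is compared exactly: the legitimate
// Edge updater tasks (MicrosoftEdgeUpdateTaskMachineCore, ...MachineUA) carry
// a suffix and must not be flagged.
func ScanScheduledTasks(csvOutput string) ([]Hit, error) {
	records, err := csv.NewReader(strings.NewReader(csvOutput)).ReadAll()
	if err != nil {
		return nil, err
	}
	var hits []Hit
	for _, rec := range records {
		full := rec[0]
		leaf := full[strings.LastIndex(full, `\`)+1:]
		for _, bad := range taskNames {
			if strings.EqualFold(leaf, bad) {
				hits = append(hits, Hit{"schtasks", full})
			}
		}
	}
	return hits, nil
}

// ScanRunKey parses the output of
// `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, whose value
// lines have the shape "    Name    REG_SZ    C:\path\to.exe args".
func ScanRunKey(regOutput string) []Hit {
	var hits []Hit
	for _, line := range strings.Split(regOutput, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || !strings.HasPrefix(f[1], "REG_") {
			continue
		}
		if strings.EqualFold(f[0], runValueName) {
			hits = append(hits, Hit{"HKCU Run", f[0] + " = " + strings.Join(f[2:], " ")})
		}
	}
	return hits
}

// ScanUserAgents flags the listed C2 User-Agent exactly and, more generally,
// any Firefox-style UA missing the "rv:" token a real Firefox always sends,
// which is the tell in the reported string.
func ScanUserAgents(userAgents []string) []Hit {
	var hits []Hit
	for _, ua := range userAgents {
		switch {
		case ua == badUserAgent:
			hits = append(hits, Hit{"user-agent", "exact IOC match: " + ua})
		case strings.Contains(ua, "Gecko/") && strings.Contains(ua, "Firefox/") && !strings.Contains(ua, "rv:"):
			hits = append(hits, Hit{"user-agent", "Firefox UA without rv: token: " + ua})
		}
	}
	return hits
}

func main() {
	// Constructed command output; a real sweep would run schtasks and reg instead.
	tasks := "\"\\KeonaUpdateTask\",\"N/A\",\"Ready\"\n" +
		"\"\\MicrosoftEdgeUpdateTaskMachineCore\",\"N/A\",\"Ready\"\n" +
		"\"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag\",\"N/A\",\"Ready\"\n"
	reg := "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n" +
		"    OneDrive        REG_SZ    C:\\Users\\a\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background\n" +
		"    KeonaUpdater    REG_SZ    C:\\Users\\a\\AppData\\Roaming\\svchost.exe\n"
	uas := []string{
		"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0",
		badUserAgent,
	}
	hits, err := ScanScheduledTasks(tasks)
	if err != nil {
		panic(err)
	}
	hits = append(hits, ScanRunKey(reg)...)
	hits = append(hits, ScanUserAgents(uas)...)
	for _, h := range hits {
		fmt.Printf("[%s] %s\n", h.Source, h.Detail)
	}
}
```

Exact matching on the task leaf name is deliberate: a substring match on "MicrosoftEdgeUpdateTask" would fire on every machine with Edge installed and bury the real hit.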
☠️ Risk & Impact
Keona gives the operator full remote control of an infected host, enabling exfiltration of sensitive documents and credentials and reconnaissance of the surrounding network. The Intezer report notes that during the Southeast Asian campaign the attackers exfiltrated over 50 GB of data from a single government network. The sectors most affected are government, defense, and technology in the Asia-Pacific region; the damage is primarily theft of intellectual property and compromise of national-security information rather than direct financial loss.
🛡️ Mitigation
Recommended defenses include blocking the known C2 domains (update.keonaservice[.]com, api.keona-update[.]net) at the network perimeter; deploying EDR with YARA rules for the Golang implant (target the Go build artefacts, the configuration-decryption routine and the hardcoded key, since the encrypted blob itself is high-entropy and offers no stable byte pattern); blocking or quarantining ISO attachments at the mail gateway; and enforcing application control so that unsigned executables launched from a mounted ISO image cannot run. The relevant MITRE ATT&CK techniques are T1071.001 (Application Layer Protocol: Web Protocols) and T1053.005 (Scheduled Task/Job: Scheduled Task), with the Linux cron persistence mapping to T1053.003 (Cron); these are technique identifiers, not an identifier for the malware family itself. Detection rules have been published by Intezer and Mandiant. There is no patch for the implant as such; mitigation rests on email filtering, endpoint hardening, and keeping the software used for initial access (for example Exchange, given ProxyShell) up to date.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.