Keyhole

Malware

⚠️ Overview

Keyhole is a backdoor trojan first publicly documented by Palo Alto Networks Unit 42 in September 2021, attributed to the Chinese state‑sponsored threat group Earth Lusca (also tracked as TA428). It functions as a custom remote access tool (RAT) used primarily for espionage, enabling persistent access to compromised environments.

🔧 Technical Capabilities

Keyhole is written in C++ and communicates with its command‑and‑control (C2) infrastructure over HTTP using a custom encrypted protocol: payload data is XORed and then Base64‑encoded. Initial execution relies on DLL side‑loading, in which a legitimate signed binary is abused to load a malicious DLL. Persistence is achieved through scheduled tasks or registry Run keys.

The backdoor supports file upload and download, process creation, registry manipulation, and shell command execution. It can also harvest system information, including hostname, username, OS version, and installed security products.

For evasion, Keyhole checks for sandbox environments and delays execution if certain conditions are detected, such as low system uptime or the absence of human interaction. C2 domains often use dynamic DNS services, and the beacon interval is configurable, typically ranging from 30 seconds to several minutes.
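To make the protocol description concrete, the following added example (not code from the Unit 42 report, from Boteraser, or from the malware itself) shows how an analyst can unwrap a captured beacon body that uses this XOR‑then‑Base64 scheme. The page names no key, so the single‑byte XOR key 0x5A and the beacon contents are assumptions. Because XOR with a single byte is obfuscation rather than encryption, the key can be recovered from a captured body alone by trying all 256 values and scoring each output for plausible beacon text.

```python
import base64
import string

# Constructed fixture: the page describes XOR followed by Base64 but gives no key,
# so the single-byte key and the beacon contents below are assumptions for this example.
ASSUMED_KEY = 0x5A
SAMPLE_BEACON = b"host=WS-01;user=alice;os=10.0.19045;av=Defender"

# Characters expected in beacon metadata (letters, digits, key/value punctuation).
TEXT_CHARS = set((string.ascii_letters + string.digits + " =;.,:-_/").encode("ascii"))


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def encode_beacon(plaintext: bytes, key: int) -> str:
    """Wrap data the way the page describes: XOR first, then Base64 (used here to build the fixture)."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_beacon(body: str, key: int) -> bytes:
    """Unwrap a captured body when the key is known: Base64-decode, then XOR."""
    return xor_bytes(base64.b64decode(body), key)


def text_ratio(data: bytes) -> float:
    """Fraction of bytes that look like beacon text; 1.0 means every byte is plausible."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in TEXT_CHARS) / len(data)


def recover_single_byte_key(body: str) -> tuple[int, bytes]:
    """Brute-force all 256 keys and return the one whose output looks most like text."""
    raw = base64.b64decode(body)
    best_key, best_score, best_plain = 0, -1.0, b""
    for key in range(256):
        candidate = xor_bytes(raw, key)
        score = text_ratio(candidate)
        if score > best_score:
            best_key, best_score, best_plain = key, score, candidate
    return best_key, best_plain


if __name__ == "__main__":
    body = encode_beacon(SAMPLE_BEACON, ASSUMED_KEY)
    print("captured body :", body)
    key, plain = recover_single_byte_key(body)
    print(f"recovered key : 0x{key:02x}")
    print("beacon content:", plain.decode("ascii"))
```

The scoring set deliberately excludes most punctuation: with plain `string.printable` several neighbouring keys also produce all‑printable output and the search can tie. If a sample turns out to use a repeating multi‑byte key, the same scoring applies to each key position separately once the key length is known.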

📜 History & Notable Incidents

Keyhole was first observed in the wild in early 2021, with a major campaign targeting government ministries and telecommunications companies in Southeast Asia, particularly Cambodia and Vietnam. The Earth Lusca group used Keyhole alongside other tools, such as the Cobalt Strike beacon, in a multi‑stage intrusion chain. No specific CVEs are directly associated with Keyhole; it relies on phishing emails with malicious attachments or exploiting public‑facing web applications for initial access. No law enforcement actions against the malware family have been publicly reported.

🔍 Detection Indicators

Known file hashes for Keyhole samples include SHA‑256: 2a3c7b… (exact values vary by campaign; analysts should query VirusTotal for current indicators). Behavioral signatures include the creation of scheduled tasks named “WindowsUpdateTask” or “SysHelper” and outbound HTTP traffic to domains such as update‑api[.]top or cdn‑resources[.]net. Values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run that point to a DLL are common persistence artifacts. The User‑Agent string “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36” is frequently used in C2 beacons.
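As an added example of turning these indicators into a check (example code, not from the Unit 42 report or from Boteraser), the following Python scans a small constructed JSON‑lines export of scheduled‑task, web‑proxy and registry events and reports which indicator each event matches. The event schema and the sample lines are assumptions; the task names, domains, registry key and User‑Agent are the ones listed above. The User‑Agent is a plausible browser string, so on its own it is reported only at low confidence when the destination is not a known C2 domain.

```python
import json
import re

# Indicators listed on the page; defanged domains are refanged for matching.
TASK_NAMES = {"windowsupdatetask", "syshelper"}
C2_DOMAINS = {d.replace("[.]", ".") for d in ("update-api[.]top", "cdn-resources[.]net")}
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
DLL_PATH = re.compile(r"\.dll\b", re.IGNORECASE)


def check_event(event: dict) -> list[str]:
    """Return the indicator descriptions this event matches (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "scheduled_task":
        if event.get("name", "").lower() in TASK_NAMES:
            hits.append("high: scheduled task name matches Keyhole persistence")
    elif kind == "http":
        host = event.get("host", "").lower()
        if host in C2_DOMAINS:
            hits.append(f"high: outbound connection to known C2 domain {host}")
        # The User-Agent looks like a normal browser, so it is a weak signal on its own;
        # report it at low confidence only when the domain did not already match.
        if event.get("user_agent") == C2_USER_AGENT and host not in C2_DOMAINS:
            hits.append("low: User-Agent matches Keyhole beacon string")
    elif kind == "registry":
        if event.get("key", "").lower() == RUN_KEY and DLL_PATH.search(event.get("value", "")):
            hits.append("medium: Run key value points at a DLL")
    return hits


def scan_log(jsonl: str) -> list[tuple[int, list[str]]]:
    """Scan a JSON-lines log; return (line number, hits) for every flagged event."""
    findings = []
    for lineno, line in enumerate(jsonl.splitlines(), start=1):
        if not line.strip():
            continue
        hits = check_event(json.loads(line))
        if hits:
            findings.append((lineno, hits))
    return findings


# Constructed sample export (assumed schema): one JSON object per line.
SAMPLE_LOG = "\n".join([
    r'{"type": "scheduled_task", "host": "WS-01", "name": "WindowsUpdateTask", "action": "C:\\Users\\Public\\svc.exe"}',
    r'{"type": "scheduled_task", "host": "WS-01", "name": "Adobe Acrobat Update Task", "action": "C:\\Program Files\\Adobe\\AdobeARM.exe"}',
    r'{"type": "http", "host": "update-api.top", "user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"}',
    r'{"type": "http", "host": "www.example.com", "user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"}',
    r'{"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "rundll32.exe C:\\ProgramData\\cache\\helper.dll,Start"}',
    r'{"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "C:\\Program Files\\OneDrive\\OneDrive.exe /background"}',
])


if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        for hit in hits:
            print(f"line {lineno}: {hit}")
```

Matching is exact on task names and domains because those are the only values the page gives; in a real deployment the domain set would be loaded from a current feed rather than hard‑coded, and the Run‑key check would be extended to HKLM if host telemetry covers it.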

☠️ Risk & Impact

Keyhole enables long‑term espionage, allowing threat actors to steal sensitive documents, credentials, and email archives from compromised networks. The primary sectors affected are government and telecommunications, with documented incidents leading to the exfiltration of diplomatic communications and customer data. Financial losses are indirect, stemming from remediation costs and intellectual property theft.

🛡️ Mitigation

Organizations should implement endpoint detection and response (EDR) tools with behavioral analytics to detect DLL side‑loading and anomalous scheduled tasks. Network‑level defenses include blocking known malicious domains and applying strict outbound HTTPS inspection. Recommended detection rules are available in the Unit 42 report (Palo Alto Networks, September 2021). Regular patching of internet‑facing services and user awareness training against phishing remain essential preventive measures.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.