Koadic
⚠️ Overview
Koadic is a post-exploitation remote access tool (RAT) written primarily in VBScript and JavaScript. First publicly documented by researchers at Akamai in 2019, it is categorized as a script-based implant used primarily for reconnaissance, lateral movement, and command execution on Windows systems. It is commonly associated with state-sponsored threat actors, including those linked to Iran, based on overlapping infrastructure and TTPs.
🔧 Technical Capabilities
Koadic operates through a command-and-control (C2) framework that communicates over HTTP/HTTPS, using JSON-encrypted payloads to evade detection. Its propagation methods include phishing emails with malicious attachments, drive-by downloads, and exploitation of publicly disclosed vulnerabilities. Notably, it leverages Windows Management Instrumentation (WMI) for persistence, creating scheduled tasks or WMI event subscriptions (MITRE ATT&CK T1546.003). Evasion techniques include obfuscation of its VBScript code, use of encoded PowerShell commands to execute payloads, and deployment of scripts that mimic legitimate Windows processes. The tool supports modular plugins for data exfiltration, keylogging, and credential harvesting via Windows Credential Manager (T1003.001). Lateral movement is achieved through SMB connections and leveraging stolen credentials (T1021.002).
📜 History & Notable Incidents
Koadic was first observed in the wild in late 2018 by Akamai's SIRT team, with active campaigns detected against energy, government, and defense sectors. In 2020, the malware was used in a series of targeted attacks by the Iranian-linked group known as APT33 or Refined Kitten, exploiting CVE-2019-0604 in Microsoft SharePoint (CVSS 9.8). No major law enforcement takedowns have been reported; the tool remains freely available on GitHub and has been observed in multiple low‑and‑slow intrusion campaigns.
🔍 Detection Indicators
Known file hashes include SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (placeholder; exact hashes vary per sample). Behavioral indicators include creation of WMI event filters or scheduled tasks under names like "Koadic" or "GoogleUpdateTask"; network IOCs include User-Agent strings such as "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" or non‑standard HTTP headers. Registry persistence often writes to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with a key referencing a VBS file.
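The following script is an added example, not part of the original page or of the Koadic project: it runs the behavioral, network and registry indicators listed above over a handful of constructed log lines (WMI subscription creation, scheduled-task creation, proxy User-Agent, Run-key writes) and reports which lines match. The `source key="value"` log format, the field names, and the sample lines are assumptions made for the example; the User-Agent string, task names and Run key come from the page.

```python
"""Scan constructed log lines for the Koadic indicators listed above."""
import re
from dataclasses import dataclass

# Indicators taken from the page's Detection Indicators section.
SUSPICIOUS_TASK_NAMES = {"koadic", "googleupdatetask"}
KOADIC_USER_AGENT = (
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
)
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# WMI system classes that together form a permanent event subscription.
WMI_SUBSCRIPTION_CLASSES = {
    "__EventFilter", "__FilterToConsumerBinding", "CommandLineEventConsumer",
}

# Assumed log format (not from the page): '<source> key="value" key="value" ...'
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def parse_line(line):
    """Split a line into its source tag and a dict of quoted key=value fields."""
    source, _, rest = line.partition(" ")
    return source, dict(FIELD_RE.findall(rest))


def check_line(line_no, line):
    """Return the findings for one log line (empty list if nothing matched)."""
    source, f = parse_line(line)
    findings = []
    # Persistence via WMI event subscription (page: "WMI event filters").
    if source == "wmi" and f.get("class") in WMI_SUBSCRIPTION_CLASSES:
        findings.append(Finding(line_no, "wmi_event_subscription",
                                f"{f['class']} created by {f.get('process', '?')}"))
    # Scheduled task under one of the names the page lists.
    if source == "schtasks" and f.get("task", "").lower() in SUSPICIOUS_TASK_NAMES:
        findings.append(Finding(line_no, "suspicious_task_name", f["task"]))
    # Exact match on the User-Agent string given on the page.
    if source == "http" and f.get("ua") == KOADIC_USER_AGENT:
        findings.append(Finding(line_no, "koadic_user_agent", f.get("host", "?")))
    # Run-key value that references a .vbs file.
    if (source == "registry"
            and f.get("key", "").lower() == RUN_KEY.lower()
            and ".vbs" in f.get("value", "").lower()):
        findings.append(Finding(line_no, "run_key_vbs",
                                f"{f.get('name', '?')} -> {f['value']}"))
    return findings


def scan(lines):
    """Scan all lines and return the findings in log order."""
    out = []
    for n, line in enumerate(lines, 1):
        out.extend(check_line(n, line))
    return out


# Constructed sample telemetry, not captured from a real host.
SAMPLE_LOGS = [
    'wmi class="__EventFilter" name="Updater" process="wscript.exe"',
    'schtasks action="create" task="GoogleUpdateTask" command="wscript.exe C:\\Users\\Public\\u.vbs"',
    'schtasks action="create" task="OneDrive Standalone Update" command="OneDriveStandaloneUpdater.exe"',
    'http host="203.0.113.10" ua="' + KOADIC_USER_AGENT + '"',
    'http host="www.example.com" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"',
    'registry key="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" name="svc" value="wscript.exe C:\\ProgramData\\svc.vbs"',
    'registry key="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" name="vmtools" value="C:\\Program Files\\VMware\\vmtoolsd.exe"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.rule}: {hit.detail}")
```

The WMI and Run-key checks are behavioral and survive renamed samples; the task-name and User-Agent checks are exact-string matches on the values the page gives and should be treated as low-confidence on their own, since both are trivially changed between samples and the User-Agent in particular is a common Chrome string that legitimate clients may also send.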
☠️ Risk & Impact
Koadic can enable full system compromise, including data exfiltration of sensitive documents, credentials, and intellectual property. It has been linked to espionage campaigns against aerospace, energy, and government entities, potentially causing financial losses in the tens of millions through IP theft and operational disruption. The tool's modular nature allows attackers to pivot to other systems and deploy additional payloads like ransomware.
🛡️ Mitigation
Mitigation includes enforcing application whitelisting (Microsoft AppLocker), restricting WMI and PowerShell execution, and deploying endpoint detection rules that flag abnormal WMI event subscriptions (e.g., Sigma rule id: 7f8e4b6a-7e5d-4f2c-9a1b-3c6d8e0f1a2b). Regular patching of CVE-2019-0604 and other exploited vulnerabilities, along with user awareness training against phishing, reduces initial infection vectors.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.