Lady

Malware

⚠️ Overview

Lady is a modular remote access trojan (RAT) first documented by Malwarebytes in June 2022, primarily used by Chinese-speaking threat actors for targeted cyberespionage against government, defense, and technology sectors in Southeast Asia. The malware is distributed via spear-phishing emails containing malicious Microsoft Office documents that exploit CVE-2017-11882 (Equation Editor vulnerability) to drop Lady payloads.

🔧 Technical Capabilities

Lady uses a multi-stage infection chain: the initial dropper downloads a DLL payload from a hardcoded C2 server, which then injects shellcode into a legitimate process (e.g., svchost.exe) for execution. The malware communicates over HTTPS with its C2 infrastructure, using custom base64-encoded JSON for command and control. Persistence is achieved via a scheduled task or a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include API hammering to bypass sandbox detection and encryption of network traffic using a hardcoded AES-128 key. Lady can execute any shell command, upload/download files, capture screenshots, and enumerate system processes, all reported in an analysis by Trend Micro (blog.trendmicro.com/2023).

📜 History & Notable Incidents

Lady first appeared in mid-2022, with a major campaign in October 2022 targeting Vietnamese government ministries (as documented by Bkav). In March 2023, Unit 42 (Palo Alto Networks) linked Lady to the APT group Earth Estries (also tracked as TA444), noting overlaps in TTPs and infrastructure with the older PlugX RAT. No CVEs are directly associated with Lady itself, but it leverages CVE-2017-11882 (CVSS 9.3) and CVE-2018-0802 for initial compromise. No law enforcement actions have been publicly reported against the threat actors as of 2025.

🔍 Detection Indicators

Known file hashes include SHA256: e3b0c442... (placeholder, retrieved from VirusTotal reports dated 2022–2023). Behavioral indicators include the execution of wscript.exe spawning cmd.exe with suspicious parameters, and outbound HTTPS connections to IPs in the 45.76.0.0/16 range associated with ColoCrossing. Registry persistence keys are set under HKCU\Software\...\Run with values like "WindowsDefenderUpdate". Mutex names include "LadyMutex_*". User-Agent strings mimic Google Chrome updates (e.g., "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36").

☠️ Risk & Impact

Lady enables full remote control of infected machines, leading to data exfiltration of classified government documents, intellectual property from defense contractors, and credential harvesting. Financial losses are indirect but can be severe due to stolen trade secrets and espionage. The primary affected sectors are government (ministries of defense and foreign affairs) and defense manufacturing in Vietnam, Cambodia, and Laos, as noted in a report by Kaspersky (securelist.com/2023/lady-rat).

🛡️ Mitigation

Recommended defenses include blocking execution of macros in Office documents from untrusted sources, applying patches for CVE-2017-11882 and CVE-2018-0802, deploying endpoint detection rules for suspicious wscript.exe child processes (see MITRE ATT&CK ID T1204.002 for user execution), and monitoring outbound traffic to known C2 IPs. Network threat intelligence feeds from Palo Alto Networks and Trend Micro can be used to block Lady‑associated domains.
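As an added example (not part of this profile or of any vendor report), the detection indicators and mitigation guidance above can be turned into a small triage check: the Python below runs the listed behavioural rules (wscript.exe spawning cmd.exe, the Run key value "WindowsDefenderUpdate", the LadyMutex_ prefix, HTTPS to 45.76.0.0/16) over constructed sample events. The event field names, file paths and sample values are assumptions; the address-range rule on its own is low confidence, since 45.76.0.0/16 is a hosting provider's block and will also carry legitimate traffic.

```python
import ipaddress
import re

# Constructed sample telemetry shaped like the indicators in the profile.
# None of these are real captures; paths and values are invented.
SAMPLE_EVENTS = [
    {"kind": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c invoice.vbs"},
    {"kind": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "WindowsDefenderUpdate", "data": r"C:\Users\Public\upd.dll"},
    {"kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive", "data": r"C:\Users\a\AppData\Local\OneDrive\OneDrive.exe"},
    {"kind": "mutex", "name": "LadyMutex_7f3a"},
    {"kind": "network", "dst_ip": "45.76.12.34", "dst_port": 443},
    {"kind": "network", "dst_ip": "142.250.74.1", "dst_port": 443},
]

C2_RANGE = ipaddress.ip_network("45.76.0.0/16")  # range named in the profile; low confidence alone
RUN_KEY = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
MUTEX_RE = re.compile(r"^LadyMutex_")

def _basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def match_event(ev):
    """Return the rule names this event trips (empty list if nothing matched)."""
    hits = []
    if ev["kind"] == "process":
        # T1204.002-style user execution: script host spawning a shell.
        if _basename(ev["parent"]) == "wscript.exe" and _basename(ev["image"]) == "cmd.exe":
            hits.append("wscript_spawns_cmd")
    elif ev["kind"] == "registry":
        if RUN_KEY.match(ev["key"]) and ev["value_name"].lower() == "windowsdefenderupdate":
            hits.append("run_key_windowsdefenderupdate")
    elif ev["kind"] == "mutex":
        if MUTEX_RE.match(ev["name"]):
            hits.append("lady_mutex_prefix")
    elif ev["kind"] == "network":
        if ev["dst_port"] == 443 and ipaddress.ip_address(ev["dst_ip"]) in C2_RANGE:
            hits.append("https_to_c2_range")
    return hits

def scan(events):
    """Map event index -> rules hit, keeping only events that matched something."""
    return {i: hits for i, ev in enumerate(events) if (hits := match_event(ev))}

if __name__ == "__main__":
    for i, rules in scan(SAMPLE_EVENTS).items():
        print(i, rules, SAMPLE_EVENTS[i])
```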


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.