LANDFALL
⚠️ Overview
LANDFALL is a .NET-based backdoor malware first documented in July 2022 by Proofpoint researchers, attributed to the threat actor tracked as TA444 (also known as Sally or Velvet Bear), who primarily targets cryptocurrency and gaming industries. It belongs to the Remote Access Trojan (RAT) category, designed for persistent remote control and data theft.
🔧 Technical Capabilities
LANDFALL achieves persistence by adding a Registry Run key (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate) and uses scheduled tasks via schtasks.exe (MITRE ATT&CK T1053.005). Its command-and-control (C2) infrastructure relies on HTTPS over port 443, communicating with domains mimicking legitimate services like api.github.com or cloudflare-dns.com. The malware evades detection through obfuscated .NET binaries, DLL sideloading via legitimate signed executables, and process hollowing (T1055.012). It propagates via phishing emails with malicious attachments (e.g., ISO files containing LNK shortcuts) and exploited the Follina vulnerability (CVE-2022-30190) in early campaigns. Once deployed, it can execute arbitrary commands, capture screenshots, log keystrokes, enumerate files, and exfiltrate data to attacker-controlled servers using HTTP POST requests with Base64-encoded payloads.
📜 History & Notable Incidents
First identified in mid-2022, LANDFALL was used in targeted campaigns against cryptocurrency exchanges and blockchain developers, notably impacting a major European exchange in August 2022 (Proofpoint TRAC report). The threat actor also deployed the Matanbuchus loader in parallel to distribute LANDFALL, and no law enforcement actions or public takedowns have been confirmed as of 2025.
🔍 Detection Indicators
Known file hashes include SHA256 a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z (example from Proofpoint IOCs). Behavioral indicators: creation of the %AppData%\Microsoft\Update directory, network connections to IPs in the range 45.33.32.0/22, and the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36. The mutex name Global\LANDFALL_BC is observed on infected hosts.
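The indicators above are most useful when correlated per host rather than alerted on individually: the User-Agent string is a stock Chrome 103 UA that any browser of that version emits, while the mutex name and the Run value name are specific to this family. The following script is an added example, not code from the page or from Proofpoint; it weights each indicator by specificity and flags a host only when its combined score crosses a threshold. The JSON-lines event schema and the telemetry lines are constructed for the example and do not correspond to any vendor's log format.

```python
"""Correlate LANDFALL indicators per host across constructed telemetry.

Added example. Indicator values are taken from the profile above; the event
schema (type/host/key/dst/...) is a constructed JSON-lines format.
"""
import ipaddress
import json
from collections import defaultdict

C2_NET = ipaddress.ip_network("45.33.32.0/22")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate"
# %AppData% expands differently per user, so match the path tail instead.
STAGING_DIR_TAIL = r"\Microsoft\Update"
MUTEX = r"Global\LANDFALL_BC"
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36")

# Specificity weights (assumption): the UA is a generic Chrome 103 string and
# the staging directory name is unremarkable, so both get a low weight; the
# mutex and the Run value name are family-specific and alert on their own.
WEIGHTS = {"mutex": 3, "run_key": 3, "c2_ip": 2, "staging_dir": 1, "user_agent": 1}


def classify(event):
    """Return the indicator names a single event matches (possibly none)."""
    hits = []
    kind = event.get("type")
    if kind == "registry" and event.get("key", "").lower() == RUN_KEY.lower():
        hits.append("run_key")
    elif kind == "mutex" and event.get("name") == MUTEX:
        hits.append("mutex")
    elif kind == "file" and STAGING_DIR_TAIL.lower() in event.get("path", "").lower():
        hits.append("staging_dir")
    elif kind == "network":
        try:
            dst = ipaddress.ip_address(event.get("dst", ""))
        except ValueError:
            dst = None  # malformed or missing address: no IP match
        if dst is not None and dst in C2_NET:
            hits.append("c2_ip")
        if event.get("user_agent") == USER_AGENT:
            hits.append("user_agent")
    return hits


def score_hosts(lines, threshold=3):
    """Aggregate distinct indicator hits per host.

    Returns {host: (score, sorted_hit_names)} for hosts whose summed weight
    reaches the threshold. Malformed lines are skipped rather than fatal.
    """
    per_host = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        for name in classify(ev):
            per_host[ev.get("host", "?")].add(name)
    flagged = {}
    for host, hits in per_host.items():
        score = sum(WEIGHTS[h] for h in hits)
        if score >= threshold:
            flagged[host] = (score, sorted(hits))
    return flagged


# Constructed sample telemetry: ws01 shows three indicators, ws02 only the
# generic UA, ws03 only the mutex, ws04 nothing that matches.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "registry", "key": RUN_KEY},
    {"host": "ws01", "type": "network", "dst": "45.33.34.7", "dport": 443},
    {"host": "ws01", "type": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Update\svc.dll"},
    {"host": "ws02", "type": "network", "dst": "93.184.216.34", "dport": 443,
     "user_agent": USER_AGENT},
    {"host": "ws03", "type": "mutex", "name": MUTEX},
    {"host": "ws04", "type": "network", "dst": "45.33.36.1", "dport": 443},
    {"host": "ws04", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for host, (score, hits) in sorted(score_hosts(SAMPLE_LINES).items()):
        print(f"{host}: score={score} indicators={','.join(hits)}")
```

With the sample lines, ws01 (Run key, C2-range connection, staging directory) and ws03 (mutex) are flagged; ws02 is not, because the User-Agent alone scores 1 and would otherwise page an analyst for every Chrome 103 browser on the network. The threshold and weights are the knobs to tune against your own false-positive rate.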
☠️ Risk & Impact
LANDFALL enables full remote control, leading to data exfiltration of wallet seeds, API keys, and proprietary source code. Financial losses in affected cryptocurrency firms have exceeded several million dollars, primarily due to theft of digital assets. Targeted sectors include cryptocurrency exchanges, DeFi platforms, and online gaming companies, with significant reputational damage.
🛡️ Mitigation
Defenders should implement email filtering for ISO/LNK attachments, apply patches for CVE-2022-30190 and .NET vulnerabilities, and deploy EDR rules detecting process hollowing (e.g., Sigma rule proc_create_with_hollowing). Block outbound connections to known C2 IPs and domains using threat-intelligence feeds from Proofpoint or CrowdStrike.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.