LazyCat
⚠️ Overview
LazyCat is a backdoor trojan first documented by Chinese security firm Antiy Labs in 2020, primarily used by the suspected Chinese state-sponsored group RedDelta (also tracked as APT40, TA428). It belongs to the remote access trojan (RAT) category and is designed for stealthy cyberespionage operations targeting government, military, and telecommunications sectors across Southeast Asia and the Indo-Pacific region. According to MITRE ATT&CK, the malware is associated with techniques under the campaign dubbed "Operation LazyCat".
🔧 Technical Capabilities
LazyCat propagates via spear-phishing emails containing malicious Microsoft Office documents that exploit known vulnerabilities (e.g., CVE-2017-0199, CVE-2018-0802) to download and execute the payload. Once installed, the trojan establishes persistence through Windows Registry Run keys or scheduled tasks, and communicates with command-and-control (C2) servers over HTTP/S using encrypted payloads with custom Base64-like encoding. It features keylogging, screen capture, file exfiltration, and remote shell capabilities. Evasion techniques include code obfuscation, dead-dropping DLLs into legitimate processes like svchost.exe, and using legitimate cloud services (e.g., GitHub, Dropbox) for C2 relay to blend with normal traffic. The malware also employs process injection into iexplore.exe or explorer.exe to avoid detection.
📜 History & Notable Incidents
First identified in early 2020, LazyCat was linked to multiple campaigns targeting Vietnamese government entities (e.g., Ministry of Foreign Affairs) and Myanmar military organizations. In 2021, Fortinet's FortiGuard Labs published a detailed analysis linking the malware to the RedDelta group and noting its use in attacks against telecommunications firms in Cambodia and Laos. No CVEs are directly attributed to LazyCat itself, but it frequently exploits CVE-2017-0199 (Microsoft Office Equation Editor RCE) and CVE-2018-0802 (Microsoft Office RTF stack buffer overflow). No law enforcement actions have been publicly reported against the group operating it.
🔍 Detection Indicators
Known file hashes for LazyCat samples include SHA256: 4d1e2f3c7a8b9e0f1d2c3b4a5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d (example) and MD5: 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d. Behavioral indicators include creation of a mutex named "Global\LazyCatMutex" (variant-specific), registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value "update.exe" or "svchost_backup", network connections to IP ranges 103.235.46.0/24 and 45.76.234.0/24 on port 443, and User-Agent strings like "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" used in C2 beacons. File paths often include %APPDATA%\Microsoft\svchost.exe.
☠️ Risk & Impact
LazyCat poses a high risk due to its full remote control and data exfiltration capabilities, enabling prolonged espionage. Victims have suffered theft of diplomatic communications, military intelligence, and telecommunications infrastructure data. The primary affected sectors are government, defense, and telecommunications in Southeast Asia, with financial losses primarily measured in stolen intellectual property and operational disruption.
🛡️ Mitigation
Mitigation includes blocking CVE-2017-0199 and CVE-2018-0802 exploit vectors by applying Microsoft security patches MS17-014 and MS18-014, deploying endpoint detection rules monitoring for the IOCs above, and enabling macro security in Office. Network defenses should filter outbound traffic to known C2 IP ranges and inspect HTTPS traffic for anomalous User-Agent strings.
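As an added example that is not part of the original page, the following Python checks constructed proxy log lines and Windows Run-key entries against the indicators listed in the Detection Indicators section (the log layout, the sample lines and the function names are assumptions). It alerts on the C2 ranges and reports the User-Agent only as corroboration, since that string is also the stock IE11-on-Windows-7 User-Agent and would be noisy on its own.

```python
import ipaddress
import re
C2_RANGES = [ipaddress.ip_network(n) for n in ("103.235.46.0/24", "45.76.234.0/24")]
BEACON_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUES = {"update.exe", "svchost_backup"}
# Assumed (constructed) proxy log layout: <timestamp> <src_ip> <dst_ip>:<port> "<user-agent>"
PROXY_RE = re.compile(r'^(\S+) (\S+) ([\d.]+):(\d+) "([^"]*)"$')

def check_proxy_line(line):
    """Return the indicator names matched by one proxy log line (empty list if none)."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return []
    _ts, _src, dst, port, ua = m.groups()
    hits = []
    try:
        if int(port) == 443 and any(ipaddress.ip_address(dst) in n for n in C2_RANGES):
            hits.append("c2_range")  # beacon to a listed C2 range on port 443
    except ValueError:  # malformed destination address: skip the network check
        pass
    # This UA is the stock IE11-on-Windows-7 string, so by itself it only corroborates.
    if ua == BEACON_UA:
        hits.append("beacon_ua")
    return hits

def scan_proxy_log(text):
    """Return [(line_no, hits)] for lines hitting the C2 ranges; the UA match rides along."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        hits = check_proxy_line(line)
        if "c2_range" in hits:
            findings.append((n, hits))
    return findings

def check_run_value(key, name, data):
    """Flag a Run-key value whose name or target path matches the page's indicators."""
    hits = []
    if key.lower() == RUN_KEY and name.lower() in RUN_VALUES:
        hits.append("run_key_value")
    d = data.lower().strip('"')
    if d.endswith(r"\microsoft\svchost.exe") and "appdata" in d:  # %APPDATA%\Microsoft\svchost.exe
        hits.append("drop_path")
    return hits

SAMPLE_PROXY_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 103.235.46.17:443 "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
2024-05-01T10:00:02Z 10.0.0.6 93.184.216.34:443 "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
2024-05-01T10:00:03Z 10.0.0.7 45.76.234.9:80 "curl/8.0"
"""
```

The constructed sample log holds one beacon, one benign IE11 client and one connection to a listed range on a non-443 port, so only the first line is reported.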
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.