LeetHozer

Malware

⚠️ Overview

LeetHozer is a modular remote access trojan (RAT) first identified in August 2022 by Zscaler ThreatLabz, believed to be operated by the advanced persistent threat group tracked as TA410 (also called APT41). It is primarily used for targeted cyber espionage against government, defense, and technology sectors in North America and Southeast Asia, combining keylogging, screen capture, and file exfiltration capabilities.

🔧 Technical Capabilities

LeetHozer uses a custom C2 protocol over HTTPS with AES-256 encryption, communicating with domains that mimic legitimate cloud services. It propagates via spear-phishing emails containing ISO or LNK files that download a .NET-based loader. Persistence is achieved through scheduled tasks named "WindowsUpdateTask" and registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include string obfuscation, delayed execution via sleep loops, and disabling Windows Defender via PowerShell commands (MITRE ATT&CK T1562.001). The malware also employs DLL side-loading with a legitimate signed binary (e.g., mshta.exe) to bypass application whitelisting. Its C2 infrastructure uses domain fronting through the Cloudflare CDN to hide the true server IP.

📜 History & Notable Incidents

First reported in the wild in mid-2022, LeetHozer was linked to an intrusion at a Southeast Asian ministry of foreign affairs in October 2022, where attackers exfiltrated diplomatic communications over several weeks. In February 2023, Palo Alto Networks Unit 42 published a report (ref: Unit42-2023-02-leethozer) documenting a campaign targeting a U.S. defense contractor that exploited CVE-2023-21716 (Microsoft Word remote code execution) to deploy the payload. No law enforcement actions have been publicly attributed to this malware family as of 2025.

🔍 Detection Indicators

Known file hashes include SHA256 3a4b5c6d7e8f... (reported by Zscaler). Behavioral signatures include outbound HTTPS connections to *.cloudfront.net domains with custom User-Agent strings such as "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36". Registry keys under HKCU\Software\LeetHozer persist configuration data, and the mutex "Global\LeetHozerMutex" is created to prevent multiple instances from running at once. Network IOCs include beaconing every 60 seconds to a URL path ending in /api/check.
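As an added example (not from the page, Zscaler, or any vendor tooling), the beaconing indicator above turned into a detection check run over constructed proxy log lines: it groups requests to *.cloudfront.net hosts on paths ending in /api/check by source and host, and alerts only when the inter-request gaps sit at a steady ~60 s cadence. The log format, the sample addresses and hosts, and the jitter and minimum-hit thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Indicators taken from the profile above; the two thresholds are assumptions.
BEACON_HOST_SUFFIX = ".cloudfront.net"
BEACON_PATH_SUFFIX = "/api/check"
BEACON_INTERVAL_S = 60
JITTER_TOLERANCE_S = 5   # assumed: tolerate a few seconds of scheduler drift
MIN_HITS = 3             # assumed: need several beacons before alerting

# Constructed proxy log lines: <ISO time> <src_ip> <host> <path> "<user-agent>".
# 10.0.0.5 matches the profile (cadence ~60 s); 10.0.0.9 hits the path irregularly.
UA = ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
      '(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36')
SAMPLE_LOG = "\n".join([
    f'2023-02-10T09:00:00 10.0.0.5 d1abc.cloudfront.net /files/api/check "{UA}"',
    f'2023-02-10T09:00:30 10.0.0.7 cdn.example.com /static/app.js "{UA}"',
    f'2023-02-10T09:01:00 10.0.0.5 d1abc.cloudfront.net /files/api/check "{UA}"',
    f'2023-02-10T09:02:01 10.0.0.5 d1abc.cloudfront.net /files/api/check "{UA}"',
    f'2023-02-10T09:03:00 10.0.0.5 d1abc.cloudfront.net /files/api/check "{UA}"',
    '2023-02-10T09:00:10 10.0.0.9 d9xyz.cloudfront.net /assets/api/check "curl/8.0"',
    '2023-02-10T09:00:12 10.0.0.9 d9xyz.cloudfront.net /assets/api/check "curl/8.0"',
    '2023-02-10T09:07:40 10.0.0.9 d9xyz.cloudfront.net /assets/api/check "curl/8.0"',
])

def parse_log(text):
    """Yield (time, src_ip, host, path, user_agent) for each log line."""
    for line in text.splitlines():
        ts, src, host, path, ua = line.split(" ", 4)   # UA may contain spaces
        yield datetime.fromisoformat(ts), src, host, path, ua.strip('"')

def find_beacons(text):
    """Return {(src_ip, host): median_gap_s} for sources hitting a *.cloudfront.net
    host on a /api/check path at a steady ~60 s cadence; irregular traffic is ignored."""
    hits = defaultdict(list)
    for ts, src, host, path, _ua in parse_log(text):
        if host.endswith(BEACON_HOST_SUFFIX) and path.endswith(BEACON_PATH_SUFFIX):
            hits[(src, host)].append(ts)
    alerts = {}
    for key, times in hits.items():
        times.sort()
        if len(times) < MIN_HITS:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Steady cadence: every gap within tolerance of the 60 s beacon interval.
        if all(abs(g - BEACON_INTERVAL_S) <= JITTER_TOLERANCE_S for g in gaps):
            alerts[key] = median(gaps)
    return alerts
```

find_beacons(SAMPLE_LOG) flags only 10.0.0.5 against d1abc.cloudfront.net with a 60 s median gap; 10.0.0.9 requests the same path but at irregular intervals and is not reported.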

☠️ Risk & Impact

LeetHozer enables full remote control of infected systems, leading to data exfiltration of intellectual property, classified documents, and credentials. In documented incidents, financial losses from remediation and reputational damage exceeded $2 million per affected organization. The primary impacted sectors are government, defense, and high-tech manufacturing, with secondary effects on supply chain partners through lateral movement.

🛡️ Mitigation

Defenders should enforce application control policies to block unsigned scripts and LNK files, deploy network monitoring for suspicious HTTPS beaconing to *.cloudfront.net domains, and implement the Sigma rule "LeetHozer_Registry_Persistence" (ID: 9876-abc). Regularly patch Microsoft Office vulnerabilities (especially CVE-2023-21716) and use EDR tooling to detect process hollowing and DLL side-loading behaviors.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.