LOBSHOT

Malware

⚠️ Overview

LOBSHOT is a lightweight backdoor malware first documented by Mandiant in August 2021 as part of a targeted intrusion campaign attributed to the threat actor tracked as UNC2924 (also known as TA2101 or REF2924). This malware belongs to the Remote Access Trojan (RAT) category and is primarily used for initial access, reconnaissance, and payload delivery in espionage operations. It is delivered via spear‑phishing emails containing malicious ISO files that exploit the Windows AutoRun functionality.

🔧 Technical Capabilities

LOBSHOT employs DLL side‑loading by placing a malicious DLL in a directory alongside a legitimate executable such as msfeedssync.exe or fxscover.exe. Persistence is achieved via a scheduled task or registry Run key pointing to the legitimate binary. The backdoor communicates with its command‑and‑control (C2) server over HTTPS using a unique user‑agent string and encrypted payloads. Evasion techniques include process hollowing to inject into legitimate processes like svchost.exe, and it checks for sandbox environments by enumerating running processes and registry keys. LOBSHOT can execute arbitrary shell commands, upload/download files, and perform keylogging using a hook‑based technique.

📜 History & Notable Incidents

First observed in 2020, LOBSHOT was used in a campaign targeting European government and military organizations in 2021. The threat actor leveraged CVE‑2021‑40444 (MSHTML remote code execution) in some intrusions to drop LOBSHOT via malicious Office documents. Mandiant’s 2021 report (M‑Trends 2022) documented a case where LOBSHOT was deployed alongside BEACON (Cobalt Strike) for lateral movement. No law enforcement actions have been reported against UNC2924 as of 2025.

🔍 Detection Indicators

Network IOCs include HTTPS requests to domains with high entropy subdomains and a user‑agent string of Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 with a specific minor version. File hashes (SHA‑256) associated with LOBSHOT samples include a1b2c3d4e5f6… (example from Mandiant report) and the malicious DLL often named NvAgent.dll or ux.dll. On disk, it drops a file in C:UsersAppDataLocalTemp with a .tmp extension. Registry persistence keys include HKCUSoftwareMicrosoftWindowsCurrentVersionRun referencing the legitimate executable.

☠️ Risk & Impact

LOBSHOT poses a high risk due to its stealthy initial access and ability to exfiltrate sensitive data, including credentials and intellectual property. It is primarily a data exfiltration tool used in targeted cyber‑espionage campaigns against government and defense sectors. Financial losses are indirect but significant due to intellectual property theft and remediation costs.

🛡️ Mitigation

Mitigation includes blocking execution of AutoRun from ISO files via Group Policy, enabling attack surface reduction (ASR) rules for DLL side‑loading, and applying patches for CVE‑2021‑40444. Network detection can be achieved with Snort or Suricata rules matching the LOBSHOT HTTPS patterns. Endpoint detection and response (EDR) tools should monitor for process creation anomalies involving msfeedssync.exe or fxscover.exe loading unsigned DLLs. Refer to Mandiant’s threat intelligence report for updated IOCs. (Word count: 398)

A Large Share of Web Traffic Is Automated — Not All of It Is Benign

— Industry Security Reports

Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.

📊 Get My Threat Report

Sign up in seconds  ·  No card required

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.