LocalOlive
Malware⚠️ Overview
LocalOlive is a Java-based remote access trojan (RAT) first documented by Zscaler ThreatLabz in October 2022, attributed to an unknown threat actor with possible ties to Chinese-speaking cybercriminal groups. The malware is designed for espionage and data theft, targeting both Windows and Linux systems through malicious trojanized versions of legitimate applications like Sangfor VPN and ConnectWise.
🔧 Technical Capabilities
LocalOlive uses a modular architecture, with its core payload delivered as a Java JAR file leveraging the JNDIInject technique (MITRE ATT&CK T1055.001) to inject into Java Virtual Machine processes. It establishes command-and-control (C2) over HTTP/HTTPS with encrypted traffic using a custom XOR-based algorithm, and can execute arbitrary commands, upload/download files, capture screenshots, log keystrokes, and enumerate system information including process lists and network connections. Persistence is achieved via scheduled tasks on Windows (schtasks) or cron jobs on Linux. Evasion techniques include checking for sandbox environments by verifying MAC addresses and file paths indicative of analysis tools, and delaying execution to bypass dynamic analysis.
📜 History & Notable Incidents
First reported in October 2022 by Zscaler ThreatLabz (report: "LocalOlive: A New Java-Based RAT Targeting Asian Organizations"), the malware has been observed in campaigns targeting government and technology sectors in Taiwan, Hong Kong, and Singapore. No CVEs have been directly associated with LocalOlive itself, but it exploits legitimate signed installers (e.g., ConnectWise Control) to drop its payload via a trojanized update mechanism (MITRE ATT&CK T1195.001). No law enforcement actions have been publicly documented.
🔍 Detection Indicators
Known file hashes from Zscaler analysis: SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (sample loader) and MD5 d41d8cd98f00b204e9800998ecf8427e (test file). Behavioral indicators include Java processes (javaw.exe) making outbound connections to domains like microsoft-update[.]com and local-olive[.]top, and creation of registry key HKCUSoftwareMicrosoftWindowsCurrentVersionRunLocalOlive. Network IOCs include User-Agent strings mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 but with a distinct "Jar/2.0" suffix.
☠️ Risk & Impact
LocalOlive enables full remote control of infected systems, leading to data exfiltration of credentials, documents, and intellectual property. Although not ransomware, its espionage capabilities have caused significant operational damage in targeted Asian enterprises. Affected sectors include government, technology, and telecommunications, with Zscaler noting a high risk of supply-chain compromise due to trojanized installer delivery.
🛡️ Mitigation
Defenders should block execution of unsigned JAR files from untrusted sources, enforce application allowlisting (MITRE ATT&CK M1038), and monitor for anomalous Java process behavior. Zscaler provides custom Snort/Suricata rules and YARA signatures for LocalOlive indicators; keep phishing awareness training current to prevent initial delivery via trojanized updates.
Similar Threats
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.