LookBack
Malware
⚠️ Overview
LookBack is a remote access trojan (RAT) written in C++ that Proofpoint researchers first described publicly on 1 August 2019, after observing it in spear-phishing campaigns against United States utility companies between 19 and 25 July 2019. Proofpoint noted that the VBA macros in the phishing documents overlapped with macros used in earlier APT10 (TA429, Stone Panda) campaigns, but it did not attribute LookBack to APT10; in 2020 it assigned the LookBack activity, together with the FlowCloud malware, to the group it tracks as TA410. LookBack is built for intelligence gathering and interactive remote control of compromised hosts.
🔧 Technical Capabilities
LookBack is delivered by spear-phishing emails carrying Microsoft Word attachments with malicious VBA macros. Once the user enables macros, the macro writes three components to disk and launches them: GUP.exe, a legitimate copy of the Notepad++ Generic Updater that is abused as a proxy for command-and-control (C2) traffic; libcurl.dll, a malicious loader named after the legitimate libcurl library; and sodom.txt, which carries the configuration and the RAT's command module. The loader decodes and runs the RAT, which relays its C2 communication through the GUP proxy to the operator's server over TCP port 80. Observed capabilities include enumerating services, processes and file-system data, deleting files, executing commands, taking screenshots, moving and clicking the mouse, rebooting the host, and deleting itself from the infected machine. Living off a signed, legitimate updater binary for the network leg is the malware's main evasion technique: the process that talks to the C2 is not itself malicious code.
📜 History & Notable Incidents
LookBack was first observed in phishing emails sent between 19 and 25 July 2019 to three United States companies in the utilities sector. The emails impersonated the National Council of Examiners for Engineering and Surveying (NCEES), a US engineering licensing board, and carried a Word document posing as a failed examination notice. Proofpoint documented the campaign in its Threat Insight post "LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards" (1 August 2019) and, in a September 2019 follow-up, reported further waves against the same sector using a lure impersonating Global Energy Certification. No CVEs are associated with LookBack: initial access relied on the victim enabling macros, not on a document exploit. No law enforcement takedown has been reported.
🔍 Detection Indicators
Atomic indicators (file hashes, sender domains and C2 IP addresses) are published in Proofpoint's reports and should be taken from there rather than from secondary copies, as the infrastructure changed between campaign waves. Behavioural indicators that survive such changes: a Microsoft Word process spawning GUP.exe (or another renamed copy of the Notepad++ Generic Updater) from a user-writable directory such as the user's profile or temp folder; GUP.exe, libcurl.dll and sodom.txt sitting side by side outside a Notepad++ installation; and outbound TCP connections to port 80 from that GUP.exe process. A legitimate GUP.exe lives in the Notepad++ install directory and is launched by notepad++.exe, so location and parent process separate the two cases. Email indicators: senders impersonating NCEES and, in later waves, Global Energy Certification, with a .doc attachment presented as an exam result notice.
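The behavioural chain above can be expressed as a two-stage correlation over endpoint telemetry. The Python below is an added example written for this page, not code from Proofpoint or from any LookBack analysis. It assumes Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) exported as JSON lines with Sysmon's own field names, and the events it processes are constructed samples, not real telemetry; the list of user-writable directory markers is likewise an assumption to be tuned per environment.

```python
"""Correlate Office-spawned executables with their outbound TCP/80 connections.

Added example (not Proofpoint's or the page's code). Assumes Sysmon Event ID 1
(process create) and Event ID 3 (network connect) exported as JSON lines using
Sysmon's own field names; all events below are constructed for illustration.
"""
import json

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Directory fragments a macro can write to without elevation (assumption: typical
# user-writable locations; extend for your environment).
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed JSON-lines telemetry. {B} is the malicious chain: Word drops and runs
# GUP.exe from the user's temp folder, which then connects out on TCP/80. {C} is a
# legitimate Notepad++ updater check from the install directory over 443.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessGuid": "{A}", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "ProcessGuid": "{B}", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\GUP.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"EventID": 1, "ProcessGuid": "{C}", "Image": "C:\\Program Files\\Notepad++\\updater\\GUP.exe", "ParentImage": "C:\\Program Files\\Notepad++\\notepad++.exe"}
{"EventID": 3, "ProcessGuid": "{C}", "Image": "C:\\Program Files\\Notepad++\\updater\\GUP.exe", "Protocol": "tcp", "DestinationIp": "198.51.100.7", "DestinationPort": 443}
{"EventID": 3, "ProcessGuid": "{B}", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\GUP.exe", "Protocol": "tcp", "DestinationIp": "203.0.113.10", "DestinationPort": 80}
"""


def load_events(jsonl: str) -> list[dict]:
    """Parse JSON lines, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_user_writable_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def detect_lookback_chain(events: list[dict]) -> list[dict]:
    """Two-stage correlation keyed on Sysmon's ProcessGuid.

    Stage 1 (medium): an Office process launches an executable that lives in a
    user-writable directory, which is how the LookBack macro starts GUP.exe.
    Stage 2 (high): that same child process opens an outbound TCP connection to
    port 80, matching the GUP proxy relaying RAT traffic to its C2.
    Legitimate GUP.exe runs from the Notepad++ install path under notepad++.exe
    and is never promoted to stage 1, so its network activity is ignored.
    """
    stage1 = {}  # ProcessGuid -> image path of the Office-spawned child
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1:
            parent = _basename(ev["ParentImage"])
            if parent in OFFICE_PARENTS and _in_user_writable_dir(ev["Image"]):
                stage1[ev["ProcessGuid"]] = ev["Image"]
                alerts.append({"stage": 1, "severity": "medium", "guid": ev["ProcessGuid"],
                               "detail": f"{parent} spawned {ev['Image']}"})
        elif ev.get("EventID") == 3:
            guid = ev["ProcessGuid"]
            if (guid in stage1 and ev.get("Protocol", "").lower() == "tcp"
                    and int(ev.get("DestinationPort", 0)) == 80):
                alerts.append({"stage": 2, "severity": "high", "guid": guid,
                               "detail": f"{stage1[guid]} -> {ev['DestinationIp']}:80/tcp"})
    return alerts


if __name__ == "__main__":
    for alert in detect_lookback_chain(load_events(SAMPLE_LOG)):
        print(f"[{alert['severity']}] stage {alert['stage']} {alert['guid']}: {alert['detail']}")
```

Keying on ProcessGuid rather than on the image name is deliberate: the malicious GUP.exe is byte-identical to the legitimate updater, so only its parent, its location and what it does next distinguish it. Stage 1 alone is a reasonable medium-severity signal for any macro-dropped payload; the port-80 connection from the same process is what raises it to a LookBack-shaped chain.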
☠️ Risk & Impact
LookBack gives its operators interactive control of the infected host: they can inventory the system, collect files and screenshots, run arbitrary commands, drive the mouse, and use the host as a foothold for further activity inside the victim network. The known targeting is the United States utilities sector, so the realistic impact is espionage against engineering and operational staff rather than direct financial loss. The RAT's self-delete command lets operators remove their tooling once they have what they came for, which shortens the window in which host forensics will find it.
🛡️ Mitigation
Defenders should block Office macros in documents from the internet (Office's default behaviour since 2022, and enforceable by policy), enable the Microsoft Defender Attack Surface Reduction rules that block Office applications from creating child processes and from creating executable content, and alert on Office processes spawning executables from user-writable paths. EMET is out of support and should not be relied on; its successor is Exploit Protection in Microsoft Defender. On the network, flag TCP/80 connections from non-browser processes, since the GUP proxy uses the port without the browser that would normally own it. Sysmon or EDR telemetry (process creation with parent image, network connections with originating process) is sufficient to detect the GUP.exe chain. Proofpoint's reports carry the indicators of compromise for each campaign wave. Relevant MITRE ATT&CK techniques: T1566.001 (Spearphishing Attachment), T1204.002 (User Execution: Malicious File), T1059.005 (Command and Scripting Interpreter: Visual Basic), T1090 (Proxy), T1113 (Screen Capture), and T1005 (Data from Local System).