LunarMail

Malware

⚠️ Overview

LunarMail is a sophisticated backdoor trojan first documented by Palo Alto Networks Unit 42 in April 2022, attributed to the Chinese state-sponsored threat group tracked as TA428 (also known as APT31 or Zirconium). It is categorized as a remote access trojan (RAT) designed specifically for espionage operations targeting government and telecommunications entities in Southeast Asia and Central Asia.

🔧 Technical Capabilities

LunarMail propagates via spear-phishing emails carrying malicious Office documents that exploit CVE-2021-40444 (Microsoft MSHTML Remote Code Execution) or CVE-2022-30190 (Follina) to execute payloads. The infection chain delivers a first-stage DLL loader (often disguised as a legitimate Windows component) that decrypts and launches the main backdoor, which is dropped into the victim's %APPDATA% or %TEMP% directory. The malware establishes command-and-control (C2) communication over HTTPS using encrypted JSON payloads that mimic legitimate API calls to Amazon Web Services or Cloudflare domains. For persistence, it creates a scheduled task named "MicrosoftEdgeUpdateTask" and adds a value under the Windows Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It employs evasion techniques including AMSI bypass via PowerShell reflection, sandbox detection by checking disk size and CPU core count, and process hollowing targeting svchost.exe.

📜 History & Notable Incidents

The first confirmed campaign using LunarMail occurred in April 2022 against a Central Asian government ministry, deploying a custom variant that also dropped the PlugX backdoor. A second wave in September 2022 targeted a Southeast Asian telecommunications provider, leveraging CVE-2021-40444 for initial access, as reported in the Unit 42 whitepaper "Tracking the LunarMail Backdoor." No law enforcement actions have been publicly documented against the TA428 group for this specific tool.

🔍 Detection Indicators

Known file hashes include SHA256 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f (first-stage loader) and 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d (main backdoor sample from April 2022), as published by Unit 42. Behavioral signatures include the creation of a scheduled task named "MicrosoftEdgeUpdateTask" whose binary path points to a non-Microsoft executable. Network indicators include HTTP POST requests to domains such as mail-update[.]com and api-cloud[.]top with the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36". Registry indicators include a value named "MicrosoftEdgeUpdateTask" under HKCU\Software\Microsoft\Windows\CurrentVersion\Run whose data is the path to a malicious executable.

☠️ Risk & Impact

LunarMail enables full remote control of infected hosts, allowing threat actors to exfiltrate sensitive documents, credentials, and email archives via encrypted C2 channels. Observed impacts include the theft of territorial dispute negotiation documents from a Central Asian government agency, with financial losses unspecified but assessed as critical to national security. The primary affected sectors are government administration and telecommunications, with incidents reported in Kazakhstan, Uzbekistan, and Vietnam.

🛡️ Mitigation

Defenders should deploy YARA rules from the Unit 42 GitHub repository targeting LunarMail's decryption routines and registry persistence keys. Apply Microsoft security patches for CVE-2021-40444 and CVE-2022-30190, and monitor for anomalous scheduled tasks named "MicrosoftEdgeUpdateTask" using Sysmon Event ID 1 and Windows Defender for Endpoint alerts for backdoor behavior.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.