Marap

Malware

⚠️ Overview

Marap is a Python-based remote access trojan (RAT) first documented in April 2020 by Palo Alto Networks’ Unit 42 and attributed to the Russian state-sponsored threat group Gamaredon (also tracked as Shuckworm, Primitive Bear, or ACTINIUM). Reported use is limited to targeted cyber-espionage operations against Ukrainian government agencies, military organizations, and critical infrastructure entities. Unlike commodity malware, Marap is a custom-built tool deployed in small, highly targeted campaigns rather than in mass spam runs.

🔧 Technical Capabilities

Marap is delivered by spear-phishing emails carrying malicious Microsoft Office documents or archives that exploit CVE-2017-11882 (Equation Editor memory corruption) or CVE-2017-0199 (Office OLE link handling) for initial execution. Once running, it uses the Telegram Bot API for command-and-control (C2): it polls the bot for instructions and exfiltrates data through the same channel, which lets the traffic blend in with legitimate HTTPS to api.telegram.org. Persistence is established with a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and with scheduled tasks created through schtasks.exe. Evasion techniques include packing the Python payload with PyInstaller (so no separate python.exe needs to be present on the host), launching stages through legitimate Microsoft binaries such as mshta.exe and regsvr32.exe, and disabling Windows Defender real-time protection through PowerShell. The implant can capture keystrokes, take screenshots, enumerate files, and upload stolen data to Telegram using a bot token hard-coded in the binary. To avoid attention it is often dropped under the name of a legitimate system utility, such as svchost.exe or conhost.exe, but from a user-writable directory rather than System32.

📜 History & Notable Incidents

First observed in early 2020 targeting Ukrainian state bodies, Marap was later associated with Gamaredon’s broader campaign against the Ukrainian government, which intensified after the February 2022 full-scale Russian invasion. Unit 42 reported that Marap samples were distributed alongside other Gamaredon tools such as Pterodo and OutSteel. No CVEs are tied to Marap itself; it relies on the older CVE-2017-11882 and CVE-2017-0199 for initial compromise. Law enforcement actions have not specifically targeted Marap, but international sanctions have been placed on Gamaredon operators, and Ukraine’s CERT-UA has issued public advisories on the group’s activity.

🔍 Detection Indicators

This entry does not reproduce verified file hashes; obtain them from the original publisher’s indicator lists. Behavioral signatures include outbound HTTPS connections to api.telegram.org carrying the User-Agent string Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36; note that this exact string is a widely copied default in scripts and tooling, so on its own it is a low-fidelity indicator and should be combined with the originating process. Registry persistence uses the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name WindowsUpdate; mutex names such as MarapMutex and Global\MSUpdate_Mutex have been reported. Network indicators include the Telegram bot token embedded in the binary, which appears in C2 URLs as https://api.telegram.org/bot<numeric id>:<35-character secret>/<method> (the bot123456:ABC-DEF shape). Because the token is hard-coded, extracting it from a sample and revoking or monitoring it is usually more valuable than any hash.
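A small static-triage script that ties the indicators above together, added here as an example; it is not from Unit 42, CERT-UA or any vendor tooling. It checks a file image for the PyInstaller CArchive magic, extracts anything shaped like a Telegram bot token, and looks for the literal strings reported above. The token regex, the string list and the sample bytes are assumptions for illustration (the sample is constructed, not a real binary).

```python
"""Static triage for a suspected Marap sample (added example, not vendor code)."""
import re
from typing import Dict, List

# PyInstaller writes a CArchive cookie whose magic bytes are MEI\x0c\x0b\x0a\x0b\x0e.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Telegram bot token shape: numeric bot id, colon, 35 chars of [A-Za-z0-9_-].
# Assumed pattern for illustration; lookbehind/lookahead stop partial matches.
TOKEN_RE = re.compile(rb"(?<!\d)(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")

# Literal strings reported for this family (see the indicators above), as bytes.
STRING_IOCS = [
    b"api.telegram.org",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"WindowsUpdate",
    b"MarapMutex",
    b"Global\\MSUpdate_Mutex",
]


def is_pyinstaller(blob: bytes) -> bool:
    """True if the PyInstaller archive cookie is present anywhere in the image."""
    return PYINSTALLER_MAGIC in blob


def extract_bot_tokens(blob: bytes) -> List[str]:
    """Return every token-shaped string, e.g. from a /bot<token>/sendDocument URL."""
    return [m.group(1).decode("ascii") for m in TOKEN_RE.finditer(blob)]


def find_string_iocs(blob: bytes) -> List[str]:
    """Return the reported literal strings that occur in the image, in list order."""
    return [s.decode("ascii") for s in STRING_IOCS if s in blob]


def triage(blob: bytes) -> Dict:
    """Summarise packing, embedded tokens, literal IOCs and the derived C2 URLs."""
    tokens = extract_bot_tokens(blob)
    return {
        "pyinstaller": is_pyinstaller(blob),
        "bot_tokens": tokens,
        "string_iocs": find_string_iocs(blob),
        # getUpdates is the polling endpoint a bot-based C2 has to call.
        "c2_urls": [f"https://api.telegram.org/bot{t}/getUpdates" for t in tokens],
    }


# Constructed sample image (NOT a real binary): a fake MZ header, a C2 URL with a
# dummy token, the persistence strings, a mutex name and the PyInstaller cookie.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"https://api.telegram.org/bot1234567890:" + b"A" * 35 + b"/sendDocument\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00WindowsUpdate\x00"
    + b"Global\\MSUpdate_Mutex\x00"
    + PYINSTALLER_MAGIC + b"\x00" * 16
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against a real file with `triage(open(path, "rb").read())`. Any token it returns should be checked against the Telegram API (a `getMe` call with the token) only from an isolated analysis host, since doing so from a corporate egress tells the operator the sample is being looked at.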

☠️ Risk & Impact

Marap gives the operator full remote control of a compromised system, leading to persistent exfiltration of sensitive documents, login credentials, and internal network maps. The primary impact is intelligence gathering against Ukrainian government, defense, and energy sectors in support of the war effort. Financial losses are indirect and consist of remediation costs and operational disruption. CERT-UA has assessed the risk to state entities as critical because Gamaredon’s campaigns are continuous rather than one-off.

🛡️ Mitigation

Defenders should apply patches for CVE-2017-11882 and CVE-2017-0199, disable legacy Office features (DDE, automatic OLE object activation), and filter malicious attachments at the mail gateway. YARA rules published by Unit 42 can detect Marap payloads. Endpoint detection rules should flag Python interpreters launched from non-standard directories, PyInstaller-packed executables running from user-writable paths (a PyInstaller one-file binary unpacks itself into a %TEMP%\_MEIxxxxxx directory at start-up), schtasks.exe and Run-key persistence pointing at those paths, and outbound Telegram API calls. Network monitoring for api.telegram.org activity from non-browser processes is recommended; the destination is legitimate, so the process making the connection is the signal. For additional details, refer to Unit 42’s report “Gamaredon Group Updates its Malware Toolkit” (April 2020) and the relevant MITRE ATT&CK techniques: T1566.001 (Phishing: Spearphishing Attachment, which replaced the retired T1193), T1547.001 (Registry Run Keys), T1053.005 (Scheduled Task), and T1102 (Web Service C2).
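The endpoint and network rules from the paragraph above, expressed as detection logic over constructed Sysmon-style events. This is an added example, not Unit 42’s YARA or anything from the original page; the event field names, the browser allowlist, the Python install-path allowlist and the sample events are assumptions made for illustration.

```python
"""Behavioural detections for the Marap TTPs described above (added example)."""
import ntpath
import re
from typing import Dict, List, Tuple

# Assumed allowlists. Tune to the estate before deploying anything like this.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PYTHON_HOMES = ("c:\\program files", "c:\\python")
PYTHON_USER_HOME = "\\appdata\\local\\programs\\python\\"   # per-user installer default
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
MASQUERADE_NAMES = {"svchost.exe", "conhost.exe"}
# Sysmon logs HKCU as HKU\<SID>; accept both spellings of the Run key.
RUN_KEY_RE = re.compile(
    r"^(hkcu|hku\\[^\\]+)\\software\\microsoft\\windows\\currentversion\\run\\?$", re.I)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _user_writable(text: str) -> bool:
    return any(marker in text.lower() for marker in USER_WRITABLE)


def check_event(ev: Dict) -> List[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    hits: List[str] = []
    image = ev.get("image", "")
    name = _base(image)
    if ev["type"] == "process_create":
        cmd = ev.get("cmdline", "").lower()
        low = image.lower()
        if name in ("python.exe", "pythonw.exe") and not (
                low.startswith(PYTHON_HOMES) or PYTHON_USER_HOME in low):
            hits.append("python_from_nonstandard_dir")
        if name in MASQUERADE_NAMES and not low.startswith(SYSTEM_DIRS):
            hits.append("system_binary_masquerade")
        if name == "schtasks.exe" and "/create" in cmd and _user_writable(cmd):
            hits.append("schtasks_persistence_user_path")
        if name in ("mshta.exe", "regsvr32.exe") and ("http" in cmd or _user_writable(cmd)):
            hits.append("lolbin_execution")
        if name in ("powershell.exe", "pwsh.exe") and "disablerealtimemonitoring" in cmd:
            hits.append("defender_tamper")
    elif ev["type"] == "network_connect":
        # The destination is legitimate; the originating process is the signal.
        if ev.get("dest_host", "").lower() == "api.telegram.org" and name not in BROWSERS:
            hits.append("telegram_api_from_non_browser")
    elif ev["type"] == "registry_set":
        if RUN_KEY_RE.match(ev.get("key", "")) and (
                ev.get("value_name") == "WindowsUpdate" or _user_writable(ev.get("data", ""))):
            hits.append("run_key_persistence")
    return hits


def scan(events: List[Dict]) -> List[Tuple[int, str]]:
    """Run every rule over every event and return (event id, rule) pairs."""
    return [(ev["id"], hit) for ev in events for hit in check_event(ev)]


# Constructed telemetry (not real logs) modelled on the behaviour described above.
DROPPER = "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
EVENTS = [
    {"id": 1, "type": "process_create", "image": DROPPER, "cmdline": DROPPER},
    {"id": 2, "type": "process_create", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\pythonw.exe",
     "cmdline": "pythonw.exe agent.pyc"},
    {"id": 3, "type": "process_create", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": f'schtasks.exe /Create /SC ONLOGON /TN "WindowsUpdate" /TR "{DROPPER}"'},
    {"id": 4, "type": "network_connect", "image": DROPPER, "dest_host": "api.telegram.org", "dest_port": 443},
    {"id": 5, "type": "network_connect", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"id": 6, "type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "WindowsUpdate", "data": DROPPER},
    {"id": 7, "type": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 8, "type": "process_create", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},   # benign control
]

if __name__ == "__main__":
    for event_id, rule in scan(EVENTS):
        print(f"event {event_id}: {rule}")
```

Events 5 and 8 are deliberate negatives: a browser reaching api.telegram.org and the real svchost.exe in System32 produce no alerts, which is the check that keeps these rules usable on a fleet where Telegram Desktop or browsers are legitimate.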


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.