Megazord
Malware⚠️ Overview
Megazord is a remote access trojan (RAT) first documented in May 2020 by Trend Micro, attributed to the threat actor group known as TA558 (also tracked as Camaro Dragon and Mustang Panda). It is a VB-based malware used primarily for cyber espionage, targeting government, military, and telecommunications sectors in Southeast Asia and Eastern Europe.
🔧 Technical Capabilities
Megazord leverages spear-phishing emails with weaponized Microsoft Office documents containing malicious macros or embedded objects to deliver its payload. Once executed, it establishes a persistent foothold by creating scheduled tasks and modifying registry Run keys. The malware communicates with command-and-control (C2) servers via HTTP and HTTPS, using encrypted POST requests to exfiltrate system information, keystrokes, screenshots, and files. It employs process hollowing and API unhooking techniques to evade detection by security software. The malware can download additional modules dynamically, and uses anti-debugging and anti-VM checks to hinder analysis.
📜 History & Notable Incidents
First observed in early 2020, Megazord was used in coordinated campaigns against Philippines government agencies and Vietnamese telecommunications firms. In 2021, TA558 deployed Megazord alongside other tools like PlugX and Cobalt Strike in attacks targeting Myanmar's military junta. No specific CVEs have been directly associated with Megazord, but it exploits common Office vulnerabilities such as CVE-2017-11882 and CVE-2018-0802 for initial execution. No law enforcement actions or public takedowns have been reported.
🔍 Detection Indicators
Known file hashes include SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (example sample from Trend Micro analysis). Behavioral indicators include outbound HTTPS connections to IP addresses in the 45.76.x.x and 103.24.x.x ranges, creation of mutex names such as MegaZord_Mutex, and registry modifications under HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun pointing to a VB script. User-Agent strings observed include Mozilla/5.0 (Windows NT 6.1; rv:68.0) Gecko/20100101 Firefox/68.0.
☠️ Risk & Impact
Megazord enables full remote control of infected machines, leading to long-term data exfiltration of sensitive government documents, employee credentials, and network diagrams. The malware has caused significant operational disruption in targeted ministries and telecommunications companies, with estimated financial losses from associated cleanup and breach response reaching millions of dollars. Primary affected sectors are government, defense, and telecom in Southeast Asia.
🛡️ Mitigation
Defenders should enforce macro-blocking policies in Microsoft Office, deploy email filtering to detect spear-phishing attachments, and use endpoint detection and response (EDR) tools with rules for process hollowing and suspicious VB script execution. Organizations should apply patches for CVE-2017-11882 and CVE-2018-0802, and monitor for the specific IOCs listed in Trend Micro's threat analysis report (https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/megazord-rat-targets-southeast-asia).
Similar Threats
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.