Mikoponi

⚠️ Overview

Mikoponi is a sophisticated remote access trojan (RAT) first identified in June 2022 by the QiAnXin Threat Intelligence Center, attributed to the Chinese-language advanced persistent threat group tracked as TA428. It primarily targets government and telecommunications entities in Southeast Asia and Eastern Europe, operating as a second-stage payload deployed after initial compromise via spear-phishing or exploit kits.

🔧 Technical Capabilities

Mikoponi uses a modular plugin architecture to load capabilities on demand, including keylogging, file exfiltration, and credential harvesting. It propagates by scanning network shares over SMB and moves laterally via WMI and PsExec. C2 communication uses encrypted HTTPS to blend in with legitimate traffic, with DNS-over-HTTPS as a fallback channel for resilience. Persistence is achieved through scheduled tasks and Windows service installation under names that mimic system processes. Evasion techniques include API unhooking, process injection into svchost.exe, and timestamp manipulation to defeat heuristic detection. The malware also performs anti-debugging checks using NtQueryInformationProcess and delays execution when it detects a sandbox environment.

📜 History & Notable Incidents

First documented by QiAnXin in June 2022, Mikoponi was linked to the campaign Operation Crimson Tempest, which targeted Vietnamese telecom providers in late 2022. In March 2023, the group exploited CVE-2021-40444 (MSHTML remote code execution) in attacks on Ukrainian defense contractors. No law enforcement actions have been publicly reported, though the group’s infrastructure was disrupted by takedowns carried out by China’s cybersecurity authorities in October 2023.

🔍 Detection Indicators

Known file hashes include SHA256 4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5 (from VirusTotal). Behavioral indicators include creation of the mutex Global\Mikoponi_svc and a registry run key named WindowsUpdateHelper under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Network IOCs include HTTPS requests to domains mimicking microsoft-update[.]com and the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36.

☠️ Risk & Impact

Mikoponi enables full remote control and data exfiltration, with reported theft of classified diplomatic communications and telecom subscriber databases. Financial losses are unquantified, but affected sectors include government, telecommunications, and defense in Vietnam, Ukraine, and Indonesia. The malware’s modular nature allows operators to deploy ransomware or wiper modules as secondary payloads, escalating impact.

🛡️ Mitigation

Defenders should deploy signatures for Mikoponi’s mutex and registry keys (e.g., the Sigma rule win_mikoponi_persistence from SOC Prime). Apply patches for CVE-2021-40444 and filter anomalous HTTPS traffic to untrusted domains at the network boundary. Use EDR solutions that detect process hollowing and injection, and restrict WMI/SMB lateral movement via group policy.
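To show how the registry, DNS and User-Agent indicators from the Detection Indicators section translate into a concrete hunting check, here is an added example (not code from the page or from any vendor rule) that matches them against normalized Sysmon events and proxy records. The Sysmon field names (EventID 13 TargetObject, EventID 22 QueryName) are real; the proxy record layout, the hostnames and all sample events are constructed assumptions.

```python
"""Match the Mikoponi persistence and network indicators against
normalized Sysmon events (13 = RegistryValueSet, 22 = DnsQuery) and
web-proxy records. All events below are constructed sample telemetry."""
import re

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "WindowsUpdateHelper"
# The indicators section names a lookalike of microsoft-update[.]com;
# match the apex and any subdomain, never the real microsoft.com.
LOOKALIKE = re.compile(r"(^|\.)microsoft-update\.com$", re.IGNORECASE)
# Stock Chrome 102 User-Agent: on its own it is noise, so it only
# corroborates a lookalike-domain hit rather than alerting alone.
KNOWN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36")

def _normalize_hive(path: str) -> str:
    """Sysmon logs the hive as HKLM\\...; other exports spell it out."""
    prefix = "HKEY_LOCAL_MACHINE\\"
    if path.upper().startswith(prefix):
        return "HKLM\\" + path[len(prefix):]
    return path

def match_event(ev: dict) -> list[str]:
    """Return the indicator names a single event matches (empty if none)."""
    hits = []
    if ev.get("EventID") == 13:
        key, _, value = _normalize_hive(ev.get("TargetObject", "")).rpartition("\\")
        if key.lower() == RUN_KEY.lower() and value == RUN_VALUE:
            hits.append("run_key_WindowsUpdateHelper")
    elif ev.get("EventID") == 22:
        if LOOKALIKE.search(ev.get("QueryName", "")):
            hits.append("dns_microsoft-update_lookalike")
    elif ev.get("Source") == "proxy":  # assumed proxy record layout
        if LOOKALIKE.search(ev.get("Host", "")):
            hits.append("https_microsoft-update_lookalike")
            if ev.get("UserAgent") == KNOWN_UA:
                hits.append("ua_matches_reported_mikoponi_ua")
    return hits

def hunt(events: list[dict]) -> dict[str, list[str]]:
    """Map each host to the distinct indicators observed on it."""
    found: dict[str, list[str]] = {}
    for ev in events:
        for hit in match_event(ev):
            host_hits = found.setdefault(ev.get("Computer", "?"), [])
            if hit not in host_hits:
                host_hits.append(hit)
    return found

SAMPLE_EVENTS = [  # constructed telemetry; ws02 is benign by design
    {"Computer": "ws01", "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateHelper"},
    {"Computer": "ws01", "EventID": 22, "QueryName": "cdn.microsoft-update.com"},
    {"Computer": "ws02", "Source": "proxy", "Host": "www.microsoft.com", "UserAgent": KNOWN_UA},
    {"Computer": "ws03", "Source": "proxy", "Host": "microsoft-update.com", "UserAgent": KNOWN_UA},
]
```

Running `hunt(SAMPLE_EVENTS)` flags ws01 and ws03 only; ws02 shows that the reported User-Agent without a lookalike domain produces no alert.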

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.