miniBlindingCan

Malware

⚠️ Overview

miniBlindingCan is a lightweight remote access trojan (RAT) that the sources compiled here date to early 2023 and attribute, via Proofpoint reporting, to the suspected Chinese-speaking threat group TA423. The name marks it as a reduced variant of BLINDINGCAN, the RAT that CISA documented in August 2020 and tied to North Korean HIDDEN COBRA activity; the TA423 attribution conflicts with that public lineage, so verify it against primary reporting before relying on it. Functionally it sits in the stealer and RAT category: credential theft plus persistent remote control of compromised systems.

🔧 Technical Capabilities

miniBlindingCan arrives through spear-phishing emails carrying weaponized attachments and through drive-by downloads from compromised WordPress sites. The sources associate CVE-2023-38831 with early variants; that flaw is in WinRAR's archive handling (fixed in 6.23), not in Excel, and it was publicly disclosed in August 2023, so it cannot account for variants observed in January 2023. Command-and-control traffic is AES-256 encrypted and carried over HTTPS, with DNS-over-HTTPS as a fallback channel. Persistence uses a scheduled task named "SysUpdateTask" and a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion includes process hollowing into svchost.exe, bypassing user-mode API hooks by issuing direct syscalls, and sleeping for 30 to 60 seconds to outlast sandbox analysis windows. It also disables Windows Defender through WMI and deletes volume shadow copies with vssadmin, removing the local rollback path that ransomware operators want gone before a payload runs.

📜 History & Notable Incidents

First observed in January 2023, miniBlindingCan was used in a campaign against Southeast Asian government ministries that exfiltrated email credentials and VPN configuration files. A significant incident in March 2023 involved the compromise of a Philippine telecommunications provider and the leak of 1.2 million customer records. CVEs are assigned to vulnerabilities rather than to malware, so none names this family directly; the initial-access flaws reported alongside it are CVE-2023-38831 (WinRAR archive handling) and CVE-2021-40444 (MSHTML remote code execution via malicious Office documents). Note that CVE-2023-38831 was not publicly disclosed until August 2023, after the January 2023 activity described here.

🔍 Detection Indicators

The two strings the sources give as SHA-256 hashes, 3a4b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5 (61 hex characters, described as a VirusTotal sample) and 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b (52 hex characters), are not valid SHA-256 digests, which are exactly 64 hex characters. Do not load them into blocklists or hunt queries as-is; obtain verified hashes from a primary source. The behavioural indicators are more useful: repeated connections to 185.234.72.155 on TCP port 8443, creation of the mutex "GlobalBlindCanMutex" (most likely Global\BlindCanMutex, the backslash between the namespace prefix and the name having been lost in extraction), and the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" sent by a process that is not a browser. That string is a stock Chrome 91 identifier, so it is only meaningful when correlated with the originating process.
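The behavioural indicators above, together with the persistence and tampering behaviour from the Technical Capabilities section, can be matched over endpoint telemetry and grouped per host. The following is an added example written for this page; it is not code from the original source or from any vendor. The event records are constructed Sysmon-style telemetry with assumed field names (type, image, command_line, target_object, dst_ip, dst_port, user_agent, name), not real captures, and the mutex name assumes the backslash form Global\BlindCanMutex. It also includes the SHA-256 length check that the two strings quoted above fail.

```python
"""Indicator and behaviour matcher for the miniBlindingCan IOCs on this page.

Added example (not the source's code or any vendor's). Telemetry records are
constructed Sysmon-style events with assumed field names; nothing here is a
real capture.
"""
import re
from collections import Counter

# Indicators as given on the page (treat as unverified until confirmed).
C2_IP = "185.234.72.155"
C2_PORT = 8443
TASK_NAME = "SysUpdateTask"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
MUTEX = r"Global\BlindCanMutex"      # assumption: backslash form of "GlobalBlindCanMutex"
CHROME91_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "iexplore.exe"}

SHA256_RE = re.compile(r"[0-9a-f]{64}")


def is_valid_sha256(digest: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; anything else cannot be one."""
    return SHA256_RE.fullmatch(digest.strip().lower()) is not None


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(ev: dict) -> list:
    """Names of the rules that fire on a single telemetry record."""
    hits = []
    kind = ev.get("type")
    proc = basename(ev.get("image", ""))
    cmd = ev.get("command_line", "").lower()

    if kind == "process":
        if proc == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
            hits.append("shadow_copy_deletion")
        if proc == "schtasks.exe" and "/create" in cmd and TASK_NAME.lower() in cmd:
            hits.append("persistence_scheduled_task")
        # Defender's Set-MpPreference cmdlet and the MSFT_MpPreference WMI class
        # are two routes to the same real-time protection switch.
        if ("set-mppreference" in cmd and "disablerealtimemonitoring" in cmd) \
                or "msft_mppreference" in cmd:
            hits.append("defender_tamper")
    elif kind == "registry":
        target = ev.get("target_object", "")
        if target.lower().startswith(RUN_KEY.lower() + "\\"):
            hits.append("persistence_run_key")
    elif kind == "network":
        if ev.get("dst_ip") == C2_IP and ev.get("dst_port") == C2_PORT:
            hits.append("known_c2_connection")
    elif kind == "http":
        # The UA string is a stock Chrome 91 value; only the non-browser origin is suspicious.
        if ev.get("user_agent") == CHROME91_UA and proc not in BROWSERS:
            hits.append("browser_ua_from_non_browser")
    elif kind == "mutex":
        if ev.get("name") == MUTEX:
            hits.append("known_mutex")
    return hits


def triage(events: list) -> dict:
    """Count rule hits per host; several distinct rules on one host is the pattern to escalate."""
    per_host = {}
    for ev in events:
        for rule in match_event(ev):
            per_host.setdefault(ev["host"], Counter())[rule] += 1
    return per_host


# Constructed sample telemetry, not real captures. WS01 shows the full chain;
# WS02 shows benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin delete shadows /all /quiet"},
    {"host": "WS01", "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /tn "SysUpdateTask" /tr C:\Users\Public\up.exe /sc minute /mo 5'},
    {"host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS01", "type": "registry",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysUpdate"},
    {"host": "WS01", "type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "185.234.72.155", "dst_port": 8443},
    {"host": "WS01", "type": "http", "image": r"C:\Windows\System32\svchost.exe",
     "user_agent": CHROME91_UA},
    {"host": "WS01", "type": "mutex", "name": r"Global\BlindCanMutex"},
    {"host": "WS02", "type": "http",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "user_agent": CHROME91_UA},
    {"host": "WS02", "type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "203.0.113.7", "dst_port": 8443},   # TEST-NET address; the port alone is not an IOC
]


if __name__ == "__main__":
    for host, hits in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, dict(hits))
    for h in ("3a4b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5",
              "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b"):
        print(len(h), "chars:", "valid SHA-256" if is_valid_sha256(h) else "not a SHA-256 digest")
```

The per-host grouping is the point: any single rule fires on legitimate activity now and then (administrators delete shadow copies, update agents create scheduled tasks, plenty of software sends a browser-like User-Agent), but several distinct rules on one host within a short window is the chain the page describes and is what to escalate. The network rule matches the exact IP and port indicator to keep the signal tight; the egress block itself should be by address regardless of port.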

☠️ Risk & Impact

Infection leads to theft of stored browser passwords, VPN keys and Outlook credentials, and to remote file exfiltration, with government and telecommunications organisations in Southeast Asia as the primary targets. Financial losses for 2023 are estimated at over $4.7 million in ransom demands and recovery costs. The malware also drops secondary payloads, including a LockBit ransomware variant, so a miniBlindingCan detection should be handled as a ransomware precursor rather than as an isolated RAT infection.

🛡️ Mitigation

Defenders should apply Microsoft's patches for CVE-2021-40444 and update WinRAR to 6.23 or later to close CVE-2023-38831. Deploy YARA rules for the mutex and User-Agent strings, and correlate the User-Agent with the originating process, since the string itself is a common Chrome 91 identifier. Enable PowerShell script block logging and keep AMSI enabled; these are separate controls (script block logging records what PowerShell executes, AMSI lets the antimalware engine scan script content at run time). Block outbound connections to the known C2 address at the egress firewall and proxy, and alert on hits. Vendor detection names vary: "Trojan:Win32/MiniBlindingCan" follows Microsoft Defender's naming convention, so confirm the corresponding names in CrowdStrike Falcon and SentinelOne against each vendor's own threat intelligence rather than assuming a shared tag.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.