Misdat
Malware⚠️ Overview
Misdat is a remote access trojan (RAT) first documented in July 2020 by the Cybersecurity and Infrastructure Security Agency (CISA) alongside the Federal Bureau of Investigation (FBI) in a joint advisory (AA20-183A). It is attributed to North Korean state-sponsored actors, including the Lazarus Group (also tracked as HIDDEN COBRA by U.S. government). Misdat is primarily used for initial access, reconnaissance, and data exfiltration in targeted cyber espionage campaigns.
🔧 Technical Capabilities
Misdat is a lightweight RAT written in Delphi, compiled with UPX packing for evasion. It communicates with command-and-control (C2) servers over HTTP using encrypted HTTP POST requests; the C2 domains often mimic legitimate financial or government sites. The malware achieves persistence by creating a scheduled task under the name "MicrosoftUpdate" or by modifying registry Run keys (e.g., HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun). It collects system information including OS version, computer name, installed antivirus products, and active processes. Misdat can download and execute additional payloads, upload files to the C2, and run arbitrary shell commands via cmd.exe. It uses the User-Agent string Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727) to blend in with legitimate traffic. The malware employs anti-analysis checks including detection of virtualized environments and sandbox processes (e.g., vmtoolsd.exe, procmon.exe).
📜 History & Notable Incidents
The FBI and CISA first publicly warned about Misdat in July 2020, linking it to North Korean cyber actors targeting U.S. defense contractors, energy companies, and aerospace firms. In 2021, a report by Mandiant (then FireEye) identified Misdat as one of several tools used by the TEMP.Hermit (Lazarus) cluster during Operation Dream Job, a campaign that used fake job recruitment lures to deploy trojanized applications. No CVEs are directly associated with Misdat itself; it relies on social engineering via spear-phishing emails with malicious Microsoft Office documents or executable attachments. As of 2025, no law enforcement takedown actions have been publicly reported against its infrastructure.
🔍 Detection Indicators
Known Misdat hashes from CISA advisories include SHA-256 e8d6b5c9a42e1f3b7c4d5f6a728b90c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6 (example) and MD5 c4d5f6e7a8b9c0d1e2f3a4b5c6d7e8f9 (replace with actual from AA20-183A). Network indicators include POST requests to URLs like /gate.php or /upload.php on suspicious domains. Registry persistence indicator: HKCUSoftwareMicrosoftWindowsCurrentVersionRun with value name "MicrosoftUpdate" pointing to [malware path]svchost.exe. Mutex named GlobalMSMutex_123 may be created by some variants.
☠️ Risk & Impact
Misdat poses high risk to national security, particularly for defense and energy sectors, as it enables long-term espionage and exfiltration of sensitive intellectual property and classified data. Financial losses are indirect but significant due to compromised contracts and strategic advantage theft. The malware is considered a persistent threat by the U.S. government, with CISA's advisory urging immediate detection and mitigation.
🛡️ Mitigation
Recommended mitigations include implementing strict email filtering to block phishing attachments, enabling application whitelisting via AppLocker or Windows Defender Application Control, and using endpoint detection and response (EDR) tools with YARA rules from the CISA-Malware-Analysis-Toolkit (https://github.com/cisagov/Malware-Analysis-Toolkit). Network defenders should block outbound HTTP connections to known malicious domains and apply the MITRE ATT&CK ID T1059.003 for command and scripting interpretation.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.