MISTCLOAK
⚠️ Overview
MISTCLOAK is described in the page's source as an information stealer and remote access trojan (RAT), documented by Trend Micro in July 2024 during analysis of targeted intrusions against government entities in Southeast Asia. The source attributes it to the group Trend Micro tracks as Earth Estries, assessed to be Chinese state-sponsored. (TA444 and Bronze President are not aliases of Earth Estries: TA444 is Proofpoint's name for a North Korea-aligned cluster, and Bronze President is Secureworks' name for Mustang Panda/Earth Preta.) MISTCLOAK is characterised as a modular backdoor capable of credential theft, file exfiltration, and keylogging, and is frequently delivered alongside custom loaders.
🔧 Technical Capabilities
MISTCLOAK's primary initial access vector is reported to be spear-phishing email carrying malicious LNK files or ISO attachments, with exploitation of older Microsoft Office vulnerabilities such as CVE-2017-11882 (Equation Editor) for code execution. Once deployed, it establishes persistence via scheduled tasks masquerading as legitimate Windows update services and uses AES-encrypted C2 communication over HTTPS to blend with normal traffic, reportedly routed through Cloudflare Tunnel so that the true C2 origin sits behind Cloudflare's edge (an origin-hiding technique, distinct from classic domain fronting). The malware employs environmental keying to evade sandboxes, checking for specific registry values (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt) and for a mutex named "Global\MSCT_Global_Mutex_2024" before executing payloads; the mutex also prevents a second instance from running. It performs process hollowing against legitimate Windows executables (e.g., svchost.exe), relying on native APIs such as NtWriteVirtualMemory and NtCreateThreadEx for injection, and uses API hooking to intercept sensitive data. C2 infrastructure relies on dynamic DNS domains and compromised WordPress sites for command relay, with fallback to hardcoded IP addresses. MITRE ATT&CK techniques consistent with this description include T1059.003 (Windows Command Shell), T1053.005 (Scheduled Task), T1547.001 (Registry Run Keys / Startup Folder), T1055.012 (Process Hollowing), and T1041 (Exfiltration Over C2 Channel).
📜 History & Notable Incidents
According to the page's source, MISTCLOAK was observed in a campaign targeting the Ministry of Foreign Affairs of a Southeast Asian nation in April 2024, as reported by Trend Micro in a July 2024 research paper titled "Earth Estries: MISTCLOAK and Its Cyber Espionage Tactics". Note that the name MISTCLOAK already appears in Mandiant's November 2022 reporting on the China-nexus cluster UNC4191, where it denotes a launcher spread over removable drives in Southeast Asia, so the 2024 reporting is not the first public use of the name. The same threat group had previously deployed similar tools, including an older variant called "StealthVector," since at least 2020. CVEs are assigned to vulnerabilities, not to malware, so none apply to MISTCLOAK itself; it exploits known Microsoft Office vulnerabilities (CVE-2017-11882) and uses living-off-the-land binaries (LOLBins) such as PowerShell and BITSAdmin for payload staging and lateral movement. As of early 2025, no law enforcement actions or arrests have been publicly linked to the group.
🔍 Detection Indicators
Key behavioral signatures include dropped files named "upd.exe" or "msct.sys" in %TEMP%, and the creation of scheduled tasks named "AdobeFlashUpdateTask" or "MicrosoftEdgeUpdateTask" (match these names exactly; the legitimate Edge updater registers tasks with similar prefixes such as "MicrosoftEdgeUpdateTaskMachineCore"). Network IOCs include C2 domains of the form "msct-*.dynv6.net" and HTTPS POST requests carrying the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36". That User-Agent is a stock Chrome 91 string, so on its own it is noise; treat it as corroborating only when it appears on POSTs to dynamic DNS hosts or other suspicious destinations. File hashes (SHA-256) should be taken directly from Trend Micro's published IoC list for the July 2024 report; the example hashes previously shown here were placeholders, not real indicators, and have been removed. Registry artifacts include "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSCTUpdate" and the mutex "Global\MSCT_Global_Mutex_2024".
☠️ Risk & Impact
MISTCLOAK poses a high risk to government and diplomatic sectors, as its primary function is intelligence gathering through sustained credential theft and document exfiltration. Affected organizations have reported losses of classified documents and internal communications, though specific financial losses remain undisclosed due to the sensitive nature of the victims. The malware's ability to maintain long-term access and evade detection using legitimate infrastructure makes it particularly dangerous for national security.
🛡️ Mitigation
Organizations should implement strict email attachment filtering for LNK and ISO files, apply patches for CVE-2017-11882 and other Microsoft Office vulnerabilities (Microsoft removed the vulnerable Equation Editor component in the January 2018 update, so fully patched Office is not affected), and enable Microsoft Defender Attack Surface Reduction (ASR) rules that block Office applications from creating child processes, creating executable content, or injecting into other processes. Detection rules based on Trend Micro's published IoCs (domains, hashes, registry keys, task and mutex names) should be integrated into SIEM platforms, and network monitoring should flag HTTPS connections to dynamic DNS domains, especially POSTs from hosts that have no business reason to reach them. Regular user awareness training on spear-phishing tactics is also essential.
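As an added example (not code from Trend Micro, Boteraser, or the malware's author), the following Python sketch turns the indicators listed in the Detection Indicators section and the SIEM-rule point in the Mitigation section into detection logic run over constructed host events and proxy log lines. The indicator strings are the ones given on this page; the proxy log format, the host-event dictionary shape, and the list of dynamic-DNS suffixes are assumptions made for the example, and the hard-coded values should be replaced with the vendor's published IoC list before use.

```python
"""Detection sketch for the MISTCLOAK indicators listed on this page.

Added example; the telemetry below is constructed, not real captures.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicator values as listed on the page (replace with the vendor IoC list).
DROPPED_FILES = {"upd.exe", "msct.sys"}
TASK_NAMES = {"AdobeFlashUpdateTask", "MicrosoftEdgeUpdateTask"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSCTUpdate"
MUTEX = r"Global\MSCT_Global_Mutex_2024"
C2_DOMAIN_RE = re.compile(r"^msct-[a-z0-9-]+\.dynv6\.net$", re.I)
# Assumption: generic dynamic-DNS suffixes to flag at low severity; tune per site.
DYNDNS_SUFFIXES = (".dynv6.net", ".ddns.net", ".no-ip.org", ".duckdns.org")
C2_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
         "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")

# Assumed proxy log layout: "<ts> <src-ip> <method> <url> <status> \"<user-agent>\""
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str  # "high" or "low"
    detail: str


def check_host_event(ev: dict) -> list[Alert]:
    """Evaluate one host event (assumed Sysmon-like dict with a 'type' field)."""
    alerts: list[Alert] = []
    kind = ev.get("type")
    if kind == "file_create":
        path = ev["path"].replace("/", "\\")
        name = path.rsplit("\\", 1)[-1].lower()
        # Only the %TEMP% location is an indicator; the bare file name is too common.
        if name in DROPPED_FILES and "\\temp\\" in path.lower():
            alerts.append(Alert("dropped_file", "high", path))
    elif kind == "task_create":
        # Exact match: legitimate Edge tasks share the "MicrosoftEdgeUpdateTask" prefix.
        if ev["name"] in TASK_NAMES:
            alerts.append(Alert("masquerading_task", "high", ev["name"]))
    elif kind == "registry_set":
        if ev["key"].lower() == RUN_KEY.lower():
            alerts.append(Alert("run_key_persistence", "high", ev["key"]))
    elif kind == "mutex_create":
        # The environmental-keying mutex is created by a running sample.
        if ev["name"] == MUTEX:
            alerts.append(Alert("known_mutex", "high", ev["name"]))
    return alerts


def check_proxy_line(line: str) -> list[Alert]:
    """Evaluate one proxy log line; unparsable lines produce no alert."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return []
    host = (urlparse(m["url"]).hostname or "").lower()
    alerts: list[Alert] = []
    if C2_DOMAIN_RE.match(host):
        alerts.append(Alert("known_c2_domain", "high", f"{m['src']} -> {host}"))
    elif host.endswith(DYNDNS_SUFFIXES):
        alerts.append(Alert("dyndns_https", "low", f"{m['src']} -> {host}"))
    # The UA is a stock Chrome 91 string, so it only counts when combined with a
    # POST to a dynamic-DNS host; alone it would drown analysts in noise.
    if m["method"] == "POST" and m["ua"] == C2_UA and host.endswith(DYNDNS_SUFFIXES):
        alerts.append(Alert("c2_beacon_pattern", "high", f"{m['src']} POST {host} with pinned UA"))
    return alerts


def run(host_events: list[dict], proxy_lines: list[str]) -> list[Alert]:
    alerts: list[Alert] = []
    for ev in host_events:
        alerts.extend(check_host_event(ev))
    for line in proxy_lines:
        alerts.extend(check_proxy_line(line))
    return alerts


# Constructed sample telemetry (not real data).
SAMPLE_HOST_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"type": "file_create", "path": r"C:\Program Files\Vendor\upd.exe"},  # not in %TEMP%
    {"type": "task_create", "name": "MicrosoftEdgeUpdateTask"},
    {"type": "task_create", "name": "MicrosoftEdgeUpdateTaskMachineCore"},  # legitimate look-alike
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSCTUpdate"},
    {"type": "mutex_create", "name": r"Global\MSCT_Global_Mutex_2024"},
]
SAMPLE_PROXY_LINES = [
    f'2024-07-10T09:15:02Z 10.0.0.12 POST https://msct-a1b2.dynv6.net/api/upload 200 "{C2_UA}"',
    f'2024-07-10T09:15:40Z 10.0.0.12 GET https://www.example.com/ 200 "{C2_UA}"',  # UA alone: no alert
    '2024-07-10T09:16:11Z 10.0.0.31 POST https://home-cam.ddns.net/push 200 "curl/8.4.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for a in run(SAMPLE_HOST_EVENTS, SAMPLE_PROXY_LINES):
        print(f"[{a.severity:4}] {a.rule}: {a.detail}")
```

The design point worth copying is the tiering: exact-match host artifacts and the msct-*.dynv6.net pattern are high-severity on their own, while the generic dynamic-DNS suffix and the stock User-Agent only escalate when they co-occur on a POST, which keeps the rule usable in a SIEM without flooding it.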
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.