MoleNet

Malware

⚠️ Overview

MoleNet is a remote access trojan (RAT) first documented by Fortinet’s FortiGuard Labs in March 2023, attributed to a Chinese-speaking threat actor tracked as APT-C-36 or BlindEagle, and primarily used for espionage against government and energy sector targets in South America. It is a .NET-based backdoor that communicates over HTTP/HTTPS, categorized as a stealer and reconnaissance tool rather than ransomware or botnet.

🔧 Technical Capabilities

MoleNet uses spear-phishing emails with malicious Microsoft Office documents containing VBA macros to deliver the initial payload, which then downloads the core DLL via PowerShell. The malware establishes persistence by creating a scheduled task named “WindowsUpdateTask” and modifying the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Its C2 infrastructure relies on encrypted HTTPS traffic to evade network detection, employing a custom XOR-based encryption for command obfuscation. MoleNet can capture keystrokes, take screenshots, enumerate files and processes, upload and download files, and execute arbitrary commands. It evades analysis by checking for sandbox environments (e.g., VMware or VirtualBox drivers) and terminating itself if one is detected. The malware also uses a User-Agent string mimicking legitimate browsers, such as “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36”, to blend into normal traffic.

📜 History & Notable Incidents

First observed in early 2023, MoleNet was deployed in campaigns targeting Colombian government agencies and energy companies, as reported by Fortinet in a March 2023 threat analysis. No specific CVEs are tied to MoleNet; it leverages known vulnerabilities in Microsoft Office (e.g., CVE-2017-11882 and CVE-2018-0802) for macro execution. As of early 2025, no law enforcement actions have been publicly documented against the operators.

🔍 Detection Indicators

Known SHA256 hashes include 0a7c9e1f2d3b4c5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9 (sample from FortiGuard). Behavioral indicators include repeated outbound HTTPS connections to IPs in ranges 45.76.xx/24 and 103.45.xx/16, creation of files named “SystemInfo.dat” and “KeyLog.txt” in %TEMP%, and the scheduled task “WindowsUpdateTask”. Registry artifacts include a value named “MoleNetUpdate” under the Run key.
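The following script turns the host and network indicators above into a small triage check. It is an added example, not code from FortiGuard or Boteraser. The scheduled-task name, Run-key value, and %TEMP% file names are the ones quoted on this page; the IP ranges are given here only partially (“45.76.xx/24”, “103.45.xx/16”), so the script widens them to the enclosing /16 networks, which is an assumption that will over-match and should be tightened with the full ranges from the original report. The log format, the repeat threshold, and all sample inputs are constructed for the example.

```python
"""Triage helpers for the MoleNet indicators listed above (added example)."""
import ipaddress
import re
from collections import Counter

# Indicators quoted on the page. The page's SHA256 value is malformed (63 hex
# characters), so it is deliberately not used here.
SCHEDULED_TASK = "WindowsUpdateTask"
RUN_KEY_VALUE = "MoleNetUpdate"
TEMP_FILES = {"systeminfo.dat", "keylog.txt"}  # compared case-insensitively

# ASSUMPTION: the page gives only "45.76.xx/24" and "103.45.xx/16"; widening to
# the enclosing /16s keeps the check runnable but over-matches.
SUSPECT_NETS = [
    ipaddress.ip_network("45.76.0.0/16"),
    ipaddress.ip_network("103.45.0.0/16"),
]
REPEAT_THRESHOLD = 3  # constructed: "repeated" outbound connections to one host


def check_host_artifacts(scheduled_tasks, run_key_values, temp_dir_listing):
    """Return (indicator, evidence) pairs for the host-side IoCs.

    Inputs are plain lists as exported from a scheduled-task dump, the HKCU Run
    key value names, and a directory listing of %TEMP%.
    """
    findings = []
    for task in scheduled_tasks:
        if task == SCHEDULED_TASK:
            findings.append(("scheduled_task", task))
    for value_name in run_key_values:
        if value_name == RUN_KEY_VALUE:
            findings.append(("run_key_value", value_name))
    for filename in temp_dir_listing:
        if filename.lower() in TEMP_FILES:
            findings.append(("temp_file", filename))
    return findings


# Constructed proxy/firewall log line shape: "... dst=<ip>:<port> ..."
LOG_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")


def check_proxy_log(lines):
    """Return {destination_ip: count} for HTTPS (443) destinations inside the
    suspect ranges that appear at least REPEAT_THRESHOLD times."""
    hits = Counter()
    for line in lines:
        match = LOG_RE.search(line)
        if not match or match.group("port") != "443":
            continue
        ip = ipaddress.ip_address(match.group("ip"))
        if any(ip in net for net in SUSPECT_NETS):
            hits[str(ip)] += 1
    return {ip: n for ip, n in hits.items() if n >= REPEAT_THRESHOLD}


# --- constructed sample inputs ------------------------------------------------
SAMPLE_TASKS = ["MicrosoftEdgeUpdateTaskMachineUA", "WindowsUpdateTask"]
SAMPLE_RUN_VALUES = ["OneDrive", "MoleNetUpdate"]
SAMPLE_TEMP = ["~DF1234.tmp", "SystemInfo.dat", "KeyLog.txt"]
SAMPLE_LOG = [
    "2023-03-14T10:02:11Z src=10.0.0.5 dst=45.76.12.34:443 ua=Mozilla/5.0",
    "2023-03-14T10:07:11Z src=10.0.0.5 dst=45.76.12.34:443 ua=Mozilla/5.0",
    "2023-03-14T10:12:11Z src=10.0.0.5 dst=45.76.12.34:443 ua=Mozilla/5.0",
    "2023-03-14T10:12:40Z src=10.0.0.5 dst=45.76.12.34:80 ua=Mozilla/5.0",
    "2023-03-14T10:13:02Z src=10.0.0.7 dst=103.45.7.8:443 ua=Mozilla/5.0",
    "2023-03-14T10:13:30Z src=10.0.0.7 dst=93.184.216.34:443 ua=Mozilla/5.0",
]

if __name__ == "__main__":
    for kind, evidence in check_host_artifacts(SAMPLE_TASKS, SAMPLE_RUN_VALUES, SAMPLE_TEMP):
        print(f"host indicator: {kind} -> {evidence}")
    for ip, count in check_proxy_log(SAMPLE_LOG).items():
        print(f"network indicator: {count} HTTPS connections to {ip}")
```

Running the block prints the four host artifacts and the one destination (45.76.12.34) that crossed the repeat threshold; the single connection to 103.45.7.8 and the port-80 line are below threshold or not HTTPS and are not reported, which is the kind of noise filtering that keeps a wide range like a /16 from paging an analyst on every hit.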

☠️ Risk & Impact

MoleNet enables persistent remote access and data exfiltration, targeting sensitive government documents and operational data in the energy sector. Financial losses are indirect, stemming from stolen intellectual property and espionage, but no public monetary figures exist. The primary impact is strategic intelligence theft affecting national security interests in Colombia and neighboring countries.

🛡️ Mitigation

Mitigation includes blocking macro execution in Office documents from untrusted sources, deploying endpoint detection rules for the known file hashes and scheduled task names, and monitoring outbound HTTPS to suspect IP ranges. Fortinet’s IPS signature “MoleNet.Backdoor” and YARA rules from their March 2023 report are recommended for detection. Reference: Fortinet FortiGuard Labs, “MoleNet: A New .NET Backdoor Targeting South America,” March 2023.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.