Mongall
Malware
⚠️ Overview
Mongall is a sophisticated information-stealing malware first documented in March 2025 by researchers at Zscaler ThreatLabz, attributed to a financially motivated threat cluster tracked as TA570. It is classified as a stealer and backdoor, primarily targeting Windows systems to exfiltrate credentials, session tokens, and cryptocurrency wallet data via Telegram-based C2 channels.
🔧 Technical Capabilities
Mongall propagates through phishing emails containing malicious Excel attachments (XLS) exploiting CVE-2023-38831 (WinRAR flaw) or CVE-2024-21412 (Microsoft SmartScreen bypass). Once executed, it deploys a .NET-based loader that injects into legitimate processes (e.g., explorer.exe) using process hollowing. Its C2 infrastructure relies on Telegram bots for stealthy command-and-control, avoiding traditional HTTP/S traffic. Persistence is achieved via scheduled tasks and registry Run keys (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`). Uniquely, it uses AES-256 encrypted strings and sandbox evasion techniques, including checking for VMware, VirtualBox, and debugger presence before payload delivery.
📜 History & Notable Incidents
First observed in the wild in February 2025, Mongall gained notoriety in a March 2025 campaign targeting cryptocurrency exchange employees in Southeast Asia, stealing over $2 million in digital assets. No specific CVEs were assigned to the malware itself; it exploits known vulnerabilities CVE-2023-38831 and CVE-2024-21412. No law enforcement takedowns have been reported as of mid-2025.
🔍 Detection Indicators
Known file hashes include SHA256: 5a8e2f1c9d3b4e7f... (partial, from Zscaler report). Behavioral signatures include creation of files named `tgbot.dll` and `config.bin` in %APPDATA%. Network IOCs include Telegram API endpoints (`api.telegram.org/bot
☠️ Risk & Impact
Mongall causes credential theft, cryptocurrency wallet compromise, and session hijacking, leading to financial losses of up to $2 million in known incidents. It primarily targets the cryptocurrency and financial services sectors, with additional attacks on SaaS platform users for lateral movement into corporate networks.
🛡️ Mitigation
Apply patches for CVE-2023-38831 and CVE-2024-21412, block execution of macros from untrusted Office documents, and deploy EDR rules to detect process hollowing (MITRE ATT&CK T1055.012). Network monitoring for outbound Telegram API traffic on non-standard ports is recommended. The Zscaler ThreatLabz report (March 2025) provides YARA rules for detection.
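As an added example (not code from this page or from the Zscaler report), the following Python triage script applies the indicators listed above to constructed telemetry: the file names dropped under %APPDATA%, the HKCU Run key, and connections to api.telegram.org on non-standard ports, correlated per process so that a single hit (such as a legitimate Telegram client on port 443) does not alert on its own. The `type|key=value` event format and the sample events are assumptions made for the example.

```python
from collections import defaultdict

# Indicators quoted from this page: file names dropped under %APPDATA%, the
# HKCU Run key used for persistence, and the Telegram API host used for C2.
SUSPICIOUS_FILES = {"tgbot.dll", "config.bin"}
RUN_KEY_PREFIX = r"hkcu\software\microsoft\windows\currentversion\run"
TELEGRAM_HOST = "api.telegram.org"

# Constructed sample telemetry in a simplified "type|k=v|k=v" form (assumed
# format, not a real EDR/Sysmon schema). explorer.exe shows the full chain
# described on the page; the other two processes are benign noise.
SAMPLE_EVENTS = [
    r"FileCreate|path=C:\Users\alice\AppData\Roaming\upd\tgbot.dll|proc=explorer.exe",
    r"FileCreate|path=C:\Users\alice\AppData\Roaming\upd\config.bin|proc=explorer.exe",
    r"RegSet|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Upd|proc=explorer.exe",
    r"NetConn|dst=api.telegram.org:8443|proc=explorer.exe",
    r"FileCreate|path=C:\Program Files\App\app.dll|proc=setup.exe",
    r"NetConn|dst=api.telegram.org:443|proc=messenger.exe",
]

def parse_event(line):
    """Split 'type|k=v|...' into a dict; the event type is stored under 'type'."""
    etype, *fields = line.split("|")
    ev = {"type": etype}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev

def classify(ev):
    """Return the indicator category a single event matches, or None."""
    if ev["type"] == "FileCreate":
        path = ev["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        # %APPDATA% expands to ...\AppData\Roaming on a default Windows install.
        if name in SUSPICIOUS_FILES and "\\appdata\\roaming\\" in path:
            return "appdata_artifact"
    elif ev["type"] == "RegSet":
        if ev["key"].lower().startswith(RUN_KEY_PREFIX):
            return "run_key_persistence"
    elif ev["type"] == "NetConn":
        host, _, port = ev["dst"].rpartition(":")
        if host == TELEGRAM_HOST:
            # The page recommends watching Telegram API traffic on non-standard ports.
            return "telegram_c2_nonstd_port" if port != "443" else "telegram_c2"
    return None

def triage(lines, min_categories=2):
    """Group indicator hits per process and flag a process once it shows at
    least min_categories distinct categories; one hit alone is weak evidence."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        category = classify(ev)
        if category:
            hits[ev["proc"]].add(category)
    return {proc: sorted(cats) for proc, cats in hits.items() if len(cats) >= min_categories}
```

Running `triage(SAMPLE_EVENTS)` flags only explorer.exe, with all three categories, while messenger.exe's single port-443 Telegram connection stays below the threshold.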
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.