Mortis

Malware

⚠️ Overview

Mortis is a modular remote access trojan (RAT) first observed in early 2023 by researchers at Proofpoint and subsequently attributed to the financially motivated threat group Proofpoint tracks as TA444. It is used for credential theft, data exfiltration, and as a loader for additional payloads, and has been reported primarily against the education and government sectors.

🔧 Technical Capabilities

Mortis propagates via phishing emails carrying weaponized PDFs or Microsoft Office documents that either exploit CVE-2017-11882 (the Equation Editor vulnerability) or rely on macro-based delivery. C2 traffic uses HTTP/HTTPS with payloads obfuscated by XOR and base64; some samples use WebSocket for real-time command execution. Persistence is achieved through scheduled tasks and registry Run keys. Evasion techniques include AMSI bypasses via reflection, sandbox detection by checking for analysis tools such as Process Monitor or Wireshark, and process hollowing to run inside legitimate processes such as svchost.exe. A detailed technical analysis by Zscaler (March 2023) documents its modular architecture, including keylogging, screen capture, and file upload modules.
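The page says only that C2 payloads are wrapped in XOR and base64, which is enough to show how an analyst unwraps such a message without knowing the key. The script below is an added example, not code from the page or from any published Mortis analysis: it base64-decodes a body, brute-forces a single-byte XOR key by scoring how text-like each candidate plaintext is, and returns the key and plaintext. The one-byte key size, the JSON-style beacon layout and the sample message are constructed assumptions for illustration.

```python
"""
Added example (not from the original page or any published Mortis analysis):
unwrap a C2 message encoded as base64 over XOR and recover a single-byte XOR
key by scoring candidate plaintexts. Key size, message layout and the sample
body below are constructed assumptions.
"""
import base64

# Bytes that dominate English/JSON-style beacon text; scored above other printables.
FREQUENT = frozenset(b" etaoinshrdlu")
WHITESPACE = frozenset(b"\t\r\n")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating `key` (a one-byte key is the trivial case)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_message(plaintext: bytes, key: bytes) -> str:
    """Apply the assumed obfuscation in the sender's direction: XOR, then base64."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def text_score(candidate: bytes) -> int:
    """Reward common lowercase letters and spaces, tolerate other printables, punish control bytes."""
    score = 0
    for b in candidate:
        if b in FREQUENT:
            score += 3
        elif 0x20 <= b < 0x7F or b in WHITESPACE:
            score += 1
        else:
            score -= 20
    return score


def recover_single_byte_key(blob: bytes) -> tuple[int, bytes]:
    """Brute-force all 256 keys and keep the candidate that looks most like text."""
    best_key, best_plain, best_score = 0, blob, text_score(blob)
    for key in range(1, 256):
        plain = xor_bytes(blob, bytes([key]))
        score = text_score(plain)
        if score > best_score:
            best_key, best_plain, best_score = key, plain, score
    return best_key, best_plain


def decode_c2_message(b64: str) -> tuple[int, bytes]:
    """Reverse the wrapping: base64-decode the body, then recover key and plaintext."""
    return recover_single_byte_key(base64.b64decode(b64))


# Constructed beacon body and key; neither comes from a real sample.
SAMPLE_KEY = b"\x5a"
SAMPLE_PLAINTEXT = b'{"cmd":"upload","path":"C:\\Users\\alice\\Desktop\\thesis draft.docx","size":24576}'
SAMPLE_BODY = encode_message(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = decode_c2_message(SAMPLE_BODY)
    print(f"key=0x{key:02x} plaintext={plain!r}")
```

A repeating multi-byte key is handled the same way once its length is known: split the decoded blob into one stream per key position and recover each position's byte independently with the same scoring. If a real sample carries a key in the message itself or uses a per-session key, that detail must come from the sample, not from this script.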

📜 History & Notable Incidents

First reported by Proofpoint in January 2023 in TA444 campaigns, Mortis was used in targeted attacks against at least 15 universities across North America and Europe throughout 2023. No CVE is assigned to Mortis itself; the only CVE associated with it is CVE-2017-11882, used for initial access. In May 2023, CrowdStrike reported a campaign distributing Mortis alongside the Bumblebee loader, indicating collaboration between threat actors. No law enforcement actions had been publicly recorded as of mid-2025.

🔍 Detection Indicators

Known SHA256 hashes include 5a1f2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b (cited as an example from the Zscaler report; note that this value is a repeating 0-f sequence, the usual shape of a placeholder, so confirm it against the original report before adding it to a blocklist). Behavioral signatures include creation of a scheduled task named "AdobeUpdateTask", outbound HTTPS connections to the IP range 185.225.17.0/24, and a registry value named "RuntimeBroker" under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The mutex name "MORTIS_MUTEX_2023" has been observed. The User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" is commonly used; this is the stock Chrome 108 User-Agent, so on its own it matches legitimate browser traffic and is only useful when tied to a non-browser source process or to one of the destinations above.

☠️ Risk & Impact

Mortis poses a high risk of data theft: it exfiltrates credentials, academic research data, and financial information, leading to intellectual property loss and potential financial fraud. The education sector is particularly affected, with reported average incident costs exceeding $500,000 per breach (based on public breach notifications from 2023). Secondary infections, where Mortis acts as a downloader, have deployed Cobalt Strike and ransomware, amplifying the damage.

🛡️ Mitigation

Apply Microsoft's security update for CVE-2017-11882 (Microsoft has since removed the Equation Editor component entirely), make sure AMSI integration is active in your endpoint product, and block macros in documents from untrusted sources. Deploy the YARA rule from the Zscaler threat feed (Mortis_RAT_2023) and monitor for scheduled task creation and for WebSocket connections to suspicious IPs. Use endpoint detection tools that flag process injection into svchost.exe.
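The indicators in the Detection Indicators section and the monitoring called for above can be turned into a small hunting check. The script below is an added example, not code from the page or from any vendor feed: it parses constructed JSON-lines telemetry (Windows Security 4698 for task creation, Sysmon event 13 for a registry value set, Sysmon event 3 for a network connection, and a generic proxy record for the User-Agent), matches each record against the listed task name, Run value, IP range and User-Agent, and only reports "likely" when both a persistence and a C2 indicator are present, since the Chrome 108 User-Agent alone is not evidence. The field names and all sample records are assumptions; map them to your own SIEM schema.

```python
"""
Added example (not from the original page or any vendor report): score
constructed log records against the Mortis indicators listed on the page.
Event shapes and sample records are assumptions chosen for illustration.
"""
import ipaddress
import json

TASK_NAMES = {"AdobeUpdateTask"}
RUN_KEY_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker"
C2_RANGES = [ipaddress.ip_network("185.225.17.0/24")]
MORTIS_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")

# Constructed sample telemetry (JSON lines), not real logs. The HKCU hive shows
# up in Sysmon as HKU\<SID>\..., so the Run key is matched by suffix.
SAMPLE_LOG = r"""
{"source":"Security","EventID":4698,"TaskName":"\\AdobeUpdateTask","SubjectUserName":"alice"}
{"source":"Sysmon","EventID":13,"TargetObject":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\RuntimeBroker","Details":"C:\\Users\\alice\\AppData\\Roaming\\rb.exe"}
{"source":"Sysmon","EventID":3,"Image":"C:\\Windows\\System32\\svchost.exe","DestinationIp":"185.225.17.42","DestinationPort":443}
{"source":"Sysmon","EventID":3,"Image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","DestinationIp":"142.250.74.78","DestinationPort":443}
{"source":"Proxy","EventID":0,"UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36","Image":"C:\\Windows\\System32\\svchost.exe","Host":"185.225.17.42"}
"""


def in_c2_range(ip: str) -> bool:
    """True when `ip` parses and falls inside one of the listed C2 ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in C2_RANGES)


def check_event(ev: dict) -> list[str]:
    """Return the indicator names a single record matches (possibly several)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 4698 and ev.get("TaskName", "").split("\\")[-1] in TASK_NAMES:
        hits.append("persistence:scheduled_task")
    if eid == 13 and ev.get("TargetObject", "").endswith(RUN_KEY_SUFFIX):
        hits.append("persistence:run_key")
    if eid == 3 and in_c2_range(ev.get("DestinationIp", "")):
        hits.append("c2:ip_range")
    if ev.get("UserAgent") == MORTIS_UA:
        # Stock Chrome 108 UA: only interesting when a non-browser process sends it.
        if not ev.get("Image", "").lower().endswith(BROWSERS):
            hits.append("c2:user_agent_nonbrowser")
    return hits


def hunt(log_text: str) -> dict[str, list[str]]:
    """Parse JSON lines and map each matched indicator to the records that hit it."""
    findings: dict[str, list[str]] = {}
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        for name in check_event(ev):
            findings.setdefault(name, []).append(f"{ev['source']}:{ev['EventID']}")
    return findings


def verdict(findings: dict[str, list[str]]) -> str:
    """Require both a persistence and a C2 indicator before calling it likely Mortis."""
    families = {name.split(":")[0] for name in findings}
    if {"persistence", "c2"} <= families:
        return "likely"
    return "suspicious" if findings else "clean"


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    print(json.dumps(found, indent=2))
    print("verdict:", verdict(found))
```

The mutex name is not visible in these log sources; it is a memory or sandbox artifact and has to be checked by enumerating handles on a suspect host. Likewise, process hollowing into svchost.exe is not reliably captured by Sysmon's CreateRemoteThread event and is better left to the endpoint product the Mitigation section mentions.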

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.