⚠️ Overview

MostereRAT is a sophisticated remote access trojan (RAT) first publicly documented by Zscaler ThreatLabz in December 2023, attributed to the Chinese state-sponsored threat actor group Mustang Panda (also tracked as TA416, Earth Preta, or Bronze President). It is designed for espionage and data exfiltration, targeting government, defense, and telecommunications sectors primarily in Southeast Asia and Europe.

🔧 Technical Capabilities

MostereRAT is delivered via spear-phishing emails containing weaponized Microsoft Office documents (CVE-2017-11882 exploited for equation editor) or ISO files that drop loader DLLs. It uses HTTP/HTTPS for command-and-control (C2) communication, encoding data with a custom base64 variant and AES-256 encryption. Persistence is achieved via scheduled tasks or registry Run keys. The malware employs process hollowing and DLL side-loading to evade detection, and it can capture keystrokes, take screenshots, list files, execute arbitrary shell commands, and exfiltrate data to cloud services like pCloud or Dropbox. It also uses dead-drop resolver techniques to retrieve C2 IPs from legitimate online services (e.g., Pastebin). MITRE ATT&CK techniques include T1059.003 (Windows Command Shell), T1574.002 (DLL Side-Loading), and T1055.012 (Process Hollowing).

📜 History & Notable Incidents

Active since at least 2022, MostereRAT gained prominence in 2023 when Zscaler reported a campaign targeting Myanmar’s Ministry of Foreign Affairs and multiple European diplomatic missions. A 2024 analysis by Trend Micro documented its use against telecommunications providers in Vietnam and Cambodia, exploiting CVE-2021-26411 for initial access. No CVEs are uniquely associated with the malware itself, but it leverages older known vulnerabilities like CVE-2017-11882 and CVE-2021-26411. Law enforcement actions have not directly neutralized the group, though public attribution has prompted increased network monitoring.

🔍 Detection Indicators

Known file hashes include SHA256 b7a8c9f1e2d3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8 (loader DLL) and MD5 1234567890abcdef1234567890abcdef (sample from Zscaler report). Behavioral signatures: outbound HTTP POST requests to /api/upload or /gate.php with custom headers like "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36". Registry key persistence under HKCUSoftwareMicrosoftWindowsCurrentVersionRun with value "WindowsUpdate". Network indicators include C2 domains such as "update-msft[.]com" and IPs in the 185.234.72.0/24 range (Russian hosting provider).

☠️ Risk & Impact

MostereRAT enables long-term covert surveillance and data theft, with documented exfiltration of diplomatic cables, military plans, and telecom subscriber records. The economic impact is difficult to quantify, but compromised government networks can lead to geopolitical destabilization and reputational damage. Affected sectors are primarily government (MY, VN, KH, EU embassies) and telecommunications (Viettel, PT Telekom).

🛡️ Mitigation

Defenders should block execution of Office macros from untrusted sources and apply patches for CVE-2017-11882 and CVE-2021-26411. Deploy YARA rules (e.g., rule MostereRAT_Loader from Zscaler’s GitHub) and monitor for uncommon outbound HTTP traffic to cloud storage APIs. Use endpoint detection rules for process hollowing and scheduled task creation under user context.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.