MulCom

Malware

⚠️ Overview

MulCom is a remote access trojan (RAT) documented by Zscaler ThreatLabz in November 2023 and attributed to the threat actor tracked as TA444, distributed primarily through phishing campaigns targeting cryptocurrency and blockchain firms. The aliases often listed alongside that name do not describe the same group: "Water Curupira" is Trend Micro's name for a Pikabot distribution cluster, "Muddled Libra" is Unit 42's name for Scattered Spider, and Proofpoint tracks TA444 as a North Korea-aligned, cryptocurrency-focused group rather than a Chinese-speaking one, so the actor attribution should be treated as unconfirmed. MulCom is categorized as both a stealer and a RAT: it exfiltrates credentials, cryptocurrency wallet data, and browser cookies while providing persistent remote control over infected hosts.

🔧 Technical Capabilities

MulCom propagates via spear-phishing emails carrying malicious Microsoft Office attachments (typically .xls or .doc) whose VBA macros download the payload from adversary-controlled servers. Command and control (C2) is HTTP-based, carrying encrypted JSON payloads, at times on non-standard TCP ports, and shaped to resemble legitimate API traffic so that it blends in with normal web activity. Persistence is achieved through scheduled tasks and registry Run keys (e.g., a value named WindowsUpdateService under HKCU\Software\Microsoft\Windows\CurrentVersion\Run). Evasion techniques include anti-debugging checks via IsDebuggerPresent, string and code obfuscation using XOR and base64 encoding, and dynamic API resolution to defeat static import analysis. In MITRE ATT&CK terms this corresponds to T1059.005 (Command and Scripting Interpreter: Visual Basic), T1071.001 (Application Layer Protocol: Web Protocols), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and, for the scheduled-task persistence, T1053.005 (Scheduled Task/Job: Scheduled Task).
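An added example of how an analyst peels the XOR-plus-base64 layer off an embedded configuration blob. This is illustration code written for this page, not MulCom's own routine and not taken from the Zscaler report. It assumes a single-byte XOR key applied before base64 encoding and a compact JSON object underneath; the page reports XOR, base64 and JSON but specifies neither the key width nor the layering order, and the sample configuration and key below are constructed.

```python
import base64
import binascii
import json
from typing import Optional, Tuple

# Constructed sample config (not recovered from a real MulCom sample). The page
# reports XOR plus base64 obfuscation and JSON C2 payloads; a single-byte XOR
# key applied before base64 encoding is an assumption made for this example.
SAMPLE_CONFIG = {
    "host": "c2.example.invalid",
    "path": "/api/v2/collect",
    "mutex": "MULCOM_SESSION_1",
}
SAMPLE_KEY = 0x5A


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; single-byte XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def obfuscate(config: dict, key: int) -> str:
    """Serialize compact JSON, XOR it, then base64-encode (the assumed layering)."""
    raw = json.dumps(config, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(xor_bytes(raw, key)).decode("ascii")


def deobfuscate(blob: str) -> Optional[Tuple[int, dict]]:
    """Reverse the layering without knowing the key: base64-decode, then try all
    256 single-byte keys and keep the one whose output parses as a JSON object.
    Validating with the JSON parser is far more selective than a printable-text
    heuristic, which several neighbouring keys (e.g. key ^ 0x01) also satisfy."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    for key in range(256):
        candidate = xor_bytes(raw, key)
        try:
            parsed = json.loads(candidate.decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError):
            continue
        if isinstance(parsed, dict):
            return key, parsed
    return None


if __name__ == "__main__":
    blob = obfuscate(SAMPLE_CONFIG, SAMPLE_KEY)
    print("obfuscated:", blob)
    print("recovered :", deobfuscate(blob))
```

The parser-based check works because XOR is a bijection on each byte position: only the correct key turns the leading byte back into `{`, so no other key can yield a JSON object. If a real sample uses a multi-byte rolling key, the loop becomes a per-position search with the same acceptance test.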

📜 History & Notable Incidents

First observed in early 2023 by Palo Alto Networks Unit 42, MulCom was linked to a campaign named "Operation Carpe Diem" that targeted over 60 cryptocurrency exchanges and DeFi platforms across Asia and North America. In June 2024 the group used CVE-2023-38831, a WinRAR vulnerability in which opening a benign-looking file inside a crafted archive executes a script stored alongside it, to deliver the trojan in some campaigns. The flaw lowers rather than removes the need for user interaction: the victim still has to open the archive and click the decoy file, but no macro warning or download prompt is shown. No major law enforcement actions against the group had been reported as of 2025.

🔍 Detection Indicators

Known behavioral indicators include creation of a mutex named "MULCOM_SESSION_1" and values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with names such as "WindowsServiceHost". Network indicators include HTTPS POST requests to /api/v2/collect with a User-Agent beginning Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36; that prefix is the stock Chrome-on-Windows User-Agent, so it is only meaningful in combination with the URI path and destination, never on its own. File hashes (SHA256) are not reproduced here; see the Zscaler report and the corresponding VirusTotal entries.

☠️ Risk & Impact

MulCom exfiltrates stored credentials, cryptocurrency private keys, and browser session tokens, with financial losses reportedly averaging $500,000 per incident according to Chainalysis. Affected sectors are primarily cryptocurrency exchanges, DeFi platforms, and fintech companies, with secondary targeting of legal and accounting firms that service those industries.

🛡️ Mitigation

Defenders should block macro-enabled Office attachments from unknown senders, enable the Microsoft Defender attack surface reduction rule "Block all Office applications from creating child processes" (and, where compatible with business workflows, "Block Win32 API calls from Office macros"), deploy YARA rules for the mutex string in files and memory, and hunt the HKCU Run key and scheduled tasks for the value names listed above. CVE-2023-38831 was fixed in WinRAR 6.23; that version or later should be deployed enterprise-wide, since WinRAR does not update itself.
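An added example, written for this page rather than taken from any vendor report, that applies the indicators from the Detection Indicators section to three kinds of evidence: a proxy log, a .reg export of the HKCU Run key, and raw file bytes (the last is what a one-string YARA rule for the mutex would match, as suggested under Mitigation). The tab-separated log format, the sample log entries, the registry export and the binary blob are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Indicators as listed on this page. The UA is matched as a prefix because the
# page gives only a prefix; it is the stock Chrome-on-Windows UA, so the C2
# path, not the UA, is the discriminating field.
IOC_MUTEX = b"MULCOM_SESSION_1"
IOC_RUN_VALUES = {"WindowsServiceHost", "WindowsUpdateService"}
IOC_C2_PATH = "/api/v2/collect"
IOC_UA_PREFIX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample data (not real captures). Assumed proxy log format:
# client <TAB> method <TAB> url <TAB> user-agent.
SAMPLE_PROXY_LOG = """\
10.0.0.5\tPOST\thttps://203.0.113.10/api/v2/collect\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
10.0.0.7\tGET\thttps://www.example.com/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
10.0.0.9\tPOST\thttps://api.example.org/api/v2/collect\tcurl/8.4.0
"""

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"WindowsServiceHost"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Installer"="C:\\Temp\\setup.exe"
"""

# Fake PE-like blob: 4-byte header, 16 bytes of padding, then the mutex string.
SAMPLE_BINARY = b"MZ\x90\x00" + b"\x00" * 16 + IOC_MUTEX + b"\x00" * 8


@dataclass(frozen=True)
class Finding:
    source: str  # "proxy", "registry" or "file"
    detail: str


def scan_proxy_log(log: str) -> List[Finding]:
    """Flag POSTs to the C2 path whose UA carries the browser prefix."""
    findings = []
    for line in log.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        client, method, url, ua = parts
        path = re.sub(r"^https?://[^/]+", "", url).split("?")[0]
        if method == "POST" and path == IOC_C2_PATH and ua.startswith(IOC_UA_PREFIX):
            findings.append(Finding("proxy", f"{client} -> {url}"))
    return findings


def scan_reg_export(text: str) -> List[Finding]:
    """Walk a .reg export and report IOC value names under the HKCU Run key only."""
    findings, section = [], ""
    for line in text.splitlines():
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1)
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and section.lower() == RUN_KEY.lower() and m.group(1) in IOC_RUN_VALUES:
            findings.append(Finding("registry", f"{section}\\{m.group(1)} = {m.group(2)}"))
    return findings


def scan_bytes(data: bytes, name: str) -> List[Finding]:
    """Equivalent of a one-string YARA rule: report the mutex name if present."""
    off = data.find(IOC_MUTEX)
    return [Finding("file", f"{name}: mutex string at offset {off}")] if off >= 0 else []


if __name__ == "__main__":
    for f in (scan_proxy_log(SAMPLE_PROXY_LOG)
              + scan_reg_export(SAMPLE_REG_EXPORT)
              + scan_bytes(SAMPLE_BINARY, "sample.bin")):
        print(f"[{f.source}] {f.detail}")
```

Only the first proxy line fires: the second has the same browser UA but a different path, and the third hits the path from a non-browser client, which is the situation the UA prefix is there to exclude. The registry scanner is scoped to the exact Run key the page names; extending it to RunOnce or the HKLM equivalents is a one-line change to the section test.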


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.