MysterySnail

Malware

⚠️ Overview

MysterySnail is a modular remote access trojan (RAT) first documented by Kaspersky in October 2021, after its researchers found it being installed by an exploit for CVE-2021-40449, a use-after-free in the Windows win32k kernel driver (in the NtGdiResetDC path) that was a zero-day at the time and gives a local attacker SYSTEM privileges. Kaspersky attributed the activity to IronHusky, a Chinese-speaking espionage group it has tracked since 2017, on the basis of command-and-control infrastructure shared with earlier IronHusky operations. The documented victims were IT companies, military and defence contractors, and diplomatic entities; the RAT is used for long-term cyber espionage and data theft.

🔧 Technical Capabilities

MysterySnail uses HTTP/HTTPS for command-and-control (C2) communication and wraps its C2 traffic in a custom encryption scheme to evade network inspection. Its command set covers file upload and download, an interactive shell, process creation and termination, drive and directory enumeration, and proxying of connections through the infected host; it is also reported to support process injection (MITRE ATT&CK T1055), credential dumping with Mimikatz (T1003) and keylogging. Persistence is achieved through Windows scheduled tasks (T1053.005) or registry Run keys (T1547.001), and the malware can blind security products by terminating their processes and services. The one vulnerability firmly tied to MysterySnail is CVE-2021-40449, which the operators used for local privilege escalation (T1068) before installing the RAT; the initial access vector of the 2021 intrusions has not been described publicly.

📜 History & Notable Incidents

Kaspersky found MysterySnail in late August and early September 2021 while investigating zero-day attacks on several Windows servers: the exploit for CVE-2021-40449 gained SYSTEM and then dropped the RAT. Microsoft patched the vulnerability on 12 October 2021 and Kaspersky published its analysis the same day, noting that the C2 infrastructure overlapped with earlier IronHusky activity. In 2025 Kaspersky reported an updated, modular MysterySnail build, together with a slimmed-down variant it named MysteryMonoSnail, in attacks on government organisations in Mongolia and Russia. No law enforcement actions have been publicly recorded.

🔍 Detection Indicators

Network indicators reported for MysterySnail include C2 domains that are either algorithmically generated or registered as lookalikes of legitimate services (e.g., *.microsoft-ntp[.]com), and the User-Agent string Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36. That string is the genuine User-Agent of Chrome 90 on 64-bit Windows 7, so on its own it only indicates an outdated browser; treat it as a weak signal to be correlated with the destination host, not as a standalone detection. Host indicators include a mutex named Global\{0A1B2C3D-4E5F-6789-ABCD-EF0123456789} and a persistence value at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SVChost (the legitimate svchost.exe is started by the Service Control Manager from %SystemRoot%\System32 and never needs a Run entry). File hashes are published in Kaspersky's reports and in the associated VirusTotal collections; validate any indicator against current vendor reporting before deploying it, since both the implant and its infrastructure were updated in 2025.
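The following Python script, added here as an example and not code from the page or from any vendor report, applies the indicators above to constructed input: it scans proxy log lines for the lookalike domain and the User-Agent string (scoring the UA as a weak signal, for the reason just given) and inspects a dictionary of HKCU Run values for the SVChost entry. The four-column tab-separated log format, the field names and the sample lines are assumptions for the example; the mutex check is omitted because it needs the Windows API (OpenMutex) and cannot run offline.

```python
"""Match the MysterySnail indicators listed above against proxy log lines and
HKCU Run-key values. Added example, not code from the page or any vendor."""
import re
from dataclasses import dataclass

# Indicators as listed on this page (the domain is de-fanged there as
# microsoft-ntp[.]com; it is re-fanged here so it can be matched).
LOOKALIKE_DOMAIN = "microsoft-ntp.com"
REPORTED_UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "SVChost"

# Assumed proxy access-log format for this example: four tab-separated
# columns: timestamp, client IP, destination host, user agent.
LOG_RE = re.compile(r"^(?P<ts>\S+)\t(?P<src>\S+)\t(?P<host>\S+)\t(?P<ua>.*)$")


@dataclass
class Finding:
    line_no: int
    severity: str
    reason: str


def is_lookalike(host: str) -> bool:
    """True for microsoft-ntp.com itself and for any subdomain of it."""
    h = host.lower().rstrip(".")
    return h == LOOKALIKE_DOMAIN or h.endswith("." + LOOKALIKE_DOMAIN)


def scan_proxy_log(lines):
    """Return one Finding per matching line; domain hits outrank UA hits."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        host, ua = m["host"], m["ua"]
        if is_lookalike(host):
            findings.append(Finding(n, "high", f"C2 lookalike domain {host}"))
        elif ua == REPORTED_UA:
            # A genuine Chrome 90 / Windows 7 UA: alone it only means "old
            # browser", so it is a weak signal, not a block rule.
            findings.append(Finding(n, "low", "reported UA string (weak signal)"))
    return findings


def check_run_key(values):
    """values: {value_name: command_line} as read from the HKCU Run key.
    Real svchost.exe is started by the Service Control Manager from
    %SystemRoot%\\System32 and never needs a Run entry, so a Run value named
    SVChost, or one that starts svchost.exe outside System32, is suspect."""
    hits = []
    for name, cmd in values.items():
        if name.lower() == RUN_VALUE_NAME.lower():
            hits.append(f"{RUN_KEY}\\{name} = {cmd}")
        elif "svchost" in cmd.lower() and "\\system32\\" not in cmd.lower():
            hits.append(f"{RUN_KEY}\\{name} = {cmd}")
    return hits


# Constructed sample data for the example (not real telemetry).
SAMPLE_LOG = [
    "2021-10-12T09:00:01Z\t10.0.0.5\tupdate.microsoft-ntp.com\t" + REPORTED_UA,
    "2021-10-12T09:00:02Z\t10.0.0.7\twww.example.org\t" + REPORTED_UA,
    "2021-10-12T09:00:03Z\t10.0.0.9\ttime.windows.com\tMozilla/5.0 (X11; Linux x86_64) curl/7.79",
]
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SVChost": r"C:\Users\a\AppData\Roaming\svchost.exe",
}

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"line {f.line_no}: [{f.severity}] {f.reason}")
    for h in check_run_key(SAMPLE_RUN_VALUES):
        print("run key:", h)
```

On a real host the Run values would come from `reg query` or the winreg module and the log lines from the proxy's export; the scoring stays the same, with the domain match as the actionable alert and the UA match only raising the priority of whatever else the client did.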

☠️ Risk & Impact

Because the documented victims were IT providers, defence contractors and diplomatic missions, the main impact is long-term espionage: theft of intellectual property, sensitive documents and credentials, and the downstream exposure of the victims' own customers and partners. The privilege-escalation exploit that delivered the RAT gives the operator SYSTEM on the affected host, so a single compromised server can anchor lateral movement across the network and keep the intrusion alive through routine cleanup.

🛡️ Mitigation

Apply the October 2021 Windows security update that fixes CVE-2021-40449 (the win32k elevation-of-privilege bug the operators used to gain SYSTEM), and keep kernel patching current in general, since installation of the RAT depended on that exploit. Use application allowlisting so unsigned binaries in user-writable paths cannot run, and collect endpoint telemetry for the injection and persistence behaviours: Sysmon Event ID 8 (CreateRemoteThread) for T1055, Event ID 13 (RegistryEvent, value set) for Run-key persistence, and Event ID 1 with command-line logging for scheduled-task creation. Rather than blocking the reported User-Agent string outright at the proxy, which would also block legitimate Chrome 90 traffic, alert when it appears together with a lookalike or newly registered destination. The MITRE ATT&CK techniques T1055, T1003, T1068, T1071 and T1547.001 provide further detection and response guidance.
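Sysmon Event ID 8 on its own is noisy; the Python triage routine below, added as an example that is not from the page, from Sysmon or from any vendor, shows the correlation a practitioner would build on top of it. It ignores same-process events and a site-specific allowlist of Windows components, and raises the score when the new thread's start address is not backed by any loaded module (Sysmon then reports an empty StartModule, the hallmark of injected shellcode) or when the source binary runs from a user-writable path. The allowlist, the field names taken from Sysmon's EventData, and the sample events are constructed for the example.

```python
"""Triage Sysmon Event ID 8 (CreateRemoteThread) records for process injection
(ATT&CK T1055). Added example; the events and the allowlist are constructed."""
from dataclasses import dataclass

# Windows components that legitimately create threads in other processes on a
# stock host. Site-specific: extend with the EDR/AV binaries seen in your fleet.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}
# Path fragments (lower-cased, backslash-delimited) that unprivileged users can write to.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")


@dataclass
class Verdict:
    event_id: int
    score: int
    reasons: tuple


def triage_eid8(ev: dict) -> Verdict:
    """ev holds the Sysmon EventData fields as strings (as exported by
    Get-WinEvent or a SIEM). Returns a 0-3 score with the reasons for it."""
    src = ev["SourceImage"].lower()
    tgt = ev["TargetImage"].lower()
    if src == tgt or src in ALLOWLIST:
        return Verdict(8, 0, ())
    reasons = [f"{src} created a thread in {tgt}"]
    # Sysmon leaves StartModule empty when the thread's start address is not
    # inside any loaded module, which is what injected shellcode looks like.
    if not ev.get("StartModule"):
        reasons.append("start address not backed by a module")
    if any(p in src for p in USER_WRITABLE):
        reasons.append("source runs from a user-writable path")
    return Verdict(8, len(reasons), tuple(reasons))


def triage(events):
    """Return (index, verdict) pairs worth an analyst's time, highest score first."""
    out = []
    for i, ev in enumerate(events):
        if ev.get("EventID") != 8:
            continue  # other IDs (1, 13, ...) need their own logic
        v = triage_eid8(ev)
        if v.score:
            out.append((i, v))
    return sorted(out, key=lambda iv: -iv[1].score)


# Constructed sample events for the example (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "LdrInitializeThunk"},
    {"EventID": 8, "SourceImage": r"C:\Users\a\AppData\Roaming\svchost.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Vendor\agent.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll", "StartFunction": "LoadLibraryW"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for i, v in triage(SAMPLE_EVENTS):
        print(f"event {i}: score {v.score}: " + "; ".join(v.reasons))
```

The second sample event scores 3 (foreign thread, unbacked start address, source in AppData) and is the one to page on; the vendor agent scores 1 and would normally be moved into the allowlist after a one-time review, which is how the rule stays quiet without losing the injection signal.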

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.