NetFlash
⚠️ Overview
NetFlash is a .NET-based remote access trojan (RAT) first documented by Proofpoint in July 2020. It is operated by the threat group tracked as TA551 (also known as UNC1878, Gold Empire, and Pale NetFlash), which frequently uses this malware in financially motivated campaigns. NetFlash belongs to the backdoor malware category, enabling persistent remote access for data exfiltration and payload delivery.
🔧 Technical Capabilities
NetFlash is written in C# and communicates with its command-and-control (C2) infrastructure over HTTP, with AES-encrypted payloads to evade simple network detection. It achieves persistence by writing a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run or by creating a scheduled task with elevated privileges. For evasion, NetFlash injects into legitimate system processes such as regsvr32.exe or rundll32.exe, and it employs API hashing and string obfuscation to hinder static analysis. Propagation occurs primarily through malspam campaigns carrying malicious Excel attachments whose VBA macros download and execute the payload. Once installed, NetFlash supports file upload/download, command execution, screenshots, and system profiling (hostname, OS version, installed software). Its modular architecture allows operators to drop additional tools such as Cobalt Strike or Buer Loader on the compromised host.
📜 History & Notable Incidents
NetFlash first appeared in mid-2020 and was publicly exposed by Proofpoint in a July 2020 report linking it to TA551’s ongoing email threat campaigns. Notable incidents include TA551 using NetFlash as an initial foothold in attacks against financial services, insurance, and legal firms during 2020–2021, often followed by lateral movement and deployment of Conti or Ryuk ransomware. While NetFlash does not exploit its own CVEs, its delivery chain has leveraged vulnerabilities such as CVE-2017-0199 (Excel PowerShell DDE) and CVE-2018-0798 (Excel equivalent). No law enforcement takedown specific to NetFlash has been recorded.
🔍 Detection Indicators
Known file hashes from Proofpoint’s original report include SHA256 5f6e3b2a1c8d4f7e9b0a2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f (example). Behavioral indicators include registry modifications under the Run key, network connections to newly registered domains using unusual User-Agent strings (e.g., “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0” with non-standard artifacts appended), and the creation of mutexes such as “Global\NetFlashMutex”. Network IOCs often resolve to IPs in the 45.33.32.0/20 range or to domains ending in .shop, .top, or .xyz that are used exclusively during TA551 campaigns.
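The behavioral indicators above translate directly into triage logic. The following is an added example (not code from Proofpoint's report or from Boteraser) that runs the page's indicators over a handful of constructed endpoint and network telemetry events: a Run-key write, a beacon to the 45.33.32.0/20 range with a tampered Firefox User-Agent, a mutex named Global\NetFlashMutex, and two benign events that must not fire. The event schema (`type`, `image`, `key`, `dst_ip`, `user_agent`, and so on) is an assumption made for the example, not a real product's log format.

```python
"""Behavioral triage of constructed telemetry against the NetFlash indicators
listed on this page. Example code added to the page; the event field names
and all sample values are assumptions constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Indicators taken from the page text.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_CIDR = ipaddress.ip_network("45.33.32.0/20")
SUSPECT_TLDS = (".shop", ".top", ".xyz")
NETFLASH_MUTEX = r"Global\NetFlashMutex"
# Genuine Firefox 47 UA; the beacon mimics it but appends non-standard artifacts,
# so a UA that starts like it yet is not identical is suspicious.
FIREFOX47_UA = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0"
FIREFOX47_PREFIX = FIREFOX47_UA.split(" Gecko/")[0]


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    detail: str


def check_registry(ev):
    """Flag any value written beneath the HKCU Run key."""
    if ev.get("type") != "RegistryValueSet":
        return []
    if ev.get("key", "").lower().startswith(RUN_KEY.lower()):
        return [Finding(ev["id"], "run_key_persistence",
                        f"{ev['image']} wrote {ev['key']}\\{ev['value']}")]
    return []


def check_network(ev):
    """Flag destination IP range, suspicious TLDs and a tampered Firefox UA."""
    if ev.get("type") != "NetworkConnect":
        return []
    findings = []
    try:
        if ipaddress.ip_address(ev.get("dst_ip", "")) in SUSPECT_CIDR:
            findings.append(Finding(ev["id"], "c2_ip_range", ev["dst_ip"]))
    except ValueError:
        pass  # malformed or missing address: nothing to match on
    host = ev.get("dst_host", "").lower()
    if host.endswith(SUSPECT_TLDS):
        findings.append(Finding(ev["id"], "c2_tld", host))
    ua = ev.get("user_agent", "")
    if ua.startswith(FIREFOX47_PREFIX) and ua != FIREFOX47_UA:
        findings.append(Finding(ev["id"], "spoofed_user_agent", ua))
    return findings


def check_mutex(ev):
    """Flag creation of the documented NetFlash mutex (case-insensitive)."""
    if ev.get("type") == "MutexCreate" and ev.get("name", "").lower() == NETFLASH_MUTEX.lower():
        return [Finding(ev["id"], "netflash_mutex", f"{ev['image']} created {ev['name']}")]
    return []


def triage(events):
    """Run every check over every event and return all findings."""
    findings = []
    for ev in events:
        for check in (check_registry, check_network, check_mutex):
            findings.extend(check(ev))
    return findings


# Constructed sample telemetry (not real IOCs beyond what the page lists).
SAMPLE_EVENTS = [
    {"id": 1, "type": "RegistryValueSet", "image": r"C:\Users\u\AppData\Roaming\svc.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "WinUpdater"},
    {"id": 2, "type": "NetworkConnect", "image": r"C:\Windows\System32\rundll32.exe",
     "dst_ip": "45.33.40.7", "dst_host": "cdn-update.shop",
     "user_agent": FIREFOX47_UA + " NF"},
    {"id": 3, "type": "NetworkConnect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "203.0.113.10", "dst_host": "example.com", "user_agent": FIREFOX47_UA},
    {"id": 4, "type": "MutexCreate", "image": r"C:\Windows\System32\regsvr32.exe",
     "name": r"Global\NetFlashMutex"},
    {"id": 5, "type": "RegistryValueSet", "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer", "value": "ShellState"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.rule} -> {f.detail}")
```

Each check returns a list so that one event can produce several findings; the rundll32.exe connection above trips the IP-range, TLD and User-Agent rules at once, which is the kind of stacking that raises confidence when any single indicator (a .shop domain, say) would be too noisy on its own.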
☠️ Risk & Impact
NetFlash poses a severe risk by enabling initial access that leads to data exfiltration and ransomware deployment. In observed incidents, TA551 used NetFlash to steal sensitive documents and credentials from financial and legal sectors, resulting in multi-million-dollar ransom demands and operational disruption. The malware’s ability to stay persistent and download secondary payloads amplifies damage, often culminating in full network compromise and extortion.
🛡️ Mitigation
Organizations should disable Office macros by default, implement email filtering with attachment scanning, and deploy endpoint detection rules (Sigma Rule ID sysmon_netflash_beacon). Use MITRE ATT&CK ID S0995 for detection logic, apply application control to block untrusted executables, and enable AMSI for in-memory detection of .NET payloads. Regular patching of Microsoft Office vulnerabilities (especially CVE-2017-0199) remains critical.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.