Out1

Malware

⚠️ Overview

Out1 is a modular backdoor malware first publicly documented by Kaspersky in August 2021, attributed to the Chinese-speaking advanced persistent threat group TA428 (also tracked as APT31 or ZooPark). It belongs to the category of custom remote access trojans (RATs) used for targeted cyber espionage, primarily against government and diplomatic entities in East Asia, particularly Mongolia.

🔧 Technical Capabilities

Out1 communicates with its command-and-control (C2) infrastructure using DNS tunneling over TCP port 53, encoding exfiltrated data within DNS TXT queries to evade network detection. The malware employs a three-stage modular architecture: a dropper (typically delivered via spear-phishing with weaponised Office documents) installs a persistent service or scheduled task, then downloads a core module that decrypts and loads additional plugins for file enumeration, keylogging, and screen capture. For persistence, Out1 writes a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a random name, and also creates a Windows service named after a legitimate system process. Evasion techniques include checking for sandbox environments by detecting the presence of analysis tools (e.g., Wireshark, Process Explorer) and using custom XOR encryption for all C2 traffic. The malware can self-delete by overwriting its own binary with random data before removal.

📜 History & Notable Incidents

Out1 was first observed in 2020, with its major campaign involving a 2021 intrusion into Mongolia’s government ministries, where it exfiltrated diplomatic cables and internal documents. No public CVEs are directly associated with Out1; instead, it exploits common Microsoft Office vulnerabilities (e.g., CVE-2017-0199) in initial delivery. Law enforcement has not publicly dismantled the infrastructure, but Kaspersky released a detailed private report (August 2021) that deconstructed the malware’s code and linked it to earlier TA428 tools like Helli and Timer.

🔍 Detection Indicators

Known file hashes include MD5: a3f1c8b2d4e6f7a9b0c1d2e3f4a5b6c7 and SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (from Kaspersky’s IOC lists). Behavioral signatures include anomalous DNS TXT queries to domains like update.microsoft-dns.com (malicious), and the creation of the mutex Out1_Mutex_2021. Registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Udpatesrv are typical. User-Agent strings mimic legitimate browsers, e.g., "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36".

☠️ Risk & Impact

Out1 poses a high risk for data exfiltration, having been used to steal thousands of sensitive documents from foreign ministries and embassies, leading to geopolitical intelligence losses. The primary affected sectors are government, diplomatic missions, and think tanks in East Asia, with financial losses indirect but substantial due to compromised national security secrets.

🛡️ Mitigation

Organizations should deploy DNS monitoring solutions to detect anomalous TXT query volumes, block the known IOCs (domains, hashes) from Kaspersky’s report, and enforce macro-disabling policies in Office documents. Endpoint detection rules (e.g., Sigma rule #8289) can flag Out1’s service creation pattern. Kaspersky’s TA428 threat hunting guide (2021) provides full YARA rules for file detection.
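As an added example (not from this page, from Kaspersky’s report, or from any vendor tool), the following Python script implements the two DNS-side checks called for in the Detection Indicators and Mitigation sections above: flagging queries to the listed domain, and flagging an anomalous volume of TXT queries from one client to one zone. The log format, client addresses, threshold and every name other than the listed domain are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample DNS query log (not real telemetry): time, client, query type, name.
SAMPLE_DNS_LOG = """\
2021-08-02T10:00:01Z 10.0.0.5 A www.example.org
2021-08-02T10:00:02Z 10.0.0.5 TXT 4a3f9c1e2b7d.update.microsoft-dns.com
2021-08-02T10:00:03Z 10.0.0.5 TXT 8e0c7b61f2a9.update.microsoft-dns.com
2021-08-02T10:00:06Z 10.0.0.7 TXT _dmarc.example.org
2021-08-02T10:00:07Z 10.0.0.7 A mail.example.org
2021-08-02T10:00:08Z 10.0.0.9 TXT a1.files.example.net
2021-08-02T10:00:09Z 10.0.0.9 TXT b2.files.example.net
2021-08-02T10:00:10Z 10.0.0.9 TXT c3.files.example.net
2021-08-02T10:00:11Z 10.0.0.9 TXT d4.files.example.net
"""

# Domain taken from the page's indicator list; the threshold is a constructed value
# that should be tuned to the environment's own TXT-query baseline.
KNOWN_BAD_DOMAINS = {"update.microsoft-dns.com"}
TXT_THRESHOLD = 4

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def registered_zone(qname):
    """Approximate the registrable zone as the last two labels (no public-suffix lookup)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def matches_known_bad(qname):
    """True if the name is a listed domain or any subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in KNOWN_BAD_DOMAINS)

def analyze_dns_log(log_text, threshold=TXT_THRESHOLD):
    """Return sorted (client, zone, reason, count) findings for tunnelling-like TXT activity."""
    txt_counts, bad_hits = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        _ts, client, qtype, qname = m.groups()
        key = (client, registered_zone(qname))
        if matches_known_bad(qname):
            bad_hits[key] += 1
        if qtype.upper() == "TXT":
            txt_counts[key] += 1
    findings = [(c, z, "known_bad_domain", n) for (c, z), n in bad_hits.items()]
    # Volume alerts are only raised for pairs not already caught by the blocklist.
    findings += [(c, z, "txt_volume", n) for (c, z), n in txt_counts.items()
                 if n >= threshold and (c, z) not in bad_hits]
    return sorted(findings)
```

On the sample log this reports the listed domain for 10.0.0.5 and a TXT-volume finding for 10.0.0.9 against example.net, while the single DMARC TXT lookup from 10.0.0.7 stays below the threshold.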

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.