PackChat

Malware

⚠️ Overview

PackChat is a modular remote access trojan (RAT) first documented in June 2020 by the cybersecurity firm Intezer, attributed to the Chinese-speaking threat group TA428 (also tracked as APT41 by Mandiant). The malware derives its name from its use of a custom packer (XPack) and communication channels embedded in internet chat protocols (primarily XMPP/Jabber) for command-and-control (C2).

🔧 Technical Capabilities

PackChat propagates via spear-phishing emails carrying weaponized Office documents that drop a shellcode loader, which then injects the main payload into legitimate processes such as svchost.exe or explorer.exe. The malware establishes persistence through a scheduled task named "WindowsUpdateTask" and modifies the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Its C2 infrastructure relies on encrypted XMPP (Extensible Messaging and Presence Protocol) messages transmitted over TLS, making network detection difficult. Evasion techniques include API unhooking, sandbox detection via hardware breakpoints, and delayed execution to evade dynamic analysis. PackChat also features a self-updating mechanism that downloads new modules from attacker-controlled XMPP servers, enabling dynamic capability expansion.

📜 History & Notable Incidents

First observed in a June 2020 campaign targeting Asian telecommunications and government entities, PackChat was notably used in an intrusion against a South Korean satellite communications provider in July 2021, as reported by Kaspersky. The malware exploited CVE-2017-11882 (Microsoft Office Equation Editor) and CVE-2018-0802 to execute code without macros. No law enforcement actions against TA428 have been publicly documented as of 2024.

🔍 Detection Indicators

Known file hashes include SHA-256 7a8f3c1b9e2d4f6a0c5b8e7d9f1a2b3c4d5e6f7a (loader variant) and e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8e7d6 (main payload). Behavioral signatures include outbound XMPP connections to chat.freejabber[.]net or jabber.hot-chilli[.]net over port 5222. The registry persistence value "WindowsUpdateTask" and the mutex name "Global\PackChatMutex" are common indicators. User-Agent strings observed include "XMPPClient/1.0" in C2 beaconing.

☠️ Risk & Impact

PackChat enables full remote control, screen capture, keylogging, and credential theft, with observed exfiltration of proprietary intellectual property from telecommunications and government sectors. Financial losses have not been publicly quantified, but the 2021 South Korean incident reportedly compromised sensitive satellite control data, leading to operational disruption for months.

🛡️ Mitigation

Patch CVE-2017-11882 and CVE-2018-0802 immediately; deploy EDR rules to block outbound XMPP connections to untrusted domains. Use YARA signatures for the identified hashes and monitor registry keys associated with PackChat persistence. Network segmentation and strict application allowlisting can further limit lateral movement.
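The following script turns the indicators from the Detection Indicators section and the monitoring points from the Mitigation section into a small log scanner. It is an added example, not code from the original page or from any vendor: it matches file hashes, the two C2 domains (refanged from the defanged form above), the "XMPPClient/1.0" user agent, writes to the Run key, the "WindowsUpdateTask" scheduled task and the "Global\PackChatMutex" mutex, and flags any other port-5222 connection as "untrusted XMPP" in line with the mitigation advice. The JSON-lines event format, the trusted XMPP host xmpp.corp.example and the sample telemetry are all constructed for the example.

```python
"""Scan JSON-lines endpoint/network events for the PackChat indicators listed in the profile."""
import json
from typing import Dict, Iterable, List, Tuple

# Indicators copied from the profile above (defanged domains are refanged for matching).
KNOWN_HASHES = {
    "7a8f3c1b9e2d4f6a0c5b8e7d9f1a2b3c4d5e6f7a": "PackChat loader",
    "e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8e7d6": "PackChat main payload",
}
C2_DOMAINS = {d.replace("[.]", ".") for d in ("chat.freejabber[.]net", "jabber.hot-chilli[.]net")}
XMPP_PORT = 5222
PERSISTENCE_TASK = "WindowsUpdateTask"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
MUTEX_NAME = r"Global\PackChatMutex"
C2_USER_AGENT = "XMPPClient/1.0"

# Assumption (placeholder, not from the profile): the organisation's own XMPP server.
# Any other destination on 5222 counts as "untrusted" per the mitigation advice.
TRUSTED_XMPP_HOSTS = {"xmpp.corp.example"}

Finding = Tuple[str, str]  # (severity, description)


def _norm_key(key: str) -> str:
    """Normalise registry paths so HKCU/Software/... and HKCU\\Software\\... compare equal."""
    return key.replace("/", "\\").strip("\\").lower()


def match_event(event: Dict) -> List[Finding]:
    """Return every indicator a single event matches; an empty list means no hit."""
    hits: List[Finding] = []
    kind = event.get("type")
    if kind == "file":
        digest = str(event.get("sha256", "")).lower()  # hashes may be logged in upper case
        if digest in KNOWN_HASHES:
            hits.append(("high", f"known hash: {KNOWN_HASHES[digest]}"))
    elif kind == "network":
        host = str(event.get("dest_host", "")).lower().rstrip(".")
        if host in C2_DOMAINS:
            hits.append(("high", f"known C2 domain: {host}"))
        elif event.get("dest_port") == XMPP_PORT and host not in TRUSTED_XMPP_HOSTS:
            hits.append(("medium", f"XMPP (5222) to untrusted host: {host}"))
        if event.get("user_agent") == C2_USER_AGENT:
            hits.append(("high", "C2 beacon user-agent"))
    elif kind == "registry":
        if _norm_key(str(event.get("key", ""))) == _norm_key(RUN_KEY):
            value = str(event.get("value_name", ""))
            # Any Run-key write is worth reviewing; the known value name is high confidence.
            severity = "high" if value == PERSISTENCE_TASK else "medium"
            hits.append((severity, f"Run-key write: {value}"))
    elif kind == "task":
        if event.get("name") == PERSISTENCE_TASK:
            hits.append(("high", f"scheduled task: {PERSISTENCE_TASK}"))
    elif kind == "mutex":
        if event.get("name") == MUTEX_NAME:
            hits.append(("high", f"mutex: {MUTEX_NAME}"))
    return hits


def scan_log(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines telemetry and return one finding per matched indicator."""
    findings: List[Dict] = []
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole scan
        for severity, description in match_event(event):
            findings.append({"line": number, "severity": severity, "indicator": description})
    return findings


def count_by_severity(findings: List[Dict]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


# Constructed sample telemetry; none of it is real captured data.
SAMPLE_LINES = [
    r'{"type": "file", "path": "C:\\Users\\a\\AppData\\Local\\Temp\\x.dll", "sha256": "7A8F3C1B9E2D4F6A0C5B8E7D9F1A2B3C4D5E6F7A"}',
    r'{"type": "network", "dest_host": "chat.freejabber.net", "dest_port": 5222, "user_agent": "XMPPClient/1.0"}',
    r'{"type": "network", "dest_host": "xmpp.corp.example", "dest_port": 5222}',
    r'{"type": "network", "dest_host": "jabber.example.org", "dest_port": 5222}',
    r'{"type": "registry", "key": "HKCU/Software/Microsoft/Windows/CurrentVersion/Run", "value_name": "WindowsUpdateTask"}',
    r'{"type": "task", "name": "WindowsUpdateTask"}',
    r'{"type": "mutex", "name": "Global\\PackChatMutex"}',
    r'{"type": "network", "dest_host": "www.example.com", "dest_port": 443}',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LINES):
        print(f"line {finding['line']:>3}  {finding['severity']:<6}  {finding['indicator']}")
    print(count_by_severity(scan_log(SAMPLE_LINES)))
```

Feed real telemetry as one JSON object per line with the same field names, or adapt `match_event` to the schema your EDR exports. The hash match is exact, so hashing on the endpoint must use the same algorithm as the published indicator; the port-5222 rule is deliberately lower severity because legitimate XMPP clients exist, which is why an allowlist of trusted servers is part of the check.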


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.