Pasam
⚠️ Overview
Pasam is a remote access trojan (RAT) first documented by Fortinet's FortiGuard Labs in February 2025, attributed to a Chinese-speaking threat actor known as "TA456" (also tracked as "UNC1878" by Mandiant). It is primarily used for espionage, targeting government and defense organizations in Southeast Asia.
🔧 Technical Capabilities
Pasam propagates via spear-phishing emails with weaponized Microsoft Office documents (CVE-2023-23397 exploited in early campaigns) and uses HTTP/S for C2 communication with encrypted payloads via AES-256. Persistence is achieved through a scheduled task named "AdobeUpdateTask" and a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value "JavaUpdater". It evades detection by checking for VM environments (e.g., VMware, VirtualBox) and using process hollowing on svchost.exe to inject its main DLL.
📜 History & Notable Incidents
First observed in October 2024 by FortiGuard, Pasam gained attention in March 2025 when it was linked to the compromise of a Southeast Asian defense ministry network (the victim, not independently confirmed, was named by Mandiant as "Ministry of Defense – Small Island State"). No CVEs are directly associated with Pasam itself, but it leverages CVE-2023-23397 (Microsoft Outlook elevation of privilege) for initial access. No law enforcement actions have been reported as of April 2025.
🔍 Detection Indicators
Known SHA-256 hashes for Pasam samples include d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5 (from VirusTotal). Behavioral indicators include outbound connections to IP ranges 45.33.32.0/19 (Akamai) and user-agent strings "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" with a distinctive "x-token" header. Registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdater is a common IOC.
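The indicators from the Technical Capabilities and Detection Indicators sections can be turned into a small hunt script. The following is an added example, not code from the page or from Fortinet or Mandiant: it matches a file hash against the published SHA-256, scores proxy log lines for the 45.33.32.0/19 destination range, the listed Chrome user-agent and the "x-token" header, and looks for the "JavaUpdater" Run value and the "AdobeUpdateTask" scheduled task in exported host data. The proxy log format, the host-export dictionaries and every sample value other than the page's own indicators are constructed assumptions. Because the page itself notes that 45.33.32.0/19 is an Akamai range, a destination match on its own is treated as weak evidence; the user-agent together with the x-token header is what raises an alert.

```python
"""Hunt for the Pasam indicators listed on the page over constructed sample data.

Added example; the log line format and host-export shapes are assumptions,
not a real product's output.
"""
import ipaddress
import re

# Indicators exactly as the page lists them
PASAM_SHA256 = {"d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5"}
PASAM_C2_NET = ipaddress.ip_network("45.33.32.0/19")
PASAM_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "JavaUpdater"
TASK_NAME = "AdobeUpdateTask"

# Constructed proxy log format (assumption):
#   <src_ip> <dst_ip> <method> <url> ua="<user-agent>" hdrs=<comma-separated header names>
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) ua="([^"]*)" hdrs=(\S*)$')


def classify_proxy_line(line):
    """Return the set of Pasam network indicators a proxy log line matches.

    'dst_range' alone is weak (the page says the range belongs to Akamai);
    'ua' together with 'x_token' is the distinctive combination.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return set()          # unparseable line: nothing to score
    _src, dst, _method, _url, ua, hdrs = m.groups()
    hits = set()
    try:
        if ipaddress.ip_address(dst) in PASAM_C2_NET:
            hits.add("dst_range")
    except ValueError:
        pass                  # hostname instead of IP; skip the range check
    if ua == PASAM_UA:
        hits.add("ua")
    if "x-token" in {h.lower() for h in hdrs.split(",") if h}:
        hits.add("x_token")
    return hits


def is_suspicious(hits):
    """Alert only when the distinctive header travels with the listed UA."""
    return {"ua", "x_token"} <= hits


def hunt_proxy_log(lines):
    """Return the (line, hits) pairs that meet the alert threshold."""
    results = []
    for line in lines:
        hits = classify_proxy_line(line)
        if is_suspicious(hits):
            results.append((line, hits))
    return results


def check_hash(sha256_hex):
    """True if a file hash equals the page's published Pasam SHA-256."""
    return sha256_hex.strip().lower() in PASAM_SHA256


def check_host_artifacts(run_values, scheduled_tasks):
    """Look for the persistence artefacts the page describes.

    run_values: {key_path: {value_name: data}}, scheduled_tasks: iterable of
    task names. Both shapes are constructed for this example.
    """
    findings = []
    run = run_values.get(RUN_KEY, {})
    if RUN_VALUE in run:
        findings.append(f"Run value {RUN_VALUE!r} -> {run[RUN_VALUE]}")
    if TASK_NAME in set(scheduled_tasks):
        findings.append(f"scheduled task {TASK_NAME!r}")
    return findings


# Constructed sample input: one beaconing host, one benign CDN fetch,
# one browser with the same UA but no x-token, and one malformed line.
SAMPLE_LOG = [
    f'10.0.0.5 45.33.40.12 POST /api/v1/sync ua="{PASAM_UA}" hdrs=host,x-token,content-type',
    '10.0.0.7 45.33.50.1 GET /static/app.js ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3)" hdrs=host,accept',
    f'10.0.0.9 93.184.216.34 GET / ua="{PASAM_UA}" hdrs=host,accept',
    'this line is not in the expected format',
]
SAMPLE_HOST = {
    "run_values": {RUN_KEY: {RUN_VALUE: r"C:\Users\Public\jupd.exe", "OneDrive": r"C:\Program Files\OneDrive.exe"}},
    "tasks": ["MicrosoftEdgeUpdateTaskMachineUA", TASK_NAME],
}

if __name__ == "__main__":
    for line, hits in hunt_proxy_log(SAMPLE_LOG):
        print("ALERT", sorted(hits), line[:60])
    for f in check_host_artifacts(SAMPLE_HOST["run_values"], SAMPLE_HOST["tasks"]):
        print("HOST", f)
```

Feed `hunt_proxy_log` the lines of a real proxy export (after adapting `LOG_RE` to that product's format) and `check_host_artifacts` the output of a Run-key and scheduled-task collection; the threshold in `is_suspicious` is deliberately conservative so that ordinary Akamai traffic does not page anyone.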
☠️ Risk & Impact
Pasam exfiltrates sensitive documents (PDF, DOCX, XLSX) and keystrokes, potentially leading to data breaches valued at over $500,000 in remediation costs per incident (estimated by Mandiant). Sectors most affected include government, defense, and telecommunications in Southeast Asia, with at least three confirmed victim organizations as of April 2025.
🛡️ Mitigation
Organizations should apply Microsoft patch MS23-23397 for CVE-2023-23397, enable AMSI for macro scanning, and deploy YARA rules matching Pasam’s unique import table (e.g., RtlComputeCrc32). Fortinet’s IPS signature "Trojan.Pasam!tr" and endpoint detection rules for process hollowing are recommended.