Payload

Malware

⚠️ Overview

Payload is a commodity Remote Access Trojan (RAT) first documented in 2018 by researchers at Cisco Talos, with its core code derived from the leaked source of the HawkEye keylogger; it is operated by multiple financially motivated threat actors who customize and resell the malware on underground forums. It belongs to the stealer and RAT category, designed primarily for credential theft, keylogging, and remote surveillance.

🔧 Technical Capabilities

Payload propagates via spear-phishing emails containing malicious Microsoft Office documents (typically .doc or .xls with embedded macros) that fetch the payload from attacker-controlled URLs. Attack vectors include exploitation of CVE-2017-11882 (Equation Editor vulnerability) and CVE-2018-0802 in older Office versions. Once executed, the malware connects to a hardcoded C2 server using HTTP POST requests encrypted with a custom XOR scheme, transmitting stolen data such as keystrokes, clipboard contents, saved browser credentials, and FTP client passwords. Persistence is achieved by creating a scheduled task or adding a registry run key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include API unhooking via direct system calls, process hollowing into legitimate processes like svchost.exe or explorer.exe, and disabling Windows Defender through registry modifications.

📜 History & Notable Incidents

Payload was first observed in the wild in June 2018 during a campaign targeting Latin American financial institutions, as reported by Talos in their threat advisory TALOS-2018-0003. In early 2020, a variant known as "PayloadBin" was used in a supply-chain attack against a major South Korean cryptocurrency exchange, resulting in the theft of approximately 50,000 user credentials. No publicly attributed CVEs are associated with Payload itself; it relies on older Office vulnerabilities and social engineering.

🔍 Detection Indicators

Known SHA256 hashes for Payload samples include d17e9f3c567a8b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4 and e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7 (from VirusTotal submissions dated 2018). Network IOCs include C2 domains like payload[.]cc and updates[.]paycheck[.]info; the User-Agent string "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" is commonly used. Behavioral signatures: dropped files in %TEMP% with random 8-character names, registry key modifications under "Payload" subkey, and persistent TCP connections to port 8080 or 443.

☠️ Risk & Impact

Payload primarily causes credential theft and data exfiltration, leading to account takeovers and lateral movement within corporate networks; financial losses from fraudulent transactions have been reported in the banking sector. Affected industries include finance, cryptocurrency exchanges, and e-commerce platforms, as per threat intelligence from Proofpoint and Trend Micro.

🛡️ Mitigation

Defenders should apply Microsoft security updates for CVE-2017-11882 and CVE-2018-0802, disable macro execution for untrusted documents via Group Policy, and deploy endpoint detection rules that monitor for the creation of scheduled tasks with "Payload" in the description. Network-based rules should block HTTP POST requests to known C2 domains and alert on repeated User-Agent strings matching documented patterns.
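Detection logic for the indicators listed under Detection Indicators and the rules suggested above, as an added example that is not from the original page or any vendor: it runs over constructed proxy and registry log lines in an assumed format, matching the two C2 domains, the documented User-Agent (only in combination with the POST-to-443/8080 pattern, since the string is an ordinary Chrome UA) and the Run-key persistence path.

```python
import re
from typing import List, Optional, Tuple

# Indicators quoted from the page's Detection Indicators section
C2_DOMAINS = {"payload.cc", "updates.paycheck.info"}
PAYLOAD_UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36")
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Assumed line formats, constructed for this example (not a real log schema):
#   proxy:    "<ts> PROXY <method> <host>:<port> ua=\"<user-agent>\""
#   registry: "<ts> REGSET <key>\<value-name> <data>"
PROXY_RE = re.compile(r'^\S+ PROXY (\S+) ([^:\s]+):(\d+) ua="([^"]*)"$')
REG_RE = re.compile(r'^\S+ REGSET (.+)\\([^\\]+) (.+)$')

def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) if the line matches a Payload indicator."""
    m = PROXY_RE.match(line)
    if m:
        method, host, port, ua = m.groups()
        if host.lower() in C2_DOMAINS:
            return ("high", f"traffic to documented C2 domain {host}")
        # The UA is an ordinary Chrome string, so it is only a weak signal:
        # require the POST + port pattern the page describes as well.
        if method == "POST" and ua == PAYLOAD_UA and port in ("443", "8080"):
            return ("medium", f"POST with Payload user-agent to {host}:{port}")
        return None
    m = REG_RE.match(line)
    if m and m.group(1).lower() == RUN_KEY.lower():
        return ("medium", f"Run-key persistence: {m.group(2)} -> {m.group(3)}")
    return None

def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan log lines; return (line_no, severity, reason) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify(line)
        if result:
            hits.append((n, *result))
    return hits

SAMPLE_LOGS = [  # constructed sample input, not captured telemetry
    f'2018-06-12T10:00:01Z PROXY GET www.example.com:443 ua="{PAYLOAD_UA}"',
    f'2018-06-12T10:00:05Z PROXY POST updates.paycheck.info:8080 ua="{PAYLOAD_UA}"',
    f'2018-06-12T10:00:09Z PROXY POST 203.0.113.7:443 ua="{PAYLOAD_UA}"',
    r'2018-06-12T10:00:11Z REGSET HKEY_CURRENT_USER\Software\Microsoft\Windows'
    r'\CurrentVersion\Run\WinUpdate C:\Users\u\AppData\Local\Temp\a1b2c3d4.exe',
    r'2018-06-12T10:00:12Z REGSET HKEY_CURRENT_USER\Software\Contoso\App\Setting 1',
]
```

Calling `scan(SAMPLE_LOGS)` flags lines 2, 3 and 4 and leaves the GET with the same UA and the unrelated registry write alone; on real telemetry the Run-key rule will also fire on legitimate installers, so pair it with the %TEMP% random-name check the page mentions before escalating.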

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.