PcShare
Malware
⚠️ Overview
PcShare is a remote access trojan (RAT) of Chinese origin dating back to roughly 2007. It began life as openly distributed remote-control software and was later modified and operated by Chinese state-sponsored threat groups; public reporting has linked it to APT10 (MITRE ATT&CK Group G0045, also tracked as menuPass) and to TA428. It is categorized as a backdoor and RAT used primarily for cyber-espionage, giving the operator persistent remote control over compromised systems. MITRE ATT&CK maintains a software entry for PcShare, and the reporting it cites describes use against government, defense and technology sector targets.
🔧 Technical Capabilities
PcShare communicates with its command-and-control (C2) infrastructure over HTTP or HTTPS, with request bodies obfuscated using RC4 or a simple XOR. Neither layer provides integrity or authentication; once the key is recovered from a sample, an analyst can decode the entire session. It supports a wide range of remote operations: file upload/download, screen capture, keylogging, process injection, registry manipulation and shell command execution. Persistence is achieved through a registry Run value (for example a value named PcShare under HKCU\Software\Microsoft\Windows\CurrentVersion\Run) or a scheduled task. The malware employs custom packers and anti-debugging techniques, such as checking for running analysis tools (OllyDbg, Wireshark), to frustrate sandbox and manual analysis. A notable evasion tactic is a delay loop before the first beacon to C2, likely intended to outlast sandbox execution timeouts; when detonating a sample, extend the run time well past the default sandbox window or patch out the sleep.
📜 History & Notable Incidents
PcShare is often discussed alongside the Operation Cloud Hopper campaign (2016–2017), which PwC UK and BAE Systems attributed to APT10 and which targeted managed service providers (MSPs) to reach their clients in the aerospace, telecom and energy sectors; FireEye's 2017 reporting on APT10 documents the spear-phishing lures used for initial access. The most firmly documented use of the family, however, is the FunnyDream campaign described by Bitdefender in 2020, in which a modified PcShare backdoor was deployed against government targets in Southeast Asia. A variant known as PcShareFan has been reported as targeting Japanese organizations in 2018, citing JPCERT/CC. No specific CVE is associated directly with PcShare itself; documented delivery relies on malicious documents that exploit publicly known vulnerabilities such as CVE-2017-11882 (the Microsoft Office Equation Editor flaw).
🔍 Detection Indicators
Validated IOCs for PcShare should be taken from MITRE ATT&CK and the vendor reports it cites; the MD5 sometimes quoted for this family (c9e7b4a5b1d8f2e3c6a7d9b0e1f2a3b4) is an unverified placeholder, not a confirmed hash. Reported network indicators include a fixed User-Agent string such as Mozilla/4.0 (compatible; MSIE 8.0; Win32) that does not match any browser actually installed on the host, and repeated HTTP POST requests at near-constant intervals to a small set of URI paths such as /admin/up.php with base64-encoded bodies. Reported host indicators include a mutex named PcShareMutex and a Run value named PcShare under HKCU\Software\Microsoft\Windows\CurrentVersion\Run or HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Treat these strings as hunting starting points rather than signatures: operators change them between builds, while the beaconing behaviour and the base64-plus-RC4/XOR body shape are harder to vary.
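To make the traffic indicators from this section and the Technical Capabilities section concrete, here is an added Python example (not PcShare's own code and not taken from any vendor report). It runs over a few constructed proxy log lines, groups POSTs to the suspect URI carrying the suspect User-Agent by source host, flags hosts whose inter-request intervals are nearly constant, and strips the base64 + RC4 layer from the bodies with an assumed key. The log format, host names, RC4 key and log lines are all constructed for illustration; in a real case the key must be recovered from the binary.

```python
"""Beacon detection and C2 payload decoding for PcShare-style HTTP traffic.

Added example; not PcShare's code. Everything marked 'assumed' or
'constructed' below is illustrative and not taken from a real sample.
"""
import base64
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Indicators as stated on this page (unverified); the key is an assumption.
SUSPECT_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
SUSPECT_URI = "/admin/up.php"
ASSUMED_RC4_KEY = b"pcshare"  # hypothetical: a real key must be recovered from the binary

# Constructed proxy log format: <iso-ts> <src> <method> <host> <uri> "<ua>" "<body>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<uri>\S+) '
    r'"(?P<ua>[^"]*)" "(?P<body>[^"]*)"$'
)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_beacon(key: bytes, plaintext: bytes) -> str:
    """Implant side: base64(RC4(key, plaintext)) as the POST body."""
    return base64.b64encode(rc4(key, plaintext)).decode()


def decode_beacon(key: bytes, body: str) -> bytes:
    """Analyst side: reverse the base64 + RC4 layer (garbage if the key is wrong)."""
    return rc4(key, base64.b64decode(body))


def parse_log(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            yield event


def find_beacons(lines, key=ASSUMED_RC4_KEY, max_jitter_s=5.0, min_hits=3):
    """Per source host: POSTs to the suspect URI with the suspect UA whose
    inter-request intervals are near-constant (low jitter) look like a beacon."""
    hits = defaultdict(list)
    for e in parse_log(lines):
        if e["method"] == "POST" and e["uri"] == SUSPECT_URI and e["ua"] == SUSPECT_UA:
            hits[e["src"]].append(e)
    findings = {}
    for src, events in hits.items():
        if len(events) < min_hits:
            continue  # a single odd request is not a beacon
        events.sort(key=lambda ev: ev["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
        jitter = statistics.pstdev(gaps)
        if jitter <= max_jitter_s:
            findings[src] = {
                "count": len(events),
                "period_s": statistics.mean(gaps),
                "jitter_s": jitter,
                "decoded": [decode_beacon(key, e["body"]) for e in events],
            }
    return findings


def _log_line(ts, src, method, uri, ua, body=""):
    return f'{ts} {src} {method} c2.example.test {uri} "{ua}" "{body}"'


# Constructed sample: one beaconing host, one benign browser, one lone oddity.
NORMAL_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0"
SAMPLE_LOG = [
    _log_line("2024-05-01T10:00:00", "10.0.0.5", "POST", SUSPECT_URI, SUSPECT_UA,
              encode_beacon(ASSUMED_RC4_KEY, b"id=WKSTN01;cmd=poll")),
    _log_line("2024-05-01T10:00:12", "10.0.0.7", "GET", "/index.html", NORMAL_UA),
    _log_line("2024-05-01T10:01:00", "10.0.0.5", "POST", SUSPECT_URI, SUSPECT_UA,
              encode_beacon(ASSUMED_RC4_KEY, b"id=WKSTN01;cmd=poll")),
    _log_line("2024-05-01T10:01:30", "10.0.0.9", "POST", SUSPECT_URI, SUSPECT_UA,
              encode_beacon(ASSUMED_RC4_KEY, b"id=LAPTOP02;cmd=poll")),
    _log_line("2024-05-01T10:02:01", "10.0.0.5", "POST", SUSPECT_URI, SUSPECT_UA,
              encode_beacon(ASSUMED_RC4_KEY, b"id=WKSTN01;cmd=poll;result=ok")),
]

if __name__ == "__main__":
    for src, info in find_beacons(SAMPLE_LOG).items():
        print(f"{src}: {info['count']} beacons, period {info['period_s']:.1f}s, "
              f"jitter {info['jitter_s']:.1f}s")
        for payload in info["decoded"]:
            print("   ", payload)
```

The host 10.0.0.9 sends one matching request and is deliberately not reported: a single odd POST is a lead, not a beacon. The interval check is what survives an operator changing the User-Agent or URI between builds, so in a real hunt run it with the string matches relaxed and tune `max_jitter_s` to the sleep jitter the sample actually uses.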
☠️ Risk & Impact
PcShare enables full-scale data exfiltration, credential harvesting and lateral movement, leading to intellectual property theft and financial losses. Impacted sectors include government, defense, aerospace and telecommunications; the Operation Cloud Hopper campaign, as documented by PwC UK and BAE Systems in 2017, reportedly reached more than 20 MSPs and thousands of their downstream clients. The malware's persistence and stealth mechanisms allow prolonged undetected access, making it a high-value asset for espionage operations.
🛡️ Mitigation
Defensive measures include network segmentation, strict email filtering to block spear-phishing attachments, and endpoint detection rules (for example a Sigma rule in the registry_set category that alerts on a new Run value named PcShare, and YARA rules that match PcShare's XOR-encrypted strings). Regularly patch known exploited vulnerabilities such as CVE-2017-11882 and enable application control (allow-listing) so unknown binaries cannot execute. The MITRE ATT&CK mitigations mapped to the techniques PcShare uses also include User Account Control; running users without local administrator rights limits what a RAT executing in their context can reach.
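As an added illustration of the XOR-encrypted-string detection mentioned above (example code, not from MITRE or any published rule set), the Python below scans a constructed binary blob for single-byte-XOR-encoded copies of the string indicators quoted on this page, reports the key and offset of each hit, and emits the equivalent YARA rule using YARA's built-in `xor` string modifier. The blob, its key (0x5A) and the filler bytes are constructed; the plaintext strings are this page's own indicators, which are themselves unverified.

```python
"""Find single-byte-XOR-encoded copies of known strings in a binary blob.

Added example, not a published PcShare signature. The plaintext strings are
this page's (unverified) indicators; the blob, its key and the filler are constructed.
"""
import random

KNOWN_STRINGS = [b"PcShare", b"/admin/up.php", b"PcShareMutex"]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def scan_xor_strings(blob: bytes, needles=KNOWN_STRINGS, keys=range(1, 256)):
    """Return (string, key, offset) for every XOR-encoded occurrence found.
    Key 0x00 is skipped: that is the plaintext case an ordinary string search covers."""
    findings = []
    for needle in needles:
        for key in keys:
            encoded = xor_bytes(needle, key)
            pos = blob.find(encoded)
            while pos != -1:
                findings.append((needle.decode(), key, pos))
                pos = blob.find(encoded, pos + 1)
    return findings


def yara_rule(name: str, needles=KNOWN_STRINGS) -> str:
    """Equivalent YARA: the xor(0x01-0xff) modifier tries every single-byte key."""
    body = "\n".join(
        f'        $s{i} = "{n.decode()}" xor(0x01-0xff)' for i, n in enumerate(needles)
    )
    return f"rule {name} {{\n    strings:\n{body}\n    condition:\n        any of them\n}}"


def build_sample_blob(key: int = 0x5A, seed: int = 7) -> bytes:
    """Constructed stand-in for a packed binary: pseudo-random filler with two
    XOR-encoded strings embedded at offsets 100 and 307."""
    rnd = random.Random(seed)
    filler = bytes(rnd.randrange(256) for _ in range(512))
    return b"".join([
        filler[:100], xor_bytes(b"PcShare", key),
        filler[100:300], xor_bytes(b"/admin/up.php", key),
        filler[300:],
    ])


if __name__ == "__main__":
    blob = build_sample_blob()
    for string, key, offset in scan_xor_strings(blob):
        print(f"{string!r} xor 0x{key:02x} at offset {offset}")
    print(yara_rule("pcshare_xor_strings"))
```

A single-byte XOR is the weakest form of the obfuscation the Technical Capabilities section describes; a multi-byte or rolling key defeats this scan and the YARA `xor` modifier alike, at which point the strings must be recovered dynamically or the decoding routine itself signatured.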
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.