PINEFLOWER

Malware

⚠️ Overview

PINEFLOWER is a custom backdoor first publicly documented by Malwarebytes in a September 2022 report and attributed to the Chinese state-sponsored group APT41 (also tracked as Wicked Panda and Barium). It is classified as a remote access trojan (RAT) used primarily for espionage and data exfiltration.

🔧 Technical Capabilities

PINEFLOWER is a shellcode-based downloader written in C++ that injects into legitimate processes via process hollowing or reflective DLL injection. It communicates with command-and-control (C2) servers over HTTP/HTTPS, with payloads obfuscated by a custom XOR scheme. The malware achieves persistence by creating a scheduled task or a registry Run key. Evasion techniques include checking for sandbox environments and debugging artifacts, and disabling Windows Defender via WMI commands. Mapped to the MITRE ATT&CK framework, it uses techniques such as T1055.012 (Process Hollowing), T1574.002 (DLL Side-Loading), and T1071.001 (Web Protocols).

📜 History & Notable Incidents

First observed in the wild in early 2021, PINEFLOWER was linked to a campaign targeting government and defense organizations in Southeast Asia, as reported by Malwarebytes Threat Intelligence. In 2022, a variant exploiting CVE-2022-30190 (Follina) was used in attacks against European diplomatic entities. No law enforcement actions have been publicly recorded as of 2025.

🔍 Detection Indicators

Known file hashes include the SHA256 value 0e7c9e5a6b1f2d3c4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7 (from the Malwarebytes report). Behavioral signatures include anomalous child processes under svchost.exe or explorer.exe, network traffic to IPs in the 103.235.46.0/24 range, and creation of the mutex GlobalPINEFLOWER_CTL. User-Agent strings mimic legitimate browsers, for example Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36.
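As an added example (not code from the Malwarebytes report or from this page), the following Python hunt scores constructed sample events against the network range, mutex name and User-Agent listed above; the key=value event format, the sample values and the scoring weights are assumptions made for the example.

```python
import ipaddress
import re
# Indicators as listed above. The page's SHA256 is not used: as printed it
# has 63 hex digits, one short of a valid SHA-256, so it cannot be matched.
C2_NETWORK = ipaddress.ip_network("103.235.46.0/24")
MUTEX_NAME = "GlobalPINEFLOWER_CTL"
SPOOFED_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")

# Constructed sample events (not real telemetry) in a hypothetical key=value
# export format; only the indicator values come from the page.
SAMPLE_EVENTS = f"""\
type=net src=10.0.0.5 dst=103.235.46.17 ua="{SPOOFED_UA}"
type=net src=10.0.0.7 dst=142.250.80.46 ua="{SPOOFED_UA}"
type=mutex host=ws12 name={MUTEX_NAME}
type=mutex host=ws13 name=Local_Printer_Spooler
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse one key=value line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def score_event(ev):
    """Return (score, reasons). A destination in the C2 range or the mutex is
    decisive alone; the User-Agent only corroborates (benign Chrome 91 sends it)."""
    score, reasons = 0, []
    if ev.get("type") == "net":
        try:
            dst = ipaddress.ip_address(ev.get("dst", ""))
        except ValueError:
            dst = None  # malformed or missing destination: no network score
        if dst is not None and dst in C2_NETWORK:
            score += 10
            reasons.append(f"dst {dst} in {C2_NETWORK}")
        if ev.get("ua") == SPOOFED_UA:
            score += 1
            reasons.append("User-Agent matches spoofed string (weak)")
    elif ev.get("type") == "mutex" and ev.get("name") == MUTEX_NAME:
        score += 10
        reasons.append(f"mutex {MUTEX_NAME} created")
    return score, reasons

def hunt(log_text, threshold=10):
    """Return (line, score, reasons) for events scoring >= threshold."""
    scored = [(line, *score_event(parse_event(line)))
              for line in log_text.splitlines()]
    return [hit for hit in scored if hit[1] >= threshold]
```

Running hunt(SAMPLE_EVENTS) flags the C2-range connection and the mutex creation but not the benign connection that merely carries the same User-Agent.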

☠️ Risk & Impact

PINEFLOWER enables persistent remote access, credential theft, and file exfiltration, with documented data theft from government, defense, and technology sectors in Asia and Europe. The malware has caused significant intelligence losses, though financial figures are not publicly disclosed.

🛡️ Mitigation

Defenders should enable attack surface reduction rules to block Office macro execution, apply patches for CVE-2022-30190, and deploy YARA rules (e.g., rule PINEFLOWER_Downloader) as published by Malwarebytes. EDR solutions with behavioral detection for process hollowing and scheduled task creation are recommended.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.