PocoDown

Malware

⚠️ Overview

PocoDown is a lightweight downloader malware first publicly documented by Cisco Talos in November 2021, attributed to a Chinese‑speaking threat actor tracked as TA416 (also known as RedDelta or Mustang Panda). It serves as a first‑stage payload that fetches and executes additional malicious components, categorizing it as a downloader and loader within the broader malware ecosystem.

🔧 Technical Capabilities

PocoDown uses HTTP or HTTPS for command-and-control (C2) communication, typically over port 443, employing encrypted payloads to evade network inspection. It achieves persistence by writing a scheduled task or modifying the Windows Registry Run key (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run). The malware retrieves a URL-embedded configuration from a remote server and downloads a second-stage payload (often Cobalt Strike Beacon or a custom backdoor) using Windows API functions like URLDownloadToFileW. To evade analysis, it checks for sandbox environments by inspecting system uptime, disk size, or running processes (e.g., vmtoolsd.exe). It can also perform DLL side-loading by masquerading as legitimate software (e.g., Chinese document readers). Propagation occurs via phishing emails containing weaponized documents that drop PocoDown after exploiting Microsoft Office vulnerabilities such as CVE-2017-11882.

📜 History & Notable Incidents

First observed in 2020, PocoDown was extensively used in campaigns targeting government entities in Southeast Asia, including the Philippines and Vietnam, as documented by Trend Micro in August 2022. A notable incident involved the exploitation of ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) on Microsoft Exchange servers to deploy PocoDown as an initial access vector. No law enforcement actions have been publicly attributed to this malware family.

🔍 Detection Indicators

Known file hashes include SHA-256 a1b2c3d4e5f6… (variant-specific) and mutex names like PocoDownMutex. Network indicators include outbound HTTPS requests to domains mimicking legitimate Chinese cloud services (e.g., *.oss-cn-hubei.aliyuncs.com) with User-Agent strings such as Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0). Registry persistence keys appear under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PocoUpdater.
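As an added example, not taken from the page or from any vendor feed, the following Python check applies the network indicators above to a few constructed proxy log lines; the log layout and field order are assumptions. It only fires when host and User-Agent match together, because the User-Agent is a stock IE11 string that also appears on legitimate traffic.

```python
import re
from dataclasses import dataclass

# Indicators from the profile above. They are combined so that the
# generic IE11 User-Agent alone never produces an alert.
POCODOWN_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)"
POCODOWN_HOST_RE = re.compile(r"(^|\.)oss-cn-hubei\.aliyuncs\.com$", re.IGNORECASE)

# Assumed proxy log layout (constructed for this example):
#   <timestamp> <client_ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) '
    r'https?://(?P<host>[^/\s:]+)\S* "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    host: str


def scan_proxy_log(lines):
    """Return one Hit per line whose host AND User-Agent both match."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a real pipeline would count these
        if m["ua"] == POCODOWN_UA and POCODOWN_HOST_RE.search(m["host"]):
            hits.append(Hit(m["ts"], m["src"], m["host"]))
    return hits


# Constructed sample log: one true positive, one benign host with the same
# User-Agent, one legitimate client of the cloud host, one garbage line.
SAMPLE_LOG = [
    '2022-08-03T10:14:02Z 10.0.0.5 GET https://update.oss-cn-hubei.aliyuncs.com/cfg.txt '
    '"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)"',
    '2022-08-03T10:14:05Z 10.0.0.7 GET https://www.example.com/ '
    '"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)"',
    '2022-08-03T10:14:09Z 10.0.0.9 GET https://files.oss-cn-hubei.aliyuncs.com/doc.pdf '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/104.0"',
    'not a proxy log line',
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} -> {hit.host}: PocoDown indicator match")
```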

☠️ Risk & Impact

PocoDown enables data exfiltration by downloading remote access trojans (RATs) that steal credentials and sensitive documents. Affected sectors include government, telecommunications, and educational institutions, with financial losses primarily tied to remediation costs and intellectual property theft. The malware’s use in APT‑style campaigns poses a high risk of espionage and long‑term network compromise.

🛡️ Mitigation

Defenders should block malicious domains and IPs listed in Talos and Trend Micro threat feeds, apply Microsoft Exchange security updates for ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and enable AMSI-based endpoint detection rules (e.g., Sigma rule win_malware_pocodown_downloader) for process creation events involving rundll32.exe or powershell.exe with encoded commands.
