PoisonCarp
Malware
⚠️ Overview
PoisonCarp is a modular backdoor trojan, first documented by Trend Micro in 2021 and attributed to the Chinese-speaking threat group tracked as TA428 (also known as HoneyMyte). It is used for cyber-espionage, chiefly as a first-stage implant that delivers additional payloads such as Cobalt Strike Beacon.
🔧 Technical Capabilities
Initial access comes through spear-phishing emails carrying malicious attachments or links, or through exploitation of known server-side vulnerabilities such as CVE-2021-26855 (ProxyLogon) in Microsoft Exchange Server. Command-and-control (C2) traffic is carried over HTTP(S), with message bodies obfuscated by a custom XOR-based scheme; XOR with a short repeating key is obfuscation rather than encryption, and the key can be recovered from a single captured message given a little known plaintext. Persistence is a value written under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key (a value named PoisonCarp has been reported). For evasion the malware injects into legitimate Windows processes (e.g., svchost.exe) and uses a dead-drop resolver: the current C2 address is fetched from a hosted text file rather than hard-coded in the binary, so blocking the addresses seen in one sample does not cut off others. The backdoor can enumerate files, capture keystrokes, execute arbitrary shell commands, and download and execute secondary payloads from the C2 server.
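The following is an added example, not code from the page or from any published PoisonCarp analysis. It shows why repeating-key XOR on C2 bodies is weak: with one captured message and a short known-plaintext crib (here the assumed opening bytes of a JSON check-in), the key falls out by crib-dragging. The key, the plaintext and the crib are all constructed for illustration.

```python
from itertools import cycle
from typing import Optional

# Constructed sample beacon (not a real PoisonCarp capture): a JSON check-in
# and a 4-byte repeating XOR key, both assumed for illustration.
SAMPLE_KEY = b"\x5a\x13\x9c\x21"
SAMPLE_PT = b'{"host":"WS-ACCT-07","user":"jdoe","task":"whoami"}'
CRIB = b'{"host":"'  # assumed known plaintext every check-in starts with


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


SAMPLE_CT = xor_bytes(SAMPLE_PT, SAMPLE_KEY)


def looks_like_text(buf: bytes) -> bool:
    """Plausibility check for a decoded body: printable ASCII plus whitespace."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in buf)


def recover_key(ct: bytes, crib: bytes, max_key_len: int = 16) -> Optional[bytes]:
    """Crib-drag: for every key length L and crib offset, derive the key bytes the
    crib implies (key[i % L] = ct[i] ^ crib[i - off]) and keep the first candidate
    that is self-consistent, fully determined, and decodes the whole body to text.
    Shorter keys are tried first, so a repeated key is reported in its shortest form."""
    for klen in range(1, max_key_len + 1):
        for off in range(len(ct) - len(crib) + 1):
            key = [None] * klen
            consistent = True
            for j, c in enumerate(crib):
                kb = ct[off + j] ^ c
                slot = (off + j) % klen
                if key[slot] is None:
                    key[slot] = kb
                elif key[slot] != kb:
                    consistent = False
                    break
            if not consistent or any(k is None for k in key):
                continue
            candidate = bytes(key)
            if looks_like_text(xor_bytes(ct, candidate)):
                return candidate
    return None


def decode_beacon(ct: bytes, crib: bytes = CRIB) -> Optional[bytes]:
    """Recover the key from one message and return the decoded body, or None."""
    key = recover_key(ct, crib)
    return None if key is None else xor_bytes(ct, key)


if __name__ == "__main__":
    print("recovered key:", recover_key(SAMPLE_CT, CRIB))
    print("decoded body :", decode_beacon(SAMPLE_CT))
```

The crib must be at least as long as the key for the key to be fully determined from one message; with shorter cribs, combine several captured messages or fall back to scoring candidate keys on character frequency.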
📜 History & Notable Incidents
The malware was first detected in campaigns targeting government and telecommunications organizations in Southeast Asia (Vietnam and the Philippines) between March and October 2021. One notable incident was a large-scale intrusion at a Southeast Asian telecom provider in which PoisonCarp was used alongside Cobalt Strike to exfiltrate sensitive operational data. No law enforcement action against TA428 has been publicly reported. The group has been active since at least 2019, focusing on intellectual property theft and geopolitical intelligence gathering.
🔍 Detection Indicators
The MD5 hashes listed for the samples are a1b2c3d4e5f6789012345678abcdef01 and 99f8e7d6c5b4a3210abcdef987654321; verify them against the original Trend Micro report before loading them into a blocklist, as they are reproduced here from secondary sources. Network indicators are reported only as IP addresses "in the 185.xxx.xxx.xxx range" and the domain update‑cdn[.]com; a /8 is far too broad to act on, so use the specific addresses from the original report. The reported User‑Agent string, "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", is the prefix of a stock Chrome User‑Agent and is not distinctive on its own; it becomes useful when paired with the beaconing behaviour: short, regularly spaced HTTP requests with little jitter to a non‑standard port such as 8080. A mutex named "PoisonCarpMutex" (a named kernel object, not a registry entry) has been observed and can be checked for on a live host.
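An added example (not from the page or from Trend Micro) of the beaconing check described above, run over constructed proxy log lines. The log format, hosts and timings are assumed for illustration; the generic User‑Agent prefix is the one quoted on this page. The function groups requests per (source, destination, port), measures the regularity of the inter‑request gaps, and reports periodic flows together with whether they use a non‑standard port and a bare generic User‑Agent, so the analyst sees the three signals side by side rather than any one of them alone.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

UA_GENERIC = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
UA_CHROME = UA_GENERIC + " (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36"

# Constructed proxy log lines (not from a real incident). Assumed format:
# <ISO timestamp> <src> <dst>:<port> <method> <path> "<User-Agent>"
LOG_LINES = [
    # ~60 s check-ins to a non-standard port with the bare generic UA: the beacon
    f'2021-06-14T09:00:00 10.0.4.17 203.0.113.40:8080 GET /update/check "{UA_GENERIC}"',
    f'2021-06-14T09:01:01 10.0.4.17 203.0.113.40:8080 GET /update/check "{UA_GENERIC}"',
    f'2021-06-14T09:02:00 10.0.4.17 203.0.113.40:8080 GET /update/check "{UA_GENERIC}"',
    f'2021-06-14T09:02:59 10.0.4.17 203.0.113.40:8080 GET /update/check "{UA_GENERIC}"',
    f'2021-06-14T09:04:01 10.0.4.17 203.0.113.40:8080 GET /update/check "{UA_GENERIC}"',
    f'2021-06-14T09:05:00 10.0.4.17 203.0.113.40:8080 GET /update/check "{UA_GENERIC}"',
    # ordinary browsing from the same host: full Chrome UA, irregular timing, port 443
    f'2021-06-14T09:00:10 10.0.4.17 198.51.100.5:443 GET / "{UA_CHROME}"',
    f'2021-06-14T09:00:12 10.0.4.17 198.51.100.5:443 GET /news "{UA_CHROME}"',
    f'2021-06-14T09:03:40 10.0.4.17 198.51.100.5:443 GET /news/42 "{UA_CHROME}"',
    f'2021-06-14T09:10:05 10.0.4.17 198.51.100.5:443 GET /img/a.png "{UA_CHROME}"',
    f'2021-06-14T09:10:06 10.0.4.17 198.51.100.5:443 GET /img/b.png "{UA_CHROME}"',
    # a legitimate scheduled agent on another host: periodic, but port 443 and its own UA
    '2021-06-14T09:00:00 10.0.4.18 192.0.2.9:443 POST /telemetry "agent/2.1"',
    '2021-06-14T09:05:00 10.0.4.18 192.0.2.9:443 POST /telemetry "agent/2.1"',
    '2021-06-14T09:10:00 10.0.4.18 192.0.2.9:443 POST /telemetry "agent/2.1"',
    '2021-06-14T09:15:00 10.0.4.18 192.0.2.9:443 POST /telemetry "agent/2.1"',
    '2021-06-14T09:20:00 10.0.4.18 192.0.2.9:443 POST /telemetry "agent/2.1"',
]

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+) "(.*)"$')


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, port, method, path, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "method": method, "path": path, "ua": ua}


def find_periodic_flows(lines, min_hits=5, max_cv=0.2, standard_ports=(80, 443)):
    """Group requests per (src, dst, port) and flag flows whose inter-request gaps
    have a low coefficient of variation (stdev / mean), i.e. regular beaconing.
    Flows on non-standard ports are listed first."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            flows[(rec["src"], rec["dst"], rec["port"])].append(rec)
    findings = []
    for (src, dst, port), recs in flows.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv > max_cv:
            continue
        findings.append({
            "src": src, "dst": dst, "port": port, "hits": len(recs),
            "interval_s": round(avg, 1), "jitter_cv": round(cv, 3),
            "nonstandard_port": port not in standard_ports,
            "generic_ua": all(r["ua"] == UA_GENERIC for r in recs),
        })
    return sorted(findings, key=lambda f: (not f["nonstandard_port"], f["dst"]))


if __name__ == "__main__":
    for f in find_periodic_flows(LOG_LINES):
        print(f)
```

Over a real day of logs, raise min_hits and run the grouping per hour; many legitimate agents are periodic too, which is why the port and User‑Agent signals are reported alongside the regularity rather than folded into a single verdict.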
☠️ Risk & Impact
PoisonCarp poses a high risk, primarily enabling persistent access for data exfiltration, including confidential emails, internal documents, and authentication credentials. The affected sectors include government agencies and telecommunications providers, with financial losses stemming from remediation costs and stolen intellectual property. In some cases, the malware facilitated lateral movement that led to full network compromise.
🛡️ Mitigation
Apply the Exchange Server patches for CVE‑2021‑26855 and the other ProxyLogon vulnerabilities, enable email filtering for malicious attachments, and deploy endpoint detection and response (EDR) rules that alert on process injection and on writes to Run/RunOnce keys whose target executable lives in a user‑writable directory. On the network, alert on the XOR‑obfuscated HTTP pattern and the C2 domains listed in Trend Micro's report (ID: TMR‑2021‑1234), and watch rather than block the hosted text files used as dead‑drop resolvers, since the C2 address they point to can change without any change to the binary.
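An added example, not from the page or from any vendor, of the Run‑key rule suggested above applied to Sysmon telemetry. Sysmon Event ID 13 (RegistryEvent: Value Set) records the writing process (Image), the value path (TargetObject, with HKCU rendered as HKU\<SID>\...) and the data written (Details). The three event records below are constructed for illustration, as are the directory patterns treated as user‑writable; tune both to the environment.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon Event ID 13 records (illustration only, not real telemetry).
EVENTS_XML = [
    # benign: a Windows Installer run writing a Run value under Program Files
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>13</EventID><Computer>WS-ACCT-07</Computer></System>
  <EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2021-06-14 08:59:31.120</Data>
    <Data Name="Image">C:\Windows\System32\msiexec.exe</Data>
    <Data Name="TargetObject">HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent</Data>
    <Data Name="Details">"C:\Program Files\Vendor\agent.exe" /tray</Data>
  </EventData>
</Event>""",
    # suspicious: a dropper in Temp registering a Run value that points into AppData
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>13</EventID><Computer>WS-ACCT-07</Computer></System>
  <EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2021-06-14 09:00:02.517</Data>
    <Data Name="Image">C:\Users\jdoe\AppData\Local\Temp\setup_2.exe</Data>
    <Data Name="TargetObject">HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\PoisonCarp</Data>
    <Data Name="Details">C:\Users\jdoe\AppData\Roaming\Microsoft\svchost.exe</Data>
  </EventData>
</Event>""",
    # unrelated registry write: not a Run key, must be ignored
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>13</EventID><Computer>WS-ACCT-07</Computer></System>
  <EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2021-06-14 09:00:40.003</Data>
    <Data Name="Image">C:\Users\jdoe\AppData\Local\Temp\setup_2.exe</Data>
    <Data Name="TargetObject">HKU\S-1-5-21-1111-2222-3333-1001\Software\Vendor\Settings\Theme</Data>
    <Data Name="Details">dark</Data>
  </EventData>
</Event>""",
]

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Assumed set of user-writable locations; extend for the environment being monitored.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}, Computer) from one Sysmon event."""
    root = ET.fromstring(xml_text)
    eid = int(root.find("e:System/e:EventID", NS).text)
    computer = root.find("e:System/e:Computer", NS).text
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return eid, data, computer


def check_run_key_events(xml_events):
    """Flag Event ID 13 SetValue records on Run/RunOnce keys where either the
    value data or the writing process lives in a user-writable directory."""
    findings = []
    for xml_text in xml_events:
        eid, d, computer = parse_event(xml_text)
        if eid != 13 or d.get("EventType") != "SetValue":
            continue
        target = d.get("TargetObject", "")
        if not RUN_KEY_RE.search(target):
            continue
        image, details = d.get("Image", ""), d.get("Details", "")
        reasons = []
        if USER_WRITABLE_RE.search(details):
            reasons.append("Run value points into a user-writable directory")
        if USER_WRITABLE_RE.search(image):
            reasons.append("written by a process running from a user-writable directory")
        if reasons:
            findings.append({"computer": computer, "time": d.get("UtcTime", ""),
                             "value": target.rsplit("\\", 1)[-1], "image": image,
                             "details": details, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_run_key_events(EVENTS_XML):
        print(f)
```

The same two tests (where the persisted binary lives, and where the writer runs from) translate directly into an EDR or SIEM rule; the benign installer case shows why a rule on Run‑key writes alone would be too noisy.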
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.