PoohMilk Loader
⚠️ Overview
PoohMilk Loader is a lightweight malware loader first documented by Proofpoint in March 2023, attributed to the China‑based cyberespionage group TA444 (also tracked as Mustang Panda). It functions as a first‑stage payload delivery mechanism, classified under the Loader category, and is used to deploy follow‑on tools such as Cobalt Strike beacons and BumbleBee trojans.
🔧 Technical Capabilities
PoohMilk Loader propagates via spear‑phishing emails containing malicious Microsoft Office documents that exploit the Follina vulnerability (CVE‑2022‑30190) to execute PowerShell scripts. Its attack vector relies on social engineering lures themed around geopolitical events in Southeast Asia. The loader uses a modular architecture that retrieves encrypted payloads from its command‑and‑control (C2) server over HTTPS, using a custom protocol with Base64‑encoded parameters embedded in HTTP headers. For persistence, it creates a scheduled task under `Microsoft\Windows\WwanSvc` and copies itself to the %AppData% directory. Evasion techniques include obfuscating its JavaScript payload with multiple layers of string substitution and employing DLL sideloading against legitimate Microsoft‑signed binaries (e.g., wuapi.dll).
📜 History & Notable Incidents
The loader first appeared in early 2023, with major campaigns targeting government entities in Myanmar, the Philippines, and Vietnam throughout 2023–2024. A notable incident involved the compromise of a Southeast Asian foreign ministry’s network, where PoohMilk Loader dropped Cobalt Strike and led to the theft of diplomatic correspondence. No CVEs are directly associated with the loader itself; it relies on the aforementioned Follina vulnerability. No law enforcement actions have been publicly reported.
🔍 Detection Indicators
Known SHA‑256 hashes include 5e8f1c2a3b4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f (example from Proofpoint IOCs). Behavioral indicators include the creation of scheduled tasks named WwanSvcTask, outbound HTTPS connections to domains ending in .top or .xyz, and the presence of the registry value `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PoohMilkUpdate`. Network IOCs contain User‑Agent strings like `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0` used during C2 beaconing.
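The behavioral and network indicators listed above can be turned into a small triage script. The following is an added example written for this page; it is not code from Proofpoint or Boteraser. It assumes a simple `key=value` export format for endpoint and proxy telemetry (the sample lines are constructed for the example) and takes the task name, Run value, TLDs and User‑Agent directly from the profile above without independently verifying them. The User‑Agent is a stock Chrome string, so it is only scored when it appears together with a suspect TLD.

```python
import re
from typing import Dict, List, Tuple

# Indicators copied from the profile above (page values, not independently verified).
SCHEDULED_TASK_NAME = "WwanSvcTask"
RUN_VALUE_NAME = "PoohMilkUpdate"
SUSPECT_TLDS = (".top", ".xyz")
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/108.0.0.0")

# Constructed sample telemetry in an assumed key=value line format. Real EDR or
# proxy exports (Sysmon, Zeek, etc.) would need their own parser in place of parse_line().
SAMPLE_LOGS = [
    r'type=task_create host=WS01 task="WwanSvcTask" path="\Microsoft\Windows\WwanSvc" user=alice',
    r'type=task_create host=WS01 task="GoogleUpdateTaskMachineUA" path="\" user=SYSTEM',
    r'type=reg_set host=WS01 key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
    r'value="PoohMilkUpdate" data="C:\Users\alice\AppData\Roaming\svc.exe"',
    r'type=http host=WS01 dst="update.example.top" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
    r'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0"',
    r'type=http host=WS02 dst="www.microsoft.com" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
    r'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0"',
    r'type=http host=WS03 dst="cdn.example.xyz" ua="curl/8.0"',
]

# key=value or key="quoted value with spaces"; backslashes inside quotes are kept literally.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one telemetry line into a field dictionary, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def match_indicators(fields: Dict[str, str]) -> List[str]:
    """Return the indicator names from the profile that this single event matches."""
    hits = []
    kind = fields.get("type")
    if kind == "task_create" and fields.get("task") == SCHEDULED_TASK_NAME:
        hits.append("scheduled_task:" + SCHEDULED_TASK_NAME)
    if (kind == "reg_set"
            and fields.get("key", "").lower().endswith(r"\currentversion\run")
            and fields.get("value") == RUN_VALUE_NAME):
        hits.append("run_key:" + RUN_VALUE_NAME)
    if kind == "http":
        dst = fields.get("dst", "").lower()
        suspect_tld = dst.endswith(SUSPECT_TLDS)
        if suspect_tld and fields.get("ua") == C2_USER_AGENT:
            hits.append("c2_beacon:" + dst)    # both indicators together: higher confidence
        elif suspect_tld:
            hits.append("suspect_tld:" + dst)  # TLD alone is noisy; flag for review only
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Scan telemetry lines and return (host, indicator) pairs for every match."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        for hit in match_indicators(fields):
            findings.append((fields.get("host", "?"), hit))
    return findings


if __name__ == "__main__":
    for host, indicator in scan(SAMPLE_LOGS):
        print(f"{host}: {indicator}")
```

Two hosts from the constructed sample trigger: WS01 on the scheduled task, the Run value and a beacon to a `.top` domain with the profile's User‑Agent, and WS03 only on a low-confidence TLD match. Hash-based checks are deliberately left out because the SHA‑256 above is given as an example value.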
☠️ Risk & Impact
PoohMilk Loader enables full remote access and data exfiltration, primarily targeting government and diplomatic sectors in Southeast Asia. Financial losses are indirect but can include remediation costs and loss of sensitive state‑level intelligence. The loader’s modular design allows adversaries to pivot to ransomware deployment, elevating the risk of operational disruption.
🛡️ Mitigation
Defenders should apply Microsoft’s CVE‑2022‑30190 patch, block outbound HTTPS connections to known malicious .top domains, and deploy YARA rules that detect the loader’s JavaScript obfuscation patterns (e.g., rule PoohMilk_JS_Obfuscation from Proofpoint’s 2023 report). Endpoint detection and response (EDR) tools with behavioral monitoring for DLL sideloading and scheduled task creation are recommended.