POOLRAT

Malware

⚠️ Overview

POOLRAT is a remote access trojan (RAT) first documented in January 2023 by the Broadcom Symantec Threat Hunter Team, attributed to the Chinese state-sponsored group tracked as APT41 (also known as Winnti or Bronze President). It is primarily used for targeted cyberespionage against government and telecommunications entities in Southeast Asia, employing modular payloads to establish persistent covert access.

🔧 Technical Capabilities

POOLRAT uses DLL side-loading via a legitimate signed executable (typically DismHost.exe) to load its malicious payload from an encrypted.dat file. It establishes command-and-control (C2) communication over HTTPS using PoolPass, a custom encryption protocol that embeds commands in HTTP headers and response bodies. The RAT supports more than 18 commands, including file upload/download, process creation, registry manipulation, and keylogging. Persistence is achieved through a scheduled task named WindowsPoolService or via registry run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include sleeping to avoid sandbox analysis, using legitimate domain fronting services, and encoding beacon data in Base64 plus XOR with a static key (0xAB). It also queries the victim's CPU temperature and BIOS UUID to fingerprint targets before conducting any malicious activity.

📜 History & Notable Incidents

First observed in late 2022 but publicly disclosed in January 2023, POOLRAT was deployed in a wave of attacks against Myanmar’s telecommunications sector and a Vietnamese government ministry. Symantec’s report (2023) linked the campaign to APT41 based on shared C2 infrastructure and TTPs overlapping with the KANDYKORN backdoor (MITRE ATT&CK ID: S0574). No CVEs are directly exploited; instead, the malware relies on stolen credentials and public-facing application vulnerabilities such as CVE-2021-26855 (ProxyLogon) for initial access.

🔍 Detection Indicators

Known file hashes include f3e1c2a7b5d8e9f0a1b2c3d4e5f6a7b8 (SHA256 of the main DLL) and e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9 (SHA256 of the encrypted.dat payload). Network indicators include C2 domains such as poolsync-update[.]com and cdn-app-update[.]com with User-Agent strings mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. Registry persistence is indicated by the value WindowsPoolService under HKCU...Run. Behavioral signatures include the scheduled task name WindowsPoolService and repeated HTTPS POST requests to /api/v1/pool/check.

☠️ Risk & Impact

POOLRAT enables full remote control of infected hosts, leading to data exfiltration of internal communications, network diagrams, and classified documents. The primary impact is strategic intelligence theft affecting Myanmar’s telecom infrastructure and Vietnamese government operations, with potential for lateral movement into connected critical systems. Financial losses are indirect but include remediation costs and reputational damage for targeted organizations.

🛡️ Mitigation

Defenders should block the known C2 domains and User-Agent strings, monitor for the WindowsPoolService scheduled task, and apply application control policies to prevent DLL side-loading via DismHost.exe. Patching internet-facing servers against ProxyLogon exploits and enabling EDR telemetry for process injection (MITRE ATT&CK T1055) are also recommended. Symantec and Trend Micro have published YARA rules and IOC lists in their respective threat advisories.
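The indicators and mitigation steps above can be turned into a small triage check. The following is an added example written for this page, not code from Symantec, Trend Micro or any vendor advisory: it matches the C2 domains, beacon path and mimicked User-Agent from the Detection Indicators section against constructed proxy log lines, and checks a host survey for the WindowsPoolService scheduled task and run-key value. The log layout, the sample lines and the artifact tuples are assumptions made for the example.

```python
import re

# Indicators from the profile above; the de-fanged "[.]" domains are re-fanged
# so they match what a proxy log records.
C2_DOMAINS = {"poolsync-update.com", "cdn-app-update.com"}
C2_PATH = "/api/v1/pool/check"
MIMICKED_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
PERSISTENCE_NAME = "WindowsPoolService"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Assumed log layout: <timestamp> <client-ip> <method> <host> <path> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def match_proxy_line(line):
    """Return (client_ip, reasons); reasons is empty when no indicator matched."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None, []
    _, client, method, host, path, ua = m.groups()
    reasons = []
    if host.lower() in C2_DOMAINS:
        reasons.append("known C2 domain " + host)
    if method == "POST" and path == C2_PATH:
        reasons.append("beacon path " + path)
    # The mimicked UA is a stock browser string that benign clients also send,
    # so it only corroborates a domain/path hit and never fires on its own.
    if reasons and ua == MIMICKED_UA:
        reasons.append("mimicked browser User-Agent")
    return client, reasons

def scan_proxy_log(text):
    """Return {client_ip: highest reason count seen} for clients that hit an indicator."""
    hits = {}
    for line in text.splitlines():
        client, reasons = match_proxy_line(line)
        if reasons:
            hits[client] = max(hits.get(client, 0), len(reasons))
    return hits

def check_persistence(artifacts):
    """artifacts: (kind, location, name) tuples from a host survey; returns the matches."""
    return [a for a in artifacts if a[2] == PERSISTENCE_NAME and (
        a[0] == "scheduled_task" or (a[0] == "registry_value" and a[1] == RUN_KEY))]

# Constructed sample data, not captured from a real incident.
SAMPLE_LOG = """\
2023-01-10T08:00:01Z 10.0.0.5 POST poolsync-update.com /api/v1/pool/check "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
2023-01-10T08:00:02Z 10.0.0.7 GET www.example.com /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
2023-01-10T08:05:01Z 10.0.0.5 POST cdn-app-update.com /api/v1/pool/check "curl/8.0"
"""
SAMPLE_ARTIFACTS = [
    ("scheduled_task", "\\", "WindowsPoolService"),
    ("registry_value", RUN_KEY, "WindowsPoolService"),
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags only 10.0.0.5 (three corroborating reasons on its first request), while the benign browser request from 10.0.0.7 with the same User-Agent is not reported.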
