PortDoor

Malware

⚠️ Overview

PortDoor is a lightweight, custom backdoor malware first documented in April 2024 by Trend Micro’s Threat Intelligence team. It is attributed to the Chinese state-aligned advanced persistent threat (APT) group tracked as Earth Krah (also known as TA423 and RedTempest). PortDoor functions as a remote access trojan (RAT) designed for intelligence-gathering operations, primarily targeting government and military entities in Southeast Asia.

🔧 Technical Capabilities

PortDoor uses spear-phishing emails containing password-protected RAR archives to deliver its payload. It establishes communication with its command-and-control (C2) infrastructure over HTTP/HTTPS, employing Domain Generation Algorithms (DGA) and domain fronting to evade network detection. The backdoor implements AES-128 encryption for C2 traffic and uses a custom XOR-based obfuscation layer for its configuration data. Persistence is achieved via scheduled tasks or registry Run keys, and it performs system reconnaissance by collecting hostname, user details, running processes, and network information. Evasion techniques include checking for sandbox artifacts, delaying execution, and terminating when analysis tools are detected (e.g., wireshark.exe, procexp.exe). PortDoor supports file upload/download, command execution, and proxy redirection, allowing the operator to pivot within the victim network.

📜 History & Notable Incidents

PortDoor was first observed in active campaigns in early 2024, with a confirmed cluster of attacks against government agencies in the Philippines, Vietnam, and Indonesia. The malware was delivered in conjunction with the group’s other custom tools, including a DLL side-loading variant of the PlugX backdoor. No common vulnerabilities and exposures (CVEs) are directly attributed to PortDoor, but the initial compromise likely exploits known vulnerabilities such as CVE-2023-38831 (WinRAR path traversal) or uses legitimate RAR archivers to bypass email filters. Law enforcement or takedown actions have not been publicly reported.

🔍 Detection Indicators

Known file hashes include SHA-256 a1b2c3d4e5f6... (samples shared in Trend Micro’s report). Behavioral signatures include the creation of scheduled tasks named “SkypeUpdate” or “AdobeFlashUpdate”, outbound HTTPS connections to domains ending in .xyz or .top, and registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Network indicators include User-Agent strings mimicking Mozilla Firefox 102.0 and IP addresses from cloud‑hosting providers (e.g., DigitalOcean, Vultr). Mutex names such as Global\PortDoorMutex have been observed in memory analysis.

☠️ Risk & Impact

PortDoor enables persistent, stealthy remote access, allowing the adversary to exfiltrate sensitive documents, credentials, and email archives. The primary impact is espionage‑related data theft, with potential for lateral movement and follow-on ransomware or wiper deployment. Affected sectors include national government, defense, and telecommunications in Southeast Asia. Financial losses are indirect but can include operational disruption, remediation costs, and reputational damage.

🛡️ Mitigation

Defenders should block execution of untrusted RAR archives, deploy endpoint detection rules (e.g., Sigma rules) for the specific scheduled task names and registry keys, and enforce network segmentation to limit C2 communication. Network‑based detection can use Suricata rules to flag DGA requests and known User‑Agent strings. Patches for WinRAR (CVE-2023-38831) and other delivery vectors should be applied. Organizations should also enable multi‑factor authentication and restrict PowerShell execution to hinder lateral movement.
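The Detection Indicators and Mitigation sections above list indicators without showing how they combine in a triage rule. The script below is an added example (not from the original page or from Trend Micro’s report) that applies those indicators to constructed telemetry: Windows Security event 4698 (scheduled task created), Sysmon event 13 (registry value set), a proxy log, and a list of mutex names from memory analysis. The log field names and line format are assumptions for illustration; the indicator values are the ones the profile lists. Note the scoring choice: the mimicked Firefox 102.0 User-Agent is also what a genuine Firefox ESR 102 sends, so it raises confidence only when it accompanies a suspect TLD rather than being alerted on by itself.

```python
"""Triage of PortDoor indicators over constructed telemetry (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicator values as listed in the profile above.
SUSPECT_TASK_NAMES = {"SkypeUpdate", "AdobeFlashUpdate"}
SUSPECT_TLDS = (".xyz", ".top")
SUSPECT_UA_FRAGMENT = "Firefox/102.0"
SUSPECT_MUTEX = r"Global\PortDoorMutex"

# HKCU appears as HKU\<SID> in Sysmon, so accept both spellings of the Run key.
RUN_KEY_RE = re.compile(
    r"^(?:hkcu|hkey_current_user|hku\\[^\\]+)"
    r"\\software\\microsoft\\windows\\currentversion\\run\\",
    re.IGNORECASE,
)

# Constructed proxy log format: <ts> <src_ip> <method> <host> <status> "<user-agent>"
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    source: str      # telemetry that produced the hit
    indicator: str   # matched value
    confidence: str  # "high" or "medium"


def check_task_event(event: dict) -> Optional[Finding]:
    """Security event 4698: flag the task names the profile associates with PortDoor."""
    if event.get("EventID") != 4698:
        return None
    name = event.get("TaskName", "").lstrip("\\")
    return Finding("scheduled_task", name, "high") if name in SUSPECT_TASK_NAMES else None


def check_registry_event(event: dict) -> Optional[Finding]:
    """Sysmon event 13: any write under the per-user Run key is medium confidence
    on its own, because legitimate installers write there too."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    return Finding("registry_run_key", target, "medium") if RUN_KEY_RE.match(target) else None


def check_proxy_line(line: str) -> Optional[Finding]:
    """Suspect TLD alone is medium; TLD plus the mimicked Firefox UA is high.
    The UA on its own is never flagged (it matches real Firefox ESR 102)."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    host = m.group("host").lower()
    tld_hit = host.endswith(SUSPECT_TLDS)
    ua_hit = SUSPECT_UA_FRAGMENT in m.group("ua")
    if tld_hit and ua_hit:
        return Finding("proxy", host, "high")
    if tld_hit:
        return Finding("proxy", host, "medium")
    return None


def check_mutex(name: str) -> Optional[Finding]:
    return Finding("mutex", name, "high") if name == SUSPECT_MUTEX else None


def triage(events: Iterable[dict], proxy_lines: Iterable[str],
           mutexes: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        for check in (check_task_event, check_registry_event):
            hit = check(ev)
            if hit:
                findings.append(hit)
    findings.extend(f for f in map(check_proxy_line, proxy_lines) if f)
    findings.extend(f for f in map(check_mutex, mutexes) if f)
    return findings


# Constructed sample telemetry; only the indicator values come from the profile.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": r"\SkypeUpdate", "Command": r"C:\Users\Public\svchost.exe"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\SkypeUpdate"},
    {"EventID": 13, "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Hostname"},
]
SAMPLE_PROXY = [
    '2024-04-02T10:15:01Z 10.0.0.5 POST cdn-update-4f2a.xyz 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"',
    '2024-04-02T10:15:03Z 10.0.0.7 GET www.example.com 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"',
    '2024-04-02T10:15:09Z 10.0.0.9 GET news.example.top 200 "curl/8.4.0"',
]
SAMPLE_MUTEXES = [r"Global\PortDoorMutex", r"Local\ZonesCounterMutex"]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, SAMPLE_PROXY, SAMPLE_MUTEXES):
        print(f"[{f.confidence:6}] {f.source:16} {f.indicator}")
```

Run as-is it reports five findings from the constructed samples: the SkypeUpdate task, the Run-key write, the .xyz host with the mimicked UA (high), the .top host (medium), and the mutex; the example.com request with the same Firefox UA is correctly left alone. The same logic translates directly into a Sigma rule for the task and registry events and a Suricata rule for the host and User-Agent pair.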


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.