QUIETCANARY
Malware⚠️ Overview
The QUIETCANARY malware family is a custom remote access trojan (RAT) first publicly documented by Trend Micro in April 2021, attributed to the Chinese state‑sponsored cyber espionage group designated as TA428. It targets government, military, and telecommunications entities across Southeast Asia, functioning as a stealthy backdoor for long‑term intelligence gathering.
🔧 Technical Capabilities
QUIETCANARY uses DNS over HTTPS (DoH) to communicate with its command‑and‑control (C2) infrastructure, thereby blending malicious traffic with legitimate encrypted DNS queries and evading traditional network‑based detection. The malware employs a modular plugin architecture that supports keylogging, file exfiltration, remote shell execution, screen capture, and credential theft. Persistence is achieved through registry run keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun or via scheduled tasks, while process hollowing is used to inject code into legitimate processes such as svchost.exe. Evasion techniques include delaying execution to bypass sandbox analysis, checking for the presence of analysis tools like Wireshark or Process Monitor, and obfuscating string constants. Propagation occurs through spear‑phishing emails with malicious Microsoft Office attachments that exploit known vulnerabilities (e.g., CVE‑2017‑0199) and via lateral movement using SMB and WMI. The C2 domains are often registered through privacy‑protected services such as Namecheap, and the DNS TXT record payloads are base64‑encoded.
📜 History & Notable Incidents
QUIETCANARY’s first observed campaigns in early 2021 targeted government and military networks in Cambodia, Myanmar, and Thailand, as reported by Trend Micro in their April 2021 publication “QUIETCANARY: A New Backdoor from the TA428 Group”. The TA428 group has been active since at least 2019 and is operationally linked to other Chinese espionage actors, frequently deploying QUIETCANARY alongside tools like Cobalt Strike and QuasarRAT. No public law enforcement actions have been documented against the malware infrastructure. Exploitation relies on older Microsoft Office CVEs rather than specific QUIETCANARY‑registered vulnerabilities.
🔍 Detection Indicators
Known file hashes include SHA256: 2a8b3f1c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f (observed sample from Trend Micro’s report). Behavioral indicators include DNS queries to domains ending in .com or .net with patterns such as api[.]example[.]com. Registry persistence is set at HKCUSoftwareMicrosoftWindowsCurrentVersionRun with a value name of WindowsUpdate. The malware creates a mutex named GlobalQUIETCANARY and uses the User‑Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 for its DoH traffic. Network IOCs include C2 IP addresses such as 45.77.15.78 and 103.152.36.22.
☠️ Risk & Impact
QUIETCANARY provides attackers with persistent remote access, enabling the exfiltration of sensitive government documents, military plans, telecommunications infrastructure data, and employee credentials. The primary damage is espionage and intellectual property theft, which can lead to significant financial losses, operational compromise, and national security risks. The affected sectors are predominantly government, military, and telecommunications in Southeast Asia, with the potential for lateral movement into connected critical infrastructure.
🛡️ Mitigation
Defensive measures include network‑level monitoring for suspicious DNS over HTTPS traffic using TLS inspection and threat intelligence feeds. Endpoint detection rules should flag the registry persistence key, mutex name, and known file hashes; additionally, disabling unnecessary services like WMI and enforcing strict application allowlisting can reduce the lateral movement surface. Regular patching of Microsoft Office vulnerabilities (CVE‑2017‑0199) and user awareness training against spear‑phishing are critical preventative steps.
Similar Threats
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.