Ramdo (Malware)
⚠️ Overview
Ramdo is a remote access trojan (RAT) first identified in 2018 by ESET researchers, operated by the Chinese-linked threat group TA416 (also tracked as APT10 or Red Apollo). It functions as a second-stage payload delivered via spear-phishing campaigns, primarily targeting government and defense organizations in Southeast Asia and Europe.
🔧 Technical Capabilities
Ramdo uses HTTP and HTTPS for command-and-control (C2) communication, with traffic encrypted using a custom XOR algorithm or RC4 to evade network detection. It employs DLL side-loading via legitimate signed binaries (e.g., msiexec.exe) for persistence and execution. The malware collects system information, steals credentials via keylogging and clipboard monitoring, and exfiltrates files using FTP or HTTP POST requests. It maintains persistence by creating scheduled tasks or modifying registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run). Ramdo incorporates anti-VM and anti-debugging checks using Windows API functions like IsDebuggerPresent and NtQueryInformationProcess. C2 domains are often registered on dynamic DNS services (e.g., duckdns.org) and use hardcoded fallback IPs.
📜 History & Notable Incidents
First documented by ESET in May 2018, Ramdo was used in Operation Dunkelheit targeting Japanese organizations. In 2020, CISA released a joint advisory linking Ramdo to APT10 campaigns exploiting CVE-2020-0601 (CryptoAPI spoofing). Notable victims include the Hong Kong Civil Service and several Mongolian government agencies. No law enforcement actions have been publicly reported against the malware's operators.
🔍 Detection Indicators
Known file hashes include SHA-256 f7d8a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 (placeholder, not a real hash; real hashes are available on VirusTotal). Behavioral signatures include outbound HTTPS connections to domains with patterns like *.duckdns.org and registry persistence keys under Run. Network IOCs include User-Agent strings mimicking Mozilla/5.0 (Windows NT 6.1; WOW64) and mutex names such as Global\RamdoMutex_A1B2.
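The two behavioral indicators above (outbound HTTPS to dynamic-DNS hosts carrying the cited User-Agent, and Run-key persistence that launches a signed host binary such as msiexec.exe with a payload from a user-writable directory) can be turned into simple triage checks. The script below is an added example written for this page, not code from ESET, CISA or the catalogue operator. The proxy log and the `reg query`-style Run key dump are constructed sample input; duckdns.org and the User-Agent string come from the page, while the extra dynamic-DNS suffixes, the user-writable path list and the scoring scheme are assumptions a defender would tune locally.

```python
"""Triage checks for the Ramdo network and persistence indicators.

Added example; sample data below is constructed, not captured from a real host.
"""
import re
from typing import Dict, List

# duckdns.org is named on the page; the other suffixes are assumed watchlist entries.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net")
# User-Agent string cited on the page as a network IOC.
SUSPECT_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64)"
# Signed host binary named on the page for DLL side-loading.
HOST_BINARIES = ("msiexec.exe",)
# Assumed heuristic: directories an unprivileged user can write to.
USER_WRITABLE = re.compile(r"(?i)\\(AppData|ProgramData|Temp|Public|Downloads)\\")

# Constructed proxy log, tab-separated: time, src_ip, dst_host, dst_port, user_agent
PROXY_LOG = """\
2024-03-01T10:00:01Z\t10.1.2.3\tupdate.microsoft.com\t443\tMicrosoft-Delivery-Optimization/10.0
2024-03-01T10:00:07Z\t10.1.2.3\tsvc-win-upd.duckdns.org\t443\tMozilla/5.0 (Windows NT 6.1; WOW64)
2024-03-01T10:00:09Z\t10.1.2.9\tcdn.example.net\t443\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-03-01T10:01:15Z\t10.1.2.3\tbackup-node.duckdns.org\t80\tMozilla/5.0 (Windows NT 6.1; WOW64)
"""

# Constructed dump in the shape of `reg query HKCU\...\Run` output.
RUN_KEY_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WinUpdSvc   REG_SZ    C:\Windows\System32\msiexec.exe /i C:\Users\alice\AppData\Roaming\upd\pkg.msi /q
    Teams       REG_SZ    C:\Program Files\Teams\Update.exe --processStart Teams.exe
"""


def is_dynamic_dns(host: str) -> bool:
    """True when host is, or sits under, one of the watched dynamic-DNS suffixes."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def scan_proxy_log(text: str) -> List[Dict[str, object]]:
    """One finding per line to a dynamic-DNS host.

    Score: 1 for the dynamic-DNS host, +1 if the User-Agent matches the page's
    indicator, +1 if the destination port is 443 (the page says outbound HTTPS).
    """
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, port, ua = line.split("\t", 4)
        if not is_dynamic_dns(host):
            continue
        score, reasons = 1, [f"dynamic DNS host {host}"]
        if ua == SUSPECT_UA:
            score += 1
            reasons.append("User-Agent matches Ramdo indicator")
        if port == "443":
            score += 1
            reasons.append("HTTPS (443)")
        findings.append({"time": ts, "src": src, "host": host,
                         "score": score, "reasons": "; ".join(reasons)})
    return findings


def scan_run_keys(dump: str) -> List[Dict[str, str]]:
    """Flag Run values that start a signed host binary with a payload in a
    user-writable directory; ordinary AppData-installed apps are not flagged
    because the host-binary condition must also hold."""
    findings: List[Dict[str, str]] = []
    for line in dump.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        if not m:
            continue
        name, cmd = m.group(1), m.group(2).strip()
        head = cmd.split()[0].strip('"').lower() if cmd else ""
        if head.endswith(HOST_BINARIES) and USER_WRITABLE.search(cmd):
            findings.append({"value": name, "command": cmd,
                             "reason": "signed host binary launched with payload in user-writable path"})
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(PROXY_LOG):
        print(f"[net score={f['score']}] {f['time']} {f['src']} -> {f['host']}: {f['reasons']}")
    for f in scan_run_keys(RUN_KEY_DUMP):
        print(f"[persistence] Run\\{f['value']}: {f['command']} ({f['reason']})")
```

Against the constructed data this reports two network findings (the port-443 line scores higher than the port-80 one) and a single persistence finding for the msiexec.exe value; the OneDrive and Teams entries are left alone.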
☠️ Risk & Impact
Ramdo enables persistent remote access and data exfiltration, leading to theft of classified documents and intellectual property. The malware has caused significant damage to government and defense sectors, with reported exfiltration of terabytes of sensitive data from Southeast Asian agencies. Financial losses from remediation and incident response are estimated in the millions of dollars per breach.
🛡️ Mitigation
Recommended defenses include enabling Windows Defender Attack Surface Reduction (ASR) rules to block DLL side-loading, deploying network segmentation to limit C2 traffic, and applying patches for CVE-2020-0601. Use YARA rules from ESET's public repository to detect Ramdo binaries and monitor for unusual outbound HTTPS to dynamic DNS domains.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.