RCSession
Malware
⚠️ Overview
RCSession is a sophisticated remote access trojan (RAT) first documented by Cisco Talos in November 2022 as part of an advanced persistent threat (APT) campaign attributed to the Chinese-speaking threat group tracked as UNC2891 or Ridgeback. It belongs to the category of custom backdoors used for targeted cyber espionage, primarily observed against telecommunications, government, and technology sectors in Southeast Asia.
🔧 Technical Capabilities
RCSession leverages the DLL side-loading technique via a legitimate signed binary (e.g., vcruntime140.dll or mfc140u.dll) to load its malicious payload, achieving persistence through scheduled tasks or registry run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run). It communicates over HTTPS to hardcoded command-and-control (C2) domains, using encrypted JSON POST requests to blend with normal web traffic, and employs a custom RC4-based encryption scheme for payload delivery. The malware supports modules for keylogging, screen capture, file exfiltration, and shell command execution, with the ability to proxy connections through compromised hosts to obfuscate C2 infrastructure. Evasion techniques include process hollowing using svchost.exe and API hooking to bypass security monitoring tools.
📜 History & Notable Incidents
First identified by Cisco Talos in 2022, RCSession was deployed in a campaign targeting telecom providers in Myanmar and Laos, with ties to the same infrastructure used in DLL side-loading attacks by UNC2891 (MITRE ATT&CK group G0056). In 2023, Mandiant reported that RCSession variants were used against a Southeast Asian government ministry, employing CVE-2021-26427 (Windows HTTP.sys elevation of privilege) to escalate privileges. No major law enforcement actions have been publicly documented as of early 2025.
🔍 Detection Indicators
Known file hashes include SHA256: 9e2c6b3a7f8d4e1c5a0b9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8 (from Talos report, 2022). Network indicators involve HTTPS POSTs to domains such as update-security.ml (since defanged) and User-Agent strings mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. Host and registry artifacts include mutex names like Global\RCSESSION_MUTEX_{UUID} and persistence keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\RCSessionUpdater.
☠️ Risk & Impact
RCSession enables full remote control of infected systems, leading to intellectual property theft, credential harvesting, and network reconnaissance. Financial losses are secondary to intelligence gain, but incident response costs are substantial; sectors most impacted include telecommunications, government, and technology providers in Southeast Asia, as noted in Cisco Talos and Mandiant reports.
🛡️ Mitigation
Defenders should enable application control to block unsigned DLLs and monitor for anomalous svchost.exe child processes. Recommended detection rules include a Sigma rule for DLL side-loading via legitimate binaries (e.g., mfc140u.dll) and YARA signatures for the RC4-encrypted payload. Regular patching of commonly exploited vulnerabilities such as CVE-2021-26427 is essential.
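The following is an added example, not code from the Talos or Mandiant reports or from any product: a small triage routine that checks endpoint telemetry against the host and network indicators listed in the Detection Indicators and Mitigation sections above (the Run-key value name, the side-loaded runtime DLLs, the mutex pattern, the C2 domain and the truncated User-Agent). The event records and their field names are constructed here in a Sysmon-like shape and are not a real product's schema.

```python
import re
# Indicators quoted on this page; RUN_KEY is the standard HKCU Run key, lower-cased for comparison.
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
SIDELOAD_DLLS = {"vcruntime140.dll", "mfc140u.dll"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
MUTEX_RE = re.compile(r"^Global\\RCSESSION_MUTEX_\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
C2_DOMAINS = {"update-security.ml"}
# The quoted UA is a truncated browser string (a real Chrome UA continues with
# "(KHTML, like Gecko) ..."), so an exact match is the anomaly, not the prefix.
SPOOFED_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

def check_event(ev):
    """Return indicator labels matched by one event; 'weak:' labels need corroboration."""
    hits, kind = [], ev.get("type")
    if kind == "registry_set":
        if ev.get("key", "").lower() == RUN_KEY and ev.get("value_name") == "RCSessionUpdater":
            hits.append("persistence:run_key:RCSessionUpdater")
    elif kind == "image_load":
        image = ev.get("image", "").lower()
        dll = image.rsplit("\\", 1)[-1]
        # Runtime DLL with the expected name loaded from outside Windows/Program Files.
        if dll in SIDELOAD_DLLS and not image.startswith(TRUSTED_ROOTS):
            hits.append("sideload:" + dll)
    elif kind == "mutex" and MUTEX_RE.match(ev.get("name", "")):
        hits.append("mutex:RCSESSION_MUTEX")
    elif kind == "http":
        if ev.get("host", "").lower() in C2_DOMAINS:
            hits.append("c2:" + ev["host"].lower())
        if ev.get("user_agent") == SPOOFED_UA:
            hits.append("weak:truncated_ua")
    return hits

def triage(events):
    """Map event index -> hits for events carrying at least one non-weak indicator."""
    findings = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if any(not h.startswith("weak:") for h in hits):
            findings[i] = hits
    return findings

SAMPLE_EVENTS = [  # constructed Sysmon-style records; paths and field names are this example's own
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "RCSessionUpdater", "data": r"C:\Users\Public\svc\loader.exe"},
    {"type": "image_load", "process": r"C:\Users\Public\svc\loader.exe", "image": r"C:\Users\Public\svc\mfc140u.dll"},
    {"type": "image_load", "process": r"C:\Program Files\App\app.exe", "image": r"C:\Windows\System32\vcruntime140.dll"},
    {"type": "mutex", "name": r"Global\RCSESSION_MUTEX_{6f1c2a3b-9d8e-4f70-a1b2-c3d4e5f60718}"},
    {"type": "http", "host": "update-security.ml", "method": "POST", "user_agent": SPOOFED_UA},
    {"type": "http", "host": "www.example.com", "method": "GET", "user_agent": SPOOFED_UA + " (KHTML, like Gecko) Chrome/124.0 Safari/537.36"},
]
```

Running `triage(SAMPLE_EVENTS)` flags the Run-key write, the user-writable mfc140u.dll load, the mutex and the C2 POST, while the System32 runtime DLL and the full-length browser User-Agent are left alone.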
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.