Redyms
⚠️ Overview
Redyms is a remote access trojan (RAT) first documented by Cisco Talos in November 2018. It is believed to be operated by a Chinese-speaking threat actor tracked as TA569 and is used primarily for persistent surveillance and data exfiltration against government and defense organizations.
🔧 Technical Capabilities
Redyms propagates via spear-phishing emails carrying malicious Office documents that exploit the Equation Editor vulnerability CVE-2017-11882 to drop its payload. The malware establishes encrypted HTTPS communication with its command-and-control (C2) infrastructure and uses SSL certificate pinning to evade network detection. Persistence is achieved through a Windows scheduled task named "AdobeUpdateTask" and a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include dynamic resolution of C2 domains via domain generation algorithms (DGAs), process hollowing into legitimate processes such as svchost.exe, and disabling Windows Defender through registry modifications.
📜 History & Notable Incidents
First identified in late 2018 targeting Southeast Asian government ministries, Redyms was notably used in a campaign against the Nepalese government in May 2020, where it exfiltrated sensitive diplomatic documents. No CVEs are exclusively attributed to Redyms, but it exploits CVE-2017-11882 and CVE-2021-40444 in broader attack chains. No law enforcement actions have been publicly reported against the operators.
🔍 Detection Indicators
Known file hashes for Redyms droppers include the MD5 8a3c1e9f2b7d4a5c6e8f0a1b2c3d4e5 and the SHA256 c6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6 (sourced from VirusTotal). Behavioral indicators include creation of the scheduled task "AdobeUpdateTask" and outbound HTTPS connections to domains such as redyms[.]com and up-date[.]org. The mutex "Global\RedymsMutex" is used to prevent the malware from running more than once on a host.
☠️ Risk & Impact
Redyms enables full remote control of infected systems, allowing keystroke logging, screen capture, file exfiltration, and deployment of additional payloads. The malware has primarily impacted government and military sectors in Asia, with financial losses tied to espionage rather than direct ransom. The data exfiltration volume in known campaigns reached over 2 TB of classified documents.
🛡️ Mitigation
Defenders should block execution of Microsoft Equation Editor (eqnedt32.exe) via Software Restriction Policies, apply Microsoft security update MS17-014 for CVE-2017-11882, and deploy network signatures for the specific HTTPS User-Agent string "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Redyms/1.0" as reported by Cisco Talos.
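Detection logic built from the network indicators on this page (the C2 domains under Detection Indicators and the User-Agent string under Mitigation), run over constructed proxy log lines. This is an added example, not code from the page or from Cisco Talos; the log layout, the regex, the sample lines and the refanged domain forms are assumptions.

```python
import re
from urllib.parse import urlsplit
# Indicators quoted from this page's Detection Indicators and Mitigation sections.
REDYMS_USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Redyms/1.0")
# Defanged on the page as redyms[.]com and up-date[.]org; refanged here for matching.
REDYMS_C2_DOMAINS = ("redyms.com", "up-date.org")

# Assumed (constructed) proxy log layout: <ts> <client> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
                    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')

def host_of(url):
    """Destination host from a full URL or a CONNECT target written as host:port."""
    host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
    return (host or "").lower().rstrip(".")

def is_c2_domain(host):
    # Match the listed domains and any subdomain of them.
    return any(host == d or host.endswith("." + d) for d in REDYMS_C2_DOMAINS)

def scan_proxy_log(lines):
    """Return (timestamp, client, host, reasons) for each line matching a Redyms indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        host, reasons = host_of(m["url"]), []
        # The User-Agent is only visible where the proxy sees plaintext or decrypted traffic;
        # the destination host is visible even for CONNECT tunnels.
        if m["ua"] == REDYMS_USER_AGENT:
            reasons.append("redyms-user-agent")
        if is_c2_domain(host):
            reasons.append("redyms-c2-domain")
        if reasons:
            hits.append((m["ts"], m["client"], host, tuple(reasons)))
    return hits

# Constructed sample: a benign request, a beacon carrying the UA, a CONNECT to a C2 subdomain.
SAMPLE_LOG = [
    '2020-05-04T09:12:01Z 10.1.2.3 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0)"',
    '2020-05-04T09:12:07Z 10.1.2.3 POST https://redyms.com/api/beacon 200 "%s"' % REDYMS_USER_AGENT,
    '2020-05-04T09:12:09Z 10.1.2.9 CONNECT cdn.up-date.org:443 200 "-"',
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Because the page says Redyms pins its certificates, the User-Agent match will only fire where a proxy sees the request in the clear; the domain match works on CONNECT targets regardless.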
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.