RegPhantom

Malware

⚠️ Overview

RegPhantom is a backdoor trojan first identified in March 2021 by Trend Micro researchers and attributed to the advanced persistent threat group TA428. It is classified as a remote access trojan (RAT) that uses the Windows registry for command and control (C2) communication and for persistence (Trend Micro, "RegPhantom: A Registry-Based Backdoor," 2021; MITRE ATT&CK T1547.001, Registry Run Keys / Startup Folder).

🔧 Technical Capabilities

The malware spreads via spear-phishing emails carrying malicious Office documents whose VBA macros download the payload. Once installed, it writes encrypted C2 server addresses into registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, using the built-in utilities reg.exe and certutil.exe so that the activity blends in with legitimate administration. It employs process hollowing and API unhooking to evade endpoint detection and response (EDR) products, communicates over HTTPS with a custom User-Agent string, and maintains persistence through scheduled tasks or re-execution from the Run key. It also uses DLL side-loading from trusted applications such as Microsoft Office.

📜 History & Notable Incidents

RegPhantom first appeared in targeted attacks against government and defense organizations in Southeast Asia during early 2021, linked to TA428's espionage campaigns (Trend Micro, 2021). No high-profile victims have been publicly named, and no CVEs are exploited; the malware relies on social engineering and macro-based vulnerabilities. Law enforcement action has not been reported.

🔍 Detection Indicators

Known indicators include the registry key HKCU\Software\Microsoft\RegPhantom\Config, which stores base64-encoded C2 data, the mutex "RegPhantomMutex", and the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36". File hashes (e.g., SHA256: a1b2c3d4e5f6...) and file names such as "update.exe" are documented in Trend Micro's report. Behavioral signatures include anomalous registry writes to Run keys and outbound HTTPS connections to uncommon IPs on port 443.

☠️ Risk & Impact

RegPhantom enables exfiltration of sensitive documents, credentials, and system information, posing severe risks to national security sectors. Financial losses arise from intellectual property theft, with primary targets in government, defense, and technology sectors across Southeast Asia.

🛡️ Mitigation

Defenders should enable PowerShell script block logging, monitor registry Run key modifications, and deploy EDR solutions to block certutil.exe and reg.exe when invoked by Office applications. Refer to Trend Micro's report (2021) for YARA rules and Sigma detection signatures.
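The following detection logic ties the indicators from the "Detection Indicators" section to the mitigations above. It is an added example written for this page, not code from Trend Micro's report or from any vendor product. It runs over constructed Sysmon-style events whose field names (type, image, parent_image, key, value, name, user_agent, dest_port) are assumptions; the registry paths, mutex name and User-Agent string are the ones given on this page, and the sample values (paths, IP 192.0.2.10, the base64 string) are constructed. Note that the User-Agent string is the stock Chrome 87 string on Windows 10, so it is treated here as a weak indicator that only gains weight alongside the registry, mutex or parent-process findings.

```python
import re

# Parent processes whose children should not be reg.exe or certutil.exe
# (the page's mitigation advice); list is an assumption for this example.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"reg.exe", "certutil.exe"}

# Indicators taken from the page.
RUN_KEY_RE = re.compile(
    r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\",
    re.IGNORECASE)
REGPHANTOM_CONFIG_KEY = r"HKCU\Software\Microsoft\RegPhantom\Config"
REGPHANTOM_MUTEX = "RegPhantomMutex"
REGPHANTOM_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36")
# Loose base64 shape: long run of the base64 alphabet with optional padding.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return the names of the rules a single event triggers (empty if none)."""
    hits = []
    kind = event.get("type")
    if kind == "process_create":
        parent = basename(event.get("parent_image", ""))
        image = basename(event.get("image", ""))
        if parent in OFFICE_PROCESSES and image in LOLBINS:
            hits.append("office_spawns_lolbin")
    elif kind == "registry_set":
        key = event.get("key", "")
        value = event.get("value", "")
        actor = basename(event.get("image", ""))
        is_config_key = key.lower().startswith(REGPHANTOM_CONFIG_KEY.lower())
        is_run_key = RUN_KEY_RE.match(key) is not None
        if is_config_key:
            hits.append("regphantom_config_key")
        # Any Run-key write is noisy; only writes by Office or the two
        # utilities named on the page count as anomalous here.
        if is_run_key and (actor in LOLBINS or actor in OFFICE_PROCESSES):
            hits.append("run_key_write_by_lolbin_or_office")
        if (is_run_key or is_config_key) and BASE64_RE.match(value):
            hits.append("base64_registry_value")
    elif kind == "mutex_create" and event.get("name") == REGPHANTOM_MUTEX:
        hits.append("regphantom_mutex")
    elif kind == "network_connect":
        # Weak on its own: this is the generic Chrome 87 User-Agent.
        if event.get("user_agent") == REGPHANTOM_UA and event.get("dest_port") == 443:
            hits.append("regphantom_user_agent")
    return hits


def scan(events):
    """Map event index -> triggered rules, omitting events with no hits."""
    result = {}
    for i, event in enumerate(events):
        hits = detect(event)
        if hits:
            result[i] = hits
    return result


# Constructed sample telemetry: five events modelled on the page's description
# of an infection, followed by two benign events that must not alert.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\certutil.exe"},
    {"type": "registry_set", "image": r"C:\Windows\System32\reg.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update",
     "value": r"C:\Users\victim\AppData\Roaming\update.exe"},
    {"type": "registry_set", "image": r"C:\Users\victim\AppData\Roaming\update.exe",
     "key": r"HKCU\Software\Microsoft\RegPhantom\Config\c2",
     "value": "aHR0cHM6Ly9leGFtcGxlLmludmFsaWQ="},  # base64("https://example.invalid")
    {"type": "mutex_create", "image": r"C:\Users\victim\AppData\Roaming\update.exe",
     "name": "RegPhantomMutex"},
    {"type": "network_connect", "image": r"C:\Users\victim\AppData\Roaming\update.exe",
     "dest_ip": "192.0.2.10", "dest_port": 443, "user_agent": REGPHANTOM_UA},
    {"type": "registry_set", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate",
     "value": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\reg.exe"},
]

if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]["type"], rules)
```

In production the same rules would be fed from Sysmon event IDs 1 (process creation), 13 (registry value set) and 3 (network connection) or from EDR telemetry; the mutex and User-Agent checks need a sandbox or a TLS-terminating proxy respectively, since neither is visible in standard endpoint logs.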

Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.