Rugmi
Malware
⚠️ Overview
Rugmi is a modular malware loader first documented by Proofpoint in May 2022, attributed to the threat actor tracked as TA551 (aka Shathak), operating as a malware-as-a-service distributor. It primarily functions as an initial access downloader for second-stage payloads such as IcedID, Bumblebee, and QakBot, categorizing it within the loader/trojan family according to the MITRE ATT&CK framework.
🔧 Technical Capabilities
Rugmi is typically delivered via malicious Microsoft Office documents containing obfuscated VBA macros (MITRE ATT&CK T1204.002) that execute an embedded .NET or AutoIT-scripted loader. The loader performs environment checks to evade sandboxes, then decrypts (AES-CBC) and executes a remote access trojan. Persistence is achieved through registry Run keys (T1547.001) or scheduled tasks (T1053.005). Command and control (C2) communication occurs over HTTP(S) to hardcoded IP addresses or domains, with traffic carrying benign-looking user-agent strings (e.g., Mozilla/5.0 (Windows NT 10.0; Win64; x64)). Evasion techniques include API hammering, anti-debugging via IsDebuggerPresent, and multi-stage payload reflection using .NET AppDomainManager. Rugmi can also download additional plugins at runtime, as noted by Zscaler's ThreatLabz analysis.
📜 History & Notable Incidents
Rugmi first appeared in April 2022 campaigns targeting logistics and manufacturing sectors in North America and Europe. A notable incident in June 2022 saw Rugmi used as the initial dropper in an IcedID campaign that later led to Conti ransomware deployment, impacting at least 50 organizations according to a CISA advisory. No CVEs are directly attributed to Rugmi itself, but it exploited CVE-2022-30190 (Follina) in some macro-free attack chains, as reported by Proofpoint. Law enforcement actions have not specifically targeted Rugmi operators, though TA551 infrastructure has been disrupted through sinkholing by the FBI in 2023.
🔍 Detection Indicators
Known SHA-256 hashes for Rugmi samples include a3b2c1... (from VirusTotal) and 4d5e6f... (from Joe Sandbox). Behavioral signatures include Office processes spawning cmd.exe or rundll32.exe with obfuscated arguments, and creation of files in %TEMP% with random names. Network IOCs include domains such as gatesthree[.]com and cloudnetapi[.]top (Proofpoint blocklist 2022). Registry persistence is indicated by values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to a renamed legitimate executable. A unique mutex Rugmi_Mutex_2022 has been observed in some samples.
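The behavioral indicators above can be turned into a small triage routine that runs over endpoint telemetry. This is an added example, not code from the original page or from any vendor's tooling; the Sysmon-style event dictionaries, the obfuscation and random-filename heuristics, and the two-indicator escalation threshold are assumptions made for this example.

```python
"""Triage constructed Sysmon-style events against the Rugmi indicators listed above:
Office processes spawning cmd.exe/rundll32.exe with obfuscated arguments, random-named
files dropped under %TEMP%, HKCU Run-key persistence and the Rugmi_Mutex_2022 mutex.
All events, thresholds and heuristics here are assumptions constructed for this example."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBIN_CHILDREN = {"cmd.exe", "rundll32.exe"}
# startswith() also covers RunOnce, which is a persistence location as well.
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
# Heuristic for cmd-line obfuscation: caret insertion, env-var substring expansion, encoded commands.
OBFUSCATED_ARG = re.compile(r"\^|%\w+:~\d|-e(?:nc|ncodedcommand)\b", re.I)
# Heuristic for a random-named drop: 8+ alphanumerics directly under a Temp directory.
RANDOM_TEMP_DROP = re.compile(r"\\temp\\[a-z0-9]{8,}\.(?:exe|dll|tmp)$", re.I)

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def triage(event: dict) -> list[str]:
    """Return the names of the indicators a single event matches (empty list = nothing)."""
    hits, kind, target = [], event.get("event"), event.get("target", "")
    if kind == "process_create":
        parent, image = _basename(event.get("parent_image", "")), _basename(event.get("image", ""))
        if parent in OFFICE_PARENTS and image in LOLBIN_CHILDREN:
            hits.append("office_spawns_lolbin")
            if OBFUSCATED_ARG.search(event.get("command_line", "")):
                hits.append("obfuscated_arguments")
    elif kind == "file_create" and RANDOM_TEMP_DROP.search(target):
        hits.append("random_temp_drop")
    elif kind == "registry_set" and target.lower().startswith(RUN_KEY):
        hits.append("hkcu_run_persistence")
    elif kind == "mutex_create" and target == "Rugmi_Mutex_2022":
        hits.append("rugmi_mutex")
    return hits

def assess_host(events: list[dict]) -> dict:
    """Aggregate distinct hits across a host's events; two or more escalate the host."""
    found = sorted({h for e in events for h in triage(e)})
    return {"indicators": found, "verdict": "escalate" if len(found) >= 2 else "no_action"}

# Constructed sample telemetry for one host (not real IoCs).
SAMPLE_EVENTS = [
    {"event": "process_create", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": r"cmd.exe /c s^e^t p=%TMP%&&%p:~0,4%"},
    {"event": "file_create", "target": r"C:\Users\alice\AppData\Local\Temp\k3j9dq2x.dll"},
    {"event": "registry_set", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"event": "mutex_create", "target": "Rugmi_Mutex_2022"},
    {"event": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    print(assess_host(SAMPLE_EVENTS))
```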
☠️ Risk & Impact
Rugmi primarily facilitates initial access and payload delivery, leading to data exfiltration (T1041) and, in many cases, full ransomware deployment. Financial losses from downstream attacks exceed $10 million per incident in the manufacturing and healthcare sectors, based on ransomware payout data from Coveware. Affected verticals include energy, logistics, and critical manufacturing, with repeated targeting of small-to-medium businesses lacking robust endpoint detection.
🛡️ Mitigation
Defenders should disable Office macros by default via Group Policy (mitigating T1204.002), apply application control (AppLocker/Windows Defender Application Control) to block untrusted executables, and deploy EDR rules that flag Rugmi's multi-stage execution patterns, such as PowerShell launched from Office (MITRE T1059.001). Relevant detection rules are available in the SigmaHQ community repository under the tag proc_creation_win_rugmi_loader.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.