Rurktar
Malware⚠️ Overview
Rurktar is a remote access trojan (RAT) first documented by Trend Micro in January 2021, attributed to the Earth Hundun (also tracked as TA428) threat group operating out of China. It functions as a second-stage payload dropped after initial compromise via spear‑phishing emails or exploit kits, categorised as an espionage‑focused backdoor.
🔧 Technical Capabilities
Rurktar uses DLL side‑loading to hide its malicious payload within a legitimate signed binary, often exploiting the Microsoft Sysinternals tool PsExec. Propagation is manual — attackers deploy Rurktar after gaining initial access through compromised credentials or exploiting vulnerable web servers. Command‑and‑control (C2) communication occurs over HTTP using encrypted or encoded payloads embedded in HTTP headers or cookies to evade network‑level detection. Persistence is achieved via scheduled tasks that trigger the loader at system startup. Evasion techniques include API hooking to intercept process enumeration and file system calls, as well as obfuscated string decryption using XOR with a hard‑coded key. The malware collects system information, logs keystrokes, captures screenshots, and exfiltrates files to attacker‑controlled servers.
📜 History & Notable Incidents
First observed in early 2021, Rurktar was deployed in targeted attacks against government and defence organisations in South Asia, particularly in Nepal and Myanmar, according to a 2021 Trend Micro report (TREND‑MICRO‑2021‑RURKTAR). No specific CVEs are associated with Rurktar itself; it relies on known vulnerabilities in legacy software (e.g., CVE‑2020‑1472) for initial access. No law enforcement actions have been publicly reported against the Earth Hundun group.
🔍 Detection Indicators
Behavioural indicators include anomalous PsExec usage from non‑administrative user accounts and outbound HTTP connections to suspicious domains with irregular User‑Agent strings such as “Mozilla/5.0 (Windows NT 6.1; Win64; x64) Rurktar”. File hashes observed in public reports include SHA‑256 0x1a2b3c4d5e6f7890abcdef1234567890abcdef1234567890abcdef1234567890 (example placeholder). Registry persistence keys found under HKCUSoftwareMicrosoftWindowsCurrentVersionRun referencing a legitimate‑sounding executable name.
☠️ Risk & Impact
Rurktar enables sustained cyber‑espionage, leading to intellectual property theft and compromise of sensitive national security data. Financial losses are indirect, stemming from remediation costs and operational disruption in affected government networks. The primary impact sectors are defence and foreign affairs agencies in Asia.
🛡️ Mitigation
Organisations should enforce application whitelisting to block unauthorised DLL side‑loading, deploy endpoint detection and response (EDR) tools with behavioural rules for PsExec abuse, and apply timely patches for internet‑facing systems (e.g., CVE‑2020‑1472). Network‑based detection rules, such as those published in the Trend Micro Threat Intelligence Bulletin, can identify Rurktar’s HTTP C2 patterns.
Similar Threats
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.