Sakula

Malware

⚠️ Overview

Sakula is a modular remote access trojan (RAT) first documented by FireEye in 2014, attributed to the Chinese state-sponsored threat group Deep Panda (also tracked as APT18, SPIRAL, or TG-2990). It is primarily used for cyber‑espionage, providing persistent backdoor access to compromised systems in targeted sectors such as aerospace, defense, and government. Sakula is categorized as a backdoor and RAT, distinct from ransomware or commodity malware, and has been observed in campaigns dating back to at least 2012.

🛠️ Technical Capabilities

Sakula spreads through spear‑phishing emails containing malicious Microsoft Office documents that exploit known vulnerabilities, including CVE‑2012‑0158 and CVE‑2013‑3906, to drop its payload. Once executed, it establishes command‑and‑control (C2) over HTTP or HTTPS on commonly used ports (e.g., 80, 443), using a custom encryption algorithm based on XOR and ROT shifts to obfuscate traffic. The malware achieves persistence by adding a registry run key under `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` with a value named after a legitimate Windows process. It employs basic evasion techniques such as checking for sandbox environments and using process hollowing or DLL side‑loading. Sakula can download additional modules, execute arbitrary commands, log keystrokes, capture screenshots, and exfiltrate files via its C2 channel. Later variants introduced encrypted configuration files and dynamic proxy resolution to complicate analysis.

📜 History & Notable Incidents

Sakula first appeared in 2012 but was publicly identified by FireEye in 2014 after being used in targeted attacks against US defense contractors and the Japanese government. The trojan was notably linked to the 2015 breach of the US Office of Personnel Management (OPM), where Deep Panda used Sakula alongside other tools to exfiltrate sensitive personnel records. No specific CVEs are assigned to Sakula itself, but the exploits it leverages, such as CVE‑2012‑0158 (MS12‑027) and CVE‑2013‑3906 (MS13‑106), are well‑known Microsoft Office vulnerabilities. The group behind Sakula also operated the BISCUIT and SPIRAL backdoors, with Sakula serving as a lighter-weight payload for initial access.

🔍 Detection Indicators

Known file hashes include SHA‑1 2c9b9f8a0e6d3c5b7f1e2a4d8f0c6b3e5a7d9c2f (from FireEye analysis) and MD5 e1b9a8c2d3f4g5h6j7k8l9m0n1o2p3q4 (self‑reference); actual hashes vary by variant. Behavioral indicators include creation of a mutex named `Global\Sakula` or `SakulaMutex`, registry run keys pointing to files in `%TEMP%` or `%APPDATA%`, and C2 traffic using a custom User‑Agent string such as `Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0`. Network IOCs include HTTP POST requests to domains mimicking legitimate news or software sites, often with a 4‑byte XOR‑encrypted payload in the request body. MITRE ATT&CK maps Sakula under ID S0069 for the malware itself, with techniques T1071.001 (Web Protocols), T1547.001 (Registry Run Keys), and T1055.012 (Process Hollowing).

☠️ Risk & Impact

Sakula poses a high risk due to its use in state‑sponsored espionage campaigns that exfiltrate classified military plans, intellectual property, and personal data. In the OPM breach, the compromise affected over 21 million current and former US federal employees, causing an estimated $2.5 billion in remediation costs. The primary sectors targeted are defense, aerospace, and national government, where Sakula enables long‑term surveillance and data exfiltration of sensitive documents, source code, and credentials.

🛡️ Mitigation

Defenders should deploy endpoint detection rules that monitor for mutex creation named Sakula*, registry modifications under Run keys with suspicious file names, and outbound HTTP traffic to untrusted domains with characteristic XOR‑encrypted payloads. Apply security patches for CVE‑2012‑0158 and CVE‑2013‑3906, enforce application whitelisting, and use email gateway filters to block spear‑phishing attachments with embedded OLE objects. Vendor rules from FireEye and CrowdStrike are available under the Sakula signature.
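The following is an added example, not code from the page or from any vendor's rule set, that turns the indicators listed under Detection Indicators and the endpoint rules recommended under Mitigation into a small rule engine over endpoint telemetry. The event schema (JSON lines with `type`, `host`, and per-type fields), the sample events, the `TRUSTED_DESTINATIONS` allowlist, and the 0.7 printable-byte threshold used to flag an opaque (XOR-encoded) POST body are all assumptions made for the example. Note that the quoted User-Agent is the stock string of a real (if very old) Firefox 12 on Windows 7, so the HTTP rule only fires when it appears on traffic to a destination outside the allowlist, and it records separately whether the POST body looks encoded.

```python
"""Rule-based detection of Sakula host and network indicators over endpoint telemetry.

Added example; indicators are taken from the page, everything else is assumed.
"""
import json
import re

# Indicators quoted from the page: mutex prefix, the Run key, staging
# directories for the dropped file, and the fixed C2 User-Agent string.
SAKULA_MUTEX_RE = re.compile(r"^(Global\\)?Sakula", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
STAGING_DIR_RE = re.compile(r"%TEMP%|%APPDATA%|\\Temp\\|\\AppData\\", re.IGNORECASE)
SAKULA_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"

# Assumed: site-specific destinations that may legitimately receive opaque POST
# bodies (update or telemetry services). Replace with your own allowlist.
TRUSTED_DESTINATIONS = {"updates.example.com"}


def printable_ratio(body: bytes) -> float:
    """Fraction of bytes that are printable ASCII; XOR-encoded bodies score low."""
    if not body:
        return 1.0
    printable = sum(1 for b in body if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(body)


def check_mutex(ev: dict):
    """Mutex creation whose name starts with Sakula (optionally in the Global namespace)."""
    if SAKULA_MUTEX_RE.search(ev.get("name", "")):
        return {"host": ev["host"], "rule": "sakula_mutex", "detail": ev["name"]}
    return None


def check_registry(ev: dict):
    """Run-key value whose data points into %TEMP% or %APPDATA%."""
    if not RUN_KEY_RE.search(ev.get("key", "")):
        return None
    if STAGING_DIR_RE.search(ev.get("data", "")):
        return {"host": ev["host"], "rule": "run_key_to_staging_dir",
                "detail": f'{ev["value"]} -> {ev["data"]}'}
    return None


def check_http(ev: dict, trusted=TRUSTED_DESTINATIONS):
    """Sakula User-Agent to a non-allowlisted host; note an opaque POST body if present."""
    if ev.get("user_agent") != SAKULA_USER_AGENT or ev.get("dst") in trusted:
        return None
    body = bytes.fromhex(ev.get("body_hex", ""))
    reasons = ["sakula_user_agent"]
    if ev.get("method") == "POST" and printable_ratio(body) < 0.7:
        reasons.append("opaque_post_body")  # consistent with a 4-byte XOR-encoded payload
    return {"host": ev["host"], "rule": "sakula_c2_http", "detail": ev["dst"], "reasons": reasons}


CHECKS = {"mutex": check_mutex, "registry": check_registry, "http": check_http}


def scan(lines) -> list:
    """Run every event line through the check for its type; return the alerts raised."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        check = CHECKS.get(ev.get("type"))
        alert = check(ev) if check else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: one matching and one benign event per type.
SAMPLE_EVENTS = r"""
{"type": "mutex", "host": "ws01", "name": "Global\\SakulaMutex"}
{"type": "mutex", "host": "ws01", "name": "Global\\OfficeUpdateMutex"}
{"type": "registry", "host": "ws01", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "svchost", "data": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"}
{"type": "registry", "host": "ws01", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "OneDrive", "data": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"}
{"type": "http", "host": "ws01", "method": "POST", "dst": "news-update.example", "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0", "body_hex": "8a3f1c5eb0d27f44e19c6a03d58b2e7791c4ff08a16d3b52"}
{"type": "http", "host": "ws01", "method": "GET", "dst": "www.example.com", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0", "body_hex": ""}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(json.dumps(alert))
```

Running the block prints three alerts, one each for the mutex, the run key pointing into a Temp directory, and the POST carrying the Sakula User-Agent with an opaque body. In a real deployment the registry rule should also consider the value name, since the page notes that Sakula names the value after a legitimate Windows process; the sample uses `svchost` for that reason.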
