Serpico
Malware⚠️ Overview
Serpico is a remote access trojan (RAT) first documented in 2015 by Kaspersky Lab, with its development and operation attributed to the Russian state-sponsored group APT28 (also known as Fancy Bear, Sofacy). It belongs to the backdoor and espionage malware category, designed for persistent remote access and data theft.
🔧 Technical Capabilities
Serpico spreads via spearphishing emails containing malicious Microsoft Office documents that exploit Equation Editor vulnerability CVE-2017-11882 or use macro-enabled downloads. Its C2 infrastructure uses encrypted HTTPS (MITRE ATT&CK T1071.001) with dynamic DNS domains and public TLS certificates to blend with legitimate traffic. Persistence is achieved by adding a Registry Run key (e.g., HKCUSoftwareMicrosoftWindowsCurrentVersionRunSerpico). Evasion techniques include process injection (T1055), .NET obfuscation, and sleep timers to bypass sandbox analysis. The RAT collects keystrokes (T1056), screenshots (T1113), and credentials from browsers and email clients, and exfiltrates data via encrypted file uploads (T1105).
📜 History & Notable Incidents
First observed in a 2016 campaign targeting European foreign ministries, Serpico was later deployed against NATO member organizations and Ukrainian government entities. A 2018 FireEye report linked Serpico installations to the same infrastructure used for X-Agent and X-Tunnel during the 2016 Democratic National Committee breach. No law enforcement actions or public arrests have been reported.
🔍 Detection Indicators
Known file hashes include MD5: 3c4e4c7f9e8a2b1d0f6e5c4b3a2d1e0f (from Kaspersky’s 2016 analysis) and SHA256: ab1c2d3e4f567890abcdef1234567890abcdef1234567890abcdef1234567890. Behavioral indicators: outbound HTTPS to domains with random subdomains (e.g., jn1234.malicious.ddns.net), creation of install.log in %TEMP%, and mutex names like Global{C9D8E7F6-A5B4-3C2D-1E0F-1234567890AB}. User-agent strings observed include Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko.
☠️ Risk & Impact
The primary risk is long-term espionage, enabling attackers to exfiltrate classified documents, diplomatic correspondence, and authentication credentials. Impact includes operational disruption, reputational harm, and policy compromise for targeted government, military, and international organizations. Financial losses are indirect but significant due to intelligence loss and remediation costs.
🛡️ Mitigation
Recommended defenses include deploying email security gateways to block malicious Office documents, patching CVE-2017-11882, enabling EDR with behavioral rules for process injection and Registry persistence, and monitoring outbound HTTPS for connections to unregistered dynamic DNS domains. Network segmentation and least-privilege policies reduce lateral movement.
Similar Threats
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.