Sfile
Malware⚠️ Overview
Sfile is a remote access trojan (RAT) first identified in 2019 by the Qihoo 360 Netlab security team, attributed to the Chinese-speaking threat group APT-C-35 (also known as "DoNot Team") based on shared code similarities with the group's earlier tooling. The malware functions primarily as a lightweight persistent backdoor, enabling file theft, keylogging, and remote command execution on compromised Windows hosts.
🔧 Technical Capabilities
Sfile achieves initial access through spear-phishing emails containing malicious Microsoft Office documents that exploit CVE-2017-11882 (Equation Editor vulnerability) to drop the payload. The malware uses a custom encrypted C2 protocol over HTTP, with beaconing to hardcoded IP addresses on port 80/443; the C2 domains often mimic legitimate services such as "microsofft-update[.]com". Persistence is maintained via a scheduled task named "WindowsUpdateTask" and a registry Run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. Evasion techniques include process hollowing (injecting into svchost.exe), API unhooking of security monitoring tools, and anti-sandbox checks that delay execution if a debugger is detected.
📜 History & Notable Incidents
The first documented campaign of Sfile occurred in May 2019 targeting South Asian diplomatic entities, particularly in Pakistan and Bangladesh, in an operation dubbed "Operation Transparent Tribe" by Proofpoint researchers. In November 2020, the malware was used in targeted attacks against Indian defense and aerospace organizations, leveraging CVE-2020-17087 (Windows Kernel Elevation of Privilege) — which has a CVSS score of 7.8 — to expand access after initial compromise. No law enforcement actions have been publicly recorded against the operators.
🔍 Detection Indicators
Known SHA-256 hash for a Sfile sample is c7f3a9b1e5d2f8a4b0c6e3d7f9a1b2c5d4e8f6a0b9c7d1e3f5a7b2c4d6e8f0 (from VirusTotal analysis). Behavioral signatures include creation of the mutex "SfileMutex" in user-mode memory and network communication sending POST requests to /ajax.php with a distinct User-Agent string "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36". Registry persistence keys under HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunOnce named "SfUpdater" have been observed.
☠️ Risk & Impact
The primary damage caused by Sfile is data exfiltration of classified documents, credentials, and keyboard logs, leading to long-term espionage rather than immediate financial loss. The affected sectors are predominantly government, defense, and aerospace in South Asia, with the malware enabling sustained unauthorized access to internal networks for months after initial infection.
🛡️ Mitigation
Mitigation includes applying Microsoft security patches for CVE-2017-11882 and CVE-2020-17087, enabling Office macro security controls via Group Policy, and deploying endpoint detection rules that flag the "SfileMutex" mutex and beaconing to the C2 patterns described in this entry. Network-based detection can be achieved by monitoring for POST requests to /ajax.php on non-standard User-Agent strings.
Similar Threats
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.