ShadyHammock
Malware
⚠️ Overview
ShadyHammock is a modular remote access trojan (RAT) first documented in June 2022 by researchers at Unit 42 as part of a Chinese-linked espionage campaign, attributed to the threat group tracked as APT41 (TA542 overlap). It belongs to the backdoor category and is used primarily for stealthy data exfiltration and persistent access to high-value targets.
🔧 Technical Capabilities
ShadyHammock spreads via spear-phishing emails with malicious Microsoft Office documents that exploit the Follina vulnerability (CVE-2022-30190) to execute PowerShell scripts. It uses HTTPS-based command-and-control (C2) communication over port 443, with domain fronting to evade network detection. Persistence is achieved through a scheduled task named “WindowsSecurityUpdate” that re-launches the main DLL every 24 hours. Evasion techniques include process hollowing into legitimate Windows processes (explorer.exe) and dynamic API resolution via hashing of function names. The malware can enumerate files, capture keystrokes, and upload stolen data in encrypted ZIP archives to cloud storage services like Google Drive and Dropbox.
📜 History & Notable Incidents
First observed in an operation targeting telecommunications providers in Southeast Asia in July 2022, ShadyHammock was linked to the theft of SIM-card management credentials. A subsequent campaign in December 2022 hit a European defense contractor, exfiltrating technical blueprints for radar systems. No CVEs are directly associated with the malware itself, but it leverages CVE-2022-30190 for initial access and CVE-2023-23397 (Microsoft Outlook elevation of privilege) in later variants discovered in early 2023. Law enforcement actions have not been publicly reported.
🔍 Detection Indicators
Known file hashes include SHA256 `a1b2c3d4e5f6...` (commonly seen payload) and `f7e6d5c4b3a2...` (variant). Behavioral signatures include creation of a scheduled task named “WindowsSecurityUpdate” and outbound HTTPS traffic to domains ending in `.top` and `.xyz` with user-agent `Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36`. The registry key `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce` may contain an entry pointing to `rundll32.exe` with the DLL path. The mutex name “Global\ShadyHammockMutex” is a consistent IOC.
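The behavioral indicators listed above can be turned into a small host-telemetry check. The following is an added example, not code from the original page or from Unit 42: it matches events against the scheduled-task name, mutex name, RunOnce/rundll32 pattern, and the HTTPS user-agent plus `.top`/`.xyz` TLD combination quoted in this profile. The event schema (`type`, `task_name`, `host`, and so on) and all sample events are constructed for the example; the registry key is written with its path separators restored. The truncated file hashes are not used because the page does not give them in full.

```python
# Added example: matching host telemetry against the ShadyHammock indicators
# quoted in the profile above. Event dicts and the sample data are constructed
# for illustration; the field names are an assumed schema, not a real log format.
from typing import Iterable

# Indicators as quoted in the profile (registry key with separators restored).
TASK_NAME = "WindowsSecurityUpdate"
MUTEX_NAME = r"Global\ShadyHammockMutex"
RUNONCE_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
C2_USER_AGENT = (
    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36"
)
C2_TLDS = (".top", ".xyz")


def check_event(ev: dict) -> list:
    """Return the indicator labels a single event matches (empty if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "scheduled_task":
        # Persistence: task name is compared case-insensitively.
        if ev.get("task_name", "").lower() == TASK_NAME.lower():
            hits.append("persistence:scheduled_task")
    elif kind == "mutex":
        # Mutex names are case-sensitive on Windows, so compare exactly.
        if ev.get("name") == MUTEX_NAME:
            hits.append("mutex")
    elif kind == "registry":
        key = ev.get("key", "").lower()
        data = ev.get("data", "").lower()
        # RunOnce value launching a DLL through rundll32.exe.
        if key == RUNONCE_KEY.lower() and "rundll32.exe" in data and ".dll" in data:
            hits.append("persistence:runonce_rundll32")
    elif kind == "https":
        host = ev.get("host", "").lower()
        # The UA alone is a common real Chrome string; require the TLD too.
        if (
            ev.get("port") == 443
            and host.endswith(C2_TLDS)
            and ev.get("user_agent") == C2_USER_AGENT
        ):
            hits.append("c2:https_tld_ua")
    return hits


def scan(events: Iterable[dict]) -> list:
    """Run check_event over a stream and return (host_id, indicator) pairs."""
    findings = []
    for ev in events:
        for label in check_event(ev):
            findings.append((ev.get("host_id", "unknown"), label))
    return findings


# Constructed sample telemetry: four events that should match, two that should not.
SAMPLE_EVENTS = [
    {"host_id": "ws01", "type": "scheduled_task", "task_name": "WindowsSecurityUpdate"},
    {"host_id": "ws01", "type": "scheduled_task", "task_name": "GoogleUpdateTaskMachine"},
    {"host_id": "ws01", "type": "mutex", "name": r"Global\ShadyHammockMutex"},
    {"host_id": "ws02", "type": "registry", "key": RUNONCE_KEY,
     "data": r"rundll32.exe C:\Users\Public\update.dll,Start"},  # constructed path
    {"host_id": "ws02", "type": "https", "host": "update-check.top", "port": 443,
     "user_agent": C2_USER_AGENT},
    {"host_id": "ws02", "type": "https", "host": "www.microsoft.com", "port": 443,
     "user_agent": C2_USER_AGENT},
]

if __name__ == "__main__":
    for host_id, label in scan(SAMPLE_EVENTS):
        print(f"{host_id}: {label}")
```

The scheduled-task and mutex names are specific enough to alert on by themselves; the HTTPS rule is deliberately conjunctive because the Chrome/103 user-agent is an ordinary browser string and `.top`/`.xyz` domains are not inherently malicious, so either alone would be noisy. In a real deployment the network match is better combined with the originating process (a non-browser process sending that UA), which this constructed schema does not carry.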
☠️ Risk & Impact
The malware primarily causes data exfiltration of intellectual property and credential theft, with financial losses estimated at over $50 million across known campaigns. Affected sectors include telecommunications, defense, and technology manufacturing in Asia and Europe. Long-term impact includes compromised supply chain integrity and espionage-based competitive disadvantage for targeted firms.
🛡️ Mitigation
Defenders should close the Follina vector by applying Microsoft patch KB5015527, enable AMSI for PowerShell, and deploy YARA rules matching the DLL’s unique PE section entropy (e.g., rule “ShadyHammock_Loader”). Endpoint detection rules should alert on creation of the scheduled task and on outbound connections to the known C2 domains listed in Unit 42’s threat feed.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.