Shai-Hulud
⚠️ Overview
Shai-Hulud is a custom remote access trojan (RAT) with wiper capabilities attributed to the North Korean state-sponsored threat group Lazarus (also tracked as Hidden Cobra by U.S. Cyber Command). First publicly documented in November 2020 by SentinelOne, it was deployed in targeted attacks against the cryptocurrency and fintech sectors, primarily to conduct reconnaissance, exfiltrate sensitive data, and ultimately destroy systems using a destructive wiper module.
🔧 Technical Capabilities
The malware propagates via spear-phishing emails containing weaponized Microsoft Office documents that exploit CVE-2019-0808 (a privilege escalation vulnerability) to gain initial access. Once installed, Shai-Hulud establishes command-and-control (C2) communications over HTTPS using custom SSL certificates and a hardcoded list of IP addresses hosted on compromised servers. The trojan employs process hollowing and DLL sideloading to evade detection, and uses a multi-stage payload architecture: the initial loader decrypts and executes the main RAT module, which then collects system information, keystrokes, and credentials. Persistence is achieved via Windows Scheduled Tasks and registry Run keys. The wiper component overwrites files with garbage data and deletes volume shadow copies to hinder recovery, mimicking a ransomware attack without any ransom demand.
📜 History & Notable Incidents
Shai-Hulud first appeared in campaigns targeting cryptocurrency exchanges in South Korea and Japan during late 2020, as reported by SentinelOne’s threat intelligence team. In early 2021, the malware was used in an operation against a major European fintech platform, resulting in the theft of proprietary trading algorithms and customer transaction records. No CVEs are directly associated with Shai-Hulud itself; however, it leverages older vulnerabilities like CVE-2019-0808 for privilege escalation. Law enforcement actions have not been publicly tied to this specific malware, but the Lazarus Group remains under sanctions by the U.S. Treasury Department’s OFAC.
🔍 Detection Indicators
Known file hashes for Shai-Hulud samples include SHA256 values provided in SentinelOne's 2020 report (e.g., 12c7c85e3e4f0b2a9d6a1b7f8c3d2e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1). Behavioral signatures include consecutive HTTP POST requests to a non-standard port (commonly 443 or 8443) with a custom User-Agent string: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36". Persistence is marked by a Scheduled Task named "WindowsUpdateManager" and a registry value named "SysHelper" under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Network IOCs include C2 domains ending in .biz or .info, often registered via privacy services.
☠️ Risk & Impact
Shai-Hulud poses a severe risk due to its dual-purpose nature: data exfiltration followed by destructive wiping. Financial losses from affected cryptocurrency exchanges have been estimated at over $20 million in stolen assets, according to Chainalysis reports. The malware primarily targets the financial technology sector, especially organizations handling digital assets, with secondary impact on supply chain partners through compromised credentials. The wiper module can destroy irreplaceable data, causing operational downtime and reputational damage.
🛡️ Mitigation
Organizations should apply all security patches, particularly for CVE-2019-0808 and related privilege escalation vulnerabilities, and implement email filtering to block malicious Office documents that carry macros. Deploy endpoint detection and response (EDR) rules to flag the specific Scheduled Task name and registry Run value listed under Detection Indicators. Network segmentation and strict outbound firewall rules for non-standard HTTPS ports can help contain C2 traffic.
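The indicators above can be turned into a simple triage rule. The following is an added example (not code from this page's source reports or any vendor product) that runs the page's three indicators over constructed endpoint telemetry; the flat record schema (type, host, task_name, key, value_name, method, dst_port, user_agent) is an assumption.

```python
from typing import Dict, List, Optional, Set
# Indicators as listed in this page's detection section.
TASK_NAME = "WindowsUpdateManager"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SysHelper"
C2_PORTS = {443, 8443}
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36")

def classify(event: Dict) -> Optional[str]:
    """Map one telemetry record (assumed flat dict schema) to an indicator name."""
    kind = event.get("type")
    if kind == "task_create" and event.get("task_name") == TASK_NAME:
        return "scheduled_task"
    if (kind == "registry_set" and event.get("key", "").lower() == RUN_KEY.lower()
            and event.get("value_name") == RUN_VALUE):
        return "run_key"
    # The UA is a stock Chrome 87 string: match it only with POST + the page's ports.
    if (kind == "http" and event.get("method") == "POST"
            and event.get("dst_port") in C2_PORTS
            and event.get("user_agent") == C2_USER_AGENT):
        return "c2_post"
    return None
def triage(events: List[Dict]) -> Dict[str, Set[str]]:
    """Indicators per host; C2 counts only for two or more consecutive matching POSTs."""
    per_host: Dict[str, Set[str]] = {}
    streak: Dict[str, int] = {}
    for ev in events:
        host, ind = ev.get("host"), classify(ev)
        if ind == "c2_post":
            streak[host] = streak.get(host, 0) + 1
            if streak[host] >= 2:
                per_host.setdefault(host, set()).add(ind)
            continue
        streak[host] = 0
        if ind:
            per_host.setdefault(host, set()).add(ind)
    return per_host

# Constructed sample telemetry (not real captures): ws01 shows all three
# indicators; ws02 is ordinary activity that must not be flagged.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "task_create", "task_name": TASK_NAME},
    {"host": "ws01", "type": "registry_set", "key": RUN_KEY, "value_name": RUN_VALUE},
    {"host": "ws01", "type": "http", "method": "POST", "dst_port": 8443, "user_agent": C2_USER_AGENT},
    {"host": "ws01", "type": "http", "method": "POST", "dst_port": 8443, "user_agent": C2_USER_AGENT},
    {"host": "ws02", "type": "http", "method": "GET", "dst_port": 443, "user_agent": C2_USER_AGENT},
    {"host": "ws02", "type": "task_create", "task_name": "OneDrive Update"},
]
```

A single matching POST is not enough on its own, since the User-Agent is a common browser string; the persistence indicators are the higher-confidence signal.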