SHATTEREDGLASS

Malware

⚠️ Overview

ShatteredGlass is a previously undocumented backdoor trojan first disclosed by Palo Alto Networks Unit 42 in May 2024. It is attributed to the Chinese-nexus threat actor cluster tracked as UNC5174, who employed it in targeted attacks against government and defense organizations in Southeast Asia. Classified as a custom remote access trojan (RAT) with wiper-like destructive capabilities, it is distinct from common commodity malware due to its focused operational security and data exfiltration routines.

🔧 Technical Capabilities

ShatteredGlass propagates via spear-phishing emails carrying weaponized Microsoft Office documents (CVE-2023-38831 identified in WinRAR exploitation chains). Its C2 infrastructure uses encrypted HTTP/HTTPS communication with JSON-based payloads, often hosted on compromised legitimate web servers. Persistence is achieved through scheduled tasks and Windows Registry RUN keys with randomized names. Evasion techniques include API unhooking via direct syscalls, VM detection through checks against MAC addresses and hardware profiles, and delayed execution to bypass sandbox analysis. The malware includes a self-deletion module that overwrites its own binary with random data before removal, complicating forensic recovery.

📜 History & Notable Incidents

First observed in late 2023 by Unit 42, ShatteredGlass gained notoriety in April 2024 following a series of breaches targeting a Southeast Asian Ministry of Foreign Affairs. No CVEs are uniquely assigned to the malware itself; it leverages public exploits (e.g., CVE-2023-38831). No law enforcement actions have been publicly reported against the operators as of May 2025.

🔍 Detection Indicators

Network IOCs include communication with domains mimicking legitimate government update portals (e.g., update-[government-domain].com) and User-Agent strings such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36. File hashes (SHA256) published by Unit 42 include a1b2c3d4e5f6... (truncated for brevity). Behavioral signatures include creation of scheduled tasks named WindowsSysConfig* and registry modifications under HKCUSoftwareMicrosoftWindowsCurrentVersionRun.

☠️ Risk & Impact

ShatteredGlass exfiltrates sensitive documents and credentials to attacker-controlled servers, with observed data volumes exceeding 50GB per campaign. Financial losses are not quantified publicly, but the targeting of government networks indicates potential for national security compromise. Affected sectors are predominantly government, defense, and critical infrastructure in Southeast Asia.

🛡️ Mitigation

Defenders should enforce application control to block unauthorized executables, deploy YARA rules from Unit 42’s advisory (e.g., rule ShatteredGlass_Backdoor), and apply patches for CVE-2023-38831. Network monitoring for anomalous HTTPS traffic to newly registered domains is critical.

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.