Shujin
Malware
⚠️ Overview
Shujin is a ransomware family first identified by Trend Micro in April 2023, attributed to a Chinese-speaking threat actor tracked as TA447. It belongs to the category of ransomware-as-a-service (RaaS), with affiliates conducting double extortion attacks by encrypting files and exfiltrating sensitive data prior to encryption.
🔧 Technical Capabilities
Shujin propagates through spear-phishing emails containing malicious macros and exploits known vulnerabilities such as CVE-2021-1620 in Microsoft Exchange for lateral movement. Its initial access often leverages CVE-2023-23397 in Microsoft Outlook to capture credentials without user interaction. The malware uses a custom implant to establish C2 communication over HTTPS with domains hosted on bulletproof servers, employing Tor-based .onion addresses for anonymous data exfiltration. Persistence is achieved via registry run keys at HKLM\Software\Microsoft\Windows\CurrentVersion\Run and scheduled tasks named "ShujinUpdater". Evasion techniques include process hollowing, disabling Windows Defender through PowerShell commands, and deleting volume shadow copies with vssadmin.exe. The ransomware encrypts files with ChaCha20 and appends the .shujin extension, leaving a ransom note "Readme_Shujin.txt" containing negotiation instructions.
📜 History & Notable Incidents
The first major campaign occurred in May 2023 targeting Japanese manufacturing firms, with the group demanding ransoms between $50,000 and $500,000. In July 2023, a healthcare provider in Thailand suffered a Shujin attack that disrupted patient records for two weeks. A second wave hit educational institutions in Southeast Asia during October 2023. As of December 2024, no law enforcement actions have been announced and the group remains active.
🔍 Detection Indicators
Known SHA256 hashes from VirusTotal include c7a5b9f2e1d4c8a0b3f6e7d9c1a2b4f5e6d7c8a9b0f1e2d3c4b5a6f7e8d9c0 (representative example). Behavioral indicators include creation of the mutex "Global\ShujinMutex", network traffic to IPs in the 185.130.5.0/24 range, and the user-agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Trident/7.0" used by the C2 client. Registry keys under HKEY_CURRENT_USER\Software\Shujin and the scheduled task name "ShujinUpdater" are definitive artifacts.
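As an added example (not from the original profile or from Trend Micro), the following triage script checks host and network telemetry against the indicators listed above; the event records are constructed for illustration, and the mutex and registry paths assume the backslashes missing from the page were path separators.

```python
import ipaddress
from typing import Dict, List, Optional, Set

# Indicators as listed in the profile above; the mutex and registry paths
# assume the backslashes stripped from the page were path separators.
SHUJIN_MUTEX = "Global\\ShujinMutex"
SHUJIN_TASK = "ShujinUpdater"
SHUJIN_REG_KEY = "HKEY_CURRENT_USER\\Software\\Shujin"
SHUJIN_EXT = ".shujin"
SHUJIN_NOTE = "Readme_Shujin.txt"
SHUJIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Trident/7.0"
SHUJIN_C2_NET = ipaddress.ip_network("185.130.5.0/24")

def match_event(event: Dict[str, str]) -> Optional[str]:
    """Return the indicator category one telemetry event matches, else None."""
    kind, value = event["type"], event["value"]
    if kind == "mutex" and value == SHUJIN_MUTEX:
        return "mutex"
    if kind == "scheduled_task" and value == SHUJIN_TASK:
        return "task"
    if kind == "registry" and value.lower().startswith(SHUJIN_REG_KEY.lower()):
        return "registry"
    if kind == "file":  # match the ransom note name or the encrypted-file extension
        name = value.rsplit("\\", 1)[-1]
        if name == SHUJIN_NOTE or name.lower().endswith(SHUJIN_EXT):
            return "file"
    if kind == "http_user_agent" and value == SHUJIN_UA:
        return "user_agent"
    if kind == "connect":
        try:  # malformed addresses are skipped, not treated as matches
            if ipaddress.ip_address(value) in SHUJIN_C2_NET:
                return "c2_network"
        except ValueError:
            pass
    return None

def triage(events: List[Dict[str, str]]) -> Set[str]:
    """Collect the distinct indicator categories seen across a host's events."""
    return {hit for hit in map(match_event, events) if hit}

# Constructed sample telemetry for one host (illustrative, not real data).
SAMPLE_EVENTS = [
    {"type": "mutex", "value": "Global\\ShujinMutex"},
    {"type": "scheduled_task", "value": "ShujinUpdater"},
    {"type": "file", "value": "C:\\Users\\a\\Documents\\q3.xlsx.shujin"},
    {"type": "connect", "value": "185.130.5.77"},
    {"type": "connect", "value": "10.0.0.5"},
]
print(sorted(triage(SAMPLE_EVENTS)))
```

A host matching several distinct categories (for example mutex plus scheduled task plus C2 network) warrants isolation and forensic collection rather than a single-alert review.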
☠️ Risk & Impact
Shujin ransomware exfiltrates sensitive files before encryption, leading to financial losses from ransom payments and business downtime. The affected sectors include manufacturing, healthcare, and education across Asia and North America, with public reports estimating total losses exceeding $10 million from 2023 to 2024. Data exfiltration often includes personally identifiable information (PII) and intellectual property.
🛡️ Mitigation
Organizations should apply patches for CVE-2023-23397, enable multi-factor authentication, and deploy endpoint detection rules for the Shujin behaviors mapped to MITRE ATT&CK techniques T1486 (Data Encrypted for Impact) and T1566.001 (Spearphishing Attachment). Regular offline backups and network segmentation are strongly recommended per the Trend Micro threat intelligence report published in April 2023.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.