Skyplex

Malware

⚠️ Overview

Skyplex is a modular backdoor malware first documented by Trend Micro in July 2022. The source attributes it to a threat group it labels TA444 and equates with APT36 (Transparent Tribe), a Pakistan-based actor. That alias is inconsistent: Proofpoint's TA444 designation refers to a North Korea-aligned, financially motivated cluster, whereas APT36 / Transparent Tribe is the Pakistan-based espionage actor that the rest of this profile describes, so use APT36 / Transparent Tribe as the working attribution when correlating with other threat intelligence. Skyplex belongs to the category of remote access trojans (RATs) and is used primarily for espionage against government and military targets in South Asia, particularly India and Afghanistan.

🔧 Technical Capabilities

Skyplex is delivered by spear-phishing emails carrying malicious Microsoft Office documents or PDF lures. Initial execution relies on document features the recipient must allow, DDE field execution or VBA macros, rather than on a software vulnerability.

Command-and-control (C2) traffic runs over HTTPS with custom HTTP headers and impersonates legitimate services such as Google Drive, so that beacons blend into expected cloud traffic and evade destination-based network detection. Persistence is achieved through a scheduled task or a Windows Registry Run key. Evasion techniques include unhooking user-mode API hooks to blind EDR agents and inserting randomised sleep delays so that the payload stays dormant for longer than a sandbox's analysis window.

Once installed, the backdoor can execute arbitrary shell commands, upload and download files, log keystrokes, and capture screenshots; everything it collects is exfiltrated over the same encrypted C2 channel. A self-update feature retrieves new modules from the C2 server, which lets operators tailor the implant to each target environment without redeploying it.

📜 History & Notable Incidents

Skyplex was first observed in April 2022 targeting Indian defence personnel through a phishing campaign that impersonated a legitimate Indian Army recruitment portal. In November 2022 the malware was used against Afghan government officials, this time with fake PDF documents on the subject of NATO funding. No CVEs are associated with Skyplex, because its delivery relies on social engineering (macro and DDE lures) rather than on software vulnerabilities. No law-enforcement action against the operating group (APT36 / Transparent Tribe) has been reported; Trend Micro published a detailed threat analysis (TR-2022-07-01) in July 2022.

🔍 Detection Indicators

Indicators of compromise (IOCs) include the file hash MD5: 3f8c1e2a5b7d9f0c6e4a1b3d2f8e7c0a (Skyplex sample identified by Trend Micro) and a persistence value written under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Network IOCs include the C2 domain skyp[.]microsoft-support[.]online and the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36, which is the stock Chrome 103 user agent and therefore is not distinctive on its own; it becomes useful only in combination with the destination and the beaconing pattern. Behavioural signatures include repeated outbound HTTPS connections to unusual top-level domains (.online, .click) and creation of a named mutex, Skyplex_Mutex_2022, which prevents a second instance of the implant from running.
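The following is an added example, not code from the Boteraser page or from Trend Micro's report. It applies the indicators listed above, and the persistence and beaconing behaviour described under Technical Capabilities, to constructed sample telemetry. The record formats, field names, the Sysmon-style registry event shape, the sandbox report shape and the beaconing threshold are all assumptions made for illustration, not a real vendor schema.

```python
# Added example, not code from the Boteraser page or from Trend Micro's report.
# It applies the Skyplex indicators listed above to constructed sample telemetry.
# The event and proxy-log formats, field names and the alert threshold are
# assumptions made for illustration, not a real vendor schema.
import hashlib
import re
from collections import Counter

# Indicators as listed in the profile above.
IOC_MD5 = {"3f8c1e2a5b7d9f0c6e4a1b3d2f8e7c0a"}
IOC_DOMAINS = {"skyp.microsoft-support.online"}
IOC_MUTEX = "Skyplex_Mutex_2022"
SUSPICIOUS_TLDS = {"online", "click"}
CHROME103_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36")
# Run key under the current user hive; Sysmon writes it as HKU\<SID>\..., so accept that too.
RUN_KEY_RE = re.compile(
    r"^(?:HKCU|HKEY_CURRENT_USER|HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    re.IGNORECASE)

def refang(domain):
    """Turn a defanged IOC such as a[.]b[.]c back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()

def hunt_registry(events):
    """Flag Run-key writes. events: constructed Sysmon-style 'registry value set' records."""
    return [{"rule": "run_key_persistence", "host": e["host"], "image": e["image"],
             "target": e["target"]}
            for e in events
            if e.get("event") == "RegistryValueSet" and RUN_KEY_RE.match(e.get("target", ""))]

def hunt_proxy(lines, min_hits=3):
    """Flag known C2 domains, and repeated Chrome-UA traffic to .online/.click hosts.
    lines: constructed 'timestamp host dst_host user_agent' records."""
    hits, beacons = [], Counter()
    for line in lines:
        _ts, host, dst, ua = line.split(" ", 3)
        dst = refang(dst)
        if dst in IOC_DOMAINS:
            hits.append({"rule": "known_c2_domain", "host": host, "dst": dst})
        # The stock Chrome 103 UA is not distinctive on its own; it only matters
        # together with an unusual TLD, and only when it repeats (beaconing).
        elif dst.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS and ua == CHROME103_UA:
            beacons[(host, dst)] += 1
    hits += [{"rule": "beaconing_to_unusual_tld", "host": h, "dst": d, "count": n}
             for (h, d), n in beacons.items() if n >= min_hits]
    return hits

def hunt_mutexes(sandbox_reports):
    """Flag the Skyplex mutex in constructed sandbox/EDR reports that list named mutexes."""
    return [{"rule": "skyplex_mutex", "sample": r["sample"]}
            for r in sandbox_reports if IOC_MUTEX in r.get("mutexes", [])]

def hash_matches(blob):
    """Exact MD5 match against the published hash; any recompiled sample will not match."""
    return hashlib.md5(blob).hexdigest() in IOC_MD5

# Constructed sample telemetry (not real data).
REG_EVENTS = [
    {"event": "RegistryValueSet", "host": "WS01", "image": r"C:\Users\a\AppData\Roaming\svc.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSync"},
    {"event": "RegistryValueSet", "host": "WS01", "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]
PROXY_LINES = [
    f"2022-11-02T09:00:01 WS01 skyp[.]microsoft-support[.]online {CHROME103_UA}",
    f"2022-11-02T09:05:01 WS01 cdn-status[.]click {CHROME103_UA}",
    f"2022-11-02T09:10:02 WS01 cdn-status[.]click {CHROME103_UA}",
    f"2022-11-02T09:15:01 WS01 cdn-status[.]click {CHROME103_UA}",
    f"2022-11-02T09:16:00 WS02 news.example.click {CHROME103_UA}",
    "2022-11-02T09:17:00 WS02 drive.google.com Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0",
]
SANDBOX = [{"sample": "a.exe", "mutexes": ["Skyplex_Mutex_2022", "Global\\x"]},
           {"sample": "b.exe", "mutexes": ["MSCTF.Asm.MutexDefault1"]}]

if __name__ == "__main__":
    for hit in hunt_registry(REG_EVENTS) + hunt_proxy(PROXY_LINES) + hunt_mutexes(SANDBOX):
        print(hit)
```

Run against the constructed data, the script raises one persistence alert (the unsigned binary in AppData writing a Run value), one known-C2 alert, one beaconing alert for three timed visits to a .click host, and one mutex alert; the single visit from WS02 to a .click site with the same user agent is deliberately not flagged, which is the point of combining the stock user agent with a repeat count rather than alerting on it alone.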

☠️ Risk & Impact

Skyplex's primary impact is the exfiltration of sensitive military and diplomatic documents, producing long-term intelligence leaks rather than immediate operational disruption. Financial losses are indirect but significant because of the compromised national-security material, with the affected sectors concentrated in government, defence, and diplomatic organisations in South Asia. The modular design lets operators drop additional payloads, such as keylogger or screen-capture plugins, on demand, so the scope of collection can grow after the initial compromise.

🛡️ Mitigation

Mitigation includes filtering email attachments for DDE field codes and VBA macros (and blocking macros in documents that carry the Mark of the Web), deploying EDR with behaviour-based detection of API unhooking and Registry persistence, and mapping coverage to the relevant MITRE ATT&CK techniques: T1566.001 (Phishing: Spearphishing Attachment, the successor to the retired T1193), T1059.005 (Visual Basic, for macro execution), T1059.001 (PowerShell), T1574.002 (DLL Side-Loading), T1547.001 (Registry Run Keys) and T1053.005 (Scheduled Task). Organisations in the targeted regions should block the C2 domains associated with APT36 / Transparent Tribe and enforce AppLocker policies that prevent unauthorised script execution.
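The attachment-filtering step above, shown as an added example rather than as code from the Boteraser page or from any named mail-security product: a gateway-style check that opens an OOXML attachment (.docx/.xlsm/.pptx and their macro-enabled variants) and reports the two delivery mechanisms this profile names, a VBA project and DDE/DDEAUTO field codes. The sample documents are built in memory and are constructed for illustration; the DDE lure deliberately splits the field code across two runs, a common evasion that a plain substring search over the raw XML misses.

```python
# Added example, not from the Boteraser page or any named vendor product: a
# mail-gateway style check for the two delivery mechanisms the profile names
# (VBA macros and DDE fields) in OOXML attachments. The sample documents below
# are constructed in memory for illustration; they are not real lures.
import io
import re
import zipfile

MACRO_PART = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
# Main-part content type of a macro-enabled document, e.g. application/vnd.ms-word.document.macroEnabled.main+xml
MACRO_CT = re.compile(r'application/vnd\.ms-(?:word|excel|powerpoint)\.[^"]*macroEnabled', re.IGNORECASE)
# Field instructions may be split across several <w:instrText> runs; also cover <w:fldSimple w:instr="...">.
INSTR_RUN = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
FLD_SIMPLE = re.compile(r'<w:fldSimple[^>]*w:instr="([^"]*)"')
DDE_FIELD = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)

def inspect_ooxml(blob):
    """Return findings for one attachment. Non-zip input (PDF, RTF, legacy .doc) is reported as such."""
    findings = {"zip": True, "macros": False, "macro_content_type": False, "dde": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        findings["zip"] = False
        return findings
    with zf:
        names = zf.namelist()
        findings["macros"] = any(MACRO_PART.search(n) for n in names)
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["macro_content_type"] = bool(MACRO_CT.search(ct))
        for name in names:
            if name.startswith("word/") and name.endswith(".xml"):
                xml = zf.read(name).decode("utf-8", "replace")
                # Only field instruction text can launch DDE, so join the instrText runs
                # (defeats split-run evasion) and ignore ordinary body text.
                instr = "".join(INSTR_RUN.findall(xml)) + " " + " ".join(FLD_SIMPLE.findall(xml))
                if DDE_FIELD.search(instr):
                    findings["dde"] = True
    return findings

def should_quarantine(findings):
    """Policy: any VBA project or DDE field in an OOXML document is quarantined."""
    return findings["macros"] or findings["macro_content_type"] or findings["dde"]

# --- constructed samples -------------------------------------------------------
CONTENT_TYPES = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 '<Default Extension="xml" ContentType="application/xml"/>{override}</Types>')
MACRO_OVERRIDE = ('<Override PartName="/word/document.xml" '
                  'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>')

def build_docx(document_xml, extra=None, override=""):
    """Construct a minimal OOXML package in memory (constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES.format(override=override))
        zf.writestr("word/document.xml", document_xml)
        for part, data in (extra or {}).items():
            zf.writestr(part, data)
    return buf.getvalue()

BENIGN_XML = '<w:document><w:body><w:p><w:r><w:t>We discuss DDE in passing.</w:t></w:r></w:p></w:body></w:document>'
DDE_SPLIT_XML = ('<w:document><w:body><w:p>'
                 '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
                 '<w:r><w:instrText>DD</w:instrText></w:r>'
                 '<w:r><w:instrText>EAUTO c:\\windows\\system32\\cmd.exe &quot;/c calc&quot;</w:instrText></w:r>'
                 '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
                 '</w:p></w:body></w:document>')

BENIGN_DOC = build_docx(BENIGN_XML)
DDE_DOC = build_docx(DDE_SPLIT_XML)
MACRO_DOC = build_docx(BENIGN_XML, extra={"word/vbaProject.bin": b"\xd0\xcf\x11\xe0stub"}, override=MACRO_OVERRIDE)
NOT_OOXML = b"%PDF-1.4 not an OOXML package"

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_DOC), ("dde", DDE_DOC), ("macro", MACRO_DOC), ("pdf", NOT_OOXML)]:
        f = inspect_ooxml(doc)
        print(label, f, "quarantine" if should_quarantine(f) else "pass")
```

Note that the benign document mentions "DDE" in its body text and is not flagged, because only field instruction text is examined. This check covers only the OOXML (zip-based) formats; legacy OLE .doc files and RTF lures, which can also carry DDE and embedded objects, need an OLE/RTF parser such as the olevba and rtfobj tools from oletools, and PDF lures need a separate pass.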


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.