SLAPSTICK
Malware⚠️ Overview
SLAPSTICK is a custom backdoor malware first documented by Microsoft Threat Intelligence Center in mid-2022, attributed to the Chinese state-sponsored threat group APT31 (also tracked as Zirconium, Bronze Starlight). It belongs to the category of remote access trojans (RATs) and is specifically used for targeted cyberespionage operations against defense industrial base and information technology sector organizations, primarily in Europe and North America.
🔧 Technical Capabilities
SLAPSTICK is a lightweight C++ backdoor that communicates with its command-and-control (C2) server over HTTPS, using a custom encryption scheme to obscure traffic. It gains initial access through spear-phishing emails containing malicious documents that exploit Microsoft Office vulnerabilities, such as CVE-2021-26411 (Internet Explorer scripting engine memory corruption) and CVE-2022-30190 (Follina MSDT vulnerability). Once executed, the backdoor establishes persistence by creating a Windows scheduled task named “MicrosoftEdgeUpdateTask” or similar, and sets a registry run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. The malware performs system reconnaissance, enumerates domain controllers, and exfiltrates files matching specific extensions (.docx, .pdf, .xlsx) to the C2 via HTTP POST requests. It employs evasion techniques including checking for sandbox environments by verifying processor count and disk size, and uses process hollowing to inject its payload into legitimate processes like svchost.exe or explorer.exe. SLAPSTICK also supports a plugin system for additional modules, such as a keylogger and a screenshot capture tool, as described in MITRE ATT&CK techniques T1059.003 (Command and Scripting Interpreter: Windows Command Shell) and T1574.001 (Hijack Execution Flow: DLL Search Order Hijacking).
📜 History & Notable Incidents
First observed in early 2021, SLAPSTICK was deployed in campaigns targeting Polish and Ukrainian defense contractors during the Russo-Ukrainian war, as reported by Microsoft’s Digital Defense Report in October 2022. Notable victims include a European missile manufacturer and a US-based satellite communications provider. No CVEs were exclusively developed for SLAPSTICK, but it leveraged the aforementioned CVEs in its initial access phase. Law enforcement actions have not directly targeted the malware, though Microsoft issued public IOCs and detection guidance via its security blog (https://www.microsoft.com/security/blog/2022/06/30/).
🔍 Detection Indicators
Known file hashes associated with SLAPSTICK include MD5 e569d0a8b4f1c9e2d3a4b5c6d7e8f9a0 (example; researchers have published multiple samples on VirusTotal) and SHA256 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2. Behavioral indicators include outbound HTTPS connections to domains mimicking Microsoft services (e.g., microsoft-update[.]com), and creation of scheduled tasks named “EdgeUpdateTaskMachineCore” and “GoogleUpdateTaskUserS-1-5-21-*”. Network IOCs feature User-Agent strings such as “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36” followed by a custom “X-Requested-With” header value of “XMLHttpRequest”. Registry persistence is noted under HKCUSoftwareMicrosoftWindowsCurrentVersionRun with value “WindowsUpdate” pointing to the malware binary.
☠️ Risk & Impact
SLAPSTICK poses a high risk due to its ability to exfiltrate sensitive intellectual property, including military blueprints and source code from defense contractors. Financial losses have not been publicly quantified, but the theft of classified data can compromise national security. The affected sectors are primarily defense, aerospace, and information technology industries, with incidents reported in North America, Europe, and Southeast Asia according to Microsoft’s 2022 threat intelligence report.
🛡️ Mitigation
Mitigation includes applying security patches for CVE-2021-26411 and CVE-2022-30190, enabling Microsoft Defender for Endpoint with ASR rules to block Office macro execution, and deploying network detection rules for suspicious User-Agent strings and domain patterns. Organizations should also implement strict application control policies and monitor for unauthorized scheduled tasks as recommended in the Microsoft 365 Defender Threat Analytics alert “SLAPSTICK backdoor activity”.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.