Slingshot

Malware

⚠️ Overview

Slingshot is a modular cyber-espionage platform that Kaspersky Lab publicly documented in March 2018. Kaspersky assessed it as the work of a well-resourced, probably state-sponsored group but did not attribute it to any country; the report offers no basis for a link to the Egyptian government. Later press reporting (CyberScoop, March 2018) attributed the operation to a US military counterterrorism program, which has never been officially confirmed. Functionally it is a remote access and surveillance toolkit with a kernel-mode component, not ransomware or a botnet.

🔧 Technical Capabilities

Slingshot is a multi-stage chain. The initial foothold Kaspersky could reconstruct ran through MikroTik routers: Winbox Loader, the Windows management client for RouterOS, downloaded DLLs from the router's file system and loaded them into memory, and on compromised routers one of those files (ipv4.dll) had been replaced with a malicious downloader. Running Winbox against such a router therefore infected the administrator's Windows machine, not arbitrary LAN hosts, and Kaspersky noted that the router path may not have been the only vector. How the routers themselves were compromised was not established; Kaspersky pointed to the ChimayRed RouterOS exploit published in the Vault 7 leak as one possibility. CVE-2018-14847 (the Winbox/RouterOS arbitrary file read) was disclosed after Slingshot was reported and is not documented as part of its tooling. On the host, the loader replaces the legitimate scesrv.dll in %WINDIR%\System32 with a malicious DLL of the same size, which services.exe loads at boot (ATT&CK T1574, Hijack Execution Flow). To get unsigned code into the kernel despite Driver Signature Enforcement, it loads legitimately signed but vulnerable third-party drivers (Speedfan.sys, CVE-2007-5633; sandra.sys, CVE-2010-1592; ElbyCDIO.sys, CVE-2009-0824) and exploits them (T1068) to load Cahnadr, the kernel-mode module. Cahnadr in turn loads GollumApp, the user-mode espionage module, into services.exe (T1055, Process Injection). Both modules, their configuration and collected data live in an encrypted virtual file system kept in unused disk space, and the malware disables the Windows defragmenter so that the VFS is not moved. Cahnadr installs its own network hooks beneath the OS stack, so C2 traffic is hidden from the host firewall and user-mode security tools and is tunnelled inside ordinary-looking protocol traffic. Evasion includes encrypted strings, anti-debugging checks and checks for installed security and forensic tools; if it detects signs of forensic analysis it can shut its components down.

📜 History & Notable Incidents

Kaspersky's samples date Slingshot's activity to at least 2012, continuing until February 2018; it was publicly described at Kaspersky's Security Analyst Summit in March 2018. Around 100 victims were identified, most in Kenya and Yemen, with others in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. Most victims were individuals; some were government organizations. No takedown has been reported, and no activity after February 2018 has been publicly documented.

🔍 Detection Indicators

Kaspersky's report includes file hashes for the components it recovered; they are not reproduced here (see the IOC section of the Kaspersky report). Note that Cahnadr and GollumApp are internal module names for code held in the encrypted virtual file system, so searching for files named cahnadr.sys or GollumApp.dll is not a useful check. Host indicators that are useful: a scesrv.dll in %WINDIR%\System32 that is not Microsoft-signed or whose hash differs from the one shipped with the installed Windows build; Winbox.exe loading a DLL (historically ipv4.dll) fetched from a router; and the vulnerable drivers listed above being loaded on a host that has no reason to run them. Router-side indicators: unexpected or modified files on the router's file system (in particular an ipv4.dll served to Winbox), configuration changes not made by an administrator, and Winbox sessions (TCP 8291) from unexpected sources. Because Cahnadr handles C2 beneath the host's network stack, host firewalls and user-mode sensors may not see the traffic; capture at the network perimeter is more reliable than host telemetry for that part.
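The host indicators above can be expressed as rules over endpoint telemetry. The following is an added example, not code from Kaspersky, MikroTik or this page: it applies four rules to Sysmon-style events rendered as JSON lines (Event ID 6 = Driver loaded, 7 = Image loaded, 11 = FileCreate). The sample events, the "Example Driver Vendor" signer string and the servicing-process allowlist are constructed for the example; the vulnerable driver names come from Kaspersky's analysis.

```python
"""Detection rules for the Slingshot infection chain over Sysmon-style events.

Added example; not code from Kaspersky, MikroTik or the page. Events are
JSON lines with Sysmon field names (EventID 6 = Driver loaded, 7 = Image
loaded, 11 = FileCreate). The sample events and the servicing allowlist
are constructed for this example.
"""
import json

# Signed-but-vulnerable drivers Kaspersky reported Slingshot abusing to get
# unsigned kernel code running.
VULNERABLE_DRIVERS = {"speedfan.sys", "sandra.sys", "elbycdio.sys"}

# DLL that older Winbox Loader builds fetched from the router and loaded.
ROUTER_SUPPLIED_DLLS = {"ipv4.dll"}

# Processes assumed to legitimately rewrite System32 binaries (Windows
# servicing). An assumption for this example; tune for your environment.
SERVICING_IMAGES = {"trustedinstaller.exe", "tiworker.exe"}


def _name(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _microsoft_signed(ev):
    """True only for a valid signature whose signer is Microsoft."""
    return (str(ev.get("Signed", "")).lower() == "true"
            and str(ev.get("SignatureStatus", "")).lower() == "valid"
            and str(ev.get("Signature", "")).lower().startswith("microsoft"))


def evaluate(ev):
    """Return (rule_name, detail) pairs for every rule the event matches."""
    hits = []
    eid = ev.get("EventID")
    image = _name(ev.get("Image", ""))
    loaded = _name(ev.get("ImageLoaded", ""))
    target = ev.get("TargetFilename", "")

    # Stage 1: Winbox.exe loading a DLL that came from the router's file system.
    if eid == 7 and image == "winbox.exe" and loaded in ROUTER_SUPPLIED_DLLS:
        hits.append(("winbox_loaded_router_dll", ev.get("ImageLoaded")))

    # Stage 2: a vulnerable driver being loaded. Its signature is valid by
    # design, so the rule matches on the name list, not on signature status.
    if eid == 6 and loaded in VULNERABLE_DRIVERS:
        hits.append(("vulnerable_signed_driver_loaded", ev.get("ImageLoaded")))

    # Stage 3a: services.exe loading a scesrv.dll that Microsoft did not sign
    # (the genuine one is catalog-signed, which Sysmon reports as Signed=true).
    if (eid == 7 and image == "services.exe" and loaded == "scesrv.dll"
            and not _microsoft_signed(ev)):
        hits.append(("services_loaded_unsigned_scesrv", ev.get("ImageLoaded")))

    # Stage 3b: anything other than Windows servicing rewriting System32\scesrv.dll.
    if (eid == 11 and _name(target) == "scesrv.dll"
            and "/system32/" in target.replace("\\", "/").lower()
            and image not in SERVICING_IMAGES):
        hits.append(("scesrv_rewritten_outside_servicing", target))

    return hits


def scan(lines):
    """Apply the rules to an iterable of JSON lines; blank or invalid lines are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(evaluate(ev))
    return findings


# Constructed sample: benign and suspicious events for each stage.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Users\\admin\\Downloads\\winbox.exe", "ImageLoaded": "C:\\Users\\admin\\AppData\\Roaming\\Mikrotik\\Winbox\\ipv4.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\speedfan.sys", "Signed": "true", "Signature": "Example Driver Vendor", "SignatureStatus": "Valid"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\services.exe", "ImageLoaded": "C:\\Windows\\System32\\scesrv.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\services.exe", "ImageLoaded": "C:\\Windows\\System32\\scesrv.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 11, "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe", "TargetFilename": "C:\\Windows\\System32\\scesrv.dll"}
{"EventID": 11, "Image": "C:\\Windows\\Temp\\drop.exe", "TargetFilename": "C:\\Windows\\System32\\scesrv.dll"}
"""

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{rule}: {detail}")
```

Running the sample produces one finding per suspicious event and none for the Microsoft-signed driver, the genuine scesrv.dll load or the TrustedInstaller write. The stage 2 rule is the one to think about: a signature check would pass the vulnerable drivers, which is exactly why Slingshot used them, so the rule has to be a name (or hash) list and should be kept current.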

☠️ Risk & Impact

Slingshot gives the operator full control of an infected endpoint: GollumApp collects screenshots, keystrokes, clipboard contents, network data, USB activity and saved passwords, and Cahnadr provides rootkit-style hiding and a covert network channel for exfiltration. Kaspersky's victim set was mostly individuals, with some government organizations, in the countries listed above, so the impact is loss of sensitive information from specifically targeted people and bodies rather than broad financial damage.

🛡️ Mitigation

Update both sides of the Winbox relationship. Kaspersky reported that MikroTik changed Winbox after the disclosure so that it no longer downloads DLLs from the router, so use a current Winbox build and retire old ones. Patch RouterOS regardless (including CVE-2018-14847 and later issues), since credential theft from the router is a plausible first step for whoever controls the attack path. Restrict Winbox (TCP 8291) and the other management services to trusted management addresses, and manage routers from a dedicated administration host rather than a general-purpose workstation, since that host is the machine the chain infects. On endpoints, alert on kernel driver loads (Sysmon Event ID 6) of known vulnerable signed drivers, image loads (Event ID 7) of non-Microsoft-signed DLLs into services.exe, and file writes (Event ID 11) into System32 by anything other than Windows servicing; Hypervisor-protected Code Integrity and Microsoft's vulnerable driver blocklist, where the hardware supports them, prevent this class of driver from loading at all. Keep router management interfaces on a dedicated management network so that a compromised router cannot reach ordinary hosts directly.
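The router-side restriction above, as an added RouterOS configuration example (not from this page or from MikroTik's documentation; 192.0.2.0/24 stands in for your management network and should be replaced):

```routeros
# Accept Winbox only from the management network; the service itself filters by source.
/ip service set winbox address=192.0.2.0/24
# Disable management services that are not needed.
/ip service disable telnet,ftp,www,api,api-ssl
# Belt and braces: also drop Winbox (TCP 8291) from anywhere else in the input chain.
# This rule must come before any broad accept rule (established/related, LAN-wide).
/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address=!192.0.2.0/24 action=drop comment="winbox: management network only"
```

The service-level address filter and the firewall rule overlap deliberately: if someone later resets or widens one of them, the other still holds. Apply the same treatment to SSH and any other service left enabled.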


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.