SlothfulMedia

Malware

⚠️ Overview

SlothfulMedia is a modular information-stealing malware first documented in September 2022 by the Broadcom Symantec Threat Hunter Team and attributed to a suspected Chinese-speaking threat actor tracked as SlothfulMedia (also referenced as APT-C-60 by some vendors). It is classed as an Advanced Persistent Threat (APT) backdoor and keylogger, used primarily for espionage and credential harvesting against high-value targets in East Asia.

🔧 Technical Capabilities

The malware propagates via spear-phishing emails carrying weaponized Microsoft Office documents that exploit CVE-2017-11882 (the Microsoft Office Equation Editor vulnerability) and CVE-2018-0802 to deliver a loader/dropper. Once executed, SlothfulMedia installs a persistent payload via a scheduled task named MediaPlayerSvc and writes copies to %AppData% under filenames that mimic legitimate media players. It uses COM hijacking to bypass UAC and process hollowing of svchost.exe to evade detection. Its C2 infrastructure relies on HTTPS over port 443 with domain-generation algorithms (DGA) built on DuckDNS-like dynamic DNS services; exfiltrated data is encrypted with a custom XOR-based cipher before being transmitted in HTTP POST requests whose User-Agent string mimics Chrome 98.0.4758.102.

📜 History & Notable Incidents

First publicly reported in April 2023 by Symantec in a threat advisory (Trellix corroborated the report in May 2023), SlothfulMedia targeted government ministries in Taiwan and South Korean semiconductor supply-chain firms throughout 2022–2023. A notable campaign in November 2022 achieved initial access through a compromised automotive vendor’s email server, leading to the exfiltration of 15GB of sensitive technical documents over 18 days. No CVEs have been assigned to the malware itself; it relies exclusively on older Office vulnerabilities (CVE-2017-11882, CVE-2018-0802). No law enforcement actions have been publicly documented as of 2025.

🔍 Detection Indicators

Known SHA256 hashes include e3a8f1c2b5d7a9e0f4c6b8d1a2e3f4c5d6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c (loader) and 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1 (payload). Behavioral indicators include high outbound HTTPS traffic to domains matching the pattern *.duckdns.org with a POST parameter action=media. Registry persistence is set under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MediaPlayerSvc, and a mutex named Global\MediaPlayerServiceMutex is created upon first execution. The User-Agent “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36” is a reliable network IOC.

☠️ Risk & Impact

SlothfulMedia enables persistent remote access, keystroke logging, and file exfiltration, resulting in theft of intellectual property, email credentials, and government authentication tokens. A Symantec report from July 2023 estimated that compromised organizations in the semiconductor and defense sectors suffered average recovery costs exceeding $2.3 million per incident. The malware has been linked to at least 12 confirmed data breaches across South Korean and Taiwanese entities since 2022.

🛡️ Mitigation

Apply security patches for CVE-2017-11882 and CVE-2018-0802 in Microsoft Office, enable attack surface reduction rules blocking Office child processes (MITRE ATT&CK T1204.002), and deploy EDR solutions with signatures for the described mutex, registry keys, and DGA patterns. Network defenders should block outbound connections to *.duckdns.org domains correlated with the malware’s User-Agent string and enforce application control to prevent process hollowing (MITRE ATT&CK T1055.012).
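The network indicators listed under Detection Indicators (the *.duckdns.org host pattern, the POST parameter action=media and the Chrome 98 User-Agent) and the blocking advice above can be turned into a simple hunting script. The following Python is an added example, not code from the catalogue or from any vendor report: it parses a few constructed proxy log lines in an assumed space-separated format, scores each request against the three indicators, and derives a block list of hosts from the high-confidence hits. The log format, sample IPs and hostnames are assumptions for illustration. Because the Chrome 98 User-Agent is also what a genuine Chrome 98 browser sends, the script only raises the strong verdict when at least two indicators coincide on one request.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the catalogue entry above.
C2_HOST_PATTERN = re.compile(r"(^|\.)duckdns\.org$", re.IGNORECASE)  # *.duckdns.org
C2_USER_AGENT = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"
)
C2_POST_PARAM = ("action", "media")  # POST parameter action=media

# Assumed proxy log layout (hypothetical): <ts> <src_ip> <method> <url> <status> "<user-agent>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines for the demonstration; not real traffic.
SAMPLE_LOG = """\
2023-05-02T10:01:07Z 10.20.30.41 POST https://abc123.duckdns.org/upload?action=media&id=7 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"
2023-05-02T10:01:09Z 10.20.30.41 GET https://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"
2023-05-02T10:02:15Z 10.20.30.55 POST https://media.duckdns.org/api?action=media 200 "curl/8.1.2"
2023-05-02T10:03:00Z 10.20.30.60 POST https://cdn.example.org/ping?action=media 200 "Mozilla/5.0 (X11; Linux x86_64)"
"""


@dataclass
class Finding:
    src_ip: str
    host: str
    matched: List[str] = field(default_factory=list)  # names of indicators that hit

    @property
    def score(self) -> int:
        return len(self.matched)

    @property
    def verdict(self) -> str:
        # The User-Agent alone is weak (legitimate Chrome 98 sends it), so two hits are required.
        return "likely-slothfulmedia-c2" if self.score >= 2 else "weak-indicator"


def check_request(src_ip: str, method: str, url: str, ua: str) -> Optional[Finding]:
    """Score one request against the three network indicators; None if nothing matched."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    matched: List[str] = []
    if C2_HOST_PATTERN.search(host):
        matched.append("duckdns-host")
    if ua == C2_USER_AGENT:
        matched.append("chrome98-user-agent")
    params = parse_qs(parts.query)
    key, value = C2_POST_PARAM
    if method == "POST" and params.get(key) == [value]:
        matched.append("post-action-media")
    return Finding(src_ip, host, matched) if matched else None


def scan_log(text: str) -> List[Finding]:
    """Parse the log and return one Finding per request that matched any indicator."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines in an unexpected format instead of aborting the hunt
        finding = check_request(m["src"], m["method"], m["url"], m["ua"])
        if finding:
            findings.append(finding)
    return findings


def hosts_to_block(findings: List[Finding]) -> List[str]:
    """Hosts seen in high-confidence hits, i.e. candidates for an outbound block rule."""
    return sorted({f.host for f in findings if f.verdict == "likely-slothfulmedia-c2"})


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.src_ip:<12} {f.host:<22} score={f.score} {f.verdict} {f.matched}")
    print("block:", hosts_to_block(results))
```

On the constructed sample, the first and third lines reach the strong verdict (DuckDNS host plus a second indicator), while the Chrome-only GET and the action=media POST to a non-DuckDNS host are reported as weak single hits worth a look but not an automatic block. Adapting the script to a real environment means replacing the LOG_LINE pattern with the proxy's actual field layout.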


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.