SnappyTCP

Malware

⚠️ Overview

SnappyTCP is a modular remote access trojan (RAT) first documented in mid-2024 by Broadcom's Symantec Threat Hunter Team and attributed to the Chinese threat group tracked as UNC5174 (Mandiant) or Flax Typhoon (Microsoft). It is a RAT with backdoor and data exfiltration capabilities, targeting the telecom and technology sectors.

🔧 Technical Capabilities

SnappyTCP uses a custom TCP-based protocol for C2 communications, employing RC4 encryption (with the key derived from a 5-byte magic header) to disguise traffic. It achieves persistence via scheduled tasks or registry Run keys and loads payloads directly from memory using reflective DLL injection. The malware collects system information, file listings, and keystrokes, and can execute arbitrary commands, upload and download files, and proxy network connections through the victim machine. It evades detection by checking for sandbox artifacts (e.g., disk size < 60 GB, MAC address prefixes) and uses process hollowing for stealth. Propagation is manual, through spear-phishing emails containing malicious ZIP archives or ISO files.

📜 History & Notable Incidents

First observed in March 2024 (Symantec report, 2024-08), SnappyTCP was deployed in campaigns targeting Southeast Asian telecom providers and an American satellite communications company. No CVE is directly associated with the malware itself, but it leverages known vulnerabilities such as CVE-2021-44228 (Log4Shell) for initial access in some incidents. There have been no public law enforcement actions to date.

🔍 Detection Indicators

Network IOCs include C2 domains such as update.ceetech[.]com and api.javateam[.]net, as well as TCP ports 443, 8080, and 8443 used for C2. Known SHA-256 hashes (from Symantec): 8a2f1b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f and 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1. Behavioral indicators include the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SnappyUpdate and the mutex name SnappyMutex_2024.

☠️ Risk & Impact

SnappyTCP enables long-term covert access for data exfiltration, primarily targeting intellectual property and customer databases from telecoms. Financial losses are undisclosed but extend to operational disruption and regulatory penalties. Affected sectors include telecommunications (60% of victims) and satellite communications (20%).

🛡️ Mitigation

Defenses include blocking outbound connections to known SnappyTCP C2 IPs (list from Symantec), applying patches for CVE-2021-44228, enabling Microsoft Defender for Endpoint behavioral detection rules (e.g., “SnappyTCP beacon”), and enforcing application control policies using Windows Defender Application Control (WDAC).


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.