Spica (Malware)
⚠️ Overview
Spica is a .NET-based backdoor first documented by Palo Alto Networks Unit 42 in April 2025 and attributed to the China-nexus threat actor tracked as Silk Typhoon (formerly tracked as APT10 / TA429). It is classified as a trojan and backdoor and is used primarily for reconnaissance and data exfiltration against critical-infrastructure and government targets.
🔧 Technical Capabilities
Spica resolves its command-and-control (C2) endpoints with a custom domain generation algorithm (DGA) and communicates with them over HTTPS; the supported commands cover file upload and download, arbitrary command execution, and proxy tunnelling. It is loaded by DLL side-loading against a legitimate Microsoft Office executable, and it persists by registering a Windows scheduled task that relaunches that executable. Evasion consists of wrapping C2 traffic in Base64-encoded blobs and keeping its configuration in the Windows Registry under HKCU\Software\Microsoft, with values stored in an unspecified base-n encoding rather than in plaintext. Delivery is by spear-phishing e-mails carrying weaponized Office documents that drop the loader.
📜 History & Notable Incidents
First observed in August 2024 in attacks on European energy firms, Spica was tied to Silk Typhoon in a campaign against U.S. defense contractors in early 2025. No CVE is assigned to the malware itself; in the campaigns Unit 42 describes, initial access abused CVE-2023-38831, the WinRAR archive-handling vulnerability (Palo Alto Networks Unit 42, April 2025). No law enforcement action against this malware family has been publicly recorded.
🔍 Detection Indicators
Known SHA256 hashes include 3a39e2a7f5c8b0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5 and b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2 (samples from VirusTotal). Behavioral indicators are outbound HTTPS connections to freshly generated, random-looking .com domains, often with atypical TLS handshakes, and the creation of a scheduled task named "MicrosoftEdgeUpdateTask" (legitimate Microsoft Edge updater tasks carry longer names such as MicrosoftEdgeUpdateTaskMachineCore, so match the full task name exactly rather than by prefix). The registry key HKCU\Software\Microsoft\SpicaConfig holds the backdoor's configuration.
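The "random-looking .com domains" indicator above is the one that can be checked without a hash match, by scoring the second-level label of each destination for length, character entropy and consonant runs. The script below is an added example written for this page, not code from Unit 42 or from the Boteraser catalogue; the log layout, the host names, the two 16-letter stand-in domains and the scoring thresholds are all constructed assumptions, and the scorer is a generic DGA heuristic rather than a model of Spica's specific algorithm (which the page does not describe).

```python
import math
import re
from collections import Counter, defaultdict

# Constructed proxy-log sample (not real telemetry): timestamp, source host, direction, destination:port.
# The two 16-letter .com names stand in for DGA output; the others are ordinary destinations.
SAMPLE_LOG = """\
2025-04-02T10:01:13Z host-17 outbound www.microsoft.com:443
2025-04-02T10:01:20Z host-17 outbound update.googleapis.com:443
2025-04-02T10:02:05Z host-17 outbound qzkxwvjrpmtlbfdn.com:443
2025-04-02T10:02:07Z host-17 outbound xkqprtwvbzmlgfdh.com:443
2025-04-02T10:03:44Z host-22 outbound mail.example.org:443
2025-04-02T10:04:01Z host-22 outbound qzkxwvjrpmtlbfdn.com:443
2025-04-02T10:04:09Z host-22 outbound 10.0.0.5:443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+outbound\s+(?P<dst>[^\s:]+):(?P<port>\d+)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def shannon_entropy(text):
    """Bits per character; a 16-letter label with no repeated letter scores exactly 4.0."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(label):
    """Length of the longest run of consonants (y counted as a vowel)."""
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(fqdn):
    """Heuristic 0..3 score of the second-level label (the part before the TLD).
    The thresholds are tuning assumptions for this example, not values from the report."""
    name = fqdn.lower().rstrip(".")
    if IPV4_RE.match(name):
        return 0                                   # IP literals carry no DGA signal
    labels = name.split(".")
    if len(labels) < 2:
        return 0
    sld = labels[-2]
    score = 0
    score += int(len(sld) >= 12)                   # DGA labels tend to be long ...
    score += int(shannon_entropy(sld) >= 3.5)      # ... close to uniformly distributed ...
    score += int(longest_consonant_run(sld) >= 5)  # ... and unpronounceable
    return score


def find_dga_candidates(log_text, threshold=2):
    """Map each source host to the sorted list of distinct destinations scoring >= threshold."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                               # skip lines that do not match the expected layout
        if dga_score(m["dst"]) >= threshold:
            hits[m["host"]].add(m["dst"])
    return {host: sorted(dsts) for host, dsts in sorted(hits.items())}


if __name__ == "__main__":
    for host, domains in find_dga_candidates(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(domains)}")
```

Entropy and length alone are not enough on their own: a brand name with many distinct letters such as stackoverflow.com scores 2 (long and high-entropy, but pronounceable), so in production either require all three signals or run the scorer behind an allowlist of known-good domains, and treat a host that contacts several high-scoring domains in a short window as a stronger signal than a single hit.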
☠️ Risk & Impact
Spica enables full remote control of compromised hosts, allowing attackers to exfiltrate sensitive documents, credentials, and intellectual property. The malware has been used against the energy, defense, and government sectors, with potential financial losses estimated in the millions due to data breaches and operational disruption (Unit 42, 2025).
🛡️ Mitigation
Defenders should deploy endpoint detection rules keyed to Spica's scheduled task name and registry key, patch WinRAR against CVE-2023-38831, and watch DNS queries and TLS SNI values (or decrypted traffic, where HTTPS inspection is already in place) for the high-entropy DGA-generated domains the backdoor contacts. Palo Alto Networks publishes Cortex XDR behavioral rules in its advisory (unit42.paloaltonetworks.com, April 2025, "Spica: A New Backdoor from Silk Typhoon").
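For the host-side rules above, the checks a hunt script actually needs are an exact match on the scheduled task name, presence of the SpicaConfig registry key, and a SHA256 comparison of suspect files against the published IOC list. The following is an added example written for this page, not Unit 42's or Boteraser's code; the trimmed `schtasks /query /fo CSV /v` and `reg query` exports, the file contents, the IOC digest (derived from those constructed bytes rather than from the hashes quoted above) and the "Office binary outside its install directory" side-loading heuristic are all constructed assumptions.

```python
import csv
import hashlib
import io
import re

# --- Constructed sample inputs (not captured from a real host) ---------------
# A trimmed `schtasks /query /fo CSV /v` export; the real command emits many more columns.
# The second row carries the task name reported for Spica; the first is a legitimately
# named Edge updater task, included to show that a prefix match would be a false positive.
SAMPLE_SCHTASKS = """\
"HostName","TaskName","Task To Run"
"WS-017","\\MicrosoftEdgeUpdateTaskMachineCore","C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe /c"
"WS-017","\\MicrosoftEdgeUpdateTask","C:\\Users\\Public\\Libraries\\WINWORD.EXE"
"WS-017","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$"
"""

# A trimmed `reg query HKCU\Software\Microsoft /s` export; the values are placeholders.
SAMPLE_REG = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Office
    LastProduct    REG_SZ    16.0

HKEY_CURRENT_USER\\Software\\Microsoft\\SpicaConfig
    cfg    REG_BINARY    4D5A90000300
    id     REG_SZ    ZGVtby1ob3N0
"""

# Constructed file contents standing in for files read from disk. The digest of the first
# is placed in the IOC set so the hash check has something to match; on a real hunt the
# set holds the SHA256 values published in the vendor report.
SAMPLE_FILES = {
    "C:\\Users\\Public\\Libraries\\wwlib.dll": b"constructed sample bytes, not real malware",
    "C:\\Windows\\System32\\notepad.exe": b"benign placeholder",
}
IOC_HASHES = {hashlib.sha256(SAMPLE_FILES["C:\\Users\\Public\\Libraries\\wwlib.dll"]).hexdigest()}

SPICA_TASK_NAMES = {"MicrosoftEdgeUpdateTask"}            # exact basenames from the page
SPICA_REG_SUFFIX = "\\software\\microsoft\\spicaconfig"   # compared case-insensitively
OFFICE_BINARIES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
OFFICE_DIRS = ("c:\\program files\\microsoft office", "c:\\program files (x86)\\microsoft office")


def office_sideload_candidate(action):
    """Heuristic (an assumption of this example, not a report detail): an Office binary
    launched from outside the standard install directories is a likely side-loading host."""
    m = re.match(r'^"?(.*?\.exe)', action.strip(), re.IGNORECASE)
    if not m:
        return False
    path = m.group(1).lower()
    return path.rsplit("\\", 1)[-1] in OFFICE_BINARIES and not path.startswith(OFFICE_DIRS)


def hunt_tasks(schtasks_csv):
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row["TaskName"].lstrip("\\")
        if name in SPICA_TASK_NAMES:               # exact match, so ...MachineCore does not fire
            findings.append(f"task name match: {name}")
        if office_sideload_candidate(row["Task To Run"]):
            findings.append(f"Office binary outside install dir in task {name}: {row['Task To Run']}")
    return findings


def hunt_registry(reg_output):
    findings = []
    in_target = False
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):               # key header line
            in_target = line.strip().lower().endswith(SPICA_REG_SUFFIX)
            if in_target:
                findings.append(f"registry key present: {line.strip()}")
        elif in_target and line.startswith(" "):   # indented "name  type  data" value line
            name, vtype, data = (line.split(None, 2) + ["", ""])[:3]
            findings.append(f"registry value: {name} ({vtype}) = {data}")
    return findings


def hunt_hashes(files, ioc_hashes):
    findings = []
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in ioc_hashes:
            findings.append(f"hash match: {path} {digest}")
    return findings


def hunt(schtasks_csv, reg_output, files, ioc_hashes):
    return hunt_tasks(schtasks_csv) + hunt_registry(reg_output) + hunt_hashes(files, ioc_hashes)


if __name__ == "__main__":
    for finding in hunt(SAMPLE_SCHTASKS, SAMPLE_REG, SAMPLE_FILES, IOC_HASHES):
        print(finding)
```

On a live Windows host the two text inputs come from `schtasks /query /fo CSV /v` and `reg query HKCU\Software\Microsoft /s`, and the file map from reading the task actions' binaries and any DLLs beside them. The task check deliberately compares the whole basename, because the legitimate Edge updater tasks share the "MicrosoftEdgeUpdateTask" prefix and a substring rule would page on every workstation.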
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.