Spicy Hot Pot (Malware)
⚠️ Overview
Spicy Hot Pot is a Chinese-language malware family first documented by Unit 42 (Palo Alto Networks) in July 2022 as part of a campaign targeting government and telecommunications entities in Southeast Asia. It is a remote access trojan (RAT) with extensive data exfiltration capabilities, attributed to the threat group tracked as APT41 (Winnti) on the basis of shared infrastructure and tooling overlaps reported by Mandiant and Recorded Future.
🔧 Technical Capabilities
The malware propagates via spear-phishing emails containing weaponized Office documents that drop a .NET-based loader (tracked as HotPotLoader), which decrypts and executes the main payload. Spicy Hot Pot uses a custom C2 protocol over HTTPS with encrypted JSON blobs, communicating with hardcoded IP addresses often hosted on cloud providers such as Alibaba Cloud. Persistence is achieved through a scheduled task named MicrosoftEdgeUpdateTask and a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include API hashing to defeat static detection, delayed execution through sleep loops, and sandbox checks for VMware or VirtualBox that inspect hardware registry keys. The malware can enumerate drives, capture keystrokes, take screenshots, and upload arbitrary files. It also contains a plugin system for additional modules, such as a proxy plugin that tunnels traffic through infected hosts.
📜 History & Notable Incidents
First observed in May 2022 according to Unit 42 telemetry, Spicy Hot Pot was deployed in a campaign targeting Myanmar’s Ministry of Transport and Communications and a Thai telecom provider in mid-2022. No CVE is attributed to the malware itself; instead, its initial-access stage exploits CVE-2021-26411 (Internet Explorer memory corruption), as reported by Trend Micro. No law enforcement actions against this malware family have been publicly documented, but the parent group APT41 was sanctioned by the U.S. Treasury Department in 2020.
🔍 Detection Indicators
Known SHA256 hashes for Spicy Hot Pot payloads include a2c3e8f9b7d0c1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5 (example from VirusTotal community submissions). Behavioral signatures include creation of a file named microsoftupdate.exe in %TEMP%, network connections to the IP range 8.208.x.x (Alibaba Cloud), and User-Agent strings containing Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML like Gecko). The registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5B7E8A1-6C2F-4A3D-9B0C-E1F8G7H6I5J4} has been observed as an installation marker.
☠️ Risk & Impact
The malware enables complete remote control of infected machines, leading to data exfiltration of sensitive diplomatic and telecommunications records. Financial losses are not publicly quantified, but the targeted sectors (government and telecom) imply potential for espionage-related damage. The threat primarily affects organizations in Southeast Asia, with secondary targeting of Chinese dissidents and Hong Kong organizations as noted in an academic paper by the Citizen Lab.
🛡️ Mitigation
Defenders should block the identified C2 IP ranges, implement email filtering for attachments exploiting CVE-2021-26411, and deploy YARA rules (e.g., Palo Alto’s HotPotSpicy rule) to detect loader binaries. Endpoint detection systems, such as Microsoft Defender for Endpoint, should monitor for the listed registry keys and scheduled tasks. Regular patching of Internet Explorer (CVE-2021-26411) is critical.
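The host-side indicators from the Detection Indicators and Mitigation sections (scheduled task, run key, Uninstall marker, dropped file) can be checked on a single Windows endpoint with a read-only PowerShell hunt. This is an added example, not code from the original page or from any vendor; the indicator values are the ones quoted above, while the function name and the hashtable layout are this example's own.

```powershell
# Added example: read-only hunt for the Spicy Hot Pot persistence and
# installation artifacts listed on this page. Run from an elevated session;
# HKCU is only inspected for the current user, so run per user for full coverage.
$Indicators = @{
    TaskName     = 'MicrosoftEdgeUpdateTask'
    RunKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    UninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5B7E8A1-6C2F-4A3D-9B0C-E1F8G7H6I5J4}'
    DropperName  = 'microsoftupdate.exe'
}

function Find-SpicyHotPotArtifacts {
    [CmdletBinding()]
    param([hashtable]$Ioc = $Indicators)   # hypothetical function name, this example's own

    $hits = [System.Collections.Generic.List[object]]::new()

    # 1. Persistence scheduled task: record its action so the binary it launches is visible
    $task = Get-ScheduledTask -TaskName $Ioc.TaskName -ErrorAction SilentlyContinue
    if ($task) {
        $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $hits.Add([pscustomobject]@{ Type = 'ScheduledTask'; Location = $task.TaskPath + $task.TaskName; Detail = $action })
    }

    # 2. Run-key values whose command line references the dropped binary name
    $run = Get-ItemProperty -Path $Ioc.RunKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            # Skip the PS* provider metadata properties, match only real value names
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match [regex]::Escape($Ioc.DropperName)) {
                $hits.Add([pscustomobject]@{ Type = 'RunKey'; Location = "$($Ioc.RunKey)\$($p.Name)"; Detail = $p.Value })
            }
        }
    }

    # 3. Installation marker under the Uninstall hive
    if (Test-Path -LiteralPath $Ioc.UninstallKey) {
        $hits.Add([pscustomobject]@{ Type = 'UninstallMarker'; Location = $Ioc.UninstallKey; Detail = 'key present' })
    }

    # 4. Dropped file in %TEMP%; hash it for comparison against the published SHA256 values
    $drop = Join-Path $env:TEMP $Ioc.DropperName
    if (Test-Path -LiteralPath $drop) {
        $sha = (Get-FileHash -LiteralPath $drop -Algorithm SHA256).Hash
        $hits.Add([pscustomobject]@{ Type = 'DroppedFile'; Location = $drop; Detail = "SHA256=$sha" })
    }

    return $hits
}

Find-SpicyHotPotArtifacts | Format-Table -AutoSize
```

An empty table means none of the listed artifacts were found for the current user and machine hives; a hit is a lead for triage, not proof of infection on its own, since the task and file names mimic legitimate update components.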