SpicyOmelette
Malware⚠️ Overview
SpicyOmelette is a fileless, PowerShell-based backdoor malware first documented in June 2021 by researchers at Trend Micro, attributed to a Chinese-speaking threat actor tracked as Earth Preta (also known as Mustang Panda). It functions as a post-exploitation tool and backdoor, delivering additional payloads while evading disk-based detection.
🔧 Technical Capabilities
SpicyOmelette operates entirely in memory, executing via obfuscated PowerShell scripts downloaded from compromised websites (watering-hole attacks) or spear-phishing emails. It establishes command-and-control (C2) communication over HTTP/HTTPS using encrypted JSON payloads, with C2 domains often mimicking legitimate services (e.g., "update.microsoft.com" look-alikes). The malware uses a custom encryption algorithm (XOR with a static key) for traffic obfuscation, and implements persistence via scheduled tasks or Windows Management Instrumentation (WMI) event subscriptions. It includes anti-analysis checks such as scanning for sandbox artifacts, debugger detection, and VM-specific registry keys. Propagation is limited to manual lateral movement using stolen credentials via PowerShell Remoting.
📜 History & Notable Incidents
First identified in June 2021 by Trend Micro, SpicyOmelette was observed targeting government and diplomatic entities in Southeast Asia, particularly Myanmar, Vietnam, and the Philippines. An October 2022 campaign by Earth Preta used the malware to deploy Cobalt Strike beacons and the PlugX RAT, exploiting legitimate websites as initial infection vectors. No CVEs have been directly attributed to SpicyOmelette, as it leverages living-off-the-land techniques rather than exploits.
🔍 Detection Indicators
Network indicators include C2 URLs ending in “/api/check” or “/api/data” with User-Agent strings like “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36”. Fileless execution leaves no disk-resident binary; detection relies on PowerShell script block logging (Event ID 4104) and suspicious WMI activity. No public file hashes are available because the payloads are dynamically generated in memory.
☠️ Risk & Impact
SpicyOmelette enables persistent remote access, leading to data exfiltration of sensitive government documents, credentials, and network reconnaissance data. The malware has primarily impacted government and diplomatic sectors in Asia, with financial losses indirectly stemming from espionage and subsequent ransomware deployment by partner groups.
🛡️ Mitigation
Mitigation includes enabling PowerShell constrained language mode, monitoring for anomalous script execution (via Sysmon and AMSI), and applying the principle of least privilege to restrict lateral movement. Trend Micro’s Apex One and Deep Security detect SpicyOmelette through behavioral rules and network traffic analysis. Refer to Trend Micro’s threat report “Earth Preta: SpicyOmelette and Beyond” (2022) for detailed IOCs.
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.