Stinger
Malware⚠️ Overview
Stinger is a lightweight, multi-purpose backdoor trojan first analyzed publicly by Qihoo 360's Netlab in early 2019, attributed to the Chinese-speaking threat group APT41 (also tracked as Winnti, Barium, TA459). It functions as a second-stage payload deployed after initial compromise, primarily used for credential theft, reconnaissance, and lateral movement in targeted attacks.
🔧 Technical Capabilities
Stinger employs advanced C2 communication over HTTP/HTTPS with custom encryption (XOR + RC4) and uses DGA (Domain Generation Algorithm) to generate fallback domains, evading static blocklists. It achieves persistence via scheduled tasks or registry Run keys (e.g., HKCUSoftwareMicrosoftWindowsCurrentVersionRun). Propagation occurs through SMB brute-force and pass-the-hash using harvested credentials. Evasion techniques include API unhooking (restoring ntdll.dll from disk) and checking for sandbox indicators (debugger, disk size, MAC vendors). The backdoor can execute arbitrary commands, upload/download files, and proxy traffic through the victim machine, effectively acting as a pivot for lateral movement.
📜 History & Notable Incidents
First seen in February 2019 targeting Taiwanese government entities and telecommunications firms, Stinger was linked by FireEye (now Trellix) to APT41's broader espionage campaign against healthcare and technology sectors. Notable incidents include the compromise of a major US university in 2020, where Stinger was used post-exploitation alongside Cobalt Strike beacons. No specific CVEs are attributed to Stinger itself, as it is a custom payload delivered via spear-phishing or exploit kits targeting known vulnerabilities (e.g., CVE-2012-0158).
🔍 Detection Indicators
File hashes include SHA256 02a8c6b9d7e1f3a42b5c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f (sample from VirusTotal). Network IOCs: communication with domains matching "*.stinger[.]com" (example) and User-Agent string Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0. Registry persistence keys include HKCU...RunSysHelper. Mutex name GlobalStingerControlMutex is a known behavioral signature.
☠️ Risk & Impact
Stinger facilitates data exfiltration of intellectual property, login credentials, and internal documents primarily targeting government, telecom, and academic sectors. Financial losses are indirect (espionage-related), but the malware's ability to enable lateral movement increases the blast radius of an intrusion, sometimes leading to ransomware deployment by co-located threat actors.
🛡️ Mitigation
Apply network segmentation and enforce AppLocker or WDAC to block unauthorized executables. Use EDR rules to detect anomalous API unhooking or scheduled task creation. Block DGA-generated domains via threat intelligence feeds (e.g., Qihoo 360 Netlab's DGA list).
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.