Stitch

Malware

⚠️ Overview

Stitch is a remote access trojan (RAT) first documented by Palo Alto Networks Unit 42 in 2017 and attributed to the Chinese cyber espionage group APT10 (also tracked as Stone Panda, menuPass and Cicada). It is categorized as an information-stealing backdoor built for long-term espionage campaigns, primarily against defense, aerospace and technology organizations in Japan, South Korea and the United States.

🔧 Technical Capabilities

Stitch uses a modular plug-in architecture for keylogging, screen capture, file exfiltration and command execution. C2 traffic runs over HTTP or HTTPS with an additional custom AES-256 layer applied to the payload, so TLS inspection alone does not expose the commands. Initial access comes through spear-phishing emails carrying weaponized Office documents (CVE-2017-0199 or CVE-2018-0798); lateral movement abuses unpatched SMBv1 hosts (EternalBlue, CVE-2017-0144). Persistence is achieved through registry Run keys, scheduled tasks or DLL sideloading. Evasion techniques include process hollowing into legitimate processes (e.g. svchost.exe), disabling Windows Defender through registry modifications, and a domain generation algorithm (DGA) for C2 resilience. The malware checks for sandbox environments by looking for virtual machine artifacts before running its payload.

📜 History & Notable Incidents

First observed in the wild in 2015, Stitch gained prominence during APT10's campaign against managed service providers (MSPs), publicly reported by PwC and BAE Systems in April 2017 as "Operation Cloud Hopper". The campaign compromised MSPs in order to reach their downstream clients, affecting over 50 organizations including Mitsubishi Heavy Industries and Fujitsu. No CVEs are tied to Stitch itself; it relies on publicly known exploits for delivery and spread. The principal law enforcement action against the group is the December 2018 US Department of Justice indictment of two APT10 members for the MSP intrusions.

🔍 Detection Indicators

Published file hashes vary widely between samples; the value often quoted as an "example MD5", e3b0c44298fc1c149afbf4c8996fb924, is only the first 32 hex digits of the SHA-256 of empty input and must not be used as an indicator. Behavioral signatures: creation of scheduled tasks named "AdobeFlashUpdate" or "JavaUpdate"; network IOCs include C2 domains under the .xyz and .top TLDs (e.g. stx.sys-adm1n[.]xyz); the mutex name Global\{8F4D4A12-8F4D-4A12-8F4D-4A12}; and the User-Agent string "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36", which also appears in benign browser traffic and should only be used in combination with other indicators. On disk, look for a value named "explorer" under HKCU\Software\Microsoft\Windows\CurrentVersion\Run that points at a malicious DLL.
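The indicators above are a mix of strong signals (task names, the mutex, a named C2 domain, the Run-key value) and weak ones (a generic User-Agent, a TLD). The following triage script is an added example, not code from the original page or from any vendor report on Stitch: it scores constructed Sysmon-style events per host, weights strong and weak indicators differently, and adds a simple entropy heuristic for DGA-like domain labels. The hostnames, event records, weights and threshold are all assumptions chosen for illustration.

```python
"""Score constructed endpoint events against the Stitch indicators listed above.

Added example; events, hostnames, weights and the alert threshold are constructed
for illustration and are not taken from any real incident.
"""
import math
from collections import Counter

# Indicators from the profile. The hash quoted there is a placeholder, so no
# hash matching is done here.
TASK_NAMES = {"adobeflashupdate", "javaupdate"}
C2_TLDS = (".xyz", ".top")
KNOWN_C2 = {"stx.sys-adm1n.xyz"}
MUTEXES = {"global\\{8f4d4a12-8f4d-4a12-8f4d-4a12}"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
WEAK_UA = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"

# Constructed sample events (Sysmon-like, flattened to dicts).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "task_create", "name": "AdobeFlashUpdate",
     "cmd": r"C:\Users\a\AppData\Roaming\x.exe"},
    {"host": "ws01", "type": "dns", "query": "stx.sys-adm1n.xyz"},
    {"host": "ws01", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "explorer", "data": r"rundll32.exe C:\Users\a\AppData\Roaming\upd.dll,Start"},
    {"host": "ws02", "type": "http", "user_agent": WEAK_UA, "dest": "www.example.com"},
    {"host": "ws03", "type": "dns", "query": "q7x9kd2lm3pz.top"},
    {"host": "ws03", "type": "dns", "query": "q8y2ne4rt6va.top"},
]


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_dga(domain):
    """Crude DGA heuristic: long, high-entropy leftmost label. Assumed thresholds;
    CDN and cloud hostnames also trip this, hence the reduced weight below."""
    label = domain.lower().split(".")[0]
    return len(label) >= 10 and shannon_entropy(label) >= 3.0


def score_event(ev):
    """Return (score, reason). Strong indicators score 3, DGA-like 2, weak 1."""
    t = ev["type"]
    if t == "task_create" and ev["name"].lower() in TASK_NAMES:
        return 3, f"scheduled task {ev['name']!r} matches Stitch persistence name"
    if (t == "registry_set" and ev["key"].lower() == RUN_KEY
            and ev["value"].lower() == "explorer" and ".dll" in ev["data"].lower()):
        return 3, "Run key value 'explorer' loads a DLL"
    if t == "mutex" and ev["name"].lower() in MUTEXES:
        return 3, "known Stitch mutex"
    if t == "dns":
        q = ev["query"].lower()
        if q in KNOWN_C2:
            return 3, f"query for known C2 domain {q}"
        score, why = 0, []
        if q.endswith(C2_TLDS):
            score += 1
            why.append("C2-associated TLD")
        if looks_dga(q):
            score += 2
            why.append("DGA-like label")
        return score, "; ".join(why)
    if t == "http" and ev.get("user_agent") == WEAK_UA:
        return 1, "generic User-Agent also seen in benign traffic"
    return 0, ""


def triage(events):
    """Aggregate per-host score and reasons."""
    hosts = {}
    for ev in events:
        score, why = score_event(ev)
        rec = hosts.setdefault(ev["host"], {"score": 0, "reasons": []})
        rec["score"] += score
        if score:
            rec["reasons"].append(why)
    return hosts


def alerts(events, threshold=3):
    """Hosts whose combined score reaches the (assumed) alert threshold."""
    return sorted(h for h, r in triage(events).items() if r["score"] >= threshold)


if __name__ == "__main__":
    for host, rec in triage(SAMPLE_EVENTS).items():
        print(host, rec["score"], rec["reasons"])
    print("alert:", alerts(SAMPLE_EVENTS))
```

With the sample data, ws01 alerts on three strong indicators, ws03 alerts on two DGA-like .top queries, and ws02, which only sent the generic User-Agent, stays below the threshold. The weights and the entropy cutoff are starting points to tune against your own DNS baseline, not vendor-published values.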

☠️ Risk & Impact

Stitch causes stealthy data exfiltration of intellectual property, credentials, and sensitive documents, with estimated losses exceeding $100 million from Operation Cloud Hopper alone. It primarily affects defense contractors, IT service providers, and manufacturing firms in Japan, South Korea, and the US, with secondary impacts to government agencies via supply chain compromise.

🛡️ Mitigation

Apply the MS17-010 patch for the SMBv1 vulnerability (CVE-2017-0144) and disable SMBv1 where it is not needed; patch the Office exploits (CVE-2017-0199, CVE-2018-0798) and block macro and OLE execution from internet-sourced documents. Deploy endpoint detection and response (EDR) with behavioral rules for process hollowing, scheduled tasks created from user-writable paths, and Run-key values that launch DLLs through rundll32.exe. Block outbound connections to C2 infrastructure published in threat intelligence feeds from Unit 42 or CrowdStrike, and, because DGA domains cannot be blocklisted in advance, alert on DGA-like DNS query patterns and newly registered .xyz and .top domains.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.