STOWAWAY


⚠️ Overview

Stowaway is a multi-hop proxy and remote-administration tool written in Go. It is open source (github.com/ph4ntonn/Stowaway) and was built for penetration testers, but intrusion sets have adopted it as a backdoor and command-and-control (C2) relay: an operator chains agent nodes so that traffic between the controller and the final compromised host crosses several intermediate hops, hiding the operator's real origin. Its malicious use was documented in December 2020 by Palo Alto Networks Unit 42, in targeted intrusions attributed to China-nexus groups, notably TA428. (TA428 is tracked separately from APT27/Emissary Panda; the two are sometimes conflated.) With its remote shell and file transfer it provides the core functions of a remote access trojan (RAT), and in these campaigns it was deployed after initial compromise to keep covert access, pivot through the network, and exfiltrate data from Windows and Linux hosts.

🔧 Technical Capabilities

Stowaway arranges nodes as a tree: one admin (controller) node and one or more agent nodes, each of which can accept further child agents. Commands and tunnelled traffic are relayed hop by hop through this tree, so the final target only ever sees the address of the hop next to it, and an analyst has to unwind every intermediate node to reach the operator. Node-to-node links run over raw TCP, HTTP, or WebSocket, and any TCP-based service (SSH, RDP, SOCKS5, and so on) can be carried through the chain. Built-in functions include a SOCKS5 proxy, local and remote port forwarding, an interactive remote shell, and file upload/download. The tool itself has no persistence feature; operators have been seen installing the agent via scheduled tasks on Windows and cron jobs on Linux. Evasion comes less from dedicated tricks than from the nature of the artefact: the agent is a statically linked Go executable configured entirely from command-line arguments, so to static tooling it looks like countless benign Go programs, and its HTTP and WebSocket modes let C2 sessions blend with ordinary web traffic. In the public source, node-to-node traffic is encrypted with AES-CBC under a key derived from a shared secret supplied at launch, and TLS can be layered on top; Unit 42's analysis describes a custom XOR scheme for the initial handshake and AES-128-CBC afterwards in the samples it examined (Palo Alto Networks, 2020).

📜 History & Notable Incidents

Stowaway is itself publicly available: anyone can clone the GitHub project and build their own admin and agent binaries, so the samples seen in intrusions are operator builds rather than one malware family with a single author. Its abuse was observed from around October 2020 in campaigns against government, defense, and research organisations in East and Southeast Asia, and in December 2020 Palo Alto Networks' Unit 42 published an analysis tying that activity to TA428, a group assessed to conduct espionage on behalf of the Chinese state. In those intrusions it appeared alongside Mimikatz (credential theft) and SharpExec (remote execution) for lateral movement. No CVE is associated with Stowaway, since it is a post-exploitation tool deployed after access has already been obtained; initial access in the reported cases typically exploited known vulnerabilities in internet-facing appliances such as CVE-2020-5902 (F5 BIG-IP TMUI remote code execution) and CVE-2019-19781 (Citrix ADC/Gateway directory traversal leading to remote code execution).

🔍 Detection Indicators

Network indicators: WebSocket upgrade requests or long-lived HTTP sessions from servers to hosts that are not known web services, and persistent encrypted TCP sessions on ports the host has no business using (8443, 9999 and arbitrary high ports have been reported, but the operator chooses the port, so the protocol fingerprint matters more than the number). File indicators: agent binaries are Go executables, so Go build markers (the "Go build ID:" and "Go buildinf:" strings, and function names such as runtime.main in the pclntab, which survive even in stripped binaries) combined with substrings such as "stowaway", "proxy", or "child" are a starting point, although those names may be stripped or renamed in operator builds. Unit 42 lists the MD5 4f9b2c6a8e1d3f5b7c9a0e2d4f6b8c1a for a sample compiled in October 2020; because every operator compiles from source, a hash matches one build only and is a low-recall indicator. Behavioural indicators: the agent process spawning cmd.exe or powershell.exe (sh or bash on Linux) for the remote shell feature, and persistence through scheduled tasks with legitimate-sounding names such as "MicrosoftEdgeUpdateTask". On Linux, look for cron entries under /var/spool/cron/crontabs and for systemd user units.

☠️ Risk & Impact

Stowaway enables full remote control, file theft, and network pivoting, leading to potential exfiltration of sensitive intellectual property, classified documents, and system credentials. Affected sectors primarily include government, defense, aerospace, and telecommunications in the Asia-Pacific region. The multi-hop proxy design makes incident response difficult, as analysts must trace through several intermediate nodes; real-world intrusions have resulted in months-long undetected access, with data exfiltration volumes reaching gigabytes per compromised host (Unit 42, 2020). Financial losses are indirect but significant, stemming from breach remediation, legal fees, and reputational damage.

🛡️ Mitigation

Defenders should segment networks to contain lateral movement and pivoting, and restrict outbound traffic from servers to an explicit allowlist so that an agent cannot reach its next hop on an arbitrary port. Application allowlisting that blocks execution of unapproved binaries stops the agent outright: it is a self-built executable that no trusted publisher signs. Patch the appliances used for initial access (CVE-2020-5902 on F5 BIG-IP, CVE-2019-19781 on Citrix ADC/Gateway). EDR rules should key on behaviour rather than on the Go toolchain: scheduled-task creation by a binary outside the usual software paths, an unsigned process spawning cmd.exe or powershell.exe, and server processes opening WebSocket or HTTP sessions to non-web destinations. Unit 42 also recommends hunting for the file hashes and network indicators in its 2020 report (unit42.paloaltonetworks.com/stowaway-post-exploitation-tool), bearing in mind that hashes only catch the specific builds it observed.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.