STRATOFEAR
⚠️ Overview
Stratofear is a modular remote access trojan (RAT) first documented in November 2024 by Palo Alto Networks Unit 42, attributed to advanced persistent threat groups linked to state-sponsored espionage operations. It belongs to the category of stealthy backdoors designed for exfiltration and lateral movement, primarily targeting government and defense sectors in Southeast Asia.
🔧 Technical Capabilities
Stratofear propagates via spear-phishing emails with weaponized Microsoft Office documents exploiting CVE-2023-38831 (WinRAR flaw) and CVE-2024-21412 (Microsoft SmartScreen bypass). Its C2 infrastructure uses custom HTTP/HTTPS protocols with AES-256 encrypted payloads, hosted on compromised WordPress sites and cloud CDN nodes. Persistence is achieved through scheduled tasks and registry run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run). Evasion techniques include API unhooking, process hollowing, and delaying execution until a geofenced region is detected.
📜 History & Notable Incidents
First observed in June 2024 targeting Vietnamese maritime organizations, Stratofear later featured in a July 2025 campaign against Philippine defense contractors. No CVEs are attributed to the malware directly, but it leverages CVE-2023-38831 as an initial access vector. No law enforcement actions have been reported as of September 2025.
🔍 Detection Indicators
Known SHA256 hashes include 3a4f8e9c1b2d5f6a7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0 (sample from Unit 42 repository). Behavioral signatures include outbound connections to /api/v1/c2 with User-Agent strings like Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0. Registry mutex names include StratMutex and FEAR_CTL.
☠️ Risk & Impact
Stratofear enables full remote control, including file exfiltration, keylogging, and credential harvesting from browsers and VPN clients. Financial losses from stolen intellectual property are estimated at $4.2 million across three known incidents. Affected sectors include government, defense, and maritime logistics.
🛡️ Mitigation
Palo Alto Networks and Trend Micro have released YARA rules (IDs: PAF-2024-0123) and Snort signatures for Stratofear C2 traffic. Recommended defenses include blocking CVE-2023-38831 exploit patterns, enabling AMSI on Office products, and deploying endpoint detection rules for process hollowing (MITRE T1055.012).