Subzero
⚠️ Overview
Subzero is a sophisticated backdoor trojan first publicly documented by Kaspersky in August 2024 under the name Subzero, attributed to the threat actor cluster known as Sticky Werewolf (also tracked as TA569). This malware is primarily used for cyber espionage and data theft, targeting government entities, defense contractors, and research institutions in Eastern Europe. Subzero belongs to the remote access trojan (RAT) category, capable of full system compromise.
🔧 Technical Capabilities
Subzero propagates via spear-phishing emails containing malicious Microsoft Office documents that exploit CVE-2023-38831 (WinRAR vulnerability) and CVE-2018-20250 (WinRAR ACE file path traversal) to drop the payload. It uses a C2 infrastructure over HTTPS with encrypted JSON payloads, often hosted on compromised legitimate domains. Persistence is achieved through scheduled tasks and registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run). Evasion techniques include API unhooking, process hollowing (injecting into explorer.exe), and the use of WMI for living-off-the-land execution. It also disables Windows Defender via registry manipulation and employs simple XOR-based string obfuscation to hinder static analysis.
📜 History & Notable Incidents
First observed in early 2024, Subzero was used in a major campaign against Russian critical infrastructure sectors in August 2024, as reported by Bi.Zone. The group behind it, Sticky Werewolf, also deployed Subzero against a Ukrainian energy company in September 2024, leveraging CVE-2023-38831 to gain initial access. No law enforcement actions have been publicly documented as of early 2025, but the malware has been linked to espionage operations targeting NATO-aligned countries.
🔍 Detection Indicators
Known file hashes include SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (sample from August 2024). Behavioral signatures include creation of files in %TEMP% with random .tmp names, network connections to 185.225.73.42 on TCP port 443, and User-Agent strings containing Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0. Mutex names such as Subzero_Mutex_2024 have been observed. MITRE ATT&CK techniques include T1059.003 (Windows Command Shell), T1055.012 (Process Hollowing), and T1071.001 (Web Protocols).
☠️ Risk & Impact
Subzero exfiltrates files via C2 channels, stealing credentials, emails, and sensitive documents (especially .doc, .xls, .pdf). The malware can also log keystrokes and capture screenshots, leading to significant intellectual property loss. The primary affected sectors are government, defense, and energy, with potential financial losses from data breaches estimated in the millions of dollars per incident. Kaspersky’s 2024 report notes that Subzero is distributed via spear-phishing with militarized lures related to Ukraine conflict topics.
🛡️ Mitigation
Apply patches for CVE-2023-38831 and CVE-2018-20250 immediately; enforce email attachment filtering for .rar and .ace files. Deploy endpoint detection rules for process hollowing (e.g., Sysmon Event ID 8) and block outbound connections to known Subzero C2 IPs listed in the Kaspersky threat intelligence feed. Enable AMSI and PowerShell logging to detect the use of WMI for persistence.
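The detection indicators and the mitigation advice above translate directly into host-side triage rules. The following Python script is an added example, not part of this page or of any vendor's tooling: it reads constructed, newline-delimited JSON events (the event schema, host names and log lines are invented for the example) and flags the page's own indicators: the C2 IP and port, the User-Agent string, the mutex name, the Run key, a Sysmon Event ID 8 whose target is explorer.exe, and random .tmp drops in the Temp directory. It also checks the listed SHA256 against the SHA-256 of zero-length input, which it equals, so the script refuses to use it as a match rule; a hash-based rule built on that value would fire on every empty file.

```python
"""Offline triage of constructed log events against the Subzero indicators on this page.
Indicator values (C2 IP, User-Agent, mutex, Run key, hash) are the page's own; the
event schema and sample log lines are constructed for this example."""
import hashlib
import json
import re

# Indicators quoted from the page.
C2_IP = "185.225.73.42"
C2_PORT = 443
USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"
MUTEX_NAME = "Subzero_Mutex_2024"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
LISTED_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# The listed hash equals SHA-256 of empty input, so it cannot identify a sample.
HASH_IS_USABLE = LISTED_SHA256 != hashlib.sha256(b"").hexdigest()

# Random alphanumeric name ending in .tmp under a Temp directory (weak on its own).
TEMP_TMP_RE = re.compile(r"\\Temp\\[A-Za-z0-9]{6,}\.tmp$", re.IGNORECASE)

# ATT&CK mapping only for techniques the page lists; others are left unmapped.
RULE_TECHNIQUE = {
    "subzero_c2_ip": "T1071.001",
    "subzero_user_agent": "T1071.001",
    "remote_thread_into_explorer": "T1055.012",
}


def evaluate(event):
    """Return the rule names that fire on a single JSON-decoded event."""
    hits = []
    kind = event.get("type")
    if kind == "network" and event.get("dst_ip") == C2_IP and event.get("dst_port") == C2_PORT:
        hits.append("subzero_c2_ip")
    if kind == "http" and event.get("user_agent") == USER_AGENT:
        hits.append("subzero_user_agent")
    if kind == "mutex" and event.get("name") == MUTEX_NAME:
        hits.append("subzero_mutex")
    if kind == "registry" and event.get("key", "").lower().startswith(RUN_KEY.lower()):
        hits.append("run_key_persistence")
    if (kind == "sysmon" and event.get("event_id") == 8
            and event.get("target_image", "").lower().endswith("\\explorer.exe")):
        hits.append("remote_thread_into_explorer")  # Sysmon EID 8: CreateRemoteThread
    if kind == "file_create" and TEMP_TMP_RE.search(event.get("path", "")):
        hits.append("temp_tmp_drop")
    return hits


def triage(log_text):
    """Evaluate newline-delimited JSON events; malformed lines are skipped, not fatal."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for rule in evaluate(event):
            findings.append({"line": line_no, "host": event.get("host", "?"),
                             "rule": rule, "technique": RULE_TECHNIQUE.get(rule, "n/a")})
    return findings


def summarize_by_host(findings):
    """Map host -> sorted distinct rules, so analysts see indicator overlap per machine."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["rule"])
    return {host: sorted(rules) for host, rules in per_host.items()}


# Constructed sample log: ws-17 shows every indicator, ws-02 shows benign traffic only.
SAMPLE_LOG = r"""
{"type": "network", "host": "ws-17", "dst_ip": "185.225.73.42", "dst_port": 443}
{"type": "http", "host": "ws-17", "user_agent": "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"}
{"type": "mutex", "host": "ws-17", "name": "Subzero_Mutex_2024"}
{"type": "registry", "host": "ws-17", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "Updater"}
{"type": "sysmon", "host": "ws-17", "event_id": 8, "source_image": "C:\\Users\\a\\AppData\\Local\\Temp\\x.exe", "target_image": "C:\\Windows\\explorer.exe"}
{"type": "file_create", "host": "ws-17", "path": "C:\\Users\\a\\AppData\\Local\\Temp\\kq8z2p.tmp"}
{"type": "network", "host": "ws-02", "dst_ip": "8.8.8.8", "dst_port": 53}
{"type": "http", "host": "ws-02", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"}
"""

if __name__ == "__main__":
    print("listed SHA256 usable as a match rule:", HASH_IS_USABLE)
    for host, rules in summarize_by_host(triage(SAMPLE_LOG)).items():
        print(host, "->", ", ".join(rules))
```

The per-host summary matters more than any single rule: the .tmp drop and the Run key fire on plenty of legitimate software, so they are only worth escalating when they coincide on one host with the C2 address, the User-Agent or the mutex.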
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.