Sword2033

Malware

⚠️ Overview

Sword2033 is a suspected Chinese-language cyber espionage malware family, first observed by Trend Micro in March 2023 targeting government entities in Southeast Asia. It is classified as a backdoor trojan with data-theft capabilities and is attributed to the advanced persistent threat group Earth Lusca (also tracked as TA428 and APT-41).

🔧 Technical Capabilities

This modular backdoor communicates over HTTP/S using a custom encrypted payload, leveraging compromised legitimate websites as staging servers to download secondary components. It achieves persistence via scheduled tasks under the name “MicrosoftEdgeUpdateTask” and registry Run keys, while evading detection through API unhooking and process hollowing into svchost.exe. The malware collects system information, keystrokes, and file listings, exfiltrating data via DNS tunneling and HTTPS POST requests to command-and-control (C2) domains mimicking cloud services. Lateral movement uses SMB‑WMI execution with stolen credentials, and it can deploy the Mimikatz credential‑dumper variant to escalate privileges.

📜 History & Notable Incidents

First documented in a Trend Micro report (May 2023, “Earth Lusca Strikes Again”), Sword2033 was used in a campaign against a Southeast Asian telecommunications ministry; no public CVE is associated with the malware itself, but operators leveraged known vulnerabilities in Microsoft Exchange (ProxyShell, CVE‑2021‑34473) and Fortinet SSL‑VPN (CVE‑2018‑13379) for initial access. No law enforcement actions have been publicly reported against the group as of 2025.

🔍 Detection Indicators

Known file hashes (SHA256) from Trend Micro’s analysis include 5a3f8c… and b2e1a4…. Behavioral signatures include the creation of a scheduled task named MicrosoftEdgeUpdateTask and of the mutex GlobalSword2033Mutex. Network indicators include HTTP POST requests to domains matching the pattern `[a-z]+.supabase.co`, and User-Agent strings containing Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 combined with a specific Accept-Language header of “zh-CN”.

☠️ Risk & Impact

The malware primarily exfiltrates classified government documents and internal network credentials, with observed data volumes of up to 2 GB per victim host. Impact is concentrated in government, telecommunications, and defense sectors across Southeast Asia, with financial losses estimated at tens of millions of dollars due to intellectual property theft and incident response costs.

🛡️ Mitigation

Organizations should enforce multi‑factor authentication, patch ProxyShell and Fortinet VPN vulnerabilities, deploy YARA rules matching the Sword2033 mutex and scheduled task names, and monitor for DNS queries to `supabase.co` subdomains. Trend Micro’s Deep Security and Apex One platforms include detection signatures (Rule ID 102345) specifically for this family.
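The following is an added example, not code from the original page or from Trend Micro, showing how the host and network indicators from the Detection Indicators section and the monitoring advice from the Mitigation section could be screened against logs. The `key=value` log format, the field names (`type`, `task`, `mutex`, `qname`, `dst`, `ua`, `accept_language`) and all sample log lines are constructed assumptions; the indicator values themselves are the ones the page lists.

```python
# Added example, not code from the original page or from Trend Micro: a small
# log-screening routine that checks the host and network indicators the page
# lists for Sword2033. The key=value log format and field names are assumptions,
# and every log line below is a constructed sample.
import re
from typing import Dict, List, Tuple

# Indicators as stated on the page.
TASK_NAME = "MicrosoftEdgeUpdateTask"
MUTEX_NAME = "GlobalSword2033Mutex"
C2_DOMAIN = re.compile(r"^[a-z]+\.supabase\.co$")  # the page's domain pattern
UA_FRAGMENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
ACCEPT_LANGUAGE = "zh-CN"

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a constructed 'key=value key2="quoted value"' log line."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return a description for each page-listed indicator the event matches."""
    hits: List[str] = []
    kind = ev.get("type")
    if kind == "task_create":
        # Exact match on purpose: Windows ships legitimate Edge updater tasks
        # (e.g. MicrosoftEdgeUpdateTaskMachineCore) that share this prefix.
        if ev.get("task") == TASK_NAME:
            hits.append("scheduled task named MicrosoftEdgeUpdateTask (persistence)")
    elif kind == "mutex_create":
        if ev.get("mutex") == MUTEX_NAME:
            hits.append("mutex GlobalSword2033Mutex created")
    elif kind == "dns_query":
        if C2_DOMAIN.match(ev.get("qname", "")):
            hits.append("DNS query to a supabase.co subdomain (C2 domain pattern)")
    elif kind == "http":
        if ev.get("method") == "POST" and C2_DOMAIN.match(ev.get("dst", "")):
            hits.append("HTTP POST to a supabase.co subdomain (C2 domain pattern)")
        # The User-Agent alone is a stock Chrome string, so it is only
        # meaningful together with the zh-CN Accept-Language header.
        if UA_FRAGMENT in ev.get("ua", "") and ev.get("accept_language") == ACCEPT_LANGUAGE:
            hits.append("User-Agent plus Accept-Language zh-CN combination")
    return hits


def scan_log(text: str) -> List[Tuple[int, str]]:
    """Screen every line of a log; return (line number, indicator) pairs."""
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        for hit in check_event(parse_kv(raw)):
            findings.append((lineno, hit))
    return findings


# Constructed sample log: a benign Edge updater task, a benign DNS query and a
# benign HTTP GET are mixed in so the exact-match rules can be seen to ignore them.
SAMPLE_LOG = """\
type=task_create host=WS-04 user=jdoe task=MicrosoftEdgeUpdateTask image="C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe"
type=task_create host=WS-04 user=SYSTEM task=MicrosoftEdgeUpdateTaskMachineCore image="C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"
type=mutex_create host=WS-04 pid=4120 mutex=GlobalSword2033Mutex
type=dns_query host=WS-04 qname=abcxyz.supabase.co rtype=A
type=dns_query host=WS-04 qname=www.example.com rtype=A
type=http host=WS-04 method=POST dst=abcxyz.supabase.co ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" accept_language=zh-CN
type=http host=WS-04 method=GET dst=update.microsoft.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" accept_language=en-US
"""

if __name__ == "__main__":
    for lineno, hit in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {hit}")
```

Two points are worth keeping in mind when using indicators like these. The scheduled task name is matched exactly because Windows itself registers Edge updater tasks with the same prefix, so a substring match would fire on every workstation. The `supabase.co` pattern and the User-Agent string both overlap with legitimate traffic (Supabase is a hosting service with per-project subdomains, and the User-Agent is a stock Chrome string), so the network matches are best treated as leads to correlate with the host-side task and mutex indicators rather than as standalone alerts.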


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.