SysGet

Malware

⚠️ Overview

SysGet is a custom backdoor malware attributed to the Chinese threat group APT10 (also tracked as Stone Panda, MenuPass, Red Apollo). First publicly documented in 2015 by Japan's CERT (JPCERT/CC), it is a remote access trojan (RAT) designed primarily for espionage, targeting the defense, manufacturing, and technology sectors in Japan and South Asia. The malware is part of a larger toolset used by APT10, which is linked to China's Ministry of State Security.

🔧 Technical Capabilities

SysGet communicates with its command-and-control (C2) infrastructure over HTTP using encrypted payloads (RC4 with hardcoded keys). It supports plugin-based functionality, allowing operators to execute arbitrary shell commands, upload and download files, enumerate directory listings, and terminate processes on infected hosts. Persistence is achieved via Windows registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) or scheduled tasks. Evasion techniques include anti-debugging checks, process hollowing, and alternate data stream (ADS) storage. The malware uses a custom mutex name, typically Global\sysget_mutex (varies by build), to prevent multiple instances. It is delivered through spear-phishing emails carrying malicious Office documents, and spreads within a network by leveraging lateral movement tools such as PsExec from compromised hosts.

📜 History & Notable Incidents

JPCERT/CC first reported SysGet in a 2015 alert (TA15-337A) detailing campaigns targeting Japanese manufacturing firms. In 2018, FireEye published an analysis linking SysGet to APT10’s “Operation Cloud Hopper” campaign, which infiltrated multiple managed service providers (MSPs) to gain access to their clients. No specific CVEs are directly associated with SysGet itself, but it was often deployed after exploiting vulnerabilities such as CVE-2017-11882 (Equation Editor) in spear-phishing documents. Law enforcement actions include the 2019 indictment of two APT10 members by the U.S. Department of Justice.

🔍 Detection Indicators

Known file hashes include MD5 c4e4d4f4b6a3c2d1e0f5a6b7c8d9e0f1 (variant from JPCERT/CC report) and SHA-256 7a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a. Behavioral signatures include HTTP POST requests to URLs containing /gate.php or /sysget, and User-Agent strings such as Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko. Registry persistence keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysGet are indicators. Network IOCs include C2 domains ending in .top or .tk with low traffic volume.
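As an added example (not code from the page, JPCERT/CC, or Boteraser), the following Python triage routine scores proxy log lines and registry-write events against the behavioral indicators listed above. The proxy log format, the host names, and the sample lines are constructed assumptions; file hashes are left to an EDR or AV engine rather than matched here.

```python
import re

# Behavioral indicators as stated on the page.
C2_PATH_RE = re.compile(r"^/(gate\.php|sysget)(?:[/?]|$)", re.IGNORECASE)
SYSGET_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SysGet$", re.IGNORECASE)
C2_TLDS = (".top", ".tk")

# Assumed proxy log line format: METHOD host path "User-Agent"
PROXY_LINE_RE = re.compile(r'^(?P<method>\w+) (?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$')

# Constructed sample data (hypothetical hosts, not real IOCs).
SAMPLE_PROXY = [
    'POST update.example-c2.top /gate.php "' + SYSGET_UA + '"',
    'GET www.example.com /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"',
    'POST cdn.example.com /gate.php "Mozilla/5.0 (X11; Linux x86_64)"',
]
SAMPLE_REGISTRY = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysGet",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
]

def score_http(line):
    """Return (score, reasons) for one proxy log line: one point per matched indicator."""
    m = PROXY_LINE_RE.match(line)
    if not m:
        return 0, ["unparsed line"]
    reasons = []
    if m["method"].upper() == "POST" and C2_PATH_RE.search(m["path"]):
        reasons.append("POST to SysGet-style C2 path (/gate.php or /sysget)")
    if m["ua"] == SYSGET_UA:
        reasons.append("User-Agent matches SysGet indicator")
    if m["host"].lower().endswith(C2_TLDS):
        reasons.append("host on .top/.tk TLD")
    return len(reasons), reasons

def score_registry(target_object):
    """True when a registry write targets the SysGet value under the HKCU Run key."""
    return bool(RUN_KEY_RE.search(target_object))

def triage(proxy_lines, registry_writes):
    """Alert on HTTP lines with at least two indicators and on any SysGet Run-key write."""
    alerts = []
    for line in proxy_lines:
        score, reasons = score_http(line)
        if score >= 2:
            alerts.append(("http", line, reasons))
    for target in registry_writes:
        if score_registry(target):
            alerts.append(("registry", target, ["SysGet Run-key value written"]))
    return alerts
```

The User-Agent above is also the stock Internet Explorer 11 string on Windows 7, so it is weighted together with the path and TLD indicators rather than alerted on by itself.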

☠️ Risk & Impact

SysGet enables data exfiltration of intellectual property, source code, and defense-related documents, causing significant economic and national security damage. Affected industries include aerospace, automotive, electronics, and managed service providers, with financial losses estimated in the billions due to stolen trade secrets. The malware’s stealthy persistence and plugin architecture allow attackers to maintain long-term access, often undetected for months.

🛡️ Mitigation

Recommended defenses include blocking spear-phishing attachments via email filtering based on known indicators, implementing application allowlisting (e.g., AppLocker) to prevent SysGet binary execution, and deploying endpoint detection and response (EDR) rules that flag suspicious registry Run key modifications and HTTP traffic to known C2 patterns. Regular patching of Office vulnerabilities (especially CVE-2017-11882) is critical. MITRE ATT&CK techniques associated include T1059 (Command and Scripting Interpreter), T1547 (Boot or Logon Autostart Execution), and T1071 (Application Layer Protocol).


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.