T9000
Malware
⚠️ Overview
T9000 is a modular backdoor (remote access trojan) documented by Palo Alto Networks Unit 42 in February 2016 in the report "T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques". It is the successor to the T5000 family (also called Plat1) and was observed in targeted espionage attacks, including against organizations in the United States. The Unit 42 report does not attribute T9000 to a named group; the APT10 (Stone Panda, Red Apollo, MenuPass) attribution sometimes repeated for it comes from the unrelated Operation Cloud Hopper reporting and is not supported by the T9000 analysis.
🔧 Technical Capabilities
T9000 has a modular architecture. The installer drops a legitimate signed executable (igfxtray.exe) next to a malicious DLL (ResN32.dll) that the executable side-loads, and the core then loads plugin modules for individual tasks. Documented capabilities include screenshots, clipboard capture, keystroke capture, collection of Office documents (.doc, .xls, .ppt and similar) from removable drives, and recording of Skype audio and video calls through the Skype API. It injects into trusted processes such as explorer.exe to blend in, and its most distinctive anti-analysis behaviour is a scan for roughly two dozen security products before installation, with the install path changed according to what it finds. C2 communication runs over HTTP with encrypted payloads (reported as RC4 with a hardcoded key). MITRE ATT&CK tracks T9000 as software entry S0098 and maps it to techniques including T1574.002 (DLL Side-Loading), T1055 (Process Injection), T1113 (Screen Capture), T1123 (Audio Capture), T1115 (Clipboard Data), T1025 (Data from Removable Media) and T1518.001 (Security Software Discovery). There is no ATT&CK entry "T9002", and the claim that it is a T9000 variant is unsupported.
📜 History & Notable Incidents
Unit 42 published its analysis in February 2016 after observing T9000 in targeted attacks delivered as RTF attachments that exploited the Microsoft Office vulnerabilities CVE-2012-1856 and CVE-2015-1641. T9000 belongs to the T5000 (Plat1) lineage, which had been reported publicly in 2014. No CVE is exclusive to T9000; the Office exploits are only the delivery mechanism for the installer. The "Cobalt Kitty" campaign (Cybereason, 2017, attributed to OceanLotus/APT32) and "Operation Cloud Hopper" (PwC and BAE Systems, 2017, attributed to APT10) are sometimes listed alongside T9000, but the public reporting on those campaigns describes different toolsets and does not mention T9000.
🔍 Detection Indicators
Indicators listed for T9000 include the mutex names Global\MSGina_Share and Global\MAIN_MTX, a persistence value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and HTTP C2 traffic carrying the User-Agent string "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)" with non-standard headers. The side-loading pair (the legitimate igfxtray.exe loading ResN32.dll from a user-writable directory such as %APPDATA%) and the scan for installed security products are behavioural indicators that survive recompilation. File hashes for the analysed samples are published in the Unit 42 report's IOC list and should be taken from there rather than from secondary copies, which frequently carry corrupted or invented values.
☠️ Risk & Impact
T9000 is an espionage tool: its impact is long-term, quiet collection of screenshots, clipboard contents, keystrokes, Office documents from removable media and recorded Skype calls, exfiltrated over encrypted HTTP that is easy to mistake for browser traffic. Because it checks for security products and adapts its installation, a victim that relies on endpoint protection alone can remain compromised for a long time. The breach figures circulated for Operation Cloud Hopper describe that campaign, not T9000 incidents.
🛡️ Mitigation
Defenders should block the C2 domains and IP addresses from Unit 42's published IOC list and patch Office against the vulnerabilities used for delivery (CVE-2012-1856, CVE-2015-1641) and later Office exploits. For endpoint detection, Sysmon event ID 1 records process creation and will not catch injection; the useful events are ID 7 (image loaded) for a signed executable loading an unsigned DLL from a user-writable path, ID 8 (CreateRemoteThread) for injection into explorer.exe, and ID 13 (registry value set) for Run-key persistence pointing at a user-writable location. Network segmentation for high-value hosts, alerting on the listed User-Agent string at the proxy, and user awareness training against spear-phishing attachments are also critical, and EDR or YARA rules keyed on the component names (igfxtray.exe paired with ResN32.dll) give a cheap first hunt.
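The following hunt script turns the indicators from the Detection Indicators section and the Sysmon guidance above into runnable checks. It is an added example, not code from Unit 42 or from this site: the Sysmon field names (Image, ImageLoaded, Signed, SourceImage, TargetImage, TargetObject, Details) follow Sysmon's event schema, the proxy and mutex record shapes are assumptions for illustration, and the log lines are constructed test data rather than a real capture. The generic rules (unsigned DLL from a user-writable path, remote thread into a trusted process, Run key pointing into a user-writable directory) deliberately go beyond the fixed T9000 strings so that a recompiled sample still trips them.

```python
"""Hunt for T9000 tradecraft and IOCs in Sysmon and proxy JSON-lines records.

Added example for this page; not Unit 42's or Boteraser's code. Sysmon field
names follow the Sysmon event schema; the "proxy" and "mutex" record shapes
are assumptions, and SAMPLE_LOG below is constructed test data.
"""
import json
import re

# Indicators listed on this page (Unit 42's published IOC list is authoritative).
T9000_MUTEXES = {"Global\\MSGina_Share", "Global\\MAIN_MTX"}
T9000_USER_AGENT = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
# Legitimate host binary -> malicious DLL pair documented for T9000's side-loading stage.
T9000_SIDELOAD = {("igfxtray.exe", "resn32.dll")}
INJECTION_TARGETS = {"explorer.exe", "svchost.exe"}

USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Public)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, so comparisons ignore directory and case."""
    return path.rsplit("\\", 1)[-1].lower()


def check(ev):
    """Return a rule name if one record matches T9000 behaviour, else None."""
    eid = ev.get("EventID")
    if eid == 7:  # image load: known pair, or unsigned DLL from a user-writable directory
        host, dll = basename(ev["Image"]), basename(ev["ImageLoaded"])
        if (host, dll) in T9000_SIDELOAD:
            return "t9000_known_sideload_pair"
        if ev.get("Signed", "").lower() == "false" and USER_WRITABLE.search(ev["ImageLoaded"]):
            return "unsigned_dll_from_user_writable_path"
    elif eid == 8:  # CreateRemoteThread into a trusted process from outside System32
        if basename(ev["TargetImage"]) in INJECTION_TARGETS and \
                not ev["SourceImage"].lower().startswith("c:\\windows\\system32\\"):
            return "remote_thread_into_trusted_process"
    elif eid == 13:  # registry value set: Run key whose data points into a user-writable path
        if RUN_KEY.search(ev["TargetObject"]) and USER_WRITABLE.search(ev.get("Details", "")):
            return "run_key_persistence_user_writable"
    elif ev.get("type") == "proxy" and ev.get("user_agent") == T9000_USER_AGENT:
        return "t9000_user_agent"
    elif ev.get("type") == "mutex" and ev.get("name") in T9000_MUTEXES:
        return "t9000_mutex"
    return None


def scan(lines):
    """Parse JSON-lines records and return (rule, record) pairs for every hit, in order."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        rule = check(ev)
        if rule:
            hits.append((rule, ev))
    return hits


# Constructed sample: one positive and one benign record per rule (not a real capture).
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Intel\\igfxtray.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\Intel\\ResN32.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\tool.exe", "ImageLoaded": "C:\\ProgramData\\Vendor\\helper.dll", "Signed": "false"}
{"EventID": 8, "SourceImage": "C:\\Users\\alice\\AppData\\Roaming\\Intel\\igfxtray.exe", "TargetImage": "C:\\Windows\\explorer.exe"}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\explorer.exe"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ResN32", "Details": "C:\\Users\\alice\\AppData\\Roaming\\Intel\\igfxtray.exe"}
{"EventID": 13, "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"}
{"type": "proxy", "host": "203.0.113.10", "user_agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"}
{"type": "proxy", "host": "203.0.113.11", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}
{"type": "mutex", "pid": 4412, "name": "Global\\MAIN_MTX"}
"""


def summarize(text=SAMPLE_LOG):
    """Rule names fired by the sample, in record order."""
    return [rule for rule, _ in scan(text.splitlines())]


if __name__ == "__main__":
    for rule, ev in scan(SAMPLE_LOG.splitlines()):
        print(f"{rule:40s} {ev}")
```

Feed real Sysmon events exported as JSON (for example from a SIEM) to scan(); the exact-match rules on the User-Agent and mutex names are brittle and should be reviewed against the current Unit 42 IOC list, while the three behavioural rules are where most of the detection value lies.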
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.