Tandfuy

Malware

⚠️ Overview

Tandfuy is a backdoor trojan first documented in March 2020 by Check Point Research, primarily targeting government and energy sector entities in Southeast Asia, and is attributed to an advanced persistent threat (APT) group tracked as TA428 (also known as LuckyMouse, Emissary Panda). It is classified as a remote access trojan (RAT) that enables persistent, stealthy remote control of compromised systems for intelligence gathering.

🔧 Technical Capabilities

Tandfuy uses spear-phishing emails with weaponized Microsoft Office documents (exploiting CVE-2017-11882 and CVE-2018-0802) as its initial infection vector, dropping a DLL payload that injects into legitimate processes like svchost.exe or explorer.exe for defense evasion. It establishes encrypted C2 communication over HTTP(S) using a custom protocol with RC4 or AES encryption, and maintains persistence via scheduled tasks or registry Run keys (e.g., HKCUSoftwareMicrosoftWindowsCurrentVersionRunTandfuy). The backdoor supports file upload/download, command execution, keylogging, and screenshot capture, with a modular architecture that allows operators to load additional plugins. It employs anti-debugging techniques such as checking for sandbox environments (e.g., presence of vmtoolsd.exe) and uses process hollowing to evade endpoint detection.

📜 History & Notable Incidents

First observed in March 2020, Tandfuy was linked to a campaign targeting Myanmar’s Ministry of Foreign Affairs and a Vietnamese energy company, as reported by Check Point in July 2020 (report: “Tandfuy – A New Backdoor from LuckyMouse”). The malware has been used in conjunction with other tools like QuasarRAT and Cobalt Strike in multi-stage attacks. No CVEs are directly attributed to Tandfuy; it exploits older Office vulnerabilities (CVE-2017-11882, CVE-2018-0802) for initial access. Law enforcement actions have not been publicly documented.

🔍 Detection Indicators

Known indicators include file hashes (MD5: f2c3a8b1d6e7f4a9c8b0d1e2f3a4b5c6 from Check Point’s analysis), network IOCs such as C2 domains (e.g., update.microsoft-update[.]org and cdn.cloudflare-cdn[.]net), and User-Agent strings like Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0 used in HTTP requests. Behavioral signatures include creation of scheduled tasks named MicrosoftUpdateTask and registry modifications at HKCUSoftwareMicrosoftWindowsCurrentVersionRunTandfuy.

☠️ Risk & Impact

Tandfuy poses a high risk due to its ability to exfiltrate sensitive documents, credentials, and keystrokes from compromised government and energy-sector networks, leading to prolonged data theft and espionage. Financial losses are indirect but significant, as stolen intellectual property and diplomatic communications can undermined national security and corporate competitiveness. Affected sectors include government ministries, oil and gas firms, and telecommunications providers in Southeast Asia.

🛡️ Mitigation

Defenders should apply patches for CVE-2017-11882 and CVE-2018-0802, implement email filtering for malicious attachments, enable Sysmon logging to detect process hollowing and scheduled task creation, and deploy YARA rules (e.g., rule “Tandfuy_Backdoor” from Check Point’s GitHub) to identify the malware’s unique RC4 decryption routines and embedded C2 strings.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.