TDiscoverer
Malware
⚠️ Overview
TDiscoverer is an espionage malware family attributed to a Chinese-speaking threat actor and first documented by Unit 42 (Palo Alto Networks) in a March 2023 report. It is classified as a backdoor and information stealer and is believed to be operated by the state-sponsored group tracked as Earth Preta (also known as Mustang Panda or TA416). Reported targeting covers government, diplomatic, and technology organizations in Southeast Asia, Europe, and the Middle East.
🔧 Technical Capabilities
TDiscoverer arrives through spear-phishing emails. Two delivery paths are described: ISO or LNK attachments, where the user launching the shortcut provides execution, and Office documents that exploit CVE-2017-11882 (the Microsoft Equation Editor memory-corruption bug) to run code without further interaction; an ISO or LNK lure does not need the Equation Editor flaw. Command-and-control runs over HTTPS to hardcoded IP addresses, with message bodies RC4-encrypted and then base64-encoded (base64 is transport encoding, not a second layer of encryption). The backdoor performs system reconnaissance, file exfiltration, and keylogging, and executes arbitrary commands through a plugin-based architecture. Persistence is achieved through scheduled tasks or registry Run keys. Evasion techniques include string obfuscation and abuse of legitimate Windows binaries (LOLBins) for process injection.
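The RC4-then-base64 layering described above is worth seeing end to end, because it shapes both what an analyst must do to read C2 traffic (recover the key from the sample, then decode) and what a network sensor can and cannot see. The following is an added example, not code from the page or from the Unit 42 report; the key and beacon contents are constructed, and TDiscoverer's real key and message layout are not given on this page.

```python
import base64

# Added example: a minimal RC4 + base64 codec of the kind the page describes for
# TDiscoverer's C2 channel. KEY is an assumption for illustration, not a key
# recovered from any real sample.
KEY = b"example-c2-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling followed by keystream generation. Encryption and
    decryption are the same XOR, so one function serves both directions."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_beacon(key: bytes, plaintext: bytes) -> str:
    """Implant side: RC4-encrypt, then base64 so the body survives HTTP transport."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_beacon(key: bytes, body: str) -> bytes:
    """Analyst side: strip the base64 layer, then RC4 with the recovered key."""
    return rc4(key, base64.b64decode(body))


def strip_base64_only(body: str) -> bytes:
    """What a sensor without the key sees: base64 decodes to RC4 ciphertext,
    not to plaintext. base64 is an encoding layer, not encryption."""
    return base64.b64decode(body)


if __name__ == "__main__":
    beacon = b"host=WS-042|user=alice|os=Windows 10|cmd=sysinfo"  # constructed
    wire = encode_beacon(KEY, beacon)
    print("on the wire :", wire)
    print("b64 only    :", strip_base64_only(wire).hex(), "(still ciphertext)")
    print("with key    :", decode_beacon(KEY, wire))
```

Two practical consequences follow. Because the key is hardcoded in the binary, pulling it from one sample decodes every beacon that sample family sends, so the key is a high-value extraction target during analysis. Conversely, RC4 output is plaintext XORed with a keystream and has no detectable signature on the wire; network detection has to key on the infrastructure (hardcoded IPs), the HTTP envelope (User-Agent, URI shape, base64 body in a POST) and beacon timing rather than on the cipher itself.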
📜 History & Notable Incidents
TDiscoverer was first observed in February 2023, in a campaign against government entities in Myanmar and the Philippines. Unit 42 identified over 40 unique samples between March and July 2023, some of which shared C2 infrastructure with other toolkits such as Plead and ShadowPad (Plead is more commonly attributed to BlackTech than to Earth Preta, so shared infrastructure should not be read as proof of a single operator). No CVE is associated with TDiscoverer itself, since CVEs identify vulnerabilities rather than malware; the family relies on CVE-2017-11882 for execution. No law enforcement actions have been publicly reported.
🔍 Detection Indicators
This entry carries no verified indicators. The hash and IP values in the source text are marked there as placeholders and are omitted here (the quoted hash is not even a valid SHA-256 length); authoritative sample hashes and C2 addresses should be taken from the Unit 42 report. The indicator classes to hunt for are: SHA-256 hashes of the dropper and backdoor; hardcoded C2 IP addresses contacted over TCP/443; a distinctive HTTP User-Agent (the source text cites the form "Mozilla/5.0 (Windows NT 10.0; Win64; x64) TDiscoverer/1.0", which should be treated as unconfirmed until matched against the report); and persistence entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Run or in newly created scheduled tasks.
☠️ Risk & Impact
TDiscoverer poses a high risk because its espionage capabilities support long-term exfiltration of sensitive documents, credentials, and email archives. Reported impact includes theft of government communications and of intellectual property from defense contractors. Affected sectors include government, diplomatic missions, and technology firms in Asia and Europe.
🛡️ Mitigation
Mitigations include blocking or sandboxing spear-phishing attachments of ISO and LNK type, applying Microsoft's November 2017 security update for CVE-2017-11882 (Microsoft stopped issuing MS-numbered bulletins in 2017, so there is no "MS17-014" for this bug) or disabling the Equation Editor component outright, and deploying the YARA rules Unit 42 publishes for the family. Endpoint detection rules should alert on scheduled-task creation and Run-key writes from document-handling processes or pointing into user-writable paths, and on outbound HTTPS to known C2 addresses. A SIEM fed with threat-intelligence indicators can match those addresses and User-Agent strings; it cannot detect the RC4 layer itself, since RC4 ciphertext has no distinguishing pattern, so network detection rests on infrastructure indicators and endpoint behaviour.
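The indicator classes in the Detection Indicators section and the endpoint and network rules in the Mitigation section translate into a small set of checks over normalised telemetry. Below is an added example of that detection logic, not the page's or Unit 42's code: Sysmon-style events are constructed inline, the C2 address is an RFC 5737 test address, and the User-Agent token is a made-up stand-in, because the page gives no verified TDiscoverer indicators.

```python
import re

# Added example, not from the page or Unit 42. Watch lists are constructed:
# an RFC 5737 test address and a made-up User-Agent token stand in for the
# real indicators, which this page does not supply.
C2_ADDRESSES = {"203.0.113.17"}
UA_PATTERNS = [re.compile(r"TDiscoverer/\d+\.\d+", re.I)]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Processes that handle lure documents and should never spawn schtasks.exe
DOC_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}


def check_event(ev: dict) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for one normalised endpoint or network event."""
    hits = []
    kind = ev.get("type")
    if kind == "registry_set":
        key, data = ev.get("key", ""), ev.get("data", "")
        # Run-key persistence whose target lives in a user-writable directory
        if RUN_KEY.search(key) and USER_WRITABLE.search(data):
            hits.append(("run_key_persistence", f"{key} -> {data}"))
    elif kind == "process_create":
        image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
        parent = ev.get("parent", "").lower().rsplit("\\", 1)[-1]
        cmd = ev.get("cmdline", "")
        # schtasks /create spawned by a document handler, or with a task action
        # pointing into a user-writable path
        if image == "schtasks.exe" and "/create" in cmd.lower() and (
            parent in DOC_HANDLERS or USER_WRITABLE.search(cmd)
        ):
            hits.append(("scheduled_task_persistence", f"{parent} -> {cmd}"))
    elif kind == "network_connect":
        # Infrastructure match; the cipher inside the TLS session is not inspectable
        if ev.get("dst_ip") in C2_ADDRESSES:
            hits.append(("c2_infrastructure", f"{ev['dst_ip']}:{ev.get('dst_port')}"))
    elif kind == "http_request":
        ua = ev.get("user_agent", "")
        if any(p.search(ua) for p in UA_PATTERNS):
            hits.append(("c2_user_agent", ua))
    return hits


def run_detections(events) -> list[tuple[str, str]]:
    """Run every rule over a sequence of events and collect the hits in order."""
    return [hit for ev in events for hit in check_event(ev)]


# Constructed sample telemetry (Sysmon-style fields), not real captures.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\alice\AppData\Roaming\upd\svchost.exe"},
    {"type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "data": r"C:\Program Files\Windows Defender\MSASCuiL.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"schtasks /create /tn Upd /sc minute /mo 30 /tr C:\Users\alice\AppData\Roaming\upd\svchost.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "schtasks /query /fo list"},
    {"type": "network_connect", "dst_ip": "203.0.113.17", "dst_port": 443},
    {"type": "network_connect", "dst_ip": "198.51.100.5", "dst_port": 443},
    {"type": "http_request",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) TDiscoverer/1.0"},
    {"type": "http_request",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
]

if __name__ == "__main__":
    for rule, detail in run_detections(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The behavioural rules (Run key or scheduled task pointing into AppData, schtasks spawned by Office or Equation Editor) keep working after the actor rotates infrastructure; the IP and User-Agent matches are cheap but expire with the next campaign, so the two kinds of rule belong side by side rather than as alternatives.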
Similar Threats
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.