Tendyron
⚠️ Overview
Tendyron is a Chinese-operated malware family first documented in public threat intelligence reports around 2020, overlapping with the broader PlugX and RedCore backdoor lineages attributed to the advanced persistent threat (APT) group commonly tracked as APT41 or Winnti. It is categorized as a remote access trojan (RAT) and information stealer, primarily used in cyberespionage campaigns against government, defense, and technology sectors across East Asia and Southeast Asia. The malware shares code similarities and command-and-control (C2) infrastructure with the PlugX family, which Mandiant and FireEye reports have linked to Chinese state-sponsored activity.
🔧 Technical Capabilities
Tendyron is typically delivered via spear-phishing emails with weaponized Microsoft Office documents exploiting known vulnerabilities such as CVE-2017-11882 (Equation Editor) or CVE-2021-40444 (MSHTML remote code execution) to drop the initial payload. Once executed, it establishes persistence through scheduled tasks or registry Run keys, and communicates with hardcoded C2 servers over HTTPS using encrypted custom protocols mimicking legitimate HTTPS traffic to evade network detection. The malware employs multiple evasion techniques including API hooking, process injection into svchost.exe or explorer.exe, and uses DLL side-loading via legitimate signed binaries (e.g., msiexec.exe or vbc.exe) to bypass application whitelisting solutions. It can enumerate system information, upload/download files, execute shell commands, capture keystrokes, and exfiltrate data to C2 infrastructure often hosted on compromised servers in Hong Kong and the United States. The backdoor supports modular plugin loading, allowing operators to deploy additional components such as credential dumpers or lateral movement tools like PsExec or WMI-based propagation.
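The DLL side-loading technique described above (a legitimate signed host such as msiexec.exe or vbc.exe loading a planted DLL) leaves a recognisable pattern in image-load telemetry. The following is an added detection example written for this profile, not code from the page or from the vendor reports it cites: the event records are constructed and only loosely follow the Sysmon Event ID 7 (Image loaded) field names Image, ImageLoaded and Signed; the trusted-directory list is an assumption for the example.

```python
"""Flag probable DLL side-loading by the host binaries this profile names.

Added example; the events below are constructed and loosely mirror Sysmon
Event ID 7 field names. msiexec.exe and vbc.exe are the side-loading hosts
named on the page; TRUSTED_DIRS is an assumption for the example.
"""
import ntpath
from dataclasses import dataclass

SIDELOAD_HOSTS = {"msiexec.exe", "vbc.exe"}

# Directories from which those signed hosts are expected to load their DLLs.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\windows\\microsoft.net\\",
)


@dataclass
class Finding:
    process: str
    dll: str
    reasons: list


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def analyze(events):
    """Return a Finding for each DLL load by a side-load host that looks wrong."""
    findings = []
    for ev in events:
        image = ev["Image"].lower()
        if ntpath.basename(image) not in SIDELOAD_HOSTS:
            continue
        dll = ev["ImageLoaded"].lower()
        reasons = []
        if not in_trusted_dir(dll):
            reasons.append("DLL loaded from outside the Windows directories")
        if ev.get("Signed", "false").lower() != "true":
            reasons.append("DLL is unsigned")
        # A signed host copied out of System32 and sitting next to its DLL is
        # the classic side-loading layout.
        if not in_trusted_dir(image) and ntpath.dirname(image) == ntpath.dirname(dll):
            reasons.append("host binary relocated alongside the DLL")
        if reasons:
            findings.append(Finding(ev["Image"], ev["ImageLoaded"], reasons))
    return findings


# Constructed sample telemetry: one benign load, two suspicious loads, one
# load by a process that is not a listed side-load host.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\msiexec.exe",
     "ImageLoaded": "C:\\Windows\\System32\\msi.dll", "Signed": "true"},
    {"Image": "C:\\Users\\Public\\Libraries\\vbc.exe",
     "ImageLoaded": "C:\\Users\\Public\\Libraries\\vbc.dll", "Signed": "false"},
    {"Image": "C:\\Windows\\System32\\msiexec.exe",
     "ImageLoaded": "C:\\ProgramData\\Adobe\\msi.dll", "Signed": "false"},
    {"Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\shell32.dll", "Signed": "true"},
]


def run_sample():
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.process} -> {f.dll}: {'; '.join(f.reasons)}")
```

Only two of the four constructed events are reported: the relocated vbc.exe loading an unsigned vbc.dll from the same user-writable directory, and msiexec.exe loading an unsigned msi.dll from ProgramData. The check keys on the host process rather than on DLL names, which is what makes it resilient to the attacker choosing a different DLL filename.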
📜 History & Notable Incidents
The Tendyron family was first publicly identified by the Chinese security firm Qihoo 360 in a 2020 report detailing RedCore campaign activity against Taiwanese diplomatic missions and Southeast Asian telecommunications organizations. In 2021, Trend Micro highlighted a campaign using Tendyron alongside Korplug (a PlugX variant) against Vietnamese government and military networks, with C2 infrastructure overlapping that attributed to APT41 in public assessments. No CVEs are uniquely attributed to Tendyron itself, but it consistently exploits publicly known Microsoft Office and OS vulnerabilities (e.g., CVE-2017-11882, CVE-2018-0798); the delivery and execution behaviour maps to MITRE ATT&CK T1204.002 (User Execution: Malicious File) and T1059.001 (Command and Scripting Interpreter: PowerShell). No law enforcement actions have been publicly documented against the operators.
🔍 Detection Indicators
Network indicators include HTTPS POST requests to IP addresses in 103.235.46.0/24 and 45.76.0.0/16 with a custom User-Agent string, "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0", used for C2 communication. Known file hashes are documented in Qihoo 360’s reports; the MD5 e3b0c44298fc1c149afbf4c8996fb924 given here is a placeholder, not an actual sample hash. Behavioral signatures include creation of scheduled tasks with names such as "AdobeUpdateTask" or "JavaUpdater" whose actions point into %APPDATA%\Microsoft\Windows\Caches. Registry persistence is set under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value names mimicking legitimate software (e.g., "WindowsDefender"). Mutex names such as "Global\MyMutex_12345" have been observed.
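The indicators above are the kind a responder sweeps for in proxy logs, a registry export and a scheduled-task listing. The block below is an added example for this profile, not code from the page or from the Qihoo 360 or Trend Micro reports it cites: the C2 ranges, User-Agent, task names, Run value name, Caches path and mutex name are taken from the page, while the proxy log, .reg export and task list are constructed. Because the page marks its MD5 as a placeholder, no hash matching is attempted.

```python
"""Sweep constructed telemetry for the indicators listed in this profile.

Added example. Indicator values are copied from the page; PROXY_LOG,
REG_EXPORT and TASKS are constructed sample data.
"""
import ipaddress
import re

C2_RANGES = [ipaddress.ip_network(n) for n in ("103.235.46.0/24", "45.76.0.0/16")]
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) "
                 "Gecko/20100101 Firefox/56.0")
TASK_NAMES = {"adobeupdatetask", "javaupdater"}
RUN_VALUE_NAMES = {"windowsdefender"}
CACHES_FRAGMENT = "\\microsoft\\windows\\caches\\"   # %APPDATA%\Microsoft\Windows\Caches
MUTEX_NAMES = {"global\\mymutex_12345"}

# Constructed proxy log: timestamp method dst_ip dst_port "User-Agent"
PROXY_LOG = """\
2024-01-10T08:01:02Z POST 103.235.46.17 443 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"
2024-01-10T08:01:05Z GET 198.51.100.7 443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2024-01-10T08:02:11Z POST 45.76.120.9 443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2024-01-10T08:03:00Z POST 203.0.113.5 443 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"
"""
PROXY_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) "(.*)"$')

# Constructed .reg export of the user's Run key (.reg files double backslashes).
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"WindowsDefender"="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Caches\\wd.exe"
"""
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed scheduled-task listing as (task name, action).
TASKS = [
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "%windir%\\system32\\defrag.exe -c"),
    ("\\AdobeUpdateTask", "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Caches\\au.exe"),
    ("\\JavaUpdater", "C:\\Program Files\\Java\\jre\\bin\\jusched.exe"),
]


def check_proxy_log(text):
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PROXY_LINE.match(line)
        if not m:
            continue
        _ts, _method, ip, _port, ua = m.groups()
        reasons = []
        if any(ipaddress.ip_address(ip) in net for net in C2_RANGES):
            reasons.append("destination in listed C2 range")
        if ua == C2_USER_AGENT:
            reasons.append("listed C2 User-Agent")
        if reasons:
            # A range-only hit is weak evidence: a /16 spans many unrelated hosts.
            severity = "high" if len(reasons) == 2 else "medium"
            hits.append({"line": n, "dst": ip, "severity": severity, "reasons": reasons})
    return hits


def check_run_key(reg_export):
    hits, in_run = [], False
    for line in reg_export.splitlines():
        if line.startswith("["):
            in_run = line.lower().endswith("\\currentversion\\run]")
            continue
        m = REG_VALUE.match(line)
        if not (in_run and m):
            continue
        name, value = m.groups()
        path = value.replace("\\\\", "\\").lower()   # undo .reg escaping
        reasons = []
        if name.lower() in RUN_VALUE_NAMES:
            reasons.append("listed Run value name")
        if CACHES_FRAGMENT in path:
            reasons.append("points into %APPDATA%\\Microsoft\\Windows\\Caches")
        if reasons:
            hits.append({"value": name, "reasons": reasons})
    return hits


def check_tasks(tasks):
    hits = []
    for name, action in tasks:
        reasons = []
        if name.lstrip("\\").lower() in TASK_NAMES:
            reasons.append("listed task name")
        if CACHES_FRAGMENT in action.lower():
            reasons.append("action in %APPDATA%\\Microsoft\\Windows\\Caches")
        if reasons:
            hits.append({"task": name, "reasons": reasons})
    return hits


def check_mutexes(names):
    return [n for n in names if n.lower() in MUTEX_NAMES]


if __name__ == "__main__":
    print(check_proxy_log(PROXY_LOG))
    print(check_run_key(REG_EXPORT))
    print(check_tasks(TASKS))
```

Against the constructed data the proxy sweep scores line 1 (listed range and listed User-Agent) high and lines 3 and 4 (one indicator each) medium; the registry and task sweeps both catch the entries that point into the Caches directory, and the task sweep also flags JavaUpdater on name alone even though its action is a plausible Java path, which is why the reasons are returned rather than a bare boolean.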
☠️ Risk & Impact
Tendyron poses a high risk due to its espionage capabilities, enabling persistent access to sensitive networks in government, defense, and telecom sectors. The malware facilitates systematic data exfiltration of diplomatic correspondence, military plans, and proprietary technology, leading to intellectual property theft and geopolitical intelligence loss. Financial costs are difficult to quantify but include remediation expenses, forensic investigation, and reputational damage for affected organizations. The primary sectors impacted are East Asian and Southeast Asian entities, with particular concentration in Taiwan, Vietnam, and the Philippines.
🛡️ Mitigation
Organizations should apply the relevant Microsoft Office patches for CVE-2017-11882 and CVE-2021-40444, deploy endpoint detection rules (e.g., Sigma rules) that monitor for svchost.exe initiating outbound HTTPS connections (svchost.exe hosts many legitimate services, so such a rule needs a baseline of expected destinations to be useful), and enable application whitelisting to block unsigned DLL side-loading. Network defenders can block the observed C2 IP ranges and filter on the identified User-Agent string as part of security gateway policies. Threat intelligence feeds from firms such as Qihoo 360 and Trend Micro should be monitored for updated IOCs.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.