ThreeByte

Malware

⚠️ Overview

ThreeByte is a first-stage downloader and reconnaissance tool first publicly documented by Cisco Talos in November 2023 under the designation "ThreeByte Downloader." It is attributed to a Chinese-affiliated threat group tracked as UNC5325 (Mandiant) or APT41 (FireEye) and is used primarily for initial access and staging in targeted ransomware and data-theft campaigns. It is categorized as a custom backdoor loader rather than commodity malware because of its targeted deployment against defense, government, and technology sectors in the Asia-Pacific region.

🔧 Technical Capabilities

ThreeByte employs multi-stage execution. The initial payload (typically a DLL or .NET executable delivered via spear-phishing with weaponized LNK files) decrypts embedded configuration data by XORing it with a hardcoded 3-byte key, which is the origin of the name. A 3-byte repeating key offers only 2^24 possibilities and leaks directly wherever the plaintext is predictable, so the configuration of a captured sample can be recovered with a short known-plaintext crib rather than by reverse engineering the decoder. It establishes persistence via a scheduled task or a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, using a value name that mimics a legitimate system component (e.g., "WindowsUpdate"). The malware communicates over HTTPS with dynamically generated C2 domains (pattern: [a-z]{8}\.[a-z]{2,3}) using a custom JSON-over-HTTPS protocol; it exfiltrates host information (OS version, processor, installed software, domain membership) before downloading secondary payloads. Evasion techniques include API hashing to avoid static imports, encryption of in-memory strings on the heap, and checks for sandbox indicators such as a small disk or running processes like "vmtoolsd.exe". ThreeByte does not self-propagate; it relies on manual deployment after initial compromise.
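The following is an added example, not ThreeByte's own decoder and not code from any of the cited reports. It shows why a 3-byte repeating XOR key gives an analyst almost nothing to break: given a guess about a fragment of the plaintext (a "crib", here the "https://" of a C2 URL), the key is read straight off the ciphertext and the configuration falls out. The key, the JSON field names and the encrypted blob are all constructed for the demo.

```python
"""Repeating-key XOR with a 3-byte key, and key recovery from a known-plaintext
crib. Added example for illustration only: this is not ThreeByte's own decoder,
and the key, configuration fields and blob below are constructed for the demo."""
import json

KEY_LEN = 3  # the page describes a hardcoded 3-byte key


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated cyclically; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_from_crib(ciphertext: bytes, crib: bytes, offset: int,
                  key_len: int = KEY_LEN):
    """Derive the key on the assumption that `crib` is the plaintext at `offset`.

    Byte j of the crib sits under key byte (offset + j) % key_len, so the
    derived key is already rotated into position-0 alignment. Returns None if
    the crib is too short to cover every key byte or contradicts itself.
    """
    if len(crib) < key_len or offset + len(crib) > len(ciphertext):
        return None
    key = [None] * key_len
    for j, p in enumerate(crib):
        slot = (offset + j) % key_len
        k = ciphertext[offset + j] ^ p
        if key[slot] is None:
            key[slot] = k
        elif key[slot] != k:
            return None  # not a repeating key at this offset
    return bytes(key)


def crib_drag(ciphertext: bytes, crib: bytes, key_len: int = KEY_LEN):
    """Slide the crib across the ciphertext and yield (offset, key) wherever a
    consistent repeating key exists. Cost is O(len(ct) * len(crib)); the 2^24
    brute force that the short key would also allow is never needed."""
    for off in range(len(ciphertext) - len(crib) + 1):
        key = key_from_crib(ciphertext, crib, off, key_len)
        if key is not None:
            yield off, key


def recover_config(ciphertext: bytes, crib: bytes = b"https://"):
    """Return (key, config) for the first candidate key whose output parses as
    JSON, or (None, None). The crib is a guess about the config contents; a C2
    URL in an HTTPS-speaking downloader is a reasonable one."""
    for _off, key in crib_drag(ciphertext, crib):
        plain = xor_repeat(ciphertext, key)
        try:
            return key, json.loads(plain.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue
    return None, None


# Constructed sample: a hypothetical key and config, not values from any sample.
SAMPLE_KEY = b"\x3b\x7f\xc4"
SAMPLE_CONFIG = {"c2": "https://abcdefgh.com/gate.php", "sleep": 30}
SAMPLE_BLOB = xor_repeat(json.dumps(SAMPLE_CONFIG).encode("utf-8"), SAMPLE_KEY)

if __name__ == "__main__":
    key, cfg = recover_config(SAMPLE_BLOB)
    print("key:", key.hex(), "config:", cfg)
```

The same approach applies to any short repeating XOR key: pick a crib at least as long as the key, drag it, and keep the candidate whose output looks like the expected format. Against a real sample the crib would come from strings the downloader must contain anyway (a scheme, a well-known path such as /gate.php, or NUL padding at the end of the blob).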

📜 History & Notable Incidents

First observed in May 2023 in a campaign targeting a South Korean defense contractor, ThreeByte was later used in June 2023 against a Taiwanese government agency as part of a larger supply-chain compromise. No CVEs are directly associated with ThreeByte, but it often drops Cobalt Strike beacons or Quasar RAT as follow-up payloads. The malware family remains actively used by UNC5325 as of early 2025, with detections reported by Mandiant (M-Trends 2024) and Cisco Talos (blog post "ThreeByte Downloader Analysis," November 2023). No law enforcement actions have been publicly attributed to disrupting this specific tool.

🔍 Detection Indicators

Two SHA256 hashes are reproduced for this family: a3b1c2d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1 (sample from the Cisco Talos report) and 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1 (from VirusTotal). As printed here both values are shorter than the 64 hex characters of a SHA-256 digest, so retrieve the full hashes from the cited reports before loading them into a blocklist. Network indicators include HTTP POST requests to URLs like /gate.php with User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36" (a stock Chrome 114 string, so of little value on its own) and the mutex name "Global\ThreeByte_Mutex_2023". Behavioral indicator: creation of a temp file named %TEMP%\tmp[8 random hex].dll after initial execution.

☠️ Risk & Impact

ThreeByte serves as a gateway for deeper compromise: it has facilitated data exfiltration from at least three organizations in the defense and semiconductor sectors, leading to theft of proprietary blueprints and personnel records. Financial losses are estimated in the tens of millions USD due to downstream ransomware (primarily Play ransomware) deployed after staging. The affected industries include government, defense, and high-tech manufacturing, primarily in South Korea, Taiwan, and Japan.

🛡️ Mitigation

Defenders should implement network detection rules for traffic to domains matching the C2 pattern (regex: [a-z]{8}\.(com|net|org)), block execution of unsigned .NET assemblies from email attachments, and deploy YARA rule r_threebyte_v1 (published by Mandiant) to detect the 3-byte XOR decoder. Two caveats apply to the network rule. First, the domain pattern also matches many legitimate eight-letter domains, so treat a match as an enrichment signal to be correlated with the POST to /gate.php and the User-Agent rather than as a block criterion on its own. Second, because the protocol runs over HTTPS, the URL, User-Agent and JSON body are only visible at a TLS-terminating proxy; DNS and TLS SNI logs expose the domain alone. Endpoint detection should monitor for the mutex "Global\ThreeByte_Mutex_2023" and for scheduled task creation with obfuscated names. Apply application control to prevent LNK file execution from untrusted sources.
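An added example that ties the indicators from the detection section to the network rule described here. It is not the Mandiant YARA rule or any vendor's signature; it scores several indicators together because the domain pattern and the User-Agent are each noisy in isolation (the regex matches facebook.com, and the UA is a common Chrome string). The tab-separated log layout (timestamp, client, method, URL, User-Agent) and every log line are constructed for the demo; adapt parse_line to your proxy's real format.

```python
"""Added example: a scoring detector that applies the network indicators from
this page to proxy log lines. Not the YARA rule or any vendor's detection; the
log format and every log line below are constructed for the demo."""
import re
from urllib.parse import urlsplit

# Indicators from the page. The domain pattern and the User-Agent are weak on
# their own: the regex matches facebook.com, and the UA is a stock Chrome 114 string.
DOMAIN_RE = re.compile(r"^[a-z]{8}\.(com|net|org)$")
C2_PATH = "/gate.php"
C2_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
         "(KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36")

# Constructed sample log, tab-separated: timestamp, client, method, URL, User-Agent
SAMPLE_LOG = """\
2024-03-01T10:00:01Z\t10.0.0.5\tGET\thttps://facebook.com/\tMozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0
2024-03-01T10:00:07Z\t10.0.0.9\tPOST\thttps://qwertyui.net/gate.php\t{ua}
2024-03-01T10:00:09Z\t10.0.0.9\tGET\thttps://example.com/update.json\t{ua}
2024-03-01T10:00:12Z\t10.0.0.7\tPOST\thttps://abcdefgh.org/gate.php\tcurl/8.4.0
""".format(ua=C2_UA)


def parse_line(line: str) -> dict:
    """Split one constructed log line into fields; adapt to your proxy format."""
    ts, client, method, url, ua = line.rstrip("\n").split("\t", 4)
    u = urlsplit(url)
    return {"ts": ts, "client": client, "method": method.upper(),
            "host": (u.hostname or "").lower(), "path": u.path, "ua": ua}


def score_record(rec: dict) -> list:
    """Return the list of indicators the record matches."""
    hits = []
    if DOMAIN_RE.match(rec["host"]):
        hits.append("domain-pattern")
    if rec["method"] == "POST" and rec["path"] == C2_PATH:
        hits.append("post-to-gate.php")
    if rec["ua"] == C2_UA:
        hits.append("user-agent")
    return hits


def detect(log_text: str, threshold: int = 2) -> list:
    """Alert on records matching at least `threshold` indicators.
    Returns [(client, host, hits), ...] in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        hits = score_record(rec)
        if len(hits) >= threshold:
            alerts.append((rec["client"], rec["host"], hits))
    return alerts


if __name__ == "__main__":
    for client, host, hits in detect(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(hits)}")
```

With the default threshold of two indicators the GET to facebook.com is ignored despite matching the domain regex, the POST to qwertyui.net/gate.php with the listed User-Agent scores three, and the curl POST to abcdefgh.org/gate.php still scores two. Raising the threshold to three keeps only the first of those, which is the trade-off between coverage and false positives that a pure domain-regex rule cannot express.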


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.