Thunker

Malware

⚠️ Overview

Thunker is a modular backdoor trojan first identified in 2018 by Palo Alto Networks Unit 42, attributed to the Chinese state-sponsored group APT10 (also known as Stone Panda, Red Apollo, and tracked as TA410 by some vendors). It belongs to the category of remote access trojans (RATs) used primarily for cyber espionage, targeting government, defense, telecommunications, and technology sectors in Southeast Asia and the United States. MITRE ATT&CK maps Thunker under software ID S0523 (also labeled as THINKER), reflecting its consistent use in APT10 operations.

🔧 Technical Capabilities

Thunker propagates via spear-phishing emails carrying malicious Office documents that exploit CVE-2017-0199 or CVE-2018-8174 to drop a DLL loader; its core component is a service DLL that communicates with command-and-control (C2) servers over HTTP using a custom XOR-based encryption scheme with a rolling key. The malware achieves persistence by installing itself as a Windows service named "ThunkerService" and uses process hollowing to inject into legitimate processes like svchost.exe or explorer.exe. Evasion techniques include checking for sandbox environments (e.g., via mouse movement detection), disabling Windows Defender through registry modifications, and using a domain generation algorithm (DGA) to rotate C2 domains, as documented in Unit 42's technical report and Recorded Future's analysis. It can execute arbitrary commands, upload and download files, take screenshots, and perform lateral movement via SMB, WMI, and scheduled tasks.

📜 History & Notable Incidents

Thunker was first publicly disclosed in June 2019 by Unit 42, which linked it to APT10's campaign against Asian telecommunications firms, including a major provider in Malaysia. A notable campaign in 2020 targeted Japanese defense contractors using CVE-2017-0199-laden emails, with lateral movement leading to the exfiltration of intellectual property. No law enforcement actions have been announced against the operators, but multiple C2 domains have been sinkholed by private security firms, and the infrastructure was partially disrupted in the 2020 takedown of VPNFilter-related nodes.

🔍 Detection Indicators

Known file hashes include SHA256: 2a3c4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f (a placeholder given as an example; the real hashes are in the Unit 42 report), with behavioral signatures such as creation of the mutex "Global\ThunkerMutex" and the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ThunkerUpdater. Network indicators include HTTP POST requests to /gate.php with User-Agent strings like "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0" and C2 domains using .com, .net, or .org TLDs registered via privacy services.

☠️ Risk & Impact

Thunker enables persistent remote access, data exfiltration of credentials and intellectual property, and lateral movement across networks, leading to multi-million-dollar financial losses and geopolitical risk. The primary affected sectors include government ministries (e.g., in Vietnam and Taiwan), defense contractors, telecommunications providers, and aerospace companies, with several documented breaches involving compromised email accounts and VPN tunnels.

🛡️ Mitigation

Recommended defenses include blocking known C2 domains and IPs via threat intelligence feeds, applying patches for CVE-2017-0199 and CVE-2018-8174, and deploying EDR rules to detect Thunker's service creation (e.g., via Sysmon Event ID 7045 for service name patterns) and registry persistence modifications. Email filtering for macro-enabled Office documents and user awareness training against spear-phishing reduce initial infection risk.
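As an added defender-side example (not code from this page's sources or from any vendor report), the following Python checks constructed host events and proxy log lines against the indicators listed above: the ThunkerService install event (ID 7045), the Run-key entry, the mutex, and the POST to /gate.php carrying the Firefox/12.0 User-Agent. The event field names, the proxy line format, the hostnames and the use of Sysmon Event ID 13 for the registry value-set event are assumptions, not something the page states.

```python
import re

# Indicators exactly as listed on this page (the hash there is a placeholder, so it is not used).
SERVICE_NAME = "ThunkerService"
MUTEX_NAME = r"Global\ThunkerMutex"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ThunkerUpdater"
C2_PATH = "/gate.php"
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"

# Constructed telemetry, not real data; the field names are an assumption about the collector.
SAMPLE_HOST_EVENTS = [
    {"EventID": 7045, "ServiceName": "ThunkerService", "ImagePath": r"C:\ProgramData\thk\svc.dll"},
    {"EventID": 7045, "ServiceName": "wuauserv", "ImagePath": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 13, "TargetObject": RUN_KEY, "Details": r"C:\Users\Public\upd.dll"},
    {"Source": "edr", "Mutex": MUTEX_NAME},
]
SAMPLE_HTTP_LINES = [  # constructed proxy lines: method host path "user-agent"
    'POST example-c2.invalid /gate.php "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"',
    'GET www.example.com /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    'POST www.example.com /gate.php "curl/8.0"',  # same path, different UA: not flagged on its own
]
HTTP_LINE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')


def check_host_event(event):
    """Return a finding label for one host event, or None if it matches no indicator."""
    eid = event.get("EventID")
    if eid == 7045 and event.get("ServiceName") == SERVICE_NAME:  # new service installed
        return "service_persistence"
    if eid == 13 and event.get("TargetObject") == RUN_KEY:  # Sysmon 13: registry value set
        return "run_key_persistence"
    if event.get("Mutex") == MUTEX_NAME:  # mutex reported by an EDR or sandbox
        return "mutex_created"
    return None


def check_http_line(line):
    """Flag a POST to the C2 path carrying the C2 User-Agent; include the host for pivoting."""
    m = HTTP_LINE.match(line)
    if not m:
        return None
    method, host, path, ua = m.groups()
    if method == "POST" and path == C2_PATH and ua == C2_USER_AGENT:
        return f"c2_beacon:{host}"
    return None


def scan(host_events, http_lines):
    """Run both checks and return the findings in input order."""
    findings = [f for f in map(check_host_event, host_events) if f]
    findings += [f for f in map(check_http_line, http_lines) if f]
    return findings
```

Matching the path and User-Agent together keeps the network rule from firing on every /gate.php request, which is a common path on unrelated sites.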


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.