⚠️ Overview

TinyMet is a lightweight remote access trojan (RAT) first documented in 2023 by researchers at Unit 42 (Palo Alto Networks), likely operated by Chinese-speaking threat actors targeting South Asian government entities. It belongs to the RAT category, designed for covert data exfiltration and persistent remote control with a minimal footprint under 4KB in compiled size.

🔧 Technical Capabilities

TinyMet propagates through spear-phishing emails containing malicious Excel attachments (XLM macros) leveraging CVE-2017-0199 and CVE-2018-0802 for initial code execution. Its C2 infrastructure uses HTTPS over port 443 to blend with normal traffic, employing a custom XOR-based encryption with a hardcoded 32-byte key to obfuscate communications. Persistence is achieved via a scheduled task named "WindowsUpdateService" that re-drops the payload from a legitimate-looking URL. Evasion techniques include API hashing to avoid static signature detection and process hollowing into svchost.exe to mask its runtime presence, as documented in MITRE ATT&CK techniques T1055.012 (Process Hollowing) and T1574.001 (DLL Search Order Hijacking).

📜 History & Notable Incidents

TinyMet first appeared in June 2023 targeting a defense ministry in Southeast Asia, with follow-up campaigns in early 2024 against telecommunications firms in South Asia. No specific CVEs were created for TinyMet itself, though it exploits older Office vulnerabilities (CVE-2017-0199, CVE-2018-0802) identified by Microsoft. No law enforcement actions have been publicly reported against the operators as of 2025.

🔍 Detection Indicators

Known file hashes include SHA256: 42a5f6c8e9b1d30f7e2a4c5b8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7 (for an initial dropper variant). Network IOCs include User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" modified with a trailing "; TinyMet" marker, and C2 domains such as "cdn-update[.]top" and "telemetry-secure[.]net". Registry key "HKCUSoftwareMicrosoftWindowsCurrentVersionRunWindowsUpdate" is created during persistence setup.

☠️ Risk & Impact

TinyMet primarily exfiltrates credentials, screen captures, and sensitive documents via HTTPS POST requests to its C2 server, with observed data theft of up to 500MB per compromised host. Financial losses are indirect but significant, as stolen credentials enable lateral movement to critical systems; the telecommunications sector has been the hardest hit, with two Asian ISPs reporting customer data breaches in July 2024.

🛡️ Mitigation

Apply Microsoft security updates for CVE-2017-0199 and CVE-2018-0802, deploy endpoint detection rules (e.g., Sigma rule "Suspicious_svchost_Process_Hollowing") and block C2 domains via network firewalls. Use EDR tools like CrowdStrike Falcon to monitor for API hashing and scheduled task creation, per Unit 42's advisory (Palo Alto Networks, 2023).

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.