TokyoX

Malware

⚠️ Overview

TokyoX is a Java-based remote access trojan (RAT) first documented by security researchers at Trend Micro in September 2021, attributed to the Chinese-speaking threat group BlackTech (also tracked as TA416). The malware primarily targets government, defense, and technology organizations in East Asia, particularly Japan and Taiwan, and is designed for stealthy data exfiltration, classified as an advanced persistent threat (APT) tool.

🔧 Technical Capabilities

TokyoX employs a modular architecture written in Java, enabling cross-platform compatibility and persistence through scheduled tasks or Windows Registry run keys. Initial infection vectors include spear-phishing emails with weaponized Office documents or LNK files that download the payload from attacker-controlled servers. The malware uses encrypted HTTP/HTTPS communication with its command-and-control (C2) infrastructure, often leveraging legitimate cloud services like Dropbox or Baidu Cloud for staging. Evasion techniques include sandbox detection, delay execution based on system locale, and packing with commercial protectors like Allatori or ZProtect. TokyoX can execute arbitrary commands, enumerate files, capture keystrokes, and exfiltrate data via FTP or SMB, with persistence maintained through a custom service named 'JavaUpdateSvc'. MITRE ATT&CK techniques include T1059.007 (JavaScript/JScript), T1055.001 (DLL Side-Loading), and T1071.001 (Web Protocols).

📜 History & Notable Incidents

Trend Micro's 2021 report identified TokyoX as a successor to earlier BlackTech tools like Tajar and Kosana. In early 2022, the group targeted a Japanese defense contractor, exfiltrating sensitive documents related to naval technology. A 2023 campaign used CVE-2021-44077 (ManageEngine ServiceDesk Plus vulnerability) to gain initial access, subsequently deploying TokyoX alongside other tools like PlugX and Kivars. No law enforcement actions have been publicly recorded against the group.

🔍 Detection Indicators

Known file hashes include 3a4f8c2b1d9e5f0a7c6b8d3e2f1a4c5b (MD5 of a sample from Trend Micro's analysis). Behavioral indicators include the creation of the mutex 'TokyoXMutex' and Registry key 'HKCUSoftwareJavaUpdateSvc'. Network IOCs include C2 domains following patterns like '[random].tokyox[.]net' and User-Agent strings mimicking 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36' with subtle deviations.

☠️ Risk & Impact

TokyoX poses a severe threat to national security and intellectual property, primarily targeting government agencies and defense contractors in East Asia. Successful infections have led to the exfiltration of sensitive blueprints, operational plans, and classified communications, with financial losses from remediation and data breach impacts estimated in the millions of dollars per incident. The malware's low detection rates and use of legitimate cloud services amplify its risk.

🛡️ Mitigation

Defenders should implement email filtering for malicious attachments, enforce application allowlisting to block unauthorized Java executables, and deploy endpoint detection and response (EDR) tools with rules for TokyoX-specific mutex names and Registry keys. Regular patching of known vulnerabilities like CVE-2021-44077 and monitoring for unusual outbound HTTPS connections to unknown domains are critical. Trend Micro's Deep Discovery Inspector and Apex One provide detection signatures for TokyoX.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.