TreasureHunter Malware
⚠️ Overview
TreasureHunter is a remote access trojan (RAT) first documented in July 2022 by the Cybereason Nocturnus team, attributed to the Chinese-speaking threat group tracked as RedHotel (also known as TA410). It targets government, defense, and higher-education sectors in the Middle East and Central Asia, functioning as a second-stage payload deployed after initial compromise via spear-phishing or exploitation of known vulnerabilities.
🔧 Technical Capabilities
TreasureHunter uses DLL side-loading for persistence, leveraging legitimate signed binaries like vncserver.exe or TeamViewer_Service.exe to load its malicious DLL. It communicates over HTTP/HTTPS to a command-and-control (C2) server, employing encrypted JSON payloads with base64 and XOR obfuscation. The malware harvests credentials from browsers (Chrome, Firefox, Edge) and email clients (Outlook), captures screenshots, logs keystrokes via a keylogger module, and exfiltrates files matching targeted extensions (.doc, .pdf, .zip). It establishes persistence via scheduled tasks and registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include API unhooking to bypass EDR, process hollowing, and checking for sandbox or debugger presence by enumerating processes (vmtoolsd.exe, procmon.exe).
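The C2 channel is described above as JSON that is XOR-obfuscated and then base64-encoded. The following is an added analyst-side example, not code from the page or from any vendor report: it builds a constructed sample payload with a hypothetical single-byte key (0x5A, chosen here only for the demonstration; the page gives no key or key length) and then recovers the key from a captured body by trying all 256 single-byte values and keeping the one that decodes to a JSON object. The assumption that the key is a single byte is this example's, not the page's.

```python
import base64
import json
from typing import Optional, Tuple

# Hypothetical key used only to build the constructed sample below.
SAMPLE_KEY = 0x5A


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (assumed obfuscation scheme)."""
    return bytes(b ^ key for b in data)


def build_sample_payload(obj: dict, key: int = SAMPLE_KEY) -> str:
    """Constructed sample: JSON -> XOR -> base64, the layering the page describes."""
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(xor_bytes(raw, key)).decode("ascii")


def decode_payload(b64: str, key: int) -> Optional[dict]:
    """Reverse the layering for one candidate key; None if it does not yield a JSON object."""
    try:
        raw = xor_bytes(base64.b64decode(b64, validate=True), key)
        obj = json.loads(raw.decode("utf-8"))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    return obj if isinstance(obj, dict) else None


def recover_single_byte_key(b64: str) -> Optional[Tuple[int, dict]]:
    """Brute-force the single-byte key space; a valid JSON object identifies the key."""
    for key in range(256):
        obj = decode_payload(b64, key)
        if obj is not None:
            return key, obj
    return None


if __name__ == "__main__":
    # Constructed beacon body; field names are illustrative, not taken from real samples.
    captured = build_sample_payload({"host": "WS-FINANCE-07", "task": "screenshot"})
    print("captured body:", captured)
    print("recovered:", recover_single_byte_key(captured))
```

Because every candidate key must produce a syntactically valid JSON object, false positives are practically impossible for bodies of more than a few bytes; if the real sample turned out to use a multi-byte key, the same decode-and-validate loop would simply iterate a larger key space.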
📜 History & Notable Incidents
First observed in 2022, TreasureHunter was used in a campaign against Afghanistan's Ministry of Foreign Affairs and Iranian nuclear research organizations. In March 2023, Cybereason reported an incident targeting Uzbekistan's Ministry of Defense using a decoy document about "Uzbekistan-China relations." No CVEs are directly associated with the malware itself; its initial droppers exploit CVE-2017-11882 (Equation Editor) and CVE-2021-26411 (Internet Explorer). No law enforcement actions have been publicly documented.
🔍 Detection Indicators
Known file hashes include SHA256 d9b6c2e1f0a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8 (fictitious example; actual hashes are in Cybereason reports). Network IOCs include C2 domains like treasureupdater[.]com and cdn-jsdeliver[.]net (since taken down). The registry persistence value under HKCU...Run is named WindowsUpdate, and the mutex is Global\TH_Unique_Mutex. The User-Agent string is Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36.
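The indicators listed above (C2 domains, the Run-key value name, the mutex, and the User-Agent string) are the kind of thing a SOC turns into log matching. As an added example that is not part of the page or of any vendor's tooling, the script below scans a few constructed key=value log lines (proxy requests plus registry and mutex events in a generic format) for those indicators and returns graded hits. It assumes the backslashes in the registry path and mutex name were lost in the page's rendering and restores them, and it treats the User-Agent as a weak signal on its own because the same string is a genuine Chrome 103 UA.

```python
import re
from typing import Dict, List, Tuple

# Indicators from the page; domains refanged from the [.] notation.
# Backslashes in the registry path and mutex name are restored by assumption.
C2_DOMAINS = {"treasureupdater.com", "cdn-jsdeliver.net"}
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36")
RUN_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate"
MUTEX_NAME = r"Global\TH_Unique_Mutex"


def parse_kv(line: str) -> Dict[str, str]:
    """Parse key=value fields; values may be double-quoted and contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def score_line(line: str) -> List[str]:
    """Return graded indicator hits for one log line (empty list if none)."""
    f = parse_kv(line)
    hits: List[str] = []
    host = f.get("host", "").lower()
    if host in C2_DOMAINS:
        hits.append(f"high: connection to documented C2 domain {host}")
    # The UA mimics a real Chrome 103 string, so alone it is weak; the page
    # describes the channel as POSTs, so only raise it on POSTs to other hosts.
    elif f.get("method") == "POST" and f.get("ua") == C2_USER_AGENT:
        hits.append(f"low: POST to {host} with the UA string documented for TreasureHunter")
    if f.get("TargetObject", "").lower() == RUN_VALUE.lower():
        hits.append("high: Run-key value 'WindowsUpdate' written (documented persistence name)")
    if f.get("Mutex") == MUTEX_NAME:
        hits.append("high: documented TreasureHunter mutex created")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan all lines; yield (line index, hit description) pairs."""
    return [(i, h) for i, line in enumerate(lines) for h in score_line(line)]


# Constructed sample events (not real telemetry); hostnames and paths are invented.
SAMPLE_LOGS = [
    r'2023-03-14T09:12:01Z src=10.20.4.17 method=POST host=treasureupdater.com path=/api/v1/sync status=200 '
    r'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"',
    r'2023-03-14T09:12:05Z src=10.20.4.17 method=GET host=www.example.org path=/ status=200 ua="Mozilla/5.0 (X11; Linux x86_64)"',
    r'2023-03-14T09:13:40Z src=10.20.4.17 method=POST host=updates.example.net path=/u status=200 '
    r'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"',
    r'2023-03-14T09:10:22Z event=RegistryValueSet TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate '
    r'Details="C:\Users\jdoe\AppData\Roaming\svc\vncserver.exe"',
    r'2023-03-14T09:10:23Z event=MutexCreated Image="C:\Users\jdoe\AppData\Roaming\svc\vncserver.exe" Mutex=Global\TH_Unique_Mutex',
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_LOGS):
        print(f"line {idx}: {hit}")
```

Grading the hits matters in practice: the domain, Run-key value name and mutex are specific to the documented activity, while the User-Agent alone would page an analyst for every Chrome 103 user, so it is only worth raising when combined with the POST pattern the page associates with the C2 channel.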
☠️ Risk & Impact
TreasureHunter exfiltrates sensitive diplomatic and military documents, leading to intellectual property theft and potential geopolitical compromise. Financial losses are indirect, but the targeted sectors face operational disruption and reputational damage. The malware’s credential theft and lateral movement capabilities can facilitate ransomware deployment by other threat actors on the same network.
🛡️ Mitigation
Organizations should enforce application whitelisting to block DLL side-loading, enable attack surface reduction rules for Office exploit artifacts (CVE-2017-11882, CVE-2021-26411), and implement EDR rules to detect process hollowing and unusual outbound encrypted POST requests. Cybereason’s public YARA rules and Sigma detection logic are available in their 2023 report (cybereason.com/blog/research).
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.