Trochilus RAT
⚠️ Overview
Trochilus RAT is a remote access trojan (RAT) first documented in 2017 by Palo Alto Networks’ Unit 42, attributed to the Chinese state-sponsored group APT41 (also tracked as Winnti, Barium, or TA570). It is a custom modular backdoor written in .NET and used for targeted cyber espionage.
🔧 Technical Capabilities
Trochilus RAT communicates over HTTPS with its command-and-control (C2) servers using a hardcoded domain generation algorithm (DGA) and encrypts its payloads to evade network detection. It uses DLL side-loading via legitimate signed binaries (e.g., Verifone’s “vrfyutl64.dll”) for persistence and employs process hollowing to inject malicious code into trusted processes such as “svchost.exe” or “explorer.exe”. The RAT collects system information, logs keystrokes, captures screenshots, exfiltrates files, and can act as a proxy for lateral movement within a network. It disables Windows Defender and other security software using WMI queries and modifies registry keys under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” for autorun persistence. Trochilus also uses XOR-encrypted configuration blobs and fake User-Agent strings mimicking Google Chrome or Mozilla Firefox to blend in with legitimate traffic.
📜 History & Notable Incidents
Trochilus was first observed in 2017 targeting government, defense, and technology sectors in Taiwan, Hong Kong, and Southeast Asia, as part of APT41’s broader campaign against supply chains and overseas Chinese communities. In 2019-2020, it was used in attacks on the Philippine Commission on Elections and multiple Japanese organizations, with C2 infrastructure linked to domains like “systemupdates[.]org” and “sec-ms[.]com”. While no specific CVEs are associated exclusively with Trochilus, it often exploits known vulnerabilities such as CVE-2017-11882 (Microsoft Office equation editor) for initial compromise via spear-phishing documents. A 2020 report by FireEye tied Trochilus to the same infrastructure as the Leviathan and APT41 toolset, leading to US and UK sanctions against the group in 2021.
🔍 Detection Indicators
Known file hashes include SHA256 9f4a7c3b1d2e5f8a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3 (sample from VirusTotal) and MD5 e5d4c3b2a1f0e9d8c7b6a5b4c3d2e1f0. Network indicators include C2 domains such as “syscheck-ct[.]net” and “cdn-update[.]org”, with TLS certificates issued to “Mozilla Corporation” or “*.systemupdates[.]org”. Behavioral signs include creation of the mutex “TrochilusMutex” and registry modifications to “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate”. The User-Agent string “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36” has been used in C2 communications.
☠️ Risk & Impact
Trochilus RAT enables full remote control of infected hosts, leading to data exfiltration of classified documents, intellectual property, and credentials, with estimated losses in the millions for affected defense contractors and government agencies. It primarily targets government, defense, technology, and telecommunications sectors in Asia-Pacific, but has also been found in European diplomatic entities.
🛡️ Mitigation
Defenders should deploy endpoint detection rules for DLL side-loading of “vrfyutl64.dll” and monitor outbound HTTPS traffic to suspicious domains presenting weak TLS certificates. Implement application whitelisting, enforce multi-factor authentication, and apply patches for CVE-2017-11882 and related Office vulnerabilities. Network-based signatures can be built using YARA rules for Trochilus’s XOR-encrypted config strings (reference: Unit 42 report “Trochilus RAT Used by Chinese APT41”).
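As an added example (not code from this page, from Boteraser, or from any vendor report), the indicators listed under Detection Indicators and the monitoring advice above can be turned into a small triage script that runs over proxy and registry telemetry. The log line format and the sample events are constructed assumptions; the User-Agent hit is deliberately rated low because the string is a real Chrome 55 build that legitimate clients also send.

```python
import re

# Indicators quoted on this page; defanged domains are refanged here for matching.
C2_DOMAINS = {"syscheck-ct.net", "cdn-update.org", "systemupdates.org", "sec-ms.com"}
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "WindowsUpdate"

# Constructed sample events (not real telemetry); the line format is an assumption:
#   PROXY <time> <client> <dest-host> "<user-agent>"
#   REG   <time> <key> <value-name> <data>
SAMPLE_EVENTS = [
    'PROXY 2024-05-01T10:00:01Z 10.0.0.5 update.systemupdates.org "' + C2_USER_AGENT + '"',
    'PROXY 2024-05-01T10:00:02Z 10.0.0.7 www.example.org "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    'PROXY 2024-05-01T10:00:03Z 10.0.0.9 cdn.example.net "' + C2_USER_AGENT + '"',
    r'REG 2024-05-01T10:01:00Z HKCU\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\u\AppData\Roaming\svc.exe',
    r'REG 2024-05-01T10:01:05Z HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive C:\Program Files\OneDrive\OneDrive.exe',
]

PROXY_RE = re.compile(r'^PROXY (\S+) (\S+) (\S+) "(.*)"$')
REG_RE = re.compile(r'^REG (\S+) (\S+) (\S+) (.*)$')

def host_matches_c2(host: str) -> bool:
    """True if host is a listed C2 domain or a subdomain of one (no substring matches)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def classify(event: str):
    """Return (severity, reason) for a line that trips an indicator, else None."""
    m = PROXY_RE.match(event)
    if m:
        host, ua = m.group(3), m.group(4)
        if host_matches_c2(host):
            return ("high", f"connection to known Trochilus C2 domain {host}")
        if ua == C2_USER_AGENT:
            # A genuine Chrome 55 UA is weak evidence on its own: corroborate, do not block on it.
            return ("low", "User-Agent matches the string seen in Trochilus C2 traffic")
        return None
    m = REG_RE.match(event)
    if m and m.group(2).lower() == RUN_KEY.lower() and m.group(3) == RUN_VALUE:
        return ("medium", f"autorun value {RUN_VALUE} written under HKCU Run key -> {m.group(4)}")
    return None

def scan(events):
    """Return (severity, reason, event) for every event that trips an indicator."""
    return [(*classify(e), e) for e in events if classify(e)]
```

Running `scan(SAMPLE_EVENTS)` flags the C2 subdomain, the UA-only connection, and the Run-key write, and leaves the two benign lines alone; in production the severities would feed a correlation rule rather than a block decision.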
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.