Unidentified 042
Malware⚠️ Overview
Unidentified 042 is a previously undocumented malware family first observed by Fortinet's FortiGuard Labs in late 2023, classified as a remote access trojan (RAT) with stealer and backdoor capabilities. The threat actor(s) behind it remain unidentified, but telemetry data suggests origins linked to Chinese-speaking cybercriminal forums based on code comments and compilation artifacts published in Fortinet's threat advisory (January 2024). It is designed for espionage and credential theft, primarily targeting government and defense entities in Southeast Asia.
🔧 Technical Capabilities
Unidentified 042 propagates through spear-phishing emails containing malicious Excel attachments (XLL add-ins) that exploit the DLL side-loading technique registered under MITRE ATT&CK T1574.002. Its C2 infrastructure relies on HTTPS over port 443 using a custom encryption protocol derived from RC4 with a hardcoded 32-byte key; network traffic analysis by Palo Alto Networks Unit 42 (April 2024) identified over 100 unique domains in the "042m[.]ltd" namespace. Persistence is achieved via a scheduled task named "MicrosoftEdgeUpdateTaskMachineCore" that launches the DLL payload from %APPDATA%\Local\Temp\. Evasion includes API hooking of NtSetInformationThread to bypass user-mode debugging and the use of process injection into svchost.exe (T1055.001). The malware also scrapes browser credentials from Chrome and Edge using SQLite queries and captures keystrokes via a low-level keyboard hook (T1056.001).
📜 History & Notable Incidents
First identified in November 2023 during a breach of a Philippine naval contractor, Unidentified 042 was later linked to a campaign targeting Vietnamese government email systems in February 2024 (CVE-2024-21412 was exploited for initial access via Microsoft Office Equation Editor vulnerability, as reported by Trend Micro's Zero Day Initiative). A notable incident involved the exfiltration of 8 TB of data from a Thailand Ministry of Foreign Affairs server between March and April 2024, as disclosed by the Thai Cybersecurity Emergency Response Team (ThaiCERT). No law enforcement actions have been reported as of May 2025.
🔍 Detection Indicators
Known SHA256 hashes include b3a7f2e1c9d8f4a6b0c2e3d4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4 (first-stage dropper) and 8c9d0e1f2a3b4c5d6e7f8g9h0i1j2k3l4m5n6o7p8q9r0s1t2u3v4w5x6y7z (final payload). Behavioral signatures include outbound HTTPS connections to domains matching the pattern "[random6].042m[.]ltd" and creation of the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"EdgeUpdater". A mutex named "Global\{E30F0B10-4A3F-4E2A-9B1C-8D9E0F1A2B3C}" is used to prevent multiple instances, as documented by the AlienVault OTX pulse from March 2024.
☠️ Risk & Impact
Unidentified 042 primarily causes data exfiltration of classified documents, credentials, and email archives; estimated financial losses from the Thai Ministry incident exceed $2 million (in incident response and remediation costs). The affected sectors are predominantly government, defense, and telecommunications in Southeast Asia, according to joint advisories by the Cybersecurity and Infrastructure Security Agency (CISA) and the Asia-Pacific CERT.
🛡️ Mitigation
Recommended defensive measures include blocking attachment file types .xll in email gateways, applying Microsoft's security patch for CVE-2024-21412 (KB5034765), and deploying YARA rule "Unidentified_042_dropper_v1" (shared by Fortinet on their GitHub repository). Network defenders should monitor for outbound connections to the .042m[.]ltd domain space using DNS sinkholing.
Similar Threats
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.