Unidentified 052

⚠️ Overview

Unidentified 052 is a previously undocumented malware strain first observed by cybersecurity researchers in early 2023 during routine network monitoring at a European healthcare organization. The malware has been tentatively classified as a multi-stage backdoor with data-stealing capabilities, but its operator and motivation remain unconfirmed by public sources. No official threat intelligence reports from major vendors (e.g., Microsoft, CrowdStrike, Mandiant) and no MITRE ATT&CK entries reference this designation in the sources available to the compiler, so the name most likely originates from internal tracking or a limited-scope analysis. The technical details below come from that single analysis and should be treated as unverified until corroborated.

🔧 Technical Capabilities

Unidentified 052 is delivered via spear-phishing emails carrying a malicious Office attachment, described in the original report as an Excel (XLS) file, that exploits CVE-2023-21716 to drop an initial loader DLL. Note that CVE-2023-21716 is a heap-corruption vulnerability in Microsoft Word's RTF parser, fixed in Microsoft's February 2023 security updates, so the "XLS" description and the cited CVE are not consistent with each other; one of the two is probably a reporting error. The loader establishes persistence by creating a scheduled task named "UpdaterTask_052" and injects shellcode into an svchost.exe process to blend in with legitimate service activity. The backdoor communicates with a command-and-control (C2) server over HTTPS on port 443, using encrypted JSON payloads shaped to resemble Windows Update traffic, a beaconing technique documented in research on HTTP C2. Propagation within the network combines SMB share enumeration, brute-force attempts against weak local administrator passwords, and credential dumping with Mimikatz so that harvested credentials can be reused on other hosts. The main payload is wrapped in a custom packer to defeat static, signature-based antivirus detection.
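The "mimics Windows Update" claim above is worth turning into something a defender can actually run. Genuine update checks are machine-timed, but they go to Microsoft-operated endpoints; a backdoor that copies the timing but talks to an uncategorized domain stands out on exactly that combination. The following is an added example written for this page, not code from the original analysis or from any tool it names. It groups constructed proxy-log records by source/destination pair, computes the coefficient of variation of the inter-connection gaps, and flags pairs that are both periodic and not an update domain; it also matches the User-Agent string the page lists. The log records, the IP addresses, the `UPDATE_DOMAIN_SUFFIXES` allowlist and the thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Indicator string quoted from the page; treated purely as a pattern to match.
SUSPECT_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppVer=10.0.1"
# Assumed (illustrative, not exhaustive) allowlist of Microsoft-operated update endpoints.
UPDATE_DOMAIN_SUFFIXES = ("windowsupdate.com", "update.microsoft.com", "delivery.mp.microsoft.com")

MIN_CONNECTIONS = 6   # fewer samples than this gives a meaningless interval statistic
MAX_CV = 0.15         # coefficient of variation at or below this looks machine-timed


def build_sample_log():
    """Constructed proxy records: (timestamp, src_ip, dst_host, user_agent). Not real traffic."""
    base = datetime(2023, 1, 10, 9, 0, 0)
    records = []
    jitter = [0, 4, -3, 7, -6, 2, 5, -4, 3, -2]
    # Host A: beacons every ~300 s with small jitter to an uncategorized domain.
    t = base
    for j in jitter:
        t += timedelta(seconds=300 + j)
        records.append((t, "10.20.0.15", "cdn-update-secure.com", SUSPECT_UA))
    # Host B: irregular, human-looking browsing.
    t = base
    for g in [12, 340, 5, 1900, 60, 2, 800, 15, 3300, 9]:
        t += timedelta(seconds=g)
        records.append((t, "10.20.0.22", "news.example",
                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/109.0"))
    # Host C: a genuinely periodic update check, but to a Microsoft update domain.
    t = base
    for j in jitter:
        t += timedelta(seconds=3600 + j)
        records.append((t, "10.20.0.31", "download.windowsupdate.com",
                        "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0"))
    return records


def interval_stats(timestamps):
    """Mean gap and coefficient of variation (stdev / mean) of consecutive connection times."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_beacons(records):
    """Return {(src, dst): [reasons]} for pairs that look like automated C2 beaconing."""
    by_pair = defaultdict(list)
    uas = defaultdict(set)
    for ts, src, dst, ua in records:
        by_pair[(src, dst)].append(ts)
        uas[(src, dst)].add(ua)
    hits = {}
    for pair, stamps in by_pair.items():
        reasons = []
        if len(stamps) >= MIN_CONNECTIONS:
            period, cv = interval_stats(stamps)
            # Periodic traffic is only suspicious when it is NOT going to an update endpoint.
            if cv <= MAX_CV and not pair[1].endswith(UPDATE_DOMAIN_SUFFIXES):
                reasons.append(f"periodic ~{period:.0f}s (cv={cv:.2f}) to non-update domain")
        if SUSPECT_UA in uas[pair]:
            reasons.append("User-Agent matches page-listed indicator")
        if reasons:
            hits[pair] = reasons
    return hits


if __name__ == "__main__":
    for pair, reasons in find_beacons(build_sample_log()).items():
        print(pair, reasons)
```

On the constructed sample only the host talking to cdn-update-secure.com is flagged, for both reasons; the real update check is periodic but excluded by destination, and the browsing host fails the periodicity test. In production the allowlist should be built from your own proxy's category data rather than a hard-coded tuple, and MAX_CV should be tuned against a baseline of known-good scheduled traffic (monitoring agents, NTP, telemetry), which is also periodic.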

📜 History & Notable Incidents

First identified in January 2023, Unidentified 052 has been linked to a single incident at a German hospital where patient records were exfiltrated over a 72-hour period before containment. No other confirmed victims, and no CVEs beyond CVE-2023-21716, have been publicly associated with this malware family as of mid-2025. No law enforcement actions, such as takedowns or arrests, have been reported, so the operator's current status is unknown.

🔍 Detection Indicators

Known indicators from the initial incident include a SHA-256 hash reported for the dropper Excel file, a3f8b2c1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0, and the mutex name Global\U052_UpMutex (the backslash after "Global" is lost in some copies of this text). As reproduced here, the hash is 62 hexadecimal digits rather than the 64 a SHA-256 digest requires, so it cannot match any file and should not be loaded into a blocklist until verified against the original report. Network IOCs include beaconing to the domain cdn-update-secure[.]com with the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppVer=10.0.1". Registry persistence is achieved under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce with the value name "U052Loader". Behavioral signatures include svchost.exe making outbound HTTPS connections to domains that are not Microsoft update endpoints, and repeated SMB logon failures from one host against many others.
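Before indicators like the ones above go into a detection pipeline they need hygiene (is the hash well-formed, is the domain still defanged) and the behavioral ones need a concrete rule. The following added example, written for this page rather than taken from the original analysis or any vendor tool, does three things: rejects the 62-digit hash as not a valid SHA-256, refangs the domain, and matches the RunOnce value, scheduled task and mutex against a constructed endpoint artifact dump; it then runs the SMB fan-out rule over constructed Windows Security events, where a 4625 failed logon with logon type 3 (network) is the signal. The artifact dictionary schema, the sample commands and hostnames, the event tuples and the `min_targets` threshold are assumptions; the mutex name is reconstructed with a `Global\` prefix on the assumption that its backslash was stripped like the registry path's.

```python
import re
from collections import defaultdict

# Indicators as printed on the page; treated as strings to match, not as verified intelligence.
PAGE_HASH = "a3f8b2c1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0"
PAGE_DOMAIN_DEFANGED = "cdn-update-secure[.]com"
RUNONCE_VALUE = "U052Loader"
TASK_NAME = "UpdaterTask_052"
MUTEX_NAME = r"Global\U052_UpMutex"   # assumption: backslash restored after "Global"
RUNONCE_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def is_valid_sha256(digest: str) -> bool:
    """A SHA-256 digest is exactly 64 hex digits; anything else can never match a file hash."""
    return bool(_SHA256.match(digest.strip().lower()))


def refang(indicator: str) -> str:
    """Undo the [.] / hxxp defanging used in reports so the value compares equal to live log fields."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def host_artifact_hits(artifacts: dict) -> list:
    """Match the page's host indicators against collected endpoint artifacts.

    Assumed collector schema (not a real tool's output):
      "runonce": {value_name: command}, "tasks": [task names], "mutexes": [mutex names]
    """
    hits = []
    for name, cmd in artifacts.get("runonce", {}).items():
        if name == RUNONCE_VALUE:
            hits.append(f"{RUNONCE_KEY}\\{name} -> {cmd}")
    if TASK_NAME in artifacts.get("tasks", []):
        hits.append(f"scheduled task {TASK_NAME}")
    if MUTEX_NAME in artifacts.get("mutexes", []):
        hits.append(f"mutex {MUTEX_NAME}")
    return hits


def smb_fanout(events: list, min_targets: int = 3) -> dict:
    """Sources whose failed network logons (EventID 4625, logon type 3) spread across many targets.

    events: (event_id, logon_type, src_ip, target_host, account) tuples.
    One account failing repeatedly on one host is a typo; one source failing against
    several hosts is the credential-spraying pattern the page describes.
    """
    targets = defaultdict(set)
    for event_id, logon_type, src, target, _account in events:
        if event_id == 4625 and logon_type == 3:
            targets[src].add(target)
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


# Constructed sample data for illustration only.
SAMPLE_ARTIFACTS = {
    "runonce": {
        "U052Loader": r"rundll32.exe C:\Users\Public\upd.dll,Start",   # constructed command line
        "Cleanup": r"C:\Windows\System32\cmd.exe /c del C:\Temp\setup.log",
    },
    "tasks": ["UpdaterTask_052", "MicrosoftEdgeUpdateTaskMachineCore"],
    "mutexes": [r"Global\U052_UpMutex"],
}
SAMPLE_EVENTS = [
    (4625, 3, "10.20.0.15", "FS01", "Administrator"),
    (4625, 3, "10.20.0.15", "FS02", "Administrator"),
    (4625, 3, "10.20.0.15", "HR-PC07", "Administrator"),
    (4625, 3, "10.20.0.15", "DC01", "admin"),
    (4625, 3, "10.20.0.22", "FS01", "jsmith"),      # one user, one host: not a spray
    (4625, 3, "10.20.0.22", "FS01", "jsmith"),
    (4624, 3, "10.20.0.31", "FS02", "svc_backup"),  # successful logon, ignored
]

if __name__ == "__main__":
    print("hash usable:", is_valid_sha256(PAGE_HASH), "(length", len(PAGE_HASH), ")")
    print("domain:", refang(PAGE_DOMAIN_DEFANGED))
    print("host hits:", host_artifact_hits(SAMPLE_ARTIFACTS))
    print("spraying sources:", smb_fanout(SAMPLE_EVENTS))
```

The hash check is the point most worth keeping: an indicator that can never match silently reduces coverage while looking like it is deployed. The fan-out rule keys on source rather than account because the page describes brute-forcing local administrator passwords, where the account name is the same everywhere and only the target list grows.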

☠️ Risk & Impact

The primary risk from Unidentified 052 is the exfiltration of sensitive data, such as electronic health records and network credentials, as observed in the healthcare incident. Financial losses have not been quantified publicly, but the sector targeted (healthcare) is classified as critical infrastructure, making any disruption potentially life-threatening. The malware's ability to move laterally via credential theft increases the risk of full network compromise.

🛡️ Mitigation

Defenders should apply the February 2023 Microsoft Office security updates that address CVE-2023-21716 (there is no bulletin numbered "MS23-01"; Microsoft retired the MSxx-xxx bulletin scheme in 2017), enforce multi-factor authentication on all administrative accounts, and deploy endpoint detection rules (e.g., a Sigma rule such as the one the original report calls "U052_Loader_ScheduledTask") to flag the mutex, RunOnce value and scheduled task names. Unique, rotated local administrator passwords (e.g., via Windows LAPS) remove the shared credential that the described SMB brute-force and Mimikatz reuse depend on. Network monitoring for periodic HTTPS beacons to uncategorized domains and blocking workstation-to-workstation SMB (TCP 445) from non-administrative segments are recommended additional controls.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.