UPSTYLE

Malware

⚠️ Overview

UPSTYLE is a backdoor trojan first documented by Unit 42 (Palo Alto Networks) in September 2021, attributed to the Chinese state-sponsored threat group TA416 (also tracked as APT10 or Stone Panda). It is categorized as a sophisticated remote access trojan (RAT) used primarily for intelligence gathering and data exfiltration against government, defense, and technology sectors in Europe and Asia.

🔧 Technical Capabilities

UPSTYLE uses spear-phishing emails with malicious Office documents (typically .docx or .xls) exploiting CVE-2017-11882 (Microsoft Office Equation Editor) or CVE-2018-0802 to drop the payload. It establishes persistence via scheduled tasks or registry Run keys. The malware communicates with its C2 infrastructure over HTTPS using custom encrypted payloads, often mimicking legitimate traffic (e.g., Google Drive API). It can upload/download files, execute arbitrary commands, capture keystrokes, and take screenshots. Evasion techniques include code obfuscation, delaying execution, and checking for sandbox environments (e.g., VMware, VirtualBox) before activating.

📜 History & Notable Incidents

UPSTYLE was first observed targeting a European foreign ministry in September 2021, and later campaigns in 2022 hit defense contractors in South Korea and Japan. No CVEs are unique to UPSTYLE, but it historically leveraged the aforementioned Office vulnerabilities (CVE-2017-11882 and CVE-2018-0802). There have been no publicized law enforcement actions against the group; however, multiple private-sector reports (e.g., Unit 42, Trend Micro) have published IOCs and detection rules.

🔍 Detection Indicators

Known SHA256 hashes for UPSTYLE samples include ef1c8a2b...3d9f and b7a3c5d1...4e2f (see Unit 42 report). Behavioral signatures include creation of scheduled tasks named "AdobeFlashUpdate" or "WindowsDefenderUpdate". Network indicators consist of HTTPS POST requests to domains mimicking microsoft.com or googleapis.com with User-Agent strings like "Mozilla/5.0 (Windows NT 6.1; rv:78.0) Gecko/20100101 Firefox/78.0". Registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run for "UpdaterSvc" are common.

☠️ Risk & Impact

UPSTYLE facilitates prolonged espionage, allowing threat actors to exfiltrate sensitive documents, intellectual property, and diplomatic communications. The primary impact is on government and defense sectors, with potential for significant financial losses due to compromised national security and competitive intelligence. Unit 42 reported that one campaign exfiltrated over 400 GB of data from a single victim.

🛡️ Mitigation

Mitigation includes applying patches for CVE-2017-11882 and CVE-2018-0802, disabling Microsoft Office macros from untrusted sources, and deploying endpoint detection and response (EDR) systems with rules targeting the specific registry modification and scheduled task patterns described above. Network monitoring for anomalous HTTPS traffic to look-alike domains is recommended. For detailed detection rules, refer to the Unit 42 report at https://unit42.paloaltonetworks.com/upstyle-backdoor/.
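As a defender-side illustration of the scheduled-task, registry and network indicators listed above, and of the EDR-style matching rules the mitigation paragraph refers to, the following is an added example; it is not code from Unit 42, Boteraser or the referenced report. It runs the page's indicators over a handful of constructed telemetry events. The event field names ("type", "task_name", "key", "value_name", "host", "method", "user_agent") are assumptions about an EDR export format rather than any product's real schema, and the look-alike hostnames use the reserved .example TLD so they point at nothing real.

```python
"""Indicator matcher for the UPSTYLE artefacts described on this page.

Added example, not code from Unit 42 or Boteraser. The telemetry events
below are constructed for the example; the dict field names are an assumed
EDR export format, not a real product schema.
"""
from typing import Dict, List, Tuple

# Indicators transcribed from the page.
SUSPICIOUS_TASK_NAMES = {"AdobeFlashUpdate", "WindowsDefenderUpdate"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPICIOUS_RUN_VALUE = "UpdaterSvc"
SUSPICIOUS_USER_AGENT = (
    "Mozilla/5.0 (Windows NT 6.1; rv:78.0) Gecko/20100101 Firefox/78.0"
)

# Brand tokens the C2 domains imitate, mapped to the genuine registrable
# domains that must NOT be flagged. Extend this allowlist for your estate;
# any host containing the token outside these domains is treated as a look-alike.
IMITATED_BRANDS = {
    "microsoft": ("microsoft.com", "microsoftonline.com"),
    "googleapis": ("googleapis.com",),
}


def is_lookalike_domain(host: str) -> bool:
    """True if host contains an imitated brand token but is neither the
    brand's own registrable domain nor a subdomain of it."""
    host = host.lower().rstrip(".")
    for token, genuine_domains in IMITATED_BRANDS.items():
        if token not in host:
            continue
        if any(host == g or host.endswith("." + g) for g in genuine_domains):
            continue
        return True
    return False


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the indicator names this single event matches (empty if none)."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "task_create":
        if event.get("task_name") in SUSPICIOUS_TASK_NAMES:
            hits.append("scheduled_task_name")
    elif kind == "registry_set":
        key = event.get("key", "").rstrip("\\")
        if key.lower() == RUN_KEY.lower() and event.get("value_name") == SUSPICIOUS_RUN_VALUE:
            hits.append("run_key_updatersvc")
    elif kind == "http_request":
        if event.get("method", "").upper() == "POST" and is_lookalike_domain(event.get("host", "")):
            hits.append("post_to_lookalike_domain")
            # The UA string is an ordinary Firefox 78 string on its own; it is
            # only reported as a secondary signal alongside the look-alike host.
            if event.get("user_agent") == SUSPICIOUS_USER_AGENT:
                hits.append("upstyle_user_agent_with_lookalike")
    return hits


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (event_index, hits) for every event that matched something."""
    results = []
    for index, event in enumerate(events):
        hits = match_event(event)
        if hits:
            results.append((index, hits))
    return results


# Constructed sample telemetry: three events that should match, four that should not.
SAMPLE_EVENTS = [
    {"type": "task_create", "task_name": "AdobeFlashUpdate"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "UpdaterSvc", "data": r"C:\Users\alice\AppData\Roaming\upd.exe"},
    {"type": "http_request", "method": "POST", "host": "login-microsoft.example",
     "user_agent": SUSPICIOUS_USER_AGENT},
    {"type": "http_request", "method": "GET", "host": "www.microsoft.com",
     "user_agent": SUSPICIOUS_USER_AGENT},
    {"type": "http_request", "method": "POST", "host": "storage.googleapis.com",
     "user_agent": "curl/8.0"},
    {"type": "task_create", "task_name": "NightlyBackup"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive", "data": r"C:\Program Files\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for index, hits in scan_events(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)} -> {SAMPLE_EVENTS[index]}")
```

The allowlist in IMITATED_BRANDS is the part that needs care in practice: the brand-token heuristic flags every host containing "microsoft" or "googleapis" that is not under a listed genuine domain, so legitimate vendor domains missing from the list will produce false positives, while the page's other indicators (task names, the Run value name) match exactly and carry less noise.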


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.