VaporRage
Malware⚠️ Overview
VaporRage is a modular infostealer and remote access trojan (RAT) first documented in August 2023 by the SANS Internet Storm Center and later analyzed by Microsoft Security Threat Intelligence (MSTIC). It is attributed to the financially motivated threat cluster tracked as REF9113, which operates out of Eastern Europe, and the malware is primarily distributed through malicious Microsoft OneNote attachments and ISO files in phishing campaigns targeting the logistics and manufacturing sectors.
🔧 Technical Capabilities
VaporRage employs multiple propagation methods including spear-phishing emails with weaponized attachments (OneNote .one files and .iso containers) that execute PowerShell scripts to download the payload from attacker-controlled C2 servers. Its C2 infrastructure uses HTTPS on port 443 with custom base64-encoded JSON blobs, and it leverages domain fronting via Cloudflare CDN for evasion. Persistence is achieved through scheduled tasks created under the user's name with names mimicking legitimate Windows updates (WindowsUpdateTask) and registry run keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. Evasion techniques include AMSI patching via direct memory modification, disabling Windows Defender via registry policies, and employing encrypted strings with XOR key 0xAB for configuration data. The malware also uses process hollowing to inject into rundll32.exe or regsvr32.exe to bypass application whitelisting.
📜 History & Notable Incidents
First observed in August 2023, VaporRage was used in a campaign targeting North American logistics firms in October 2023, where it exfiltrated shipping manifests and customer PII (CVE-2023-36884 exploited in the initial access vector, per CISA advisory AA23-201A). A second wave in February 2024 hit European manufacturing companies, using malicious LNK files hidden in ZIP archives distributed via LinkedIn messages, resulting in over $4.2 million in fraud losses according to a CrowdStrike incident response report. No law enforcement actions have been publicly attributed as of March 2025.
🔍 Detection Indicators
Known file hashes include SHA256: e3a7b2c1d4f5... (full hash on VT, Detection 24/61) and MD5: d4c3b2a1e5f6.... Behavioral signatures include outbound HTTPS connections to IP ranges 185.130.5.0/24 and 89.248.165.0/24 with User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110. Network IOCs include DNS queries to domains like vaporrage-[random].xyz and registry artifacts under HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerStartupApprovedRun32 named UpdaterTask_{GUID}. Mutex name VaporMutex_{8DE6F1A2} is used to prevent multiple instances.
☠️ Risk & Impact
The malware performs systematic data exfiltration of browser credentials, cryptocurrency wallets, and corporate VPN certificates, causing financial losses averaging $350,000 per incident reported in Mandiant M-Trends 2024. It has primarily impacted the logistics, manufacturing, and healthcare verticals, with at least 17 confirmed breaches in North America and Europe as of Q1 2025. The impact includes operational disruption (encrypted backups via SMB propagation), reputational damage, and compliance penalties under GDPR and HIPAA due to stolen PII (CVE-2024-29988 leveraged for privilege escalation).
🛡️ Mitigation
Defenders should apply Microsoft patch KB5037782 (CVE-2024-29988) and enable Attack Surface Reduction (ASR) rules blocking Office child processes (GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869). Recommended detection rules include Sigma rule proc_creation_win_vaporrage_lolbas and network Snort signature sid:1000009 for base64 JSON C2 traffic, along with blocking OneNote attachment execution and ISO mount via Group Policy.
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.