Velso
Malware
⚠️ Overview
Velso is a remote access trojan (RAT) first documented by Unit 42 (Palo Alto Networks) in March 2022 as part of a campaign targeting Southeast Asian government entities. It is attributed to the threat group TA428; the compiled sources also give Windshift and APT‑C‑36 as aliases, but other vendors track those two names as separate groups, so do not pivot on them without checking the original report. Velso is used primarily for espionage and data exfiltration, and is delivered by spear‑phishing emails carrying a malicious macro‑enabled Excel attachment.
🔧 Technical Capabilities
Velso establishes persistence in two ways: a scheduled task named “UpdateTask” that runs every hour, and a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. C2 communication consists of HTTP POST requests to a hard‑coded domain; exfiltrated data is encrypted with AES‑128 under a static key, which means that once the key is recovered from a sample, captured traffic can be decrypted offline. The malware propagates by scanning local network shares and copying itself to writable directories, and it uses the EternalBlue exploit (CVE‑2017‑0144, fixed by MS17‑010) to move laterally to hosts that still expose unpatched SMBv1. Evasion techniques include API unhooking via direct syscalls, process hollowing (MITRE ATT&CK T1055.012), and delaying execution when the current date appears on an embedded blacklist, a common sandbox‑evasion pattern. Before downloading additional modules it collects host information (hostname, OS version, logged‑in users) and sends it to the C2.
📜 History & Notable Incidents
The earliest confirmed sample of Velso was uploaded to VirusTotal in November 2021, with active campaigns observed from February 2022 through September 2022 targeting the Ministry of Finance in Vietnam and the Department of Defense in Myanmar. In one spear‑phishing wave, reported by Trend Micro’s Zero Day Initiative, the lure exploited CVE‑2021‑40444 (Microsoft MSHTML remote code execution) rather than relying on macros alone. No law‑enforcement action is publicly recorded, but infrastructure takedowns by VNCERT (the Computer Emergency Response Team of Vietnam) disrupted several C2 domains in late 2022.
🔍 Detection Indicators
Known file hashes include the SHA‑256 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2 (cited from Unit 42’s report). As reproduced here, that value is a repeating sequential byte pattern, which is characteristic of a placeholder rather than a real digest; verify it against the original report before loading it into a blocklist. Behavioral signatures include the mutex name “VelsoMutex” and the User‑Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36”; note that this string is the standard Chrome‑on‑Windows prefix and is far too common to alert on by itself, so use it only to corroborate other indicators. Network indicators include POST requests to paths ending in “/gate.php” with a base64‑encoded payload in the HTTP body (the body wraps the AES‑encrypted exfiltration data described above). Registry evidence: a value named “UpdateTask” under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to %APPDATA%\Velso\svchost.exe (path separators restored from the garbled source). A binary named svchost.exe running from anywhere other than %SystemRoot%\System32 or SysWOW64 is itself a masquerading indicator worth hunting for independently of the exact path.
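The network indicator above (POST to a URI ending in /gate.php with a base64 body) is the most specific thing a proxy log will show, while the User‑Agent on its own is noise. The following is an added example, not code from the page or from Unit 42, showing how a practitioner might triage proxy lines against those indicators: the gate.php POST is the mandatory trigger, a base64‑decodable body raises the severity, and the User‑Agent is recorded only as corroboration. The log format, the host 203.0.113.10 and the bodies are constructed for the example; the first body is a plaintext stand‑in for what, in real traffic, would be AES ciphertext.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Simplified proxy-log format used by this example:  METHOD URL "User-Agent" | BODY
# Constructed lines, not captures from any report. Line 1 models the indicator
# (POST to */gate.php with a base64 body); line 3 is the same URI with a junk body;
# lines 2 and 4 are benign traffic that shares only the weak indicators.
SAMPLE_LOGS = [
    'POST http://203.0.113.10/panel/gate.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" | aG9zdG5hbWU9V1MtMDE7b3M9V2luMTA=',
    'GET http://example.com/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" | ',
    'POST http://203.0.113.10/panel/gate.php "curl/8.0" | not base64!!',
    'POST http://example.com/api/login "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" | dXNlcj1hZG1pbg==',
]

LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" \|\s*(.*)$')
GATE_PATH_RE = re.compile(r"/gate\.php$", re.IGNORECASE)
# The reported UA is the generic Chrome-on-Windows prefix: corroborating evidence only.
REPORTED_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"


@dataclass
class Finding:
    line_no: int              # 1-based position in the log
    severity: str             # "high" or "medium"
    reasons: List[str]
    decoded: Optional[bytes]  # decoded body when it was strict base64


def decode_b64(body: str) -> Optional[bytes]:
    """Return the decoded bytes if body is strictly valid base64, else None."""
    body = body.strip()
    if not body:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet instead of skipping them
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def triage_line(line_no: int, line: str) -> Optional[Finding]:
    """Apply the indicator logic to one log line; None means nothing to report."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, url, ua, body = m.groups()
    # Mandatory trigger: a POST whose path ends in /gate.php
    if method.upper() != "POST" or GATE_PATH_RE.search(urlparse(url).path) is None:
        return None  # UA and base64 bodies alone are too common to alert on
    reasons = ["POST to URI ending in /gate.php"]
    decoded = decode_b64(body)
    if decoded is not None:
        reasons.append("body is valid base64")
    if ua == REPORTED_UA:
        reasons.append("User-Agent matches reported string (corroborating only)")
    severity = "high" if decoded is not None else "medium"
    return Finding(line_no, severity, reasons, decoded)


def scan(lines: List[str]) -> List[Finding]:
    """Triage every line and return the findings in log order."""
    findings = []
    for i, line in enumerate(lines, start=1):
        f = triage_line(i, line)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.severity} - {'; '.join(f.reasons)}")
```

Running the block flags line 1 as high and line 3 as medium; the benign login POST on line 4 is ignored even though it carries both a base64 body and the reported User‑Agent. Swap the `LOG_RE` pattern for whatever your proxy actually emits; the indicator logic in `triage_line` does not depend on the format.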
☠️ Risk & Impact
Velso enables long‑term reconnaissance and data exfiltration, with victims primarily in the government and defense sectors across Southeast Asia. Financial losses are indirect but significant, as stolen diplomatic and strategic documents can be used for geopolitical leverage. The malware’s lateral movement capability increases the potential for network‑wide compromise, and its modular nature allows the operator to deploy additional payloads such as keyloggers and screen captures.
🛡️ Mitigation
Mitigation includes applying the patches for EternalBlue (MS17‑010) and CVE‑2021‑40444 and disabling SMBv1 where it is not needed, enabling the Attack Surface Reduction rules that constrain Office macros (block Office applications from creating child processes, block Win32 API calls from Office macros, and block Office applications from creating executable content), and deploying network‑based detection for POST requests whose URI ends in /gate.php. On the host, collect Sysmon telemetry: Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) cover thread injection, while process hollowing has no dedicated Sysmon event and is best caught by correlating the spawning of a suspended child (Event ID 1) with subsequent access to it from the parent (Event ID 10); Event ID 13 (registry value set) on the Run key and Event ID 1 for schtasks.exe creating “UpdateTask” cover the persistence described above. YARA rules can match the mutex string “VelsoMutex” or the key fragment “0x29AB4F8C3DE7” given in the Unit 42 analysis; note that the fragment is six bytes, not a full 16‑byte AES‑128 key, so it identifies the sample family rather than enabling decryption on its own.
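To show how the host‑side indicators above turn into detection logic, here is an added example, not code from the page or from any vendor, that runs a few rules over Sysmon‑style event records: a Run‑key value named “UpdateTask” or launching svchost.exe from %APPDATA% (Event ID 13), schtasks.exe creating the “UpdateTask” task (Event ID 1), a CreateRemoteThread into a different process (Event ID 8), and, generalising the %APPDATA%\Velso\svchost.exe path, any svchost.exe running outside System32 or SysWOW64. The event records are constructed for the example and the field names follow Sysmon’s schema; the user name, SID and paths are made up.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed Sysmon-style records (field names follow Sysmon's schema; values are
# made up for this example, not telemetry from any reported incident).
# Events 0, 1 and 3 model the page's indicators; 2, 4 and 5 are benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc hourly /tn UpdateTask /tr "C:\Users\a\AppData\Roaming\Velso\svchost.exe"'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask",
     "Details": r"C:\Users\a\AppData\Roaming\Velso\svchost.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 8, "SourceImage": r"C:\Users\a\AppData\Roaming\Velso\svchost.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\csrss.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# A rule returns (severity, reason) when it fires, else None.
Rule = Callable[[dict], Optional[Tuple[str, str]]]


@dataclass
class Finding:
    index: int      # position of the event in the input list
    severity: str
    reason: str


def rule_schtasks(ev: dict) -> Optional[Tuple[str, str]]:
    """Event ID 1: schtasks.exe creating the 'UpdateTask' task (hourly persistence)."""
    if ev.get("EventID") != 1:
        return None
    cl = ev.get("CommandLine", "").lower()
    if ev.get("Image", "").lower().endswith("schtasks.exe") and "/create" in cl and "updatetask" in cl:
        return ("high", "schtasks.exe creating scheduled task 'UpdateTask'")
    return None


def rule_run_key(ev: dict) -> Optional[Tuple[str, str]]:
    """Event ID 13: Run-key value named 'UpdateTask', or one launching svchost.exe from %APPDATA%."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    if RUN_KEY not in target.lower():
        return None
    value_name = target.rsplit("\\", 1)[-1]
    data = ev.get("Details", "").lower()
    if value_name.lower() == "updatetask":
        return ("high", "Run-key value 'UpdateTask' set")
    if "\\appdata\\roaming\\" in data and "svchost.exe" in data:
        return ("high", "Run-key value launches svchost.exe from %APPDATA%")
    return None


def rule_masquerade(ev: dict) -> Optional[Tuple[str, str]]:
    """svchost.exe is legitimate only under System32/SysWOW64; elsewhere it is masquerading."""
    for key in ("Image", "SourceImage"):
        img = ev.get(key, "")
        low = img.lower()
        if low.endswith("\\svchost.exe") and not low.startswith(SYSTEM_DIRS):
            return ("medium", f"svchost.exe outside a system directory: {img}")
    return None


def rule_remote_thread(ev: dict) -> Optional[Tuple[str, str]]:
    """Event ID 8: a thread created in another process (injection, not self-threading)."""
    if ev.get("EventID") != 8:
        return None
    src, dst = ev.get("SourceImage", ""), ev.get("TargetImage", "")
    if src.lower() != dst.lower():
        return ("medium", f"CreateRemoteThread from {src} into {dst}")
    return None


RULES: List[Rule] = [rule_schtasks, rule_run_key, rule_masquerade, rule_remote_thread]


def triage(events: List[dict]) -> List[Finding]:
    """Run every rule over every event; one event may yield several findings."""
    findings = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(Finding(idx, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f.index}: {f.severity} - {f.reason}")
```

The benign OneDrive Run value, the csrss.exe self‑thread and the real System32 svchost.exe produce no findings, while the constructed Velso events produce four: two high (task creation and Run key) and two medium on the same injection event (masquerading source image plus cross‑process thread). In a SIEM the same rules map directly onto queries over the Sysmon `TargetObject`, `CommandLine`, `Image`, `SourceImage` and `TargetImage` fields.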
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.