Vohuk

Malware

⚠️ Overview

Vohuk is a remote access trojan (RAT) first documented by Fortinet's FortiGuard Labs in April 2023, attributed to a suspected Iran-linked threat group tracked as TA453 (also known as APT42). Written in Golang, it targets Windows systems and is delivered via phishing emails containing weaponized LNK files that exploit CVE-2022-30190 (the Follina vulnerability) to drop the payload.

🔧 Technical Capabilities

Vohuk establishes persistence by creating a scheduled task named "MicrosoftEdgeUpdateTaskMachineCore" that runs a PowerShell script from the %APPDATA% directory. It uses HTTPS-based command-and-control (C2) infrastructure with custom encrypted payloads encoded in Base64 and XOR-encrypted with a static key (0xAB). The RAT supports keylogging, screen capture, file upload/download, process execution, and registry manipulation. It employs DLL side-loading via a legitimate Microsoft-signed binary (e.g., rundll32.exe) to evade detection. For process injection, it uses the CreateRemoteThread API to inject into explorer.exe. Network traffic mimics legitimate Google Chrome updates by using a User-Agent string containing "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36". It also checks for sandbox environments by pinging "google.com" and validating the system hostname against known analyst machines.

📜 History & Notable Incidents

Vohuk was first observed in a spear-phishing campaign targeting Middle Eastern think tanks and journalists in early 2023, analyzed by multiple vendors including Check Point and Trend Micro. In June 2023, a campaign exploited CVE-2022-30190 to compromise a European diplomatic mission, exfiltrating sensitive policy documents. No law enforcement actions have been publicly recorded, but MITRE ATT&CK maps Vohuk techniques to T1204.002 (User Execution: Malicious File), T1053.005 (Scheduled Task), and T1573.001 (Encrypted Channel: Symmetric Cryptography).

🔍 Detection Indicators

Known SHA256 hashes for Vohuk samples include 0c0a3f7e8b9c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 (dropper) and aef2b1c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f (payload). Behavioral indicators include persistent outbound HTTPS traffic to IPs in the 185.25.23.0/24 range and the creation of the scheduled task name "MicrosoftEdgeUpdateTaskMachineCore". Registry key modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value "EdgeUpdate" are observed. A mutex named "Global\VohukMutex2023" is used to prevent multiple instances.

☠️ Risk & Impact

Vohuk enables full remote control of infected hosts, leading to data exfiltration of credentials, emails, and encrypted documents. The malware has been linked to the theft of intellectual property from academic and diplomatic sectors, with estimated financial damages exceeding $2.7 million across three confirmed incidents.

🛡️ Mitigation

Apply security patches for CVE-2022-30190 and block inbound LNK files from untrusted sources. Deploy YARA rules detecting the Golang-based payload and the static XOR key 0xAB; enable Sysmon logging for process injection events (Event ID 8) and monitor for persistent scheduled tasks with suspicious names.
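The following Python script is an added defender-side example, not code from the page or from any vendor report: it shows why the static XOR key makes the described C2 encoding trivially reversible for analysts, and it matches the host indicators from the Detection Indicators section (scheduled task name, Run key value, mutex) against constructed Sysmon-style log lines. The log format, the sample lines and the encoded sample blob are assumptions built for this example.

```python
import base64
import re

XOR_KEY = 0xAB  # static XOR key the page reports for Vohuk C2 payloads

# Host indicators listed on the page (mutex written with its Global\ prefix)
TASK_NAME = "MicrosoftEdgeUpdateTaskMachineCore"
RUN_VALUE = "EdgeUpdate"
MUTEX_NAME = r"Global\VohukMutex2023"


def decode_c2_payload(blob: str) -> bytes:
    """Undo the described encoding: Base64 wrapper over XOR with the static key."""
    raw = base64.b64decode(blob)
    return bytes(b ^ XOR_KEY for b in raw)


def encode_c2_payload(data: bytes) -> str:
    """Inverse of decode_c2_payload; used here only to build offline test traffic."""
    return base64.b64encode(bytes(b ^ XOR_KEY for b in data)).decode("ascii")


INDICATOR_PATTERNS = {
    "scheduled_task": re.compile(re.escape(TASK_NAME)),
    "run_key": re.compile(r"CurrentVersion\\Run\\" + re.escape(RUN_VALUE) + r"\b"),
    "mutex": re.compile(re.escape(MUTEX_NAME)),
}


def match_host_indicators(log_lines):
    """Return (line_number, indicator_name) for each log line hitting an indicator."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for name, pattern in INDICATOR_PATTERNS.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits


# Constructed sample telemetry in a Sysmon-like key=value text form (not real logs)
SAMPLE_LOGS = [
    "EventID=1 Image=C:\\Windows\\System32\\schtasks.exe CommandLine=schtasks /create /tn "
    + TASK_NAME + " /tr powershell.exe",
    "EventID=13 TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\EdgeUpdate",
    "EventID=1 Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "Sandbox: mutex created Global\\VohukMutex2023",
]

if __name__ == "__main__":
    print(decode_c2_payload("28LFzA=="))  # constructed sample blob, decodes to b'ping'
    print(match_host_indicators(SAMPLE_LOGS))
```

The decoder only reverses the Base64 and XOR layers the page describes; anything the RAT wraps inside that (its own message framing) would still need to be parsed from the decoded bytes.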


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.