VoidRAT
⚠️ Overview
VoidRAT is a remote access trojan (RAT) first documented in December 2022 by the security firm Trellix, which attributed it to a suspected Chinese-speaking threat group tracked as Void Banshee. The family is used against organizations in the Asia-Pacific region, above all government entities and critical-infrastructure operators.
🔧 Technical Capabilities
VoidRAT is delivered by spear-phishing emails carrying malicious Office documents that exploit CVE-2021-40444 (a remote code execution flaw in the MSHTML engine that Office uses to render embedded web content) to drop the payload. Command-and-control traffic is carried over DNS-over-HTTPS (DoH), so on the wire it looks like ordinary TLS to a public resolver rather than UDP/53 DNS or a connection to an unknown host; plain DNS logging and resolver-side blocklists never see the queried names. Persistence is a scheduled task that launches the main DLL loader at system startup. The implant evades analysis by removing the user-mode API hooks that EDR products install, by process hollowing, and by refusing to run in sandboxes that show no realistic mouse movement. Its C2 configuration is stored encrypted with a custom XOR scheme, and credentials are harvested through the Windows Credential Manager APIs and staged in memory rather than written to disk before exfiltration.
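To make the DoH point concrete, the following is an added example written for this page; it is not VoidRAT code and not material from the Trellix report. It builds an RFC 8484 DoH query on the implant side, answers it on the operator side with a TXT record carrying a command, and shows how a proxy that sees only the GET `?dns=` parameter can still recover the queried name. The domain `c2-example.invalid`, the `cmd:screenshot` payload, and the use of TXT records as the downlink are all constructed assumptions; the page says only that the RAT talks over DoH, not how it encodes data inside the DNS messages.

```python
"""RFC 8484 DNS-over-HTTPS message construction and proxy-side inspection.

Added example for this page (not VoidRAT's code). The C2 domain, the TXT
command and the transaction layout are constructed for illustration.
"""
import base64
import struct

QTYPE_TXT = 16


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_TXT, txid: int = 0) -> bytes:
    """Implant side: one question, RD set. RFC 8484 suggests ID 0 for GET caching."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def doh_get_path(wire: bytes) -> str:
    """GET form of a DoH request: base64url, padding stripped (RFC 8484 s.6)."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(wire).decode().rstrip("=")


def decode_name(wire: bytes, offset: int):
    """Read a name at offset, following a compression pointer if present."""
    labels = []
    while True:
        ln = wire[offset]
        if ln == 0:
            return ".".join(labels), offset + 1
        if (ln & 0xC0) == 0xC0:  # pointer: 14-bit offset into the message
            ptr = struct.unpack(">H", wire[offset:offset + 2])[0] & 0x3FFF
            name, _ = decode_name(wire, ptr)
            labels.append(name)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(wire[offset:offset + ln].decode("ascii"))
        offset += ln


def parse_question(wire: bytes) -> dict:
    """Header plus first question; 'end' is the offset just past the question."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", wire[:12])
    name, off = decode_name(wire, 12)
    qtype, qclass = struct.unpack(">HH", wire[off:off + 4])
    return {"id": txid, "flags": flags, "name": name, "qtype": qtype, "end": off + 4}


def build_txt_response(query: bytes, txt: bytes) -> bytes:
    """Operator side: echo the question and answer with one TXT record."""
    q = parse_question(query)
    header = struct.pack(">HHHHHH", q["id"], 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    rdata = bytes([len(txt)]) + txt                # single <character-string>
    answer = b"\xC0\x0C" + struct.pack(">HHIH", QTYPE_TXT, 1, 60, len(rdata)) + rdata
    return header + query[12:q["end"]] + answer


def parse_txt_answer(resp: bytes) -> bytes:
    """Implant side: pull the command bytes out of the first TXT answer."""
    q = parse_question(resp)
    _, off = decode_name(resp, q["end"])
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
    rdata = resp[off + 10:off + 10 + rdlen]
    return rdata[1:1 + rdata[0]]


def name_from_doh_path(path: str) -> str:
    """Defender side: recover the queried name from a logged GET ?dns= parameter.

    A POST body with Content-Type application/dns-message is the raw wire
    message and can be handed to parse_question() directly.
    """
    b64 = path.split("dns=", 1)[1].split("&", 1)[0]
    b64 += "=" * (-len(b64) % 4)
    return parse_question(base64.urlsafe_b64decode(b64))["name"]


if __name__ == "__main__":
    q = build_query("beacon.c2-example.invalid")          # constructed C2 name
    path = doh_get_path(q)
    print("proxy sees:", path)
    print("decoded name:", name_from_doh_path(path))
    r = build_txt_response(q, b"cmd:screenshot")           # constructed command
    print("implant receives:", parse_txt_answer(r))
```

The proxy log line that triggers `name_from_doh_path` shows only a GET to `/dns-query` with a browser-style User-Agent; without decoding the `dns=` parameter (or the POST body) the resolved name never appears anywhere a DNS-based control would look, which is the whole reason the channel is attractive to a RAT author.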
📜 History & Notable Incidents
VoidRAT was first observed in active campaigns in December 2022, notably against a Vietnamese energy company and a Taiwanese semiconductor manufacturer. In early 2023 the group used it against a Philippine government agency, exfiltrating documents related to maritime security. CVEs are assigned to vulnerabilities rather than to malware, so none is associated with VoidRAT itself; the family consistently relies on CVE-2021-40444 for initial compromise. No law enforcement action against the Void Banshee group had been publicly reported as of 2025.
🔍 Detection Indicators
- File hashes: the Trellix report lists SHA-256 values; the one reproduced here is truncated (a3d5c8e1f2b...), so take the full hashes from the report rather than from this page.
- Persistence: creation of a scheduled task named "MicrosoftEdgeUpdateTask". The genuine Edge updater registers tasks whose names begin "MicrosoftEdgeUpdateTaskMachineCore" and "MicrosoftEdgeUpdateTaskMachineUA", so match on the exact base name, not on the prefix, or the rule fires on every workstation.
- Mutex: "GlobalVoidRAT_Mutex_0x9A3B" as rendered here. Windows global mutexes are written with a Global\ namespace prefix, so hunt for the name both with and without that separator.
- Network: C2 domains registered through Namecheap with WHOIS privacy protection. That describes a large share of all registered domains, so treat it as a pivot for infrastructure tracking, not as a standalone detection.
- User-Agent: DoH requests carry a Chrome-style string beginning Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (the string on this page is cut short), which is indistinguishable from a real browser in proxy logs. The useful signal is which process originates the DoH connections, which is visible in EDR network telemetry, not in the string itself.
☠️ Risk & Impact
The primary risk is data exfiltration: VoidRAT steals credentials, screenshots, keystrokes and file-system contents and transmits them over the same encrypted DoH channel it uses for C2. In the Philippine government breach an estimated 50GB of sensitive documents were exfiltrated. The sectors most affected are energy, semiconductors and government agencies in Southeast Asia.
🛡️ Mitigation
Defenders should close the initial-access vector by applying the September 2021 Microsoft security updates that fix CVE-2021-40444 (the KB cited in the original entry, KB5000802, is a March 2021 cumulative update and predates the vulnerability). Where a host cannot be patched immediately, Microsoft's published workaround of disabling ActiveX control installation in Internet Explorer's security zones via the registry, together with keeping Office documents from untrusted senders in Protected View, breaks the exploit chain. On the network, route DNS through sanctioned resolvers and alert on DoH traffic to unapproved resolvers or originating from processes other than browsers. On the endpoint, write EDR rules for creation of a scheduled task named "MicrosoftEdgeUpdateTask" (Windows Security event 4698 when task-creation auditing is enabled) and for a startup task whose action loads a DLL from a user-writable directory. Trellix provides YARA rules and Sigma signatures in its public advisory.
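The task-name indicator above and the EDR rule suggested here need the same triage logic, so one added example serves both. It is written for this page and is not from the Trellix advisory or any product. It parses Windows Security event 4698 (scheduled task created) records, flags the exact VoidRAT task name while leaving the legitimate Edge updater tasks alone, and separately flags a startup task whose action runs a DLL through rundll32/regsvr32 from a user-writable path. The three events are constructed, as is the assumption that the loader is launched via rundll32 from %APPDATA%; the page says only that a scheduled task runs the DLL loader at startup. It also handles the one quirk that breaks naive parsers: the embedded TaskContent carries a UTF-16 XML declaration that Python's ElementTree rejects when given text.

```python
"""Triage of Windows Security event 4698 (scheduled task created).

Added example for this page; sample events are constructed. The rundll32
loader path is an assumption, not something the page states.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

IOC_TASK_NAMES = {"microsoftedgeupdatetask"}          # exact base name from this page
LEGIT_EDGE_PREFIXES = ("microsoftedgeupdatetaskmachinecore",
                       "microsoftedgeupdatetaskmachineua")  # real Edge updater tasks
LOLBIN_LOADERS = {"rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|windows\\temp|users\\public)\\", re.I)
STARTUP_TRIGGERS = {"BootTrigger", "LogonTrigger"}


def parse_task_content(content: str) -> dict:
    """TaskContent is escaped task XML with a UTF-16 declaration; drop the
    declaration, since ET.fromstring() refuses it on an already-decoded str."""
    content = re.sub(r"^\s*<\?xml[^>]*\?>", "", content)
    root = ET.fromstring(content)
    trig = root.find("t:Triggers", TASK_NS)
    return {
        "command": root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS),
        "arguments": root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=TASK_NS),
        "triggers": [t.tag.split("}")[-1] for t in trig] if trig is not None else [],
    }


def triage_4698(event_xml: str) -> dict:
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT_NS)}
    task_path = data.get("TaskName", "")           # e.g. "\MicrosoftEdgeUpdateTask"
    base = task_path.rsplit("\\", 1)[-1].lower()
    task = parse_task_content(data.get("TaskContent", ""))
    reasons = []
    if base in IOC_TASK_NAMES:
        reasons.append("task name matches VoidRAT IOC")
    elif "edgeupdate" in base and not base.startswith(LEGIT_EDGE_PREFIXES):
        reasons.append("Edge-updater lookalike task name")
    exe = task["command"].strip('"').rsplit("\\", 1)[-1].lower()
    if exe in LOLBIN_LOADERS and USER_WRITABLE.search(task["command"] + " " + task["arguments"]):
        reasons.append(f"{exe} loading from user-writable path")
    startup = set(task["triggers"]) & STARTUP_TRIGGERS
    if reasons and startup:
        reasons.append("persists via " + "/".join(sorted(startup)))
    return {"task": task_path, "user": data.get("SubjectUserName", ""),
            "suspicious": bool(reasons), "reasons": reasons}


def make_event(user: str, task_name: str, trigger: str, command: str, arguments: str = "") -> str:
    """Build a constructed 4698 event in the shape Windows emits it."""
    task_xml = ('<?xml version="1.0" encoding="UTF-16"?>'
                '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                f'<Triggers><{trigger}><Enabled>true</Enabled></{trigger}></Triggers>'
                f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command>'
                f'<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>')
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>4698</EventID></System><EventData>'
            f'<Data Name="SubjectUserName">{escape(user)}</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data>'
            '</EventData></Event>')


# Constructed sample events: one VoidRAT-style task, one genuine Edge updater task, one benign job.
SAMPLE_EVENTS = [
    make_event("jdoe", "\\MicrosoftEdgeUpdateTask", "BootTrigger",
               r"C:\Windows\System32\rundll32.exe",
               r"C:\Users\jdoe\AppData\Roaming\EdgeUpdate\loader.dll,Start"),
    make_event("SYSTEM", "\\MicrosoftEdgeUpdateTaskMachineCore{D1E2F3A4-0000-4000-8000-000000000001}",
               "LogonTrigger", r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe", "/c"),
    make_event("jdoe", "\\Backup\\NightlySync", "CalendarTrigger",
               r"C:\Program Files\SyncTool\sync.exe", "--quiet"),
]


def flagged(events) -> list:
    return [r for r in (triage_4698(e) for e in events) if r["suspicious"]]


if __name__ == "__main__":
    for hit in flagged(SAMPLE_EVENTS):
        print(hit["task"], hit["user"], "; ".join(hit["reasons"]))
```

Event 4698 is only written when "Audit Other Object Access Events" is enabled in the advanced audit policy, so confirm that before relying on this as a detection; the same logic applies unchanged to task-creation records from an EDR. Feeding the legitimate Edge task through the triage is the check that an exact-name rule does not drown the SOC in false positives.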
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.