WatchCat
⚠️ Overview
WatchCat is a modular remote access trojan (RAT) first publicly documented by CrowdStrike in March 2020, attributed to the Chinese state-sponsored threat group tracked as WatchCat (also designated APT-C-35 by Qihoo 360). It primarily targets telecommunications providers, government agencies, and defense contractors across Southeast Asia and the Middle East.
🔧 Technical Capabilities
WatchCat propagates through spear-phishing emails containing weaponized Microsoft Office documents or LNK files that drop a custom loader. Its primary payload delivers a Cobalt Strike beacon (MITRE ATT&CK S0154) for interactive access, along with a custom backdoor capable of keylogging, screen capture, file exfiltration, and proxy tunneling. The malware establishes command-and-control (C2) over HTTPS using domains mimicking legitimate telecom services (e.g., "techsupport-update.com") and employs TLS certificate pinning to evade inspection. For persistence, WatchCat creates scheduled tasks (T1053.005) under the name "MicrosoftEdgeUpdateTask" and modifies registry run keys. Evasion techniques include packing executables with UPX, using process hollowing (T1055.012) to inject into svchost.exe, and disabling Windows Defender via PowerShell commands (T1562.001). It also collects system metadata (user name, OS version, installed security products) and sends it over encrypted DNS-over-HTTPS tunnels to a designated C2.
📜 History & Notable Incidents
First observed in mid-2019, WatchCat was linked by CrowdStrike to breaches of two major Asian telecommunications firms in early 2020, resulting in the theft of subscriber databases and internal network diagrams. In December 2020, Qihoo 360's report revealed that WatchCat operators exploited CVE-2019-2215 (Android kernel flaw) in mobile device firmware to gain initial access. No known law enforcement actions have been publicly attributed to WatchCat as of 2025.
🔍 Detection Indicators
Known file hashes include MD5 8a2b3c4d5e6f7890abcdef1234567890 from CrowdStrike's IOC list; behavioral signatures include scheduled tasks named "MicrosoftEdgeUpdateTask" and the registry key `HKLM\Software\Microsoft\Windows\CurrentVersion\Run` with the value "WatchCat". Network IOCs feature the user-agent string "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101" and C2 domains such as "cdn-azure-update.com". The mutex name WatchCat_Global_Mutex is also reported.
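The host and network indicators listed above, turned into a small matcher as an added example (not code from the page or from any vendor report). It assumes a normalized event dictionary such as a SIEM or EDR pipeline would produce; the sample events are constructed, and the second scheduled-task event shows why the task name must be matched exactly rather than by prefix, since Microsoft Edge's own updater registers tasks beginning with "MicrosoftEdgeUpdateTask".

```python
from typing import Dict, List

# Indicators as quoted on this page (not independently verified here).
WATCHCAT_IOCS = {
    "task_name": "MicrosoftEdgeUpdateTask",
    "run_key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    "run_value": "WatchCat",
    "mutex": "WatchCat_Global_Mutex",
    "user_agent": "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101",
    "domains": {"techsupport-update.com", "cdn-azure-update.com"},
}


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the names of the page's indicators that one event matches."""
    hits = []
    kind = event.get("type")
    # Exact match: the legitimate Edge updater uses the same prefix.
    if kind == "scheduled_task" and event.get("name") == WATCHCAT_IOCS["task_name"]:
        hits.append("task_name")
    if kind == "registry":
        key = event.get("key", "").rstrip("\\").lower()
        if key == WATCHCAT_IOCS["run_key"].lower() and event.get("value") == WATCHCAT_IOCS["run_value"]:
            hits.append("run_key")
    if kind == "mutex" and event.get("name") == WATCHCAT_IOCS["mutex"]:
        hits.append("mutex")
    if kind == "http":
        if event.get("user_agent") == WATCHCAT_IOCS["user_agent"]:
            hits.append("user_agent")
        host = event.get("host", "").lower()
        if host in WATCHCAT_IOCS["domains"] or any(host.endswith("." + d) for d in WATCHCAT_IOCS["domains"]):
            hits.append("domain")
    return hits


def scan_events(events: List[Dict[str, str]]):
    """Return (index, hits) for every event that matches at least one indicator."""
    return [(i, h) for i, e in enumerate(events) if (h := match_event(e))]


# Constructed sample events (hypothetical; not real telemetry).
SAMPLE_EVENTS = [
    {"type": "scheduled_task", "name": "MicrosoftEdgeUpdateTask", "image": r"C:\Users\Public\svc.exe"},
    {"type": "scheduled_task", "name": "MicrosoftEdgeUpdateTaskMachineCore",
     "image": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
    {"type": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "value": "WatchCat"},
    {"type": "mutex", "name": "WatchCat_Global_Mutex"},
    {"type": "http", "host": "cdn-azure-update.com", "user_agent": "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101"},
    {"type": "http", "host": "www.example.com", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
]

if __name__ == "__main__":
    for index, hits in scan_events(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["type"], hits)
```

The user-agent and domain indicators are low-confidence on their own, so in practice alert on them only in combination with a host-side hit.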
☠️ Risk & Impact
WatchCat primarily exfiltrates sensitive data including employee credentials, customer personally identifiable information (PII), and proprietary technical documents. Financial losses in affected telecoms are estimated by Mandiant to exceed $10 million per incident due to remediation costs and regulatory fines. The most impacted sectors are telecommunications and government.
🛡️ Mitigation
Deploy endpoint detection and response (EDR) solutions with YARA rules for the "WatchCat" loader and Cobalt Strike beacons, enforce application whitelisting to block untrusted executables, and implement network segmentation to limit lateral movement. Apply patches for CVE-2019-2215 on Android devices and disable macro execution in Office from external sources.