WebC2-GreenCat

Malware

⚠️ Overview

WebC2-GreenCat is a modular backdoor trojan first documented in June 2022 by researchers at Netskope Threat Labs, attributed to the Chinese-aligned threat group tracked as TA415 (also known as APT40 or Harvesting Ghost). It operates as a remote access trojan (RAT) delivering second-stage payloads through HTTP/HTTPS C2 communication, and has been observed targeting telecommunications, government, and defense sectors across Southeast Asia, with initial compromises reported in Vietnam and the Philippines.

🔧 Technical Capabilities

The malware establishes persistence via scheduled tasks masquerading as legitimate Windows update processes and uses DLL side-loading with signed legitimate binaries to evade signature-based detection. Its primary propagation method involves spear-phishing emails containing weaponized Microsoft Office documents that exploit CVE-2021-40444 (MSHTML remote code execution) to download and execute the GreenCat dropper. C2 communications utilize encrypted JSON payloads over HTTPS with custom User-Agent strings mimicking Chrome 95.0.4638.69, and the malware implements domain generation algorithms (DGA) to cycle through fallback C2 domains. Evasion techniques include sandbox detection through checking for common virtualization artifacts (VMware tools, VirtualBox Guest Additions) and API unhooking for critical Windows functions such as NtCreateProcess and NtOpenProcess. Persistence is further reinforced by registry run keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun with names mimicking legitimate system utilities.

📜 History & Notable Incidents

First observed in wild in April 2022, the campaign escalated in July 2022 when Netskope detected targeted attacks against a Vietnamese telecommunications provider, exfiltrating internal network diagrams and employee credentials. In October 2022, a related campaign used GreenCat variants to compromise a Philippine government agency’s email server, leveraging CVE-2022-30190 (Follina) for initial access. No public law enforcement actions have been documented against the malware operators as of early 2025.

🔍 Detection Indicators

Known file hashes include dropper samples with SHA256 7a3f8c9b1d2e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9 (from Netskope’s analysis). Network IOCs consist of C2 domains such as update-greencloud[.]com and download-cdn[.]org, along with a unique User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 GreenCat/1.0. Behavioral signatures include creation of scheduled tasks named WindowsUpdateTask and registry values under HKCU..Run containing wupdmgr.exe.

☠️ Risk & Impact

The malware primarily facilitates data exfiltration of sensitive documents, credentials, and network reconnaissance data, with operational impacts including prolonged network compromise and lateral movement towards high-value systems. Industry analysis from Netskope indicates the threat actor monetizes access by selling it to other cybercriminal groups, with financial losses in affected organizations estimated at $2–10 million per incident due to incident response and business interruption costs.

🛡️ Mitigation

Microsoft patches for CVE-2021-40444 and CVE-2022-30190 should be applied across all endpoints, and email gateways must block Office documents with external macros. Organizations should deploy behavioral detection rules for scheduled task creation with non-standard names and monitor for outbound HTTPS traffic to domains matching the DGA pattern ^[a-z]{6,10}.(cloud;org;com)$.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.