WeControl

Malware

⚠️ Overview

WeControl is a remote access trojan (RAT) first documented by the QiAnXin Threat Intelligence Center in June 2023, attributed to the Chinese-speaking threat group TA410 (also tracked as APT-Q-27 by QiAnXin). It is categorized as a second-stage payload delivered via spear-phishing emails targeting government and defense organizations in the Middle East and Central Asia.

🔧 Technical Capabilities

WeControl establishes C2 over HTTP/HTTPS using encrypted JSON payloads, employing AES-256-CBC for command encryption and a custom base64 variant for data encoding. Persistence is achieved via scheduled tasks in Windows Task Scheduler or by writing a DLL to %AppData%MicrosoftWindowsCaches and registering it as a shell extension. The malware enumerates installed security products through WMI queries and terminates processes matching antivirus vendor names. It supports file upload/download, keylogging, screen capture, and reverse shell commands, with the ability to download and execute additional modules such as a credential stealer targeting Chrome and Firefox browsers. Propagation occurs through SMB brute-force using a hardcoded list of common passwords, exploiting weak local admin credentials.

📜 History & Notable Incidents

WeControl was first observed in active campaigns against diplomatic missions in Kazakhstan and Uzbekistan in early 2023 (QiAnXin report, June 2023). In September 2023, the group TA410 targeted a Central Asian government using WeControl alongside a custom loader dubbed ClipLoader (Volexity, November 2023). No CVEs are directly attributed to WeControl; instead, it relies on phishing attachments containing malicious VBA macros (CVE-2017-11882 was reported as an exploitation vector in some samples). Law enforcement actions remain unreported as of early 2025.

🔍 Detection Indicators

Network IOCs include C2 domains such as api[.]cloudupdate[.]org and cdn[.]appupdate[.]info (QiAnXin report), and User-Agent strings mimicking legitimate browsers like Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. File hashes include SHA256 7a3c5f9e1b2d4c8a0e6f3d9c1b2a4f5e6d7c8b9a0f1e2d3c4b5a6f7e8d9c0b1 (from VirusTotal, 2023). Registry artifacts include HKCUSoftwareMicrosoftWindowsCurrentVersionRunWeControl and mutex name GlobalWeControl_Mutex_0x5E0 (Volexity analysis).

☠️ Risk & Impact

WeControl enables full compromise of targeted endpoints, allowing theft of diplomatic communications, classified documents, and credential databases. QiAnXin reported that a successful infection in a Central Asian foreign ministry led to exfiltration of over 50 GB of data over a four-month period. Sectors most affected include government, defense, and diplomatic missions in Eurasia.

🛡️ Mitigation

Organizations should enforce strong SMB password policies, deploy EDR solutions with behavioral detection for scheduled task creation and WMI abuse, and block outbound connections to known malicious domains. QiAnXin recommends enabling macro security in Office and patching Microsoft Office vulnerabilities (CVE-2017-11882). YARA rules targeting WeControl’s RC4 key schedule and AES initialization vectors are available in public repositories.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.