X4 (Malware)
⚠️ Overview
X4 is a Java-based remote access trojan (RAT) first documented by Zscaler ThreatLabz in October 2023. It is attributed to a suspected Chinese-speaking cybercriminal group known as "Void Banshee," which targets organizations in the Middle East, Asia, and Europe, primarily for espionage and data exfiltration. The malware is classified as a stealer and backdoor, leveraging legitimate cloud services for command-and-control (C2) communication.
🔧 Technical Capabilities
X4 is delivered through spear-phishing emails carrying malicious attachments. The source associates the delivery chain with CVE-2023-38831 and CVE-2023-36802, but note what these actually are: CVE-2023-38831 is a WinRAR flaw in which a crafted archive runs a script when the user opens a decoy document from inside the archive (it is triggered by an archive, not by an Office document), and CVE-2023-36802 is a local elevation-of-privilege bug in the Microsoft Streaming Service proxy driver (mskssrv.sys), which gives an already-running payload higher privileges rather than providing initial code execution. The malware uses a multi-stage architecture: a first-stage downloader retrieves the main JAR payload from file-sharing platforms such as Dropbox or OneDrive. The RAT then establishes C2 over HTTPS, blending in with legitimate cloud-service traffic to evade detection. Persistence is achieved through a registry Run key or a scheduled task. Evasion techniques include anti-debugging checks, sandbox detection based on host system metrics, and AES-256 encryption of the payload. Once running it collects system information, browser credentials, and cryptocurrency wallet files.
📜 History & Notable Incidents
First observed in September 2023 during Operation "Huanglong," X4 was used in targeted attacks against government organizations in the Philippines and defense contractors in India. Notable incidents include the compromise of a Middle Eastern telecommunications firm in December 2023, which led to the exfiltration of employee credentials. No CVE is assigned to X4 itself; the CVEs listed above belong to the delivery and privilege-escalation chain, not to the RAT. As of early 2025, no public law-enforcement action against the Void Banshee group has been reported.
🔍 Detection Indicators
The only file hash given by the source is MD5 a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6 for the first-stage dropper. That string contains non-hexadecimal characters (g through p), so it cannot be a real MD5 digest and must not be loaded into a blocklist; obtain a valid hash from the original Zscaler ThreatLabz write-up before using it. Behavioral indicators: JAR files dropped under %TEMP%\tmpX4, and the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate. Network indicators: connections to api.dropboxapi.com, a legitimate Dropbox API host abused for exfiltration, which is only a meaningful signal when the connecting process is a Java runtime (java.exe/javaw.exe) rather than a browser or the Dropbox client; the RAT sends a user-agent string mimicking Chrome, "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36". The mutex name "X4Mutex" has been observed in sandbox reports.
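The following triage script is an added example written for this page; it is not code from Zscaler ThreatLabz or from the original source. It turns the indicators above into checks over endpoint telemetry and shows the two caveats a practitioner cares about: the published hash string is rejected because it is not valid hex, and a connection to api.dropboxapi.com only fires when the originating process is a Java runtime, so the constructed Chrome events in the sample stay silent. The event dictionaries, their field names (Sysmon-like), the file paths and the list of Dropbox API hosts are all assumptions made for the example.

```python
"""Triage sample endpoint telemetry for X4-style indicators.

Added example for this page; not the vendor's or the malware author's code.
Sample events are constructed by hand and do not come from a real infection.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample events (assumed Sysmon-like field names).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate",
     "value": r"javaw.exe -jar C:\Users\alice\AppData\Local\Temp\tmpX4\update.jar"},
    {"type": "process_create",
     "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "cmdline": r"javaw.exe -jar C:\Users\alice\AppData\Local\Temp\tmpX4\update.jar"},
    {"type": "network_connect",
     "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "dest_host": "api.dropboxapi.com", "dest_port": 443,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
    {"type": "mutex_create", "name": "X4Mutex"},
    # Benign noise: a real browser talking to the same Dropbox API host.
    {"type": "process_create",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe"},
    {"type": "network_connect",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "api.dropboxapi.com", "dest_port": 443,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"},
]

# Indicators taken from the page; the host list beyond api.dropboxapi.com is an assumption.
RUN_KEY_RE = re.compile(r"^hkcu\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
JAR_FLAG_RE = re.compile(r"(?:^|\s)-jar\s", re.I)
TEMP_PATH_RE = re.compile(r"\\temp\\", re.I)
BROWSER_UA_RE = re.compile(r"^Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\) AppleWebKit/537\.36")
JAVA_IMAGES = {"java.exe", "javaw.exe"}
CLOUD_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
X4_MUTEX = "X4Mutex"


def is_valid_md5(digest: str) -> bool:
    """An MD5 digest is exactly 32 hexadecimal characters; anything else is not a usable IOC."""
    return re.fullmatch(r"[0-9a-fA-F]{32}", digest) is not None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: Iterable[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (tag, reason) findings for events matching the page's X4 indicators."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "registry_set":
            key, value = str(ev["key"]), str(ev["value"])
            # Run key whose command launches a JAR from the user's temp directory.
            if RUN_KEY_RE.search(key) and JAR_FLAG_RE.search(value) and TEMP_PATH_RE.search(value):
                findings.append(("persistence", f"Run key {key} launches a JAR from %TEMP%"))
        elif kind == "process_create":
            image, cmdline = str(ev["image"]), str(ev["cmdline"])
            if _basename(image) in JAVA_IMAGES and JAR_FLAG_RE.search(cmdline) and TEMP_PATH_RE.search(cmdline):
                findings.append(("execution", f"{_basename(image)} executing a JAR from %TEMP%: {cmdline}"))
        elif kind == "network_connect":
            image, host = str(ev["image"]), str(ev["dest_host"]).lower()
            # The host alone is legitimate traffic; a Java runtime presenting a
            # browser user-agent to a cloud storage API is the actual signal.
            if (_basename(image) in JAVA_IMAGES and host in CLOUD_API_HOSTS
                    and BROWSER_UA_RE.match(str(ev.get("user_agent", "")))):
                findings.append(("c2", f"{_basename(image)} -> {host} with browser-like user-agent"))
        elif kind == "mutex_create" and ev.get("name") == X4_MUTEX:
            findings.append(("mutex", f"mutex {X4_MUTEX} created"))
    return findings


if __name__ == "__main__":
    page_hash = "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"  # as printed on the page
    print(f"page MD5 usable as IOC: {is_valid_md5(page_hash)}")
    for tag, reason in triage(SAMPLE_EVENTS):
        print(f"[{tag}] {reason}")
```

Each rule requires two conditions (a Java image plus a temp-path JAR, a Run key plus a JAR launch, a Java process plus the cloud host plus a browser user-agent) so that ordinary Java applications and ordinary Dropbox use do not page an analyst.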
☠️ Risk & Impact
X4 exfiltrates credentials, browser cookies, and cryptocurrency private keys, leading to identity theft, financial fraud, and intellectual property theft. It has caused estimated losses of $2.1 million in cryptocurrency theft across 15 reported incidents (based on Chainalysis data) and compromised networks in government and defense sectors, resulting in espionage risk. The malware’s use of legitimate cloud services complicates attribution and cleanup.
🛡️ Mitigation
Mitigation includes patching the delivery chain (WinRAR 6.23 or later fixes CVE-2023-38831; the September 2023 Windows security update fixes CVE-2023-36802), enforcing multi-factor authentication so that stolen browser credentials cannot be replayed on their own, and deploying endpoint detection rules for Java runtimes launching JAR files from temporary directories (the source cites the Sigma rule proc_creation_win_susp_java_download). Because api.dropboxapi.com is a legitimate service, blocking it outright breaks ordinary Dropbox use; restrict which processes may reach cloud storage APIs, or alert when java.exe/javaw.exe connects to them, rather than blocking the domain for everyone. Zscaler's ThreatLabz has published YARA rules for X4 payload detection (source: Zscaler blog "X4 RAT Analysis", October 2023).
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.