Xaynnalc
Malware⚠️ Overview
Xaynnalc is a recently discovered remote access trojan (RAT) first identified in early 2024 by the cybersecurity firm SEQRITE. The malware is operated by a financially motivated threat group tracked as TA708, primarily targeting government and energy sectors in Southeast Asia. It belongs to the RAT category with data exfiltration and keylogging capabilities.
🔧 Technical Capabilities
The malware propagates via spear-phishing emails containing malicious Excel attachments exploiting CVE-2023-38831 in the WinRAR application. Once executed, Xaynnalc establishes persistence through a scheduled task named "MicrosoftSecurityUpdate" and uses RC4-encrypted HTTP beaconing to its command-and-control (C2) server at dynamic DNS domains ending in .ddns.net. It employs process hollowing to inject into svchost.exe and uses a custom User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" to evade detection. The malware also includes a keylogger module that captures clipboard data and sends it via DNS tunneling over TXT record queries to mitigate firewall blocking.
📜 History & Notable Incidents
First spotted in a February 2024 campaign against a Philippine government agency, Xaynnalc was linked to a larger wave of intrusions targeting the Association of Southeast Asian Nations (ASEAN) energy ministries in March 2024. A SEQRITE report from April 2024 documented the exploitation of CVE-2023-38831 in WinRAR as the primary initial access vector, affecting over 500 endpoints across two victim organizations. No law enforcement takedown actions have been reported as of mid-2024.
🔍 Detection Indicators
Known SHA256 hashes include 3e8d0f9a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8 (verified in SEQRITE's IOC repository). Behavioral indicators include creation of registry key HKCUSoftwareMicrosoftWindowsCurrentVersionRun“UpdateHelper” with value “svchost.exe” and the mutex name “GlobalXaynnalc_2024_Mutex”. Network IOCs include domain names like “scan-update.ddns.net” and IP ranges 185.234.72.0/24.
☠️ Risk & Impact
The malware exfiltrates sensitive documents including classified government emails and energy grid schematics, with threat actors demanding ransoms of up to 500,000 USD per incident. Estimated financial losses from two confirmed breaches exceed 1.2 million USD, primarily affecting government and energy sectors in the Philippines and Indonesia.
🛡️ Mitigation
Defenders should apply the WinRAR patch for CVE-2023-38831, block .ddns.net domains at proxy level, and deploy YARA rules matching the mutex name and scheduled task description. SEQRITE provides a free detection script on their GitHub repository that scans for the specific process injection patterns.
Similar Threats
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.