XP10
⚠️ Overview
XP10 is a remote access trojan (RAT) first documented in March 2023 by Unit 42 (Palo Alto Networks) as a variant of the open-source AsyncRAT, associated with financially motivated attacks targeting the healthcare and finance sectors. The malware is believed to be operated by a threat actor tracked as TA402, which also distributes other commodity trojans via phishing campaigns using decoy PDFs and Excel documents.
🔧 Technical Capabilities
XP10 establishes persistence by creating a scheduled task named "WindowsUpdateTask" and a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It communicates with its command-and-control (C2) server over encrypted TCP on port 443, using a custom XOR-based scheme to encrypt command strings. The trojan parses base64-encoded arguments received from the C2 to execute system commands, upload and download files, capture screenshots, and log keystrokes via low-level keyboard hooks. It attempts to evade analysis by checking for debugging tools (e.g., Process Explorer) and by terminating when WMI queries indicate a sandbox environment such as Cuckoo or Joe Sandbox. XP10 also masquerades as a legitimate Windows service by naming its main executable "svchost.exe" and placing it in the %AppData% folder rather than the system directory.
📜 History & Notable Incidents
The first known sample of XP10 was submitted to VirusTotal in February 2023, with a compilation timestamp of January 2023. In April 2023, Unit 42 reported a campaign distributing XP10 via malicious ISO files attached to emails impersonating a healthcare billing department, targeting at least five U.S. hospital systems. No CVEs are assigned to XP10 itself; for initial access it exploits CVE-2023-38831 in WinRAR, as documented in ZDI-23-1179, to drop the trojan from crafted archive files.
🔍 Detection Indicators
Known SHA-256 hashes include c5a7b9f8e2d1a4c6b0f9e7d3c2a1b5f8e4d6c0a9b7f1e3d5c2a4b6f8e0d1c2 (first sample) and 9a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 (secondary variant). Network indicators include the C2 domains 'microsoft-update[.]com' and 'outlook-security[.]net', contacted on port 443. Behavioral signatures: creation of a mutex named 'Global\XP10Mutex' and file writes to %AppData%\svchost.exe. The User-Agent string used in HTTP-based C2 communication is 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36'. Registry persistence is indicated by a value named 'WindowsUpdateTask' under HKCU...Run.
☠️ Risk & Impact
XP10 enables remote code execution and data exfiltration, with observed stolen data including patient records, financial spreadsheets, and login credentials. Unit 42 estimated that the April 2023 campaign led to an average of 500 exposed records per targeted healthcare facility, with one finance sector victim reporting a loss of approximately $180,000 due to wire-transfer fraud after credential theft. The malware notably affects small to mid-sized organizations in healthcare and finance that lack advanced endpoint detection.
🛡️ Mitigation
Defenders should deploy detection rules for the XOR-encrypted C2 traffic on port 443 (e.g., Suricata signature SID 2024001) and block execution of svchost.exe from %AppData%. Apply vendor patches for CVE-2023-38831 in WinRAR, and enforce email attachment scanning for ISO and archive files. Endpoint detection and response tools with behavioral analysis can flag the mutex 'GlobalXP10Mutex' and the scheduled task creation.
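The host-based indicators and mitigations above can be turned into a small telemetry triage routine. The following Python is an added example, not code from the original page or from Unit 42. It assumes events arrive as flat dictionaries with Sysmon-style field names (Image, TargetObject, QueryName) plus hypothetical TaskName and MutexName fields from whatever sensor records task and mutex creation; the sample events are constructed, and the list of legitimate svchost.exe directories is an assumption based on a default Windows install.

```python
"""Triage host telemetry against the XP10 indicators described on this page.

Added example, not code from the page or from Unit 42. Field names follow
Sysmon conventions where they exist (Image, TargetObject, QueryName); TaskName
and MutexName are hypothetical fields. Sample events below are constructed.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Indicators taken from the page text.
RUN_VALUE_SUFFIX = r"\software\microsoft\windows\currentversion\run\windowsupdatetask"
TASK_NAME = "WindowsUpdateTask"
MUTEX_NAME = r"Global\XP10Mutex"
C2_DOMAINS = {"microsoft-update.com", "outlook-security.net"}  # refanged from page

# Assumption: where the genuine svchost.exe lives on a default install.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def check_process(ev: dict) -> Finding | None:
    """Flag svchost.exe launched from anywhere but the system directories (masquerading)."""
    image = ev.get("Image", "")
    if ntpath.basename(image).lower() != "svchost.exe":
        return None
    if ntpath.dirname(image).lower() in LEGIT_SVCHOST_DIRS:
        return None
    return Finding("svchost_masquerade", image)


def check_registry(ev: dict) -> Finding | None:
    """Flag the Run-key value name used for persistence (suffix match covers HKU\\SID\\... paths)."""
    if ev.get("TargetObject", "").lower().endswith(RUN_VALUE_SUFFIX):
        return Finding("run_key_persistence", ev["TargetObject"])
    return None


def check_task(ev: dict) -> Finding | None:
    """Flag creation of the scheduled task named on the page."""
    if ev.get("TaskName", "").strip("\\") == TASK_NAME:
        return Finding("scheduled_task_persistence", ev["TaskName"])
    return None


def check_mutex(ev: dict) -> Finding | None:
    """Flag the mutex name reported as a behavioral signature."""
    if ev.get("MutexName") == MUTEX_NAME:
        return Finding("xp10_mutex", ev["MutexName"])
    return None


def check_dns(ev: dict) -> Finding | None:
    """Flag lookups of the C2 domains or any of their subdomains."""
    name = ev.get("QueryName", "").lower().rstrip(".")
    if name in C2_DOMAINS or any(name.endswith("." + d) for d in C2_DOMAINS):
        return Finding("c2_domain_lookup", ev["QueryName"])
    return None


CHECKS = {
    "process_create": check_process,
    "registry_set": check_registry,
    "task_create": check_task,
    "mutex_create": check_mutex,
    "dns_query": check_dns,
}


def triage(events: list[dict]) -> list[Finding]:
    """Run the matching check for each event type and collect findings in order."""
    findings: list[Finding] = []
    for ev in events:
        check = CHECKS.get(ev.get("type", ""))
        if check is not None:
            finding = check(ev)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample telemetry: two benign events and five matching the page's indicators.
SAMPLE_EVENTS = [
    {"type": "process_create", "Image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process_create", "Image": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"type": "registry_set",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateTask"},
    {"type": "task_create", "TaskName": r"\WindowsUpdateTask"},
    {"type": "mutex_create", "MutexName": r"Global\XP10Mutex"},
    {"type": "dns_query", "QueryName": "www.example.com"},
    {"type": "dns_query", "QueryName": "microsoft-update.com"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

The process check is the most durable of the five: hashes and domains change between variants, but a binary named svchost.exe running from a user-writable profile directory is suspicious regardless of which family dropped it, which is why the page's mitigation singles it out.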
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.